- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Difference between "Bridge SSID to FortiGate wired...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Difference between "Bridge SSID to FortiGate wired network" and "FortiAP local bridging"
Hi
The documentation (http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/wifi-ethernet_b...) names two different bridge operations:
[ol]The setup of the SSID seems identical to me. While in the first variant an interface on the Fortigate is being configured this step is missing in the second variant.
My setup would look like: FortiAP (Subnet C) <--> Switch (L3) <--> Fortigate (Subnet I)
The point is: when the traffic leaves the FortiAP anyhow (in bridged mode) why should I setup a software interface on the Fortigate? Whats is the intention of this? What do I gain?
I have somehow the feeling that I have to choose the first variant if I want to use VLANs (what I do not need in my case).
Thank you very much!
Solved! Go to Solution.
Labels:
- Labels:
-
5.2
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
It is probably not an answer to your question but let's see:
There are two modes to configure a SSID which means bridge or tunneling. If you confgure a SSID for tunneling you can do whatever you want the traffic from the AP listining for the tunneled SSID will be ALWAYS forwarded to the WiFi controller on the FGT and you can use UTM Features etc. because the traffic is ALWAYS going to the WiFi controller on the FGT. If you use on a SSID bridge the interface on the FAP which is listening for the bridged SSID is bridged. This means the traffic is NOT going ALWAYS to the WiFi controller instead the traffic goes directyl from the FAP interface to the segment in which the FAP interface is connected. Of course you can use VLAN's on the bridged SSID. Finally the first question you should answer yourself is following:
- Must the users connected to a SSID for some reason connecting directyl to a server etc. for performance reason etc.
If the answer is yes the FAP should be connected to the same segment as the servers (performance) or to a seperated interface using a specific VLAN connecting directly to the server (not so good regarding performance). Keep in mind if you use this bridged function YOU CAN NOT USE ANYMORE UTM features on the SSID because the traffic goes not anymore to the WiFi controller.
If the answer is NO you should use from my point of view a seperated interface on the FGT connecting all your FAP's because the traffic is tunneled the traffic comes anyway always to the FGT WiFi controller and you are using UTM features it is better to connect the FAP's to an seperate Interface.
If you are using a FAP im Branche Office and the FAP is connected over the WiFi Headquarter you should use bridge SSID because otherwise the user can not surf to anywhere if the connection from the Branche to the Headquarter is not anymore up. If you do so the user connecting in the Branche to the SSID bridge they can surf arround even the Headquarter connection is down. Keep in mind in this moment the Headquarter connection is down and you are using remote authentication from the Headquarter like WPA2 Enterprise no more NEW users can authenticate as long as the Headquarter connection is down. This users which are already authenticated can surf arround even the Headquarter connection is down.
Hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure example #1 is correct.... vlans should be used there not the software switch... I'll check on this.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
It is probably not an answer to your question but let's see:
There are two modes to configure a SSID which means bridge or tunneling. If you confgure a SSID for tunneling you can do whatever you want the traffic from the AP listining for the tunneled SSID will be ALWAYS forwarded to the WiFi controller on the FGT and you can use UTM Features etc. because the traffic is ALWAYS going to the WiFi controller on the FGT. If you use on a SSID bridge the interface on the FAP which is listening for the bridged SSID is bridged. This means the traffic is NOT going ALWAYS to the WiFi controller instead the traffic goes directyl from the FAP interface to the segment in which the FAP interface is connected. Of course you can use VLAN's on the bridged SSID. Finally the first question you should answer yourself is following:
- Must the users connected to a SSID for some reason connecting directyl to a server etc. for performance reason etc.
If the answer is yes the FAP should be connected to the same segment as the servers (performance) or to a seperated interface using a specific VLAN connecting directly to the server (not so good regarding performance). Keep in mind if you use this bridged function YOU CAN NOT USE ANYMORE UTM features on the SSID because the traffic goes not anymore to the WiFi controller.
If the answer is NO you should use from my point of view a seperated interface on the FGT connecting all your FAP's because the traffic is tunneled the traffic comes anyway always to the FGT WiFi controller and you are using UTM features it is better to connect the FAP's to an seperate Interface.
If you are using a FAP im Branche Office and the FAP is connected over the WiFi Headquarter you should use bridge SSID because otherwise the user can not surf to anywhere if the connection from the Branche to the Headquarter is not anymore up. If you do so the user connecting in the Branche to the SSID bridge they can surf arround even the Headquarter connection is down. Keep in mind in this moment the Headquarter connection is down and you are using remote authentication from the Headquarter like WPA2 Enterprise no more NEW users can authenticate as long as the Headquarter connection is down. This users which are already authenticated can surf arround even the Headquarter connection is down.
Hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure example #1 is correct.... vlans should be used there not the software switch... I'll check on this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answers. I understand the difference between the tunnel and the bridge approach. And I was aware of loosing all UTM functionality in bridge mode.
What I don't understood was why Fortinet propose to create an interface on the Fortigate for a bridge approach because the traffic will "leave" the FAP but will still be routed by the Fortigate. I discussed the situation with another person and I might begin to understand:
In the example provided by Fortinet they have a captive portal in use. My read is that you cannot setup a captive portal some other way in a bridge environment. One have to create a switch. From my point of view smaller Fortigate appliances might impact the performance as well because all the traffic is then routed again through a software switch.
I am confident now that the solution without the switch is the right one for me. Thanks for your time and help!
Frederik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that example is a very poor one, it describes the steps to get your wireless and wired on the same subnet but lacks some required steps such as creating the vlan interface on DMZ and also assigned vlan ID to the bridge interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
in general you got it...if you use a Captive Portal you have to use tunneled because the Captive Portal is running on the FGT and not on the FAP. In general DO NOT USE software switches is absolutly not recommended and neccessary. Again if you use bridge there is a GOAL to reach meaning like performance isseu getting NOT TO FGT bringen NOT THE traffic to FGT instead go directly. Again in GENERAL you do not need bridge normaly by standard use tunneled on a seperated interface meaning for Captive Portal guest and for internal use. Of course you can mix the stuff meaning using bridge for internal use getting direct to server and Captive Portal tunneled for guest access.
hope this helps
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
if you like to have the SSID on the same subnet as your LAN for example do following:
- place your AP on the same subnet as your internal LAN. Because -or hopefully- within the internal LAN there is a DHCP server for your client the AP will receive the IP for mgmt. from your DHCP server.
- create a SSID and if you create the SSID set it to bridge as assing the VLAN ID if neccessary (default is 0). Actually if you place the FAP in the same subnet as your client/server you do not need a VLAN ID this is only neccessary if your clients/server are connected to different stuff mixing up on one switch segment. For the SSID define the DHCP server as relay and point it to the DHCP server within the internal LAN.
If the FAP is coming up in this constellation it will request by DHCP a IP for mgmt. only. The SSID is configured with the DHCP relay etc. from this point of view all in the same segment and no traffic goes to the FGT because of the SSID bridged.
Of course you can add another SSID for guest in tunnel mode and with a seperated IP range DHCP server served by SSID meaning FGT.
More or less that's it.....internal use can go directly disadvantage you use all UTM features. Guest must go to FGT because of tunneled and UTM feature can be fully used.
I personaly would never use bridge if I do not have to use for some reason but is my last option :)
Hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andrea
I personaly would never use bridge if I do not have to use for some reason but is my last option :)
One example: if you want to add 3 FAPs to a 60D and a 60D has only 175 MBps (roughly 21 MB/s) CAPWAP throughput I have the strong feeling that I will make my internal staff not really happy 
.
I would love to use a tunnel but my Fortigate just don't have the power for this particular setup - or do I miss something?
Best regards
Frederik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I understand your doubts but do a test...nothing easier as connect all FAP's to one interface and tunnel all SSID's and go ahead for a test. We have many many customers which are using this config and nobody complains about performance. Keep in mind that this setup is for not only wirlesss meaning all this customers are using by standard cabling for the internal access and the SSID's are used for devices which do not have cabling which means IOS device, android etc. A setup for internal based on -only wireless- I would never do because to many factors are impacting wirless like interferences etc. From this point of view this stuff is mainly used for guest access and for internal access and/or outside world for devices which do not have a cabling etc. Go ahead and do a test...is configured in 5 minutes and you can test and try. Keep in mind that if you do test that UTM features are mainly impacting also the performance like Antivirus, WebFilter etc. If you do test do not doing test with Internet based tools etc. use test tool which you have full controll like:
http://www.metageek.net/support/downloads (inSSIDer für Windows / Mac / Android) http://www.nirsoft.net/network_tools.html (WifiInfoView für Windows) http://www.ekahau.com/products/heatmapper/overview.html (HeatMapper für Windows XP / Windows Vista / Windows 7)
or to test over internal server:
http://sourceforge.net/projects/jperf)
Try to eliminate every factor which means UTM feature, duplex mismatch or not known factors like ISP etc.
hope this helps
Andrea
Labels
-
FortiGate
6,752 -
FortiClient
1,343 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
IPsec
85 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.