We have about a hundread FGTs for a retail customer managed by FMG-VM. And we're about to roll out a FAP per FGT for 100 of them. All have the same guest SSID/VAP. But when I looked at AP Manager, under the SSID tab I seem to be able to see configured VAPs for each device(FGT). So when we need to change something on the common VAP with AP Manager, we need to change it one by one in GUI.
Or, am I misinterpreting the menu and there is actually a way to set just one config of of VAP and link it to all 100 FGTs?
If not, I'm now thinking to set up a CLI template group/CLI templates to configure the VAP and all other necessary "wireless-controller" config so that when something needs to be changed, we just need to change the template and push it to all FGTs.
FMG-VM: v6.4.8
Thanks,
Toshi
Solved! Go to Solution.
Hey Toshi,
I don't currently have a Wifi setup with my FortiManager (only a FortiGate with no attached APs), so this is mostly guesswork until I can actually verify in my lab, but I think the wireless-controller objects in the ADOM database tie into AP Manager if that is running in Central management mode:
As for pushing one SSID/VAP to multiple FortiGates - you should be able to push one profile to multiple APs/FortiGates if APs are managed centrally, as I understand it:
https://docs.fortinet.com/document/fortimanager/7.0.1/administration-guide/256019/ap-manager
-> the WiFi profiles you can create if central AP management is enabled likely rely on the wireless-controller objects you noticed in CLI-only objects
--> you can also create WIDS profiles and AP profiles
-> you should be able to push the same WiFi/WIDS/AP profile to each FortiGate (provided they use the same AP model)
-> this should, as I understand it, include creation of the vap interfaces and related configuration
Prier to the CLI template consideration, I tested a policy package to manage wifi part because there are "wireless-controller" objects config available under "CLI Only Objects". But even when I modified the vap config there, the PP never went out of sync and doesn't install even when I removed the FGT from assigned device and re-assigned it.
Then I was wondering why they were there in Policy Package at the first place. Maybe for future usage?
Hey Toshi,
I don't currently have a Wifi setup with my FortiManager (only a FortiGate with no attached APs), so this is mostly guesswork until I can actually verify in my lab, but I think the wireless-controller objects in the ADOM database tie into AP Manager if that is running in Central management mode:
As for pushing one SSID/VAP to multiple FortiGates - you should be able to push one profile to multiple APs/FortiGates if APs are managed centrally, as I understand it:
https://docs.fortinet.com/document/fortimanager/7.0.1/administration-guide/256019/ap-manager
-> the WiFi profiles you can create if central AP management is enabled likely rely on the wireless-controller objects you noticed in CLI-only objects
--> you can also create WIDS profiles and AP profiles
-> you should be able to push the same WiFi/WIDS/AP profile to each FortiGate (provided they use the same AP model)
-> this should, as I understand it, include creation of the vap interfaces and related configuration
I see. When I started using FMG for this customer about a year ago, we unchecked FortiAP for central management so it was showing only "per-device" menu. Now I see how I could utilize FortiAP Manager in our operation. If we need some exceptions, I guess we just exclude those devices from the profile assignment. Only thing I'm missing right now is I don't see a way to pre-configure an AP without a FGT. But that wouldn't be a problem for our installation procedure because we're not using "model device" method.
I'll compare with the way I've come up with (CLI template + meta field for AP's S/N) to decide which way we want to do.
Thanks Debbie,
Toshi
After further testing AP Manager, I came to realize that as long as FAPs are centrally managed by AP Manager, the WiFi Profiles I can configure at AP Manager seems to be saved in Policy&Objects' CLI Only Objects section under wireless-controller->wtp-profile. When I changed it at AP Manager, the same change shows up in CLI Only Objects.
And when I change it at CLI Only Objects, it shows at AP Manager.
The problem now is it doesn't seem to be consistent. While I was testing above by change country from US to CA, and CA back to US, installation attempt failed due to:
error -2 - channel 165 is not supported. dfs=yes,region=,plat=221E,cnty=US,band=802.11ac,bond=40MHz
Also when I changed it via CLI script (changed a different part of profile), it didn't recognize the change to be installed.
I think this is a bug(s) at least with 6.4.8 we use instead this operation was not intended. But for now, we'll skip AP Manager feature and stick to CLI template(s) + meta field, which is very consistent.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.