springeruk
New Contributor

Third party Wireless access point

Hi all,

 

I had intended to use a low cost Netgear Wireless Access Point connected via ethernet back to my Fortiwifi60D to extend the wireless network but have just been told that I can only use a Fortigate product to do this. That seems almost impossible to believe as I have never had this restriction with any other firewall/router manufacturer.

Before I consider buying a significantly more expensive Fortigate device... Has anyone here ever used a third party wireless access point with a Fortiwifi60D (or any other Fortigate firewall/router)?

 

Thanks.

16 REPLIES
springeruk

tanr wrote:

...plus you may have to explicitly tell the 60D that your Netgear WAP isn't a rogue AP

 

 

Could you tell me more about that?

Bromont_FTNT

springeruk... yes I found your support ticket, if you can upload it there I'll take a look. If Rogue AP suppression was an issue all your clients connected to the WAC120 would get disconnected right away, doesn't look like that's a problem.

springeruk

Bromont wrote:

springeruk... yes I found your support ticket, if you can upload it there I'll take a look. If Rogue AP suppression was an issue all your clients connected to the WAC120 would get disconnected right away, doesn't look like that's a problem.

That's interesting as all clients connected to the WAC120 are excluded from connecting to the FGT, on to the internet via it, or any device connected to one of its LAN ports. However they can connect to other devices on the network via the network switch...

The config file has been uploaded to the support ticket.

tanr
Valued Contributor II

@springeruk

 

You're (hopefully) already resolving this with TAC, but if not, a few more details:

 

Is your WAP receiving its IP from the FGT, or does it have a static IP?  If the IP is static, have you confirmed that nothing else on the network has that IP?  Does changing the static IP to something else help?

 

In the same vein, have you looked at the switch, with the WAP hooked up, and checked that the ARP and MAC tables make sense?  A duplicate MAC (though unlikely) would certainly muck things up.

 

Rogue APs are WAPs connected to the FGT that the FGT doesn't have in its list of valid APs.

However, the FGT only scans for these and suppresses them if you've told it to do so.

 

The Rogue AP monitoring and suppression would be part of the WIDS profile for your built in AP on the FortiWifi 60D.

If you search the docs for "Monitoring Rogue APs" or "Suppressing Rogue APs" you should find details.

If you're running the 60D with 5.4.0 or 5.4.1 you can look in the GUI under Monitor > Rogue AP Monitor to see if anything shows up.

 

Be interested to hear the resolution to this - especially since I'm supposed to be hooking up a FortiAP and a third party WAP to the same network next week.

Bromont_FTNT

Strange... everything looks good. Next step would be to run this sniffer on the Fortigate filtering a wireless client IP to determine if it's seeing packets coming towards it.

#diag sniffer packet Internal "host 192.168.16.x" 6 0 a 

ctrl-c to stop...

then a debug flow:

diag debug en
#diag debug flow filter addr 192.168.16.x
#diag debug flow show console en
#diag debug flow trace start 100 

Bromont_FTNT

From what I can tell you don't need another firewall policy seeing as your AP is bridged to your internal wired network. We'd need to see the output from the above sniffer and debug flow to see if the traffic is hitting the Fortigate and if so what the Fortigate is doing with it.

michaelbazy_FTNT

Usually, third party APs just do a WiFi to LAN conversion of the packets... However, you might have some complaints from your users on the signal quality where the 2 signals overlap...

I'm operating by "Crocker's Rules"