Whitepaper: Fortinet wireless

Title: FortiAP 221C, 11C & Fortigate 60D

Author: Jurgen Vermeulen

Jurgen@juve-consulting.be
+32 (491) 56.35.96

JUVE Consulting BVBA ∙ Roosgrachtlaan 27, B-3400 Landen ∙ Tel.: +32 (491) 56.35.96 ∙
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Table of Contents

Table of Contents
1 INTRODUCTION ...................................................................................................................... 1

2 TEST SETUP ............................................................................................................................. 2

2.1 FIREWALL & WLC .................................................................................................................... 2

2.2 MAIN ACCESS POINTS ................................................................................................................ 2
2.3 THIN ACCESS POINT................................................................................................................... 3
2.4 LOCAL NETWORK...................................................................................................................... 4
2.5 TESTING EQUIPMENT................................................................................................................. 4

3 TEST CONFIGURATION ............................................................................................................ 5

3.1 CONNECTING THE ACCESS POINTS ................................................................................................ 5

3.2 THE FORTIAP PROFILES.............................................................................................................. 6
3.3 SSID CONFIGURATION ............................................................................................................... 7
3.4 FIREWALL POLICIES ................................................................................................................... 9
3.5 LOCAL AP MANAGEMENT INTERFACE .......................................................................................... 10

4 TEST RESULTS – LOCAL NETWORK ......................................................................................... 11

4.1 PERFORMANCE - CLEAR TEXT CONNECTION (DTLS DISABLED) ............................................................ 11

4.1.1 BRIDGED MODE (WIFIKEUH SSID) .................................................................................................... 11
4.1.2 TUNNELED MODE (WIFIKEUH2 SSID)................................................................................................ 12
4.2 PERFORMANCE - ENCRYPTED CONNECTION (DTLS ENABLED)............................................................. 13
4.2.1 BRIDGED MODE (WIFIKEUH SSID) .................................................................................................... 13
4.2.2 TUNNELED MODE (WIFIKEUH2 SSID)................................................................................................ 13
4.3 RANGE ................................................................................................................................ 14
4.4 GENERIC REMARKS ................................................................................................................. 14
4.4.1 HTTP CONNECTION TO THE AP........................................................................................................ 14
4.4.2 CLEAR TEXT CONNECTION BY DEFAULT ............................................................................................... 14
4.4.3 FIRMWARE ................................................................................................................................... 14
4.5 BUGS ENCOUNTERED............................................................................................................... 15
4.5.1 BRIDGED MODE DHCP BUG............................................................................................................. 15
4.5.2 AP UNSTABLE WHEN MAKING FREQUENT CONFIGURATION CHANGES ...................................................... 15

5 TEST RESULTS - REMOTE OFFICE USING FORTIAP 11C ............................................................ 16

5.1 INTRODUCTION ...................................................................................................................... 16

11/07/2014, V 1.0 <public> Page i

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Table of Contents

5.2 PERFORMANCE – DTLS DISABLED .............................................................................................. 16

5.3 PERFORMANCE – DTLS ENABLED ............................................................................................... 17
5.4 RANGE ................................................................................................................................ 18
5.5 EASE OF USE ......................................................................................................................... 18
5.6 GENERIC REMARKS ................................................................................................................. 18
5.6.1 HTTP CONNECTION TO THE AP........................................................................................................ 18
5.6.2 CLEAR TEXT CONNECTION BY DEFAULT ............................................................................................... 18
5.6.3 NO EASY WAY TO CONNECT TO A REMOTE AP’S INTERFACE .................................................................. 18

6 CONCLUSION ........................................................................................................................ 19

7 MORE INFORMATION ........................................................................................................... 20

11/07/2014, V 1.0 <public> Page ii

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Introduction

1 Introduction
I’ve been running a Fortigate 60D firewall for a while now and was looking to replace my home
wireless by a more stable solution. Since my Fortigate can also be used as a WLC for FortiAP access
points, I decided to give them a try.

The main focus on the document will be on basic installation and performance, but there are more
features available. The test setup will have 2 SSIDs configured on the local LAN (bridged and
tunneled), and the tunneled SSID will be made available for remote users using the FortiAP 11C.

11/07/2014, V 1.0 <public> Page 1

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test setup

2 Test setup

2.1 Firewall & WLC

The firewall used in the test is Fortinet’s Fortigate 60D with following configuration:

- LAN interface, WAN interface + secondary WAN link

- UTM enabled
- No dedicated interface for FortiAP
- FortiOS 5.2.0

2.2 Main access points

For this test, I used 2 FortiAP 221C units. The main specs are:

- Dual radio.
- Internal antenna’s
- 802.1 AC capable (on 2nd radio)
- POE capable
- 1 Gbps connection
- Firmware 5.2.0

One AP is located on the ground floor, 1 AP is located on the first floor. A mounting bracket is
provided in the package, a power adapter isn’t. I have mine powered by a POE switch, but you can
use a POE injector as well (GPI-115).

11/07/2014, V 1.0 <public> Page 2

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test setup

2.3 Thin access point

As remote AP, I’ll be using a FortiAP 11C unit. This is the entry level thin AP and has the following
specs:

- Single radio.
- Internal antenna
- Wireless b/g/N on 2,4 GHz.
- 2 Gbps connections: LAN & WAN
- Firmware 5.2

This AP will be used in a road warrior setup and connected to some DSL and cable home Internet
connections for testing.

11/07/2014, V 1.0 <public> Page 3

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test setup

2.4 Local network

The LAN network is built on TP-LINK smart managed switches. Both the access points and firewall are
connected to a TP-Link SG2424P switch.

2.5 Testing equipment

The following equipment was used during the tests:

- Samsung galaxy tab 3 8.0 inch

- Samsung series 5 laptop (Win7 pro 64 bit)
- Desktop computer (Win7 pro 64 bit)
- Wifi speed test: android application to test your network speed. Server executable installed
on the Win7 machines.
- XBMC

Unfortunately, I don’t have any AC capable equipment today, so I wasn’t able to test this.

11/07/2014, V 1.0 <public> Page 4

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

3 Test configuration

3.1 Connecting the Access Points

Connecting the equipment to the network is very easy:

- Enable CAPWAP on the Fortigate interface(s) facing the AP

- Enable wireless controller feature in case it is turned off.
- Create a wireless profile & assign correct country code
- Hook up the AP to the network.
- Authorize it on the Fortigate.
- Assign the profile created in step 3 (right-click on the AP name)

The result is something like this:

Under Monitor -> wireless health you can get an overview of generic wireless related data:

11/07/2014, V 1.0 <public> Page 5

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

Under Client monitor, you get an overview of all wireless clients that are currently connected:

3.2 The FortiAP profiles

The FortiAP profile contains all settings you want to assign to a specific AP or group of AP’s. Each AP
hardware has a specific default profile, and you can create custom profiles as you wish.

Spectrum analysis will give you readings on rogue access points and can help you determine which
are the best wireless channels to use. I disabled channel 11 on radio 1, as it is the most used in my
neighbourhood and using it has a performance impact.

The client load balancing features allow for the access points to pass clients to least used nodes or to
spread the frequencies between the different access points.

11/07/2014, V 1.0 <public> Page 6

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

By default, the AP and Fortinet support both clear text or DTLS encryption channels. If both are
available, clear text will be chosen automatically. You can force encryption by either changing the AP
or WLC profile configuration. Using DTLS combined with tunneled traffic (see below) does have a
performance impact.

For the FortiAP 11C, since this will be used off-site and it needs to connect to the firewall over the
Internet, we will statically configure the controller’s IP or hostname. Connect to the AP using HTTP
and modify the AC address accordingly:

This will allow the AP to connect to the Fortigate on its internal or external interface, no matter
where it is located. For a remote AP, you should use DTLS, but I choose to force this on the Fortigate
side on the WTP profile, for increased flexibility.

3.3 SSID configuration

Each AP can handle multiple SSIDs. You create the ones you need on the Fortigate WLC and assign
the required ones to each FortiAP profile. There are 2 ways to configure an SSID:

- Bridged to local interface: this will use the AP’s LAN interface to send data to the network.
You can use this mode when the AP is connected directly to your LAN and you want to avoid
the overhead of tunneling traffic towards the Fortigate.

11/07/2014, V 1.0 <public> Page 7

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

- Tunneled mode: all traffic from and to clients connected to these SSIDs will be sent through
a tunnel between the AP and firewall. You can create several networks assigned to different
profiles and these networks only need to exist at the firewall, not on the AP’s LAN connection
point.

11/07/2014, V 1.0 <public> Page 8

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

3.4 Firewall policies

You can create policies using the assigned network interfaces linked to the SSIDs.

11/07/2014, V 1.0 <public> Page 9

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test configuration

3.5 Local AP management interface

It is possible to make some configuration changes to the AP through HTTP or telnet (needs to be
manually enabled + access will be disabled once a connection to a WLC is made). This is needed
when you connect the AP to a remote location and it isn’t able to autodiscover the WLC parameters.
You can also assign a static IP and monitor the wireless radio.

11/07/2014, V 1.0 <public> Page 10

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results – local network

4 Test results – local network

4.1 Performance - clear text connection (DTLS disabled)

4.1.1 Bridged mode (Wifikeuh SSID)
When connected to the AP in bridged mode, it’s possible to get an average throughput of 39 mbps,
which is better than what I’ve seen on my other equipment. The signal allows to play back a 1080p
mkv with 5.1 surround without any issues when not too far away from the AP.

11/07/2014, V 1.0 <public> Page 11

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results – local network

4.1.2 Tunneled mode (Wifikeuh2 SSID)

Next, I switched to the Wifikeuh2 SSID, which has all traffic tunneled towards the Foritgate WLC, and
is then routed onto the network. Results were very similar:

There’s little overhead and you don’t notice any difference when connected to this SSID. Video kept
playing smoothly as well.

11/07/2014, V 1.0 <public> Page 12

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results – local network

4.2 Performance - encrypted connection (DTLS enabled)

4.2.1 Bridged mode (Wifikeuh SSID)
When connected in bridge mode, you observe no speed difference when connected. This is logical,
because all traffic is handed off through the LAN port of the AP, directly onto the network instead of
being sent through the tunnel. Only control data is encrypted over the link between the AP and the
WLC.

4.2.2 Tunneled mode (Wifikeuh2 SSID)

Where you do notice a difference, is in the tunneled SSIDs. When performing the same tests on a
DTLS channel, my performance dropped to around 11 mbps:

Both the AP’s and the Fortigate’s CPU went very high. While this speed is more than enough to do
some surfing and office work, don’t expect to stream full HD content over the DTLS link without any
issues. If the AP is located remotely and needs to connect over an untrusted connection, DTLS is a
must have, so keep this in mind when scaling the equipment.

11/07/2014, V 1.0 <public> Page 13

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results – local network

4.3 Range
One of the main drawbacks of my old wifi equipment was range. I used to have a Linksys WRT54GS,
flashed DD-WRT on it and boosted transmit power to maximum to get some decent coverage. My
second AP was a Netgear router with Wireless-N, dual band radio and that was barely able to server
1 floor in the house. Roaming between them was also impossible.

I was pleasantly surprised that with 2 access points, I now have decent wireless coverage throughout
the entire house (ground floor, first floor and second floor), while having a lot of concrete and metal
used throughout the house. Roaming is also working very well, thanks to the cooperation between
the access points. I didn’t perform any VOIP tests yet, but I don’t get disconnected for a minute
anymore when moving from one floor to another.

4.4 Generic remarks

4.4.1 HTTP Connection to the AP
While telnet gets disabled once the AP connects to the controller, and there aren’t that many options
to configure on the AP, having a HTTPS interface would be preferred over HTTP. In the meantime,
take this into account and make sure to use a different password and change it frequently in order to
manage the AP from the web interface.

4.4.2 Clear text connection by default

The recommended setup for deploying AP’s is slightly different from what I did, ie. Connecting the
AP’s to a dedicated Fortigate interface that is separated from the rest of the network, so I
understand that from a performance point of view, the default way of connecting the AP is using a
clear text connection. However, since we’re talking about a security product, I would rather see the
most secure option being chosen in case of multiple possibilities. By default, both clear text and DTLS
are enabled, so logic would be to use DTLS. If you want to use clear text as default to bypass possible
performance impact , make ‘clear text’ the default setting and not both options.

4.4.3 Firmware
The FAP 221C is a new product and the FortiOS 5.2.0 being a new ‘major’ release, there still are some
hiccups. The AP’s second radio sometimes doesn’t appear as functional in the Managed AP view,
while it seems active on the AP itself, performing frequent changes confuse the AP and Fortigate, and
I had to do 2 or 3 reboots of the AP’s because of some weird behavior.

Once I put on a final configuration and didn’t fiddle with it every couple of minutes, the setup was
very stable though. These are some minor issues that should disappear in the coming firmware
updates.

11/07/2014, V 1.0 <public> Page 14

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results – local network

4.5 Bugs encountered

4.5.1 Bridged mode DHCP bug
When you connect to a SSID that is configured to be bridged over the AP’s interface (not using tunnel
mode), it happens that you can’t get an IP from the DHCP server. I haven’t been able to pinpoint the
exact problem, but there are other people experiencing the same issue. When connected in tunnel
mode, I never experienced this issue. A reboot restores connectivity, but it can happen again at
random.

4.5.2 AP unstable when making frequent configuration changes

I did notice the AP’s becoming unstable when making a lot of changes to the configuration. This was
adding and removing SSID’s, changing frequencies, … I didn’t notice issues when I left the
configuration alone, so it shouldn’t be a real issue when in production.

11/07/2014, V 1.0 <public> Page 15

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results - remote office using FortiAP 11C

5 Test results - remote office using FortiAP 11C

5.1 Introduction
After conducting the LAN tests, I setup the FortiAP 11C to be used as a secure connection to the main
network from any remote location. I did perform a speed test with DTLS disabled to show the
difference in speed, however in this scenario you should really go for security over performance.

5.2 Performance – DTLS disabled

11/07/2014, V 1.0 <public> Page 16

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results - remote office using FortiAP 11C

5.3 Performance – DTLS enabled

Performance is pretty good for a remote user, even with DTLS enabled. In any case, it is more than
enough to be able to work and have a video call. When taking Belgium into account, most home
Internet lines do have very high download bandwidth (10 to 160 Mbps), but limited upload
bandwidth of around 4 to 6 Mbps.

11/07/2014, V 1.0 <public> Page 17

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Test results - remote office using FortiAP 11C

5.4 Range
Range is pretty good considering the form factor of the device. It doesn’t go as far as a regular AP,
but I was able to move around on the same floor without losing connectivity. Don’t expect any
decent signal when moving up or down a floor though.

5.5 Ease of use

Staging the AP is a matter of minutes. Once this has been performed, you can just give it to anyone
and they can set it up in just 2 minutes. Plug an Ethernet cable into the wan port and plug the unit
into a power plug, and wait until the connection to the firewall is up. No need to fiddle around with
VPN clients or network settings, the user just has the same experience as being inside the office.

5.6 Generic remarks

5.6.1 HTTP Connection to the AP
Same as for the central access points, the use of HTTPS would be more appropriate, since these
access points are connected in untrusted environments.

5.6.2 Clear text connection by default

By default, both clear text and DTLS are enabled, so logic would be to use DTLS. The main use of
these Aps is to create a secured home office, so not using DTLS would compromise security.

5.6.3 No easy way to connect to a remote AP’s interface

While most of the configuration is performed from the Fortigate WLC, in some cases it can be useful
to be able to connect to the web interface or cli of the AP itself. Adding a shortcut launching a
console session from the Fortinet would make this a lot easier, and if the DTLS tunnel is used, you
can bypass problems with ISP’s blocking HTTP/HTTPS/… which will stop you from connecting to the
AP.

11/07/2014, V 1.0 <public> Page 18

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Conclusion

6 Conclusion
I’m very happy with the performance of the AP’s and the interconnection between wireless and
security. Range and throughput on the AP’s is very good, there are some minor bugs present in the
current firmware but nothing shocking and It is very easy to deploy. I didn’t test every feature yet
and focused on performance for now, but I’m very impressed with what you get for the money. Most
AP’s are a lot more expensive and having to manage a separate WLC can be a hurdle. Another option
are cloud-managed networks using Meraki/Aerohive/… but if you already have Fortinet equipment
installed, the seamless integration is a real plus.

As for the FortiAP 11C, it is a really cheap solution to allow people to work remotely without the
hassle of VPN clients, overlapping subnets, … It really is plug&play and very portable.

11/07/2014, V 1.0 <public> Page 19

FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
More information

7 More information
For more information, a live demo or quote, don’t hesitate to contact us:

JUVE Consulting

Jurgen Vermeulen
Jurgen@juve-consulting.be
+32 (491) 56.35.96

11/07/2014, V 1.0 <public> Page 20