LAN Edge Deployment Guide

FortiGate, FortiSwitch, and FortiAP

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 13, 2023

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide
11-644-762174-20230413
 TABLE OF CONTENTS

Change log 4
Introduction 5
Executive summary 5
Intended audience 5
About this guide 5
Design overview 6
Use case and topology 6
Design concept and considerations 6
Deployment overview 8
Deployment plan 8
Deployment procedures 9
Step 1: Bring up the FortiGate device 10
Power on the FortiGate device and log in 11
Step 2: Configure FortiLink and authorize the FortiSwitch unit 12
Remove the ports in the LAN hardware switch interface 12
Configure the FortiLink interface 12
Connect the FortiLink ports to the switch ports 13
Explore the switch controller 13
Check the switch authorization and topology 14
Step 3: Create and assign VLANs in the switch controller 15
Create FortiSwitch VLANs 15
Create firewall policies for Internet access 17
Enable inter-VLAN routing (if needed) 17
Assign VLANs to switch ports 18
Step 4: Set up NAC and create NAC policies 19
Change the onboarding VLAN 20
Set up NAC policies on the FortiSwitch unit 20
Assign ports to use a NAC policy 21
FortiSwitch configuration complete 22
Step 5: Deploy WiFi 23
Add an AP VLAN 23
Assign the AP VLAN to AP ports on the FortiSwitch unit 25
Create SSIDs 26
Configure the firewall policies 28
Deployment complete 28
Appendix A: Products used in this guide 29
Appendix B: Documentation references 30

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 3

Fortinet Inc.
Change log

Change log

Date Change Description

February 7, 2022 Initial release

April 13, 2023 Updated step 4d of the “Configure the FortiLink interface” section.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 4

Fortinet Inc.
Introduction

Introduction

Executive summary

One of the great strengths of the Fortinet LAN Edge Solution is the tight integration of everything with FortiLink.
With FortiLink, FortiSwitch units and FortiAP units are extensions of the FortiGate device. The entire network
can be treated as a single unit with a single management system, and security can be applied consistently
everywhere—in other words, Security-Driven Networking.
LAN edge equipment leverages Security-Driven Networking to extend the Fortinet Security Fabric throughout
the LAN, converging security and network access into an integrated platform. This convergence increases
security while reducing complexity, lowering cost, and improving performance at the LAN edge.
Security-driven networking is compelling and simplifies the network overall, but the integrated whole can be
confusing. Everything you want and need in your network is in the FortiGate device, and all that integration that
makes it so powerful can make it hard to decide where to start. With great power may come great confusion.
Security designs are generally specific to the deployment, but they can also be developed and improved over
time. Indeed, that is generally the recommended approach. This deployment guide is focused on the network
skeleton and the default firewall policies so that the baseline network can be up and running as quickly as
possible.

Intended audience

This guide is intended for an audience who is interested in deploying Fortinet’s secure LAN Edge Solution in a
new environment or replacing their equipment in an existing environment. Readers are expected to have a firm
understanding of networking, wireless and security concepts. Interested audiences may include the following:
l Network, wireless, and security architects
l Network, wireless, and security engineers

About this guide

The deployment guide serves the purpose of going through the design and deployment steps involved in
deploying a specific architecture. Readers should first evaluate their environment to determine whether the
architecture and design outlined in this guide is suitable for them. It is advisable to review the Reference
Architecture Guide(s) if readers are still in the process of selecting the right architecture.
This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific
steps where readers must make design decisions to further configure their devices. It is recommended that
readers also review supplementary material found in product admin guides, example guides, cookbooks,
release notes and other documents where appropriate.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 5

Fortinet Inc.
Design overview

Design overview

Use case and topology

The following figure shows the topology:

l The focus is on getting the basic network up and running, leaving details for later.
l The ISP access router/modem has been deployed.
o It will serve as a DHCP address to your FortiGate WAN link.
o The physical WAN connection is Ethernet.
l The deployment will consist of the following:
o 1 FortiGate device
o 1 FortiSwitch unit
o One or more FortiAP units

o All necessary Ethernet cabling is available or already deployed/patched.

l A laptop or other management station with an Ethernet port is available.

Design concept and considerations

The topology presented in this deployment guide is a baseline network to deploy a secure LAN edge as quickly
as possible. The solution can be scaled out to accommodate more users on a site by adding additional
FortiSwitch units, FortiAP units, and using a higher model FortiGate device. Redundancy can be improved by
adding an additional FortiGate device into an HA cluster, provisioning a full-mesh switch network, and using
aggregate links for connections.
SD-WAN can also be configured in this setup to provide redundancy and intelligent traffic steering over multiple
underlays. Finally, in multi-site deployments, the sites can be standardized into SD-branches and quickly
provisioned with a FortiManager unit and other orchestration tools.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 6

Fortinet Inc.
Design overview

In summary, the basic design in this deployment guide offers many possibilities to extend, optimize, and scale
your solution. Once you have understood the steps and concepts in this guide, also consider other guides listed
in Appendix B: Documentation references on page 30 for further reading.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 7

Fortinet Inc.
Deployment overview

Deployment overview

Review the deployment plan before starting the configuration.

Deployment plan

This deployment will configure a FortiGate device, a FortiSwitch unit, and a FortiAP unit from factory default
settings to provide wired and wireless outbound access for internal users. Other than the physical connections,
the majority of the steps are completed on the FortiGate device.
The general deployment steps are as follows:
1. Bring up a FortiGate device and connect to an ISP.
2. Configure FortiLink and authorize a FortiSwitch unit.
3. Create and assign VLANs in the switch controller.
4. Set up NAC and create NAC policies.
5. Add one or more FortiAP units.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 8

Fortinet Inc.
Deployment procedures

Deployment procedures

The following deployment steps provision a FortiGate device, a FortiSwitch unit, and a FortiAP unit in the
following topology:

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 9

Fortinet Inc.
Deployment procedures

Step 1: Bring up the FortiGate device

The following figures show the faceplate and back of the FortiGate 60F, which are similar to the FortiGate 61F:

On larger models, DMZ, HA, and MGMT ports might also be available.

When a FortiGate device is fresh out of the box, depending on the model, there are an array of physical ports
labeled according to their default configuration. To a large extent, these ports can be reconfigured, with some
hardware-dependent exceptions, to serve any purpose. However, in this case, as is best in most cases, you can
use the preconfigured and labeled defaults. Make a special note if you have ports labeled ‘A’ and ‘B’. If so, these
are preconfigured for FortiLink and will be connected to the FortiSwitch unit.
The following table lists some of the default settings on an out-of-the-box FortiGate device.

Setting Value

Management IP address and login credentials

Management IP 192.168.1.99/24

User name admin

Password <blank>
The FortiGate device prompts for a new password at the first login.

Ports and interfaces

MGMT port address range (if it 192.168.1.0/24, with the FortiGate device as the default gateway
exists)

LAN port only If there is no MGMT port, the LAN port address range is 192.168.1.0/24.

MGMT and LAN port If there is an MGMT port, the LAN ports default to a different subnet.

WAN1 DHCP client (will request an IP address from the ISP)

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 10

Fortinet Inc.
Deployment procedures

Setting Value

LAN ports labeled ‘A’ and ‘B’ Preconfigured for FortiLink

Firewall policies

LAN → WAN A firewall policy allows outgoing traffic from LAN ports but does not allow
incoming traffic from the Internet/uplink (WAN1).

If MGMT is a separate port, it will not have default Internet access.

See FortiGate Best Practices for tips on securing your administrative access.

Power on the FortiGate device and log in

1. Plug in the FortiGate device and power it on.

2. Plug the ISP uplink into the FortiGate WAN1 port.
3. Connect a management station to the MGMT (or LAN port 1) port using the Ethernet cable.
The management station should get an IP address from the FortiGate device. If it does not, configure the
management station to 192.168.1.110/255.255.255.0 with a gateway of 192.168.1.99.
4. Open a web browser and connect to 192.168.1.99.
5. At the login page, enter the user name admin, leave the password blank, and press Enter.

6. You will be prompted for a new password. Choose anything that fits your password policy. Leave the Old
Password field blank.

7. The first boot sequence setup continues with a FortiGate setup screen. This document skips these details.
A station that is Ethernet-connected to a FortiGate LAN port can now access the Internet through the
FortiGate firewall.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 11

Fortinet Inc.
Deployment procedures

Step 2: Configure FortiLink and authorize the FortiSwitch unit

FortiLink allows a FortiSwitch unit to be fully managed from the FortiGate device as if it was simply part of the
FortiGate device. VLAN tags are provisioned automatically, and there is no need to configure trunks—the
FortiGate device and FortiSwitch unit act as a unified device.

Remove the ports in the LAN hardware switch interface

On FortiGate models where there are no dedicated FortiLink ports like port A and port B, you need to remove
two of the LAN ports from the LAN interface to be used in the FortiLink interface.
By default, LAN ports are grouped together into the LAN hardware switch interface. These ports are connected
with an internal hardware switch controller and are part of the same broadcast domain.
The following steps show the configurations on a FortiGate 61F:
1. Go to Network > Interfaces and double-click on LAN.
2. In the Interface Members field, remove two physical ports by clicking on the ‘X’s.
A common practice is to use the two highest-numbered ports, but you can remove any two ports.
3. Click OK.
4. On the Network > Interfaces page, the two ports are now removed from the LAN interface, and these
interfaces are listed under the Physical Interface grouping.

Configure the FortiLink interface

FortiLink connects switches (and access points) directly to the FortiGate device so that the network acts as a
single device.
1. Go to Network > Interfaces.
2. Double-click on FortiLink.
3. Check if there are interface members listed at the top.
l If there are already two members, FortiLink is ready to connect to a switch. The two members are likely
the ports labeled ‘A’ and ‘B’ if they exist on your physical FortiGate device.
l If there are no interface members, select the two LAN ports that were removed in Remove the ports in
the LAN hardware switch interface on page 12.
4. Check the FortiLink settings.
a. In the Address section, leave the addressing mode at the default setting, Dedicated to FortiSwitch.
b. In the Address section, ensure that Automatically authorize devices is enabled.
Devices can be manually admitted one at a time later if you prefer.
c. In the Address section, disable FortiLink split interface.
The split interface is used when more than one switch is connected directly to a FortiGate device.
d. Make certain that the DHCP server is enabled.
Connected FortiSwitch units will receive an IP address in this range.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 12

Fortinet Inc.
Deployment procedures

5. Click OK.

Make the switch controller and WiFi controller visible in the GUI

Ensure that the switch controller is visible in the GUI by changing the feature visibility.
1. Go to System > Feature Visibility.
2. Under Core Features, enable Switch Controller if it is not already enabled.
3. Under Core Features, enable WiFi Controller if it is not already enabled.

Connect the FortiLink ports to the switch ports

1. Unpack the FortiSwitch unit and deploy it.

2. Turn on the FortiSwitch unit.
3. Connect the FortiSwitch unit to the FortiGate device using two Ethernet connections. Use the two
designated FortiLink ports of the FortiGate device to connect to the last two ports on the FortiSwitch unit.
It will take a few minutes for the switch to become visible and configurable in the FortiGate device.

Explore the switch controller

Go to WiFi & Switch Controller > FortiLink Interface.

This is the same FortiLink interface that you configured earlier, but there are some additional options here such
as FortiOS network address control (NAC).

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 13

Fortinet Inc.
Deployment procedures

Check the switch authorization and topology

1. Go to WiFi & Switch Controller > Managed FortiSwitch.

2. Check that the FortiSwitch unit is visible, connected to the FortiGate device, and authorized.
If the FortiSwitch unit has not been automatically authorized, click on the icon and authorize the switch.

3. To get a topology view, use the dropdown menu in the upper right corner to change List to Topology.
The Topology view shows the logical connection between the FortiGate device and the connected
FortiSwitch unit.
4. Hover over the switch icon to see the context menu with several options.
5. The following figure shows that the FortiSwitch unit is now connected, authorized, and ready to be

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 14

Fortinet Inc.
Deployment procedures

configured.

Step 3: Create and assign VLANs in the switch controller

Create FortiSwitch VLANs

There are several predefined VLANs for NAC purposes, which allow devices connected to the FortiSwitch unit
to be assigned a default VLAN automatically. This is covered in a later section. For now, you can create two
example VLANs.
Up to this point, the recommended configuration has been virtually identical to this guide. At this point, you might
want your specific deployment to deviate from this guide due to a preferred IP address scheme and the number
of VLANs needed, and if inter-VLAN routing is needed. The following configuration is for two internal VLANs,
both with Internet access and routing between them allowed.
1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Click Create New.
3. Assign a VLAN name. For example, enter VLAN100.
4. By default, Type is set to VLAN, and Interface is set to fortilink.
5. Assign a number between 2 and 4,094 not already in use for the VLAN ID. For example, enter 100.
The default configuration uses 4089-4093 for the predefined VLANs.
6. Select a color if you want to.
7. From the Role dropdown list, select LAN.
8. For the addressing mode, click Manual.
9. In the IP/Netmask field, enter an IP address and netmask. For example, enter
10.10.100.1/255.255.255.0.
10. Enable Create address object matching subnet if it is not already enabled.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 15

Fortinet Inc.
Deployment procedures

This setting will be useful in policies later.

11. Enable DHCP Server.

12. Accept the default address range or adjust it for your environment.
13. Check that Same as Interface IP and Same as System DNS are enabled.

14. Click OK.

15. For the second VLAN, repeat the preceding procedure with a different interface address:
a. Enter VLAN200 for the VLAN name.
b. Enter 200 for the VLAN ID.
c. Enter 10.10.200.1/255.255.255.0 for the IP address and netmask.
d. Configure other settings as needed.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 16

Fortinet Inc.
Deployment procedures

16. Click OK.

Create firewall policies for Internet access

The Internet access policies will mirror the LAN internet policy described in Step 1: Bring up the FortiGate
device on page 10.
1. Go to Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the firewall policy according to your VLAN names.
a. Enter a name for the Internet access policy for the first VLAN. For example, enter VLAN100-
Internet.
b. Select your first VLAN for the incoming interface. For example, select VLAN100.
c. Select WAN1 for the outgoing interface.
d. Select all for the source.
e. Select all for the destination.
f. Select always for the schedule.
g. Select all for the service.
h. Click ACCEPT for the action.
4. Under Firewall/Network Options, make certain that NAT is enabled and Use Outgoing Interface Address is
selected.

5. Accept the rest of the default settings and then click OK.
6. Repeat steps 1-5 for your second VLAN.

Enable inter-VLAN routing (if needed)

Both VLANs now have Internet access. If the VLANs need to reach each other, you need to configure two more
policies for inter-VLAN routing. Repeat the steps in Create firewall policies for Internet access on page 17 but

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 17

Fortinet Inc.
Deployment procedures

with changes to the incoming and outgoing interfaces.

For example, for the first inter-VLAN routing policy:
l Select VLAN100 as the incoming interface.
l Select VLAN200 as the outgoing interface.
For example, for the second inter-VLAN routing policy:
l Select VLAN200 as the incoming interface.
l Select VLAN100 as the outgoing interface.

Assign VLANs to switch ports

Now that the VLANs and policies are configured, you need to assign the VLANs to the switch ports. This method
assigns VLANs statically to a port. The next section describes how to use NAC policies to assign VLANs.
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Notice that the FortiLink ports show the FortiGate device itself in the native VLAN column. You do not need
to configure a trunk port.
3. To change the VLAN assigned to any port, hover over the current native VLAN of that port, and a pencil
icon is displayed.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 18

Fortinet Inc.
Deployment procedures

4. Click the pencil icon to edit the port.

a. In the Select Entries pane, select the VLAN to assign to this port.

b. If that VLAN has not been defined yet, click Create to create a new VLAN.
c. Click Apply to save the change.
5. Assign other ports to static VLANs as needed.

Step 4: Set up NAC and create NAC policies

NAC identifies a device by some criteria, such as the operating system and hardware vendor, and then assigns
it to a policy-defined VLAN.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 19

Fortinet Inc.
Deployment procedures

By default, there is an onboarding VLAN for NAC onboarding devices. For NAC, the onboarding VLAN is treated
differently than other VLANs. When a device connects to a switch port in NAC mode, the device goes the
following process:
1. The device gets a DHCP address on the onboarding VLAN.
2. The device gets categorized by a NAC policy.
3. The device gets a new DHCP address on the assigned VLAN.

If the device does not match any category, the device remains in the onboarding VLAN. Therefore, consider
applying stricter restrictions on the policy to allow traffic for the onboarding VLAN.
By default, there are other default defined VLANs that you can use for your NAC policies. You can also add
additional VLANs for your NAC policy.

Change the onboarding VLAN

By default, FortiGate NAC policies place onboarding devices into the onboarding VLAN. To change this
behavior, you can edit the VLAN from NAC Policies > FortiSwitch VLANs and edit the FortiLink interface.

Set up NAC policies on the FortiSwitch unit

You can define additional rules to assign devices into VLANs based on device patterns, user information, or
EMS tags.
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New to created a FortiSwitch NAC policy.
a. Enter dev-NAC for the name of the NAC policy.
b. Click Enabled for the status.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 20

Fortinet Inc.
Deployment procedures

c. Click Device for the category.

d. Enable MAC address and then enter a device MAC address using the 00:00:00:00:00:00 format.
e. You can enable multiple criteria.
f. Under Switch Controller Action, enable Assign VLAN and then select a previously configured VLAN
from the dropdown list.

3. Click OK to save the NAC policy

4. Create other NAC policies to assign devices to different VLANs.

Assign ports to use a NAC policy

So far, you have statically assigned ports to a VLAN. However, for ports that require different access or security
levels based on the device connected, they can be configured to use NAC policies.
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select the ports that need to be changed to NAC mode.
3. Right-click and select Mode > NAC.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 21

Fortinet Inc.
Deployment procedures

4. After applying the NAC mode, refresh the page in a few seconds. The Native VLAN value will be updated.

FortiSwitch configuration complete

Your FortiSwitch configuration is now complete. Connecting devices to ports in static mode allows traffic to pass
through the firewall policy assigned to those VLANs. Connecting devices to the NAC-mode port places the
device in the VLAN based on the NAC policy that matches.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 22

Fortinet Inc.
Deployment procedures

Step 5: Deploy WiFi

This deployment guide does not cover the details of installing access points (APs); see the FortiAP Quick Start
Guides. However, here are some of the best practices to follow:
l Access points with integrated/internal antennas are intended for ceiling mounts. If wall mounting is
necessary, use an external antenna access point with the appropriate antenna.
l All antennas have a directional element. Omnidirectional antennas propagate the signal in a donut
pattern (a torus) and have the strongest signal at the level of the access point. They work fine for 10-
20-foot ceilings. Down-pointed directional antennas might be better for higher ceilings. High-gain
omnidirectional antennas are a poor choice for high ceilings because they flatten the donut into a
pancake, raising signal strength at the ceiling level.
l Wall-mounted access points must have external antennas so that the signal can be directed properly.
Omnidirectional antennas (the standard “rubber ducks”) need to be vertically aligned.
l Be sure you have the correct power over Ethernet (PoE) level to power the access points available from the
switch and that the total PoE budget is sufficient for the total number of access points.
l Note the MAC address and/or a serial number of the access points and their locations. These notes will
help with later documentation.
l When running cable for access points, leave plenty of extra cable at the AP end to allow the access point to
be moved to adjust coverage. Sometimes a few feet (meters) can eliminate an unanticipated dead spot.

Add an AP VLAN

Prepare an AP VLAN by going to WiFi & Switch Controller > FortiSwitch VLANs and creating a VLAN (see
Create FortiSwitch VLANs on page 15) for AP management (control plane). This VLAN creates security
isolation between the AP management (control channel) and user traffic (data channel).
1. Enter a name for the VLAN.
2. Assign a VLAN ID.
3. Select Manual for the addressing mode and assign a VLAN/gateway IP address.
4. Under Administrative Access, click Security Fabric Connection. Add other access types as needed.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 23

Fortinet Inc.
Deployment procedures

5. Enable DHCP server and enter the IP address range.

6. Under Network, enable Device detection.
7. Enable Automatically authorize devices.
Even in a high-security environment, it is usually best to enable this option until the initial deployment is
done. Then disable it to lock down the network.

8. Click OK.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 24

Fortinet Inc.
Deployment procedures

Assign the AP VLAN to AP ports on the FortiSwitch unit

Any FortiAP units connected to the FortiSwitch ports that are assigned as the AP VLAN will automatically
connect to the FortiGate device, get an IP address, and be authorized by the FortiGate device. To simplify the
deployment, a FortiAP unit can connect to a FortiSwitch PoE port for power. Otherwise, an external power
source is needed.
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select a PoE-capable port if possible and change the native VLAN to the AP VLAN.

3. Connect the access points with Ethernet cables to the correct ports on the PoE-capable FortiSwitch unit
and give them a few minutes to start and become authorized.
You can check the progress by going to Security Fabric > Physical Topology or in WiFi & Switch Controller
> Managed FortiAPs.
4. Go to WiFi & Switch Controller > Managed FortiAPs.
5. If necessary, change the view in the dropdown list from Group to AP.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 25

Fortinet Inc.
Deployment procedures

6. If necessary, access points that have not been automatically authorized can be authorized using the right-
click menu or the Edit button.
7. Fortinet recommends using the edit function to rename the access points to something helpful, such as
“Main-Lobby” or “breakroom.”

Create SSIDs

1. Go to WiFi & Switch Controller > SSIDs.

2. Click Create New > SSID.
3. Enter a name for the SSID.
This is an internal name and does not have to match an over-the-air SSID.
4. Make certain that Tunnel is selected for the traffic mode.
In tunnel mode, WLANs are treated as interfaces in the FortiGate device and behave as a VLAN interface.
5. Assign an IP address (VLAN gateway) and set up the DHCP server.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 26

Fortinet Inc.
Deployment procedures

6. Under WiFi Settings, configure the following:

a. Enter the name of the SSID.
This is the over-the-air name.
b. Select WPA3 SAE or WPA2 Personal for the security mode.
Ideally, as you refine your security policies, you will use one of the enterprise security modes. See the
primary documentation for how to set up WPA2 Enterprise and WPA3 Enterprise with a RADIUS
server.
c. Enter a pre-shared key.

d. Click OK.

The SSIDs are deployed to the APs. More complex deployments involving groups of access points with different
WLANs can be configured. See the primary documentation.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 27

Fortinet Inc.
Deployment procedures

Configure the firewall policies

Firewall policies must be configured (see Create firewall policies for Internet access on page 17) to allow
wireless access from the SSID. Here you can also define the profiles to use for scanning the traffic.

Deployment complete

The basic LAN edge network design is configured. The FortiGate device is a gateway to the Internet, a
FortiSwitch unit is connected and communicating over a FortiLink, Wi-Fi is available, and an example NAC
policy is configured.
You can refer to other Fortinet documentation to further secure, refine, optimize, and scale your solution.

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 28

Fortinet Inc.
Appendix A: Products used in this guide

Appendix A: Products used in this guide

The following product models and firmware were used in this guide. FortiSwitch 7.0 and FortiAP 7.0 can also be
used for this deployment.

Product Model Firmware

FortiGate FortiGate 61F 7.0.3

FortiSwitch FortiSwitch 108E-POE 6.4.4

FortiAP FortiAP 221E 6.4.4

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 29

Fortinet Inc.
Appendix B: Documentation references

Appendix B: Documentation references

For more information, use the following resources:

l Product administration guides
l FortiGate Administration Guide
l Managed FortiSwitch Administration Guide
l FortiWiFi and FortiAP Configuration Guide
l Solution hub
l Secure Access

FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide 30

Fortinet Inc.
 www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.