Using a FortiAP to provide remote access


In this example, you pre-configure a FortiAP to provide access to the office network from any remote location simply by connecting the FortiAP to the Internet. This FortiAP could be given to an employee to use at home or when traveling.

The FortiAP’s configuration also supports Internet browsing from behind the corporate firewall. The remote user’s local network remains accessible by defining it as a split tunnel destination that is not routed through the FortiGate unit.

1. Enable the split tunneling feature

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the CLI.

Go to System > Dashboard > Status and use the CLI Console:

config system global
  set gui-fortiap-split-tunneling enable
end

2. Create the WiFi network

Go to WiFi Controller > WiFi Network > SSID and create a new SSID. Configure it so that only members of the employees user group can log in.
Enable the DHCP Server and make note of the IP range; you will need it for the address object in the next step.

3. Create the security policy

Go to Policy & Objects > Objects > Addresses and create an address representing the range of remote user addresses that the DHCP server can assign.
Go to Policy & Objects > Policy > IPv4 and create a policy that allows remote wireless users to access the Internet and the corporate network. Use the SSID as the incoming interface and the address you just created as the source, and enable logging of allowed traffic so that remote users' sessions appear in the Forward Traffic log.

4. Create the FortiAP Profile

Go to WiFi Controller > WiFi Network > FortiAP Profiles and create a new profile for the FortiAP model you are using.

The Split Tunneling Subnet(s) entry exempts a typical home network subnet from being routed through the FortiGate. Traffic to these subnets is forwarded locally by the FortiAP, so it is neither inspected by the security policy nor logged; choose a subnet that does not overlap the corporate address space, or corporate destinations in that range would bypass the FortiGate.

Select the SSID that the remote FortiAP will broadcast.


5. Enable CAPWAP on the Internet interface

Go to System > Network > Interfaces and edit the Internet-facing interface. In Administrative Access, enable CAPWAP. Enable only what is needed here: the FortiAP needs CAPWAP, and other administrative access protocols should stay disabled on the Internet-facing interface unless they are required for another reason.

6. Pre-authorize the FortiAP unit

Go to WiFi Controller > Managed Devices > Managed FortiAPs and create a new entry.
Enter your FortiAP's Serial Number and a Name to identify whose device it is.
Choose the FortiAP Profile that you created. Because CAPWAP is reachable from the Internet, only FortiAPs whose serial numbers you have entered here should ever be authorized; do not authorize unknown units that later appear in this list.


7. Configure the FortiAP unit

Use FortiExplorer to access the FortiAP CLI through the USB MGMT port.

Enter these commands to specify the IP address of the FortiGate WiFi controller, which will be the Internet-facing interface IP address. The cfg -a command sets the controller address variable and cfg -c commits the change to the FortiAP's flash so it survives a reboot. Enter exit to end.

FAP11C3X13000412 # login: admin
FAP11C3X13000412 # cfg -a AC_IPADDR_1=172.20.120.142
FAP11C3X13000412 # cfg -c
FAP11C3X13000412 # exit

The remote user can now take this device to a remote location to connect securely to the corporate FortiGate unit.

Results

At the remote location, connect the FortiAP to the Internet using an Ethernet cable. Next, connect the FortiAP to power. The network must provide DHCP service and allow the FortiAP to access the internet.

Once connected, the FortiAP requests an IP address and locates the FortiGate wireless controller.
The remote WiFi user can now access the corporate network and browse the Internet securely from behind the corporate firewall.

Connections to destinations on the split tunneling subnet are possible, but they will not be visible in the FortiGate logs because the traffic remains local to the FortiAP and never reaches the FortiGate's security policy.
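To make the split-tunnel behaviour concrete, here is an added Python example (not part of the recipe and not Fortinet code) that models the decision the remote FortiAP makes for each destination and sanity-checks a candidate Split Tunneling Subnet list against the corporate address space and the SSID's DHCP range before it goes into the FortiAP Profile. The corporate subnets, DHCP range, home subnet and sample flows are constructed values, not taken from the page.

```python
# Added example, not part of the Fortinet recipe: model the split-tunnel
# decision a remote FortiAP makes and check a subnet list for entries that
# would quietly bypass the FortiGate. All addresses below are constructed.
import ipaddress
from typing import Dict, List, Sequence, Tuple

Network = ipaddress.IPv4Network

# Constructed sample values (assumptions, not from the recipe).
CORPORATE_SUBNETS = [Network("10.0.0.0/8"), Network("172.20.120.0/24")]
SSID_DHCP_RANGE = Network("10.10.80.0/24")     # range the SSID's DHCP server hands out
HOME_SPLIT_SUBNET = Network("192.168.1.0/24")  # typical home LAN exempted from the tunnel


def route_for(dst: str, split_subnets: Sequence[Network]) -> str:
    """Return 'local' when the FortiAP forwards the packet on the remote LAN
    (a split-tunnel destination) and 'tunnel' when it is carried over CAPWAP
    to the FortiGate, where the security policy and logging apply."""
    ip = ipaddress.ip_address(dst)
    return "local" if any(ip in net for net in split_subnets) else "tunnel"


def check_split_subnets(split_subnets: Sequence[Network],
                        corporate_subnets: Sequence[Network],
                        dhcp_range: Network) -> List[str]:
    """Flag split-tunnel entries that would send traffic around the FortiGate.

    Anything matched by these subnets is handled locally by the FortiAP, so it
    is never inspected by the policy and never appears in the forward-traffic log.
    """
    problems: List[str] = []
    for net in split_subnets:
        if net.prefixlen == 0:
            problems.append(f"{net}: exempts every destination, nothing would use the tunnel")
        for corp in corporate_subnets:
            if net.overlaps(corp):
                problems.append(f"{net} overlaps corporate subnet {corp}: "
                                "those destinations would be sent to the home LAN")
        if net.overlaps(dhcp_range):
            problems.append(f"{net} overlaps the SSID DHCP range {dhcp_range}")
    return problems


def summarize_flows(flows: Sequence[Tuple[str, int]],
                    split_subnets: Sequence[Network]) -> Dict[str, List[Tuple[str, int]]]:
    """Split sample (destination, port) flows into the ones the FortiGate log
    will show ('tunnel') and the ones it will not ('local')."""
    out: Dict[str, List[Tuple[str, int]]] = {"tunnel": [], "local": []}
    for dst, dport in flows:
        out[route_for(dst, split_subnets)].append((dst, dport))
    return out


if __name__ == "__main__":
    # Constructed sample flows: corporate file server, public web site, home printer.
    flows = [("10.1.1.20", 445), ("203.0.113.10", 443), ("192.168.1.7", 9100)]
    print(summarize_flows(flows, [HOME_SPLIT_SUBNET]))
    # A sane list produces no findings...
    print(check_split_subnets([HOME_SPLIT_SUBNET], CORPORATE_SUBNETS, SSID_DHCP_RANGE))
    # ...while exempting the corporate range would bypass the FortiGate entirely.
    for p in check_split_subnets([Network("10.0.0.0/8")], CORPORATE_SUBNETS, SSID_DHCP_RANGE):
        print("WARNING:", p)
```

The overlap check is the part worth keeping: a home router that happens to use an address range also used inside the corporate network would, with that range listed as a split-tunnel subnet, silently route corporate destinations onto the home LAN instead of through the FortiGate.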

Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.  
Go to Log & Report > Traffic Log > Forward Traffic to see remote wireless users appear in the logs. Select an entry to view more information about remote traffic to the corporate network and to the Internet.  

For further reading, check out Deploying Wireless Networks in the FortiOS 5.2 Handbook.

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.

  • Rensley Pereira

    In the CLI command to enable split tunneling, the first line should be CONFIG SYSTEM SETTINGS

    • Adam Bristow

      Hello Rensley,

      You are correct – in FortiOS 5.4, the “gui-fortiap-split-tunneling” command is found under “config system settings”. However this recipe is for FortiOS 5.2, where the command is found under “config system global”.

      Regards,

      Adam