I’ve just received the long-awaited and much overdue Fortinet dedicated Access-Point, dubbed the FortiAP 220A. Though Fortinet has had WiFi capable devices in the past, they have always fallen short when it came to a wireless cloud solution – actually, they’ve had none. I’ve been using Cisco Aironet products for years with success, despite the usual non-ergonomic configuration options of both the CLI and GUI. But they work, most of the time – and they offer me features that frankly our beloved FortiWifi’s could not.
And this market is getting more and more crowded, with priced-to-sell solutions from Meraki and Ruckus competing for your building-wide wireless needs. This has certainly been an area where Fortinet has fallen behind, way behind. One FortiWifi device is just not enough. And paying for additional FortiWifi 50B UTMs to use solely as Access Points just did not make sense, even though they can be powered conveniently by PoE.
With the introduction of FortiOS 4.0, we’ve been teased with a new menu option labeled Wireless Controller. Even without the new hardware, we’ve been able to create Virtual Access-Points (VAPs) and get an idea of how this new FortiWifi Cloud solution was going to work and be managed. Embedding a Wireless Controller into an existing Firewall or UTM is pure convenience and efficiency. Though the FortiAP 220A is not officially supported until FortiOS 4.2 (rumored), they are being distributed. However, even though we are seeing the Wireless Controller option on our existing installations of FortiOS 4.0, a special branch version of FortiOS is required. From the release notes:
The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models.
The officially released image of FortiOS to support the FortiAP device is based off of FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.
You can find the special version on the Fortinet FTP site under the FortiAP directory
Now that I’ve had a few hours with this new line, here’s what I’ve found:
- No PoE support. WHAT? It’s an AP with no option for PoE. Though, Fortinet does say you can use the Linksys WAPPOE12 adapter with the 220A power supply.
- No SSID->VLAN Interface bridging. Still, an enormous thorn in my side. Though, the pain is dulled when you realize now that you can implement a true cloud solution consisting of many FortiAPs and have roaming clients, you will just dedicate a wireless network. But bridging is still required or preferred by some installations.
- Doesn’t run FortiOS. Well, that’s fine and was expected – it’s a completely new piece of hardware running BusyBox. You can shell in and browse the directory structure as well as manually update network settings (even cat cpuinfo to see it is running an Atheros AR7100 MIPS 24k)
- Telnet disabled when Registered. When the AP is discovered by your WC, and you set Admin level to Enabled, you can no longer Telnet to the AP. Security feature; you’re already managing the device from a WC at this point, and there are remote execute options from the WC CLI.
- Has 4 “Do not use these ports” Ethernet Ports. That’s right, of the 5 ports, 4 are 100Mbps Ethernet ports that are apparently not for use. This really leads us to believe that the hardware used is off-the-shelf and not engineered from scratch by or for Fortinet.
- Reset Button. The first Fortinet device to have a Factory Reset button. Reset it and then re-discover the AP on your Wireless Controller and away you go. This again indicates the use of generic appliance hardware (which, don’t get me wrong, is NOT new to Fortinet)
- Limited WEP SSIDs. You are limited to no more than 4 WEP-Enabled SSIDs; WEP is supported only as a ‘legacy feature’. WEP has long been “de-secured”, and shouldn’t be anywhere near a Corporate or Enterprise environment anyway. If you’re running WEP, use this as a ‘goose’ to migrate to WPA.
- Useless Button. There is a button in the center of the housing on the front of the AP that has apparently no function.
- Dual Radios. Great support for all the bands, including N and G. Like others, you can assign your SSIDs to specific radios/bands using Access Point Profiles. These profiles are then applied to the physical Access Point registrations. This is nice and will really help flexibility in larger implementations.
- Limited Documentation. Actually, besides the Quick Start guide there isn’t much. Since it’s managed by a FortiGate (FortiWifi models cannot be Wireless Controllers), you’ll find most of the necessary information in the FortiOS 4.0 Administration Guides.
- Manual or Automatic Firmware Upgrade. When the AP is not ‘Enabled’ by the WC, you can telnet in and manually TFTP in new firmware. Better yet, upgrading the WC’s firmware will update the AP’s firmware if necessary as long as the AP is ‘Enabled’ by the WC.
8 comments:
Did you mean FortiOS4.3, since 4.2 is already public for some time?
You think that "only" software's updates can do a better Access Point or we need waiting a new FortiAP model?
regards,
Paulo Raponi
FCNSP
Regarding 4.2 - I was being somewhat facetious since yes, it has been out yet it doesn't officially support the AP despite the rumor.
Software updates will make this a very viable solution in the end. Still, I'm not entirely happy with the current hardware but we will live with it.
I've had compatibility problems with the 110C, but have learned to NOT run both radios on the AP @ 2.4Ghz, even if you use them for different bands (i.e, a,b,g,n) - there is no enforcement of this rule in the GUI. The errors that are produced are somewhat misleading, and development confirms that they will be making improvements in this area.
Fortinet has recently released the FortiAP 220B, which supports PoE.
However, Fortient do not offer client isolation which seems like a pretty basic sercurity feature to be omitted.
I recently deployed FortiAP 220B with the FortisOS 4.3 and pretty much all these missing features are supported: PoE, client isolation, QOS and more. I know there might still be mssing features compared to companies who have been in this business for long, however Fortinet seems to have addressed 80% of key requirements. Watch out competition!
And what about VLAN per SSID setup ?
You can create an ssid, that will be an seperate network interface on the fortinet.
If you add this to an virtual switch you can bridge this vlan to an fysical port or to an other vlan.
I´m comparing to the Ruckus solution.. Ruckus is 1000% better...
Nice little review.
I have a question though.. have you done any benchmarks on the throughput? I have one too in a lab connected to an 80c and from a wired client to a wireless n client I get only about 80mpbs with iperf even though the client says connection speed 300mpbs
Post a Comment