FortiGate Secure LAN Edge Controller

FortiGate as a Dedicated LAN Edge Controller

The FortiGate, in addition to its full suite of security functions, is a fully capable Wi-Fi and Switch Controller, able to manage FortiAPs, FortiSwitches, and extend Network Access Control (FortiLink NAC) to the edge of the LAN — Fortinet's LAN Edge solution.

The Fortinet LAN Edge solution consolidates network management into our industry-leading FortiGate. This solution provides comprehensive security for the LAN and WLAN infrastructure. With a single console for security and network functions, management is greatly simplified on a day-to-day basis, and security is fully integrated with every part of the network.

FortiGate LAN Edge Functions

All FortiGates include the following LAN Edge functions out of the box. No additional licensing is needed.

FortiAP -- Standard and Unified Threat Protection Models

FortiAP devices come in a variety of models that support the latest Wi-Fi technologies, including Wi-Fi 6 and 6E. Indoor, outdoor, and high-density models are available, as well as wall-plate models for the hospitality industry. The U-series (Unified Threat Protection) offer the additional power of FortiGuard services on the FortiAP.

Both the standard FortiAP and FortiAP-U families are available in 2x2 (two MIMO stream) and 4x4 (four MIMO stream) models. Advanced models support dual 5 GHz mode for the most demanding Wi-Fi environments. The FAP-831 is an 8x8 Multi-User MIMO model for high density cases, such as lecture halls or auditoriums. FortiGates require no additional licenses to manage FortiAPs, although there are FortiGate model-specific AP limits.

FortiSwitch -- Ethernet Switching

Reliable, highly-performing, and purpose-built, Ethernet FortiSwitches are available in a variety of models to address needs from the small office access layer to the datacenter. All models support FortiLink and can be managed and configured directly from a FortiGate. MCLAG (Multi-Chassis Link Aggregation Group) is supported on most models for network redundancy.

In a LAN Edge deployment, it is vital to align the switch uplink speed with the capacity of the FortiGate. Avoid too little FortiGate with too much FortiSwitch. PoE (Power over Ethernet) access switches can provide power for FortiAPs. FortiGates require no additional licenses to manage FortiSwitches, although there are FortiGate model-specific switch limits.

LAN Edge Design

Fortinet LAN Edge Solutions are very flexible and can be adapted to a wide variety of network needs. Some guidelines follow, but it is best to work with an experienced Fortinet reseller to ensure the chosen products align with your networking needs.

Dedicated vs Perimeter LAN Edge Controller

There are two broad design approaches to using a FortiGate as a LAN Edge Controller: SD-Branch and Dedicated Controller.

FortiAP Requirements

Determine the number of FortiAPs needed first, which is primarily driven by how much floor space needs to be covered, with adjustments to the local wireless conditions. Wi-Fi design is highly location dependent, and a wireless site-survey from your reseller is always recommended.

For planning purposes, a FortiAP typically covers 1500 sq ft (150 sq m) and accommodates 60 active devices per service radio, or 120 devices per FortiAP. The 2x2 models are common in retail, public access, and similar lighter use. The 4x4 models are more common in offices and heavier use environments. However, all devices will perform well with all FortiAP models. Consult a Fortinet reseller about external antenna or specialty models, such as the FAP-23JF.

The UTP (Unified Threat Protection) models can deliver FortiGuard services on the FortiAP itself, offloading from the FortiGate, and can operate in dual 5 GHz mode, making channel planning more flexible.

FortiAPs can be powered by standards-based PoE access switches that match the requirements of the particular model. Power injectors or AC power can be used when PoE switches are unavailable. FortiAPs can connect to a FortiGate via FortiLink over any IP network with full functionality, including providing FortiLink NAC for wireless devices; FortiSwitches are not necessarily required.

More in depth wireless design resources can be found here.

Number of FortiSwitches -- Access Ports

Start with the determining the number of access ports for your needs, both for the FortiAPs and for any other wired devices. PoE access layer FortiSwitches can be used to power the FortiAPs as well as provide the Wi-Fi uplink, and can power other devices such as IoT devices or desk phones. The PoE output level and total power budget needs to be aligned with the powered device needs.

FortiSwitches can also provide the wired port-based FortiLink NAC function, identifying devices by various criteria and assigning them to policy determined VLANs automatically. If such devices need PoE power, that must be covered by the access switch PoE power budget.

A switch FortiLink uplink must be directly connected to either a FortiGate LAN Edge Controller or another FortiSwitch that is, in turn, FortiLink connected to a FortiGate. Unlike FortiAPs, they cannot be tunneled through another vendor's switch.

In an SD-Branch design, a single access FortiSwitch connected directly to a FortiGate may be all that is needed. However, a large campus with hundreds or thousands of FortiAPs will certainly require core and distribution switch layers with MCLAG redundancy. Full Ethernet switch network design is beyond the scope of this document, but more in depth wired design resources can be found here.

Size the LAN Edge Controller FortiGate

The scale of the FortiAP and FortiSwitch network will determine the necessary sizing of the FortiGate LAN Edge Controller. The FortiGate should be sized as usual, based on throughput (by inspection type), but with the addition of accounting for the tunneled FortiAP and FortiSwitch limits.

In order to leave room for growth, we recommend the FortiGate have a capacity for twice the number of FortiAPs (tunneled) and FortiSwitches to be deployed. Because of the different ways traffic is handled on the FortiGate, the FortiAP and FortiSwitch numbers are independent and can be evaluated separately. One LAN Edge device type does not affect the limit on the other type.

The most conservative FortiGate throughput number is the Threat Protection Throughput (Enterprise Mix), and that will be cited in the following examples. However, keep in mind that FortiAP-U series APs can offload FortiGuard Services. When that is the case, the higher NGFW number should be used for the FortiGate. In a branch deployment, the throughput should be more than the Internet uplink. In a dedicated controller environment, it is likely to be the same number in that the wireless end users are probably the primary Internet users.

Finally, the more critical and larger the LAN Edge Network, the more likely the LAN Edge Controller should actually be a pair of FortiGates in High Availability (HA) mode.

Cloud Management and Network Transition Options

Fewer and fewer networks of any size are deployed as pure greenfield. Most are established and have a refresh cycle with the NGFW, Ethernet, and Wi-Fi -- all refreshed at different times. Fortinet has options for those who want to transition to our Secure LAN Edge solution but are unable to do so all at once.

FortiLAN Cloud provides central cloud management for FortiAPs and FortiSwitches without an onsite FortiGate. Fortinet LAN Edge equipment can be deployed to a site and managed in FortiLAN Cloud, and later transitioned to FortiGate in the future.

FortiGate Cloud also provides cloud-based and remote management of FortiGates, and is completely compatible with everything above. FortiGate Cloud, via cloud management of a FortiGate, in turn manages the LAN Edge FortiAPs and FortiSwitches. FortiGate Cloud also adds one year of cloud log storage and backups, and is included in the FortiGate SMB bundles.

Example Specs/BoMs — FortiGate, FortiAP, FortiSwitch

NB - these are example BoMs, and should not be used as strict 'recipes.' Customer environments vary, and a full network design will be necessary to get the right number of FortiAPs, FortiSwitches, ports, and power requirements.

Light Retail / Small Branch

An open area allows wider FAP coverage, Wi-Fi use is light, 1 wired register, 1 wireless printer, cost conscious, SMB Bundle.

Mid Size Branch

Thirty thousand square feet, multi-gig access switches in a redundant MCLAG pair, extra PoE ports for PoE desk phones, redundant FortiGates as dedicated WiFi and Switch controllers (ISFW), Enterprise bundle.

Mid Range Enterprise

Large office building, multiple floors, 225 000 sq ft (150 FAPs), switch redundancy, redundant FortiGates as dedicated WiFi and Switch controllers (ISFW), Enterprise bundle.

Large Campus / School District

Eight hundred Indoor FortiAPs, 100 outdoor FortiAPs, MultiGig PoE access switches, aggregation switches, switch redundancy, redundant FortiGates as dedicated WiFi and Switch controllers (ISFW), Enterprise bundle.

Top Sellers - LAN Edge FortiGates

A country suffix code (-A, -B, -C, -D, -E, -F, -I, -J, -K, -N, -P, -S, -T, -U, -V, -W, or -Y) applies to all AP models based upon country of deployment. Work with your local supplier for the correct model in your regulatory domain. A - United States, Canada, and Latin America. E - United Kingdom and Europe.

Top Sellers - FortiAP

Top Sellers - FPoE FortiSwitch

A country suffix code (-A, -B, -C, -D, -E, -F, -I, -J, -K, -N, -P, -S, -T, -U, -V, -W, or -Y) applies to all AP models based upon country of deployment. Work with your local supplier for the correct model in your regulatory domain. A - United States, Canada, and Latin America. E - United Kingdom and Europe.

Order Information: FortiGate a LAN Edge Controller

The Fortinet LAN Edge solution consolidates network management into our industry-leading FortiGate. This solution provides comprehensive security for the LAN infrastructure and simpler management on a day-to-day basis. Fortinet enables the deployment of large-scale networks with minimal technical expertise via built-in best-practice configurations. Zero-touch provisioning delivers quick and easy application of device templates to sites at scale. FortiLink NAC creates improved visibility and segmentation, enabling auto-discovery of devices to implement "least privilege" access.

FORTIGATE APPLIANCES

FortiGate Appliances

FortiGate VM Virtual Machines

FortiAP

FortiAP (UTP)

For additional FortiAP details, external antennas and accessories, please see https://www.fortinet.com/products/wireless-access-points.

FortiSwitch

For additional models, accessories, advanced licenses, etc, please see the FortiSwitch Ordering Guide: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/og-fortiswitch.pdf.

Additional Wireless Management Products

Additional Ordering Guides

• All: https://www.fortinet.com/resources/ordering-guides
• NGFW: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/og-next-generation-firewall.pdf
• FortiAP: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/og-wireless.pdf
• FortiSwitch: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/og-fortiswitch.pdf

Frequently Asked Questions

What makes a FortiGate a LAN Edge Controller?

A FortiGate combines security enforcement, FortiAP management, FortiSwitch management and secure network fabric traffic into a unified whole — Security Driven Networking. Security is enforced not only at the perimeter, but extended out to the edge of the network — where the clients connect, or the LAN Edge of FortiAPs and FortiSwitches.

What is the difference between FortiGate Cloud and FortiLAN Cloud?

With FortiGate as a LAN Edge controller it manages the on-site FortiAPs and FortiSwitches, so FortiGate Cloud manages the LAN Edge devices via the managed FortiGate. For locations that need Fortinet LAN Edge devices that are not associated with a FortiGate (for whatever reason), FortiLAN Cloud can directly manage the FortiAPs and FortiSwitches.

How can an MSSP use FortiGate or FortiLAN Cloud with multiple customers?

They can add a multi-tenancy license to either, which will enable the creation of sub-accounts with full data isolation.

What are typical licenses for customer deployments with NGFW with FortiGates?

The Unified Threat Protection (UTP) and the Enterprise bundles, which provide extensive coverage for device-, content-, and web-based threats, comprehensively cover most customer use cases, or the SMB bundles for site requiring the smaller FortiGate models. See FortiGuard Security Services here.

What does the Enterprise bundle include?

The Enterprise bundle includes IPS, Advanced Malware Protection, Application Control, URL, DNS and Video Filtering, Antispam, Security Rating, IoT Detection, Industrial Security, FortiConverter Service, and FortiCare Premium. FortiGate cloud must be added when purchasing enterprise bundle.

What does the SMB Bundle include?

The SMB Protection bundle includes IPS, Advanced Malware Protection, Application Control, URL, DNS and Video Filtering, Antispam, plus FortiGate Cloud subscription and FortiCare Premium. FortiGate Cloud does not need to be added.

What does the UTP license include?

The UTP license includes IPS, advanced malware protection, application control, botnet DB, mobile malware, outbreak prevention, web and video filtering, Cloud Sandbox, secure DNS filtering, antispam service, and 24x7 support. For more information click here. FortiGate Cloud would need to be added.

Why the difference between "Tunnel vs Total" FortiAPs?

On a per SSID basis, FortiAPs can tunnel traffic back to the FortiGate for a full security stack inspection – the default behavior. However, some customer environments may have a need for local-only Wi-Fi or low inspection guest traffic. Under such circumstances, more FortiAPs.

How do I license FortiAPs and FortiSwitches on the FortiGate?

No need. There are no licensing limits for on any FortiGate for LAN Edge devices. Each one comes out of the box able to manage the full number of FortiAPs and FortiSwitches, with only the hardware-based limits above.

How many FortiAPs does my customer need?

Every physical site is different. Any FortiAP deployment should have a site survey and a wireless deployment plan from a capable Wi-fi engioneer to insure good coverage and performance over a site. As an estimate for planning purposes, most sites require approximately one for FortiAP for 1500 sq ft (150 sq m) and about 60 active devices per FortiAP (30 devices per service radio).

What is the difference between 4x4 vs 2x2?

MIMO is a feature of Wi-Fi that uses multiple antennas to send simultaneous signals and so increase throughput. However, the number of antennas must align on both the client and the FortiAP to maximize the potential benefits. Phones and tablets normally have one antenna, at most two, and so cannot take significant advantage of a 4x4 FortiAP vs a 2x2, while laptops, which usually have three antennas, get a significant boost from a 4x4 FortiAP. Of course, all FortiAPs work with all Wi-Fi client devices, so sometimes budget is the deciding factor or 2x2 performance is plenty. The FAP-831F is an 8x8 FortiAP that supports Multi-User MIMO, able to divide its multiple traffic streams among clients simultaneous, boosting total Wi-Fi performance and is meant for high density environments such as auditoriums and stadiums.