Fortinet Wifi 7 Security at the Edge at MFD11

Fortinet is largely known for all their “Forti” branded gear. Their bread and butter is their Firewall line, the FortiGate. My first experience with Fortinet was installing brand new Fortigate firewalls at a bunch of schools ten years ago. At Mobility Field Day 11, Fortigate took the Mobility emphasis and gave it a Fortigate shine. FortiGate is the best controller and way to secure their Wifi 7 FortiAPs.

FortiWifi and FortiGate Better Together

To begin with, Fortinet discussed how their Firewalls are their Wifi Controllers. I personally have not configured FortiWifi on my own equipment, outside of a lab environment. BUT I have colleagues at other education institutions, that I support, who use Fortinet for their Firewall and Wifi needs. My colleagues originally used Meru with their Single Channel Architecture that they say worked great until they had to scale up. They then switched over to the Fortinet architecture, when Meru was acquired by Fortinet, for most of the systems, including the FortiAPs. They have gone all in to the Forti-line up.

Fortinet often talks about how since their FortiAPs are so tightly connected to a Fortigate firewall, you get advanced security protection. The APs have mini fortigate features built right in with their Unified Threat Protection.

The thing my colleagues love most about Fortinet for Wifi is that their controller is built into their firewall. This has its benefits and its drawbacks. If you’re already purchasing a Fortigate firewall, then you get the controller for free. BUT the opposite is also true in that you have to buy their firewall and are locked in once you make that decision. One of my colleagues has told me on several occasions when I discuss other vendors, switching from their Fortigate firewall to another vendor is difficult because they have Fortinet Wifi so they would have to switch that and all of their Forti-products.

Having the on-premises controller on the firewall makes sense for small organizations that do not want to move to the cloud. You have more of the coveted single pane of glass when it comes to configuration and logging. Plus everything is still local instead of being moved to the cloud.

For this blog post, I logged into one of my schools’ Fortigate Firewalls that I support. It was super simple to turn the FortiWifi controller on. You just have to click a slider and the Wifi Controller section appears. You then just have to configure your settings, install your APs, and you’re on your way. If you’re already in the Forti-Koolaid, this is a slick solution.

As a quick side note, in playing with the Wifi settings, I did notice something I forgot to test from previous blog posts about eduroam. I did not check to see if FortiWifi had WPA3-Enterprise Transition Mode as an option. All it took was a quick peek at the settings on a Fortigate, and sure enough, that is not a selectable option on FortiWifi. There is NO WPA3-Enterprise Transition Mode on FortiWifi.

Wifi 7 Live Demo

Fortinet brought a tower of Wifi 7 and Wifi 6e APs into the room at Mobility Field Day 11. They even had one of them turned on and broadcasting. They understood their audience.

Since it was a live demo, I was able to do some live packet captures. Wifi Explorer Pro 3 gave me this view of the Wifi 7 network. It also provided a detailed analysis in the Advanced Details panel. As anyone trying to sell Wifi 7 equipment is required to do, they showed off a 320MHz wide channel in 6GHz.

When Wifi Explorer Pro and Airtool 2 use the built-in Wifi card in the Macbook Pro, that card isn’t a Wifi 7 card. It is only Wifi 6e. So it is only able to capture the beacons and management traffic of Wifi 7 traffic. That was something I was unaware of until this presentation when I was trying to capture that data. It was still really cool to see the traffic that I was able to capture from these FortiWifi APs. I was able to show the 320MHz wide channel because of some trickery that Adrian Granados does on the backend. It comes down to having to do a Passive Survey instead of an active Survey.

Fortigate Firewall at the Edge

As I mentioned before, having the Fortigate Firewall and FortiAPs so closely integrated brings some advantages. At MFD11, Fortigate talked about how you can create policies on the firewall that control traffic from the FortiAPs. This brings the Fortigate Firewall to the Edge of the network, closer to where the clients are located. This adds some strength that other vendors have to do through other products such as NAC.

FortiExtender Firewalls on 5G and LTE Routers

Lastly, Fortinet explored the idea of using a FortiExtender in fleet vehicles with a 5G and LTE backhaul with wired and Wifi fronthaul connectivity. This was a nice change to the Wifi 7 focus of a lot of the presentations at MFD11.

In my previous blog post, I talked about the Private Cellular COW that we have built. A few weeks ago, I was down visiting my buddy, Jason Eyre from Murray School District, and he had this ruggedized FortiExtender Vehicle that he was going to use in the COW. Although I didn’t get the chance to configure it, it looks like a really nice product for a fleet environment. This is competing with your Cradlepoint or Digi product lines in a ruggedized form factor.

Protecting fleets is an important growing trend. Bringing a Firewall to that level to help with segmenting traffic within a vehicle is a needed solution. Fortinet’s expertise in the security side sets them apart. The configuration side is just as you would expect from another Forti-product such as the Fortigate. This product line brings Fortinet to the Edge and helps them succeed.

Fortinet Moving Forward

It was refreshing to see under the covers of what Fortinet is building for their Wifi 7 product line and Fleet Edge. Having been watching them from afar with my colleagues, I’ve had an interest in their gear but never enough time to actually dig into their product lineup. I think their Fortigate as a Controller for their FortiAPs is a great model for smaller organizations that are still not wanting to jump to the cloud as everyone else is doing. Sometimes you don’t have to follow the crowd and that is the approach that Fortinet is taking. Doing so reduces some of the innovations that are available such as the buzzword AI, but that isn’t necessarily a bad thing.

Fortinet has a mature product line in firewalls and APs in a strange but working marriage of the two. I’m excited to continue to watch Fortinet to see how they handle the coming barrage of AI in this market. They may just decide to stay where they are succeeding, and that may just work out for them.
