Fortinet Unified Access Layer Architecture - BOLL Engineering AG

Date post: 12-Feb-2022

www.fortinet.com

Fortinet Unified Access Layer Architecture

A FORTINET SOLUTION GUIDE

Introduction to Wireless Security

Broad adoption of IEEE 802.11n has created a complex Wi-Fi landscape with proliferating mobile devices and applications. It is no longer sufficient to treat all Wi-Fi users and applications alike, and there is a compelling need to deploy and enforce WLAN control policies. Fortinet offers the only business-grade Wi-Fi solution in the industry today, which addresses this myriad of challenges:

• Identifies business applications and controls their usage
• Applies full UTM policies to both wired and wireless data
• Brings maximum productivity with fair-use enforcement
• Empowers identity-driven policies without complexity
• Introduces simplicity via single pane of glass management
• Provides deployment flexibility with low TCO

Growth of Wireless LANs

The increasing popularity of mobile devices and the need for cost reduction are driving Wireless LAN (WLAN) adoption. Analysts have forecast that spending on enterprise WLAN equipment will rise from $3.4 billion in 2011 to $7.9 billion in 2016, representing an 18.4% CAGR. In addition, organizations have embraced a wireless edge design to drive down the cost associated with edge switches and wiring.

The ratification of the IEEE 802.11n wireless standard is the catalyst for new enterprise adoption, since the new standard provides better coverage and a fivefold performance increase over legacy wireless, outperforming wired Fast Ethernet LANs. This drives more widespread adoption of WLANs and, with it, a more pronounced need for network application services such as WLAN network management and security.

[Figure: transmit rate and receive rate against timestamp (seconds)]

[Figure: Enterprise Wireless LAN Market Size Forecast. Value ($ billions) by year, 2010 to 2016, by region: North America, EMEA, Asia-Pacific, Latin America, Worldwide]

There are two leading Wi-Fi architectures today. One is called “Thick APs” and the other is referred to as “Thin APs.” The use of a thick or thin AP Wi-Fi architecture depends on the service needs.

Thick AP refers to a wireless access point or Wireless Termination Point (WTP) that autonomously switches packets between wired and wireless domains. Each Thick AP is a standalone device responsible for authentication, encryption and applying access control policies. Each Thick AP requires independent management, or management via a centralized network management application. All-in-one Thick APs are ideal for locations such as small offices or retail shops requiring a smaller service area.

A Thin AP provides the same features as a Thick AP, but in a distributed fashion to provide a greater service area. The Thin AP simply passes wireless network traffic to the switch/controller, performing few complex tasks locally. This enables the Thin APs to delegate authentication, security processing, channel assignment, transmitter power level and rogue AP detection to the centralized wireless LAN controller, which decreases management complexity and reduces the overall cost of deployment. As the size of the service area increases, you can deploy additional Thin APs and connect them to the existing controller. Thin APs require a centralized wireless controller for management, and are ideal for locations requiring greater coverage and capacity than a single Thick AP can deliver.

The Need for Comprehensive Wireless LAN Security

Independent of the type of architecture used for access points, WLANs face many threats that strong authentication and link encryption do not address. Because wireless is a shared medium, it is more prone to malicious attacks such as de-authentication broadcasts and evil twin access point (AP) / honeypot attacks. It is also possible for one user's heavy application traffic to reduce the bandwidth available to all other users. You therefore need to implement on your wireless LAN the same protection mechanisms that you deploy ubiquitously on your WAN gateway. In response to these threats, regulators and standards bodies like the PCI Security Standards Council have created wireless data protection requirements. Failure to comply with those standards can result in significant penalties and/or loss of customer trust due to exposure of protected data.

Choice of Architectures

Unified Access Layer Architecture

There is one policy for how data should be treated in your organisation, and that policy rules certain parameters according to who the user is and what applications they are using. This requires instituting the ‘single pane of glass’ management view across wired and wireless resources, as mentioned earlier.

The opportunity here is for greater consolidation of networking elements, providing simplicity and scalability through deployment flexibility with low cost of ownership.

Sometimes piecemeal solutions work when money is no object. In reality, budgets are limited, resources are scarce and networks evolve over time. It is typically unavoidable that the WLAN is an overlay solution, in the sense that it is added to the rest of the network, though this doesn’t prevent it from behaving as though it were a designed piece from inception. Given the limited power budget and rack space in corporate networks, wireless solutions must avoid adding a large burden. For example, in a truly business-grade WLAN, the controller may be the existing firewall or UTM device already installed in the network. These devices are designed to handle large amounts of information, and therefore there is reserve processing and storage capacity that may be utilised by the business-grade WLAN. Utilizing the existing installed base of network devices reduces cost and complexity and lends itself to a more scalable architecture.

Fortinet's Unified Access Layer Solution

As described previously, the Unified Access Layer architecture will simplify the LAN connectivity/security for both wired and wireless networks. It is based on 4 key pillars exploiting common:

• Firewall and application policies
• User Management
• Logging and reporting
• Configuration and provisioning

The Fortinet Unified Access Layer Solution is represented in Figure 1. It is a combined set of products built around the FortiGate and the FortiAPs, which are the core products. Depending on the size of the network and the architecture, FortiAuthenticator, FortiAnalyzer and FortiManager complement the core products to deliver a full and comprehensive solution.

Figure 1: Fortinet Unified Access Layer Solution

Core Products

FortiGate and FortiAPs are the core products of the Fortinet Unified Access Layer Architecture.

FortiGate Network Security Platform: Security Management + Wireless Controller

The FortiGate consolidated security platforms can act as wireless controllers, significantly reducing the cost and complexity of deploying secure WLANs. FortiGate platforms enable the integration of both wired and wireless traffic into a single management console, giving you a “single pane of glass” management interface of your network.

FortiGate platforms provide complete content protection against network, content, and application-level threats. These high-performance, low-latency devices ensure that your network security does not become a network bottleneck. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to provide multi-tenant support for subscriber-based environments or greater internal segmentation of data for policy compliance.

FortiWiFi models, ranging from the FortiWiFi-20C to the FortiWiFi-81CM, are FortiGate security appliances with Thick AP capabilities. These Thick AP devices offer a range of performance and features, including high-speed 802.11n support and WAN communications via optional wireless broadband access and dial-up modems.

The FortiWiFi consolidated security platforms deliver comprehensive enterprise-class protection for smaller locations at an affordable price. They make it easy to protect smaller locations, branch offices; customer platforms’ integrated set of essential security technologies, you can deploy a single device that protects all of your applications and data. The simple per-device pricing, integrated management console, and remote management capabilities significantly reduce the costs associated with deploying and managing complete content protection.

Each FortiWiFi model is capable of broadcasting up to seven SSIDs or Virtual Access Points (VAPs), enabling multi-tenant environments in a single device. Each VAP appears as a separate virtual interface on the FortiWiFi device, enabling the application of separate firewall and user policies to the traffic.

FortiAP Wireless Access Point Solutions: Secure Business-Grade Wireless

FortiAP wireless access points are enterprise-class, controller-managed devices that extend FortiGate® consolidated security functions to your wireless networks. Each FortiAP access point tunnels all of its traffic to the wireless controller integrated into FortiGate platforms, providing a single console to manage both wired and wireless network traffic.

FortiAP wireless access point solutions provide increased visibility and policy enforcement capabilities while simplifying your overall network environment. They employ the latest 802.11n-based wireless chip technology, offering high-performance wireless access point with integrated wireless monitoring and support for multiple virtual APs on each radio. FortiAPs work in conjunction with the feature-rich family of FortiGate controllers to provide a fortified wireless space that delivers complete content protection. FortiGate controllers centrally manage radio operation, channel assignment, and transmit power, which further simplifies your deployment and management requirements.

FortiAuthenticator Two Factor Authentication: Centralized Identity Management

FortiAuthenticator is a centralized user authentication and management service providing various methods of validating the true identity of a user before allowing access to the requested service, making the solution ideal for deployment within small to medium enterprises. Authentication methods include local LDAP and RADIUS or integration with an existing directory service. These methods can be supplemented with either time-based or certificate-based two-factor authentication.

FortiAuthenticator also provides user self-registration capabilities and is available as a Virtual Machine (VM).

FortiAnalyzer Logging & Reporting: Centralized Reporting System

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. They provide organizations of any size with centralized security event analysis, forensic research, reporting, content archiving, data mining, malicious file quarantining and vulnerability management. Centralized collection, correlation, and analysis of geographically and chronologically diverse security data from Fortinet appliances and third-party devices deliver a simplified, consolidated view of your security posture.

The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine tune your policies. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches.

FortiAnalyzer is available as an appliance and as a Virtual Machine (VM).

FortiManager Centralized Management: Centralized Management System

FortiManager centralized management appliances deliver the essential tools needed to effectively manage your Fortinet-based security infrastructure. Whether deploying several or thousands of new devices and agents, distributing updates, or installing security policies across managed assets, FortiManager appliances drastically reduce management costs and overhead. Device discovery, group management, auditing facilities, and the ability to manage complex mesh and star VPN environments are just a few of the timesaving features that FortiManager appliances offer. Complemented by the FortiAnalyzer™ centralized logging and reporting appliance, FortiManager provides a comprehensive and powerful centralized management solution for your organization.

FortiManager appliances can scale to manage thousands of Fortinet devices and agents. Groups of devices and agents, along with their administrators, form the FortiManager concept of Administration Domains (ADOMs). Within an ADOM, an administrator has the ability to create policy packages, folders, and objects that can be shared between all the FortiGate devices in the local ADOM. In the Global ADOM of FortiManager, global policies and objects can also be assigned and applied to sub ADOMs. Whether you are managing one or one thousand ADOMs, FortiManager appliances always provide effective and efficient management of your Fortinet assets.

FortiManager is available as an appliance and as a Virtual Machine (VM).

Why The Fortinet Unified Access Layer Solution?

Fortinet is the only vendor providing a full and comprehensive solution delivering:

• Highest security
Thanks to its FortiGate platform, Fortinet is recognized by IDC as the worldwide #1 in the UTM (Unified Threat Management) market and by Gartner as the leader in their UTM magic quadrant. As the FortiGate platform is at the core of the Unified Access Layer solution, it provides the highest level of security, integrity and management on both the wired and wireless LAN areas (Figure 2).

• Right-sized solution for your deployment
The broad range of FortiGate, FortiAuthenticator, FortiAnalyzer and FortiManager platforms (all available as virtual machines too), ranging from low-end through mid-range to high-end, enables our customers to choose the right solution based on their needs.

• Simplified Management
Many vendors offer a Unified Access Layer Solution by adding products from different third-party suppliers. This brings complexity in terms of configuration, interoperability and troubleshooting, and keeps increasing the TCO. Fortinet is dramatically reducing all of these thanks to its different platforms.

Figure 2: How The FortiGate Platform Simplifies And Unifies All Aspects Of Security

Fortinet Secure Business Grade Wireless LAN

Fortinet pioneered the concept of a single security platform providing a wide range of integrated security technologies. This integrated approach addresses the fundamental challenges of deploying multiple layers of protection:

• They are complex and costly to deploy and manage.

• When adding so many layers of security, your network performance will degrade, due to the redundant processing. The result is that your network security becomes your network bottleneck.

• We pioneered our solution to address all these security and management issues, while also lowering cost and delivering faster network performance

• We utilize one appliance to deliver a robust set of security features, while also providing better performance

• We couple our security features with a set of services, called FortiGuard, to provide industry leading real-time security intelligence and protection

• We have a differentiated technology platform based on custom hardware and custom software specifically engineered to efficiently tackle IT security tasks

• All this allows us to lower our products' total cost of ownership (TCO) and just make everything easier to use while improving performance

Fortinet added the Wi-Fi controller capabilities to the FortiGate, which makes it the single and unique platform to deliver security services on both the wired and wireless side. Fortinet consolidated security platforms deliver fully integrated security technologies in a single device, delivering increased performance, improved protection, and reduced costs. They act as a wireless controller while providing firewall, VPN, intrusion prevention, application control, web filtering and many other security and network technologies. There are FortiGate platforms for every size of network, from small offices to large enterprises and service providers.

By simply connecting the FortiAPs to the FortiGate, our customers can deploy a Secure Business Grade Wireless LAN very easily and rapidly. Most of the Business Grade Wireless features are inherited from the FortiGate itself and thus applicable both on the wired and wireless side. Figure 3 highlights the combination of FortiAPs and FortiGate to deliver Business-Grade Wireless capabilities.

Figure 3: Fortinet's Business-Grade Wireless

The Benefits of Fortinet Business-Grade Wireless

Once a user connects to the wireless network, the connection goes through different steps to make it fully secure for both the user and the network.

• Captive Portal, 802.1x—Radius /shared key

• Assign users and devices (BYOD) to their role

• Examines wireless traffic to remove threats

• Identify applications and destinations of interest

• Truly stateful firewall controls users and applications

• Ensures business traffic has right of way

• Reports on policy violations, application usage, destinations, and PCI DSS

BYOD (Bring Your Own Device)

As mentioned before, the growth of Wireless LANs is driven by the proliferation of mobile devices and applications. This includes tablets and smartphones. Often these are personal devices, or corporate devices that employees take home. Home is usually not a secure environment, and these types of devices can be considered insecure as well.

The Fortinet Secure Business Grade Wireless allows the setting of firewall policies based on the device and Operating System type. For example, granting access to resources or bandwidth limitation based on the type of device or operating system is possible. This can be extended to the type of application as well.

PCI DSS Compliance

Rogue APs can pose a threat to your internal network by creating a leakage point where a malicious user can steal confidential, regulated, or proprietary data. For this reason, industry policies such as PCI-DSS mandate the regular scanning for suspicious or unknown APs.

The goal of the FortiGate Rogue AP detection engine is to automate this scanning process and provide the ability for FortiWiFi and FortiAP system administrators to continuously monitor for unknown APs and also to determine if unknown APs are on the network.

FortiGate/FortiWiFi and FortiAPs address the requirement for organizations to mitigate the threat that rogue APs pose to the integrity of their credit card transaction systems. The simplest and most cost-effective method to address this risk is to use an automated monitoring system. For example, both FortiWiFi-60C platforms and FortiAP devices provide dual band radios that operate on both the 2.4 GHz and 5 GHz bands to seek out other APs. After identifying the APs by MAC address and manufacturer type, the Fortinet devices use wireless and ‘on-wire’ correlation techniques to seek out wireless devices connected to the retail network. The Fortinet devices flag these APs with a high severity ‘on-wire’ syslog message and transmit it to an upstream log aggregation device and/or the FortiAnalyzer centralized analysis and reporting system. Once alerted to the presence of the device at the retail location, the IT staff can physically remove the rogue AP from the network.

Fortinet’s Rogue AP detection capability supports the following features:

• Dedicated or background Air Monitor scans for unknown APs and wireless client traffic.

• For each unknown AP, the MAC address, manufacturer, security profile, speed, last-seen time and ‘on-wire’ status are shown in the FortiOS Rogue AP detection table.

• The ‘on-wire’ detection engine uses various correlation techniques to determine whether the unknown AP is connected to the FortiWiFi or FortiAP wireless LAN. If the engine finds that the AP is on the LAN, a log message is generated in real time to inform system administrators.

• The correlation engine constantly compares wireless client traffic to wired client traffic to determine if a client using an unknown AP is communicating through a FortiGate device. This technique can detect an AP operating as a bridge regardless of wireless security settings and encryption and authentication levels.

• Another technique correlates wireless and wired MAC addresses to detect Layer-3 APs regardless of security settings and NAT configuration.

• Administrators can manually classify unknown APs as trusted or untrusted.
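
The on-wire correlation described in the list above, as an added example that is not Fortinet's code or part of the original guide. It flags an unknown AP as on-wire when one of its wireless clients also appears in the wired MAC table (bridge case), or when its BSSID sits within a few addresses of a wired MAC (a common heuristic for Layer-3/NAT APs, assumed here). All MAC addresses, the `adjacency` threshold and the severity labels are constructed for illustration.

```python
from dataclasses import dataclass, field


def mac_to_int(mac: str) -> int:
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' to a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class ObservedAP:
    """One AP heard by the air monitor, with the client MACs associated to it."""
    bssid: str
    ssid: str
    clients: set = field(default_factory=set)


def correlate_on_wire(aps, managed_bssids, wired_macs, adjacency=2):
    """Classify every unmanaged AP as on-wire or off-wire.

    aps            -- iterable of ObservedAP from the wireless scan
    managed_bssids -- BSSIDs of our own (trusted) APs, which are skipped
    wired_macs     -- source MACs seen on the wired LAN (switch/ARP table)
    adjacency      -- assumed max distance between a Layer-3 AP's BSSID
                      and the MAC of its wired uplink port
    """
    managed = {mac_to_int(m) for m in managed_bssids}
    wired = {mac_to_int(m): m for m in wired_macs}
    findings = {}
    for ap in aps:
        bssid = mac_to_int(ap.bssid)
        if bssid in managed:
            continue
        reasons = []
        # Bridge case: a bridging AP forwards frames unchanged, so the
        # wireless client's own MAC shows up on the wired side.
        bridged = sorted(c for c in ap.clients if mac_to_int(c) in wired)
        if bridged:
            reasons.append(("bridge", bridged))
        # Layer-3 case: NAT hides the client MACs, but the AP's wired port
        # usually carries a MAC with the same vendor prefix (upper 24 bits)
        # and a value close to the BSSID.
        near = sorted(
            orig for value, orig in wired.items()
            if value >> 24 == bssid >> 24 and abs(value - bssid) <= adjacency
        )
        if near:
            reasons.append(("layer3", near))
        findings[ap.bssid] = {
            "ssid": ap.ssid,
            "on_wire": bool(reasons),
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        }
    return findings


# Constructed sample data (locally administered MACs, not real devices).
MANAGED_BSSIDS = {"02:00:00:aa:00:01"}
WIRED_MACS = {
    "02:44:44:00:00:01",  # laptop on the managed AP, legitimately on the LAN
    "02:22:22:00:00:05",  # client reaching the LAN through a bridging AP
    "02:00:00:cc:00:20",  # uplink port of a NAT router with built-in AP
}
SAMPLE_APS = [
    ObservedAP("02:00:00:aa:00:01", "corp", {"02:44:44:00:00:01"}),
    ObservedAP("02:00:00:bb:00:10", "freewifi", {"02:22:22:00:00:05"}),
    ObservedAP("02:00:00:cc:00:21", "homerouter", {"02:33:33:00:00:09"}),
    ObservedAP("02:00:00:dd:00:30", "neighbour", {"02:55:55:00:00:07"}),
]

if __name__ == "__main__":
    for bssid, result in correlate_on_wire(
            SAMPLE_APS, MANAGED_BSSIDS, WIRED_MACS).items():
        print(bssid, result["severity"], result["reasons"])
```

A client that roams between a managed AP and a neighbouring AP can trip the bridge rule, so the wired MAC table fed to the check should contain only recently seen entries.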

The FortiAnalyzer Logging & Reporting Centralized Reporting System provides detailed information on the status of your wireless infrastructure:

• Summary of access points by category

• List of rogue access points by category

• List of all managed access points

• PCI Compliance
• Rogue Access Point on-wire detection and mitigation capability
• Special dual radio AP for simultaneous Security and Client Access
• Local vulnerability scanning with central report aggregation

FortiAP Wireless Access Points

Enterprises are looking to increase productivity through uninterrupted access to applications and resources, without compromising security and agility. You want to increase visibility and control of your wireless network traffic by enforcing the same policies as your wired network and eliminate potential blind spots. You also need a solution that helps you meet compliance by proactively blocking unauthorized access, all while providing tools for business continuity by following industry best practices.

Integrated Wireless Security and Access Solution

Fortinet’s FortiAP wireless thin access points deliver secure, identity-driven WiFi client access that creates a fortified WLAN network. Centrally managed by a FortiGate® or FortiWiFi™ platform with its integrated Wireless Controller, FortiAPs allow you to deploy a comprehensive, integrated security solution for your wireless and wired networks. By acting as a Wireless Controller, FortiGate or FortiWiFi security platforms enable you to deploy the comprehensive protection of the industry leader in enterprise unified threat management (UTM) in an overlay architecture, thus leveraging your current investment.

Industry-Leading Wireless Technology

FortiAP wireless access points are IEEE 802.11a/b/g/n standards-based, and operate on both 2.4 GHz b/g/n and 5 GHz a/n spectrums. They utilize industry leading wireless chip technology that takes advantage of 2x2 MIMO (multiple input multiple output) with dual transmit streams.

This MIMO technology allows the FortiAP to reach wireless association rates as high as 300Mbps per radio and enables the coverage to extend twice as far as legacy 802.11a/b/g. Each FortiAP can support up to eight SSIDs per radio--seven for client access and one for scanning for rogue access points. They also use multiple discovery techniques to find available FortiGate controllers over L2 or L3 networks.

Example of FortiAP Deployment

FortiAP-11C

The FortiAP-11C is a small plug and play wireless access point suitable for travel or remote access. This compact device provides an IEEE 802.11 b/g/n radio, two Ethernet ports and an integrated power plug for flexible operation as a remote AP.

The remote access point function allows IT personnel to ship pre-configured devices to remote employees. Once plugged in, the AP automatically discovers the FortiGate wireless controller over the Internet, downloads its configuration and offers the same SSID used in corporate environments. This enables remote employees to gain secure encrypted network access to enterprise resources over the Internet. This feature also allows IT administrators to save time and reduce helpdesk calls by eliminating the need to assist remote users in resolving access issues.

FortiAP-112B

The FortiAP-112B Wireless Access Point is an economically priced outdoor IEEE 802.11b/g/n access point that provides wireless access on the 2.4 GHz frequency at up to 65 Mbps. The FortiAP-112B has a built-in directional antenna, which concentrates the signal up to 6 dB, allowing for high performance point-to-multipoint connections. Just like all FortiAP wireless access point products, you can configure this versatile access point in AP mode, Mesh mode, Bridge mode, or as a remote AP.

• In AP mode it can provide outdoor wireless access and leverages FortiGate security and authentication features such as guest user self-provisioning and metered bandwidth hotspots.

• You can use the same AP as a Mesh wireless client, enabling point-to-multipoint coverage for large outdoor areas. The AP includes dual Ethernet interfaces, allowing a Mesh node to bridge traffic to a remote device (such as a security camera) or bridge two LAN networks in different buildings.

• You can also install the access point by itself at a remote location without a physical FortiGate onsite. It will tunnel its traffic securely over the Internet to a cloud-installed wireless controller, allowing versatile yet low-cost deployment.

FortiAP-210B

The FortiAP-210B is a durable, business-grade 802.11n solution that provides you with up to 300 Mbps of total throughput for demanding use cases. It uses a single radio dual-band (2.4 GHz and 5 GHz) with 2x2 MIMO technology.

The FortiAP-210B is an enterprise-grade AP that not only provides speedy client access but also offers intelligent application detection and traffic shaping capabilities. Two (2) internal antennas support IEEE 802.11a, b, g and n wireless standards.

The access point is capable of continuous air monitoring for rogue AP detection or delivering high throughput traffic to Wi-Fi clients. Unlike traditional airtime fairness algorithms that are not Business application aware, the FortiOS engine can perform deep L7 packet inspection to accelerate business applications, slow down non-priority traffic, and remove malware. When used as a dedicated AP with background scan or as a dedicated air monitor, the FortiAP-210B will help you meet PCI compliance requirements.

FortiAP-220B

The FortiAP-220B is a durable, business-grade high performance 802.11n solution that delivers up to 600 Mbps of total throughput. It uses a dual concurrent frequency (2.4 GHz and 5 GHz) with 2x2 MIMO technology designed for demanding use cases for any indoor deployment.

The FortiAP-220B has 4 antennas which enable it to provide concurrent operations on both 2.4 GHz and 5 GHz frequencies supporting 802.11a, b, g and n. The access point is capable of continuous air monitoring for rogue AP detection while delivering high throughput traffic to Wi-Fi clients.

Fortinet offers the industry’s largest selection of WLAN controllers for all thin access points including the FortiAP-220B. Moreover, these controllers provide a unified wired and wireless console, giving you a single pane of glass management solution while reducing the total cost of ownership. The FortiAP-220B is an enterprise-grade AP that not only provides uninterrupted client access but also offers intelligent application detection and traffic shaping capabilities.

FortiAP-221B

The FortiAP-221B is a concealable 802.11a/b/g/n wireless access point. When paired with the FortiGate® embedded wireless controller, it can deliver up to 600 Mbps of secure business-grade wireless throughput. The FortiAP-221B features dual-concurrent radios that are ideal for demanding client access for indoor deployments.

The FAP-221B is specially designed with PCI-DSS security compliance in mind. One radio can be configured to automatically switch between 2.4 GHz and 5 GHz frequencies, while the second radio delivers uninterrupted high throughput access to Wi-Fi clients.

The FAP-221B sports the latest generation of wireless hardware, enabling advanced 802.11n technologies and features. These features include Low-Density Parity Check (LDPC) encoding, Maximum Likelihood Demodulation/Maximum Ratio Combining (MLD/MRC), and Transmit Beam Forming (TxBF). The end result is an impressive increase in performance and coverage.

FortiAP-222B

The FortiAP-222B is an enterprise-grade outdoor wireless access point, suitable for challenging environmental conditions including extreme temperatures, contaminated zones and humid conditions. It is designed for all types of outdoor applications including golf courses, resorts, warehouses, stadiums, weather monitoring sites and refineries. Four (4) external antennas allow the FortiAP-222B to operate concurrently on 2.4 GHz and 5 GHz frequencies, providing support for IEEE 802.11a, b, g and n wireless standards.

The access point provides continuous air monitoring for rogue AP detection, intelligent application detection and traffic shaping capabilities. Unlike traditional airtime fairness algorithms that are not business-application aware, the FortiOS engine can perform deep L7 packet inspection to accelerate business applications, slow down unwanted traffic, and remove malware. When used as a dedicated AP with background scan or as a dedicated air monitor, the FortiAP-222B will help you meet PCI compliance requirements.

FAN-500N

The FAN-500N is a single-band 2-element 12-degree point-to-point antenna for use in 802.11n MIMO applications. The antenna provides coverage of 4.9 to 5.9 GHz in a single antenna radome. The lightweight and durable construction and UV-protected radome made of plastic allow both indoor and outdoor installation. Usage scenarios include:

• Building-to-building bridging for use with the FAP-222B.

• Coverage to clients along a narrow corridor.

FAN-612R and FAN-612N 120° Sector

The FAN-612R and FAN-612N are dual-band 2-element 120-degree sector antennas for use in 802.11n MIMO applications. The antenna provides coverage of 2.4 to 2.5 GHz and 4.9 to 5.9 GHz in a single antenna radome. The lightweight and durable construction and UV-protected radome made of plastic allow both indoor and outdoor installation. Usage scenarios include:

• This antenna is also suitable for coverage of large rectangular areas like shopping centers, courtyards and hallways.

• Two FAN-612R can be used with the FAP-223B to provide full dual-band dual-radio 802.11a/b/g/n MIMO coverage. Placing the FAP-223B indoors and the antenna outdoors on the opposite side of the wall can provide outdoor coverage.

• FAN-612N can be used with the FAP-222B to provide full dual-band dual-radio 802.11a/b/g/n MIMO coverage.

FortiAP-223B

The FortiAP-223B Wireless Access Point is an indoor dual-band dual-radio 802.11a/b/g/n wireless access point with external antennas. It can deliver up to 600 Mbps of secure business-grade wireless throughput. The FAP-223B is specially designed with RP-SMA antenna connectors for use with directional panel antennas for optimal signal coverage in shopping centers, factories and corridors.

As with all FortiAP wireless access points, you can configure this versatile AP in AP mode, Mesh mode, Bridge mode, as a dedicated air monitor, or as a remote AP with secure encrypted data channels.

The FAP-223B access point includes the latest generation of wireless access point hardware, enabling advanced 802.11n technologies and features. These features include Low-Density Parity Check (LDPC) encoding, Maximum Likelihood Demodulation/Maximum Ratio Combining (MLD/MRC), and Transmit Beam Forming (TxBF). The end result is an impressive increase in performance and coverage.

FortiAP-320B

The FortiAP-320B Wireless Access Point is a dual-band dual-radio IEEE 802.11a/b/g/n standards-based access point that operates on both the 2.4 GHz b/g/n and 5 GHz a/n spectrums. The FAP-320B delivers the new 3x3 MIMO technology with three spatial streams, which allows connection rates of up to 450 Mbps. This results in more than 50% more throughput than 2x2 MIMO access points and higher performance over longer connection ranges.

This Fortinet wireless access point is purpose-built for customers demanding the highest performance, availability and versatility. Its dual redundant POE Ethernet ports provide maximum uptime, making this wireless AP ideal for mission-critical environments such as hospitals and factories. You can also conceal this access point above drop-ceiling tiles as the enclosure uses plenum-rated plastics and cast aluminum in its construction.

FortiAP Common Product Features & Benefits

Scalable Hardware Platform: Indoor Deployments

- Two radios provide simultaneous 802.11a/b/g/n connections with high throughput*
- Support for 802.3af PoE or standard power adapter

Security: Simultaneous rogue AP detection, monitoring and control (suppression) as well as client access

- Support for 2-factor authentication with FortiToken
- WPA™ and WPA2™, 802.11i, WEP, 802.1X, PSK
- Encryption: AES:CCMP, TKIP, and RC4 (WEP only)
- Intra-SSID privacy
- Wireless Multimedia Extensions (WME) with 4 QoS priority queues for voice, video, data & background traffic
- WME power save (U-APSD)

Traffic Control: Layer 7 traffic prioritization for business-grade application performance guarantees

- Fast roaming for uninterrupted Wi-Fi connectivity and VOIP over WLAN operations
- 2 dedicated SSIDs (1 per radio) for monitoring*

Centralized management with FortiManager

- Centralized reporting with FortiAnalyzer
- Global profile management
- WME with 4 priority queues for voice, video, data and background traffic

Distributed Automatic Radio Resource Provisioning (DARRP): No dependency on client software or hardware

- Fully utilizes available spectrum
- Reduces load on the controller
- Reduces chatter between APs
- Automatic client channel migration

* except FortiAP-210B

FortiAP Product Family Technical Specifications

FAP-11C FAP-112B FAP-210B FAP-220B FAP-221B FAP-222B FAP-223B FAP-320B

Product Description | Plug & Play Remote Access Point | 65 Mbps Outdoor Access Point | Single Radio Dual Band Access Point | Dual Radio Dual Band Access Point | Smoke-Detector Access Point | 600Mbps Outdoor Access Point | External Antenna Smoke-Detector AP | 900Mbps Enterprise Access Point

Suggested Deployment SOHO, Travel indoor Small Outdoor, indoor corridors Indoor Motels, Clinics, Small Enterprise, Retail Indoor Medium Enterprise, Hotels, Healthcare, Advanced Schools and Retail Indoor Medium Enterprise, Hotels, Healthcare, Advanced Schools and Retail Outdoor deployments requirements for enterprises Indoor Enterprises, Hotels, Healthcare, Advanced Schools and Retail

Hardware

Form Factor | Wall Plug | IP55 enclosure | Square | Square | Round | IP67 enclosure | Round | Square

Dimension | 4.3x3.5x1.5 in / 11x8.9x3.4 cm | 7.3x2.6x1.3 in / 18.5x6.6x3.3 cm | 1.1x6.4x5.1 in | 1.1x6.4x5.1 in | 6.5x1.2in | 2.75x7.75x10in | 6.5x2.0in | 6.5x6.5x1.6 in

Mounting | Wall Plug | Wall/Pole, drywall anchors | Wall; Ceiling with optional bracket | Wall; Ceiling with optional bracket | Drywall/T-Rail/Ceiling included | Wall or Pole with kit included | Drywall/T-Rail/Ceiling included | Drywall/T-Rail/Ceiling included

Kensington Lock • • • • •

Ethernet Interfaces | 2x GbE Copper | 2x FE | 1x GbE Copper | 1x GbE Copper | 1x GbE Copper | 1x GbE Copper | 1x GbE Copper | 2x GbE Copper

PoE Proprietary 802.3af 802.3af 802.3af 802.3at & proprietary 802.3af 802.3af /at

Maximum power draw 12.9 W 12.9 W 12.9 W 12.9 W 25 W 12.9 W 12.9 W

Included accessories | Power plugs | AC adaptor & proprietary POE injector | AC adaptor and Anchors | AC adaptor and Anchors | T-rail mounting, anchors | AC adaptor & proprietary POE injector, mounting brackets, anchors & grounding wire | T-rail mounting, anchors | T-rail mounting, anchors

Resilient POE backup •

Plenum installable •

Mesh capable • • • • •

Wireless | FAP-11C | FAP-112B | FAP-210B | FAP-220B | FAP-221B | FAP-222B | FAP-223B | FAP-320B
IEEE Standard | 802.11 b/g/n | 802.11 b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n
Number of Radios | 1 | 1 | 1 | 2 | 2 | 2 | 2 | 2
Radio Band | Single | Single | Dual | Dual | Dual | Dual | Dual | Dual
Radio 1 Band | 2.4 GHz | 2.4 GHz | 2.4 GHz / 5 GHz | 2.4 GHz / 5 GHz | 2.4 GHz / 5 GHz | 5 GHz | 5 GHz | 5 GHz
Radio 2 Band | - | - | - | 2.4 GHz | 2.4 GHz | 2.4 GHz | 2.4 GHz | 2.4 GHz
MIMO | 1x1 (1 stream) | 1x1 (1 stream) | 2x2 (dual stream) | 2x2 (dual stream) | 2x2 (dual stream) | 2x2 (dual stream) | 2x2 (dual stream) | 3x3 (3 stream)
Peak radio association rate | 65 Mbps | 65 Mbps | 300 Mbps | 300 Mbps | 300 Mbps | 300 Mbps | 300 Mbps | 450 Mbps
Max / recommended number of concurrent clients | no limit / 5 | no limit / 30 | no limit / 30 | no limit / 30 per radio | no limit / 30 per radio | no limit / 30 per radio | no limit / 30 per radio | no limit / 50 per radio
Antenna Type and Count | 1 - Internal | 1 - Internal | 2 - Internal | 4 - Internal | 4 - Internal | 4 N-type External | 4 RP-SMA External | 6 - Internal
Antenna Gain | 3dBi | 6dBi | 3dBi/(4dBi-5GHz) | 3dBi/(4dBi-5GHz) | 3dBi/(4dBi-5GHz) | 5dBi/(7dBi-5GHz) | 3dBi/(4dBi-5GHz) | 3dBi/(4dBi-5GHz)
Max TX Power | 17 dBm (50mW) | 24 dBm (250mW) | 17 dBm (50mW) | 17 dBm (50mW) | 17 dBm (50mW) | 27dBm (500mW) | 17 dBm (50mW) | 24 dBm (250mW)
Number of SSIDs | 8 (7 client, 1 monitor) | 8 (7 client, 1 monitor) | 8 (7 client, 1 monitor) | 16 (14 client, 2 monitor) | 16 (14 client, 2 monitor) | 16 (14 client, 2 monitor) | 16 (14 client, 2 monitor) | 16 (14 client, 2 monitor)

4 queues 4 queues 4 queues 4 queues 4 queues 4 queues 4 queues 4 queues

802.11n 20/40Mhz HT • • • • • •

802.11n MPDU/MSDU agg • • •

802.11n Dynamic MIMO PS • • •

802.11n LDPC encoding • • •

802.11n MLD • • • •

802.11n tx Beam-Forming • • • •

802.11n Max ratio combining • • • •

Thin Access Points

FortiAP Product Matrix

FAP-11C FAP-112B FAP-210B FAP-220B FAP-221B FAP-222B FAP-223B FAP-320B

Rogue AP scanning

Dual Band Scanning • • • • • •

Background Scan • • • • • •

Full-time dedicated monitor • • • • • •

Single Radio Dual band scanning • •

On-wire MAC address collector • • • • • • •

Management

WebUI • • • • • • • •

Wireless Controller • • • • • • • •

Command line CLI • • • • • • • •

External serial console port • • •

Cloud deployment ready • • • • • • • •

DNS based Controller discovery • • • • • • • •

DHCP based controller discovery • • • • • • • •

Controller discovery over L3 boundary • • • • • • • •

Included accessories | Power plugs | AC adaptor & POE injector | AC adaptor and Anchors | AC adaptor and Anchors | T-rail mounting, anchors | AC adaptor & POE injector, mounting brackets, anchors & grounding wire | T-rail mounting, anchors | T-rail mounting, anchors

Resilient POE backup •

Plenum installable •

Mesh capable • • • • •

Certifications

• • •

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Nothing herein represents any binding

clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. WLMTX-2013-R01-JAN

, EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC, EAP-SIM, EAP-AKA, EAP-FAST, 802.11 d/h, WMM Power Save

Wireless Controllers

FortiGate Product Matrix

Hardware | FG/FWF-40C, 60C, 60D Series | FG/FWF-80C Series | FG-110B, 100D, 200B Series | FG-310B, 300C Series | FG-620B, 600C, 800C, 1000C, 1240B Series | FG-3000 Series | FG-5000 Series | FG-VM Series
PoE Variant | FG-60C-PoE (24 ports) | - | FG-200B-POE (8 ports) | - | - | - | - | -
Form Factor | Desktop | Desktop | Desktop-1 RU | 1 RU | 1-2 RU | 2-3 RU | 3-13 RU |
GbE Interfaces | 7-10 | 2 | 8 - 20 | 10 | 16-18 | 12 - 108 | 2 - 28 | Refer to Datasheet
10 GbE Interfaces | - | - | - | - | 2 | 2 - 12 | 2 - 112 | Refer to Datasheet
Maximum Supported APs | 5 | 16 | 32 | 256 | 512 | 1,024 | Up to 14,336 (1,024/blade) | 32 - 1,024
Max number of SSIDs | 32 | 32 | 256 | 256 | 256 | 1,024 | Up to 14,336 (1,024/blade) | 32 - 1,024
Max Concurrent Sessions | 40 K - 500 K | 1 Mil | 500 K - 2.5 Mil | 600 K - 2 Mil | 1 - 7 Mil | 10 - 20 Mil | 10 - 100M | Refer to Datasheet

Simple And Flexible Wi-Fi Planning Tools

FortiPlanner helps you estimate the number of FortiAP wireless access points (APs) and recommends their placement on your premises for optimum performance. This easy-to-use Windows application allows you to import your building floor plan and draw the walls and other obstructions that can impede the wireless signal, and it places the right number of APs based on the type of wireless application you choose. The output of the tool is a comprehensive report that can be used to purchase the right number of FAPs, as well as maps to aid installation.

Dynamic Heatmaps

The heatmap window gives you a realistic view of how your wireless network behaves in real time.

- Real-time polling of FortiGate Wireless Controller
- FortiPlanner logs into FortiGate via SSH
- FortiPlanner automatically imports FAP information
- Displays current number of clients, channel, TX power
- Helps to spot coverage holes and failed APs (Red status)

FortiPlanner

The heatmap window gives you a realistic view of how your wireless network behaves in real time.

- Pre-deployment check
- Post-deployment validation

Guest Management

FortiOS 5.0 supports captive portal technology and lets you create and localize any sort of web page to allow users to connect to the wireless network.

- HTML customizable captive portal
- Validates email format
- Enables business intelligence and marketing opportunities
- Runs on the FortiGate
- No extra license needed

Conclusion

The Fortinet Unified Access Layer solution delivers the integrated, consolidated security every organization needs to fortify their wireless network security. FortiGate, FortiWiFi and FortiAP security platforms add layers of security to wireless traffic without affecting performance or increasing costs. You can quickly and easily add core security services such as application control, antivirus, intrusion prevention (IPS), web filtering, antispam, and traffic shaping to your network, which reduce your risk of unauthorized access, data loss, or damage to critical systems.

FortiGate and FortiWiFi platforms provide the ‘single pane of glass’ management you need for increased control and visibility of all network traffic. Our robust reporting and analysis tools also help you demonstrate policy compliance and satisfy audit requests. Fortinet delivers complete, end-to-end security, from the mobile endpoint to the network core. Our solutions scale for any size environment, from the SOHO to Headquarters to a global telecommunications provider.

Sophisticated Simplicity

- Unified global management
- All-in-one appliance
- Business application control

High Security

- UTM cleansing of wireless
- Rogue AP control for PCI
- In-House Security Experts

- Use your existing FortiGate, no additional licenses
- Fewer devices to manage
- Lower TCO

AMERICAS HEADQUARTERS

1090 Kifer Road
Sunnyvale, CA 94086
United States
Tel +1.408.235.7700
Fax +1.408.235.7737
www.fortinet.com/sales

EMEA HEADQUARTERS

120 rue Albert Caquot
Sophia Antipolis
France 06560
Tel +33.4.8987.0510
Fax +33.4.8987.0501

APAC HEADQUARTERS

300 Beach Road 20-01
The Concourse
Singapore 199555
Tel +65.6513.3734
Fax +65.6295.0015

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortinet is a global provider of high-performance network security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. More than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service providers and governments - are utilizing Fortinet’s broad and deep portfolio to improve their security posture, simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect the constantly evolving networks in every industry and region around the world.

