FCP_FWF_AD-7.4 FCP - Secure Wireless LAN 7.4 Administrator Questions and Answers

The scenario involves employees connecting via remote FortiAP (FAP) devices, with a requirement to enforce corporate security policies for all wireless stations at branch/remote sites.

Teleworker topology (also called remote AP, or split-tunnel mode) is designed exactly for this:

FortiAP at remote sites connects to the main office FortiGate via a secure tunnel (CAPWAP over VPN or DTLS).

Traffic destined for corporate resources is tunneled back to the main office for full security inspection and policy enforcement.

Local internet-bound traffic can be split off locally (split-tunnel) or tunneled back as well (full-tunnel), based on policy.

This ensures all employee wireless sessions accessing corporate resources are subject to central security policies, without requiring local IT staff.

Option A (VPN tunnels) is part of the teleworker topology but doesn ' t by itself ensure wireless security enforcement or policy application for wireless stations—teleworker/split-tunnel is more precise.

Option B is impractical and unnecessary.

Option C moves resources to the cloud, but this does not ensure security enforcement for wireless clients over remote links.

Summary: Teleworker topology on FortiAP allows secure, policy-enforced connectivity from remote sites back to HQ for all wireless stations.

Exhibit Analysis:

The diagram shows a section of the 5 GHz Wi-Fi band, with several adjacent channels: 149, 153, 157, 161.

The red line outlines a wider frequency range covering multiple adjacent channels (149, 153, 157).

What this means:

In Wi-Fi (especially 802.11ac/ax), “channel bonding” means combining adjacent 20 MHz channels into a wider channel (40, 80, or even 160 MHz).

The red line indicates the frequency range that would be used if an 80 MHz channel (covering channels 149, 153, 157, 161) is formed by bonding the narrower channels together.

This increases throughput because a wider channel allows more data to be transmitted at once.

Option Review:

A. Practical channel bonding to increase high throughput

Correct. The red line represents the spectrum occupied when several 20 MHz channels are bonded into a single, wider channel to increase data rates.

B. A pool of channels for the wireless radio to broadcast the wireless signal.

Incorrect. A pool would be all available channels, not the bonded range.

C. The range of channels used to allocate available airtime while transmitting data

Incorrect. This is about frequency, not time.

D. The total length of the wireless signal wavelength

Incorrect. The line indicates frequency spectrum, not wavelength length.

Summary:

The red line shows how multiple adjacent 20 MHz channels are bonded together (in this case, most likely into an 80 MHz channel), a practical method to increase wireless throughput in modern Wi-Fi networks.

Exhibit Review:

The diagnostics panel for FortiAP FP231FTF2001 shows:

Tx bandwidth label: 150.54 Mbps (likely the negotiated or theoretical maximum).

Bandwidth graph (actual traffic) : Transmit (Tx) bandwidth peaked at only ~3 Mbps over the last 5 minutes—far below the maximum.

Radio 1 (2.4 GHz) shows 10 interfering SSIDs and 40% channel utilization .

Radio 2 (5 GHz) is not the focus in the current graph.

Interpretation:

The significant difference between the potential (label) and actual (graph) throughput indicates that something is preventing the AP from delivering full speed.

This could be resource overload (e.g., too many clients, too much interference, CPU/memory constraints), leading to overall reduced throughput for all users .

The graph represents real-time/actual usage, not just the theoretical capability.

Option Breakdown:

A. Resources on FortiAP are overloaded which limits speed rates for all users

Correct. Overload (either due to too many clients, high interference, or hardware resources) is a logical reason why actual throughput is far below the possible maximum.

B. Label values are historical and provide average bandwidth

Incorrect. The label reflects the maximum link rate or negotiated data rate, not an average or historical usage value.

C. FortiAP is dual band and is transmitting data faster with a higher frequency band

Not supported by the evidence. The current data is for Radio 1 (2.4 GHz) and does not show high usage on either band.

D. Bandwidth is shared with other SSID signals broadcasting for nearby AP devices

While interference does share airtime, the drastic drop in throughput strongly suggests an overload or other limiting factor on this AP.

Summary:

The large gap between the expected maximum (label) and the actual throughput observed suggests that resource overload is the root cause of poor wireless speeds for all users.

Wireless Intrusion Detection System (WIDS) in Fortinet’s Secure Wireless LAN (SWLAN) platform monitors for threats to the wireless environment and detects a range of attacks and misconfigurations.

The main threats detected by WIDS include:

Rogue access points: These are unauthorized APs plugged into the network, posing a security risk. WIDS scans and identifies any AP that is not part of the authorized network, flagging them as potential rogues.

Unauthorized wireless connections: WIDS can detect clients that connect to unauthorized or suspicious wireless networks, as well as unauthorized wireless devices attempting to connect to the network.

Analysis of Options:

A. Brute-force dictionary attacks:

WIDS does not specifically detect brute-force dictionary attacks against authentication. It focuses more on network topology threats and unauthorized devices.

B. Unauthorized wireless connection:

Correct. WIDS can detect unauthorized wireless connections, such as clients connecting to networks/APs that are not trusted.

C. Rogue access points:

Correct. Detecting rogue APs is a primary function of WIDS.

D. WPA2 authentication vulnerabilities:

WIDS does not specifically scan for cryptographic protocol vulnerabilities. It detects behavioral/network threats.

When enabling a Security Fabric connection on a FortiGate interface to manage FortiAP devices, the following two types of CAPWAP (Control and Provisioning of Wireless Access Points) communication channels are established:

Control channels:

Correct. The control channel is used for management and control information between the FortiGate (controller) and FortiAP. This includes configuration, monitoring, and state updates.

Data channels:

Correct. The data channel carries client traffic between the FortiAP and FortiGate. This enables the FortiGate to apply security policies, content filtering, and other services to wireless client data.

Analysis of Other Options:

C. Security channels:

There is no specific “security channel” in CAPWAP terminology.

D. Fortlink channels:

FortLink is used for FortiSwitch management, not FortiAPs. CAPWAP is the protocol for FortiAP management.

The logs show repeated client-association-failure events followed by RADIUS authentication failure messages for client

This means the station successfully associated at Layer 2 but failed at the RADIUS authentication step (802.1X/EAP), typically due to invalid credentials or a misconfiguration on the RADIUS server.

Eventually, the log shows a successful authentication, indicating the credentials or RADIUS issue was resolved on a later attempt.