FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 8 - Deploying Wireless Networks > Access point deployment > Discovering and authorizing APs

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

To configure the interface for the AP unit - web-based manager
  1. Go to System > Network > Interfaces and edit the interface to which the AP unit connects.
  2. Set Addressing Mode to Dedicate to Extension Device.
  3. Enter the IP address and netmask to use.
    This FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is, the FortiAP units will be assigned to To maximize the available addresses, use the .1 address for the interface:, for example.
  4. Select OK.
To configure the interface for the AP unit - CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface

edit port3

set mode static

set ip


config system dhcp server

edit 0

set interface "dmz"

config ip-range

edit 1

set end-ip

set start-ip


set netmask

set vci-match enable

set vci-string "FortiAP"


The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

To pre-authorize a FortiAP unit
  1. Go to WiFi Controller > Managed Access Points > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on WiFi Controller > Managed Access Points > Managed FortiAP page.

Discovered access point unit

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile if needed. The FortiAP Profile defines the entire configuration for the AP.

To add and configure the discovered AP unit - web-based manager
  1. Go to WiFi Controller > Managed Access Points > Managed FortiAP.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. If you want to override the FortiAP profile, select Override Settings and adjust the following:
Enable WiFi Radio This must be selected to enable operation of this AP.
SSID Automatically Inherit all SSIDs — AP will carry all WiFi networks.
Select SSIDs — select individual SSIDs for this AP to carry.
Auto TX Power Control If you enable automatic transmitter power control, adjust TX Power Low and TX Power High to set the power range.
Tx Power If you are not using automatic power control, adjust AP transmitter power. The 100% setting is the maximum permitted in your country. See Configuring a WiFi LAN.
Do not participate in Rogue AP scanning Select this option if scanning adversely affects WiFi traffic.
  1. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp

edit FAP22A3U10600118

set admin enable

set wtp-profile AP-profile1


To use the default profile, leave the wtp-profile field unset.

To view the status of the added AP unit

config wireless-controller wtp

edit FAP22A3U10600118


The join-time field should show a time, not “N/A”. See the preceding web-based manager procedure for more information.

Assigning the same profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

  1. Go to WiFi Controller > Managed Access Points > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right click on one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Connecting to the FortiAP CLI

The FortiAP unit has a CLI through which some configuration options can be set. You can access the CLI using Telnet.

To access the FortiAP unit CLI through the FortiAP Ethernet port
  1. Connect your computer to the FortiAP Ethernet interface, either directly with a cross-over cable or through a separate switch or hub.
  2. Change your computer’s IP address to
  3. Telnet to IP address
    Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible.
  4. Login with user name admin and no password.
  5. Enter commands as needed.
  6. Optionally, use the passwd command to assign an administrative password for better security.
  7. Save the configuration by entering the following command:

cfg –c .


  1. Unplug the FortiAP and then plug it back in, in order for the configuration to take effect
To access the FortiAP unit CLI through the FortiGate unit
  1. Connect the FortiAP unit to the FortiGate network interface that has been configured for FortiAP units.
  2. Use the FortiGate CLI execute telnet command to access the FortiAP. For example, if the FortiAP unit IP address is, enter:

execute telnet


  1. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.
When a WiFi controller has taken control of the FortiAP unit, Telnet access to the FortiAP unit’s CLI is no longer available.

Checking and updating FortiAP unit firmware

You can view and update the FortiAP unit’s firmware from the FortiGate unit that acts as its WiFi controller.

Checking the FortiAP unit firmware version

Go to WiFi Controller > Managed Access Points > Managed FortiAP to view the list of FortiAP units that the FortiGate unit can manage. The OS Version column shows the current firmware version running on each AP.

Updating FortiAP firmware from the FortiGate unit

You can update the FortiAP firmware using either the web-based manager or the CLI. Only the CLI method can update all FortiAP units at once.

To update FortiAP unit firmware - web-based manager
  1. Go to WiFi Controller > Managed Access Points > Managed FortiAP.
  2. Select the FortiAP unit from the list and edit it.
  3. In FortiAP OS Version, select Upgrade from File.
  4. Select Browse and locate the firmware upgrade file.
  5. Select OK.
  6. When the upgrade process completes, select OK.
    The FortiAP unit restarts.
To update FortiAP unit firmware - CLI
  1. Upload the FortiAP image to the FortiGate unit.
    For example, the Firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is

execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out

If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.

  1. Verify that the image is uploaded:

execute wireless-controller list-wtp-image


  1. Upgrade the FortiAP units:

exec wireless-controller reset-wtp all

If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Updating FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit’s internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

  1. Place the FortiAP firmware image on a TFTP server on your computer.
  2. Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
  3. Change your computer’s IP address to
  4. Telnet to IP address
    This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.
  5. Login with the username “admin” and no password.
  6. Enter the following command.
    For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.

restore FAP_22A_v4.3.0_b0212_fortinet.out