Access point deployment


This chapter describes how to configure access points for your wireless network.

  • Overview
  • Network topology for managed APs
  • Discovering and authorizing APs
  • Advanced WiFi controller discovery
  • Wireless client load balancing for high-density deployments
  • FortiAP Groups
  • LAN port options
  • Preventing IP fragmentation of packets in CAPWAP tunnels
  • LED options



FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Network topology for managed APs, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Discovering and authorizing APs.

If your FortiAP units are unable to find the WiFi controller, refer to Advanced WiFi controller discovery for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.


Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:


Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAPs matches the number of ‘internal’ ports available on the FortiGate. In this configuration, the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.


Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. With this method of connectivity, it's best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.


Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs and let the FortiGate unit discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to:

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.


Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.


To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the interface to which the AP unit connects.

2. Set Addressing Mode to Dedicate to Extension Device.

3. Enter the IP address and netmask to use.

This FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is, the FortiAP units will be assigned to To maximize the available addresses, use the .1 address for the interface:, for example.

4. Select OK.


To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately. Values in angle brackets are placeholders for your own addressing.

    config system interface
        edit port3
            set mode static
            set ip <interface-IP> <netmask>
        next
    end
    config system dhcp server
        edit 0
            set interface "port3"
            config ip-range
                edit 1
                    set start-ip <start-IP>
                    set end-ip <end-IP>
                next
            end
            set netmask <netmask>
            set vci-match enable
            set vci-string "FortiAP"
        next
    end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.
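The guidance in this section (no administrative access or DNS Query service on the AP-facing interface, DHCP leases restricted with vci-match) can be checked against a configuration backup. The Python script below is an added example, not Fortinet code; it assumes the backup expresses these settings through set allowaccess, the config system dns-server table and config system dhcp server, and the sample configuration in it is constructed.

```python
import shlex

ADMIN = {"http", "https", "ssh", "telnet", "snmp"}  # management protocols

def parse(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    stack = [("config", {})]
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        op, args, node = tok[0], tok[1:], stack[-1][1]
        if op in ("config", "edit"):
            stack.append((op, node.setdefault(" ".join(args), {})))
        elif op == "set":
            node[args[0]] = args[1:]
        elif op in ("next", "end"):
            if op == "end" and stack[-1][0] == "edit":
                stack.pop()  # 'end' right after an entry also closes the entry
            stack.pop()
    return stack[0][1]

def audit_ap_interface(text, ifname):
    """Check the AP-facing interface against the guidance in this section."""
    cfg, out = parse(text), []
    iface = cfg.get("system interface", {}).get(ifname, {})
    admin = sorted(ADMIN & set(iface.get("allowaccess", [])))
    if admin:
        out.append("administrative access enabled: " + " ".join(admin))
    if ifname in cfg.get("system dns-server", {}):
        out.append("DNS query service enabled")
    for s in cfg.get("system dhcp server", {}).values():
        if s.get("interface") == [ifname] and (
                s.get("vci-match") != ["enable"] or not s.get("vci-string")):
            out.append("DHCP server not restricted by vci-match")
    return out

# Constructed sample (not from a real device): weak settings on port3.
WEAK = """
config system interface
    edit "port3"
        set allowaccess ping https ssh capwap
end
config system dhcp server
    edit 1
        set interface "port3"
end
"""
print(audit_ap_interface(WEAK, "port3"))
```

vci-match filters on the vendor class string that the DHCP client itself sends, so it limits who gets a lease but does not identify the device. Authorization of each FortiAP on the controller remains the control that decides which units are managed.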


Preauthorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.


To pre-authorize a FortiAP unit

1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

2. Enter the Serial Number of the FortiAP unit.

3. Configure the Wireless Settings as required.

4. Select OK.


Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on the WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.
