Using Remote WLAN FortiAPs

Using Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.


Split tunneling

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate unit. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate unit with unnecessary traffic and allows direct access to local private networks at the FortiAP’s location even if the connection to the WiFi controller goes down.


Note: Split tunneling in WiFi networks differs in implementation from split tunneling in VPN configurations.

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings

set gui-fortiap-split-tunneling enable end

Split tunneling is configured in the FortiAP Profile and enabled in the SSID.



Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote


  • Create FortiAP profiles for the Remote LAN FortiAP models
  • If split tunneling will be used
  • enable Split Tunneling in the SSID
  • configure the split tunnel networks in the FortiAP profile

6 thoughts on “Using Remote WLAN FortiAPs

  1. Milutin

    How to set split tunneling to public Internet destinations. There is no unique subnet for that. I want all traffic to Internet to go locally.

    1. Mike Post author

      Just to clarify, you are wanting all NON enterprise network (or organization etc) traffic to flow out the local internet connection instead of going over the tunnel back to HQ and out their pipe?

      1. Milutin

        Please, see our conversation above. I need to split tunnel all NON enterprise traffic to the local internet instead of going over the tunnel back to the HQ and out their pipe. It is possible with IPSec VPN, but I am not sure how to do this with RemoteAP. In my case it is FortiAP25D.
        Do you have any idea?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.