Using Remote WLAN FortiAPs


Configuring the FortiAP units

Prior to providing a Remote WLAN FortiAP unit to an employee, you need to preconfigure the AP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP

1. Connect the FortiAP to the FortiGate unit.

2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh

periodically to see the latest information. Note the Connected Via IP address.

3. Go to Dashboard. In the CLI Console, log into the FortiAP CLI.

For example, if the IP address is, enter:

exec telnet

Enter admin at the login prompt. By default, no password is set.

4. Enter the following commands to set the FortiGate WiFi controller IP address. This should be the FortiGate

Internet-facing IP address, in this example

cfg -a AC_IPADDR_1= cfg -c

5. Enter exit to log out of the FortiAP CLI.


Preauthorizing FortiAP units

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee’s name, for easier tracking.

1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.

2. Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.

3. Click OK.

Repeat this process for each FortiAP.


Features for high-density deployments

High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.

FortiOS and FortiAP devices provide several tools to mitigate the difficulties of high-density environments.


Broadcast packet suppression

Broadcast packets are sent at a low data rate in WiFi networks, consuming valuable air time. Some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed.

ARP requests and replies could allow clients to discover each other’s IP addresses. On most WiFi networks, intra- client communication is not allowed, so these ARP requests are of no use, but they occupy air time.

DHCP (upstream) should be allowed so that clients can request an IP address using DHCP.

DHCP (downstream) should be suppressed because it would allow a client to provide DHCP service to other clients. Only the AP should do this.

NetBIOS is a Microsoft Windows protocol for intra-application communication. Usually this is not required in high- density deployments.

IPv6 broadcast packets can be suppressed if your network uses IPv4 addressing.

You can configure broadcast packet suppression in the CLI. For example, to suppress ARP, downstream DHCP, NetBIOS, and IPv6 packets on the conf-net network, enter:

config wireless-controller vap edit conf_net

set broadcast-suppress arp-known arp-unknown arp-reply dhcp-down netbios-ns netbios- ds ipv6



Multicast to unicast conversion

Multicast data such as streaming audio or video are sent at a low data rate in WiFi networks. This causes them to occupy considerable air time. FortiOS provides a multicast enhancement option that converts multicast streams to unicast. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. You can configure multicast-to-unicast conversion in the CLI:


config wireless-controller vap edit <vap_name>

set multicast-enhance enable end


Ignore weak or distant clients

Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients’ probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:


config wireless-controller vap edit <vap_name>

set probe-resp-suppression enable

set probe-resp-threshold <level_int>



vap_name is the SSID name.


probe-respthreshold is the signal strength in dBm below which the client is ignored. The range is -95 to –

20dBm. The default level is -80dBm.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

6 thoughts on “Using Remote WLAN FortiAPs

  1. Milutin

    How to set split tunneling to public Internet destinations. There is no unique subnet for that. I want all traffic to Internet to go locally.

    1. Mike Post author

      Just to clarify, you are wanting all NON enterprise network (or organization etc) traffic to flow out the local internet connection instead of going over the tunnel back to HQ and out their pipe?

      1. Milutin

        Please, see our conversation above. I need to split tunnel all NON enterprise traffic to the local internet instead of going over the tunnel back to the HQ and out their pipe. It is possible with IPSec VPN, but I am not sure how to do this with RemoteAP. In my case it is FortiAP25D.
        Do you have any idea?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.