FortiWLC – Support for CAPWAP

Support for CAPWAP

FortiWLC supports Control and Provisioning of Wireless Access Points (CAPWAP) protocol to allow Fortinet access points to discover Fortinet WLAN controllers. In addition to controller discovery, APs can send keep-alive packets to controllers via CAPWAP.

This is a partial implementation of the CAPWAP protocol that is limited to controller discovery, keepalive packets (echo request and response), AP image upgrade, and tunnelled client data packets between AP and controller.

Legacy Discovery Process

There are three types of access point discovery:

  • Layer 2 only-Access point is in the same subnet as controller.
  • Layer 2 preferred-Access point sends broadcasts to find the controller by trying Layer 2 discovery first. If the access point gets no response, it tries Layer 3 discovery.
  • Layer 3 preferred-Access point sends discovery message to the controller by trying Layer 3 discovery first. If the access point gets no response, it tries Layer 2 discovery.
  • Layer 3 only-Access point sends discovery message to the controller by trying Layer 3 only.

For Layer 2 and Layer 3 discovery, the access point cycles between Layer 2, Layer 3, and Mesh (if mesh is enabled) until it finds the controller.

An access point obtains its own IP address from DHCP (the default method), or you can assign a static IP address. After the access point has an IP address, it must find a controller’s IP address. By default, when using Layer 3 discovery, the access point obtains the controller’s IP address by using DNS and querying for hostname. The default hostname is “wlan-controller.” This presumes the DNS server knows the domain name where the controller is located. The domain name can be entered via the AP configuration or it can be obtained from the DHCP server, but without it, an Layer 3-configured AP will fail to find a controller. Alternately, you can configure the AP to point to the controller’s IP directly (if the controller has a static IP configuration).

After the access point obtains the controller IP address, it sends discovery messages using UDP port 9393. After the controller acknowledges the messages, a link is formed between the AP and the controller.

Discovery sequence for OAP832 and OAP433

Even if OAP832 and OAP433 are configured in the L3-only mode, the access points will be use L3 preferred mode to find controller. If the L3-preferred mode fails, they will fall back to L2 mode.

Legacy Discovery Process


CAPWAP and Legacy Reference
Port Requirements
Activity CAPWAP UDP Ports L3 UDP Ports Ethertype (L2)
Discovery 5246 9292 0x4003
Configuration and KeepAlive 5246 5000 0x4001
Data Flow 5247 9393 0x4000
Controller and AP Communication Ports
AP firmware version Discovery Mode Discovery

Port /


keep-alive ports /


Configuration ports/




Ports /


Pre-8.3 (8.2, 8.1, 8.0, 7.0,  etc.,) L2










After upgrade,

UDP 5246 and

8.3.0 L2 0x4003 0x4001 0x4001 0x4000 5247 is used for future discovery process and data flow respectively.
  L3 5246 5246 5000 5247  
CAPWAP Discovery

The CAPWAP protocol requires the UDP ports 5246 and 5247 to exchange control and data packets respectively

Legacy Discovery Process

Discovery Sequence

The CAPWAP discovery supports the following sequence on port UDP 5246:

  1. Unicast Options Controller IP address: AP sends discovery request to a controller based on the configured IP address in the AP.
    • DHCP Option 138: AP sends discover request to the controller configured with DHCP option 138. Alternatively, option 43 is also available for discovering controller.
    • DNS: AP sends discovery request based on the DNS resolution of –
  2. Multicast: AP sends discovery request via multicast address –
  3. Broadcast: AP sends discovery request via broadcast address on – 255.255.255
Discovery Process
  1. In L3 discovery mode, the AP sends discovery request on both port 5246 and port 9292 to the controller.
  2. If the controller is already upgraded to 8.3 release, it sends response on port 5246 to complete the AP association.
  3. Further the keep-alive and image upgrade message exchange happens on port 5246.
  4. Tunnelled client data are sent to controller on port 5247.
Upgrading from Pre-8.3 Release

Using the upgrade controller command with auto‐ap‐upgrade ON

  1. The controller is upgraded to 8.3 and will now listen on port 5246 and 9292 for discovery request from access points. During the controller upgrade process, the pre-8.3 access points will continue re-discovery of the controller using the legacy method.
  • Once the controller is upgraded, the pre-8.3 APs will associate with the controller using the legacy method.
  1. Now, the access points begin the upgrade process. After the upgrade is complete, the access points will send discovery request on port 5246 and port 9292. The controller that is already upgraded to 8.3 will respond on port 5246 to complete AP association.

Legacy Discovery Process

Using the upgrade system command
  1. The APs are upgraded first to the 8.3 release. After upgrade the APs will send discovery request using a method sequence as mentioned in the Discovery Sequence section.
  2. The controller is upgraded to 8.3 after the APs are upgraded. The 8.3 controller will respond to AP discovery request.

Post Upgrade

Ensure that UDP 5000 is open after the upgrade is complete.


When downgraded to a previous release, the discovery mechanism will switch back to the legacy discovery process. However, we recommend that you open the CAPWAP UDP ports, Kcom (L3) UDP ports, and Ethertypes.

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.