If your FortiAP is located in an easily accessible location, you can disable serial console port access to prevent intruders from physically accessing the FortiAP. By default, console login is enabled in WTP profiles.
config wireless-controller wtp-profile
set console-login disable
When the console access is changed, all managed FortiAPs using the profile are rebooted.
You can confirm console login is disabled by logging into the FortiAP with the SSH connection.
FortiAP-433F # wcfg | grep console-login
console-login : disabled