Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 7.4.0 FortiWiFi and FortiAP Configuration Guide
    7.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Creating a FortiAP profile

    Creating a FortiAP profile

    A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n, 5 GHz 802.11a/n, or 6 GHz 802.11ax service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

    You can modify existing FortiAP profiles or create new ones of your own.

    To configure a FortiAP profile - GUI:
    1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
    2. Enter a Name for the FortiAP Profile.

    3. Configure the following options:

      Platform

      Select the FortiWiFi or FortiAP model to which this profile applies.

      If you selected a WiFi 6E capable model, select a Platform mode:

      • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
      • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
      Indoor/Outdoor Select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.
      Country/Region

      Select the country or region to apply the Country Code for where the FortiAP will be used.
      Split Tunneling Subnets

      If split tunneling is used, enter a comma-separated list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller.
      AP login password

      Select if you want set a new AP login password or leave the password unchanged.
      Administrative access

      Select which types of administrative access you want to allow for the FortiAP:

      • HTTPS
      • SSH
      • SNMP
      Client load balancing

      Select a handoff type as needed (see Wireless client load balancing for high-density deployments).
      802.1X authentication

      Enable if you want to configure the FortiAP to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).
      UNII-4 5GHz band channels

      Only available on G-series models.

      Enable if you want to use UNII-4 5GHz band channels (see Configuring UNII-4 5GHz radio bands).

    4. For each radio, enter:

      Mode

      Select the type of mode:

      • Disabled – The radio is disabled.
      • Access Point – The platform is an access point.
      • Dedicated Monitor – The platform is a dedicated monitor. See Wireless network monitoring.

      WIDS profile

      Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

      Radio resource
      provision

      Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

      Band

      Select the wireless protocols that you want to support. The available choices depend on the radio's capabilities. Where multiple protocols are supported, the letter suffixes are combined: "802.11g/b" means 802.11g and 802.11b.

      Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

      Channel width

      Select channel width for 802.11ac or 802.11n on 5 GHz.

      Channel plan

      Select if you want to automatically configure a Channel plan or if want to select custom channels.

      • Three Channels – Automatically selects channel 1, 6, and 11.

      • Four Channels – Automatically selects channels 1, 4, 8, and 11.

      • Custom – Select custom channels.

      Channels

      Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

      For 5GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

      • Toggle DFS Channels – Select DFS channels.
      • Toggle Weather Radar Channels – Select Weather Radar channels.

      The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

      Short guard
      interval

      Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

      Transmit power mode

      Select how you want to determine transmit power:

      • Percent – Transmit power is determined by multiplying set percentage with maximum available power determined by region and FortiAP device.
      • dBm – Transmit power is set using a dBm value.
      • Auto – Specify a range of dBm values and the power is set automatically.

      Transmit power

      Specify either the minimum and maximum Transmit power levels in dBm or as a percentage.

      SSIDs

      Select a traffic mode for SSIDs.

      • Tunnel – Available tunnel-mode SSIDs are automatically assigned to this radio.
      • Bridge – Available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
      • Manual – Manually select which available SSIDs and SSID groups to assign to this radio.

      Monitor channel utilization

      Select to enable monitoring channel utilization.

      5. Radio 2 and 3 settings are available for FortiAP models with multiple radios.

    5. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
    6. Click OK.
    To configure a FortiAP profile - CLI:

    This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

    config wireless-controller wtp-profile

    edit "guest_prof"

    config platform

    set type 220B

    end

    config radio-1

    set mode ap

    set band 802.11g

    set vap-all enable

    end

    config radio-2

    set mode ap

    set band 802.11g

    set vaps example_wlan

    end

    end

    Previous
    Next

    Creating a FortiAP profile

    Creating a FortiAP profile

    A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n, 5 GHz 802.11a/n, or 6 GHz 802.11ax service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

    You can modify existing FortiAP profiles or create new ones of your own.

    To configure a FortiAP profile - GUI:
    1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
    2. Enter a Name for the FortiAP Profile.

    3. Configure the following options:

      Platform

      Select the FortiWiFi or FortiAP model to which this profile applies.

      If you selected a WiFi 6E capable model, select a Platform mode:

      • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
      • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
      Indoor/Outdoor Select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.
      Country/Region

      Select the country or region to apply the Country Code for where the FortiAP will be used.
      Split Tunneling Subnets

      If split tunneling is used, enter a comma-separated list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller.
      AP login password

      Select if you want set a new AP login password or leave the password unchanged.
      Administrative access

      Select which types of administrative access you want to allow for the FortiAP:

      • HTTPS
      • SSH
      • SNMP
      Client load balancing

      Select a handoff type as needed (see Wireless client load balancing for high-density deployments).
      802.1X authentication

      Enable if you want to configure the FortiAP to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).
      UNII-4 5GHz band channels

      Only available on G-series models.

      Enable if you want to use UNII-4 5GHz band channels (see Configuring UNII-4 5GHz radio bands).

    4. For each radio, enter:

      Mode

      Select the type of mode:

      • Disabled – The radio is disabled.
      • Access Point – The platform is an access point.
      • Dedicated Monitor – The platform is a dedicated monitor. See Wireless network monitoring.

      WIDS profile

      Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

      Radio resource
      provision

      Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

      Band

      Select the wireless protocols that you want to support. The available choices depend on the radio's capabilities. Where multiple protocols are supported, the letter suffixes are combined: "802.11g/b" means 802.11g and 802.11b.

      Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

      Channel width

      Select channel width for 802.11ac or 802.11n on 5 GHz.

      Channel plan

      Select if you want to automatically configure a Channel plan or if want to select custom channels.

      • Three Channels – Automatically selects channel 1, 6, and 11.

      • Four Channels – Automatically selects channels 1, 4, 8, and 11.

      • Custom – Select custom channels.

      Channels

      Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

      For 5GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

      • Toggle DFS Channels – Select DFS channels.
      • Toggle Weather Radar Channels – Select Weather Radar channels.

      The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

      Short guard
      interval

      Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

      Transmit power mode

      Select how you want to determine transmit power:

      • Percent – Transmit power is determined by multiplying set percentage with maximum available power determined by region and FortiAP device.
      • dBm – Transmit power is set using a dBm value.
      • Auto – Specify a range of dBm values and the power is set automatically.

      Transmit power

      Specify either the minimum and maximum Transmit power levels in dBm or as a percentage.

      SSIDs

      Select a traffic mode for SSIDs.

      • Tunnel – Available tunnel-mode SSIDs are automatically assigned to this radio.
      • Bridge – Available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
      • Manual – Manually select which available SSIDs and SSID groups to assign to this radio.

      Monitor channel utilization

      Select to enable monitoring channel utilization.

      5. Radio 2 and 3 settings are available for FortiAP models with multiple radios.

    5. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
    6. Click OK.
    To configure a FortiAP profile - CLI:

    This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

    config wireless-controller wtp-profile

    edit "guest_prof"

    config platform

    set type 220B

    end

    config radio-1

    set mode ap

    set band 802.11g

    set vap-all enable

    end

    config radio-2

    set mode ap

    set band 802.11g

    set vaps example_wlan

    end

    end

    Previous
    Next