FortiWiFi and FortiAP Configuration Guide

FortiAP CLI configuration and diagnostics commands

The FortiAP CLI controls radio and network operations through the use of variables manipulated with the configuration and diagnostics commands.

For details about accessing the FortiAP CLI, see FortiAP CLI access.

Configuration commands

Command

Description

cfg -s

List the variables for the most commonly used settings, plus any that are not using default values.

cfg -a var=value

Add or change a variable value.

cfg -c

Commit the change to flash.

cfg -x

Reset settings to factory defaults.

cfg -r var

Remove variable.

cfg -e

Export variables.

cfg -h

Display help for all configuration commands and a complete list of configuration variables.

Configuration variables

Variable

Description and value

AC_CTL_PORT

WiFi Controller control (CAPWAP) port.

Default: 5246.

AC_DATA_CHAN_SEC

Supported data channel security policies.

clear - Clear text

dtls - DTLS (encrypted)

ipsec - IPsec VPN

ipsec-sn - IPsec VPN that includes the FortiAP serial number.

AC_DISCOVERY_TYPE

0 - Auto - Cycle through all of the discovery types until successful.

1 - Static. Specify WiFi Controllers.

2 - DHCP

3 - DNS

5 - Broadcast

6 - Multicast

7 - FortiCloud

AC_HOSTNAME_1
AC_HOSTNAME_2
AC_HOSTNAME_3

WiFi Controller host names for static discovery.

AC_IPADDR_1
AC_IPADDR_2
AC_IPADDR_3

WiFi Controller IP addresses for static discovery.

AC_DISCOVERY_DHCP_OPTION_CODE

Option code for DHCP server.

Default: 138.

AC_DISCOVERY_MC_ADDR

Multicast address for controller discovery.

Default: 224.0.1.140.

ADDR_MODE

How the FortiAP unit obtains its IP address and netmask.

DHCP - FortiGate interface assigns address.

STATIC - Specify in AP_IPADDR and AP_NETMASK.

Default: DHCP.

ADMIN_TIMEOUT

Administrative timeout in minutes. Applies to GUI sessions.

Default: 5 minutes.

AP_IPADDR
AP_NETMASK
IPGW

These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.

Default for AP_IPADDR: 192.168.1.2.

Default for AP_NETMASK: 255.255.255.0.

Default for IPGW: 192.168.1.1.

ALLOW_HTTPS

0 - https disable

1 - https enable

2 - controlled by AC

Default: 2.

ALLOW_SSH

0 - SSH disable

1 - SSH enable

2 - controlled by AC

Default: 2.

AP_MGMT_VLAN_ID

Non-zero value applies VLAN ID for unit management. See Reserved VLAN IDs.

Default: 0.

AP_MODE

FortiAP operating mode.

0 - Thin AP

2 - Unmanaged Site Survey mode. See SURVEY variables.

Default: 0.

BAUD_RATE

Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.

Default: 9600.

DNS_SERVER

DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.

FAP_ETHER_TRUNK

Configure port behavior on FortiAP-U models.

0 - Dummy Switch. Default mode.

1 - Ether Hardware Bonding. Support Static Ethernet Channel Bonding on LAN1 and LAN2 ports. Only available on select FortiAP-U models.

2 - Ether 802.3ad Bonding. Support IEEE 802.3ad Link Aggregation Control Protocol (LACP) on LAN1 and LAN2 ports.

3 - Enable WAN-LAN. Supports configuration of a second WAN port as a LAN (WAN-LAN mode configuration).

FIPS_CC

Enable Federal Information Processing Standards (FIPS) mode on FortiAP models.

1 - Enable FIPS mode.

To disable FIPS mode, factory reset the FortiAP.

Note: FAP-431F and FAP-433F do not support FIPS mode.

FIRMWARE_UPGRADE

Default: 0.

LED_STATE

Enable/disable status LEDs.

0 - LEDs enabled

1 - LEDs disabled

2 - follow AC setting

LOGIN_PASSWD

Administrator login password. By default this is empty.

STP_MODE

Spanning Tree Protocol.

0 - off

1 - on

TPM

Wi-Fi 6E Models only: Enable Trusted Platform Module (TPM).

1 - Enable TPM

0 - Disable TPM

Default: 0.

WANLAN_MODE

Configure port behavior on FortiAP, FortiAP-S, and FortiAP-W2 models.

WAN-ONLY - Default mode

WAN-LAN - Bridges the LAN port to the incoming WAN interface

AGGREGATE - Enables link aggregation

WTP_LOCATION

Optional string describing AP location.

Mesh variables

MESH_AP_BGSCAN

Enable or disable background mesh root AP scan.

0 - Disabled

1 - Enabled

MESH_AP_BGSCAN_RSSI

If the signal of the root AP is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver immediately starts a new round scan and ignores the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0 and 127.

After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.

MESH_AP_BGSCAN_PERIOD

Delay between scans, in seconds. Set the value between 1 and 3600.

MESH_AP_BGSCAN_IDLE

Time in milliseconds. Set the value between 0 and 1000.

MESH_AP_BGSCAN_INTV

Time in milliseconds between channel scans. Set the value between 200 and 16000.

MESH_AP_BGSCAN_DUR

Time in milliseconds that the radio will continue scanning the channel. Set the value between 10 and 200.

MESH_AP_BSSID

WiFi MAC address.

MESH_AP_PASSWD

Pre-shared key for mesh backhaul.

MESH_AP_SCANCHANLIST

Specify those channels to be scanned.

MESH_AP_SECURITY

Configure the security mode of a mesh-backhaul SSID.

0 - Open

1 - WPA/WPA2-Personal

2 - WPA3-SAE

Default: 0.

MESH_AP_SSID

SSID for mesh backhaul.

Default: fortinet.mesh.root.

MESH_AP_TYPE

Type of communication for backhaul to controller:

0 - Ethernet

1 - WiFi mesh

2 - Ethernet with mesh backup support

Default: 0.

MESH_ETH_BRIDGE

1 - Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE=1.

0 - No WiFi-Ethernet bridge

Default: 0.

MESH_MAX_HOPS

Maximum number of times packets can be passed from node to node on the mesh.

Default: 4.

The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.

MESH_SCORE_HOP_WEIGHT

Multiplier for number of mesh hops from root. Default: 50.

MESH_SCORE_CHAN_WEIGHT

AP total RSSI multiplier. Default: 1.

MESH_SCORE_RATE_WEIGHT

Beacon data rate multiplier. Default: 1.

MESH_SCORE_BAND_WEIGHT

Band weight (0 for 2.4 GHz, 1 for 5 GHz) multiplier. Default: 100.

MESH_SCORE_RSSI_WEIGHT

AP channel RSSI multiplier. Default: 100.

Survey variables

SURVEY_SSID

SSID to broadcast in site survey mode (AP_MODE=2).

SURVEY_TX_POWER

Transmitter power in site survey mode (AP_MODE=2).

SURVEY_TX_POWER_24

2.4 GHz transmitter power used for site survey SSID in dBm. Default=30.

SURVEY_TX_POWER_50

5 GHz transmitter power used for site survey SSID in dBm. Default=30.

SURVEY_TX_POWER_60

6 GHz transmitter power used for site survey SSID in dBm. Default=30.

SURVEY_BEACON_INTV

Site survey beacon interval in seconds. Default: 100 ms.

SURVEY_CH_24

Site survey transmit channel for the 2.4 GHz band. Default: 6.

SURVEY_CH_50

Site survey transmit channel for the 5 GHz band. Default: 36.

SURVEY_CH_60

Site survey transmit channel for the 6 GHz band. Default: 36.

SURVEY_CW_24

2.4 GHz channel-bonding bandwidth for site survey SSID.

0 - 20MHz

1 - 40MHz

Default=0

SURVEY_CW_50

5 GHz channel-bonding bandwidth for site survey SSID.

0 - 20MHz

1 - 40MHz

2 - 80MHz

3 - 160MHz

Default=0

SURVEY_CW_60

6 GHz channel-bonding bandwidth for site survey SSID.

0 - 20MHz

1 - 40MHz

2 - 80MHz

3 - 160MHz

Default=0
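The security-relevant variables above (LOGIN_PASSWD, AC_DATA_CHAN_SEC, ALLOW_SSH, ALLOW_HTTPS and the MESH_AP_* settings) can be checked offline against a saved variable export. The following is an added example, not Fortinet code: it assumes the export is saved as one NAME=value (or NAME:=value) line per variable and that AC_DATA_CHAN_SEC may hold a comma-separated list, neither of which this page specifies; the function names are hypothetical.

```python
import re

# Defaults taken from the variable table on this page; applied when a
# variable is absent from the export.
DEFAULTS = {"ALLOW_HTTPS": "2", "ALLOW_SSH": "2", "LOGIN_PASSWD": "",
            "MESH_AP_TYPE": "0", "MESH_AP_SECURITY": "0", "MESH_AP_PASSWD": ""}

# Assumed export line format: NAME=value or NAME:=value.
LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:?=\s*(.*?)\s*$")


def parse_export(text):
    """Parse variable lines into a dict; skip blanks, comments and junk."""
    variables = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            variables[match.group(1)] = match.group(2).strip("'\"")
    return variables


def audit(variables):
    """Return (variable, message) findings for weak settings."""
    cfg = {**DEFAULTS, **variables}
    findings = []
    if cfg["LOGIN_PASSWD"] == "":
        findings.append(("LOGIN_PASSWD", "administrator password is empty"))
    # AC_DATA_CHAN_SEC has no documented default, so only judge it if present.
    policies = re.split(r"[\s,]+", cfg.get("AC_DATA_CHAN_SEC", "").lower())
    if "clear" in policies:
        findings.append(("AC_DATA_CHAN_SEC", "clear-text data channel is permitted"))
    for name in ("ALLOW_SSH", "ALLOW_HTTPS"):
        if cfg[name] == "1":
            findings.append((name, "forced on locally instead of controlled by AC (2)"))
    # Mesh backhaul is in use for MESH_AP_TYPE 1 (WiFi mesh) or 2 (mesh backup).
    if cfg["MESH_AP_TYPE"] in ("1", "2"):
        if cfg["MESH_AP_SECURITY"] == "0":
            findings.append(("MESH_AP_SECURITY", "mesh backhaul SSID is open"))
        elif cfg["MESH_AP_PASSWD"] == "":
            findings.append(("MESH_AP_PASSWD", "mesh security set but no pre-shared key"))
    return findings


# Constructed sample export (not captured from a device).
SAMPLE_EXPORT = """\
# constructed sample
AC_DATA_CHAN_SEC=clear,dtls
ALLOW_SSH:=1
ALLOW_HTTPS=2
MESH_AP_TYPE=1
MESH_AP_SSID=fortinet.mesh.root
"""

if __name__ == "__main__":
    for var, msg in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{var}: {msg}")
```
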

Diagnostics commands

Command

Description

fap-tech

Shows a consolidated log command output for debugging purposes.

cw_diag admin-timeout [30]

Set the shell idle timeout in minutes.

cw_diag baudrate [9600 | 19200 | 38400 | 57600 | 115200]

Set the console baud rate.

cw_diag debug ping_ac

Enable AC IP ping check and set the ping interval (disabled by default).

cw_diag help

Display help for all diagnostics commands.

cw_diag plain-ctl [0|1]

Show or change the current plain control setting.

cw_diag sniff [0|1|2]

Enable or disable the sniff packet.

cw_diag sniff-cfg ip port

Set the sniff server IP and port.

cw_diag stats wl_intf

Show the wl_intf status.

cw_diag uptime

Show daemon uptime.

cw_diag wlanfw-dump <TFTP server IP>

Upload Target Assert logs to a specified TFTP server.

cw_diag -c acs-chan-stats

Check the real-time status of CAPWAP connections to the AP controllers (AC).

cw_diag -c ap-scan

Show scanned APs.

cw_diag -c ap-suppress

Show suppressed APs.

cw_diag -c arp-req

Show scanned ARP requests.

cw_diag -c atf

Show Air Time Fairness information at the FortiAP level.

cw_diag -c ble-scan

Show scanned Bluetooth Low Energy (BLE) devices that are reported to FortiPresence.

cw_diag -c bonjour

Show the current Bonjour gateway configuration in the control plane.

cw_diag -c darrp

Show the DARRP radio channel.

cw_diag -c fortipresence

Show FortiPresence statistics including reported BLE devices.

cw_diag -c k-lan-host

Display wired client information for clients connected to LAN2 of the FortiAP.

cw_diag -c k-qos wlan00

Verify that the vmn-dscp-marking values are pushed to FortiAP.

cw_diag -c mesh

Show the mesh status.

cw_diag -c mesh-ap

Show the mesh AP candidates.

cw_diag -c mesh-veth-acinfo

Show the mesh veth ac info, and mesh ether type.

cw_diag -c mesh-veth-host

Show the mesh veth host.

cw_diag -c mesh-veth-vap

Show the mesh veth vap.

cw_diag -c radio-cfg

Show the current radio config parameters in the control plane.

cw_diag -c scan-clr-all

Flush all scanned AP/STA/ARPs.

cw_diag -c snmp

Show configuration details for SNMP support.

cw_diag -c sta-cap

Show scanned STA capabilities.

cw_diag -c sta-deauth

De-authenticate an STA.

cw_diag -c sta-scan

Show scanned STAs.

cw_diag -c temperature

Show operating temperature of the FortiAP CPU.

cw_diag -c vap-cfg

Show the current VAPs in the control plane.

cw_diag -c vlan-probe-cmd <action> <interface ID> <start Vlan ID> <end Vlan ID> <retry> <timeout>

Start the VLAN probe.

"Action" value list:

  • 0 - start
  • 1 - stop

Example command: cw_diag -c vlan-probe-cmd 0 eth0 2 300 3 10

Example output: VLAN probing: start intf [eth0] vlan range[2,300] retries[3] timeout[10] ...

cw_diag -c vlan-probe-rpt

Show the VLAN probe report.

cw_diag -c wids

Show scanned WIDS detections.

cw_diag -c wtp-cfg

Show the current wtp config parameters in the control plane.

cw_diag --clog <on|off>

Turn console log messages on or off.
