List variables for most popular settings and also the ones that are not using default values.

Add or change a variable value.

Commit the change to flash.

Reset settings to factory defaults.

Remove variable.

Export variables.

WiFi Controller control (CAPWAP) port.

Default: 5246.

Supported data channel security policies.

clear - Clear text

dtls - DTLS (encrypted)

ipsec - IPsec VPN

ipsec-sn - IPsec VPN that includes the FortiAP serial number.

0 - Auto - Cycle through all of the discovery types until successful.

1 - Static. Specify WiFi Controllers

2 - DHCP

3 - DNS

5 - Broadcast

6 - Multicast

7- FortiCloud

WiFi Controller host names for static discovery.

WiFi Controller IP addresses for static discovery.

Option code for DHCP server.

Default: 138.

Multicast address for controller discovery.

Default: 224.0.1.140.

How the FortiAP unit obtains its IP address and netmask.

DHCP - FortiGate interface assigns address.

STATIC - Specify in AP_IPADDR and AP_NETMASK.

Default: DHCP.

Administrative timeout in minutes. Applies to GUI sessions.

Default: 5 minutes.

These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.

Default for AP_IPADDR: 192.168.1.2 .

Default for AP_NETMASK: 255.255.255.0.

Default for IPGW: 192.168.1.1.

0 - https disable

1 - https enable

2 - controlled by AC

Default: 2.

0 - SSH disable

1 - SSH enable

2 - controlled by AC

Default: 2.

Non-zero value applies VLAN ID for unit management. See Reserved VLAN IDs.

Default: 0.

FortiAP operating mode.

0 - Thin AP
2 - Unmanaged Site Survey mode. See SURVEY variables.

Default: 0.

Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.

Default: 9600.

DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.

Configure port behavior on FortiAP-U models.

0 - Dummy Switch. Default mode.

1 - Ether Hardware Bonding. Support Static Ethernet Channel Bonding on LAN1 and LAN2 ports. Only available on select FortiAP-U models.

2 - Ether 802.3ad Bonding. Support IEEE 802.3ad Link Aggregation Control Protocol (LACP) on LAN1 and LAN2 ports.

3 - Enable WAN-LAN. Supports configuration of a second WAN port as a LAN (WAN-LAN mode configuration).

Enable Federal Information Processing Standards (FIPS) mode on FortiAP models.

1 - Enable FIPS mode.

To disable FIPS mode, factory reset the FortiAP.

Note: FAP-431F and FAP-433F do not support FIPS mode.

Default: 0.

Enable/disable status LEDs.
0 - LEDs enabled

1 - LEDs disabled

2 - follow AC setting

Administrator login password. By default this is empty.

Spanning Tree Protocol.

0 - off

1 - on

Wi-Fi 6E Models only: Enable Trusted Platform Module (TPM).

1 - Enable TPM

0 - Disable TPM

Default : 0.

Configure port behavior on FortiAP, FortiAP-S, and FortiAP-W2 models.

WAN-ONLY - Default mode

WAN-LAN - Bridges the LAN port to the incoming WAN interface

AGGREGATE - Enables link aggregation

Enable or Disable WAN port 802.1x supplicant:

• 0: Disabled
• 1: Enabled

The default setting is 0.

WAN port 802.1x supplicant user ID.

WAN port 802.1x supplicant password.

Can only be configured when WAN_1X_ENABLE = 1

Enable or Disable MACsec locally:

• 0: Disabled
• 1: Enabled

The default setting is 0.

Select an EAP method for the WAN port 802.1x supplicant:

• 0: EAP-ALL
• 1: EAP-FAST
• 2: EAP-TLS
• 3: EAP-PEAP

The default setting is 0.

Optional string describing AP location.

Mesh variables

Enable or disable background mesh root AP scan.

0 - Disabled

1 - Enabled

If the signal of the root AP is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver immediately starts a new round scan and ignores the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0 and 127.

After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.

Time in seconds that a delay period occurs between scans. Set the value between 1 and 3600.

Time in milliseconds. Set the value between 0 and 1000.

Time in milliseconds between channel scans. Set the value between 200 and 16000.

Time in milliseconds that the radio will continue scanning the channel. Set the value between 10 and 200.

WiFi MAC address.

Pre-shared key for mesh backhaul.

Specify those channels to be scanned.

Configure the security mode of a mesh-backhaul SSID.

0 - Open

1 - WPA/WPA2-Personal

2 - WPA3-SAE

Default: 0.

SSID for mesh backhaul.

Default: fortinet.mesh.root.

Type of communication for backhaul to controller:

0 - Ethernet

1 - WiFi mesh

2 - Ethernet with mesh backup support

Default: 0.

1 - Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1.

0 - No WiFi-Ethernet bridge

Default: 0.

Maximum number of times packets can be passed from node to node on the mesh.

Default: 4.

The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.

Multiplier for number of mesh hops from root. Default: 50.

AP total RSSI multiplier. Default: 1.

Beacon data rate multiplier. Default: 1.

Band weight (0 for 2.4 GHz, 1 for 5 GHz) multiplier. Default: 100.

AP channel RSSI multiplier. Default: 100.

Survey variables

SSID to broadcast in site survey mode (AP_MODE=2).

Transmitter power in site survey mode (AP_MODE=2).

2.4 GHz transmitter power used for site survey SSID in dBm. Default=30.

5 GHz transmitter power used for site survey SSID in dBm. Default=30.

6 GHz transmitter power used for site survey SSID in dBm. Default=30.

Site survey beacon interval in seconds. Default: 100 ms.

Site survey transmit channel for the 2.4 GHz band. Default: 6.

Site survey transmit channel for the 5 GHz band. Default: 36.

Site survey transmit channel for the 6 GHz band. Default: 36.

2.4 GHz channel-bonding bandwidth for site survey SSID.

0 - 20MHz

1 - 40MHz

Default=0

5 GHz channel-bonding bandwidth for site survey SSID.

0 - 20MHz

1 - 40MHz

2 - 80MHz

3 - 160MHz

Default=0

Shows a consolidated log command output for debugging purposes.

Set the shell idle timeout in minutes.

Set the console baud rate.

Enable AC IP ping check and set the ping interval (disabled by default).

Display help for all diagnostics commands.

Show or change the current plain control setting.

Enable or disable the sniff packet.

Set the sniff server IP and port.

Show the wl_intf status.

Show daemon uptime.

Upload Target Assert logs to a specified TFTP server.

Check the real-time status of CAPWAP connections to the AP controllers (AC).

Show scanned APs.

Show suppressed APs.

Show scanned arp requests.

Show Air Time Fairness information at the FortiAP level.

Show scanned Bluetooth Low Energy (BLE) devices that are reported to FortiPresence.

Show the current Bonjour gateway configuration in the control plane.

Show the DARRP radio channel.

Show FortiPresence statistics including reported BLE devices.

Display wired client information for clients connected to LAN2 of the FortiAP

Verify that the vmn-dscp-marking values are pushed to FortiAP.

Show the mesh status.

Show the mesh ap candidates.

Show the mesh veth ac info, and mesh ether type.

Show the mesh veth host.

Show the mesh veth vap.

Show the current radio config parameters in the control plane.

Flush all scanned AP/STA/ARPs.

Show configuration details for SNMP support.

Show scanned STA capabilities.

De-authenticate an STA.

Show scanned STAs.

Show operating temperature of the FortiAP CPU.

Show the current VAPs in the control plane.

Start the VLAN probe.

"Action" value list:

• 0 - start
• 1 - stop

Example command: cw_diag -c vlan-probe-cmd 0 eth0 2 300 3 10

Example output: VLAN probing: start intf [eth0] vlan range[2,300] retries[3] timeout[10] ...

Show the VLAN probe report.

Show WAN 802.1x supplicant configuration.

• get-ca-cert

• get-client-cert

• get-private-key

cw_diag -c wan1x [show-ca-cert|show-client-cert|del-all|del-ca-cert|del-client-cert|del-private-key|[<get-ca-cert|get-client-cert|get-private-key> <TFTP server IP> <file name>]]

Show scanned WIDS detections.

Show the current wtp config parameters in the control plane.