wireless-controller wtp
Use this command to configure various wireless transaction protocol (WTP) settings, inlcuding VAP override options and physical APs for management by the wireless controller, also known as an Access Controller (AC). Note: Radio 2 settings are only available for FortiAP models with dual radios.
config wireless-controller wtp edit {wtp-id} # Configure Wireless Termination Points (WTPs), that is, FortiAPs or APs to be managed by FortiGate. set wtp-id {string} WTP ID. size[35] set index {integer} Index (0 - 4294967295). range[0-4294967295] set admin {discovered | disable | enable} Configure how the FortiGate operating as a wireless controller discovers and manages this WTP, AP or FortiAP. set name {string} WTP, AP or FortiAP configuration name. size[35] set location {string} Field for describing the physical location of the WTP, AP or FortiAP. size[35] set wtp-profile {string} WTP profile name to apply to this WTP, AP or FortiAP. size[35] - datasource(s): wireless-controller.wtp-profile.name set wtp-mode {normal | remote} WTP, AP, or FortiAP operating mode; normal (by default) or remote. A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode. normal Normal WTP, AP, or FortiAP. remote Remote WTP, AP, or FortiAP. set bonjour-profile {string} Bonjour profile name. size[35] - datasource(s): wireless-controller.bonjour-profile.name set override-led-state {enable | disable} Enable to override the profile LED state setting for this FortiAP. You must enable this option to use the led-state command to turn off the FortiAP's LEDs. set led-state {enable | disable} Enable to allow the FortiAPs LEDs to light. Disable to keep the LEDs off. You may want to keep the LEDs off so they are not distracting in low light areas etc. set override-wan-port-mode {enable | disable} Enable/disable overriding the wan-port-mode in the WTP profile. set wan-port-mode {wan-lan | wan-only} Enable/disable using the FortiAP WAN port as a LAN port. wan-lan Use the FortiAP WAN port as a LAN port. wan-only Do not use the WAN port as a LAN port. set override-ip-fragment {enable | disable} Enable/disable overriding the WTP profile IP fragment prevention setting. set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable} Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets (default = tcp-mss-adjust). tcp-mss-adjust TCP maximum segment size adjustment. icmp-unreachable Drop packet and send ICMP Destination Unreachable set tun-mtu-uplink {integer} Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). Set the value to either 0 (by default), 576, or 1500. range[576-1500] set tun-mtu-downlink {integer} Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500. range[576-1500] set override-split-tunnel {enable | disable} Enable/disable overriding the WTP profile split tunneling setting. set split-tunneling-acl-path {tunnel | local} Split tunneling ACL path is local/tunnel. tunnel Split tunneling ACL list traffic will be tunnel. local Split tunneling ACL list traffic will be local NATed. set split-tunneling-acl-local-ap-subnet {enable | disable} Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable). config split-tunneling-acl edit {id} # Split tunneling ACL filter list. set id {integer} ID. range[0-4294967295] set dest-ip {ipv4 classnet} Destination IP and mask for the split-tunneling subnet. next set override-lan {enable | disable} Enable to override the WTP profile LAN port setting. config lan set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port-ssid {string} Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 1 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port1-ssid {string} Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 2 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port2-ssid {string} Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 3 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port3-ssid {string} Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 4 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port4-ssid {string} Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 5 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port5-ssid {string} Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 6 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port6-ssid {string} Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 7 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port7-ssid {string} Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 8 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port8-ssid {string} Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name set override-allowaccess {enable | disable} Enable to override the WTP profile management access configuration. set allowaccess {telnet | http | https | ssh} Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space. telnet TELNET access. http HTTP access. https HTTPS access. ssh SSH access. set override-login-passwd-change {enable | disable} Enable to override the WTP profile login-password (administrator password) setting. set login-passwd-change {yes | default | no} Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no). yes Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password. default Keep the managed WTP, FortiAP or AP's administrator password set to the factory default. no Do not change the managed WTP, FortiAP or AP's administrator password. set login-passwd {password_string} Set the managed WTP, FortiAP, or AP's administrator password. size[31] config radio-1 set radio-id {integer} radio-id range[0-2] set override-band {enable | disable} Enable to override the WTP profile band setting. set band {option} WiFi band that Radio 1 operates on. 802.11a 802.11a. 802.11b 802.11b. 802.11g 802.11g/b. 802.11n 802.11n/g/b radio at 2.4GHz band. 802.11n-5G 802.11n/a at 5GHz. 802.11n,g-only 802.11n/g at 2.4GHz. 802.11g-only 802.11g. 802.11n-only 802.11n at 2.4GHz. 802.11n-5G-only 802.11n at 5GHz. 802.11ac 802.11ac/n/a radio. 802.11ac,n-only 802.11ac/n. 802.11ac-only 802.11ac. set override-analysis {enable | disable} Enable to override the WTP profile spectrum analysis configuration. set spectrum-analysis {enable | disable} Enable/disable spectrum analysis to find interference that would negatively impact wireless performance. set override-txpower {enable | disable} Enable to override the WTP profile power level configuration. set auto-power-level {enable | disable} Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable). set auto-power-high {integer} Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295] set auto-power-low {integer} Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set power-level {integer} Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100] set override-vaps {enable | disable} Enable to override WTP profile Virtual Access Point (VAP) settings. set vap-all {enable | disable} Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable). config vaps edit {name} # Manually selected list of Virtual Access Points (VAPs). set name {string} Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name next set override-channel {enable | disable} Enable to override WTP profile channel settings. config channel edit {chan} # Selected list of wireless radio channels. set chan {string} Channel number. size[3] next config radio-2 set radio-id {integer} radio-id range[0-2] set override-band {enable | disable} Enable to override the WTP profile band setting. set band {option} WiFi band that Radio 1 operates on. 802.11a 802.11a. 802.11b 802.11b. 802.11g 802.11g/b. 802.11n 802.11n/g/b radio at 2.4GHz band. 802.11n-5G 802.11n/a at 5GHz. 802.11n,g-only 802.11n/g at 2.4GHz. 802.11g-only 802.11g. 802.11n-only 802.11n at 2.4GHz. 802.11n-5G-only 802.11n at 5GHz. 802.11ac 802.11ac/n/a radio. 802.11ac,n-only 802.11ac/n. 802.11ac-only 802.11ac. set override-analysis {enable | disable} Enable to override the WTP profile spectrum analysis configuration. set spectrum-analysis {enable | disable} Enable/disable spectrum analysis to find interference that would negatively impact wireless performance. set override-txpower {enable | disable} Enable to override the WTP profile power level configuration. set auto-power-level {enable | disable} Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable). set auto-power-high {integer} Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295] set auto-power-low {integer} Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set power-level {integer} Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100] set override-vaps {enable | disable} Enable to override WTP profile Virtual Access Point (VAP) settings. set vap-all {enable | disable} Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable). config vaps edit {name} # Manually selected list of Virtual Access Points (VAPs). set name {string} Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name next set override-channel {enable | disable} Enable to override WTP profile channel settings. config channel edit {chan} # Selected list of wireless radio channels. set chan {string} Channel number. size[3] next set image-download {enable | disable} Enable/disable WTP image download. set mesh-bridge-enable {default | enable | disable} Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. set coordinate-enable {enable | disable} Enable/disable WTP coordinates (X,Y axis). set coordinate-x {string} X axis coordinate. size[15] set coordinate-y {string} Y axis coordinate. size[15] set coordinate-latitude {string} WTP latitude coordinate. size[19] set coordinate-longitude {string} WTP longitude coordinate. size[19] next end
Additional information
The following section is for those options that require additional explanation.
config {radio-1 | radio-2}
A configuration method to set various override options for Radio 1 and/or Radio 2.
override-band {enable | disable}
Enable or disable (by default) the override of a specific AP-mode radio band. When enabled, use the band
entry to configure the band.
band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}
Note: This entry is only available when override-band
is set to enable
.
Band of AP-mode radio. Note that this entry becomes available at the same time as channel
does. In order to set the band, channel
must be empty. To do this, enter unset channel
. The channel may then be set after the band.
override-txpower {enable | disable}
Enable or disable (by default) the override of transmission power. When enabled, use the auto-power-level
and power-level
entries to to configure further power level options.
auto-power-level {enable | disable}
Note: This entry is only available when override-txpower
is set to enable
.
Enable or disable (by default) automatic transmission power adjustment. When enabled, use the auto-power-high
and auto-power-low
entries to configure the high and low limitations. When disabled, use the power-level
entry to configure the power level percentage.
auto-power-high <dBm>
Note: This entry is only available when override-txpower
is set to enable
and auto-power-level
is then set to enable
.
Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17
.
auto-power-low <dBm>
Note: This entry is only available when override-txpower
is set to enable
and auto-power-level
is then set to enable
.
Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10
.
power-level <percentage>
Note: This entry is only available when override-txpower
is set to enable
and auto-power-level
is then set to disable
.
Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100
.
The maximum power level (i.e. 100%) will set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting
.
override-vaps {enable | disable}
Enable or disable (by default) the override of VAPs. When enabled, use the vap-all
and vaps
entries to configure the VAPs carried on the physical AP.
vap-all {enable | disable}
Note: This entry is only available when override-vaps
is set to enable
.
Enable or disable (by default) the automatic inheritance of all VAPs. If disabled, you can select specific VAPs by using the vaps
entry (see below).
vaps <vaps>
Note: This entry is only available when override-vaps
is set to enable
and vap-all
is then set to disable
.
Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. Values can also be added using append
.
override-channel {enable | disable}
Enable or disable (by default) the override of channels. When enabled, use the channel
entry to enter the channels used by the AP.
channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}
Note: This entry is only available when either override-band
or override-channel
are set to enable
.
Wireless radio channels to override. Separate each value with a space to add multiple channels. Values can also be added using append
.
config split-tunneling-acl
Note: This configuration method is only available when split-tunneling-acl-local-ap-subnet
is set to enable
.
A configuration method to set various split tunneling access control list (ACL) filter lists.
dest-ip <ipv4>
IPv4 destination address to be added to the ACL filter.
config lan
Note: This configuration method is only available when override-lan
is set to enable
.
A configuration method to set WTP port mode.
port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
LAN port mode:
- offline: No port bridging (by default)
- nat-to-wan: Bridge NAT to the incoming WAN interface
- bridge-to-wan: Bridge all LAN ports to the WAN interface
- bridge-to-ssid: Bridge all LAN ports to the SSID
admin {discovered | disable | enable}
Enable (by default) or disable the AC to provide service to this WTP, or have the WTP discovered through either discovery or join request messages.
name <name>
Name for the AP.
location <location>
Location of the AP.
wtp-profile <profile>
Name of the WTP profile to apply to this AP, as created under config wireless-controller wtp-profile
.
wtp-mode {normal | remote}
AP operating mode: normal
(by default) or remote.
A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode.
override-led-state {enable | disable}
Enable or disable (by default) the override of LED state. When enabled, use the led-state
entry to enable or disable use of LEDs on WTP.
led-state {enable | disable}
Note: This entry is only available when override-led-state
is set to enable
.
Enable (by default) or disable the use of LEDs on WTP.
override-ip-fragment {enable | disable}
Enable or disable (by default) the override of IP fragmentation. When enabled, use the ip-fragment-preventing
, tun-mtu-uplink
, and tun-mtu-downlink
entries to configure IP fragmentation settings.
ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
Note: This entry is only available when override-ip-fragment
is set to enable
.
Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:
- tcp-mss-adjust: TCP maximum segment adjustment (by default).
- icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.
tun-mtu-uplink <bytes>
Note: This entry is only available when override-ip-fragment
is set to enable
.
Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest size packet or frame that can be sent in a packet.
Set the value to either 0
(by default), 576
, or 1500
.
tun-mtu-downlink <bytes>
Note: This entry is only available when override-ip-fragment
is set to enable
.
Downlink tunnel MTU in octets. Set the value to either 0
(by default), 576
, or 1500
.
override-split-tunnel {enable | disable}
Enable or disable (by default) to override split-tunneling. When enabled, use the split-tunneling-acl-local-ap-subnet
entry to enable/disable the configuration of ACL filter lists.
split-tunneling-acl-local-ap-subnet {enable | disable}
Note: This entry is only available when override-split-tunnel
is set to enable
.
Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller. When enabled, the split-tunneling-acl
configuration method will become available.
override-lan {enable | disable}
Enable or disable (by default) to override the WTP LAN port. When enabled, the lan
configuration method will become available.
override-allowaccess {enable | disable}
Enable or disable (by default) to override management-access per protocol. When enabled, use the allowaccess
entry to set the protocols permitted management-access.
allowaccess {telnet | http | https | ssh}
Note: This entry is only available when override-allowaccess
is set to enable
.
Protocols to allow management-access to managed APs: telnet
, http
, https
, and ssh
.
Separate each value with a space to add multiple protocols. Values can also be added using append
.
override-login-passwd-change {enable | disable}
Enable or disable (by default) to override the login-password of managed APs. When enabled, use the login-passwd-change
entry to determine password-change settings.
login-passwd-change {yes | default | no}
Note: This entry is only available when override-login-passwd-change
is set to enable
.
Login password options:
- yes: Change login password of the managed AP
- default: Reset login password to factory default
- no: Do not change login password (by default)
image-download {enable | disable}
Enable (by default) or disable image download of WTP to the AP. In addition, you can use the following command to import the WTP firmware file from a TFTP server:
execute wireless-controller upload-wtp-image tftp <filename> <TFTP server address>
mesh-bridge-enable {default | enable | disable}
Enable, disable, or use default (by default) mesh Ethernet bride local settings on the WTP (when the WTP is configured as a mesh branch-leaf AP).
coordinate-enable {enable | disable}
Enable or disable (by default) AP coordinates. When enabled, use the coordinate-x
and coordinate-y
entries to set the AP's X and Y axes.
coordinate-x <string>
Note: This entry is only available when coordinate-enable
is set to enable
.
X axis coordinate of the AP.
coordinate-y <string>
Note: This entry is only available when coordinate-enable
is set to enable
.
Y axis coordinate of the AP.