Fortinet black logo

CLI Reference

wireless-controller wtp

wireless-controller wtp

Use this command to configure various wireless transaction protocol (WTP) settings, inlcuding VAP override options and physical APs for management by the wireless controller, also known as an Access Controller (AC). Note: Radio 2 settings are only available for FortiAP models with dual radios.

config wireless-controller wtp
    edit {wtp-id}
    # Configure Wireless Termination Points (WTPs), that is, FortiAPs or APs to be managed by FortiGate.
        set wtp-id {string}   WTP ID. size[35]
        set index {integer}   Index (0 - 4294967295). range[0-4294967295]
        set admin {discovered | disable | enable}   Configure how the FortiGate operating as a wireless controller discovers and manages this WTP, AP or FortiAP.
        set name {string}   WTP, AP or FortiAP configuration name. size[35]
        set location {string}   Field for describing the physical location of the WTP, AP or FortiAP. size[35]
        set wtp-profile {string}   WTP profile name to apply to this WTP, AP or FortiAP. size[35] - datasource(s): wireless-controller.wtp-profile.name
        set wtp-mode {normal | remote}   WTP, AP, or FortiAP operating mode; normal (by default) or remote. A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode.
                normal  Normal WTP, AP, or FortiAP.
                remote  Remote WTP, AP, or FortiAP.
        set bonjour-profile {string}   Bonjour profile name. size[35] - datasource(s): wireless-controller.bonjour-profile.name
        set override-led-state {enable | disable}   Enable to override the profile LED state setting for this FortiAP. You must enable this option to use the led-state command to turn off the FortiAP's LEDs.
        set led-state {enable | disable}   Enable to allow the FortiAPs LEDs to light. Disable to keep the LEDs off. You may want to keep the LEDs off so they are not distracting in low light areas etc.
        set override-wan-port-mode {enable | disable}   Enable/disable overriding the wan-port-mode in the WTP profile.
        set wan-port-mode {wan-lan | wan-only}   Enable/disable using the FortiAP WAN port as a LAN port.
                wan-lan   Use the FortiAP WAN port as a LAN port.
                wan-only  Do not use the WAN port as a LAN port.
        set override-ip-fragment {enable | disable}   Enable/disable overriding the WTP profile IP fragment prevention setting.
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}   Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets (default = tcp-mss-adjust).
                tcp-mss-adjust    TCP maximum segment size adjustment.
                icmp-unreachable  Drop packet and send ICMP Destination Unreachable
        set tun-mtu-uplink {integer}   Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). Set the value to either 0 (by default), 576, or 1500. range[576-1500]
        set tun-mtu-downlink {integer}   Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500. range[576-1500]
        set override-split-tunnel {enable | disable}   Enable/disable overriding the WTP profile split tunneling setting.
        set split-tunneling-acl-path {tunnel | local}   Split tunneling ACL path is local/tunnel.
                tunnel  Split tunneling ACL list traffic will be tunnel.
                local   Split tunneling ACL list traffic will be local NATed.
        set split-tunneling-acl-local-ap-subnet {enable | disable}   Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).
        config split-tunneling-acl
            edit {id}
            # Split tunneling ACL filter list.
                set id {integer}   ID. range[0-4294967295]
                set dest-ip {ipv4 classnet}   Destination IP and mask for the split-tunneling subnet.
            next
        set override-lan {enable | disable}   Enable to override the WTP profile LAN port setting.
        config lan
            set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port-ssid {string}   Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 1 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port1-ssid {string}   Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 2 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port2-ssid {string}   Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 3 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port3-ssid {string}   Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 4 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port4-ssid {string}   Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 5 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port5-ssid {string}   Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 6 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port6-ssid {string}   Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 7 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port7-ssid {string}   Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 8 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port8-ssid {string}   Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name
        set override-allowaccess {enable | disable}   Enable to override the WTP profile management access configuration.
        set allowaccess {telnet | http | https | ssh}   Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.
                telnet  TELNET access.
                http    HTTP access.
                https   HTTPS access.
                ssh     SSH access.
        set override-login-passwd-change {enable | disable}   Enable to override the WTP profile login-password (administrator password) setting.
        set login-passwd-change {yes | default | no}   Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).
                yes      Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.
                default  Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
                no       Do not change the managed WTP, FortiAP or AP's administrator password.
        set login-passwd {password_string}   Set the managed WTP, FortiAP, or AP's administrator password. size[31]
        config radio-1
            set radio-id {integer}   radio-id range[0-2]
            set override-band {enable | disable}   Enable to override the WTP profile band setting.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b radio at 2.4GHz band.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac         802.11ac/n/a radio.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set override-analysis {enable | disable}   Enable to override the WTP profile spectrum analysis configuration.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set override-txpower {enable | disable}   Enable to override the WTP profile power level configuration.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable).
            set auto-power-high {integer}   Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set override-vaps {enable | disable}   Enable to override WTP profile Virtual Access Point (VAP) settings.
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            set override-channel {enable | disable}   Enable to override WTP profile channel settings.
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
        config radio-2
            set radio-id {integer}   radio-id range[0-2]
            set override-band {enable | disable}   Enable to override the WTP profile band setting.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b radio at 2.4GHz band.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac         802.11ac/n/a radio.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set override-analysis {enable | disable}   Enable to override the WTP profile spectrum analysis configuration.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set override-txpower {enable | disable}   Enable to override the WTP profile power level configuration.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable).
            set auto-power-high {integer}   Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set override-vaps {enable | disable}   Enable to override WTP profile Virtual Access Point (VAP) settings.
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            set override-channel {enable | disable}   Enable to override WTP profile channel settings.
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
        set image-download {enable | disable}   Enable/disable WTP image download.
        set mesh-bridge-enable {default | enable | disable}   Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP.
        set coordinate-enable {enable | disable}   Enable/disable WTP coordinates (X,Y axis).
        set coordinate-x {string}   X axis coordinate. size[15]
        set coordinate-y {string}   Y axis coordinate. size[15]
        set coordinate-latitude {string}   WTP latitude coordinate. size[19]
        set coordinate-longitude {string}   WTP longitude coordinate. size[19]
    next
end

Additional information

The following section is for those options that require additional explanation.

config {radio-1 | radio-2}

A configuration method to set various override options for Radio 1 and/or Radio 2.

override-band {enable | disable}

Enable or disable (by default) the override of a specific AP-mode radio band. When enabled, use the band entry to configure the band.

band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}

Note: This entry is only available when override-band is set to enable.

Band of AP-mode radio. Note that this entry becomes available at the same time as channel does. In order to set the band, channel must be empty. To do this, enter unset channel. The channel may then be set after the band.

override-txpower {enable | disable}

Enable or disable (by default) the override of transmission power. When enabled, use the auto-power-level and power-level entries to to configure further power level options.

auto-power-level {enable | disable}

Note: This entry is only available when override-txpower is set to enable.

Enable or disable (by default) automatic transmission power adjustment. When enabled, use the auto-power-high and auto-power-low entries to configure the high and low limitations. When disabled, use the power-level entry to configure the power level percentage.

auto-power-high <dBm>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to enable.

Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17.

auto-power-low <dBm>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to enable.

Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10.

power-level <percentage>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to disable.

Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100.

The maximum power level (i.e. 100%) will set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting.

override-vaps {enable | disable}

Enable or disable (by default) the override of VAPs. When enabled, use the vap-all and vaps entries to configure the VAPs carried on the physical AP.

vap-all {enable | disable}

Note: This entry is only available when override-vaps is set to enable.

Enable or disable (by default) the automatic inheritance of all VAPs. If disabled, you can select specific VAPs by using the vaps entry (see below).

vaps <vaps>

Note: This entry is only available when override-vaps is set to enable and vap-all is then set to disable.

Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. Values can also be added using append.

override-channel {enable | disable}

Enable or disable (by default) the override of channels. When enabled, use the channel entry to enter the channels used by the AP.

channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}

Note: This entry is only available when either override-band or override-channel are set to enable.

Wireless radio channels to override. Separate each value with a space to add multiple channels. Values can also be added using append.

config split-tunneling-acl

Note: This configuration method is only available when split-tunneling-acl-local-ap-subnet is set to enable.

A configuration method to set various split tunneling access control list (ACL) filter lists.

dest-ip <ipv4>

IPv4 destination address to be added to the ACL filter.

config lan

Note: This configuration method is only available when override-lan is set to enable.

A configuration method to set WTP port mode.

port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}

LAN port mode:

  • offline: No port bridging (by default)
  • nat-to-wan: Bridge NAT to the incoming WAN interface
  • bridge-to-wan: Bridge all LAN ports to the WAN interface
  • bridge-to-ssid: Bridge all LAN ports to the SSID

admin {discovered | disable | enable}

Enable (by default) or disable the AC to provide service to this WTP, or have the WTP discovered through either discovery or join request messages.

name <name>

Name for the AP.

location <location>

Location of the AP.

wtp-profile <profile>

Name of the WTP profile to apply to this AP, as created under config wireless-controller wtp-profile.

wtp-mode {normal | remote}

AP operating mode: normal (by default) or remote. A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode.

override-led-state {enable | disable}

Enable or disable (by default) the override of LED state. When enabled, use the led-state entry to enable or disable use of LEDs on WTP.

led-state {enable | disable}

Note: This entry is only available when override-led-state is set to enable. Enable (by default) or disable the use of LEDs on WTP.

override-ip-fragment {enable | disable}

Enable or disable (by default) the override of IP fragmentation. When enabled, use the ip-fragment-preventing, tun-mtu-uplink, and tun-mtu-downlink entries to configure IP fragmentation settings.

ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

Note: This entry is only available when override-ip-fragment is set to enable. Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:

  • tcp-mss-adjust: TCP maximum segment adjustment (by default).
  • icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.

tun-mtu-uplink <bytes>

Note: This entry is only available when override-ip-fragment is set to enable. Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest size packet or frame that can be sent in a packet. Set the value to either 0 (by default), 576, or 1500.

tun-mtu-downlink <bytes>

Note: This entry is only available when override-ip-fragment is set to enable. Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500.

override-split-tunnel {enable | disable}

Enable or disable (by default) to override split-tunneling. When enabled, use the split-tunneling-acl-local-ap-subnet entry to enable/disable the configuration of ACL filter lists.

split-tunneling-acl-local-ap-subnet {enable | disable}

Note: This entry is only available when override-split-tunnel is set to enable. Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller. When enabled, the split-tunneling-acl configuration method will become available.

override-lan {enable | disable}

Enable or disable (by default) to override the WTP LAN port. When enabled, the lan configuration method will become available.

override-allowaccess {enable | disable}

Enable or disable (by default) to override management-access per protocol. When enabled, use the allowaccess entry to set the protocols permitted management-access.

allowaccess {telnet | http | https | ssh}

Note: This entry is only available when override-allowaccess is set to enable. Protocols to allow management-access to managed APs: telnet, http, https, and ssh. Separate each value with a space to add multiple protocols. Values can also be added using append.

override-login-passwd-change {enable | disable}

Enable or disable (by default) to override the login-password of managed APs. When enabled, use the login-passwd-change entry to determine password-change settings.

login-passwd-change {yes | default | no}

Note: This entry is only available when override-login-passwd-change is set to enable. Login password options:

  • yes: Change login password of the managed AP
  • default: Reset login password to factory default
  • no: Do not change login password (by default)

image-download {enable | disable}

Enable (by default) or disable image download of WTP to the AP. In addition, you can use the following command to import the WTP firmware file from a TFTP server:

execute wireless-controller upload-wtp-image tftp <filename> <TFTP server address>

mesh-bridge-enable {default | enable | disable}

Enable, disable, or use default (by default) mesh Ethernet bride local settings on the WTP (when the WTP is configured as a mesh branch-leaf AP).

coordinate-enable {enable | disable}

Enable or disable (by default) AP coordinates. When enabled, use the coordinate-x and coordinate-y entries to set the AP's X and Y axes.

coordinate-x <string>

Note: This entry is only available when coordinate-enable is set to enable. X axis coordinate of the AP.

coordinate-y <string>

Note: This entry is only available when coordinate-enable is set to enable. Y axis coordinate of the AP.

wireless-controller wtp

Use this command to configure various wireless transaction protocol (WTP) settings, inlcuding VAP override options and physical APs for management by the wireless controller, also known as an Access Controller (AC). Note: Radio 2 settings are only available for FortiAP models with dual radios.

config wireless-controller wtp
    edit {wtp-id}
    # Configure Wireless Termination Points (WTPs), that is, FortiAPs or APs to be managed by FortiGate.
        set wtp-id {string}   WTP ID. size[35]
        set index {integer}   Index (0 - 4294967295). range[0-4294967295]
        set admin {discovered | disable | enable}   Configure how the FortiGate operating as a wireless controller discovers and manages this WTP, AP or FortiAP.
        set name {string}   WTP, AP or FortiAP configuration name. size[35]
        set location {string}   Field for describing the physical location of the WTP, AP or FortiAP. size[35]
        set wtp-profile {string}   WTP profile name to apply to this WTP, AP or FortiAP. size[35] - datasource(s): wireless-controller.wtp-profile.name
        set wtp-mode {normal | remote}   WTP, AP, or FortiAP operating mode; normal (by default) or remote. A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode.
                normal  Normal WTP, AP, or FortiAP.
                remote  Remote WTP, AP, or FortiAP.
        set bonjour-profile {string}   Bonjour profile name. size[35] - datasource(s): wireless-controller.bonjour-profile.name
        set override-led-state {enable | disable}   Enable to override the profile LED state setting for this FortiAP. You must enable this option to use the led-state command to turn off the FortiAP's LEDs.
        set led-state {enable | disable}   Enable to allow the FortiAPs LEDs to light. Disable to keep the LEDs off. You may want to keep the LEDs off so they are not distracting in low light areas etc.
        set override-wan-port-mode {enable | disable}   Enable/disable overriding the wan-port-mode in the WTP profile.
        set wan-port-mode {wan-lan | wan-only}   Enable/disable using the FortiAP WAN port as a LAN port.
                wan-lan   Use the FortiAP WAN port as a LAN port.
                wan-only  Do not use the WAN port as a LAN port.
        set override-ip-fragment {enable | disable}   Enable/disable overriding the WTP profile IP fragment prevention setting.
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}   Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets (default = tcp-mss-adjust).
                tcp-mss-adjust    TCP maximum segment size adjustment.
                icmp-unreachable  Drop packet and send ICMP Destination Unreachable
        set tun-mtu-uplink {integer}   Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). Set the value to either 0 (by default), 576, or 1500. range[576-1500]
        set tun-mtu-downlink {integer}   Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500. range[576-1500]
        set override-split-tunnel {enable | disable}   Enable/disable overriding the WTP profile split tunneling setting.
        set split-tunneling-acl-path {tunnel | local}   Split tunneling ACL path is local/tunnel.
                tunnel  Split tunneling ACL list traffic will be tunnel.
                local   Split tunneling ACL list traffic will be local NATed.
        set split-tunneling-acl-local-ap-subnet {enable | disable}   Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).
        config split-tunneling-acl
            edit {id}
            # Split tunneling ACL filter list.
                set id {integer}   ID. range[0-4294967295]
                set dest-ip {ipv4 classnet}   Destination IP and mask for the split-tunneling subnet.
            next
        set override-lan {enable | disable}   Enable to override the WTP profile LAN port setting.
        config lan
            set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port-ssid {string}   Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 1 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port1-ssid {string}   Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 2 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port2-ssid {string}   Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 3 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port3-ssid {string}   Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 4 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port4-ssid {string}   Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 5 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port5-ssid {string}   Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 6 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port6-ssid {string}   Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 7 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port7-ssid {string}   Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 8 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port8-ssid {string}   Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name
        set override-allowaccess {enable | disable}   Enable to override the WTP profile management access configuration.
        set allowaccess {telnet | http | https | ssh}   Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.
                telnet  TELNET access.
                http    HTTP access.
                https   HTTPS access.
                ssh     SSH access.
        set override-login-passwd-change {enable | disable}   Enable to override the WTP profile login-password (administrator password) setting.
        set login-passwd-change {yes | default | no}   Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).
                yes      Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.
                default  Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
                no       Do not change the managed WTP, FortiAP or AP's administrator password.
        set login-passwd {password_string}   Set the managed WTP, FortiAP, or AP's administrator password. size[31]
        config radio-1
            set radio-id {integer}   radio-id range[0-2]
            set override-band {enable | disable}   Enable to override the WTP profile band setting.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b radio at 2.4GHz band.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac         802.11ac/n/a radio.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set override-analysis {enable | disable}   Enable to override the WTP profile spectrum analysis configuration.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set override-txpower {enable | disable}   Enable to override the WTP profile power level configuration.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable).
            set auto-power-high {integer}   Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set override-vaps {enable | disable}   Enable to override WTP profile Virtual Access Point (VAP) settings.
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            set override-channel {enable | disable}   Enable to override WTP profile channel settings.
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
        config radio-2
            set radio-id {integer}   radio-id range[0-2]
            set override-band {enable | disable}   Enable to override the WTP profile band setting.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b radio at 2.4GHz band.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac         802.11ac/n/a radio.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set override-analysis {enable | disable}   Enable to override the WTP profile spectrum analysis configuration.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set override-txpower {enable | disable}   Enable to override the WTP profile power level configuration.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = enable).
            set auto-power-high {integer}   Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm (10 - 17 dBm, default = 17). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set override-vaps {enable | disable}   Enable to override WTP profile Virtual Access Point (VAP) settings.
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            set override-channel {enable | disable}   Enable to override WTP profile channel settings.
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
        set image-download {enable | disable}   Enable/disable WTP image download.
        set mesh-bridge-enable {default | enable | disable}   Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP.
        set coordinate-enable {enable | disable}   Enable/disable WTP coordinates (X,Y axis).
        set coordinate-x {string}   X axis coordinate. size[15]
        set coordinate-y {string}   Y axis coordinate. size[15]
        set coordinate-latitude {string}   WTP latitude coordinate. size[19]
        set coordinate-longitude {string}   WTP longitude coordinate. size[19]
    next
end

Additional information

The following section is for those options that require additional explanation.

config {radio-1 | radio-2}

A configuration method to set various override options for Radio 1 and/or Radio 2.

override-band {enable | disable}

Enable or disable (by default) the override of a specific AP-mode radio band. When enabled, use the band entry to configure the band.

band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}

Note: This entry is only available when override-band is set to enable.

Band of AP-mode radio. Note that this entry becomes available at the same time as channel does. In order to set the band, channel must be empty. To do this, enter unset channel. The channel may then be set after the band.

override-txpower {enable | disable}

Enable or disable (by default) the override of transmission power. When enabled, use the auto-power-level and power-level entries to to configure further power level options.

auto-power-level {enable | disable}

Note: This entry is only available when override-txpower is set to enable.

Enable or disable (by default) automatic transmission power adjustment. When enabled, use the auto-power-high and auto-power-low entries to configure the high and low limitations. When disabled, use the power-level entry to configure the power level percentage.

auto-power-high <dBm>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to enable.

Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17.

auto-power-low <dBm>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to enable.

Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10.

power-level <percentage>

Note: This entry is only available when override-txpower is set to enable and auto-power-level is then set to disable.

Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100.

The maximum power level (i.e. 100%) will set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting.

override-vaps {enable | disable}

Enable or disable (by default) the override of VAPs. When enabled, use the vap-all and vaps entries to configure the VAPs carried on the physical AP.

vap-all {enable | disable}

Note: This entry is only available when override-vaps is set to enable.

Enable or disable (by default) the automatic inheritance of all VAPs. If disabled, you can select specific VAPs by using the vaps entry (see below).

vaps <vaps>

Note: This entry is only available when override-vaps is set to enable and vap-all is then set to disable.

Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. Values can also be added using append.

override-channel {enable | disable}

Enable or disable (by default) the override of channels. When enabled, use the channel entry to enter the channels used by the AP.

channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}

Note: This entry is only available when either override-band or override-channel are set to enable.

Wireless radio channels to override. Separate each value with a space to add multiple channels. Values can also be added using append.

config split-tunneling-acl

Note: This configuration method is only available when split-tunneling-acl-local-ap-subnet is set to enable.

A configuration method to set various split tunneling access control list (ACL) filter lists.

dest-ip <ipv4>

IPv4 destination address to be added to the ACL filter.

config lan

Note: This configuration method is only available when override-lan is set to enable.

A configuration method to set WTP port mode.

port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}

LAN port mode:

  • offline: No port bridging (by default)
  • nat-to-wan: Bridge NAT to the incoming WAN interface
  • bridge-to-wan: Bridge all LAN ports to the WAN interface
  • bridge-to-ssid: Bridge all LAN ports to the SSID

admin {discovered | disable | enable}

Enable (by default) or disable the AC to provide service to this WTP, or have the WTP discovered through either discovery or join request messages.

name <name>

Name for the AP.

location <location>

Location of the AP.

wtp-profile <profile>

Name of the WTP profile to apply to this AP, as created under config wireless-controller wtp-profile.

wtp-mode {normal | remote}

AP operating mode: normal (by default) or remote. A tunnel mode SSID can be assigned to an AP in normal mode but not remote mode, while a local-bridge mode SSID can be assigned to an AP in either normal mode or remote mode.

override-led-state {enable | disable}

Enable or disable (by default) the override of LED state. When enabled, use the led-state entry to enable or disable use of LEDs on WTP.

led-state {enable | disable}

Note: This entry is only available when override-led-state is set to enable. Enable (by default) or disable the use of LEDs on WTP.

override-ip-fragment {enable | disable}

Enable or disable (by default) the override of IP fragmentation. When enabled, use the ip-fragment-preventing, tun-mtu-uplink, and tun-mtu-downlink entries to configure IP fragmentation settings.

ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

Note: This entry is only available when override-ip-fragment is set to enable. Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:

  • tcp-mss-adjust: TCP maximum segment adjustment (by default).
  • icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.

tun-mtu-uplink <bytes>

Note: This entry is only available when override-ip-fragment is set to enable. Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest size packet or frame that can be sent in a packet. Set the value to either 0 (by default), 576, or 1500.

tun-mtu-downlink <bytes>

Note: This entry is only available when override-ip-fragment is set to enable. Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500.

override-split-tunnel {enable | disable}

Enable or disable (by default) to override split-tunneling. When enabled, use the split-tunneling-acl-local-ap-subnet entry to enable/disable the configuration of ACL filter lists.

split-tunneling-acl-local-ap-subnet {enable | disable}

Note: This entry is only available when override-split-tunnel is set to enable. Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller. When enabled, the split-tunneling-acl configuration method will become available.

override-lan {enable | disable}

Enable or disable (by default) to override the WTP LAN port. When enabled, the lan configuration method will become available.

override-allowaccess {enable | disable}

Enable or disable (by default) to override management-access per protocol. When enabled, use the allowaccess entry to set the protocols permitted management-access.

allowaccess {telnet | http | https | ssh}

Note: This entry is only available when override-allowaccess is set to enable. Protocols to allow management-access to managed APs: telnet, http, https, and ssh. Separate each value with a space to add multiple protocols. Values can also be added using append.

override-login-passwd-change {enable | disable}

Enable or disable (by default) to override the login-password of managed APs. When enabled, use the login-passwd-change entry to determine password-change settings.

login-passwd-change {yes | default | no}

Note: This entry is only available when override-login-passwd-change is set to enable. Login password options:

  • yes: Change login password of the managed AP
  • default: Reset login password to factory default
  • no: Do not change login password (by default)

image-download {enable | disable}

Enable (by default) or disable image download of WTP to the AP. In addition, you can use the following command to import the WTP firmware file from a TFTP server:

execute wireless-controller upload-wtp-image tftp <filename> <TFTP server address>

mesh-bridge-enable {default | enable | disable}

Enable, disable, or use default (by default) mesh Ethernet bride local settings on the WTP (when the WTP is configured as a mesh branch-leaf AP).

coordinate-enable {enable | disable}

Enable or disable (by default) AP coordinates. When enabled, use the coordinate-x and coordinate-y entries to set the AP's X and Y axes.

coordinate-x <string>

Note: This entry is only available when coordinate-enable is set to enable. X axis coordinate of the AP.

coordinate-y <string>

Note: This entry is only available when coordinate-enable is set to enable. Y axis coordinate of the AP.