config wireless-controller wtp-profile

Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.

config wireless-controller wtp-profile

Description: Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.

edit <name>

set comment {var-string}

config platform

Description: WTP, FortiAP, or AP platform.

set type [AP-11N|220B|...]

set mode [single-5G|dual-5G]

set ddscan [enable|disable]

end

set control-message-offload {option1}, {option2}, ...

set ble-profile {string}

set wan-port-mode [wan-lan|wan-only]

config lan

Description: WTP LAN port mapping.

set port-mode [offline|nat-to-wan|...]

set port-ssid {string}

set port1-mode [offline|nat-to-wan|...]

set port1-ssid {string}

set port2-mode [offline|nat-to-wan|...]

set port2-ssid {string}

set port3-mode [offline|nat-to-wan|...]

set port3-ssid {string}

set port4-mode [offline|nat-to-wan|...]

set port4-ssid {string}

set port5-mode [offline|nat-to-wan|...]

set port5-ssid {string}

set port6-mode [offline|nat-to-wan|...]

set port6-ssid {string}

set port7-mode [offline|nat-to-wan|...]

set port7-ssid {string}

set port8-mode [offline|nat-to-wan|...]

set port8-ssid {string}

end

set energy-efficient-ethernet [enable|disable]

set led-state [enable|disable]

set led-schedules <name1>, <name2>, ...

set dtls-policy {option1}, {option2}, ...

set dtls-in-kernel [enable|disable]

set max-clients {integer}

set handoff-rssi {integer}

set handoff-sta-thresh {integer}

set handoff-roaming [enable|disable]

config deny-mac-list

Description: List of MAC addresses that are denied access to this WTP, FortiAP, or AP.

edit <id>

set mac {mac-address}

next

end

set ap-country [NA|AL|...]

set ip-fragment-preventing {option1}, {option2}, ...

set tun-mtu-uplink {integer}

set tun-mtu-downlink {integer}

set split-tunneling-acl-path [tunnel|local]

set split-tunneling-acl-local-ap-subnet [enable|disable]

config split-tunneling-acl

Description: Split tunneling ACL filter list.

edit <id>

set dest-ip {ipv4-classnet}

next

end

set allowaccess {option1}, {option2}, ...

set login-passwd-change [yes|default|...]

set login-passwd {password}

set lldp [enable|disable]

set poe-mode [auto|8023af|...]

config radio-1

Description: Configuration options for radio 1.

set mode [disabled|ap|...]

set band [802.11a|802.11b|...]

set band-5g-type [5g-full|5g-high|...]

set airtime-fairness [enable|disable]

set protection-mode [rtscts|ctsonly|...]

set powersave-optimize {option1}, {option2}, ...

set transmit-optimize {option1}, {option2}, ...

set amsdu [enable|disable]

set coexistence [enable|disable]

set zero-wait-dfs [enable|disable]

set short-guard-interval [enable|disable]

set channel-bonding [160MHz|80MHz|...]

set auto-power-level [enable|disable]

set auto-power-high {integer}

set auto-power-low {integer}

set power-level {integer}

set dtim {integer}

set beacon-interval {integer}

set rts-threshold {integer}

set frag-threshold {integer}

set ap-sniffer-bufsize {integer}

set ap-sniffer-chan {integer}

set ap-sniffer-addr {mac-address}

set ap-sniffer-mgmt-beacon [enable|disable]

set ap-sniffer-mgmt-probe [enable|disable]

set ap-sniffer-mgmt-other [enable|disable]

set ap-sniffer-ctl [enable|disable]

set ap-sniffer-data [enable|disable]

set channel-utilization [enable|disable]

set spectrum-analysis [enable|disable]

set wids-profile {string}

set darrp [enable|disable]

set max-clients {integer}

set max-distance {integer}

set frequency-handoff [enable|disable]

set ap-handoff [enable|disable]

set vap-all [enable|disable]

set vaps <name1>, <name2>, ...

set channel <chan1>, <chan2>, ...

set call-admission-control [enable|disable]

set call-capacity {integer}

set bandwidth-admission-control [enable|disable]

set bandwidth-capacity {integer}

end

config radio-2

Description: Configuration options for radio 2.

set mode [disabled|ap|...]

set band [802.11a|802.11b|...]

set band-5g-type [5g-full|5g-high|...]

set airtime-fairness [enable|disable]

set protection-mode [rtscts|ctsonly|...]

set powersave-optimize {option1}, {option2}, ...

set transmit-optimize {option1}, {option2}, ...

set amsdu [enable|disable]

set coexistence [enable|disable]

set zero-wait-dfs [enable|disable]

set short-guard-interval [enable|disable]

set channel-bonding [160MHz|80MHz|...]

set auto-power-level [enable|disable]

set auto-power-high {integer}

set auto-power-low {integer}

set power-level {integer}

set dtim {integer}

set beacon-interval {integer}

set rts-threshold {integer}

set frag-threshold {integer}

set ap-sniffer-bufsize {integer}

set ap-sniffer-chan {integer}

set ap-sniffer-addr {mac-address}

set ap-sniffer-mgmt-beacon [enable|disable]

set ap-sniffer-mgmt-probe [enable|disable]

set ap-sniffer-mgmt-other [enable|disable]

set ap-sniffer-ctl [enable|disable]

set ap-sniffer-data [enable|disable]

set channel-utilization [enable|disable]

set spectrum-analysis [enable|disable]

set wids-profile {string}

set darrp [enable|disable]

set max-clients {integer}

set max-distance {integer}

set frequency-handoff [enable|disable]

set ap-handoff [enable|disable]

set vap-all [enable|disable]

set vaps <name1>, <name2>, ...

set channel <chan1>, <chan2>, ...

set call-admission-control [enable|disable]

set call-capacity {integer}

set bandwidth-admission-control [enable|disable]

set bandwidth-capacity {integer}

end

config radio-3

Description: Configuration options for radio 3.

set mode [disabled|ap|...]

set band [802.11a|802.11b|...]

set band-5g-type [5g-full|5g-high|...]

set airtime-fairness [enable|disable]

set protection-mode [rtscts|ctsonly|...]

set powersave-optimize {option1}, {option2}, ...

set transmit-optimize {option1}, {option2}, ...

set amsdu [enable|disable]

set coexistence [enable|disable]

set zero-wait-dfs [enable|disable]

set short-guard-interval [enable|disable]

set channel-bonding [160MHz|80MHz|...]

set auto-power-level [enable|disable]

set auto-power-high {integer}

set auto-power-low {integer}

set power-level {integer}

set dtim {integer}

set beacon-interval {integer}

set rts-threshold {integer}

set frag-threshold {integer}

set ap-sniffer-bufsize {integer}

set ap-sniffer-chan {integer}

set ap-sniffer-addr {mac-address}

set ap-sniffer-mgmt-beacon [enable|disable]

set ap-sniffer-mgmt-probe [enable|disable]

set ap-sniffer-mgmt-other [enable|disable]

set ap-sniffer-ctl [enable|disable]

set ap-sniffer-data [enable|disable]

set channel-utilization [enable|disable]

set spectrum-analysis [enable|disable]

set wids-profile {string}

set darrp [enable|disable]

set max-clients {integer}

set max-distance {integer}

set frequency-handoff [enable|disable]

set ap-handoff [enable|disable]

set vap-all [enable|disable]

set vaps <name1>, <name2>, ...

set channel <chan1>, <chan2>, ...

set call-admission-control [enable|disable]

set call-capacity {integer}

set bandwidth-admission-control [enable|disable]

set bandwidth-capacity {integer}

end

config radio-4

Description: Configuration options for radio 4.

set mode [disabled|ap|...]

set band [802.11a|802.11b|...]

set band-5g-type [5g-full|5g-high|...]

set airtime-fairness [enable|disable]

set protection-mode [rtscts|ctsonly|...]

set powersave-optimize {option1}, {option2}, ...

set transmit-optimize {option1}, {option2}, ...

set amsdu [enable|disable]

set coexistence [enable|disable]

set zero-wait-dfs [enable|disable]

set short-guard-interval [enable|disable]

set channel-bonding [160MHz|80MHz|...]

set auto-power-level [enable|disable]

set auto-power-high {integer}

set auto-power-low {integer}

set power-level {integer}

set dtim {integer}

set beacon-interval {integer}

set rts-threshold {integer}

set frag-threshold {integer}

set ap-sniffer-bufsize {integer}

set ap-sniffer-chan {integer}

set ap-sniffer-addr {mac-address}

set ap-sniffer-mgmt-beacon [enable|disable]

set ap-sniffer-mgmt-probe [enable|disable]

set ap-sniffer-mgmt-other [enable|disable]

set ap-sniffer-ctl [enable|disable]

set ap-sniffer-data [enable|disable]

set channel-utilization [enable|disable]

set spectrum-analysis [enable|disable]

set wids-profile {string}

set darrp [enable|disable]

set max-clients {integer}

set max-distance {integer}

set frequency-handoff [enable|disable]

set ap-handoff [enable|disable]

set vap-all [enable|disable]

set vaps <name1>, <name2>, ...

set channel <chan1>, <chan2>, ...

set call-admission-control [enable|disable]

set call-capacity {integer}

set bandwidth-admission-control [enable|disable]

set bandwidth-capacity {integer}

end

config lbs

Description: Set various location based service (LBS) options.

set ekahau-blink-mode [enable|disable]

set ekahau-tag {mac-address}

set erc-server-ip {ipv4-address-any}

set erc-server-port {integer}

set aeroscout [enable|disable]

set aeroscout-server-ip {ipv4-address-any}

set aeroscout-server-port {integer}

set aeroscout-mu [enable|disable]

set aeroscout-ap-mac [bssid|board-mac]

set aeroscout-mmu-report [enable|disable]

set aeroscout-mu-factor {integer}

set aeroscout-mu-timeout {integer}

set fortipresence [foreign|both|...]

set fortipresence-server {ipv4-address-any}

set fortipresence-port {integer}

set fortipresence-secret {password}

set fortipresence-project {string}

set fortipresence-frequency {integer}

set fortipresence-rogue [enable|disable]

set fortipresence-unassoc [enable|disable]

set fortipresence-ble [enable|disable]

set station-locate [enable|disable]

end

set ext-info-enable [enable|disable]

next

end

config wireless-controller wtp-profile

Parameter name

Description

Type

Size

comment

Comment.

var-string

Maximum length: 255

control-message-offload

Enable/disable CAPWAP control message data channel offload.

option

-

 

Option

Description

ebp-frame

Ekahau blink protocol (EBP) frames.

aeroscout-tag

AeroScout tag.

ap-list

Rogue AP list.

sta-list

Rogue STA list.

sta-cap-list

STA capability list.

stats

WTP, radio, VAP, and STA statistics.

aeroscout-mu

AeroScout Mobile Unit (MU) report.

sta-health

STA health log.

ble-profile

Bluetooth Low Energy profile name.

string

Maximum length: 35

wan-port-mode

Enable/disable using a WAN port as a LAN port.

option

-

 

Option

Description

wan-lan

Enable using a WAN port as a LAN port.

wan-only

Disable using a WAN port as a LAN port.

energy-efficient-ethernet

Enable/disable use of energy efficient Ethernet on WTP.

option

-

 

Option

Description

enable

Enable use of energy efficient Ethernet on WTP.

disable

Disable use of energy efficient Ethernet on WTP.

led-state

Enable/disable use of LEDs on WTP (default = disable).

option

-

 

Option

Description

enable

Enable use of LEDs on WTP.

disable

Disable use of LEDs on WTP.

led-schedules <name>

Recurring firewall schedules for illuminating LEDs on the FortiAP. If led-state is enabled, LEDs will be visible when at least one of the schedules is valid. Separate multiple schedule names with a space.

Schedule name.

string

Maximum length: 35

dtls-policy

WTP data channel DTLS policy (default = clear-text).

option

-

 

Option

Description

clear-text

Clear Text Data Channel.

dtls-enabled

DTLS Enabled Data Channel.

ipsec-vpn

IPsec VPN Data Channel.

dtls-in-kernel

Enable/disable data channel DTLS in kernel.

option

-

 

Option

Description

enable

Enable data channel DTLS in kernel.

disable

Disable data channel DTLS in kernel.

max-clients

Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation).

integer

Minimum value: 0 Maximum value: 4294967295

handoff-rssi

Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25).

integer

Minimum value: 20 Maximum value: 30

handoff-sta-thresh

Threshold value for AP handoff.

integer

Minimum value: 0 Maximum value: 4294967295

handoff-roaming

Enable/disable client load balancing during roaming to avoid roaming delay (default = disable).

option

-

 

Option

Description

enable

Enable handoff roaming.

disable

Disable handoff roaming.

ap-country

Country in which this WTP, FortiAP or AP will operate (default = NA, automatically use the country configured for the current VDOM).

option

-

 

Option

Description

NA

NO_COUNTRY_SET

AL

ALBANIA

DZ

ALGERIA

AO

ANGOLA

AR

ARGENTINA

AM

ARMENIA

AU

AUSTRALIA

AT

AUSTRIA

AZ

AZERBAIJAN

BH

BAHRAIN

BD

BANGLADESH

BB

BARBADOS

BY

BELARUS

BE

BELGIUM

BZ

BELIZE

BO

BOLIVIA

BA

BOSNIA AND HERZEGOVINA

BR

BRAZIL

BN

BRUNEI DARUSSALAM

BG

BULGARIA

KH

CAMBODIA

CF

CENTRAL AFRICA REPUBLIC

CL

CHILE

CN

CHINA

CO

COLOMBIA

CR

COSTA RICA

HR

CROATIA

CY

CYPRUS

CZ

CZECH REPUBLIC

DK

DENMARK

DO

DOMINICAN REPUBLIC

EC

ECUADOR

EG

EGYPT

SV

EL SALVADOR

EE

ESTONIA

FI

FINLAND

FR

FRANCE

GE

GEORGIA

DE

GERMANY

GR

GREECE

GL

GREENLAND

GD

GRENADA

GU

GUAM

GT

GUATEMALA

HT

HAITI

HN

HONDURAS

HK

HONG KONG

HU

HUNGARY

IS

ICELAND

IN

INDIA

ID

INDONESIA

IR

IRAN

IE

IRELAND

IL

ISRAEL

IT

ITALY

JM

JAMAICA

JO

JORDAN

KZ

KAZAKHSTAN

KE

KENYA

KP

NORTH KOREA

KR

KOREA REPUBLIC

KW

KUWAIT

LV

LATVIA

LB

LEBANON

LI

LIECHTENSTEIN

LT

LITHUANIA

LU

LUXEMBOURG

MO

MACAU SAR

MK

MACEDONIA, FYRO

MY

MALAYSIA

MT

MALTA

MX

MEXICO

MC

MONACO

MA

MOROCCO

MZ

MOZAMBIQUE

MM

MYANMAR

NP

NEPAL

NL

NETHERLANDS

AN

NETHERLANDS ANTILLES

AW

ARUBA

NZ

NEW ZEALAND

NO

NORWAY

OM

OMAN

PK

PAKISTAN

PA

PANAMA

PG

PAPUA NEW GUINEA

PY

PARAGUAY

PE

PERU

PH

PHILIPPINES

PL

POLAND

PT

PORTUGAL

PR

PUERTO RICO

QA

QATAR

RO

ROMANIA

RU

RUSSIA

RW

RWANDA

SA

SAUDI ARABIA

RS

REPUBLIC OF SERBIA

ME

MONTENEGRO

SG

SINGAPORE

SK

SLOVAKIA

SI

SLOVENIA

ZA

SOUTH AFRICA

ES

SPAIN

LK

SRI LANKA

SE

SWEDEN

SD

SUDAN

CH

SWITZERLAND

SY

SYRIAN ARAB REPUBLIC

TW

TAIWAN

TZ

TANZANIA

TH

THAILAND

TT

TRINIDAD AND TOBAGO

TN

TUNISIA

TR

TURKEY

AE

UNITED ARAB EMIRATES

UA

UKRAINE

GB

UNITED KINGDOM

US

UNITED STATES2

PS

UNITED STATES (PUBLIC SAFETY)

UY

URUGUAY

UZ

UZBEKISTAN

VE

VENEZUELA

VN

VIET NAM

YE

YEMEN

ZB

ZAMBIA

ZW

ZIMBABWE

JP

JAPAN14

CA

CANADA2

ip-fragment-preventing

Method(s) by which IP fragmentation is prevented for control and data packets through CAPWAP tunnel (default = tcp-mss-adjust).

option

-

 

Option

Description

tcp-mss-adjust

TCP maximum segment size adjustment.

icmp-unreachable

Drop packet and send ICMP Destination Unreachable

tun-mtu-uplink

The maximum transmission unit (MTU) of uplink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

tun-mtu-downlink

The MTU of downlink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

split-tunneling-acl-path

Split tunneling ACL path is local/tunnel.

option

-

 

Option

Description

tunnel

Split tunneling ACL list traffic will be tunnel.

local

Split tunneling ACL list traffic will be local NATed.

split-tunneling-acl-local-ap-subnet

Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).

option

-

 

Option

Description

enable

Enable automatically adding local subnetwork of FortiAP to split-tunneling ACL.

disable

Disable automatically adding local subnetwork of FortiAP to split-tunneling ACL.

allowaccess

Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.

option

-

 

Option

Description

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

login-passwd-change

Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).

option

-

 

Option

Description

yes

Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.

default

Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.

no

Do not change the managed WTP, FortiAP or AP's administrator password.

login-passwd

Set the managed WTP, FortiAP, or AP's administrator password.

password

Not Specified

lldp

Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = enable).

option

-

 

Option

Description

enable

Enable LLDP.

disable

Disable LLDP.

poe-mode

Set the WTP, FortiAP, or AP's PoE mode.

option

-

 

Option

Description

auto

Automatically detect the PoE mode.

8023af

Use 802.3af PoE mode.

8023at

Use 802.3at PoE mode.

power-adapter

Use the power adapter to control the PoE mode.

ext-info-enable

Enable/disable station/VAP/radio extension information.

option

-

 

Option

Description

enable

Enable station/VAP/radio extension information.

disable

Disable station/VAP/radio extension information.

config platform

Parameter name

Description

Type

Size

type

WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile.

option

-

 

Option

Description

AP-11N

Default 11n AP.

220B

FAP220B/221B.

210B

FAP210B.

222B

FAP222B.

112B

FAP112B.

320B

FAP320B.

11C

FAP11C.

14C

FAP14C.

223B

FAP223B.

28C

FAP28C.

320C

FAP320C.

221C

FAP221C.

25D

FAP25D.

222C

FAP222C.

224D

FAP224D.

214B

FK214B.

21D

FAP21D.

24D

FAP24D.

112D

FAP112D.

223C

FAP223C.

321C

FAP321C.

C220C

FAPC220C.

C225C

FAPC225C.

C23JD

FAPC23JD.

C24JE

FAPC24JE.

S321C

FAPS321C.

S322C

FAPS322C.

S323C

FAPS323C.

S311C

FAPS311C.

S313C

FAPS313C.

S321CR

FAPS321CR.

S322CR

FAPS322CR.

S323CR

FAPS323CR.

S421E

FAPS421E.

S422E

FAPS422E.

S423E

FAPS423E.

421E

FAP421E.

423E

FAP423E.

221E

FAP221E.

222E

FAP222E.

223E

FAP223E.

224E

FAP224E.

231E

FAP231E.

S221E

FAPS221E.

S223E

FAPS223E.

321E

FAP321E.

431F

FAP431F.

432F

FAP432F.

433F

FAP433F.

231F

FAP231F.

234F

FAP234F.

23JF

FAP23JF.

U421E

FAPU421EV.

U422EV

FAPU422EV.

U423E

FAPU423EV.

U221EV

FAPU221EV.

U223EV

FAPU223EV.

U24JEV

FAPU24JEV.

U321EV

FAPU321EV.

U323EV

FAPU323EV.

U431F

FAPU431F.

U433F

FAPU433F.

mode

Configure operation mode of 5G radios (default = single-5G).

option

-

 

Option

Description

single-5G

Configure radios as one 5GHz band, one 2.4GHz band, and one dedicated monitor or sniffer.

dual-5G

Configure radios as one lower 5GHz band, one higher 5GHz band and one 2.4GHz band respectively.

ddscan

Enable/disable use of one radio for dedicated dual-band scanning to detect RF characterization and wireless threat management.

option

-

 

Option

Description

enable

Enable dedicated dual-band scan mode.

disable

Disable dedicated dual-band scan mode.

config lan

Parameter name

Description

Type

Size

port-mode

LAN port mode.

option

-

 

Option

Description

offline

Offline.

nat-to-wan

NAT WTP LAN port to WTP WAN port.

bridge-to-wan

Bridge WTP LAN port to WTP WAN port.

bridge-to-ssid

Bridge WTP LAN port to SSID.

port-ssid

Bridge LAN port to SSID.

string

Maximum length: 15

port1-mode

LAN port 1 mode.

option

-

 

Option

Description

offline

Offline.

nat-to-wan

NAT WTP LAN port to WTP WAN port.

bridge-to-wan

Bridge WTP LAN port to WTP WAN port.

bridge-to-ssid

Bridge WTP LAN port to SSID.

port1-ssid

Bridge LAN port 1 to SSID.

string

Maximum length: 15

port2-mode

LAN port 2 mode.

option

-

 

Option

Description

offline

Offline.

nat-to-wan

NAT WTP LAN port to WTP WAN port.

bridge-to-wan

Bridge WTP LAN port to WTP WAN port.

bridge-to-ssid

Bridge WTP LAN port to SSID.

port2-ssid

Bridge LAN port 2 to SSID.

string

Maximum length: 15

port3-mode

LAN port 3 mode.

option

-

 

Option