config wireless-controller wtp-profile

Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.

config wireless-controller wtp-profile
    Description: Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.
    edit <name>
        set admin-auth-tacacs+ {string}
        set admin-restrict-local [enable|disable]
        set allowaccess {option1}, {option2}, ...
        set ap-country [--|AF|...]
        set ap-handoff [enable|disable]
        set apcfg-auto-cert [enable|disable]
        set apcfg-auto-cert-auto-regen-days {integer}
        set apcfg-auto-cert-crypto-algo [rsa-1024|rsa-1536|...]
        set apcfg-auto-cert-enroll-protocol [none|est|...]
        set apcfg-auto-cert-est-ca-id {string}
        set apcfg-auto-cert-est-http-password {password}
        set apcfg-auto-cert-est-http-username {string}
        set apcfg-auto-cert-est-https-ca {string}
        set apcfg-auto-cert-est-server {string}
        set apcfg-auto-cert-est-subject {string}
        set apcfg-auto-cert-est-subject-alt-name {string}
        set apcfg-auto-cert-scep-ca-id {string}
        set apcfg-auto-cert-scep-ec-name [secp256r1|secp384r1|...]
        set apcfg-auto-cert-scep-https-ca {string}
        set apcfg-auto-cert-scep-keysize [1024|1536|...]
        set apcfg-auto-cert-scep-keytype [rsa|ec]
        set apcfg-auto-cert-scep-password {password}
        set apcfg-auto-cert-scep-sub-fully-dn {string}
        set apcfg-auto-cert-scep-subject-alt-name {string}
        set apcfg-auto-cert-scep-url {string}
        set apcfg-mesh [enable|disable]
        set apcfg-mesh-ap-type [ethernet|mesh|...]
        set apcfg-mesh-eth-bridge [enable|disable]
        set apcfg-mesh-ssid {string}
        set apcfg-profile {string}
        set ble-profile {string}
        set bonjour-profile {string}
        set comment {var-string}
        set console-login [enable|disable]
        set control-message-offload {option1}, {option2}, ...
        set default-mesh-root [enable|disable]
        config deny-mac-list
            Description: List of MAC addresses that are denied access to this WTP, FortiAP, or AP.
            edit <id>
                set mac {mac-address}
            next
        end
        set dtls-in-kernel [enable|disable]
        set dtls-policy {option1}, {option2}, ...
        set energy-efficient-ethernet [enable|disable]
        config esl-ses-dongle
            Description: ESL SES-imagotag dongle configuration.
            set apc-addr-type [fqdn|ip]
            set apc-fqdn {string}
            set apc-ip {ipv4-address}
            set apc-port {integer}
            set coex-level {option}
            set compliance-level {option}
            set esl-channel [-1|0|...]
            set output-power [a|b|...]
            set scd-enable [enable|disable]
            set tls-cert-verification [enable|disable]
            set tls-fqdn-verification [enable|disable]
        end
        set ext-info-enable [enable|disable]
        set frequency-handoff [enable|disable]
        set handoff-roaming [enable|disable]
        set handoff-rssi {integer}
        set handoff-sta-thresh {integer}
        set indoor-outdoor-deployment [platform-determined|outdoor|...]
        set ip-fragment-preventing {option1}, {option2}, ...
        config lan
            Description: WTP LAN port mapping.
            set port-esl-mode [offline|nat-to-wan|...]
            set port-esl-ssid {string}
            set port-mode [offline|nat-to-wan|...]
            set port-ssid {string}
            set port1-mode [offline|nat-to-wan|...]
            set port1-ssid {string}
            set port2-mode [offline|nat-to-wan|...]
            set port2-ssid {string}
            set port3-mode [offline|nat-to-wan|...]
            set port3-ssid {string}
            set port4-mode [offline|nat-to-wan|...]
            set port4-ssid {string}
            set port5-mode [offline|nat-to-wan|...]
            set port5-ssid {string}
            set port6-mode [offline|nat-to-wan|...]
            set port6-ssid {string}
            set port7-mode [offline|nat-to-wan|...]
            set port7-ssid {string}
            set port8-mode [offline|nat-to-wan|...]
            set port8-ssid {string}
        end
        config lbs
            Description: Set various location based service (LBS) options.
            set aeroscout [enable|disable]
            set aeroscout-ap-mac [bssid|board-mac]
            set aeroscout-mmu-report [enable|disable]
            set aeroscout-mu [enable|disable]
            set aeroscout-mu-factor {integer}
            set aeroscout-mu-timeout {integer}
            set aeroscout-server-ip {ipv4-address-any}
            set aeroscout-server-port {integer}
            set ble-rtls [none|polestar|...]
            set ble-rtls-accumulation-interval {integer}
            set ble-rtls-asset-addrgrp-list {string}
            set ble-rtls-asset-uuid-list1 {string}
            set ble-rtls-asset-uuid-list2 {string}
            set ble-rtls-asset-uuid-list3 {string}
            set ble-rtls-asset-uuid-list4 {string}
            set ble-rtls-protocol {option}
            set ble-rtls-reporting-interval {integer}
            set ble-rtls-server-fqdn {string}
            set ble-rtls-server-path {string}
            set ble-rtls-server-port {integer}
            set ble-rtls-server-token {string}
            set ekahau-blink-mode [enable|disable]
            set ekahau-tag {mac-address}
            set erc-server-ip {ipv4-address-any}
            set erc-server-port {integer}
            set fortipresence [foreign|both|...]
            set fortipresence-ble [enable|disable]
            set fortipresence-frequency {integer}
            set fortipresence-port {integer}
            set fortipresence-project {string}
            set fortipresence-rogue [enable|disable]
            set fortipresence-secret {password}
            set fortipresence-server {ipv4-address-any}
            set fortipresence-server-addr-type [ipv4|fqdn]
            set fortipresence-server-fqdn {string}
            set fortipresence-unassoc [enable|disable]
            set station-locate [enable|disable]
        end
        set led-schedules <name1>, <name2>, ...
        set led-state [enable|disable]
        set lldp [enable|disable]
        set login-passwd {password}
        set login-passwd-change [yes|default|...]
        set lw-profile {string}
        set max-clients {integer}
        config platform
            Description: WTP, FortiAP, or AP platform.
            set ddscan [enable|disable]
            set mode [single-5G|dual-5G]
            set type [AP-11N|C24JE|...]
        end
        set poe-mode [auto|8023af|...]
        config radio-1
            Description: Configuration options for radio 1.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-2
            Description: Configuration options for radio 2.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-3
            Description: Configuration options for radio 3.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-4
            Description: Configuration options for radio 4.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config split-tunneling-acl
            Description: Split tunneling ACL filter list.
            edit <id>
                set dest-ip {ipv4-classnet}
            next
        end
        set split-tunneling-acl-local-ap-subnet [enable|disable]
        set split-tunneling-acl-path [tunnel|local]
        set syslog-profile {string}
        set tun-mtu-downlink {integer}
        set tun-mtu-uplink {integer}
        set unii-4-5ghz-band [enable|disable]
        set usb-port [enable|disable]
        set wan-port-auth [none|802.1x]
        set wan-port-auth-macsec [enable|disable]
        set wan-port-auth-methods [all|EAP-FAST|...]
        set wan-port-auth-password {password}
        set wan-port-auth-usrname {string}
        set wan-port-mode [wan-lan|wan-only]
    next
end

config wireless-controller wtp-profile

Parameter

Description

Type

Size

Default

admin-auth-tacacs+

Remote authentication server for admin user.

string

Maximum length: 35

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running (default = disable).

option

disable

Option	Description
enable	Enable local admin authentication restriction.
disable	Diable local admin authentication restriction.

allowaccess

Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.

option

Option	Description
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.

ap-country

Country in which this WTP, FortiAP, or AP will operate (default = NA, automatically use the country configured for the current VDOM).

option

Option	Description
--	NO_COUNTRY_SET
AF	AFGHANISTAN
AL	ALBANIA
DZ	ALGERIA
AS	AMERICAN SAMOA
AO	ANGOLA
AR	ARGENTINA
AM	ARMENIA
AU	AUSTRALIA
AT	AUSTRIA
AZ	AZERBAIJAN
BS	BAHAMAS
BH	BAHRAIN
BD	BANGLADESH
BB	BARBADOS
BY	BELARUS
BE	BELGIUM
BZ	BELIZE
BJ	BENIN
BM	BERMUDA
BT	BHUTAN
BO	BOLIVIA
BA	BOSNIA AND HERZEGOVINA
BW	BOTSWANA
BR	BRAZIL
BN	BRUNEI DARUSSALAM
BG	BULGARIA
BF	BURKINA-FASO
KH	CAMBODIA
CM	CAMEROON
KY	CAYMAN ISLANDS
CF	CENTRAL AFRICA REPUBLIC
TD	CHAD
CL	CHILE
CN	CHINA
CX	CHRISTMAS ISLAND
CO	COLOMBIA
CG	CONGO REPUBLIC
CD	DEMOCRATIC REPUBLIC OF CONGO
CR	COSTA RICA
HR	CROATIA
CY	CYPRUS
CZ	CZECH REPUBLIC
DK	DENMARK
DJ	DJIBOUTI
DM	DOMINICA
DO	DOMINICAN REPUBLIC
EC	ECUADOR
EG	EGYPT
SV	EL SALVADOR
ET	ETHIOPIA
EE	ESTONIA
GF	FRENCH GUIANA
PF	FRENCH POLYNESIA
FO	FAEROE ISLANDS
FJ	FIJI
FI	FINLAND
FR	FRANCE
GA	GABON
GE	GEORGIA
GM	GAMBIA
DE	GERMANY
GH	GHANA
GI	GIBRALTAR
GR	GREECE
GL	GREENLAND
GD	GRENADA
GP	GUADELOUPE
GU	GUAM
GT	GUATEMALA
GY	GUYANA
HT	HAITI
HN	HONDURAS
HK	HONG KONG
HU	HUNGARY
IS	ICELAND
IN	INDIA
ID	INDONESIA
IQ	IRAQ
IE	IRELAND
IM	ISLE OF MAN
IL	ISRAEL
IT	ITALY
CI	COTE_D_IVOIRE
JM	JAMAICA
JO	JORDAN
KZ	KAZAKHSTAN
KE	KENYA
KR	KOREA REPUBLIC
KW	KUWAIT
LA	LAOS
LV	LATVIA
LB	LEBANON
LS	LESOTHO
LR	LIBERIA
LY	LIBYA
LI	LIECHTENSTEIN
LT	LITHUANIA
LU	LUXEMBOURG
MO	MACAU SAR
MK	MACEDONIA, FYRO
MG	MADAGASCAR
MW	MALAWI
MY	MALAYSIA
MV	MALDIVES
ML	MALI
MT	MALTA
MH	MARSHALL ISLANDS
MQ	MARTINIQUE
MR	MAURITANIA
MU	MAURITIUS
YT	MAYOTTE
MX	MEXICO
FM	MICRONESIA
MD	REPUBLIC OF MOLDOVA
MC	MONACO
MN	MONGOLIA
MA	MOROCCO
MZ	MOZAMBIQUE
MM	MYANMAR
NA	NAMIBIA
NP	NEPAL
NL	NETHERLANDS
AN	NETHERLANDS ANTILLES
AW	ARUBA
NZ	NEW ZEALAND
NI	NICARAGUA
NE	NIGER
NG	NIGERIA
NO	NORWAY
MP	NORTHERN MARIANA ISLANDS
OM	OMAN
PK	PAKISTAN
PW	PALAU
PA	PANAMA
PG	PAPUA NEW GUINEA
PY	PARAGUAY
PE	PERU
PH	PHILIPPINES
PL	POLAND
PT	PORTUGAL
PR	PUERTO RICO
QA	QATAR
RE	REUNION
RO	ROMANIA
RU	RUSSIA
RW	RWANDA
BL	SAINT BARTHELEMY
KN	SAINT KITTS AND NEVIS
LC	SAINT LUCIA
MF	SAINT MARTIN
PM	SAINT PIERRE AND MIQUELON
VC	SAINT VINCENT AND GRENADIENS
SA	SAUDI ARABIA
SN	SENEGAL
RS	REPUBLIC OF SERBIA
ME	MONTENEGRO
SL	SIERRA LEONE
SG	SINGAPORE
SK	SLOVAKIA
SI	SLOVENIA
SO	SOMALIA
ZA	SOUTH AFRICA
ES	SPAIN
LK	SRI LANKA
SR	SURINAME
SZ	SWAZILAND
SE	SWEDEN
CH	SWITZERLAND
TW	TAIWAN
TZ	TANZANIA
TH	THAILAND
TL	TIMOR-LESTE
TG	TOGO
TT	TRINIDAD AND TOBAGO
TN	TUNISIA
TR	TURKEY
TM	TURKMENISTAN
AE	UNITED ARAB EMIRATES
TC	TURKS AND CAICOS
UG	UGANDA
UA	UKRAINE
GB	UNITED KINGDOM
US	UNITED STATES2
PS	UNITED STATES (PUBLIC SAFETY)
UY	URUGUAY
UZ	UZBEKISTAN
VU	VANUATU
VE	VENEZUELA
VN	VIET NAM
VI	VIRGIN ISLANDS
WF	WALLIS AND FUTUNA
YE	YEMEN
ZM	ZAMBIA
ZW	ZIMBABWE
JP	JAPAN14
CA	CANADA2

ap-handoff

Enable/disable AP handoff of clients to other APs (default = disable).

option

disable

Option	Description
enable	Enable AP handoff.
disable	Disable AP handoff.

apcfg-auto-cert

Enable/disable AP local auto cert configuration (default = disable).

option

disable

Option	Description
enable	Enable AP local auto cert configuration.
disable	Disable AP local auto cert configuration.

apcfg-auto-cert-auto-regen-days

Number of days to wait before expiry of an updated local certificate is requested (0 = disabled) (default = 30).

integer

Minimum value: 0 Maximum value: 4294967295

apcfg-auto-cert-crypto-algo

Cryptography algorithm: rsa-1024, rsa-1536, rsa-2048, rsa-4096, ec-secp256r1, ec-secp384r1, ec-secp521r1 (default = ec-secp256r1)

option

ec-secp256r1

Option	Description
rsa-1024	Cryptography algorithm rsa-1024.
rsa-1536	Cryptography algorithm rsa-1536.
rsa-2048	Cryptography algorithm rsa-2048.
rsa-4096	Cryptography algorithm rsa-4096.
ec-secp256r1	Cryptography algorithm ec-secp256r1.
ec-secp384r1	Cryptography algorithm ec-secp384r1.
ec-secp521r1	Cryptography algorithm ec-secp521r1.

apcfg-auto-cert-enroll-protocol

Certificate enrollment protocol (default = none)

option

none

Option	Description
none	None (default).
est	Enrollment over Secure Transport.
scep	Simple Certificate Enrollment Protocol.

apcfg-auto-cert-est-ca-id

CA identifier of the CA server for signing via EST.

string

Maximum length: 255

apcfg-auto-cert-est-http-password

HTTP Authentication password for signing via EST.

password

Not Specified

apcfg-auto-cert-est-http-username

HTTP Authentication username for signing via EST.

string

Maximum length: 63

apcfg-auto-cert-est-https-ca

PEM format https CA Certificate.

string

Maximum length: 79

apcfg-auto-cert-est-server

Address and port for EST server (e.g. https://example.com:1234).

string

Maximum length: 255

apcfg-auto-cert-est-subject

Subject e.g. "CN=User,DC=example,DC=COM" (default = CN=FortiAP,DC=local,DC=COM)

string

Maximum length: 127

CN=FortiAP,DC=local,DC=COM

apcfg-auto-cert-est-subject-alt-name

Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99")

string

Maximum length: 127

apcfg-auto-cert-scep-ca-id

CA identifier of the CA server for signing via SCEP.

string

Maximum length: 255

apcfg-auto-cert-scep-ec-name

Elliptic curve name: secp256r1, secp384r1 and secp521r1. (default secp256r1).

option

secp256r1

Option	Description
secp256r1	Elliptic curve name secp256r1.
secp384r1	Elliptic curve name secp384r1.
secp521r1	Elliptic curve name secp521r1.

apcfg-auto-cert-scep-https-ca

PEM format https CA Certificate.

string

Maximum length: 79

apcfg-auto-cert-scep-keysize

Key size: 1024, 1536, 2048, 4096 (default 2048).

option

2048

Option	Description
1024	keysize 1024.
1536	keysize 1536.
2048	keysize 2048.
4096	keysize 4096.

apcfg-auto-cert-scep-keytype

Key type (default = rsa)

option

rsa

Option	Description
rsa	Generate a RSA certificate request.
ec	Generate an elliptic curve certificate request.

apcfg-auto-cert-scep-password

SCEP server challenge password for auto-regeneration.

password

Not Specified

apcfg-auto-cert-scep-sub-fully-dn

Full DN of the subject (e.g C=US,ST=CA,L=Sunnyvale,O=Fortinet,OU=Dep1,emailAddress=test@example.com). There should be no space in between the attributes. Supported DN attributes (case-sensitive) are:C,ST,L,O,OU,emailAddress. The CN defaults to the device’s SN and cannot be changed.

string

Maximum length: 255

apcfg-auto-cert-scep-subject-alt-name

Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99")

string

Maximum length: 127

apcfg-auto-cert-scep-url

SCEP server URL.

string

Maximum length: 255

apcfg-mesh

Enable/disable AP local mesh configuration (default = disable).

option

disable

Option	Description
enable	Enable AP local mesh configuration.
disable	Disable AP local mesh configuration.

apcfg-mesh-ap-type

Mesh AP Type (default = ethernet).

option

ethernet

Option	Description
ethernet	Use ethernet uplink.
mesh	Use mesh uplink.
auto	Ethernet with mesh backup support.

apcfg-mesh-eth-bridge

Enable/disable mesh ethernet bridge (default = disable).

option

disable

Option	Description
enable	Enable AP local mesh eth bridge configuration.
disable	Disable AP local mesh eth bridge configuration.

apcfg-mesh-ssid

Mesh SSID (default = none).

string

Maximum length: 15

apcfg-profile

AP local configuration profile name.

string

Maximum length: 35

ble-profile

Bluetooth Low Energy profile name.

string

Maximum length: 35

bonjour-profile

Bonjour profile name.

string

Maximum length: 35

comment

Comment.

var-string

Maximum length: 255

console-login

Enable/disable FortiAP console login access (default = enable).

option

enable

Option	Description
enable	Enable FAP console login access.
disable	Disable FAP console login access.

control-message-offload

Enable/disable CAPWAP control message data channel offload.

option

ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health spectral-analysis

Option	Description
ebp-frame	Ekahau blink protocol (EBP) frames.
aeroscout-tag	AeroScout tag.
ap-list	Rogue AP list.
sta-list	Rogue STA list.
sta-cap-list	STA capability list.
stats	WTP, radio, VAP, and STA statistics.
aeroscout-mu	AeroScout Mobile Unit (MU) report.
sta-health	STA health log.
spectral-analysis	Spectral analysis report.

default-mesh-root

Configure default mesh root SSID when it is not included by radio's SSID configuration.

option

disable

Option	Description
enable	Enable default mesh root SSID if it is not included by radio's SSID configuration.
disable	Do not enable default mesh root SSID if it is not included by radio's SSID configuration.

dtls-in-kernel

Enable/disable data channel DTLS in kernel.

option

disable

Option	Description
enable	Enable data channel DTLS in kernel.
disable	Disable data channel DTLS in kernel.

dtls-policy

WTP data channel DTLS policy (default = clear-text).

option

clear-text

Option	Description
clear-text	Clear Text Data Channel.
dtls-enabled	DTLS Enabled Data Channel.
ipsec-vpn	IPsec VPN Data Channel.
ipsec-sn-vpn	IPsec VPN Data Channel with FortiAP's SN in the first IKE messages.

energy-efficient-ethernet

Enable/disable use of energy efficient Ethernet on WTP.

option

disable

Option	Description
enable	Enable use of energy efficient Ethernet on WTP.
disable	Disable use of energy efficient Ethernet on WTP.

ext-info-enable

Enable/disable station/VAP/radio extension information.

option

enable

Option	Description
enable	Enable station/VAP/radio extension information.
disable	Disable station/VAP/radio extension information.

frequency-handoff

Enable/disable frequency handoff of clients to other channels (default = disable).

option

disable

Option	Description
enable	Enable frequency handoff.
disable	Disable frequency handoff.

handoff-roaming

Enable/disable client load balancing during roaming to avoid roaming delay (default = enable).

option

enable

Option	Description
enable	Enable handoff roaming.
disable	Disable handoff roaming.

handoff-rssi

Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25).

integer

Minimum value: 20 Maximum value: 30

handoff-sta-thresh

Threshold value for AP handoff.

integer

Minimum value: 5 Maximum value: 60

indoor-outdoor-deployment

Set to allow indoor/outdoor-only channels under regulatory rules (default = platform-determined).

option

platform-determined

Option	Description
platform-determined	Set AP deployment type based on its platform.
outdoor	Set AP deployment type to outdoor.
indoor	Set AP deployment type to indoor.

ip-fragment-preventing

Method(s) by which IP fragmentation is prevented for control and data packets through CAPWAP tunnel (default = tcp-mss-adjust).

option

tcp-mss-adjust

Option	Description
tcp-mss-adjust	TCP maximum segment size adjustment.
icmp-unreachable	Drop packet and send ICMP Destination Unreachable

led-schedules <name>

Recurring firewall schedules for illuminating LEDs on the FortiAP. If led-state is enabled, LEDs will be visible when at least one of the schedules is valid. Separate multiple schedule names with a space.

Schedule name.

string

Maximum length: 35

led-state

Enable/disable use of LEDs on WTP (default = enable).

option

enable

Option	Description
enable	Enable use of LEDs on WTP.
disable	Disable use of LEDs on WTP.

lldp

Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = enable).

option

enable

Option	Description
enable	Enable LLDP.
disable	Disable LLDP.

Set the managed WTP, FortiAP, or AP's administrator password.

password

Not Specified

Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).

option

Option	Description
yes	Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.
default	Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
no	Do not change the managed WTP, FortiAP or AP's administrator password.

lw-profile

LoRaWAN profile name.

string

Maximum length: 35

max-clients

Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation).

integer

Minimum value: 0 Maximum value: 4294967295

name

WTP (or FortiAP or AP) profile name.

string

Maximum length: 35

poe-mode

Set the WTP, FortiAP, or AP's PoE mode.

option

auto

Option	Description
auto	Automatically detect the PoE mode.
8023af	Use 802.3af PoE mode.
8023at	Use 802.3at PoE mode.
power-adapter	Use the power adapter to control the PoE mode.
full	Use full power mode.
high	Use high power mode.
low	Use low power mode.

split-tunneling-acl-local-ap-subnet

Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).

option

disable

Option	Description
enable	Enable automatically adding local subnetwork of FortiAP to split-tunneling ACL.
disable	Disable automatically adding local subnetwork of FortiAP to split-tunneling ACL.

split-tunneling-acl-path

Split tunneling ACL path is local/tunnel.

option

local

Option	Description
tunnel	Split tunneling ACL list traffic will be tunnel.
local	Split tunneling ACL list traffic will be local NATed.

syslog-profile

System log server configuration profile name.

string

Maximum length: 35

tun-mtu-downlink

The MTU of downlink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

tun-mtu-uplink

The maximum transmission unit (MTU) of uplink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

unii-4-5ghz-band

Enable/disable UNII-4 5Ghz band channels (default = disable).

option

disable

Option	Description
enable	Enable UNII-4 5Ghz band channels.
disable	Disable UNII-4 5Ghz band channels.

usb-port

Enable/disable USB port of the WTP (default = enable).

option

enable

Option	Description
enable	Enable USB port.
disable	Disable USB port.

wan-port-auth

Set WAN port authentication mode (default = none).

option

none

Option	Description
none	Disable WAN port authentication.
802.1x	Enable WAN port 802.1x authentication.

wan-port-auth-macsec

Enable/disable WAN port 802.1x supplicant MACsec policy (default = disable).

option

disable

Option	Description
enable	Enable WAN port 802.1x supplicant MACsec policy.
disable	Disable WAN port 802.1x supplicant MACsec policy.

wan-port-auth-methods

WAN port 802.1x supplicant EAP methods (default = all).

option

all

Option	Description
all	Do not specify any EAP methods.
EAP-FAST	Enable EAP-FAST.
EAP-TLS	Enable EAP-TLS.
EAP-PEAP	Enable EAP-PEAP.

wan-port-auth-password

Set WAN port 802.1x supplicant password.

password

Not Specified

wan-port-auth-usrname

Set WAN port 802.1x supplicant user name.

string

Maximum length: 63

wan-port-mode

Enable/disable using a WAN port as a LAN port.

option

wan-only

Option	Description
wan-lan	Enable using a WAN port as a LAN port.
wan-only	Disable using a WAN port as a LAN port.

config deny-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	A WiFi device with this MAC address is denied access to this WTP, FortiAP or AP.	mac-address	Not Specified	00:00:00:00:00:00

config esl-ses-dongle

Parameter

Description

Type

Size

Default

apc-addr-type

ESL SES-imagotag APC address type (default = fqdn).

option

fqdn

Option	Description
fqdn	Fully Qualified Domain Name address.
ip	IPv4 address.

apc-fqdn

FQDN of ESL SES-imagotag Access Point Controller (APC).

string

Maximum length: 63

apc-ip

IP address of ESL SES-imagotag Access Point Controller (APC).

ipv4-address

Not Specified

0.0.0.0

apc-port

Port of ESL SES-imagotag Access Point Controller (APC).

integer

Minimum value: 0 Maximum value: 65535

coex-level

ESL SES-imagotag dongle coexistence level (default = none).

option

none

Option	Description
none	No support for coexistence of USB-Dongle with WiFi AP.

compliance-level

Compliance levels for the ESL solution integration (default = compliance-level-2).

option

compliance-level-2

Option	Description
compliance-level-2	Compliance Level 2 - Full Cloud Support, IoT and Fast-Response.

esl-channel

ESL SES-imagotag dongle channel (default = 127).

option

127

Option	Description
-1	No esl-channel is set.
0	ESL channel 0.
1	ESL channel 1.
2	ESL channel 2.
3	ESL channel 3.
4	ESL channel 4.
5	ESL channel 5.
6	ESL channel 6.
7	ESL channel 7.
8	ESL channel 8.
9	ESL channel 9.
10	ESL channel 10.
127	Managed channel enabled, indicates that the APC (server) is setting the esl-channel via the slot channel

output-power

ESL SES-imagotag dongle output power (default = A).

option

Option	Description
a	About 15mW.
b	About 7mW.
c	About 5mW.
d	About 1mW.
e	About 13mW.
f	About 10mW.
g	About 3mW.
h	About 2mW.

scd-enable

Enable/disable ESL SES-imagotag Serial Communication Daemon (SCD) (default = disable).

option

disable

Option	Description
enable	Enable ESL SES-imagotag SCD.
disable	Disable ESL SES-imagotag SCD.

tls-cert-verification

Enable/disable TLS certificate verification (default = enable).

option

enable

Option	Description
enable	Enable TLS Certificate verification.
disable	Disable TLS Certificate verification.

tls-fqdn-verification

Enable/disable TLS FQDN verification (default = disable).

option

disable

Option	Description
enable	Enable TLS FQDN verification.
disable	Disable TLS FQDN verification.

config lan

Parameter

Description

Type

Size

Default

port-esl-mode

ESL port mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP ESL port to WTP WAN port.
bridge-to-wan	Bridge WTP ESL port to WTP WAN port.
bridge-to-ssid	Bridge WTP ESL port to SSID.

port-esl-ssid

Bridge ESL port to SSID.

string

Maximum length: 15

port-mode

LAN port mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port-ssid

Bridge LAN port to SSID.

string

Maximum length: 15

port1-mode

LAN port 1 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port1-ssid

Bridge LAN port 1 to SSID.

string

Maximum length: 15

port2-mode

LAN port 2 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port2-ssid

Bridge LAN port 2 to SSID.

string

Maximum length: 15

port3-mode

LAN port 3 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port3-ssid

Bridge LAN port 3 to SSID.

string

Maximum length: 15

port4-mode

LAN port 4 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port4-ssid

Bridge LAN port 4 to SSID.

string

Maximum length: 15

port5-mode

LAN port 5 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port5-ssid

Bridge LAN port 5 to SSID.

string

Maximum length: 15

port6-mode

LAN port 6 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port6-ssid

Bridge LAN port 6 to SSID.

string

Maximum length: 15

port7-mode

LAN port 7 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port7-ssid

Bridge LAN port 7 to SSID.

string

Maximum length: 15

port8-mode

LAN port 8 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port8-ssid

Bridge LAN port 8 to SSID.

string

Maximum length: 15

config lbs

Parameter

Description

Type

Size

Default

aeroscout

Enable/disable AeroScout Real Time Location Service (RTLS) support (default = disable).

option

disable

Option	Description
enable	Enable AeroScout support.
disable	Disable AeroScout support.

aeroscout-ap-mac

Use BSSID or board MAC address as AP MAC address in AeroScout AP messages (default = bssid).

option

bssid

Option	Description
bssid	Use BSSID as AP MAC address in AeroScout AP messages.
board-mac	Use board MAC address as AP MAC address in AeroScout AP messages.

aeroscout-mmu-report

Enable/disable compounded AeroScout tag and MU report (default = enable).

option

enable

Option	Description
enable	Enable compounded AeroScout tag and MU report.
disable	Disable compounded AeroScout tag and MU report.

aeroscout-mu

Enable/disable AeroScout Mobile Unit (MU) support (default = disable).

option

disable

Option	Description
enable	Enable AeroScout MU mode support.
disable	Disable AeroScout MU mode support.

aeroscout-mu-factor

AeroScout MU mode dilution factor (default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

aeroscout-mu-timeout

AeroScout MU mode timeout (0 - 65535 sec, default = 5).

integer

Minimum value: 0 Maximum value: 65535

aeroscout-server-ip

IP address of AeroScout server.

ipv4-address-any

Not Specified

0.0.0.0

aeroscout-server-port

AeroScout server UDP listening port.

integer

Minimum value: 1024 Maximum value: 65535

ble-rtls

Set BLE Real Time Location Service (RTLS) support (default = none).

option

none

Option	Description
none	Set BLE RTLS to none (default = none).
polestar	Set BLE RTLS to PoleStar.
evresys	Set BLE RTLS to Evresys.

ble-rtls-accumulation-interval

Time that measurements should be accumulated in seconds (default = 2).

integer

Minimum value: 1 Maximum value: 60

ble-rtls-asset-addrgrp-list

Tags and asset addrgrp list to be reported.

string

Maximum length: 79

ble-rtls-asset-uuid-list1

Tags and asset UUID list 1 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list2

Tags and asset UUID list 2 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list3

Tags and asset UUID list 3 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list4

Tags and asset UUID list 4 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-protocol

Select the protocol to report Measurements, Advertising Data, or Location Data to Cloud Server (default = WSS).

option

WSS

Option	Description
WSS	Use WebSocket protocol to report Measurements, Advertising Data, or Location Data to Cloud Server.

ble-rtls-reporting-interval

Time between reporting accumulated measurements in seconds (default = 2).

integer

Minimum value: 1 Maximum value: 600

ble-rtls-server-fqdn

FQDN of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 255

ble-rtls-server-path

Path of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 255

ble-rtls-server-port

Port of BLE Real Time Location Service (RTLS) Server (default = 443).

integer

Minimum value: 1 Maximum value: 65535

443

ble-rtls-server-token

Access Token of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 31

ekahau-blink-mode

Enable/disable Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags (default = disable).

option

disable

Option	Description
enable	Enable Ekahau blink mode.
disable	Disable Ekahau blink mode.

ekahau-tag

WiFi frame MAC address or WiFi Tag.

mac-address

Not Specified

01:18:8e:00:00:00

erc-server-ip

IP address of Ekahau RTLS Controller (ERC).

ipv4-address-any

Not Specified

0.0.0.0

erc-server-port

Ekahau RTLS Controller (ERC) UDP listening port.

integer

Minimum value: 1024 Maximum value: 65535

8569

fortipresence

Enable/disable FortiPresence to monitor the location and activity of WiFi clients even if they don't connect to this WiFi network (default = disable).

option

disable

Option	Description
foreign	FortiPresence monitors foreign channels only. Foreign channels mean all other available channels than the current operating channel of the WTP, AP, or FortiAP.
both	Enable FortiPresence on both foreign and home channels. Select this option to have FortiPresence monitor all WiFi channels.
disable	Disable FortiPresence.

fortipresence-ble

Enable/disable FortiPresence finding and reporting BLE devices.

option

enable

Option	Description
enable	Enable FortiPresence finding and reporting BLE devices.
disable	Disable FortiPresence finding and reporting BLE devices.

fortipresence-frequency

FortiPresence report transmit frequency (5 - 65535 sec, default = 30).

integer

Minimum value: 5 Maximum value: 65535

fortipresence-port

UDP listening port of FortiPresence server (default = 3000).

integer

Minimum value: 300 Maximum value: 65535

3000

fortipresence-project

FortiPresence project name (max. 16 characters, default = fortipresence).

string

Maximum length: 16

fortipresence

fortipresence-rogue

Enable/disable FortiPresence finding and reporting rogue APs.

option

disable

Option	Description
enable	Enable FortiPresence finding and reporting rogue APs.
disable	Disable FortiPresence finding and reporting rogue APs.

fortipresence-secret

FortiPresence secret password (max. 16 characters).

password

Not Specified

fortipresence-server

IP address of FortiPresence server.

ipv4-address-any

Not Specified

0.0.0.0

fortipresence-server-addr-type

FortiPresence server address type (default = ipv4).

option

ipv4

Option	Description
ipv4	IPv4 address.
fqdn	Fully Qualified Domain Name address.

fortipresence-server-fqdn

FQDN of FortiPresence server.

string

Maximum length: 255

fortipresence-unassoc

Enable/disable FortiPresence finding and reporting unassociated stations.

option

enable

Option	Description
enable	Enable FortiPresence finding and reporting unassociated stations.
disable	Disable FortiPresence finding and reporting unassociated stations.

station-locate

Enable/disable client station locating services for all clients, whether associated or not (default = disable).

option

disable

Option	Description
enable	Enable station locating service.
disable	Disable station locating service.

config platform

Parameter

Description

Type

Size

Default

ddscan

Enable/disable use of one radio for dedicated full-band scanning to detect RF characterization and wireless threat management.

option

disable

Option	Description
enable	Enable dedicated full-band scan mode.
disable	Disable dedicated full-band scan mode.

mode

Configure operation mode of 5G radios (default = single-5G).

option

single-5G

Option	Description
single-5G	Configure radios as one 5GHz band, one 2.4GHz band, and one dedicated monitor or sniffer.
dual-5G	Configure radios as one lower 5GHz band, one higher 5GHz band and one 2.4GHz band respectively.

type

WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile.

option

221E

Option	Description
AP-11N	Default 11n AP.
C24JE	FAPC24JE.
421E	FAP421E.
423E	FAP423E.
221E	FAP221E.
222E	FAP222E.
223E	FAP223E.
224E	FAP224E.
231E	FAP231E.
321E	FAP321E.
431F	FAP431F.
431FL	FAP431FL.
432F	FAP432F.
432FR	FAP432FR.
433F	FAP433F.
433FL	FAP433FL.
231F	FAP231F.
231FL	FAP231FL.
234F	FAP234F.
23JF	FAP23JF.
831F	FAP831F.
231G	FAP231G.
233G	FAP233G.
234G	FAP234G.
431G	FAP431G.
432G	FAP432G.
433G	FAP433G.
231K	FAP231K.
231KD	FAP231KD.
23JK	FAP23JK.
222KL	FAP222KL.
241K	FAP241K.
243K	FAP243K.
244K	FAP244K.
441K	FAP441K.
432K	FAP432K.
443K	FAP443K.
U421E	FAPU421EV.
U422EV	FAPU422EV.
U423E	FAPU423EV.
U221EV	FAPU221EV.
U223EV	FAPU223EV.
U24JEV	FAPU24JEV.
U321EV	FAPU321EV.
U323EV	FAPU323EV.
U431F	FAPU431F.
U433F	FAPU433F.
U231F	FAPU231F.
U234F	FAPU234F.
U432F	FAPU432F.
U231G	FAPU231G.
MVP	FAP MVP.

config radio-1

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 1 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it.

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 1. Radio 1 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 1 is disabled.
ap	Radio 1 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 1 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 1 operates as a sniffer capturing WiFi frames on air.
sam	Radio 1 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

Set radio effective isotropic radiated power (EIRP) in dBm or by a percentage of the maximum EIRP (default = percentage). This power takes into account both radio transmit power and antenna gain. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-2

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 2 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 2. Radio 2 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 2 is disabled.
ap	Radio 2 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 2 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 2 operates as a sniffer capturing WiFi frames on air.
sam	Radio 2 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-3

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 3 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 3. Radio 3 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 3 is disabled.
ap	Radio 3 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 3 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 3 operates as a sniffer capturing WiFi frames on air.
sam	Radio 3 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-4

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 4 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 4. Radio 4 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 4 is disabled.
ap	Radio 4 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 4 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 4 operates as a sniffer capturing WiFi frames on air.
sam	Radio 4 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config split-tunneling-acl

Parameter	Description	Type	Size	Default
dest-ip	Destination IP and mask for the split-tunneling subnet.	ipv4-classnet	Not Specified	0.0.0.0 0.0.0.0
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0

config wireless-controller wtp-profile

Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.

config wireless-controller wtp-profile
    Description: Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.
    edit <name>
        set admin-auth-tacacs+ {string}
        set admin-restrict-local [enable|disable]
        set allowaccess {option1}, {option2}, ...
        set ap-country [--|AF|...]
        set ap-handoff [enable|disable]
        set apcfg-auto-cert [enable|disable]
        set apcfg-auto-cert-auto-regen-days {integer}
        set apcfg-auto-cert-crypto-algo [rsa-1024|rsa-1536|...]
        set apcfg-auto-cert-enroll-protocol [none|est|...]
        set apcfg-auto-cert-est-ca-id {string}
        set apcfg-auto-cert-est-http-password {password}
        set apcfg-auto-cert-est-http-username {string}
        set apcfg-auto-cert-est-https-ca {string}
        set apcfg-auto-cert-est-server {string}
        set apcfg-auto-cert-est-subject {string}
        set apcfg-auto-cert-est-subject-alt-name {string}
        set apcfg-auto-cert-scep-ca-id {string}
        set apcfg-auto-cert-scep-ec-name [secp256r1|secp384r1|...]
        set apcfg-auto-cert-scep-https-ca {string}
        set apcfg-auto-cert-scep-keysize [1024|1536|...]
        set apcfg-auto-cert-scep-keytype [rsa|ec]
        set apcfg-auto-cert-scep-password {password}
        set apcfg-auto-cert-scep-sub-fully-dn {string}
        set apcfg-auto-cert-scep-subject-alt-name {string}
        set apcfg-auto-cert-scep-url {string}
        set apcfg-mesh [enable|disable]
        set apcfg-mesh-ap-type [ethernet|mesh|...]
        set apcfg-mesh-eth-bridge [enable|disable]
        set apcfg-mesh-ssid {string}
        set apcfg-profile {string}
        set ble-profile {string}
        set bonjour-profile {string}
        set comment {var-string}
        set console-login [enable|disable]
        set control-message-offload {option1}, {option2}, ...
        set default-mesh-root [enable|disable]
        config deny-mac-list
            Description: List of MAC addresses that are denied access to this WTP, FortiAP, or AP.
            edit <id>
                set mac {mac-address}
            next
        end
        set dtls-in-kernel [enable|disable]
        set dtls-policy {option1}, {option2}, ...
        set energy-efficient-ethernet [enable|disable]
        config esl-ses-dongle
            Description: ESL SES-imagotag dongle configuration.
            set apc-addr-type [fqdn|ip]
            set apc-fqdn {string}
            set apc-ip {ipv4-address}
            set apc-port {integer}
            set coex-level {option}
            set compliance-level {option}
            set esl-channel [-1|0|...]
            set output-power [a|b|...]
            set scd-enable [enable|disable]
            set tls-cert-verification [enable|disable]
            set tls-fqdn-verification [enable|disable]
        end
        set ext-info-enable [enable|disable]
        set frequency-handoff [enable|disable]
        set handoff-roaming [enable|disable]
        set handoff-rssi {integer}
        set handoff-sta-thresh {integer}
        set indoor-outdoor-deployment [platform-determined|outdoor|...]
        set ip-fragment-preventing {option1}, {option2}, ...
        config lan
            Description: WTP LAN port mapping.
            set port-esl-mode [offline|nat-to-wan|...]
            set port-esl-ssid {string}
            set port-mode [offline|nat-to-wan|...]
            set port-ssid {string}
            set port1-mode [offline|nat-to-wan|...]
            set port1-ssid {string}
            set port2-mode [offline|nat-to-wan|...]
            set port2-ssid {string}
            set port3-mode [offline|nat-to-wan|...]
            set port3-ssid {string}
            set port4-mode [offline|nat-to-wan|...]
            set port4-ssid {string}
            set port5-mode [offline|nat-to-wan|...]
            set port5-ssid {string}
            set port6-mode [offline|nat-to-wan|...]
            set port6-ssid {string}
            set port7-mode [offline|nat-to-wan|...]
            set port7-ssid {string}
            set port8-mode [offline|nat-to-wan|...]
            set port8-ssid {string}
        end
        config lbs
            Description: Set various location based service (LBS) options.
            set aeroscout [enable|disable]
            set aeroscout-ap-mac [bssid|board-mac]
            set aeroscout-mmu-report [enable|disable]
            set aeroscout-mu [enable|disable]
            set aeroscout-mu-factor {integer}
            set aeroscout-mu-timeout {integer}
            set aeroscout-server-ip {ipv4-address-any}
            set aeroscout-server-port {integer}
            set ble-rtls [none|polestar|...]
            set ble-rtls-accumulation-interval {integer}
            set ble-rtls-asset-addrgrp-list {string}
            set ble-rtls-asset-uuid-list1 {string}
            set ble-rtls-asset-uuid-list2 {string}
            set ble-rtls-asset-uuid-list3 {string}
            set ble-rtls-asset-uuid-list4 {string}
            set ble-rtls-protocol {option}
            set ble-rtls-reporting-interval {integer}
            set ble-rtls-server-fqdn {string}
            set ble-rtls-server-path {string}
            set ble-rtls-server-port {integer}
            set ble-rtls-server-token {string}
            set ekahau-blink-mode [enable|disable]
            set ekahau-tag {mac-address}
            set erc-server-ip {ipv4-address-any}
            set erc-server-port {integer}
            set fortipresence [foreign|both|...]
            set fortipresence-ble [enable|disable]
            set fortipresence-frequency {integer}
            set fortipresence-port {integer}
            set fortipresence-project {string}
            set fortipresence-rogue [enable|disable]
            set fortipresence-secret {password}
            set fortipresence-server {ipv4-address-any}
            set fortipresence-server-addr-type [ipv4|fqdn]
            set fortipresence-server-fqdn {string}
            set fortipresence-unassoc [enable|disable]
            set station-locate [enable|disable]
        end
        set led-schedules <name1>, <name2>, ...
        set led-state [enable|disable]
        set lldp [enable|disable]
        set login-passwd {password}
        set login-passwd-change [yes|default|...]
        set lw-profile {string}
        set max-clients {integer}
        config platform
            Description: WTP, FortiAP, or AP platform.
            set ddscan [enable|disable]
            set mode [single-5G|dual-5G]
            set type [AP-11N|C24JE|...]
        end
        set poe-mode [auto|8023af|...]
        config radio-1
            Description: Configuration options for radio 1.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-2
            Description: Configuration options for radio 2.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-3
            Description: Configuration options for radio 3.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config radio-4
            Description: Configuration options for radio 4.
            set 80211d [enable|disable]
            set 80211mc [enable|disable]
            set ai-darrp-support [enable|disable]
            set airtime-fairness [enable|disable]
            set amsdu [enable|disable]
            set ap-sniffer-addr {mac-address}
            set ap-sniffer-bufsize {integer}
            set ap-sniffer-chan {integer}
            set ap-sniffer-chan-width [320MHz|240MHz|...]
            set ap-sniffer-ctl [enable|disable]
            set ap-sniffer-data [enable|disable]
            set ap-sniffer-mgmt-beacon [enable|disable]
            set ap-sniffer-mgmt-other [enable|disable]
            set ap-sniffer-mgmt-probe [enable|disable]
            set arrp-profile {string}
            set auto-power-high {integer}
            set auto-power-level [enable|disable]
            set auto-power-low {integer}
            set auto-power-target {string}
            set band {option1}, {option2}, ...
            set band-5g-type [5g-full|5g-high|...]
            set bandwidth-admission-control [enable|disable]
            set bandwidth-capacity {integer}
            set beacon-interval {integer}
            set bss-color {integer}
            set bss-color-mode [auto|static]
            set call-admission-control [enable|disable]
            set call-capacity {integer}
            set channel <chan1>, <chan2>, ...
            set channel-bonding [320MHz|240MHz|...]
            set channel-bonding-ext [320MHz-1|320MHz-2]
            set channel-utilization [enable|disable]
            set coexistence [enable|disable]
            set darrp [enable|disable]
            set drma [disable|enable]
            set drma-sensitivity [low|medium|...]
            set dtim {integer}
            set frag-threshold {integer}
            set iperf-protocol [udp|tcp]
            set iperf-server-port {integer}
            set max-clients {integer}
            set max-distance {integer}
            set mimo-mode [default|1x1|...]
            set mode [disabled|ap|...]
            set optional-antenna [none|custom|...]
            set optional-antenna-gain {string}
            set power-level {integer}
            set power-mode [dBm|percentage]
            set power-value {integer}
            set powersave-optimize {option1}, {option2}, ...
            set protection-mode [rtscts|ctsonly|...]
            set rts-threshold {integer}
            set sam-bssid {mac-address}
            set sam-ca-certificate {string}
            set sam-captive-portal [enable|disable]
            set sam-client-certificate {string}
            set sam-cwp-failure-string {string}
            set sam-cwp-match-string {string}
            set sam-cwp-password {password}
            set sam-cwp-success-string {string}
            set sam-cwp-test-url {string}
            set sam-cwp-username {string}
            set sam-eap-method [both|tls|...]
            set sam-password {password}
            set sam-private-key {string}
            set sam-private-key-password {password}
            set sam-report-intv {integer}
            set sam-security-type [open|wpa-personal|...]
            set sam-server-fqdn {string}
            set sam-server-ip {ipv4-address}
            set sam-server-type [ip|fqdn]
            set sam-ssid {string}
            set sam-test [ping|iperf]
            set sam-username {string}
            set short-guard-interval [enable|disable]
            set transmit-optimize {option1}, {option2}, ...
            set vap-all [tunnel|bridge|...]
            set vaps <name1>, <name2>, ...
            set wids-profile {string}
            set zero-wait-dfs [enable|disable]
        end
        config split-tunneling-acl
            Description: Split tunneling ACL filter list.
            edit <id>
                set dest-ip {ipv4-classnet}
            next
        end
        set split-tunneling-acl-local-ap-subnet [enable|disable]
        set split-tunneling-acl-path [tunnel|local]
        set syslog-profile {string}
        set tun-mtu-downlink {integer}
        set tun-mtu-uplink {integer}
        set unii-4-5ghz-band [enable|disable]
        set usb-port [enable|disable]
        set wan-port-auth [none|802.1x]
        set wan-port-auth-macsec [enable|disable]
        set wan-port-auth-methods [all|EAP-FAST|...]
        set wan-port-auth-password {password}
        set wan-port-auth-usrname {string}
        set wan-port-mode [wan-lan|wan-only]
    next
end

config wireless-controller wtp-profile

Parameter

Description

Type

Size

Default

admin-auth-tacacs+

Remote authentication server for admin user.

string

Maximum length: 35

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running (default = disable).

option

disable

Option	Description
enable	Enable local admin authentication restriction.
disable	Diable local admin authentication restriction.

allowaccess

Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.

option

Option	Description
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.

ap-country

Country in which this WTP, FortiAP, or AP will operate (default = NA, automatically use the country configured for the current VDOM).

option

Option	Description
--	NO_COUNTRY_SET
AF	AFGHANISTAN
AL	ALBANIA
DZ	ALGERIA
AS	AMERICAN SAMOA
AO	ANGOLA
AR	ARGENTINA
AM	ARMENIA
AU	AUSTRALIA
AT	AUSTRIA
AZ	AZERBAIJAN
BS	BAHAMAS
BH	BAHRAIN
BD	BANGLADESH
BB	BARBADOS
BY	BELARUS
BE	BELGIUM
BZ	BELIZE
BJ	BENIN
BM	BERMUDA
BT	BHUTAN
BO	BOLIVIA
BA	BOSNIA AND HERZEGOVINA
BW	BOTSWANA
BR	BRAZIL
BN	BRUNEI DARUSSALAM
BG	BULGARIA
BF	BURKINA-FASO
KH	CAMBODIA
CM	CAMEROON
KY	CAYMAN ISLANDS
CF	CENTRAL AFRICA REPUBLIC
TD	CHAD
CL	CHILE
CN	CHINA
CX	CHRISTMAS ISLAND
CO	COLOMBIA
CG	CONGO REPUBLIC
CD	DEMOCRATIC REPUBLIC OF CONGO
CR	COSTA RICA
HR	CROATIA
CY	CYPRUS
CZ	CZECH REPUBLIC
DK	DENMARK
DJ	DJIBOUTI
DM	DOMINICA
DO	DOMINICAN REPUBLIC
EC	ECUADOR
EG	EGYPT
SV	EL SALVADOR
ET	ETHIOPIA
EE	ESTONIA
GF	FRENCH GUIANA
PF	FRENCH POLYNESIA
FO	FAEROE ISLANDS
FJ	FIJI
FI	FINLAND
FR	FRANCE
GA	GABON
GE	GEORGIA
GM	GAMBIA
DE	GERMANY
GH	GHANA
GI	GIBRALTAR
GR	GREECE
GL	GREENLAND
GD	GRENADA
GP	GUADELOUPE
GU	GUAM
GT	GUATEMALA
GY	GUYANA
HT	HAITI
HN	HONDURAS
HK	HONG KONG
HU	HUNGARY
IS	ICELAND
IN	INDIA
ID	INDONESIA
IQ	IRAQ
IE	IRELAND
IM	ISLE OF MAN
IL	ISRAEL
IT	ITALY
CI	COTE_D_IVOIRE
JM	JAMAICA
JO	JORDAN
KZ	KAZAKHSTAN
KE	KENYA
KR	KOREA REPUBLIC
KW	KUWAIT
LA	LAOS
LV	LATVIA
LB	LEBANON
LS	LESOTHO
LR	LIBERIA
LY	LIBYA
LI	LIECHTENSTEIN
LT	LITHUANIA
LU	LUXEMBOURG
MO	MACAU SAR
MK	MACEDONIA, FYRO
MG	MADAGASCAR
MW	MALAWI
MY	MALAYSIA
MV	MALDIVES
ML	MALI
MT	MALTA
MH	MARSHALL ISLANDS
MQ	MARTINIQUE
MR	MAURITANIA
MU	MAURITIUS
YT	MAYOTTE
MX	MEXICO
FM	MICRONESIA
MD	REPUBLIC OF MOLDOVA
MC	MONACO
MN	MONGOLIA
MA	MOROCCO
MZ	MOZAMBIQUE
MM	MYANMAR
NA	NAMIBIA
NP	NEPAL
NL	NETHERLANDS
AN	NETHERLANDS ANTILLES
AW	ARUBA
NZ	NEW ZEALAND
NI	NICARAGUA
NE	NIGER
NG	NIGERIA
NO	NORWAY
MP	NORTHERN MARIANA ISLANDS
OM	OMAN
PK	PAKISTAN
PW	PALAU
PA	PANAMA
PG	PAPUA NEW GUINEA
PY	PARAGUAY
PE	PERU
PH	PHILIPPINES
PL	POLAND
PT	PORTUGAL
PR	PUERTO RICO
QA	QATAR
RE	REUNION
RO	ROMANIA
RU	RUSSIA
RW	RWANDA
BL	SAINT BARTHELEMY
KN	SAINT KITTS AND NEVIS
LC	SAINT LUCIA
MF	SAINT MARTIN
PM	SAINT PIERRE AND MIQUELON
VC	SAINT VINCENT AND GRENADIENS
SA	SAUDI ARABIA
SN	SENEGAL
RS	REPUBLIC OF SERBIA
ME	MONTENEGRO
SL	SIERRA LEONE
SG	SINGAPORE
SK	SLOVAKIA
SI	SLOVENIA
SO	SOMALIA
ZA	SOUTH AFRICA
ES	SPAIN
LK	SRI LANKA
SR	SURINAME
SZ	SWAZILAND
SE	SWEDEN
CH	SWITZERLAND
TW	TAIWAN
TZ	TANZANIA
TH	THAILAND
TL	TIMOR-LESTE
TG	TOGO
TT	TRINIDAD AND TOBAGO
TN	TUNISIA
TR	TURKEY
TM	TURKMENISTAN
AE	UNITED ARAB EMIRATES
TC	TURKS AND CAICOS
UG	UGANDA
UA	UKRAINE
GB	UNITED KINGDOM
US	UNITED STATES2
PS	UNITED STATES (PUBLIC SAFETY)
UY	URUGUAY
UZ	UZBEKISTAN
VU	VANUATU
VE	VENEZUELA
VN	VIET NAM
VI	VIRGIN ISLANDS
WF	WALLIS AND FUTUNA
YE	YEMEN
ZM	ZAMBIA
ZW	ZIMBABWE
JP	JAPAN14
CA	CANADA2

ap-handoff

Enable/disable AP handoff of clients to other APs (default = disable).

option

disable

Option	Description
enable	Enable AP handoff.
disable	Disable AP handoff.

apcfg-auto-cert

Enable/disable AP local auto cert configuration (default = disable).

option

disable

Option	Description
enable	Enable AP local auto cert configuration.
disable	Disable AP local auto cert configuration.

apcfg-auto-cert-auto-regen-days

Number of days to wait before expiry of an updated local certificate is requested (0 = disabled) (default = 30).

integer

Minimum value: 0 Maximum value: 4294967295

apcfg-auto-cert-crypto-algo

Cryptography algorithm: rsa-1024, rsa-1536, rsa-2048, rsa-4096, ec-secp256r1, ec-secp384r1, ec-secp521r1 (default = ec-secp256r1)

option

ec-secp256r1

Option	Description
rsa-1024	Cryptography algorithm rsa-1024.
rsa-1536	Cryptography algorithm rsa-1536.
rsa-2048	Cryptography algorithm rsa-2048.
rsa-4096	Cryptography algorithm rsa-4096.
ec-secp256r1	Cryptography algorithm ec-secp256r1.
ec-secp384r1	Cryptography algorithm ec-secp384r1.
ec-secp521r1	Cryptography algorithm ec-secp521r1.

apcfg-auto-cert-enroll-protocol

Certificate enrollment protocol (default = none)

option

none

Option	Description
none	None (default).
est	Enrollment over Secure Transport.
scep	Simple Certificate Enrollment Protocol.

apcfg-auto-cert-est-ca-id

CA identifier of the CA server for signing via EST.

string

Maximum length: 255

apcfg-auto-cert-est-http-password

HTTP Authentication password for signing via EST.

password

Not Specified

apcfg-auto-cert-est-http-username

HTTP Authentication username for signing via EST.

string

Maximum length: 63

apcfg-auto-cert-est-https-ca

PEM format https CA Certificate.

string

Maximum length: 79

apcfg-auto-cert-est-server

Address and port for EST server (e.g. https://example.com:1234).

string

Maximum length: 255

apcfg-auto-cert-est-subject

Subject e.g. "CN=User,DC=example,DC=COM" (default = CN=FortiAP,DC=local,DC=COM)

string

Maximum length: 127

CN=FortiAP,DC=local,DC=COM

apcfg-auto-cert-est-subject-alt-name

Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99")

string

Maximum length: 127

apcfg-auto-cert-scep-ca-id

CA identifier of the CA server for signing via SCEP.

string

Maximum length: 255

apcfg-auto-cert-scep-ec-name

Elliptic curve name: secp256r1, secp384r1 and secp521r1. (default secp256r1).

option

secp256r1

Option	Description
secp256r1	Elliptic curve name secp256r1.
secp384r1	Elliptic curve name secp384r1.
secp521r1	Elliptic curve name secp521r1.

apcfg-auto-cert-scep-https-ca

PEM format https CA Certificate.

string

Maximum length: 79

apcfg-auto-cert-scep-keysize

Key size: 1024, 1536, 2048, 4096 (default 2048).

option

2048

Option	Description
1024	keysize 1024.
1536	keysize 1536.
2048	keysize 2048.
4096	keysize 4096.

apcfg-auto-cert-scep-keytype

Key type (default = rsa)

option

rsa

Option	Description
rsa	Generate a RSA certificate request.
ec	Generate an elliptic curve certificate request.

apcfg-auto-cert-scep-password

SCEP server challenge password for auto-regeneration.

password

Not Specified

apcfg-auto-cert-scep-sub-fully-dn

string

Maximum length: 255

apcfg-auto-cert-scep-subject-alt-name

Subject alternative name (optional, e.g. "DNS:dns1.com,IP:192.168.1.99")

string

Maximum length: 127

apcfg-auto-cert-scep-url

SCEP server URL.

string

Maximum length: 255

apcfg-mesh

Enable/disable AP local mesh configuration (default = disable).

option

disable

Option	Description
enable	Enable AP local mesh configuration.
disable	Disable AP local mesh configuration.

apcfg-mesh-ap-type

Mesh AP Type (default = ethernet).

option

ethernet

Option	Description
ethernet	Use ethernet uplink.
mesh	Use mesh uplink.
auto	Ethernet with mesh backup support.

apcfg-mesh-eth-bridge

Enable/disable mesh ethernet bridge (default = disable).

option

disable

Option	Description
enable	Enable AP local mesh eth bridge configuration.
disable	Disable AP local mesh eth bridge configuration.

apcfg-mesh-ssid

Mesh SSID (default = none).

string

Maximum length: 15

apcfg-profile

AP local configuration profile name.

string

Maximum length: 35

ble-profile

Bluetooth Low Energy profile name.

string

Maximum length: 35

bonjour-profile

Bonjour profile name.

string

Maximum length: 35

comment

Comment.

var-string

Maximum length: 255

console-login

Enable/disable FortiAP console login access (default = enable).

option

enable

Option	Description
enable	Enable FAP console login access.
disable	Disable FAP console login access.

control-message-offload

Enable/disable CAPWAP control message data channel offload.

option

ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health spectral-analysis

Option	Description
ebp-frame	Ekahau blink protocol (EBP) frames.
aeroscout-tag	AeroScout tag.
ap-list	Rogue AP list.
sta-list	Rogue STA list.
sta-cap-list	STA capability list.
stats	WTP, radio, VAP, and STA statistics.
aeroscout-mu	AeroScout Mobile Unit (MU) report.
sta-health	STA health log.
spectral-analysis	Spectral analysis report.

default-mesh-root

Configure default mesh root SSID when it is not included by radio's SSID configuration.

option

disable

Option	Description
enable	Enable default mesh root SSID if it is not included by radio's SSID configuration.
disable	Do not enable default mesh root SSID if it is not included by radio's SSID configuration.

dtls-in-kernel

Enable/disable data channel DTLS in kernel.

option

disable

Option	Description
enable	Enable data channel DTLS in kernel.
disable	Disable data channel DTLS in kernel.

dtls-policy

WTP data channel DTLS policy (default = clear-text).

option

clear-text

Option	Description
clear-text	Clear Text Data Channel.
dtls-enabled	DTLS Enabled Data Channel.
ipsec-vpn	IPsec VPN Data Channel.
ipsec-sn-vpn	IPsec VPN Data Channel with FortiAP's SN in the first IKE messages.

energy-efficient-ethernet

Enable/disable use of energy efficient Ethernet on WTP.

option

disable

Option	Description
enable	Enable use of energy efficient Ethernet on WTP.
disable	Disable use of energy efficient Ethernet on WTP.

ext-info-enable

Enable/disable station/VAP/radio extension information.

option

enable

Option	Description
enable	Enable station/VAP/radio extension information.
disable	Disable station/VAP/radio extension information.

frequency-handoff

Enable/disable frequency handoff of clients to other channels (default = disable).

option

disable

Option	Description
enable	Enable frequency handoff.
disable	Disable frequency handoff.

handoff-roaming

Enable/disable client load balancing during roaming to avoid roaming delay (default = enable).

option

enable

Option	Description
enable	Enable handoff roaming.
disable	Disable handoff roaming.

handoff-rssi

Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25).

integer

Minimum value: 20 Maximum value: 30

handoff-sta-thresh

Threshold value for AP handoff.

integer

Minimum value: 5 Maximum value: 60

indoor-outdoor-deployment

Set to allow indoor/outdoor-only channels under regulatory rules (default = platform-determined).

option

platform-determined

Option	Description
platform-determined	Set AP deployment type based on its platform.
outdoor	Set AP deployment type to outdoor.
indoor	Set AP deployment type to indoor.

ip-fragment-preventing

Method(s) by which IP fragmentation is prevented for control and data packets through CAPWAP tunnel (default = tcp-mss-adjust).

option

tcp-mss-adjust

Option	Description
tcp-mss-adjust	TCP maximum segment size adjustment.
icmp-unreachable	Drop packet and send ICMP Destination Unreachable

led-schedules <name>

Schedule name.

string

Maximum length: 35

led-state

Enable/disable use of LEDs on WTP (default = enable).

option

enable

Option	Description
enable	Enable use of LEDs on WTP.
disable	Disable use of LEDs on WTP.

lldp

Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = enable).

option

enable

Option	Description
enable	Enable LLDP.
disable	Disable LLDP.

Set the managed WTP, FortiAP, or AP's administrator password.

password

Not Specified

Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).

option

Option	Description
yes	Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.
default	Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
no	Do not change the managed WTP, FortiAP or AP's administrator password.

lw-profile

LoRaWAN profile name.

string

Maximum length: 35

max-clients

Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation).

integer

Minimum value: 0 Maximum value: 4294967295

name

WTP (or FortiAP or AP) profile name.

string

Maximum length: 35

poe-mode

Set the WTP, FortiAP, or AP's PoE mode.

option

auto

Option	Description
auto	Automatically detect the PoE mode.
8023af	Use 802.3af PoE mode.
8023at	Use 802.3at PoE mode.
power-adapter	Use the power adapter to control the PoE mode.
full	Use full power mode.
high	Use high power mode.
low	Use low power mode.

split-tunneling-acl-local-ap-subnet

Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).

option

disable

Option	Description
enable	Enable automatically adding local subnetwork of FortiAP to split-tunneling ACL.
disable	Disable automatically adding local subnetwork of FortiAP to split-tunneling ACL.

split-tunneling-acl-path

Split tunneling ACL path is local/tunnel.

option

local

Option	Description
tunnel	Split tunneling ACL list traffic will be tunnel.
local	Split tunneling ACL list traffic will be local NATed.

syslog-profile

System log server configuration profile name.

string

Maximum length: 35

tun-mtu-downlink

The MTU of downlink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

tun-mtu-uplink

The maximum transmission unit (MTU) of uplink CAPWAP tunnel (576 - 1500 bytes or 0; 0 means the local MTU of FortiAP; default = 0).

integer

Minimum value: 576 Maximum value: 1500

unii-4-5ghz-band

Enable/disable UNII-4 5Ghz band channels (default = disable).

option

disable

Option	Description
enable	Enable UNII-4 5Ghz band channels.
disable	Disable UNII-4 5Ghz band channels.

usb-port

Enable/disable USB port of the WTP (default = enable).

option

enable

Option	Description
enable	Enable USB port.
disable	Disable USB port.

wan-port-auth

Set WAN port authentication mode (default = none).

option

none

Option	Description
none	Disable WAN port authentication.
802.1x	Enable WAN port 802.1x authentication.

wan-port-auth-macsec

Enable/disable WAN port 802.1x supplicant MACsec policy (default = disable).

option

disable

Option	Description
enable	Enable WAN port 802.1x supplicant MACsec policy.
disable	Disable WAN port 802.1x supplicant MACsec policy.

wan-port-auth-methods

WAN port 802.1x supplicant EAP methods (default = all).

option

all

Option	Description
all	Do not specify any EAP methods.
EAP-FAST	Enable EAP-FAST.
EAP-TLS	Enable EAP-TLS.
EAP-PEAP	Enable EAP-PEAP.

wan-port-auth-password

Set WAN port 802.1x supplicant password.

password

Not Specified

wan-port-auth-usrname

Set WAN port 802.1x supplicant user name.

string

Maximum length: 63

wan-port-mode

Enable/disable using a WAN port as a LAN port.

option

wan-only

Option	Description
wan-lan	Enable using a WAN port as a LAN port.
wan-only	Disable using a WAN port as a LAN port.

config deny-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	A WiFi device with this MAC address is denied access to this WTP, FortiAP or AP.	mac-address	Not Specified	00:00:00:00:00:00

config esl-ses-dongle

Parameter

Description

Type

Size

Default

apc-addr-type

ESL SES-imagotag APC address type (default = fqdn).

option

fqdn

Option	Description
fqdn	Fully Qualified Domain Name address.
ip	IPv4 address.

apc-fqdn

FQDN of ESL SES-imagotag Access Point Controller (APC).

string

Maximum length: 63

apc-ip

IP address of ESL SES-imagotag Access Point Controller (APC).

ipv4-address

Not Specified

0.0.0.0

apc-port

Port of ESL SES-imagotag Access Point Controller (APC).

integer

Minimum value: 0 Maximum value: 65535

coex-level

ESL SES-imagotag dongle coexistence level (default = none).

option

none

Option	Description
none	No support for coexistence of USB-Dongle with WiFi AP.

compliance-level

Compliance levels for the ESL solution integration (default = compliance-level-2).

option

compliance-level-2

Option	Description
compliance-level-2	Compliance Level 2 - Full Cloud Support, IoT and Fast-Response.

esl-channel

ESL SES-imagotag dongle channel (default = 127).

option

127

Option	Description
-1	No esl-channel is set.
0	ESL channel 0.
1	ESL channel 1.
2	ESL channel 2.
3	ESL channel 3.
4	ESL channel 4.
5	ESL channel 5.
6	ESL channel 6.
7	ESL channel 7.
8	ESL channel 8.
9	ESL channel 9.
10	ESL channel 10.
127	Managed channel enabled, indicates that the APC (server) is setting the esl-channel via the slot channel

output-power

ESL SES-imagotag dongle output power (default = A).

option

Option	Description
a	About 15mW.
b	About 7mW.
c	About 5mW.
d	About 1mW.
e	About 13mW.
f	About 10mW.
g	About 3mW.
h	About 2mW.

scd-enable

Enable/disable ESL SES-imagotag Serial Communication Daemon (SCD) (default = disable).

option

disable

Option	Description
enable	Enable ESL SES-imagotag SCD.
disable	Disable ESL SES-imagotag SCD.

tls-cert-verification

Enable/disable TLS certificate verification (default = enable).

option

enable

Option	Description
enable	Enable TLS Certificate verification.
disable	Disable TLS Certificate verification.

tls-fqdn-verification

Enable/disable TLS FQDN verification (default = disable).

option

disable

Option	Description
enable	Enable TLS FQDN verification.
disable	Disable TLS FQDN verification.

config lan

Parameter

Description

Type

Size

Default

port-esl-mode

ESL port mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP ESL port to WTP WAN port.
bridge-to-wan	Bridge WTP ESL port to WTP WAN port.
bridge-to-ssid	Bridge WTP ESL port to SSID.

port-esl-ssid

Bridge ESL port to SSID.

string

Maximum length: 15

port-mode

LAN port mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port-ssid

Bridge LAN port to SSID.

string

Maximum length: 15

port1-mode

LAN port 1 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port1-ssid

Bridge LAN port 1 to SSID.

string

Maximum length: 15

port2-mode

LAN port 2 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port2-ssid

Bridge LAN port 2 to SSID.

string

Maximum length: 15

port3-mode

LAN port 3 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port3-ssid

Bridge LAN port 3 to SSID.

string

Maximum length: 15

port4-mode

LAN port 4 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port4-ssid

Bridge LAN port 4 to SSID.

string

Maximum length: 15

port5-mode

LAN port 5 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port5-ssid

Bridge LAN port 5 to SSID.

string

Maximum length: 15

port6-mode

LAN port 6 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port6-ssid

Bridge LAN port 6 to SSID.

string

Maximum length: 15

port7-mode

LAN port 7 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port7-ssid

Bridge LAN port 7 to SSID.

string

Maximum length: 15

port8-mode

LAN port 8 mode.

option

offline

Option	Description
offline	Offline.
nat-to-wan	NAT WTP LAN port to WTP WAN port.
bridge-to-wan	Bridge WTP LAN port to WTP WAN port.
bridge-to-ssid	Bridge WTP LAN port to SSID.

port8-ssid

Bridge LAN port 8 to SSID.

string

Maximum length: 15

config lbs

Parameter

Description

Type

Size

Default

aeroscout

Enable/disable AeroScout Real Time Location Service (RTLS) support (default = disable).

option

disable

Option	Description
enable	Enable AeroScout support.
disable	Disable AeroScout support.

aeroscout-ap-mac

Use BSSID or board MAC address as AP MAC address in AeroScout AP messages (default = bssid).

option

bssid

Option	Description
bssid	Use BSSID as AP MAC address in AeroScout AP messages.
board-mac	Use board MAC address as AP MAC address in AeroScout AP messages.

aeroscout-mmu-report

Enable/disable compounded AeroScout tag and MU report (default = enable).

option

enable

Option	Description
enable	Enable compounded AeroScout tag and MU report.
disable	Disable compounded AeroScout tag and MU report.

aeroscout-mu

Enable/disable AeroScout Mobile Unit (MU) support (default = disable).

option

disable

Option	Description
enable	Enable AeroScout MU mode support.
disable	Disable AeroScout MU mode support.

aeroscout-mu-factor

AeroScout MU mode dilution factor (default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

aeroscout-mu-timeout

AeroScout MU mode timeout (0 - 65535 sec, default = 5).

integer

Minimum value: 0 Maximum value: 65535

aeroscout-server-ip

IP address of AeroScout server.

ipv4-address-any

Not Specified

0.0.0.0

aeroscout-server-port

AeroScout server UDP listening port.

integer

Minimum value: 1024 Maximum value: 65535

ble-rtls

Set BLE Real Time Location Service (RTLS) support (default = none).

option

none

Option	Description
none	Set BLE RTLS to none (default = none).
polestar	Set BLE RTLS to PoleStar.
evresys	Set BLE RTLS to Evresys.

ble-rtls-accumulation-interval

Time that measurements should be accumulated in seconds (default = 2).

integer

Minimum value: 1 Maximum value: 60

ble-rtls-asset-addrgrp-list

Tags and asset addrgrp list to be reported.

string

Maximum length: 79

ble-rtls-asset-uuid-list1

Tags and asset UUID list 1 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list2

Tags and asset UUID list 2 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list3

Tags and asset UUID list 3 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-asset-uuid-list4

Tags and asset UUID list 4 to be reported (string in the format of 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').

string

Maximum length: 36

ble-rtls-protocol

Select the protocol to report Measurements, Advertising Data, or Location Data to Cloud Server (default = WSS).

option

WSS

Option	Description
WSS	Use WebSocket protocol to report Measurements, Advertising Data, or Location Data to Cloud Server.

ble-rtls-reporting-interval

Time between reporting accumulated measurements in seconds (default = 2).

integer

Minimum value: 1 Maximum value: 600

ble-rtls-server-fqdn

FQDN of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 255

ble-rtls-server-path

Path of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 255

ble-rtls-server-port

Port of BLE Real Time Location Service (RTLS) Server (default = 443).

integer

Minimum value: 1 Maximum value: 65535

443

ble-rtls-server-token

Access Token of BLE Real Time Location Service (RTLS) Server.

string

Maximum length: 31

ekahau-blink-mode

Enable/disable Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags (default = disable).

option

disable

Option	Description
enable	Enable Ekahau blink mode.
disable	Disable Ekahau blink mode.

ekahau-tag

WiFi frame MAC address or WiFi Tag.

mac-address

Not Specified

01:18:8e:00:00:00

erc-server-ip

IP address of Ekahau RTLS Controller (ERC).

ipv4-address-any

Not Specified

0.0.0.0

erc-server-port

Ekahau RTLS Controller (ERC) UDP listening port.

integer

Minimum value: 1024 Maximum value: 65535

8569

fortipresence

Enable/disable FortiPresence to monitor the location and activity of WiFi clients even if they don't connect to this WiFi network (default = disable).

option

disable

Option	Description
foreign	FortiPresence monitors foreign channels only. Foreign channels mean all other available channels than the current operating channel of the WTP, AP, or FortiAP.
both	Enable FortiPresence on both foreign and home channels. Select this option to have FortiPresence monitor all WiFi channels.
disable	Disable FortiPresence.

fortipresence-ble

Enable/disable FortiPresence finding and reporting BLE devices.

option

enable

Option	Description
enable	Enable FortiPresence finding and reporting BLE devices.
disable	Disable FortiPresence finding and reporting BLE devices.

fortipresence-frequency

FortiPresence report transmit frequency (5 - 65535 sec, default = 30).

integer

Minimum value: 5 Maximum value: 65535

fortipresence-port

UDP listening port of FortiPresence server (default = 3000).

integer

Minimum value: 300 Maximum value: 65535

3000

fortipresence-project

FortiPresence project name (max. 16 characters, default = fortipresence).

string

Maximum length: 16

fortipresence

fortipresence-rogue

Enable/disable FortiPresence finding and reporting rogue APs.

option

disable

Option	Description
enable	Enable FortiPresence finding and reporting rogue APs.
disable	Disable FortiPresence finding and reporting rogue APs.

fortipresence-secret

FortiPresence secret password (max. 16 characters).

password

Not Specified

fortipresence-server

IP address of FortiPresence server.

ipv4-address-any

Not Specified

0.0.0.0

fortipresence-server-addr-type

FortiPresence server address type (default = ipv4).

option

ipv4

Option	Description
ipv4	IPv4 address.
fqdn	Fully Qualified Domain Name address.

fortipresence-server-fqdn

FQDN of FortiPresence server.

string

Maximum length: 255

fortipresence-unassoc

Enable/disable FortiPresence finding and reporting unassociated stations.

option

enable

Option	Description
enable	Enable FortiPresence finding and reporting unassociated stations.
disable	Disable FortiPresence finding and reporting unassociated stations.

station-locate

Enable/disable client station locating services for all clients, whether associated or not (default = disable).

option

disable

Option	Description
enable	Enable station locating service.
disable	Disable station locating service.

config platform

Parameter

Description

Type

Size

Default

ddscan

Enable/disable use of one radio for dedicated full-band scanning to detect RF characterization and wireless threat management.

option

disable

Option	Description
enable	Enable dedicated full-band scan mode.
disable	Disable dedicated full-band scan mode.

mode

Configure operation mode of 5G radios (default = single-5G).

option

single-5G

Option	Description
single-5G	Configure radios as one 5GHz band, one 2.4GHz band, and one dedicated monitor or sniffer.
dual-5G	Configure radios as one lower 5GHz band, one higher 5GHz band and one 2.4GHz band respectively.

type

WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile.

option

221E

Option	Description
AP-11N	Default 11n AP.
C24JE	FAPC24JE.
421E	FAP421E.
423E	FAP423E.
221E	FAP221E.
222E	FAP222E.
223E	FAP223E.
224E	FAP224E.
231E	FAP231E.
321E	FAP321E.
431F	FAP431F.
431FL	FAP431FL.
432F	FAP432F.
432FR	FAP432FR.
433F	FAP433F.
433FL	FAP433FL.
231F	FAP231F.
231FL	FAP231FL.
234F	FAP234F.
23JF	FAP23JF.
831F	FAP831F.
231G	FAP231G.
233G	FAP233G.
234G	FAP234G.
431G	FAP431G.
432G	FAP432G.
433G	FAP433G.
231K	FAP231K.
231KD	FAP231KD.
23JK	FAP23JK.
222KL	FAP222KL.
241K	FAP241K.
243K	FAP243K.
244K	FAP244K.
441K	FAP441K.
432K	FAP432K.
443K	FAP443K.
U421E	FAPU421EV.
U422EV	FAPU422EV.
U423E	FAPU423EV.
U221EV	FAPU221EV.
U223EV	FAPU223EV.
U24JEV	FAPU24JEV.
U321EV	FAPU321EV.
U323EV	FAPU323EV.
U431F	FAPU431F.
U433F	FAPU433F.
U231F	FAPU231F.
U234F	FAPU234F.
U432F	FAPU432F.
U231G	FAPU231G.
MVP	FAP MVP.

config radio-1

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 1 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 1. Radio 1 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 1 is disabled.
ap	Radio 1 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 1 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 1 operates as a sniffer capturing WiFi frames on air.
sam	Radio 1 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-2

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 2 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 2. Radio 2 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 2 is disabled.
ap	Radio 2 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 2 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 2 operates as a sniffer capturing WiFi frames on air.
sam	Radio 2 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-3

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 3 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 3. Radio 3 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 3 is disabled.
ap	Radio 3 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 3 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 3 operates as a sniffer capturing WiFi frames on air.
sam	Radio 3 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config radio-4

Parameter

Description

Type

Size

Default

80211d

Enable/disable 802.11d countryie(default = enable).

option

enable

Option	Description
enable	Enable 802.11d countryie.
disable	Disable 802.11d countryie.

80211mc

Enable/disable 802.11mc responder mode (default = disable).

option

disable

Option	Description
enable	Enable 802.11mc responder mode.
disable	Disable 802.11mc responder mode.

ai-darrp-support

Enable/disable support for FortiAIOps to retrieve Distributed Automatic Radio Resource Provisioning (DARRP) data through REST API calls (default = disable).

option

disable

Option	Description
enable	Enable support for FortiAIOps REST API calls for DARRP data.
disable	Disable support for FortiAIOps REST API calls for DARRP data.

airtime-fairness

Enable/disable airtime fairness (default = disable).

option

disable

Option	Description
enable	Enable airtime fairness (ATF) support.
disable	Disable airtime fairness (ATF) support.

amsdu

Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).

option

enable

Option	Description
enable	Enable AMSDU support.
disable	Disable AMSDU support.

ap-sniffer-addr

MAC address to monitor.

mac-address

Not Specified

00:00:00:00:00:00

ap-sniffer-bufsize

Sniffer buffer size (1 - 32 MB, default = 16).

integer

Minimum value: 1 Maximum value: 32

ap-sniffer-chan

Channel on which to operate the sniffer (default = 6).

integer

Minimum value: 0 Maximum value: 4294967295

ap-sniffer-chan-width

Channel bandwidth for sniffer.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

ap-sniffer-ctl

Enable/disable sniffer on WiFi control frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi control frame.
disable	Disable sniffer on WiFi control frame.

ap-sniffer-data

Enable/disable sniffer on WiFi data frame (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi data frame
disable	Disable sniffer on WiFi data frame

ap-sniffer-mgmt-beacon

Enable/disable sniffer on WiFi management Beacon frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management beacon frame.
disable	Disable sniffer on WiFi management beacon frame.

ap-sniffer-mgmt-other

Enable/disable sniffer on WiFi management other frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management other frame.
disable	Disable sniffer on WiFi management other frame.

ap-sniffer-mgmt-probe

Enable/disable sniffer on WiFi management probe frames (default = enable).

option

enable

Option	Description
enable	Enable sniffer on WiFi management probe frame.
disable	Enable sniffer on WiFi management probe frame.

arrp-profile

Distributed Automatic Radio Resource Provisioning (DARRP) profile name to assign to the radio.

string

Maximum length: 35

auto-power-high

The upper bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-level

Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).

option

disable

Option	Description
enable	Enable automatic transmit power adjustment.
disable	Disable automatic transmit power adjustment.

auto-power-low

The lower bound of automatic transmit power adjustment in dBm (the actual range of transmit power depends on the AP platform type).

integer

Minimum value: 0 Maximum value: 4294967295

auto-power-target

Target of automatic transmit power adjustment in dBm (-95 to -20, default = -70).

string

Maximum length: 7

-70

band

WiFi band that Radio 4 operates on.

option

Option	Description
802.11a	802.11a.
802.11b	802.11b.
802.11g	802.11g.
802.11n-2G	802.11n (WiFi 4) at 2.4GHz.
802.11n-5G	802.11n (WiFi 4) at 5GHz.
802.11ac-2G	802.11ac (WiFi 5) at 2.4GHz.
802.11ac-5G	802.11ac (WiFi 5) at 5GHz.
802.11ax-2G	802.11ax (WiFi 6) at 2.4GHz.
802.11ax-5G	802.11ax (WiFi 6) at 5GHz.
802.11ax-6G	802.11ax (WiFi 6) at 6GHz.
802.11be-2G	802.11be (WiFi 7) at 2.4GHz.
802.11be-5G	802.11be (WiFi 7) at 5GHz.
802.11be-6G	802.11be (WiFi 7) at 6GHz.

band-5g-type

WiFi 5G band type.

option

5g-full

Option	Description
5g-full	Full 5G band.
5g-high	High 5G band.
5g-low	Low 5G band.

bandwidth-admission-control

option

disable

Option	Description
enable	Enable WMM bandwidth admission control.
disable	Disable WMM bandwidth admission control.

bandwidth-capacity

Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000).

integer

Minimum value: 1 Maximum value: 600000

2000

beacon-interval

Beacon interval. The time between beacon frames in milliseconds. Actual range of beacon interval depends on the AP platform type (default = 100).

integer

Minimum value: 0 Maximum value: 65535

100

bss-color

BSS color value for this 11ax radio (0 - 63, disable = 0, default = 0).

integer

Minimum value: 0 Maximum value: 63

bss-color-mode

BSS color mode for this 11ax radio (default = auto).

option

auto

Option	Description
auto	Automatically select BSS color value on AP.
static	Set BSS color value on this radio based on 'bss-color' CLI.

call-admission-control

Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.

option

disable

Option	Description
enable	Enable WMM call admission control.
disable	Disable WMM call admission control.

call-capacity

Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10).

integer

Minimum value: 0 Maximum value: 60

channel <chan>

Selected list of wireless radio channels.

Channel number.

string

Maximum length: 3

channel-bonding

Channel bandwidth: 320, 240, 160, 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.

option

20MHz

Option	Description
320MHz	320 MHz channel width.
240MHz	240 MHz channel width.
160MHz	160 MHz channel width.
80MHz	80 MHz channel width.
40MHz	40 MHz channel width.
20MHz	20 MHz channel width.

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

option

320MHz-2

Option	Description
320MHz-1	320 MHz channel with channel center frequency numbered 31, 95, and 159.
320MHz-2	320 MHz channel with channel center frequency numbered 63, 127, and 191.

channel-utilization

Enable/disable measuring channel utilization.

option

enable

Option	Description
enable	Enable measuring channel utilization.
disable	Disable measuring channel utilization.

coexistence

Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).

option

enable

Option	Description
enable	Enable support for both HT20 and HT40 on the same radio.
disable	Disable support for both HT20 and HT40 on the same radio.

darrp

Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).

option

disable

Option	Description
enable	Enable distributed automatic radio resource provisioning.
disable	Disable distributed automatic radio resource provisioning.

drma

Enable/disable dynamic radio mode assignment (DRMA) (default = disable).

option

disable

Option	Description
disable	Disable dynamic radio mode assignment (DRMA).
enable	Enable dynamic radio mode assignment (DRMA).

drma-sensitivity

Network Coverage Factor (NCF) percentage required to consider a radio as redundant (default = low).

option

low

Option	Description
low	Consider a radio as redundant when its NCF is 100%.
medium	Consider a radio as redundant when its NCF is 95%.
high	Consider a radio as redundant when its NCF is 90%.

dtim

Delivery Traffic Indication Map (DTIM) period (1 - 255, default = 1). Set higher to save battery life of WiFi client in power-save mode.

integer

Minimum value: 1 Maximum value: 255

frag-threshold

Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

iperf-protocol

Iperf test protocol (default = "UDP").

option

udp

Option	Description
udp	UDP.
tcp	TCP.

iperf-server-port

Iperf service port number.

integer

Minimum value: 0 Maximum value: 65535

5001

max-clients

Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware.

integer

Minimum value: 0 Maximum value: 4294967295

max-distance

Maximum expected distance between the AP and clients (0 - 54000 m, default = 0).

integer

Minimum value: 0 Maximum value: 54000

mimo-mode

Configure radio MIMO mode (default = default).

option

default

Option	Description
default	Default radio MIMO mode.
1x1	1x1 radio MIMO mode.
2x2	2x2 radio MIMO mode.
3x3	3x3 radio MIMO mode.
4x4	4x4 radio MIMO mode.
8x8	8x8 radio MIMO mode.

mode

Mode of radio 4. Radio 4 can be disabled, configured as an access point, a rogue AP monitor, a sniffer, or a station.

option

Option	Description
disabled	Radio 4 is disabled.
ap	Radio 4 operates as an access point that allows WiFi clients to connect to your network.
monitor	Radio 4 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
sniffer	Radio 4 operates as a sniffer capturing WiFi frames on air.
sam	Radio 4 operates as a station that can connect to a neighboring AP for connectivity and health check.

optional-antenna

Optional antenna used on FAP (default = none).

option

none

Option	Description
none	None.
custom	Customize optional antenna gain.
FANT-04ABGN-0606-O-N	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-1414-P-N	14 dBi(2.4GHz) and 14 dBi(5GHz).
FANT-04ABGN-8065-P-N	8 dBi(2.4GHz) and 6.5 dBi(5GHz).
FANT-04ABGN-0606-O-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-04ABGN-0606-P-R	6 dBi(2.4GHz) and 6 dBi(5GHz).
FANT-10ACAX-1213-D-N	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-08ABGN-1213-D-R	12 dBi(2.4GHz) and 13 dBi(5GHz).
FANT-04BEAX-0606-P-R	6 dBi(2.4GHz), 6 dBi(5GHz) and 6 dBi(6GHz).

optional-antenna-gain

Optional antenna gain in dBi (0 to 20, default = 0).

string

Maximum length: 7

power-level

Radio EIRP power level as a percentage of the maximum EIRP power (0 - 100, default = 100).

integer

Minimum value: 0 Maximum value: 100

100

power-mode

option

percentage

Option	Description
dBm	Set radio EIRP power in dBm.
percentage	Set radio EIRP power by percentage.

power-value

Radio EIRP power in dBm (1 - 33, default = 27).

integer

Minimum value: 1 Maximum value: 33

powersave-optimize

Enable client power-saving features such as TIM, AC VO, and OBSS etc.

option

Option	Description
tim	TIM bit for client in power save mode.
ac-vo	Use AC VO priority to send out packets in the power save queue.
no-obss-scan	Do not put OBSS scan IE into beacon and probe response frames.
no-11b-rate	Do not send frame using 11b data rate.
client-rate-follow	Adapt transmitting PHY rate with receiving PHY rate from a client.

protection-mode

Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).

option

disable

Option	Description
rtscts	Enable 802.11g protection RTS/CTS mode.
ctsonly	Enable 802.11g protection CTS only mode.
disable	Disable 802.11g protection mode.

rts-threshold

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

sam-bssid

BSSID for WiFi network.

mac-address

Not Specified

00:00:00:00:00:00

sam-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

sam-captive-portal

Enable/disable Captive Portal Authentication (default = disable).

option

disable

Option	Description
enable	Enable Captive Portal Authentication.
disable	Disable Captive Portal Authentication.

sam-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-cwp-failure-string

Failure identification on the page after an incorrect login.

string

Maximum length: 64

sam-cwp-match-string

Identification string from the captive portal login form.

string

Maximum length: 64

sam-cwp-password

Password for captive portal authentication.

password

Not Specified

sam-cwp-success-string

Success identification on the page after a successful login.

string

Maximum length: 64

sam-cwp-test-url

Website the client is trying to access.

string

Maximum length: 255

sam-cwp-username

Username for captive portal authentication.

string

Maximum length: 35

sam-eap-method

Select WPA2/WPA3-ENTERPRISE EAP Method (default = PEAP).

option

peap

Option	Description
both	EAP PEAP and TLS. (Not applicable in FIPS mode)
tls	EAP TLS.
peap	EAP PEAP. (Not applicable in FIPS mode)

sam-password

Passphrase for WiFi network connection.

password

Not Specified

sam-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

sam-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

sam-report-intv

SAM report interval (sec), 0 for a one-time report.

integer

Minimum value: 60 Maximum value: 864000

sam-security-type

Select WiFi network security type (default = "wpa-personal" for 2.4/5G radio, "wpa3-sae" for 6G radio).

option

wpa-personal

Option	Description
open	Open.
wpa-personal	WPA/WPA2 personal.
wpa-enterprise	WPA2/WPA3 enterprise.
wpa3-sae	WPA3 SAE.
owe	OWE.

sam-server-fqdn

SAM test server domain name.

string

Maximum length: 255

sam-server-ip

SAM test server IP address.

ipv4-address

Not Specified

0.0.0.0

sam-server-type

Select SAM server type (default = "IP").

option

Option	Description
ip	IPv4 address.
fqdn	Fully Qualified Domain Name address.

sam-ssid

SSID for WiFi network.

string

Maximum length: 32

sam-test

Select SAM test type (default = "PING").

option

ping

Option	Description
ping	PING test.
iperf	IPERF test.

sam-username

Username for WiFi network connection.

string

Maximum length: 35

short-guard-interval

Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.

option

disable

Option	Description
enable	Select the 400 ns short guard interval (Short GI).
disable	Select the 800 ns long guard interval (Long GI).

transmit-optimize

Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.

option

power-save aggr-limit retry-limit send-bar

Option	Description
disable	Disable packet transmission optimization.
power-save	Tag client as operating in power save mode if excessive transmit retries occur.
aggr-limit	Set aggregation limit to a lower value when data rate is low.
retry-limit	Set software retry limit to a lower value when data rate is low.
send-bar	Limit transmission of BAR frames.

vap-all

Configure method for assigning SSIDs to this FortiAP (default = automatically assign tunnel SSIDs).

option

tunnel

Option	Description
tunnel	Automatically select tunnel SSIDs.
bridge	Automatically select local-bridging SSIDs.
manual	Manually select SSIDs.

vaps <name>

Manually selected list of Virtual Access Points (VAPs).

Virtual Access Point (VAP) name.

string

Maximum length: 35

wids-profile

Wireless Intrusion Detection System (WIDS) profile name to assign to the radio.

string

Maximum length: 35

zero-wait-dfs

Enable/disable zero wait DFS on radio (default = enable).

option

enable

Option	Description
enable	Enable zero wait DFS
disable	Disable zero wait DFS

config split-tunneling-acl

Parameter	Description	Type	Size	Default
dest-ip	Destination IP and mask for the split-tunneling subnet.	ipv4-classnet	Not Specified	0.0.0.0 0.0.0.0
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config wireless-controller wtp-profile

config wireless-controller wtp-profile

config wireless-controller wtp-profile

config deny-mac-list

config esl-ses-dongle

config lan

config lbs

config platform

config radio-1

config radio-2

config radio-3