Setting up WiFi with FortiAP


In this example, a FortiAP unit is connected to and managed by a FortiGate unit in Tunnel mode, allowing wireless access to the network.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. When a FortiAP is in Tunnel mode, a wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet. Tunnel mode is the default mode for a FortiAP.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.


1. Connecting and authorizing the FortiAP unit

Go to System > Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Dedicate to Extension Device and set an IP/Network Mask.


Connect the FortiAP unit to the lan interface.


Go to WiFi Controller > Managed Access Points > Managed FortiAPs. The FortiAP is listed, with a yellow question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize. A grey checkmark is now shown beside the FortiAP, showing that it is authorized but not yet online.

2. Creating an SSID

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Set the WiFi Settings as required, including a secure Pre-shared Key.

3. Creating a custom FortiAP profile

Go to WiFi Controller > WiFi Network > FortiAP Profiles and create a new profile.

Set Platform to the correct FortiAP model you are using (FAP11C in the example).

Set SSID to use the new SSID.

Go to WiFi Controller > Managed Access Points > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to use the new profile.

4. Allowing wireless access to the Internet

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Ensure that NAT is turned ON.

5. Results

Go to WiFi Controller > Managed Access Points > Managed FortiAPs. A green checkmark now appears beside the FortiAP, showing that the unit is authorized and online.

Connect to the SSID with a wireless device. After a connection is established, you are able to browse the Internet.
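The check below is an added example, not part of the original recipe and not Fortinet code: a Python script that reads a FortiGate configuration backup and confirms what steps 2 and 4 set up, namely that each SSID uses a WPA security mode and has a firewall policy with NAT enabled. The sample configuration is constructed, and the CLI keywords (wireless-controller vap, security, srcintf, nat) are assumed to match the backup format of your FortiOS version.

```python
import shlex

# Constructed sample in FortiOS backup style; names and values are illustrative.
SAMPLE = '''
config wireless-controller vap
    edit "example-wifi"
        set security wpa2-only-personal
        set passphrase ENC placeholder
    next
    edit "guest-wifi"
        set security open
    next
end
config firewall policy
    edit 1
        set srcintf "example-wifi"
        set nat enable
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: [values]}}}; assumes no nested config blocks."""
    out, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]  # blank lines match no branch below
        if tok[0] == "config":
            section = out.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return out

def audit(text):
    """List (ssid, problem) pairs for SSIDs that miss step 2 or step 4 of the recipe."""
    cfg = parse(text)
    policies = list(cfg.get("firewall policy", {}).values())
    findings = []
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        mode = vap.get("security", ["unset"])[0]
        if not mode.startswith("wpa"):  # open, captive-portal only, or unset
            findings.append((name, f"security={mode}, no WPA pre-shared key"))
        if not any(name in p.get("srcintf", []) and p.get("nat") == ["enable"]
                   for p in policies):
            findings.append((name, "no firewall policy with NAT from this SSID"))
    return findings
```

Calling `audit()` on the text of a real backup returns an empty list when every SSID follows the recipe.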

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
It may take a few minutes for the FortiAP to appear.
  • Pedro Jesus Zaldivar Tapia

    Hi, I have a question about this recipe: how do I use WPS in this configuration? I want to use this form of connection for some people.

  • Baltazar Muñoz Ledo Hurtado

    Hi everyone! I have a problem with my AP fortiAP223B.
    When I turn it on, it starts flashing amber and never changes.
    I've tried to reset it to the factory version and even that doesn't work.

  • Bruce Davis

    Because there are so many variables in a network environment, which is considered to be the best practice will depend on your situation, environment and company policies.
    If you have several remote offices with APs connected to the controller at head office you may want to have a bridged SSID, so authentication is centralized but users still maintain local network connectivity. Bridge is also good if you need wired and wireless on the same subnet, but if your objective is to segment your network then this would not be the way you want to go. The Bridge mode will make life more convenient for users but not as locked down as Tunnel mode.

  • eyexmeetsxeye

    One note to add is that it is bad practice to bind a Tunnel to a software switch. It can be done but isn't wholly stable (i.e. device detection may mess up, or devices may sometimes have trouble getting IPs, etc).
    One question I have been trying to figure out is whether it is a better practice to use: 1) Bridge with an interface that is supplying DHCP, or 2) Tunnel with an interface set as “dedicated to FortiAP/Switch mode”?