Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with by adding a FortiAP in Tunnel mode to your network.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

You can configure a FortiAP in either Tunnel mode (default) or Bridge mode. When a FortiAP is in Tunnel mode, a wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6 | 6.0

1. Connecting and authorizing the FortiAP

To edit the interface that will connect to the FortiAP (in the example, port 22), go to Network > Interfaces.

Set Role to LAN and Addressing Mode to Manual. Set IP/Network Mask to a private IP address (in the example

Under Administrative Access, enable CAPWAP.

Enable DHCP Server.

Under Networked Devices, enable Device Detection.


Connect the FortiAP unit to the interface.

To view the list of managed FortiAPs, go to WiFi & Switch Controller > Managed FortiAPs. The newFortiAP appears in the list but it is greyed out because it is not authorized.

Select the FortiAP, and select Authorize.


After a few minutes, select Refresh. The FortiGate shows the FortiAP as authorized.

2. Creating an SSID

To create a new SSID to be broadcast for WiFi users, go to WiFi & Switch Controller > SSID.

Set Traffic Mode to Tunnel and set IP/Network Mask to a private IP address (in the example

Enable DHCP Server and Device Detection.


Under WiFi Settings, name the SSID (in the example, Office-WiFi) and set a secure Pre-shared Key.

Enable Broadcast SSID.

3. Creating a custom FortiAP profile

To create a new FortiAP profile, go to WiFi & Switch Controller > FortiAP Profiles.

Set Platform to the FortiAP model you are using (in the example, FAP221C) and Country/Region to the appropriate location.

Set an AP Login Password to secure the FortiAP.

Under Radio 1, set Mode to Access Point and SSIDs to Manual. Add your new SSID.


To assign the new profile, go to WiFi & Switch Controller > Managed FortiAPs and right-click the FortiAP. Select Assign Profile and set the FortiAP to use the new profile.

4. Allowing wireless access to the Internet

To create a new policy for wireless Internet access, go to Policy & Objects > IPv4 Policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

To view the traffic using the wireless Internet access policy, go to FortiView > All Segments > Polices.  
To view more information about this traffic, right-click the policy and select Drill Down to Details.

For further reading, check out Configuring a WiFi LAN in the FortiOS 6.0 Online Help.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

If the FortiAP does not appear, wait a few minutes, then refresh the page.
If you are in the United States, you can use the default profile for your FortiAP model, which has Country/Region set to United States.