Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6 | 6.0

1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Dedicate to Extension Device and set an IP/Network Mask.

Edit interface to connect to FortiAP

Connect the FortiAP unit to the interface.

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the  in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

FortiAP discovered by FortiGate and ready to be authorized.

Highlight the FortiAP unit on the list and select Authorize.

After a few minutes, hit the Refresh button and  will appear to tell you that the device is authorized.

2. Creating an SSID

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Set the WiFi Settings as required and set a secure Pre-shared Key.

Create a new SSID

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP11C in this recipe).

The SSID defaults to Automatically assign Tunnel-mode SSIDs. Your network is assigned.

Create acustom FortiAP profile

Go to WiFi Controller > Managed Access Points > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to use the new profile.

By default, the FortiGate assigns all SSIDs to this profile.

Manage the FortiAP; set the profile to use the new profile

4. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

Create a policy allowing wireless access

5. Results

Connect to the SSID with a wireless device. After a connection is established, you are able to browse the Internet.

Wireless device on newly created WiFi
Go to FortiView > All  Sessions to see the traffic allowed by the wireless policy.  

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.4 Handbook.

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.