Setting up WiFi with FortiAP

In this example, a FortiAP unit is connected to and managed by a FortiGate unit in Tunnel mode, allowing wireless access to the network.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. When a FortiAP is in Tunnel mode, a wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet. Tunnel mode is the default mode for a FortiAP.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6 | 6.0

1. Connecting and authorizing the FortiAP unit

Go to System > Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Dedicate to Extension Device and set an IP/Network Mask.


Connect the FortiAP unit to the the lan interface.


Go to WiFi Controller > Managed Access Points > Managed FortiAPs. The FortiAP is listed, with a yellow question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize. A grey checkmark is now shown beside the FortiAP, showing that it is authorized but not yet online.

2. Creating an SSID

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Set the WiFi Settings as required, including a secure Pre-shared Key.

3. Creating a custom FortiAP profile

Go to WiFi Controller > WiFi Network > FortiAP Profiles and create a new profile.

Set Platform to the correct FortiAP model you are using (FAP11C in the example).

Set SSID to use the new SSID.

Go to WiFi Controller > Managed Access Points > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to use the new profile.

4. Allowing wireless access to the Internet

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Ensure that NAT is turned ON.

5. Results

Go to WiFi Controller > Managed Access Points > Managed FortiAPs. A green checkmark now appears beside the FortiAP, showing that the unit is authorized and online.

Connect to the SSID with a wireless device. After a connection is established, you are able to browse the Internet.


For further reading, check out Configuring a WiFi LAN in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

It may take a few minutes for the FortiAP to appear.