FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and meet the demand for plug-and-play deployment.
rphulekar
Staff
Article Id 195989

Description

In FortiOS 4.3.x, CAPWAP was enabled by default on all physical and VLAN interfaces. In most cases a FortiAP is connected only to internal interfaces, to provide a private Wi-Fi network inside the network.

However, this can be a potential threat, as the external WAN interface can easily be exploited by sending forged Client Hello messages, leading to a DDoS attack, as explained in the following advisory: http://www.fortiguard.com/advisory/FG-IR-15-002/


Solution

To protect against such threats, in FortiOS versions 5.0.x and 5.2.x CAPWAP must be enabled manually on each physical or VLAN interface on which a FortiAP needs to be authorized, and should be left disabled on interfaces (such as the WAN) where no FortiAP is expected.

To enable CAPWAP in the web GUI, go to System > Network > Interface, edit the specific interface and enable CAPWAP.

Alternatively, in the CLI use:

config system interface
    edit "ravi_vlan111"
        set allowaccess ping https capwap
        set interface "port2"
        set vlanid 111
    next
end


After this has been configured the FortiAP can be authorized and managed by the FortiGate Controller.
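As an added check that is not part of the original article, the following Python script parses a `config system interface` dump and flags any interface that allows CAPWAP while being a WAN interface, then prints the CLI needed to remove CAPWAP from it while keeping its other administrative-access services. The sample configuration is constructed for this example; the `set role wan` keyword is assumed from newer FortiOS releases, so the function also accepts an explicit list of untrusted interface names for releases that lack it.

```python
import re

# Constructed sample of a FortiOS "config system interface" dump; not from the article.
# "set role" is assumed to exist (newer FortiOS releases); older releases are covered
# by passing an explicit list of untrusted interface names to capwap_exposed().
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh capwap
        set role wan
    next
    edit "internal"
        set allowaccess ping https capwap
        set role lan
    next
    edit "ravi_vlan111"
        set allowaccess ping https capwap
        set interface "port2"
        set vlanid 111
    next
    edit "wan2"
        set allowaccess ping
        set role wan
    next
end
"""

EDIT_RE = re.compile(r'^edit "([^"]+)"$')
ALLOWACCESS_RE = re.compile(r'^set allowaccess (.+)$')
ROLE_RE = re.compile(r'^set role (\S+)$')


def parse_interfaces(config_text):
    """Parse a 'config system interface' block into
    {name: {"allowaccess": set of service names, "role": role or None}}."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"allowaccess": set(), "role": None}
            continue
        if current is None:
            continue  # outside any edit/next pair
        if line == "next":
            current = None
            continue
        m = ALLOWACCESS_RE.match(line)
        if m:
            interfaces[current]["allowaccess"] = set(m.group(1).split())
            continue
        m = ROLE_RE.match(line)
        if m:
            interfaces[current]["role"] = m.group(1)
    return interfaces


def capwap_exposed(interfaces, untrusted_names=()):
    """Sorted names of interfaces that allow CAPWAP and are either marked
    'role wan' or listed by the caller as untrusted."""
    exposed = []
    for name, attrs in interfaces.items():
        if "capwap" not in attrs["allowaccess"]:
            continue
        if attrs["role"] == "wan" or name in untrusted_names:
            exposed.append(name)
    return sorted(exposed)


def remediation_cli(interfaces, names):
    """Build the CLI that removes capwap from the named interfaces while
    keeping their remaining allowaccess services (unset if none remain)."""
    lines = ["config system interface"]
    for name in names:
        keep = sorted(interfaces[name]["allowaccess"] - {"capwap"})
        lines.append(f'    edit "{name}"')
        if keep:
            lines.append("        set allowaccess " + " ".join(keep))
        else:
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    flagged = capwap_exposed(ifaces, untrusted_names=("wan1", "wan2"))
    print("CAPWAP exposed on:", flagged)
    print(remediation_cli(ifaces, flagged))
```

Run it against the output of `show system interface` taken from the FortiGate; only interfaces that actually face FortiAPs (the internal and VLAN interfaces in the article) should keep `capwap` in their `allowaccess` list.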