FortiAP devices are thin wireless access points (APs) that support the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4, as well as 802.11n and 802.11ax) and are designed for plug-and-play deployment.
In FortiOS 4.3.x, CAPWAP was enabled by default on all physical and VLAN interfaces. In most cases a FortiAP is connected only to internal interfaces, to provide a private Wi-Fi network inside the network.
However, leaving CAPWAP enabled on the external WAN interface is a potential threat: an attacker on the Internet can send fake Client Hello messages to the CAPWAP service and cause a denial of service, as explained in the following advisory: http://www.fortiguard.com/advisory/FG-IR-15-002/
To protect against this, in FortiOS 5.0.x and 5.2.x CAPWAP must be enabled manually, and only on the physical or VLAN interfaces where FortiAPs need to be authorized; it should not be enabled on a WAN-facing interface.
To enable CAPWAP in the web GUI, go to System > Network > Interface, edit the specific interface and enable CAPWAP.
Alternatively, in the CLI use:
config system interface
    edit "ravi_vlan111"
        set allowaccess ping https capwap
        set interface "port2"
        set vlanid 111
    next
end
Once this is configured, the FortiAP can be authorized and managed by the FortiGate wireless controller. As a final check, confirm with "show system interface" that capwap does not appear in the allowaccess list of any WAN interface.
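The following script is an added example, not Fortinet code or part of this article. It parses a "config system interface" dump in the CLI syntax shown above, lists every interface that allows CAPWAP, flags the ones that face the WAN, and generates the CLI needed to remove capwap from them. The sample configuration and the rule used to classify an interface as WAN-facing (a "set role wan" line, or a name beginning with "wan") are assumptions made for the illustration.

```python
"""Audit a FortiOS 'config system interface' dump for CAPWAP exposure.

Added example (not Fortinet code). Parses the CLI syntax used on this
page, reports interfaces that accept CAPWAP, flags the WAN-facing ones
and emits the remediation CLI. The WAN classification rule and the
sample dump below are assumptions for illustration.
"""
import re

# Constructed sample resembling 'show system interface' output. wan1 has
# capwap in its allowaccess list (the FortiOS 4.3-style default this page
# warns about); ravi_vlan111 is the internal VLAN from the article.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh capwap
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.2.1 255.255.255.0
        set allowaccess ping https
        set role lan
    next
    edit "ravi_vlan111"
        set vdom "root"
        set ip 10.111.0.1 255.255.255.0
        set allowaccess ping https capwap
        set interface "port2"
        set vlanid 111
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_interfaces(config_text):
    """Return {name: {option: value}} for each 'edit' block in a
    'config system interface' table."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if current is None:
            continue
        if line.strip() in ("next", "end"):
            current = None
            continue
        m = _SET.match(line)
        if m:
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces


def allowaccess(iface):
    """Set of services in the interface's allowaccess list (empty if none)."""
    return set(iface.get("allowaccess", "").split())


def capwap_enabled(interfaces):
    """Names of interfaces whose allowaccess list includes capwap."""
    return sorted(n for n, i in interfaces.items() if "capwap" in allowaccess(i))


def is_wan_facing(name, iface):
    """Assumption: 'set role wan' or a wan* name marks an external interface."""
    return iface.get("role") == "wan" or name.lower().startswith("wan")


def risky_capwap_interfaces(interfaces):
    """WAN-facing interfaces that still accept CAPWAP: these expose the
    CAPWAP service to the Internet and should have capwap removed."""
    return [n for n in capwap_enabled(interfaces) if is_wan_facing(n, interfaces[n])]


def remediation_cli(interfaces, names):
    """Generate the FortiOS CLI that rewrites allowaccess without capwap."""
    lines = ["config system interface"]
    for name in names:
        keep = sorted(allowaccess(interfaces[name]) - {"capwap"})
        lines.append(f'    edit "{name}"')
        lines.append("        set allowaccess " + " ".join(keep))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print("CAPWAP allowed on:", capwap_enabled(ifaces))
    risky = risky_capwap_interfaces(ifaces)
    print("WAN-facing interfaces exposing CAPWAP:", risky)
    if risky:
        print(remediation_cli(ifaces, risky))
```

Feed the script the text of "show system interface" from a unit under review; the internal VLAN keeps capwap, while wan1 is reported and the generated CLI rewrites its allowaccess list without it.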