FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 195989


In FortiOS 4.3.x, the CAPWAP was enabled by default on all physical and VLAN interfaces. In most cases a FortiAP is only connected to the internal interfaces to create a private WiFI network inside the network.

However, this can be a potential threat as the external WAN interface can easily be exploited by sending the Fake client Hello messages leading to DDOS attack as explained in the following link.


In order to protect from such threats, in FortiOS version 5.0.x and 5.2.x, the CAPWAP should be enabled manually on each physical or VLAN interface where the FortiAP should need to be authorized.

To enable CAPWAP in the Web GUI go to system > network > interface > edit specific interface > enable CAPWAP

Alternatively, in the CLI use:

config system interface
    edit "ravi_vlan111"
        set allowaccess ping https capwap
        set interface "port2"
        set vlanid 111

After this has been configured the FortiAP can be authorized and managed by the FortiGate Controller.