FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and meeting the demand for plug-and-play deployment.
pprince
Staff
Article Id 348208
Description

This article describes the scenario where a FortiAP is managed by two FortiGates of different models operating independently.

This lets the FortiAP fail over to another FortiGate when the existing FortiGate goes down.

Scope

All FortiAP Modes.
Solution

Consider the diagram below for reference.

 

[Diagram: TG12.png]

 

  1. Both FortiGates should be reachable from the FortiAP.
  2. Security Fabric connection must be enabled on the interface of each FortiGate through which the FortiAP will communicate.
  3. Configure the interface IPs of both FortiGates in the FortiAP CLI.

 

For example, there is FortiGate-1 with interface IP 10.37.165.194 and FortiGate-2 with interface IP 10.37.164.34.

 

Log in to the FortiAP CLI to configure the FortiGates' interface IPs:

 

cfg -a AC_DISCOVERY_TYPE=1
cfg -a AC_IPADDR_1=10.37.165.194
cfg -a AC_IPADDR_2=10.37.164.34

cfg -c

 

To verify that the configuration is applied, run the following on the FortiAP CLI:

 

FortiAP-231F # cfg -s
BAUD_RATE:=9600
WTP_VERSION:=FortiAP-231F v7.4.2,build0634,231228 (GA)
FIRMWARE_UPGRADE:=0
FACTORY_RESET:=0
LOGIN_PASSWD_ENC:=QMQWx8zyVMI/pNs7EOKon066L2pDQbWqFN9skwFX2WTDPXxYhi5TJAFBQYj80kJ55PzLMR2vNvU7v9Vow1GUsRkYGwZ/2YYpFIiqjs8ZaO/cH27VAmK7SoWffu/z6PunSp3IYrRMMIyXoyQ3ypQtx4HbmFeC1scTqYbHjdf9rDL7rQku98DY7c18O0ZWFGMVnq8lxw==
FIPS_CC:=0
FIPS_RESEED_INTV:=1440
ADMIN_TIMEOUT:=5
WANLAN_MODE:=WAN-ONLY
AP_MODE:=0
STP_MODE:=0
AP_MGMT_VLAN_ID:=0
ADDR_MODE:=DHCP
AP_IPADDR:=192.168.1.2
AP_NETMASK:=255.255.255.0
IPGW:=192.168.1.1
DNS_SERVER:=208.91.112.53
ALLOW_HTTPS:=2
ALLOW_SSH:=2
AC_DISCOVERY_TYPE:=1
AC_IPADDR_1:=10.37.165.194
AC_IPADDR_2:=10.37.164.34
AC_IPADDR_3:=
AC_HOSTNAME_1:=_capwap-control._udp.example.com
AC_HOSTNAME_2:=
AC_HOSTNAME_3:=
AC_DISCOVERY_MC_ADDR:=224.0.1.140
AC_DISCOVERY_DHCP_OPTION_CODE:=138
AC_DISCOVERY_FCLD_APCTRL:=
AC_CTL_PORT:=5246
AP_DATA_CHAN_SEC:=clear,dtls,ipsec
BONJOUR_GW:=2
MESH_AP_TYPE:=0
LED_STATE:=2
POE_MODE:=0
WAN_1X_ENABLE:=0
WAN_1X_USERID:=
WAN_1X_PASSWD_ENC:=
WAN_1X_METHOD:=0

 

This means the FortiAP will communicate with FortiGate-1, as it is set with AC_IPADDR_1:=10.37.165.194. If for some reason FortiGate-1 is down, the FortiAP will attempt to reach FortiGate-2, that is, AC_IPADDR_2:=10.37.164.34.

 

The FortiAP maintains the list of FortiGate IPs:

 

FortiAP-231F # cw_diag -c ha

wcha_mode: standalone @878

Current AC: 10.37.165.194:5246 pri 1

WC fast failover AC mode : 0
WC fast failover peer cnt: 0

Discovered AC list:
ip=10.37.164.34 allow=1 pri=1 dtls=3 wtp=1/16 sta=0/65535

 

To check the FortiAP connection state:

 

FortiAP-231F #
FortiAP-231F # wcfg
WTP Configuration
name : FortiAP-231F
loc : N/A
region map :
pos-x : 0
pos-y : 0
ap mode : thin AP
fmvap : FWF60FTK21006815,(0833f552,addb7f95,0),1800,0
atf mode : disabled
VWTP ac conf : dual-5g N/A ddscan enabled
VWTP wtp oper : dual-5g disabled ddscan enabled
poe mode : low(auto)
poe mode oper : low
usb port : disabled
led mode : normal
led schedules : SMTWTFS 00:00->00:00,
WAN port cnt : 2
lan1 : carrier=1, speed=1000, duplex=full
lan2 : carrier=0, speed=0, duplex=
energy-efficient-eth : disable
extension info enable: enable
vap-stats-interval : 15
radio-stats-interval : 15
sta-cap-interval : 30
idle-timeout : 300
fpresence-interval : 3600, 30
statistics-interval : 120
fsm-state : RUN 52
wtp-ip-addr : 10.37.166.34:5246 - 10.37.166.34:55437  
ac-ip-addr : 10.37.165.194:5246 - 10.37.165.194:5247 FWF60F-v7.2-build1639 STATIC
base-mac : 80:80:2c:8e:fa:10
bulk data seq num : -1
ap-mgmt-vlanid : 0
ac-cert-version : 2

 

When FortiGate-1 becomes unreachable, the FortiAP will connect to FortiGate-2.

 

FortiAP-231F # wcfg
WTP Configuration
name : FortiAP-231F
loc : N/A
region map :
pos-x : 0
pos-y : 0
ap mode : thin AP
fmvap : FWF60FTK21006815,(0833f552,addb7f95,0),1800,0
atf mode : disabled
VWTP ac conf : dual-5g N/A ddscan enabled
VWTP wtp oper : dual-5g disabled ddscan enabled
poe mode : low(auto)
poe mode oper : low
usb port : disabled
led mode : normal
led schedules : SMTWTFS 00:00->00:00,
WAN port cnt : 2
lan1 : carrier=1, speed=1000, duplex=full
lan2 : carrier=0, speed=0, duplex=
energy-efficient-eth : disable
extension info enable: enable
allowaccess : ssh
lldp enable : enable
wtp-report-index : 2
sta-cap-interval : 30
idle-timeout : 300
fpresence-interval : 3600, 30
statistics-interval : 120
fsm-state : RUN 223
wtp-ip-addr : 10.37.166.34:5246 - 10.37.166.34:55437
ac-ip-addr : 10.37.165.194:5246 - 10.37.165.194:5247 FWF40F-v7.2-build1639 STATIC
base-mac : 80:80:2c:8e:fa:10
bulk data seq num : -1
ap-mgmt-vlanid : 0
ac-cert-version : 2


Note: When FortiGate-1 is unreachable, the FortiAP will go offline, and there will be a disruption in services while the FortiAP connects to FortiGate-2.
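
An added example, not part of the original article or any Fortinet tooling: a Python check that parses saved `cfg -s` and `wcfg` output to confirm both controller IPs are set as intended and to report which FortiGate the AP is currently joined to. The sample text is constructed from the article's output, with AC_IPADDR_2 deliberately mistyped; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input modelled on the article's `cfg -s` and `wcfg` output.
CFG_S = """\
AC_DISCOVERY_TYPE:=1
AC_IPADDR_1:=10.37.165.194
AC_IPADDR_2:=10.37.164.3
AC_IPADDR_3:=
AC_CTL_PORT:=5246
"""
WCFG = """\
fsm-state : RUN 52
ac-ip-addr : 10.37.165.194:5246 - 10.37.165.194:5247 FWF60F-v7.2-build1639 STATIC
"""
EXPECTED = ["10.37.165.194", "10.37.164.34"]  # FortiGate-1, FortiGate-2 (from the article)


def parse_cfg(text):
    """Parse `cfg -s` lines of the form KEY:=VALUE into a dict."""
    pairs = (line.split(":=", 1) for line in text.splitlines() if ":=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def check_failover(cfg_text, expected):
    """Return a list of problems with the configured controller list."""
    cfg, problems = parse_cfg(cfg_text), []
    if cfg.get("AC_DISCOVERY_TYPE") != "1":  # the value the article sets
        problems.append("AC_DISCOVERY_TYPE is not 1")
    for slot, want in enumerate(expected, start=1):
        got = cfg.get(f"AC_IPADDR_{slot}", "")
        try:
            ipaddress.IPv4Address(got)
        except ValueError:
            problems.append(f"AC_IPADDR_{slot} is not an IPv4 address: {got!r}")
            continue
        if got != want:
            problems.append(f"AC_IPADDR_{slot} is {got}, expected {want}")
    return problems


def active_controller(wcfg_text):
    """Return (controller IP, fsm state) from `wcfg` output; None for a missing field."""
    ip = re.search(r"^ac-ip-addr\s*:\s*(\d+(?:\.\d+){3})\s*:\d+", wcfg_text, re.M)
    state = re.search(r"^fsm-state\s*:\s*(\S+)", wcfg_text, re.M)
    return (ip.group(1) if ip else None, state.group(1) if state else None)


if __name__ == "__main__":
    print(check_failover(CFG_S, EXPECTED))
    print(active_controller(WCFG))
```

Comparing the address returned by `active_controller` against the expected list shows whether the AP is on its primary or its backup FortiGate.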