Help
FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
rmittal
Staff
Staff

Created on ‎07-18-2022 08:01 AM Edited on ‎08-13-2025 06:19 AM By Community Manager

Article Id 217863

Technical Tip: How to configure MESH with FortiAP on FortiGate

Description This article describes how to configure MESH with FortiAP on FortiGate.
Scope FortiAP, FortiAPU, FortiAPS, FortiAP-W2 (6.2.2 and above).
Solution

Creating the mesh root SSID:

  1. Go to WiFi and Switch Controller -> SSIDs and select Create New -> SSID.
  2. Enter a Name for the WiFi interface.
  3. In Traffic Mode, select Mesh.
  4. Enter the SSID. In this example, the name will be MESH.
  5. Set Security Mode to WPA2 Personal and enter the Pre-shared key.
  6. Select OK.

 

rmittal_0-1658137560287.png

 

Create the FortiAP profile.

 

rmittal_1-1658137560307.png

 

rmittal_2-1658137560327.png

 

Configure FortiAP:

  • Get the Root and Leaf AP online on FortiGate as normal APs.
  • Add the FortiAP profile to the Root and Leaf FortiAP.
  • Once both the FortiAPs are online, configure the leaf FortiAP.


Get CLI access to the Leaf FortiAP. See How to enable SSH access to FortiAP managed by FortiGate.

  1. Assign a static IP to the leaf FortiAP.

 

cfg -a ADDR_MODE=STATIC

cfg -a AP_IPADDR=x.x.x.x <--- AP IP address

cfg -a AP_NETMASK=y.y.y.y <--- AP Netmask

cfg -a  IPGW=z.z.z.z <--- AP Gateway

 

 

  1. Set type to leaf and enter the mesh SSID name and password:

 

cfg -a MESH_AP_TYPE=1 <- WiFi Mesh.

cfg -a MESH_AP_SSID=MESH <- SSID name.

cfg -a MESH_AP_SECURITY=1 <- Mesh configured with WPA/WPA2-Personal.

cfg -a MESH_AP_PASSWD=test1234 <- SSID Mesh password.

 

See FortiAP CLI configuration and diagnostics commands.

 

  1. To save the above changes on Leaf FortiAP:

 

cfg -c

 

When the root FortiAP is connected and online, apply power to the preconfigured leaf FortiAPs. At this point, user can disconnect the FortiAP Leaf from the network and take it somewhere else, where the SSID Mesh can be used. Then energize the leaf FortiAP, which will connect wirelessly to the WiFi Controller through the mesh network.


Viewing the status of the mesh network.

 

rmittal_3-1658137560331.png

 

The user can also see the APs connected to the mesh by checking the FortiAP Clients and filtering by SSID Mesh. The user should be able to see the Leaf AP's IP on the FortiAP Client column 'IP Address'.

 

Note: It is possible that users do not see the FortiAP displayed as a 'Leaf' AP on 'Managed FortiAPs' if no additional SSIDs different than MESH are configured. Try overriding the SSIDs configured on the Leaf APs and refresh the GUI.

 

Note:

On FortiAP-431G v7.2.x, The command (cfg -a MESH_AP_SECURITY=1) is not available and therefore the Mesh network may not be established. It is necessary to update to v7.4.5, where the entry of said line is allowed, and it works correctly.
Labels:
9035
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.