FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
  • Via GUI for individual FortiAP
  • Via CLI for individual, all, or group of FortiAPs
  • Option A: Immediate upgrade
  • Option B: Schedule a reboot for FortiAP to trigger upgrade using script


Via GUI individual FortiAP

  1. Connect to the FortiGate that manages the FortiAP.
  2. Go to WiFi & Switch Controller > Managed FortiAPs and make sure the device State is Online.
  3. Select the FortiAP and select Edit. If new firmware is available, a message from FortiGuard appears. Select Upgrade. You can also upload the firmware manually from your computer.
  4. After the FortiAP uploads the firmware and reboots, go to WiFi & Switch Controller > Managed FortiAPs. Confirm that OS Version displays the correct firmware.

Via CLI for individual, all or group of FortiAP

  • To simplify the operation and maintenance of a Fortinet-powered secure wireless infrastructure, you can have the distributed FortiAP update their own firmware images directly from the system acting as the Wireless Access Controller. To enable this, you need first to add the FortiAP firmware to the FortiGate that is the Access Controller. You do this via TFTP or FTP in a similar manner as applying a firmware update.

Step 1: Confirm your network requirements

  • If you are already have an established FortiAP and FortiGate Wireless Controller connection, you can push the firmware from FortiGate when image-download option is enabled global and under the FortiAP unit in the FortiGate at join time.

  • Image-download under Global:

    • Default setting is enabled. You can confirm the current status by running the following command:
# get wireless-controller global
    • To change the setting:
config global
config wireless-controller global
set image-download {enable | disable}
  • Image-download under Specific FortiAP:
    • If you don't want to upgrade FortiAP image on all the units at the join time, you can keep it enabled in global but disable it for the specific FortiAP.
    • Default setting is enabled. 
    • To change the settings:
config wireless-controller wtp
edit <name>
set image-download {enable | disable}

Step 2: Upload FortiAP firmware image to FortiGate

  • Place the FortiAP firmware image on a FTP or TFTP server.
  • For more information on how to setup TFTP server check
  • Each firmware image you upload is only relevant to one FortiAP model. If you have multiple models that is NOT the same image you will need to upload them individually.
  • You can upload only one image per model.
  • In FortiGate CLI, type the command to upload the image to the FortiGate. Note: If you have multiple VDOMs, you will need to execute the command under global VDOM
execute wireless-controller upload-wtp-image tftp <filename> <TFTP server address>


execute wireless-controller upload-wtp-image ftp <filename> <ftp server>[:ftp port] username password

Step 3: Verify that the image is uploaded

execute wireless-controller list-wtp-image

  • To deleted an old images:
execute wireless-controller delete-wtp-image <all>|<image-name> 

Step 4 : FortiAP firmware automatically uploaded from FortiGate to FortiAP at join time.

Option A: Immediate Upgrade from FortiGate Wireless controller

  • FortiAP OS version v6.0 and onward
    • If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install it at join time if in global and under the FortiAP profile image-download is enabled.
    • To restart managed WTP from the FortiGate: 

execute wireless-controller reset-wtp <all>|<SN>|<wtp-group> 

  • For older versions, it will automatically upload and reboot the FortiAP if in global and under the FortiAP profile image-download is enabled.
    • The FortiAP status will change from Online > Image Downloading > Reboot

Option B: Schedule reboot for FortiAP to trigger upgrade from FortiGate Wireless controller using CLI Script

  • This script apply only for FortiAP OS version v6.0 and onward.
  • From GUI: You can configure script if you want to by going to (Global VDOM if exists) > Security Fabric > Automation > Create new
  • The below steps are if you want configure the script via CLI

Step 4-B-1 Configure the script schedule

config global

config system automation-trigger

edit "Wifi-Upgrade-trigger"

set trigger-type scheduled

set trigger-frequency weekly

set trigger-weekday saturday

set trigger-hour 2

set trigger-minute 5



Step 4-B-2: Configure the script to reset managed FortiAP

config global

config system automation-action

edit "Reset-FortiAP"

set action-type cli-script

set required enable

set script "config vdom

edit root

execute wireless-controller reset-wtp <all>|<SN>|<wtp-group> 




config system automation-stitch

edit "Wifi-Upgrade-Schedule"

set trigger "Wifi-Upgrade-trigger"

set action "Reset-FortiAP"


Step 4-B-3: After script got executed disable the script

  • After the script got executed, delete or disable the script

config global

config system automation-stitch

edit "Wifi-Upgrade-Schedule"

set status disable