Description
This article describes how to configure FortiExtender (FEX) WAN-Extension (CAPWAP mode) with FortiGate.
Scope
FortiExtender v7.2.0 build0113, FortiGate v7.2.0 build1157.
FortiExtender Port4 is directly connected to the wan2 interface on FortiGate.
Solution
- On FortiGate, create a wan2 interface and configure it with the IP address 192.168.2.99, a DHCP server running on it, and Security Fabric connection traffic allowed.
- Create a FortiExtender WAN Extension interface. Let's call it FEX-WAN-511F.

- The FortiExtender port4 interface connected to wan2 will obtain an IP address from the FortiGate DHCP server, here 192.168.2.98.
- On the FortiExtender GUI, navigate to Setting -> Management and set Controller: FortiGate, Discovery Type: static, Discovery Interface: port4, then create a Static Access Control Address with server 192.168.2.99 (the FortiGate wan2 address).

- To authorize the FortiExtender on the FortiGate GUI, navigate to Network -> FortiExtenders and wait for the FortiExtender to be discovered by FortiGate. Select it and choose Authorize from the Authorization drop-down, then wait for the status to become Online. Make sure that under WAN Extension the Modem 1 Interface is set to the extender interface created previously (see the last screenshot below).

- Wait a few minutes; the FortiExtender may need to reboot if its mode was changed from nat to ip-passthrough.
- After the WAN extension tunnel is set up, the HTTPS, SSH, and Ping services need to be enabled on the FortiExtender. Then log in to the FortiExtender GUI and check the status on the Dashboard: Controller Information should show FortiGate, with Status: Connected and Mode: FortiGate (ip-passthrough (capwap)).

- The WAN Extension status can also be checked from the FortiExtender CLI by running the following command:
get extender status

- When the FortiExtender modem is connected to the Internet, the FortiGate interface FEX-WAN-511F receives the same IP address as the FortiExtender LTE interface.

- On FortiGate, once the appropriate firewall policy is configured, clients behind FortiGate can reach the internet via the FEX-WAN-511F interface.
- If the configuration looks correct per all the steps above but users still cannot reach the internet via the FortiExtender interface, check the routing table with the following CLI command and see whether the active default route uses a primary WAN port other than the FortiExtender interface (FEX-WAN-XXX):
get router info routing-table details
This happens because the default static route for the FortiExtender interface (FEX-WAN-XXX) has a higher administrative distance (the default AD is 10) than the route of the primary WAN interface, especially when the primary WAN interface uses a dynamic IP address (the default AD for a dynamic WAN interface is 5), so the primary WAN route is installed and the FortiExtender route is not.
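The FortiGate side of the steps above as FortiOS CLI, added here as an example and not taken from the article: the wan2 interface and DHCP server from the first step, followed by the routing-table check and static-route distance adjustment for the issue just described. The DHCP address range, the static-route entry id and the distance value chosen are assumptions; the interface names and addresses are the article's.

```fortios
# Added example (not from the article): FortiOS 7.2 CLI equivalent of the
# GUI steps. DHCP range, route id and distance value are assumptions.
config system interface
    edit "wan2"
        set ip 192.168.2.99 255.255.255.0
        # ping/https/ssh for management; fabric allows the Security Fabric
        # (CAPWAP) connection the FortiExtender uses to reach its controller
        set allowaccess ping https ssh fabric
    next
end
config system dhcp server
    edit 1
        set interface "wan2"
        set default-gateway 192.168.2.99
        set netmask 255.255.255.0
        config ip-range
            edit 1
                # assumed range; the FortiExtender port4 received .98
                set start-ip 192.168.2.2
                set end-ip 192.168.2.254
            next
        end
    next
end

# Troubleshooting: confirm which interface carries the active default route.
# A dynamic primary WAN (AD 5) is preferred over the FEX-WAN route (AD 10).
get router info routing-table details
show router static

# Lower the FEX-WAN route's distance so it is installed alongside the
# primary WAN route (equal distance = both active); use a value below the
# primary WAN's distance to make FEX-WAN the only default route instead.
# The entry id 2 is assumed; take it from the "show router static" output.
config router static
    edit 2
        set device "FEX-WAN-511F"
        set distance 5
    next
end
```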
Related document:
FortiOS and FortiExtender OS Compatibility Matrices