johnathan
Staff
Article Id 352723
Description

This article describes how to disable CAPWAP offloading for FortiAPs without disrupting wireless traffic.

Scope

FortiGate v7.x.x+.

Solution

It is possible to disable FortiAP CAPWAP offloading globally on the FortiGate by running the following commands:

config system npu
    set capwap-offload disable
end

execute wireless-controller restart-acd

Running the last command temporarily disrupts all wireless traffic while the wireless daemon restarts. Alternatively, offloading can be disabled by enabling DTLS encryption for the CAPWAP traffic on the FortiAP profile. This does not disrupt traffic.

To apply this change, run the following commands:


config wireless-controller wtp-profile
    edit "profile-name"
        set dtls-policy dtls-enabled
    next
end

Note:

On NP7-based platforms, CAPWAP offloading is not supported for legacy FortiAP models. To address related issues, consider disabling CAPWAP offloading. Refer to the following document to verify which FortiAP models and firmware versions are compatible with NP7 CAPWAP offloading: capwap-offload {disable | enable}.
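
To check which FortiAP profiles already carry the dtls-policy setting shown above, a saved configuration can be audited offline. The Python script below is an added example, not Fortinet code: the sample configuration is constructed, and treating a profile with no dtls-policy line as not DTLS-enabled is an assumption.

```python
# Constructed sample of a FortiGate configuration excerpt (not from a real device).
SAMPLE_CONFIG = '''
config system npu
    set capwap-offload enable
end
config wireless-controller wtp-profile
    edit "lobby-aps"
        config platform
            set type 231F
        end
        set dtls-policy dtls-enabled
    next
    edit "warehouse-aps"
        set dtls-policy clear-text
    next
    edit "office-aps"
    next
end
'''

def audit_wtp_profiles(config_text):
    """Map each FortiAP profile name to True if its dtls-policy includes dtls-enabled."""
    results = {}
    in_section = False  # inside "config wireless-controller wtp-profile"
    depth = 0           # nesting depth of sub-blocks such as "config platform"
    profile = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config wireless-controller wtp-profile"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                in_section = False  # end of the wtp-profile section
            else:
                depth -= 1          # end of a nested sub-block
        elif depth == 0 and line.startswith("edit "):
            profile = line[5:].strip().strip('"')
            results[profile] = False  # assumption: no dtls-policy line means not enabled
        elif depth == 0 and line == "next":
            profile = None
        elif depth == 0 and profile and line.startswith("set dtls-policy "):
            results[profile] = "dtls-enabled" in line.split()[2:]
    return results

if __name__ == "__main__":
    for name, enabled in audit_wtp_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: {'dtls-enabled' if enabled else 'DTLS not enabled'}")
```

Profiles reported as not enabled are the ones that still need the `set dtls-policy dtls-enabled` change.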