FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11ax, and the demand for plug and play deployment.
Article Id 191013
This article describes how to run FortiAP shell commands via the FortiGate CAPWAP tunnel.

A FortiAP in the field is very often behind a NAT unit, so access to the FortiAP through telnet or SSH is not available.
In that case it is helpful if the controller can send shell commands to the FortiAP and the FortiAP reports the results back to the controller over the CAPWAP control tunnel.

This feature allows a FortiAP shell command of up to 127 bytes to be sent to the FortiAP. The FortiAP runs the command and returns the results to the controller.
The FortiAP only reports the result to the controller after the command has finished.
If a new command is sent to the FortiAP before the previous command has finished, the previous command is cancelled.
This feature requires support from both FortiOS and FortiAP.

Command syntax: # diag wireless-controller wlac wtpcmd wtp_ip wtp_port cmd [cmd-to-ap]
Commands: run, show, showhex, clr, r&s, r&sh
- cmd-to-ap: any shell command; the AP does not report results until the command has finished on the AP.
- run: the controller sends the cmd-to-ap to the FortiAP to run
- show: show current results reported by the AP in text
- showhex: show current results reported by the AP in hex
- clr: clear reported results
- r&s: run/show
- r&sh: run/showhex

1) First, collect the output below from the FortiGate to find the IP and cport of the FortiAP.
# diagnose wireless-controller wlac -c ws
Test-FortiGate # diagnose wireless-controller wlac -c ws
-------------------------------WTP SESSION    1----------------------------
WTP session             : 0- CWAS_RUN  =====> ip and cport
    Ctrl in_ifIdx       : 41/fortiap
         indev          : 41/fortiap
    Data in_ifIdx       : 41/fortiap
2) Run wtpcmd to get the FortiAP shell command output, for example:
Test-FortiGate # diagnose wireless-controller wlac  wtpcmd 25246 r&s "fap-get-status"
Send FortiAPAP cmd "'ap-get-status' to ws (0-
Collecting data from AP

ws (0- output is displayed

Version: FortiAP-U223EV v6.0,build0028,200303 (GA)
Serial-Number: PU223ETF18-----6
BIOS version: 00000001
System Part-Number: P19576-03
Regcode: A
Base MAC: 00:0c:e6:4d:5f:30
Hostname: PU223ETF18-----6
Branch point: 028
Release Version Information: GPower-type: PoE 802.3at
 ***AP cmd "fap-get-status" is done***

# diagnose wireless-controller wlac  wtpcmd 25246 show "fap-get-status"

# diagnose wireless-controller wlac  wtpcmd 25246 showhex "fap-get-status"

# diagnose wireless-controller wlac  wtpcmd 25246 clr "cw_diag kernel-panic"

# diagnose wireless-controller wlac  wtpcmd 25246 r&sh "fap-get-status"

Additional information.
- Running multiple commands in one request: # diagnose wireless-controller wlac wtpcmd 5246 r&s "ifconfig br0; ls /etc/r* -l"
- When executing multiple commands in one request, alias commands such as 'wcfg' cannot be used. The complete command must be used instead, for example 'cw_diag -c wtp-cfg'.
- Command to upgrade FortiAP: 'echo "y" | restore ap-image.out'.
- The control port is the port the FortiAP uses to reach the controller.
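
The limits described above (the sub-command list, the 127-byte cap and the no-alias rule for multi-command requests) can be checked before a command is pasted into the FortiGate CLI, and the reported output can be parsed for inventory. The Python below is an added example, not Fortinet code. The function names, the 192.0.2.10 address, the 25246 port value and the choice of quote character are assumptions made for illustration.

```python
import ipaddress
import re

ACTIONS = {"run", "show", "showhex", "clr", "r&s", "r&sh"}  # listed in the article
MAX_CMD_BYTES = 127        # command size limit stated in the article
KNOWN_ALIASES = {"wcfg"}   # the one alias the article names; extend for your fleet
DONE_RE = re.compile(r'\*\*\*AP cmd "(.*)" is done\*\*\*')

# Constructed sample, modelled on the fap-get-status output shown in the article.
SAMPLE = '''Collecting data from AP
Version: FortiAP-U223EV v6.0,build0028,200303 (GA)
Base MAC: 00:0c:e6:4d:5f:30
 ***AP cmd "fap-get-status" is done***'''


def build_wtpcmd(wtp_ip, wtp_port, action, ap_cmd):
    """Return the FortiGate CLI line, or raise ValueError if a rule is broken."""
    ipaddress.ip_address(wtp_ip)  # ValueError on a malformed address
    if not 1 <= int(wtp_port) <= 65535:
        raise ValueError("control port out of range")
    if action not in ACTIONS:
        raise ValueError(f"unknown sub-command: {action!r}")
    if len(ap_cmd.encode("utf-8")) > MAX_CMD_BYTES:
        raise ValueError("AP command is longer than 127 bytes")
    if "\n" in ap_cmd or ('"' in ap_cmd and "'" in ap_cmd):
        raise ValueError("AP command cannot be quoted on one CLI line")
    # Assumption: wrap in whichever quote character the command does not use.
    quote = "'" if '"' in ap_cmd else '"'
    first_words = [p.split()[0] for p in ap_cmd.split(";") if p.strip()]
    if len(first_words) > 1 and KNOWN_ALIASES & set(first_words):
        raise ValueError("aliases are not allowed in a multi-command request")
    return (f"diagnose wireless-controller wlac wtpcmd "
            f"{wtp_ip} {wtp_port} {action} {quote}{ap_cmd}{quote}")


def parse_result(text):
    """Return (finished command or None, {field: value}) from reported output."""
    done, fields = None, {}
    for line in text.splitlines():
        match = DONE_RE.search(line)
        if match:
            done = match.group(1)
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return done, fields


if __name__ == "__main__":
    print(build_wtpcmd("192.0.2.10", 25246, "r&s", "fap-get-status"))
    print(parse_result(SAMPLE))
```

A `None` in the first element of the `parse_result` return value means the completion marker was not present in the text that was parsed.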