Fortinet’s new Secure Remote Access Points allow a remote worker to simply plug in the FortiAP to any Internet connection and have a secure connection back to their office network without the need for any setup or software installed on their computer. You can read more about these devices here.

Once configured, the devices work exactly as advertised, and I would highly recommend them. Unfortunately, there is no official documentation provided by Fortinet that explains how to configure these devices for remote use.

So, let’s go through a basic setup step-by-step to get these Remote FortiAPs working outside of your network.

Note: These steps assume you already have a working SSID set up on the FortiGate / FortiWifi whose wireless interface has Traffic Mode set to Local Bridge with FortiAP’s Interface and has proper Firewall Policies configured.

Configure the Remote FortiAP

  1. Log in to your FortiAP device using your web browser.
  2. Under Network Configuration, set Address Mode to DHCP.
  3. Under Connectivity, set Uplink to Ethernet.
  4. Under WTP Configuration:
    • Set AC Discovery Type to DNS.
    • Set AC Control Port to 5246.
    • Set AC Host Name 1 to the public IP or FQDN of your FortiGate / FortiWifi’s wan1 interface.
  5. Click Apply.

Configure the FortiGate / FortiWifi

  1. Log into your FortiGate / FortiWifi device using your web browser.
  2. Go to System -> Network -> Interface and Edit wan1. Under Administrative Access enable CAPWAP.
  3. Go to Wifi Controller -> Managed Access Points -> Managed FortiAP then select the AP and click Authorize.
  4. Additional configuration can be done through this Managed FortiAP menu (device name, which SSIDs to inherit, band, channel, TX power, etc…).
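
The same settings expressed through the two devices' command lines, as an added example that is not part of the original post. It assumes a FortiOS release where CAPWAP is its own `allowaccess` option (newer releases fold it into `fabric`) and a FortiAP firmware that exposes the `cfg` utility; `vpn.example.com` and `FAP-SERIAL-PLACEHOLDER` are constructed placeholders.

```text
# ---- On the FortiAP (CLI over SSH/telnet) ----
# Obtain an address from whatever network the AP is plugged into
cfg -a ADDR_MODE=DHCP
# 3 = DNS discovery: the AP resolves AC_HOSTNAME_1 to find its controller
cfg -a AC_DISCOVERY_TYPE=3
# CAPWAP control port (UDP)
cfg -a AC_CTL_PORT=5246
# Public IP or FQDN of the FortiGate wan1 interface (placeholder value)
cfg -a AC_HOSTNAME_1=vpn.example.com
# Commit the changes to flash, then review them
cfg -c
cfg -s

# ---- On the FortiGate / FortiWifi (FortiOS CLI) ----
# Accept CAPWAP on the Internet-facing interface.
# "append" adds capwap without overwriting the existing access list;
# "set allowaccess capwap" would remove every other option from wan1.
config system interface
    edit "wan1"
        append allowaccess capwap
    next
end

# Authorize the AP once it appears in the managed list
# (serial number below is a placeholder)
config wireless-controller wtp
    edit "FAP-SERIAL-PLACEHOLDER"
        set admin enable
    next
end

# Confirm what is now exposed on wan1
show system interface wan1
```

Reviewing the `show system interface wan1` output afterwards confirms that only the intended services are reachable from the Internet on that interface.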

That’s all. The documentation provided could have been sufficient if it had included the fact that CAPWAP needed to be enabled on the wan1 interface and that AC Host Name 1 needed to be changed on the FortiAP unit itself.