
FortiAP™ - Thin Wireless Access Point

FortiOS Wireless LAN Controller

Release Notes
FortiAP™ v4.0 MR2

20-420-123747-20100518
Release Notes FortiAP v4.0 MR2 – FortiAP-220A

Table of Contents
1 FortiAP v4.0 MR2
1.1 Summary of Enhancements Provided by v4.0 MR2
1.2 Product Operation
1.3 Connectivity Options
1.4 FortiAP Quick Start
1.5 Wireless LAN Controller Quick Start
1.6 Operation with External POE
1.7 How to configure DHCP option 138 on FortiGate
2 Special Notices
2.1 General
3 Upgrade Information
3.1 Upgrading the FortiGate
3.2 Upgrading the FortiAP
4 Fortinet Product Integration and Support
4.1 FortiGate Support
5 Expected Behaviors
6 Resolved Issues in FortiAP v4.0
6.1 Troubleshooting
6.2 Understanding Discovery Process
6.3 Connection Ports
6.4 FortiAP Clock
7 Image Checksums

Change Log

Date Change Description

2010-05-18 Initial Release.

© Copyright 2010 Fortinet Inc. All rights reserved.



Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:

https://support.fortinet.com

i May 18, 2010



1 FortiAP v4.0 MR2


This document provides information on issues and caveats in the FortiAP™ v4.0 MR2 release. The following outlines the release status.

Model       FortiAP v4.0 Release Status

FAP-220A    The FortiAP software branch introduced here is FortiAP build 106. This FortiAP build requires a special FortiOS image as described below.

FortiOS     The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models.

            The officially released image of FortiOS to support the FortiAP device is based off of FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.

            The build number for this image, as shown on the System > Status page and in the output of the "get system status" CLI command, is 6322.

            To confirm that you are running the proper build, check the "Branch point:" field in the output of the "get system status" CLI command. This should read 106.

1.1 Summary of Enhancements Provided by v4.0 MR2


The following is a brief list of the new features added in FortiAP v4.0.

FortiAP-220A support
• Simultaneous dual radio operation, 2.4 GHz and 5 GHz
• WPA2 Enterprise grade encryption
• Captive Portal Authentication on FortiGate
• Black Hole prevention achieved by turning off radios while the WLC connection is not available
• WME with Power Save (UAPSD)
• Centralized update of FortiAP software

WLC Discovery
• Three static IP addresses
• DHCP option 138
• Broadcast
• Multicast

AP Profile
• New AP profile management for groups of physical APs has been added. The AP profile allows single-profile management of several physical APs, reducing the time needed to modify any settings.

Rogue AP Triangulation
• Received Signal Strength triangulation between 3 or more FortiAPs.

Maps
• Display of Rogue AP on map
* Note: Triangulation with unlike access points is unreliable and is not recommended. Please use all FortiAP devices.

1.2 Product Operation

The FortiAP is a thin access point that requires FortiGate control for configuration and for centralized data aggregation. The general operation is as follows:
1) Upon power up and successful Ethernet connectivity, the FortiAP requests a DHCP address from the network. If a DHCP server is not available, a static IP address can be assigned using the procedure in the quick start guide supplied with the FortiAP.
2) The FortiAP starts the discovery process of the Controller via the following methods:
a. Static IP address as configured by CLI or as extracted from DHCP option 138
b. L2 broadcast
c. L3 multicast
d. DHCP
3) Once the FortiGate Wireless LAN Controller (WLC) has been discovered, the FortiAP waits for instructions to be managed by the controller.
4) Once the FortiAP has been enabled for management, the WLC downloads the wireless configuration to the FortiAP, at which point the wireless LED lights up. When the power, Ethernet and wireless LEDs all turn green, the configuration has been downloaded successfully and the FortiAP is operational.

1.3 Connectivity Options


FortiAP series products are thin APs designed to work in conjunction with FortiGate devices model 60B and above. The FortiAP requires routed L3 communication to the WLC. If there is an additional firewall between the FortiAP and the FortiGate, make sure that UDP ports 5246 and 5247 are open.

The FortiAP and FortiGate can be connected via the following methods.

Direct connection: In this method the FortiAP is directly connected to the FortiGate with no additional switches in the middle. This configuration is common for locations where the number of FortiAPs matches the number of ‘internal’ ports available on the FortiGate. In this configuration the FortiAP requests an IP address from the FortiGate, enters discovery mode and should quickly find the FortiGate WLC. See wiring closet deployment ‘1’ in the figure below.

Switched connection: In this topology the FortiAP is connected to an Ethernet switch operating in L2 switching mode or L3 routing mode. The only requirement in this topology is that there is a routable path between the FortiAP and the FortiGate and that ports 5246 and 5247 are open. See Gateway deployment ‘2’ in the figure below.

Connection over WAN: In this method of connectivity, the FortiGate controller can be placed off premises and the connectivity is achieved over a VPN tunnel to a local FortiGate. In this method it is best to configure each FortiAP with the static IP address of the WLC. Each FortiAP can be configured with three WLC IP addresses for redundant failover. See Datacenter remote management ‘3’ in the figure below.

1.4 FortiAP Quick Start
1.4.1 Connect the FortiAP unit:
1. Insert a network cable to Port 0.
• Use straight-through cable for most equipment
• Use cross-over cable if connecting to FortiGate units without auto MDI detect
2. Insert the other end of the network cable into your LAN Ethernet edge switch, or directly to the FortiGate
Controller.
3. Connect the power adaptor to AC outlet.
4. Insert the power adaptor connector to the FortiAP unit.

1.4.2 Zero Configuration mode


The FortiAP is designed to require no configuration in most networks. Zero Configuration mode works if the FortiAP is
directly connected to the FortiGate performing the Wireless LAN Controller (WLC) functions, or on the same layer-2
network and subnet as the FortiGate.

To enable the FortiAP using Zero Configuration:


1. Connect the network and power cable as described in the Connecting section.

2. Once power is applied, the FortiAP goes through boot procedure and requests an IP address from the DHCP server.

3. If the IP address is retrieved successfully, the FortiAP enters discovery mode to locate a FortiGate wireless controller.

4. If this is the first time the FortiAP is connected to the controller, only the power light and the Port 0 LED are lit. If the FortiAP has been pre-provisioned in the controller, the Wireless LED is also lit.

5. Verify that the FortiAP has successfully connected to the controller. In FortiGate controller Web Config, go to
Wireless Controller > Configuration > Access Point. A successfully discovered unit displays a half-filled circle symbol.
For configuration please see Wireless LAN Controller Quick Start Section.

1.4.3 Manual configuration


If the FortiGate wireless controller’s IP address cannot be determined from the methods above or if the network uses
static IP addresses, do the following:
1. Connect the FortiAP to a separate private switch or hub or directly connect to your computer via a cross-over cable.
2. Change your computer’s IP address to 192.168.1.3
3. Telnet to IP address 192.168.1.2. This IP address is overwritten if the FortiAP is connected to a DHCP environment.
Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible.
4. Login with username: admin and no password.
5. Type the following commands to enter the static IP address, netmask and gateway information of the Access Point for your network. Replace zzz with the IP address of the FortiGate Wireless Controller.
cfg -a AP_IPADDR="xxx.xxx.xxx.xx"
cfg -a AP_NETMASK="255.255.255.0"
cfg -a IPGW="yyy.yyy.yyy.yyy"
cfg -a AC_IPADDR_1="zzz.zzz.zzz.zzz"
6. Save the configuration by typing the following command:
cfg -c
7. Unplug the FortiAP and plug it back in for the configuration to take effect. Move the FortiAP to the intended deployment location and connect the Ethernet cable as described in the Connecting section.
8. In FortiGate controller Web Config, go to Wireless Controller > Configuration > Access Point. A successfully
discovered unit displays a half-filled circle symbol. For configuration please see next section.

1.5 Wireless LAN Controller Quick Start


1) A successfully discovered AP is shown with a half-filled circle, as in the 2nd row of the table below.
2) Select the Access Point and click Edit.


3) In the Admin field, change the mode from “Discovered” to “Enable”.

4) In the AP Profile field, select a profile from the list and click OK. There are two default profiles that can be selected and edited later.

5) Check the selected ‘AP profile’ to ensure that all settings are correct for your network. If selecting access point, ensure that at least one Virtual AP ‘VAP’ is selected for proper operation.

6) If all settings are correct, the configuration is automatically downloaded from the FortiGate unit to the FortiAP, and the Wireless LED on the access point lights up and blinks with traffic activity.

1.6 Operation with External POE


FortiAP-220A does not support internal Power over Ethernet (PoE) operation. One option is to use an external PoE power adaptor. The FortiAP-220A has been tested with a 12V power injector like the Linksys WAPPOE12. However, be sure to use the power adaptor supplied with the FortiAP instead of the PoE injector's adaptor.


1.7 How to configure DHCP option 138 on FortiGate

Access your AC through the GUI.

(1) Enable the DHCP server on the interface where the AP is planned to connect, as follows.
a. GUI -> System -> DHCP Server -> Service.
b. Select the interface. Mode -> server; enable -> should be checked.
c. Give the IP range, mask and default gateway.

(2) For the AC-discovery type DHCP setting, do the following.
a. Go to GUI -> System -> DHCP Server -> Service -> Advanced -> check options.
b. A new text box will appear.
c. Add the code as “138” and the option as the AC interface IP address in hex form. For example: AC interface: 172.30.72.254, option: AC1E48FE.


2 Special Notices
2.1 General
The FortiAP-220A is pre-loaded with build 106.

IMPORTANT!
• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.

Web Browser Support


• Microsoft Internet Explorer™ 6.0/7.0 and Firefox 2.0x are fully supported.

BEFORE any upgrade


• [FortiAP Configuration] Save a copy of your FortiAP unit configuration (including replacement messages) prior to
upgrading.

AFTER any upgrade


• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiAP to ensure proper display
of the Web UI screens.

3 Upgrade Information
3.1 Upgrading the FortiGate
Please install the special release of FortiOS on your FortiGate device using standard upgrade instructions as outlined in FortiOS
4.0MR2 Admin guide.

3.2 Upgrading the FortiAP


The FortiAP can be upgraded automatically through the FortiGate controller or directly by telnetting to the FortiAP.

Method 1 – Through FortiGate using CLI

Step 1) Place the FortiAP image on a TFTP server.
Step 2) From the FortiGate CLI, type the command:

exec wireless-controller upload-wtp-image tftp <fap-image-name> <tftp-server-ip>

Step 3) Verify which image is uploaded:

exec wireless-controller list-wtp-image

Step 4) Upgrade the AP from the CLI. Use all to upgrade all APs, or type a specific serial number:

exec wireless-controller reset-wtp <all | SN>

Method 2 – Directly from Access Point

Step 1) Place the FortiAP image on a TFTP server on your computer.
Step 2) Connect the FortiAP to a separate private switch or hub, or connect it directly to your computer via a cross-over cable.
Step 3) Change your computer’s IP address to 192.168.1.3.
Step 4) Telnet to IP address 192.168.1.2. This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP is in a private network with no DHCP server for the static IP address to be accessible.
Step 5) Log in with username: admin and no password.

Step 6) Type the following command, replacing <tftp-server-ip> with 192.168.1.3:

restore <fap-image-name> <tftp-server-ip>

4 Fortinet Product Integration and Support
4.1 FortiGate Support
The FortiAP device must be supported by a special FortiOS branch image on the FortiGate device. See Section 1 for build details.


5 Expected Behaviors
1)
Expected Behavior: connection between FortiAP and Wireless LAN controller may not be available for approximately 1 minute after
any configuration change

Description: When a new configuration is pushed to the FortiAP, the access point will disconnect, commit the new configuration and attempt to reconnect to the Controller. During this time the connection to the FortiAP is not available. Depending on network topology, this discovery and join process can take upwards of 1 minute and is normal.

2)
Expected behavior: FortiAP or FortiWiFi-thinAP will disconnect from WLC if they receive bad configuration from WLC

Description: If there is a mismatch between the configuration in the AP profile and the capability of the FortiAP, the FortiAP will disconnect from the WLC. The WLC configuration needs to be corrected first, and then the FortiAP configured from discovered to admin state. This condition can be observed, for example, if the FortiAP-220A radio configurations are reversed from expected. FortiAP-220A Radio 1 is the 2.4 GHz radio and Radio 2 is the 5 GHz radio. Simply correct the radio configuration and the FortiAP will rejoin the WLC. FortiWiFi-ThinAPs have only 1 radio; therefore ensure that the AP profile for these units has the 2nd radio disabled.

FortiAP-220A Radio-1 supports 802.11b/g/n in the 2.4 GHz band.

FortiAP-220A Radio-2 supports 802.11a/n in the 5 GHz band.

3)
Expected Behavior: do not exceed 7 Virtual AP’s per Radio.

Description: If there are more VAPs configured than the radio allows, the system will choose any 7 at random. Therefore, for deterministic behavior, please ensure that no more than seven VAPs are assigned to any radio at one time.

4)
Expected Behavior: air scanning is limited to each radio’s frequency band
Description: Please note that the FortiAP-220A has two dedicated radios; Radio 1 is dedicated to the 2.4 GHz band and Radio 2 to the 5 GHz band. Therefore, when in background or dedicated air monitor mode, each radio will scan its own band. If full scanning of the 2.4 and 5 GHz ranges is needed, please configure both Radio 1 and Radio 2 in background scan or dedicated scan mode.

5)
Expected Behavior: in Monitor mode the Rogue AP Map is only available if 3 or more FortiAPs pick up the signal from the rogue.

Description: The Rogue AP location map uses a triangulation technique based on received signal strength (RSSI). Naturally, the triangulation algorithm needs 3 data points to be able to locate the Rogue AP. The availability of triangulation data is indicated by the MAP icon for each row.

6)
Expected Behavior: Rogue AP map is only available if FortiAP coordinates have been given

Description: The Rogue AP triangulation algorithm needs to know the location of each FortiAP in an X,Y coordinate system. Please update these coordinates accurately for the triangulation map to function. Please note that the 0,0 origin is in the bottom left corner of the GUI.

7)
Expected Behavior: air monitor results may be delayed in Background scan mode

Description: Background scan as the name implies only occurs when the FortiAP is idle. Therefore if the AP is continuously
transmitting or receiving, it may not have time to perform background scan. In this situation, the background scan results will not be
available until an idle time is found for scanning. If continuous scanning is necessary, please use dedicated scan mode.

8)
Expected Behavior: up to 4 VAPs can be configured for WEP encryption

Description: WEP mode is not recommended for systems that can support WPA or WPA2 authentication. However for your
convenience FortiAP provides up to 4 WEP Virtual AP’s for backward compatibility.

9)
Expected Behavior: If client is idle for longer than 5 minutes, it will be de-authenticated

Description: The default idle timer for client inactivity is set to 300 seconds or 5 minutes. This idle timeout ensures that if a user’s PC
is not using the wireless system, or has become inoperative, the wireless system resources are reclaimed for other users. This timeout
value can be changed using the following CLI command.

config wireless-controller timers
set client-idle-timeout 300
end

10)
Expected Behavior: auto Channel mode selects best idle channel. This channel may change over time.
Description: Auto-channel configuration should be the default selection. The FortiAP will scan all available channels and will
automatically select the least busy channel for self configuration. This results in optimum channel allocation for the location of that
AP. This setting should not be changed, unless IT has more specific channel assignment plan in mind.

11)
Expected Behavior: TKIP configuration is not supported on 802.11n.
Description: If TKIP configuration is used with 802.11n configuration, the radio will remain in 802.11g or 802.11a mode and 802.11n
mode will be disabled. Please ensure that only AES is used if 802.11n high performance wireless is expected.

12)
Expected Behavior: the refresh button will not poll each FortiAP for new data.

Description: the refresh button is intended to update the GUI screen if there is new data in the WLC. But it will not cause the WLC to
poll the FortiAP’s for new data. The FortiAP’s will update the WLC only when new data is available and the reporting period can not
be controlled by the GUI.


6 Resolved Issues in FortiAP v4.0


Description: The FortiAP and Wireless LAN controller may not correctly discover each other if they are separated by a NAT device or a packet reordering device.
Bug ID: 0123390
Status: Fixed in next release.


6.1 Troubleshooting
6.2 Understanding Discovery Process
The communication between FortiAP and the Controller uses the CAPWAP protocol (RFC 5415). A FortiAP in operation sets up two tunnels to the controller, one for control messages and one for data. When a FortiAP is connected to the network, it first identifies the proper controller with which to establish the CAPWAP connections. This process is called Discovery.

Discovery Methods

FortiAP can use one of four methods to locate the controller.

1. Broadcast
FortiAP sends the Discovery Request message as a UDP broadcast to the network. The controller replies with a Discovery Response message in unicast. This method requires the AP and the controller to be in the same broadcast domain.

2. Multicast
FortiAP sends the Discovery Request message as multicast. The controller replies with a Discovery Response message in unicast. This method requires the AP and the controller to be in the same broadcast domain.

The default destination address is 224.0.1.140. It can be changed through the CLI. The address must be the same on the controller and the FortiAP.
To change the multicast address on the controller:
config wireless-controller global
set discovery-mc-addr 224.0.1.250
end
To change the multicast address on FortiAP:
cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"

3. Static IP
If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller’s static IP on FortiAP. FortiAP then sends the Discovery Request message in unicast to the controller.

To specify the controller’s IP address on FortiAP:
cfg -a AC_IPADDR_1="192.168.0.1"

4. DHCP
With the previous method, the admin can explicitly specify the controller’s IP address on every FortiAP, but this is not convenient when many FortiAPs are going to be deployed or when the controller’s IP address needs to be changed.

This method starts with the FortiAP initiating a DHCP request. The admin can pre-configure the controller’s IP address on the DHCP server, so that when the DHCP server receives the request, it sends the response with a specific option including the controller’s IP address. FortiAP then sends the Discovery Request message to this address in a unicast packet.

The default DHCP option code is 138 (RFC 5417). If a FortiGate is used to provide the DHCP service, the admin first creates a DHCP server. In the ‘Advanced’ configuration section, an option can be added with code 138 and the controller’s IP in hex format as the value, for example “C0A80001” if the IP is 192.168.0.1. The DHCP request for discovery is independent of the DHCP request that obtains a local IP address for the FortiAP. The DHCP server can be, but does not have to be, the same.

To use a different DHCP option code:
cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=138
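
Added example (not part of the original release notes and not Fortinet code): Python that builds and decodes the option 138 hex value described here and in section 1.7, then checks the option 138 content of a DHCP reply against an approved controller list. The option bytes are constructed sample data, the function names are hypothetical, and handling of more than one address follows RFC 5417 rather than anything this page states about the FortiGate option field.

```python
import ipaddress

CAPWAP_AC_OPTION = 138  # option code stated in the release notes (RFC 5417)


def encode_ac_option(addresses):
    """Return the hex string for the option value, e.g. 'AC1E48FE'."""
    if not addresses:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return packed.hex().upper()


def decode_ac_option(hex_value):
    """Decode an option 138 hex value into a list of dotted-quad addresses."""
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 4:
        raise ValueError("option 138 must hold a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def find_ac_addresses(options):
    """Walk a raw DHCP options field (the bytes after the magic cookie) and
    return the controller addresses carried in option 138, or [] if absent."""
    found = []
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:          # pad option: single byte, no length
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code == CAPWAP_AC_OPTION:
            found.extend(decode_ac_option(value.hex()))
        i += 2 + length
    return found


def unexpected_controllers(options, approved):
    """Return advertised controller addresses that are not on the approved list."""
    approved_set = {str(ipaddress.IPv4Address(a)) for a in approved}
    return [a for a in find_ac_addresses(options) if a not in approved_set]


# Constructed sample: options field of a DHCP ACK carrying the section 1.7
# example value (AC interface 172.30.72.254).
SAMPLE_OPTIONS = bytes.fromhex(
    "350105"          # option 53, message type = ACK
    "0104ffffff00"    # option 1, subnet mask 255.255.255.0
    "0304ac1e48fe"    # option 3, router 172.30.72.254
    "8a04ac1e48fe"    # option 138, one controller address
    "ff"              # end
)

if __name__ == "__main__":
    print(encode_ac_option(["172.30.72.254"]))
    print(encode_ac_option(["192.168.0.1"]))
    print(find_ac_addresses(SAMPLE_OPTIONS))
    print(unexpected_controllers(SAMPLE_OPTIONS, ["192.168.0.1"]))
```

Running the last check against the DHCP replies seen on an AP subnet shows whether any server is pointing FortiAPs at a controller address other than the intended one.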

Auto Discovery Mode

The discovery method can be configured on FortiAP using the following command:
cfg -a AC_DISCOVERY_TYPE=1
0: Auto Mode
1: Static IP
2: DHCP
5: Broadcast
6: Multicast

By default, FortiAP starts the Discovery process in Auto mode (0). It uses all four methods in the order Static IP -> DHCP -> Multicast -> Broadcast. For each method, FortiAP sends Discovery Request messages and waits for the response. If no controller is discovered, FortiAP moves to the next method. When all methods have been attempted without locating any controller, FortiAP starts over again from Static IP and keeps trying until at least one controller is found.

If FortiAP and the controller are in the same broadcast domain, they can find each other automatically through the Broadcast method without any configuration. This is the easiest deployment scenario. If FortiAP and the controller are in different broadcast domains, the admin has to enter the AC’s IP address either on the FortiAP or on the proper DHCP server.

Join Request

At the controller side, once a Discovery Request message is received, the controller adds a new entry to the Access Point List. The serial number of the AP is displayed and the status of the new entry is set to ‘Discovery’. At this time, the FortiAP is not yet connected to the controller. The admin has to manually change the status to ‘Enabled’ and assign an AP profile to the AP.

At the FortiAP side, the discovery process stops when at least one controller is located. FortiAP then tries to set up the control channel to the controller. The control channel is a DTLS connection. It is established by exchanging the certificates and encryption key of the FortiAP and the controller. FortiAP sends a Join Request to the controller through the control channel. If the corresponding AP entry is enabled, the controller allows FortiAP to connect by sending a Join Response message with a code indicating that the connection is successfully established.

For high availability installations it is possible that multiple controllers respond to the Discovery Request during the Discovery process. FortiAP calculates the priority of these controllers based on their load. The Join Request is sent to the controller with the least load. If the Join Request fails for any reason, for example if the FortiAP is not enabled at the controller side, FortiAP removes this controller from its local list and sends another Join Request to the next best controller in the list. If FortiAP fails to establish a connection to all controllers, it starts the Discovery process again.

Connection Keep Alive

After the control channel between FortiAP and the controller is established, the data channel is also created to transmit wireless data packets. Every 30 seconds, a keep-alive message is exchanged between FortiAP and the controller using the data tunnel. If 3 consecutive keep-alive messages are lost, FortiAP tears down its connection to the controller and starts the Discovery process again.

6.3 Connection Ports


The Discovery Request message is sent to UDP port 5246. This is also the port that the control tunnel uses. The data channel uses UDP port 5247. If there are firewall devices between FortiAP and the controller, these two ports must be opened.

The connection port of the control channel can be changed on both FortiAP and the controller. The data channel always uses the port next to the control channel’s port.

To change the control channel port on the controller:
config system global
set wireless-controller-port 5246
end
To change the control channel port on FortiAP:
cfg -a AC_CTL_PORT="5246"

6.4 FortiAP Clock


FortiAP and the controller establish the control channel by exchanging their certificates. If FortiAP’s clock is too far off from the controller’s, the certificate might fall outside its validity period, so that the DTLS connection cannot be established.

Use the ‘date’ command to check and change FortiAP’s clock. The ‘date’ command works the same as in Linux.
date -s "5/17/2010 16:48:00"


7 Image Checksums
The MD5 checksums for the firmware images are contained in a file in the download directory on the Fortinet Customer Support
website (https://support.fortinet.com).

(End of Release Notes.)
