FortiAP Guest WiFi: Security-First Captive Portal Setup
Key Takeaways: Fortinet FortiAP access points integrate with the FortiGate next-generation firewall, giving guest WiFi networks enterprise-grade threat protection by default. MyWiFi connects through FortiOS REST API and RADIUS authentication. The FortiGate handles VLAN segmentation, application control, web filtering, and intrusion prevention on the guest SSID while MyWiFi provides the captive portal, data capture, and marketing automation. This combination serves compliance-heavy verticals — healthcare clinics, financial services, government facilities — where the security posture of the guest network is as important as the marketing data it generates.
Fortinet is the security company that happens to make access points. FortiAP hardware is designed to operate under the management of a FortiGate firewall, which means every guest WiFi connection passes through Fortinet's Security Fabric — IPS, application control, web filtering, antivirus, and sandboxing. For WiFi marketing resellers, this opens a vertical that other hardware integrations do not naturally serve: venues where the CISO or compliance team must sign off on the guest network before it goes live.
Healthcare clinics, law firms, financial advisors, government offices, and corporate campuses with strict security policies are difficult to pitch on guest WiFi marketing when the hardware is a basic AP with no native security stack. FortiAP with FortiGate changes that conversation. The security team gets the threat protection they require, and your client gets the guest data capture and marketing automation they want.
This guide covers the FortiAP captive portal setup with MyWiFi: FortiGate configuration, VLAN design, security policies, RADIUS integration, and the deployment patterns that work in security-conscious environments.
How the FortiAP + FortiGate architecture works
Unlike standalone AP systems where the access point handles WiFi and the captive portal redirect independently, FortiAP operates as a thin AP managed by the FortiGate firewall. All traffic from the FortiAP is tunneled back to the FortiGate (in tunnel mode) or bridged locally (in bridge mode). This architecture means:
- All guest traffic is inspected by the FortiGate's security engines before reaching the internet. This includes the captive portal flow itself.
- Security policies are enforced at the firewall level, not the AP level. The FortiGate applies IPS signatures, application control rules, and web filtering to guest traffic.
- VLAN segmentation is managed by the FortiGate, which creates the guest network interface and routes traffic between the guest VLAN and the WAN.
For MyWiFi integration, this means the captive portal redirect and RADIUS authentication are configured on the FortiGate, not on the FortiAP directly. The AP broadcasts the SSID; the FortiGate handles everything else.
Prerequisites
- FortiGate firewall running FortiOS 6.4 or later (7.x recommended)
- FortiAP access points adopted and managed by the FortiGate (any model: FAP-231F, FAP-431F, FAP-231G, etc.)
- FortiGate admin access with full read/write permissions
- MyWiFi account with a location created for the venue
- VLAN infrastructure — the switch connecting the FortiAP must support VLAN tagging
Step 1: Create the guest VLAN interface on the FortiGate
Before creating the SSID, you need a dedicated network interface for the guest VLAN.
In the FortiGate web interface, navigate to Network → Interfaces.
Create a new VLAN interface:
- Name: `guest-wifi`
- Type: VLAN
- Interface: The physical interface or aggregate connected to the AP switch
- VLAN ID: 100 (or any unused VLAN ID in your client's environment)
- IP/Network Mask: Assign a gateway IP for the guest subnet (e.g., `10.100.0.1/24`)
- DHCP Server: Enable DHCP on this interface with a pool matching the subnet (e.g., `10.100.0.10` to `10.100.0.250`)
- DNS: Assign DNS servers for the guest VLAN. Use the FortiGate as DNS proxy or point to public DNS (8.8.8.8, 1.1.1.1)
This VLAN interface is where guest traffic will live — fully isolated from the corporate network by the FortiGate's firewall rules.
Step 2: Create the guest SSID on the FortiAP
Navigate to WiFi & Switch Controller → SSIDs in the FortiGate interface.
Click Create New and configure:
- Name: `guest-wifi-ssid`
- Traffic mode: Tunnel (recommended for security — all traffic returns to FortiGate for inspection) or Bridge (for local breakout if the venue's security policy allows it)
- SSID: Your client's guest network name
- Security mode: Open (captive portal will handle authentication)
- Captive portal: Enable and select External for the portal type
- External portal URL: Enter your MyWiFi portal URL, `https://portal.mywifi.io/location/{location-id}`
- VLAN: Assign to the guest VLAN interface created in Step 1
- Broadcast SSID: Enable
Tunnel mode vs. Bridge mode: Tunnel mode is the security-recommended option. All guest traffic is encapsulated in a CAPWAP tunnel from the FortiAP back to the FortiGate, where it is inspected by the full security stack before being routed to the internet. Bridge mode breaks out traffic locally at the AP, which reduces latency but bypasses FortiGate inspection for local traffic. For security-conscious deployments, use tunnel mode.
Step 3: Configure RADIUS authentication
On the FortiGate, create a RADIUS server entry for MyWiFi.
Navigate to User & Authentication → RADIUS Servers.
Click Create New:
- Name: `mywifi-radius`
- Primary Server IP: The MyWiFi RADIUS server IP (from your MyWiFi dashboard under Location → Hardware Settings → RADIUS Configuration)
- Primary Server Port: 1812
- Primary Server Secret: The shared secret from MyWiFi
- Secondary Server: Configure the secondary RADIUS server for redundancy if provided
- Authentication method: PAP (Password Authentication Protocol) — this is standard for captive portal RADIUS flows
- Accounting: Enable RADIUS accounting on port 1813 with the same shared secret
Next, create a User Group that references this RADIUS server:
- Navigate to User & Authentication → User Groups
- Create a new group (e.g., `guest-wifi-group`)
- Add the `mywifi-radius` RADIUS server as a remote server in this group
Finally, assign this user group to the guest SSID's captive portal configuration. This tells the FortiGate to authenticate guest portal logins against MyWiFi's RADIUS server.
Step 4: Security policies for the guest network
This is where FortiAP deployments differentiate from commodity AP setups. The FortiGate applies real security policies to guest traffic.
Navigate to Policy & Objects → Firewall Policy.
Create a guest-to-internet policy:
- Name: `guest-wifi-to-internet`
- Incoming interface: `guest-wifi` (the VLAN interface)
- Outgoing interface: WAN interface
- Source: Guest subnet or user group
- Destination: All
- Service: HTTP, HTTPS, DNS (restrict as needed for the venue's policy)
- Action: Accept
- NAT: Enable (source NAT to the WAN IP)
Security profiles to apply on this policy:
- AntiVirus: Enable with default profile. Scans HTTP/HTTPS downloads for malware. Protects the venue's reputation — if a guest downloads malware on the venue's WiFi and attributes it to the business, that is a liability.
- Web Filter: Enable with a "guest" profile. Block categories like malware, phishing, explicit content, and gambling. Customize per venue type.
- Application Control: Enable. Block bandwidth-intensive applications (BitTorrent, Tor) that degrade the guest experience for everyone.
- Intrusion Prevention (IPS): Enable with default sensor. Detects and blocks network attacks originating from or targeting guest devices.
- SSL Inspection: Optional. Deep inspection allows the FortiGate to inspect HTTPS traffic, but requires deploying a CA certificate to guest devices. For most captive portal deployments, use "Certificate Inspection" mode (inspects the certificate without decrypting content) to avoid certificate warnings.
Create a guest-to-corporate deny policy:
- Name: `guest-deny-corporate`
- Incoming interface: `guest-wifi`
- Outgoing interface: Corporate interfaces
- Source: Guest subnet
- Destination: Corporate subnets
- Action: Deny
Place this deny policy above the allow policy in the policy list. FortiGate processes policies top-down, so the deny rule must match first to prevent guest traffic from reaching corporate networks.
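The ordering rule is easy to get wrong when the allow policy is broadly scoped, so here is an added illustration (not FortiOS code) that models the two Step 4 policies as a first-match list. It shows the misordered list letting guest traffic reach a corporate subnet, the correct order denying it, and a shadow check that flags a deny policy an earlier overlapping accept would always match first. It also shows that scoping the allow policy's outgoing interface to the WAN, as Step 4 specifies, is a second guard that holds even when the order is wrong. The interface names, subnets and the evaluator are constructed for the example; a real FortiGate policy also matches on service, schedule and user group.

```python
"""First-match policy evaluation and shadow detection (added illustration).

Models the Step 4 policies to show why the guest-to-corporate deny has to sit
above the guest-to-internet allow, and why scoping the allow policy's outgoing
interface to the WAN is a second, independent guard. The evaluator, interface
names and subnets are constructed for the example; this is not FortiOS code,
which matches on more fields (service, schedule, user group) than shown here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str    # incoming interface; "any" matches every interface
    dst_if: str    # outgoing interface (chosen by routing before policy lookup)
    src: str       # source address, CIDR
    dst: str       # destination address, CIDR ("0.0.0.0/0" is the GUI's "all")
    action: str    # "accept" or "deny"


def _if_match(policy_if: str, actual_if: str) -> bool:
    return policy_if == "any" or policy_if == actual_if


def matches(p: Policy, src_if: str, dst_if: str, src_ip: str, dst_ip: str) -> bool:
    return (_if_match(p.src_if, src_if) and _if_match(p.dst_if, dst_if)
            and ip_address(src_ip) in ip_network(p.src)
            and ip_address(dst_ip) in ip_network(p.dst))


def evaluate(policies, src_if, dst_if, src_ip, dst_ip):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for p in policies:
        if matches(p, src_if, dst_if, src_ip, dst_ip):
            return p.action, p.name
    return "deny", "implicit-deny"


def _if_overlap(a: str, b: str) -> bool:
    return a == b or "any" in (a, b)


def shadowed_denies(policies):
    """Pre-deployment check: deny policies that an earlier, overlapping accept
    policy would always match first, so the deny can never fire."""
    shadowed = []
    for i, deny in enumerate(policies):
        if deny.action != "deny":
            continue
        for accept in policies[:i]:
            if (accept.action == "accept"
                    and _if_overlap(accept.src_if, deny.src_if)
                    and _if_overlap(accept.dst_if, deny.dst_if)
                    and ip_network(accept.src).overlaps(ip_network(deny.src))
                    and ip_network(accept.dst).overlaps(ip_network(deny.dst))):
                shadowed.append(deny.name)
                break
    return shadowed


# Constructed topology: guest VLAN 10.100.0.0/24, corporate LAN 10.10.0.0/16.
DENY_CORP = Policy("guest-deny-corporate", "guest-wifi", "corporate",
                   "10.100.0.0/24", "10.10.0.0/16", "deny")
ALLOW_WAN = Policy("guest-wifi-to-internet", "guest-wifi", "wan1",
                   "10.100.0.0/24", "0.0.0.0/0", "accept")
ALLOW_ANY = Policy("guest-wifi-to-internet", "guest-wifi", "any",
                   "10.100.0.0/24", "0.0.0.0/0", "accept")

CORRECT = [DENY_CORP, ALLOW_ANY]     # deny first, as Step 4 instructs
MISORDERED = [ALLOW_ANY, DENY_CORP]  # the deny is unreachable


if __name__ == "__main__":
    flow = ("guest-wifi", "corporate", "10.100.0.25", "10.10.0.5")
    print("misordered:", evaluate(MISORDERED, *flow))
    print("correct   :", evaluate(CORRECT, *flow))
    print("wan-scoped:", evaluate([ALLOW_WAN, DENY_CORP], *flow))
    print("shadowed  :", shadowed_denies(MISORDERED))
```

Running `shadowed_denies` over an exported policy list before go-live is a cheap way to catch the misordering; a deny that can never match is exactly the kind of finding an auditor will ask about.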
Step 5: Walled garden (exempted destinations)
Guests need to reach the MyWiFi portal and social login providers before they authenticate. On the FortiGate, this is configured as captive portal exemptions.
Navigate to the SSID captive portal settings or the exemption list under WiFi & Switch Controller → SSIDs → [your SSID] → Exempt Destinations.
Add:
*.mywifi.io
*.mywifinetworks.com
*.facebook.com
*.google.com
*.googleapis.com
*.gstatic.com
*.apple.com
*.whatsapp.com
*.cloudfront.net
The FortiGate also supports exemption by IP address or FQDN object. For social providers with known CDN ranges, FQDN objects provide more reliable exemption than wildcard domains.
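Because an exemption is a hole in the pre-authentication block, it is worth checking the list mechanically. The following is an added illustration (not FortiOS code) that matches a destination host against the Step 5 entries and reports which hosts the portal flow needs that nothing covers. The wildcard semantics used here (a leading `*.` matches one or more subdomain labels but not the bare apex) are an assumption made for the example; confirm how your FortiOS version treats wildcard FQDNs before relying on it. The hostnames in the checks are constructed.

```python
"""Walled-garden (captive portal exemption) matching, added illustration.

Checks an unauthenticated guest's destination host against the Step 5 exemption
list and reports which hosts the portal needs that nothing covers. This is not
FortiOS code: the wildcard semantics used here (a leading "*." matches one or
more subdomain labels but not the bare apex) are an assumption for the example;
verify how your FortiOS version treats wildcard FQDNs before relying on it.
Hostnames used in the checks are constructed.
"""
from typing import Iterable, List

EXEMPT = [
    "*.mywifi.io", "*.mywifinetworks.com", "*.facebook.com", "*.google.com",
    "*.googleapis.com", "*.gstatic.com", "*.apple.com", "*.whatsapp.com",
    "*.cloudfront.net",
]


def normalize(host: str) -> str:
    """Lower-case, strip whitespace and a trailing root dot (DNS FQDN form)."""
    return host.strip().rstrip(".").lower()


def pattern_matches(pattern: str, host: str) -> bool:
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.mywifi.io" -> ".mywifi.io"
        # The leading dot in the suffix keeps "evil-mywifi.io" from matching,
        # and the length check refuses an empty leftmost label.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_exempt(host: str, patterns: Iterable[str] = EXEMPT) -> bool:
    return any(pattern_matches(p, host) for p in patterns)


def uncovered(required: Iterable[str], patterns: Iterable[str] = EXEMPT) -> List[str]:
    """Pre-deployment check: hosts the portal flow needs that no exemption covers."""
    pats = list(patterns)
    return [h for h in required if not is_exempt(h, pats)]


def pre_auth_decision(host: str, patterns: Iterable[str] = EXEMPT) -> str:
    """What an unauthenticated client gets: pass-through for exempt hosts,
    otherwise the captive portal redirect."""
    return "pass" if is_exempt(host, patterns) else "redirect-to-portal"


if __name__ == "__main__":
    needed = ["portal.mywifi.io", "accounts.google.com", "cdn.example-social.net"]
    print("uncovered:", uncovered(needed))
    for h in ["portal.mywifi.io", "mywifi.io", "evil-mywifi.io", "example.com"]:
        print(f"{h:24} -> {pre_auth_decision(h)}")
```

Two practical notes follow from the matcher: an apex name (for example `mywifi.io` itself) needs its own entry if the portal ever redirects to it, and a wildcard over a shared CDN such as `*.cloudfront.net` exempts everything hosted on that CDN, not just the provider you intended, which is the case for the FQDN objects the page recommends for social providers.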
Step 6: FortiOS REST API for automation
The FortiGate exposes a REST API (FortiOS REST API) that enables automation and monitoring. MyWiFi can use this API for advanced integrations beyond the standard RADIUS flow.
API capabilities relevant to WiFi marketing:
- Session monitoring: Query active guest sessions, connection counts, and bandwidth usage per user
- Log forwarding: Forward guest authentication logs to MyWiFi for audit trail integration
- Dynamic address objects: Automatically create or update firewall address objects based on guest session data
- FortiView integration: Pull real-time visibility data (top applications, top users, threat events) for enriched analytics reporting
To enable API access, create an API administrator account on the FortiGate and generate an API token. Configure this token in your MyWiFi dashboard under the hardware settings for the location. The API connection is read-only by default — MyWiFi does not modify firewall policies through the API.
Step 7: Compliance and audit readiness
FortiAP deployments often serve compliance-regulated venues. The FortiGate's logging and reporting capabilities support audit requirements.
Logging:
- Enable detailed logging for the guest firewall policy. The FortiGate logs source IP, destination, application, action (allow/deny), and security profile events for every guest session.
- Forward logs to FortiAnalyzer (Fortinet's dedicated log management appliance) for long-term retention and compliance reporting.
- MyWiFi's GDPR compliance features handle the data capture and consent requirements on the captive portal side. The FortiGate handles network-level audit logging.
Guest session records: Between the FortiGate (network logs) and MyWiFi (portal logs), you have a complete audit trail: when a guest connected, what they authenticated with, how long they stayed, what they accessed (at the application level), and what security events occurred during their session.
This dual-layer audit trail is what compliance officers in healthcare, finance, and government need to approve guest WiFi deployments. The security data comes from FortiGate; the marketing data comes from MyWiFi.
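To show what the network half of that audit trail looks like once it leaves the box, here is an added illustration (not Fortinet or MyWiFi code) that parses FortiGate-style key=value log records and folds them into a per-guest view: accepted flows and bytes, attempts stopped by the guest-deny-corporate policy, and security-profile (UTM) events. The field names follow FortiGate's key=value syslog convention, but the log lines, device name, addresses and signature name are constructed for the example.

```python
"""Per-guest audit trail from FortiGate-style key=value logs (added illustration).

Parses the key=value syslog layout FortiGate uses for traffic and UTM records
and folds them into the per-client view an auditor asks for: what the guest
reached, what the deny policy blocked, and which security-profile events fired.
The log lines below are constructed for the example (field names follow
FortiGate conventions; values, signature names and device ids are invented),
and this is not Fortinet or MyWiFi code.
"""
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [  # constructed records
    'date=2024-05-01 time=10:15:22 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=10.100.0.25 srcintf="guest-wifi" dstip=203.0.113.10 dstport=443 dstintf="wan1" action="accept" policyname="guest-wifi-to-internet" service="HTTPS" app="Facebook" sentbyte=1520 rcvdbyte=48210',
    'date=2024-05-01 time=10:16:05 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=10.100.0.25 srcintf="guest-wifi" dstip=10.10.0.5 dstport=445 dstintf="corporate" action="deny" policyname="guest-deny-corporate" service="SMB" sentbyte=0 rcvdbyte=0',
    'date=2024-05-01 time=10:17:40 devname="FGT-EXAMPLE" type="utm" subtype="webfilter" srcip=10.100.0.31 srcintf="guest-wifi" hostname="bad.example" action="blocked" catdesc="Malicious Websites"',
    'date=2024-05-01 time=10:18:02 devname="FGT-EXAMPLE" type="utm" subtype="ips" srcip=10.100.0.31 srcintf="guest-wifi" dstip=203.0.113.77 action="dropped" attack="Example.Constructed.Signature" severity="high"',
    'date=2024-05-01 time=10:19:10 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=10.100.0.31 srcintf="guest-wifi" dstip=203.0.113.20 dstport=443 dstintf="wan1" action="accept" policyname="guest-wifi-to-internet" service="HTTPS" app="Google" sentbyte=400 rcvdbyte=1200',
]


def parse_line(line: str) -> dict:
    """Split a FortiGate-style record into a dict; quoted values are unquoted."""
    out = {}
    for key, value in KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        out[key] = value
    return out


def audit_trail(lines):
    """Aggregate per source IP: accepted/denied flows, bytes, attempts matched
    by the guest-deny-corporate policy, applications seen, and UTM events."""
    trail = defaultdict(lambda: {"accepted": 0, "denied": 0, "bytes": 0,
                                 "corporate_attempts": 0, "utm_events": [],
                                 "apps": set()})
    for line in lines:
        rec = parse_line(line)
        src = rec.get("srcip")
        if not src:
            continue  # records without a client address cannot be attributed
        entry = trail[src]
        if rec.get("type") == "traffic":
            if rec.get("action") == "accept":
                entry["accepted"] += 1
                entry["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
                if "app" in rec:
                    entry["apps"].add(rec["app"])
            else:
                entry["denied"] += 1
                if rec.get("policyname") == "guest-deny-corporate":
                    entry["corporate_attempts"] += 1
        elif rec.get("type") == "utm":
            entry["utm_events"].append(
                (rec.get("subtype"), rec.get("action"), rec.get("attack") or rec.get("catdesc")))
    return dict(trail)


def clients_needing_review(lines):
    """Guests with a blocked corporate attempt or any UTM event during the session."""
    return sorted(ip for ip, e in audit_trail(lines).items()
                  if e["corporate_attempts"] or e["utm_events"])


if __name__ == "__main__":
    for ip, entry in audit_trail(SAMPLE_LOGS).items():
        print(ip, entry)
    print("review:", clients_needing_review(SAMPLE_LOGS))
```

Joined on the guest's IP and the session time window, these per-client entries line up with MyWiFi's portal record of who authenticated from that address, which is the combined trail the previous paragraph describes.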
FortiAP hardware recommendations
| Model | Use Case | WiFi Standard | Environment |
|---|---|---|---|
| FAP-231F | Standard indoor | WiFi 6 | Offices, retail, clinics |
| FAP-431F | High-density indoor | WiFi 6 | Conference rooms, lobbies |
| FAP-231G | Next-gen indoor | WiFi 6E | New deployments, future-proof |
| FAP-432G | High-density WiFi 6E | WiFi 6E | Large venues, coworking |
| FAP-234G | Outdoor | WiFi 6E | Outdoor dining, parking |
FortiAP hardware pricing is mid-range enterprise — between UniFi (budget) and Meraki (premium). The key cost component is the FortiGate firewall, which your client may already have for their corporate network. Adding FortiAPs to an existing FortiGate deployment is incremental cost.
Comparing FortiAP to other security-focused options
| Feature | FortiAP + FortiGate | Sophos | Meraki + MX |
|---|---|---|---|
| Integrated firewall | FortiGate (NGFW) | Sophos Firewall (XGS) | Meraki MX (basic) |
| Threat protection | IPS, AV, App Control, Web Filter | IPS, AV, Web Filter | Basic IPS |
| Zero Trust | FortiNAC, ZTNA | Sophos ZTNA | None native |
| SD-WAN | FortiGate SD-WAN | None native | Meraki SD-WAN |
| MyWiFi integration | Full parity | Full parity | Full parity |
| MSP management | FortiCloud | Sophos Central | Meraki Dashboard |
Both Fortinet and Sophos serve the security-first MSP channel. The choice typically comes down to which security vendor the MSP has standardized on. Visit the hardware compatibility page for the full list of supported vendors.
FAQ
Does FortiAP require a FortiGate to work with MyWiFi?
FortiAP devices require a FortiGate (or FortiAP Cloud) for management. They are not standalone APs. If your client does not have a FortiGate, you need to include one in the deployment or consider a different AP vendor. Some MSPs deploy a FortiGate VM on a small server or in the cloud as a lightweight management option.
Can I use FortiAP Cloud instead of an on-premises FortiGate?
Yes. FortiAP Cloud is Fortinet's cloud management platform for FortiAPs. It provides SSID configuration, captive portal redirect, and basic security policies without an on-premises FortiGate. The security feature set is reduced compared to a full FortiGate, but external captive portal redirect and RADIUS authentication work for MyWiFi integration.
How does FortiGate handle the captive portal redirect for HTTPS sites?
Modern browsers default to HTTPS, which makes HTTP-based captive portal redirect unreliable. The FortiGate can intercept HTTPS connections and return a redirect, but this triggers a certificate warning. The industry-standard workaround (which FortiGate supports) is to answer the captive portal detection probe: iOS, Android, and Windows all send specific HTTP requests to known URLs to detect captive portals. The FortiGate intercepts these probe requests and returns the redirect, so the device opens the portal without the user having to load an HTTP page first.
What FortiOS version is recommended?
FortiOS 7.2 or later is recommended for the best captive portal and WiFi controller experience. FortiOS 7.4 and 7.6 added improvements to the WiFi controller interface and guest portal configuration. Earlier versions (6.4, 7.0) work but have a less streamlined configuration workflow.
Can I apply different security policies to different guest tiers?
Yes. Using RADIUS attributes returned by MyWiFi during authentication, the FortiGate can dynamically assign different firewall policies to different guest types. For example, premium guests might receive higher bandwidth limits and fewer web filter restrictions, while free-tier guests get stricter policies. This requires configuring dynamic policy assignment based on RADIUS group or VLAN attributes.
How does this compare to just using UniFi with a separate firewall?
UniFi APs do not integrate with the firewall at the AP management level. You can place a firewall in front of a UniFi deployment, but the security policies are not coordinated with the wireless controller. FortiAP + FortiGate is a unified system — the firewall manages the APs, applies security profiles per SSID, and provides single-pane-of-glass visibility across wired and wireless. For venues with serious security requirements, this integration is the differentiator.
Next steps
- Assess the client's existing Fortinet stack — If they already have a FortiGate, adding FortiAPs is incremental. If not, scope the FortiGate sizing.
- Configure the guest VLAN and security policies — Follow the steps above to create a fully isolated, inspected guest network
- Explore all supported hardware — Visit the hardware compatibility page for 20+ vendors
- Review pricing — See MyWiFi pricing plans to match the deployment scale
- Book a demo — Schedule a live demo to see the FortiAP integration in a live environment
FortiAP with MyWiFi gives resellers a security-first pitch that opens doors in compliance-regulated verticals. The FortiGate inspects every packet, the FortiAP delivers the signal, and MyWiFi captures the marketing data — all without compromising the security posture. For MSPs who already sell Fortinet, adding WiFi marketing as a revenue stream is a natural extension of the existing security relationship.