Administrators may encounter a situation where an unauthorized or unknown FortiAP, specifically model FP221E, appears in the managed Access Points list on a FortiGate. This phantom AP often shows a status of "Rejected" and can lead to High Availability (HA) synchronization issues if the FortiGate is part of a cluster.
This behavior is typically caused by having the Security Fabric Connection administrative access enabled on an untrusted external interface (such as wan1 or wan2).
In the GUI, the affected WAN interface shows Security Fabric Connection enabled under Administrative Access (this is the "fabric" option in the interface's allowaccess list in the CLI). The Security Fabric Connection setting makes the FortiGate listen on that interface for FortiTelemetry and downstream Fabric device discovery. When it is enabled on a public-facing WAN interface, the FortiGate will accept discovery packets from anywhere on the internet, including spoofed or illegitimate ones. Attackers or automated scanners can send packets that mimic a FortiAP (often presenting as the FP221E profile) attempting to join the fabric.
While the FortiGate correctly "Rejects" the unauthorized AP, the creation of the object itself can disrupt HA sync and clutter the management console.
To resolve this issue and prevent its recurrence, follow these steps:
1. Disable Security Fabric Connection on WAN Interfaces
You should only enable the Security Fabric Connection on trusted internal interfaces where other Fabric devices (like FortiSwitches or FortiAPs) are physically located.
Via GUI:
Go to Network > Interfaces, edit the WAN interface (for example, wan1), and under Administrative Access clear the Security Fabric Connection checkbox. Repeat for every other untrusted interface (for example, wan2).
Via CLI:
config system interface
edit "wan1"
set allowaccess ping <-- 'set allowaccess' replaces the whole list, so re-enter every protocol you still need and omit 'fabric' (alternatively, 'unselect allowaccess fabric' removes only that option)
next
end
2. Delete the Rejected Access Point
Once Security Fabric Connection is disabled on the WAN interfaces, the phantom entry does not disappear by itself: you must manually delete the "Rejected" FP221E entry from the Managed FortiAPs list (WiFi & Switch Controller > Managed FortiAPs) to restore HA sync.
3. Verify HA Synchronization
After deleting the object, check the HA status. Run diagnose sys ha checksum cluster (or diagnose sys ha checksum show on each member) and confirm that the checksums match across the cluster members; get system ha status should then report the cluster as in sync.
By limiting Security Fabric Connection access to internal, trusted interfaces, you reduce the attack surface of the FortiGate and prevent unauthorized external devices from impacting your configuration and HA stability.
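The following script is an added example, not part of the original article or any Fortinet tool. It audits a FortiOS configuration backup (a constructed excerpt is embedded inline) for interfaces that expose the fabric option in allowaccess, flags the ones with the WAN role, and generates the remediation CLI. It assumes that set role wan identifies untrusted interfaces in the backup, and that unselect allowaccess fabric is the CLI form that removes only that option; both are assumptions of the example rather than statements from the article.

```python
"""Audit a FortiOS config backup for Security Fabric Connection ('fabric') on WAN interfaces.

Added example: parses the 'config system interface' table, reports WAN-role
interfaces that list 'fabric' in allowaccess, and emits remediation CLI.
"""
import re

# Constructed sample config backup excerpt (not captured from a real device).
# wan1 is misconfigured (fabric on a WAN-role interface); internal is fine (LAN role).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fabric
        set type physical
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fabric
        set role lan
    next
end
config system ha
    set group-name "cluster1"
end
"""


def parse_interfaces(config_text):
    """Return {name: {"allowaccess": [...], "role": "..."}} for the system interface table.

    Tracks config/end nesting so sub-tables such as 'config ipv6' inside an
    interface entry are skipped instead of being mistaken for the table's end.
    """
    interfaces = {}
    depth = 0           # current nesting depth of config ... end blocks
    table_depth = None  # depth at which 'config system interface' was opened
    current = None      # dict for the interface entry being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system interface":
                table_depth = depth
            continue
        if line == "end":
            if table_depth is not None and depth == table_depth:
                break  # closing 'end' of the interface table
            depth -= 1
            continue
        if table_depth is None or depth != table_depth:
            continue  # outside the table, or inside a nested sub-table
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = {"allowaccess": [], "role": ""}
            interfaces[m.group(1)] = current
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set allowaccess "):
            current["allowaccess"] = line.split()[2:]
        elif current is not None and line.startswith("set role "):
            current["role"] = line.split()[2]
    return interfaces


def find_fabric_on_wan(interfaces):
    """Names of WAN-role interfaces that expose 'fabric' (Security Fabric Connection)."""
    return sorted(
        name for name, iface in interfaces.items()
        if iface["role"] == "wan" and "fabric" in iface["allowaccess"]
    )


def remediation_cli(names):
    """Build CLI that removes only 'fabric' from each listed interface.

    Assumption: 'unselect allowaccess fabric' drops that one option while
    leaving ping/https/ssh etc. untouched, unlike 'set allowaccess ...'.
    """
    lines = ["config system interface"]
    for name in names:
        lines += [f'    edit "{name}"', "        unselect allowaccess fabric", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    exposed = find_fabric_on_wan(parse_interfaces(SAMPLE_CONFIG))
    print("WAN interfaces with Security Fabric Connection enabled:", exposed)
    print(remediation_cli(exposed))
```

On the sample above only wan1 is reported: wan2 has no fabric access, and internal has it but carries the lan role, which is exactly where the article says it belongs. Point the script at a full backup taken from System > Configuration > Backup to check every interface before touching the HA cluster.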