nmichael
Staff
July 18, 2017

Technical Tip: Understanding the Maximum Managed FortiAPs limit in the FortiGate GUI


Description

 
This article describes how the maximum number of Managed FortiAPs is calculated and why there are two separate limits shown in both the FortiGate GUI and the corresponding datasheet for that FortiGate model.

 

Scope

 

FortiGate, FortiAP, Wireless SSIDs.


Solution

 

Each FortiGate model has a pre-defined limit on the Maximum Number of FortiAPs that can be managed by the FortiGate (acting as a wireless controller). This limit can be observed in the datasheet on a per-model basis, and, notably, it is split into two values (Total and Tunnel).

 

For example, the FortiGate-80F datasheet indicates that it supports 96 FortiAPs for the Total value, but only 48 for the Tunnel value:

 

80F_Datasheet_Managed_FortiAPs.png

 

This value can also be seen on the FortiGate web GUI under WiFi & Switch Controller -> Managed FortiAPs by hovering over the Managed element on the right-hand side of the screen:

 

80F_GUI_Managed_FortiAPs.png

 

The above values are determined based on the Wireless Termination Point (WTP) mode of the FortiAPs currently managed by the FortiGate. To clarify, the WTP mode of a FortiAP determines, or is determined by, the types of wireless SSIDs that are being broadcast by that particular FortiAP unit:

  • When a FortiAP is in normal mode, the FortiAP is able to broadcast both tunnel-mode and bridge-mode SSIDs, and it is counted under the lower Tunnel limit.
  • When a FortiAP is in remote mode, the FortiAP is only able to broadcast bridge-mode SSIDs, and it is counted under the larger Bridged/Total limit.

 

Key Note:

 As of v6.4.1 and later, the WTP mode of a given FortiAP is automatically detected and set based on the SSIDs that the FortiAP has been configured to broadcast (either directly or via a shared FortiAP Profile). To check the current WTP mode of the managed FortiAPs, run the command diagnose wireless-controller wlac -c wtp on the FortiGate and check for the wtp-mode entry:

 

FortiGate # diagnose wireless-controller wlac -c wtp
-------------------------------WTP 1----------------------------
WTP vd : root, 0-FP221ETFXXXXXXXX MP00
[...]
admin : enable
wtp-profile : cfg(fap221ecn) override(disabled) oper(fap221ecn)
wtp-mode : normal
wtp-wanlan-mode : wan-only
[...]

 

Before v6.4.1, the WTP mode had to be set manually on a per-FortiAP basis, with the default being set to normal mode. This meant that FortiAPs that were only assigned bridge-mode SSIDs would still be limited to the lower 'Tunnel' limit for the maximum number of Managed FortiAPs until they were manually changed to remote mode. To change the mode in earlier firmware, the following CLI commands could be executed (the setting is read-only in modern FortiOS and cannot be modified):

 

config wireless-controller wtp
    edit <wtp-id>
        set wtp-mode [normal | remote]
end

 

Tunnel-mode SSIDs are more resource-intensive to handle on the FortiGate when compared to bridge-mode SSIDs (namely due to the CAPWAP encapsulation used to 'tunnel' user traffic from the FortiAP to the FortiGate), and so the FortiGate is rated for a lower maximum number of FortiAPs when they are handling tunnel-mode SSIDs vs. bridge-mode SSIDs.
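The following Python script, added here as an illustration and not part of the original article or any Fortinet tool, counts the wtp-mode entries in saved output of diagnose wireless-controller wlac -c wtp and compares them with the two limits. It assumes the output follows the record layout shown above, and that the Total limit applies to all managed FortiAPs while the Tunnel limit applies only to those in normal mode; the function names and sample serial numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the output shown above; serials are placeholders.
SAMPLE_OUTPUT = """\
FortiGate # diagnose wireless-controller wlac -c wtp
-------------------------------WTP 1----------------------------
WTP vd : root, 0-FP221ETFXXXXXXX1 MP00
wtp-mode : normal
wtp-wanlan-mode : wan-only
-------------------------------WTP 2----------------------------
WTP vd : root, 0-FP221ETFXXXXXXX2 MP00
wtp-mode : remote
-------------------------------WTP 3----------------------------
WTP vd : root, 0-FP221ETFXXXXXXX3 MP00
wtp-mode : normal
"""

RECORD_SPLIT = re.compile(r"^-+WTP \d+-+[ \t]*$", re.MULTILINE)
# Anchored so that "wtp-wanlan-mode" is never mistaken for "wtp-mode".
MODE_LINE = re.compile(r"^[ \t]*wtp-mode[ \t]*:[ \t]*(\S+)", re.MULTILINE)

def count_wtp_modes(output):
    """Return a Counter of wtp-mode values, one per WTP record."""
    counts = Counter()
    # Text before the first record header (the CLI prompt) is not a record.
    for record in RECORD_SPLIT.split(output)[1:]:
        match = MODE_LINE.search(record)
        counts[match.group(1) if match else "unknown"] += 1
    return counts

def capacity_report(counts, tunnel_limit, total_limit):
    """Compare counts with both limits.
    Assumption: Total covers every managed FortiAP (normal + remote),
    Tunnel covers only FortiAPs in normal mode."""
    normal = counts.get("normal", 0)
    total = sum(counts.values())
    return {
        "normal": normal,
        "remote": counts.get("remote", 0),
        "total": total,
        "tunnel_headroom": tunnel_limit - normal,
        "total_headroom": total_limit - total,
        "tunnel_limit_reached": normal >= tunnel_limit,
        "total_limit_reached": total >= total_limit,
    }

if __name__ == "__main__":
    # 48 / 96 are the FortiGate-80F Tunnel / Total values quoted above.
    print(capacity_report(count_wtp_modes(SAMPLE_OUTPUT), tunnel_limit=48, total_limit=96))
```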

 

If the FortiGate wireless controller has reached its maximum limit of managed FortiAPs operating in tunnel mode, the FortiAPs can be configured to operate in local bridge mode instead. To configure FortiAPs for local bridge mode, follow these steps:

  • Configure at least one SSID with the Traffic Mode set to Local Bridge.


Bridgemode SSID.png

 

  • Create a new custom AP profile or clone an existing AP profile that includes only local bridge SSIDs.

 

FortiAP Profile.png

 

  • Assign the FortiAP to use the newly created or cloned AP profile to switch it to bridge mode.

     FortiAP.png

     

  • Finally, authorize the FortiAP under Managed FortiAPs.

 

For more information on this limitation, refer to the following document: How to increase the number of supported FortiAPs.

 

In addition to the datasheet and the FortiGate GUI, it is also possible to determine the maximum number of FortiAPs supported by a particular FortiGate model running a particular firmware version by checking the Maximum Values Table for the FortiGate.

 

Related documents:

config wireless-controller wtp: The last branch to support the manual wtp-mode setting.

Technical Tip: Increase in maximum number of managed FortiAPs