Bridge wireless-clients to lan + management-vlan for FortiAP

I configure it this way (but we are not using FortiAP). AP itself is in mgmt vlan with a specific vid just like yours. All Wifi Networks that are broadcasted have their own subnet AND vlan. 

Ports on switch where AP is connected are vlan trunk with mgmt vid as pvid (i.e untagged in mgmt and tagged in all others). FortiGate then has vlan interfaces for all vlans so traffic is completely seperated. 

Traffic between vlans/ports is maintained by policies (routing is already there itself because of the interfaces). 

Works fine here even from wifi through ap + switch + FGT + ipsec to HQ :)

what would not work in my configuriation (without some proxy) is services that use udp broadcasting like bonjour or airprint. DHCP uses that too but the FGT can do DHCP relaying intself so this works.

Thanks for your information :-).

Do you think it is  a security risk to put a FortiAP in a vlan where the notebooks of the employees are connected to?

I had the idea to take a separate vlan as the manamenent-vlan of the FortiAPs because the employees or foreign (criminal) persons could try to hack one or several FortiAPs.

Do you understand what I mean?

I'm not sure about your network topology. But if outsider can come in to your LAN side to reach the FortiAP, you got a much bigger problem. Generally it's not allowed or blocked by the Fortigate. On WiFi side, first, guests and employee/corp accesses need to be separated by SSID and generally with subnets as well.

If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.

I regularly don't use "bridged" SSID so that SSID users can be in a separate subnet/VLAN per user group and put separate policies as necessary. If you do that you can put management connection on different subnet/VLAN.

Toshi