luffytarostrawcrew
New Member
April 1, 2026
Question

Looking for Thoughts on Bridge/Tunnel for FortiAP.

I currently have 4 FortiAPs managed by a FG-40F. The 40F's only job in life is to manage those APs and the switches; I had it laying around, and it's cheaper to keep paying for FortiCare for it than to run cloud managed.

I am currently in bridge mode; 3 of the APs are local and one is remote, connected to a FG-60F on the remote side and managed by the local FG-40F via an IPsec tunnel. I have the ability to run UTP on the APs but didn't buy the AP UTP license, since that is currently handled by a pair of edge FortiGates.

I have noticed that some stats just don't show up, and I am guessing it's because I am in bridge mode. Are there any benefits from running one or the other that I should be considering? I ran bridge because each AP has two home runs to two different FortiSwitches for hitless PoE failover and, I assume, data failover. So in my mind tunnel mode brought those APs into a single point of failure; however, I just ordered a pair of 70Fs to replace my edge firewalls and could in theory run an HA pair of 40Fs that just do switch and AP management. In that case they shouldn't, in tunnel mode, present a single point of failure.

I could also then benefit from having that HA pair managing the switches and APs also take over DHCP, since currently my DHCP lives on a pair of MikroTik routers with VRRP and I am constantly having to manually sync DHCP reservations, which I always seem to forget about with every new device I bring online.

1 reply

Toshi_Esumi
SuperUser
April 1, 2026

It's quite complicated in your description. Without a diagram it's difficult to understand what you have now and what you want to change. But one thing I can tell for sure is that a 70F can't be HAed with a 40F. All models in an HA cluster have to be the same.

Toshi