FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX, and the demand for plug and play deployment.
pjang
Staff & Editor
Article Id 381678
Description

This article describes a known behavior when attempting to update managed FortiAP-W2 units from the FortiGate using FortiGuard (WiFi & Switch Controller -> Managed FortiAPs).
Scope

FortiGate, FortiAP-W2, which includes: FortiAP-221E, 222E, 223E, 224E, 231E, FortiAP-321E, FortiAP-421E, 423E.

Solution

As of February 2024, firmware images for the FortiAP-W2 models are no longer available for download from FortiGuard servers. Note that this is different from the Fortinet Support site, where firmware files for these FortiAPs can be manually downloaded as .out files.

 

In a practical sense, this means that it will no longer be possible to upgrade managed FortiAP-W2 units from the FortiGate using FortiGuard. Instead, it will only be possible to update FortiAPs via File Upload (which is only possible if the FortiAP has an active Support Contract):

 

[Screenshot: FortiGate GUI, FortiAP firmware upgrade with the FortiGuard option greyed out]

This can also be demonstrated from the CLI using the command 'diagnose fdsm fortiap-latest-ver <FortiAP_Model>', where the FortiAP-W2 units will not show a valid firmware version or Image ID:

 

FortiGate # diag fdsm fortiap-latest-ver FP231E <----- FortiAP-W2 231E.
N/A

 

FortiGate # diag fdsm fortiap-latest-ver FP231G <----- FortiAP-231G.
FP231G - 7.4.5 b734 07004000FIMG0506604005
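
The check above can be scripted across a fleet to find models that FortiGuard no longer advertises firmware for, so they can be tracked for manual patching. The following is an added example, not Fortinet code: the result-line layout is inferred from the two samples above, the "FP" prefix for the other W2 models is an assumption, and all function names are hypothetical.

```python
import re

# FortiAP-W2 models from this article's Scope section. The "FP" platform-code
# prefix comes from the page's FP231E sample and is assumed for the others.
W2_MODELS = {"FP221E", "FP222E", "FP223E", "FP224E", "FP231E",
             "FP321E", "FP421E", "FP423E"}

CMD_RE = re.compile(r"^\S+ # diag(?:nose)? fdsm fortiap-latest-ver (\S+)")
# Result layout inferred from the one sample line on the page:
#   <model> - <version> b<build> <image id>
VER_RE = re.compile(r"^(\S+) - (\d+(?:\.\d+)+) b(\d+) (\S+)$")

def parse_transcript(text):
    """Map each queried model to its advertised firmware, or None for N/A."""
    results, pending = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        cmd = CMD_RE.match(line)
        if cmd:
            pending = cmd.group(1).upper()
            results[pending] = None  # stays None unless a version line follows
            continue
        ver = VER_RE.match(line)
        if pending and ver and ver.group(1).upper() == pending:
            results[pending] = {"version": ver.group(2),
                                "build": int(ver.group(3)),
                                "image_id": ver.group(4)}
        pending = None
    return results

def upgrade_path(model, advertised):
    """Classify how a managed FortiAP model can be upgraded from the FortiGate."""
    if advertised is not None:
        return "fortiguard"
    if model in W2_MODELS:
        return "file-upload-only"  # the behavior this article describes
    return "investigate"  # N/A for a non-W2 model is outside this article

def classify(text):
    return {m: upgrade_path(m, adv) for m, adv in parse_transcript(text).items()}

# Constructed session log, modeled on the two samples in the article.
SAMPLE = """\
FortiGate # diag fdsm fortiap-latest-ver FP231E
N/A
FortiGate # diag fdsm fortiap-latest-ver FP231G
FP231G - 7.4.5 b734 07004000FIMG0506604005
"""
if __name__ == "__main__":
    print(classify(SAMPLE))
```

Feed it a saved CLI session log; any model reported as "file-upload-only" has to be patched through File Upload with a .out image from the Fortinet Support site.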

 

Rationale:

The main reason for this change is a set of known issues with the FortiAP-W2 models, where they can take significantly longer than expected to complete firmware upgrades. This behavior on its own is not necessarily an issue, but problems can occur when combined with the fact that FortiAPs are most typically powered by PoE network switches (e.g. any power disruption during firmware upgrades can result in FortiAPs failing to boot up again).

 

As an example of how this can be a problem, refer to the following Special Notice in the v7.2.6 release notes: FortiAP-W2 models may experience bootup failure during automatic firmware and federated upgrade proc...

 

In the scenario described above, automatic firmware upgrades are being scheduled for both managed FortiSwitches as well as managed FortiAP-W2s. Notably, the FortiAPs are being powered via PoE by the FortiSwitch units.

 

Given how long FortiAP-W2 units can take to update firmware, there have been situations where the FortiSwitch can start and execute a firmware update and subsequently reboot before these FortiAPs can complete their updates. This disrupts PoE power delivery to connected devices like the FortiAPs, and this unexpected power-loss occurring mid-upgrade can result in bootup failures for the FortiAPs.

 

As a second example, a Customer Service Bulletin was posted for FortiAP-W2 units (and also certain F-series FortiAP units) in relation to HPE PoE Switches. For reference, see CSB-210127-1 posted on the FortiCare Customer Support Bulletin page.

 

In this scenario, HPE switches had a built-in behavior where they detect connected devices via Link Layer Discovery Protocol (LLDP). Notably, if a device did not respond to PoE for more than 120 seconds, the switch would reset/cycle PoE power for the connected port. In the case of FortiAP-W2, this frequently occurred due to the extended amount of time required to complete firmware updates. This unexpected power loss occurring during the firmware update would also cause the FortiAP to have bootup issues.

 

Notably, this particular issue was resolved in FortiAP v6.4.3 and later, where LLDP functionality would now be maintained throughout the firmware upgrade procedure. However, the overall issue of long firmware upgrade times for FortiAP-W2 units is one that cannot be addressed in software.

 

Recommendations:

As discussed above, the main issue is that FortiAP-W2 can take a very long time to complete firmware upgrades, and so they are susceptible to being 'bricked' when PoE power is disrupted for any reason. With that in mind, here are some general recommendations regarding upgrading these units:

 

  • As a reminder, this issue is specifically for FortiAP-W2 units, a list of which can be found here: FortiAP and FortiOS 7.6 Compatibility Matrix - FortiAP-W2. Other model variants (FortiAP, FortiAP-U, etc.) are not affected by this behavior.
  • As per the FortiOS Special Notice mentioned above, it is recommended to disable automatic firmware upgrades for any FortiAP-W2 units managed by FortiGate.
    • It is not even possible to do automatic updates for these units any longer since the function involves pulling firmware via FortiGuard. Since these units no longer have firmware versions advertised via FortiGuard, they can no longer undergo automatic/federated updates.
  • Consider pausing plans to update FortiAP-W2 firmware unless strictly required, since the upgrade process is what puts the FortiAP units in a precarious position.
  • Where possible, perform 'manual' upgrades of FortiAP-W2 units (e.g. update units one-by-one or in smaller, controlled batches) to reduce risk during firmware upgrade procedures (e.g. if a mass power-loss event occurs then only units in the middle of upgrades are susceptible).
  • Have someone available onsite with a Serial Console connection in case FortiAP-W2 recovery is required. Note that FortiAP-221E and 223E units do not have onboard console ports, so they will need to undergo RMA to be recovered.
  • Given the legacy status of FortiAP-W2 units, it may be a good idea to consider replacing them with newer models (e.g. F-series units, G-series, or newer).