Description
This article explains how the maximum number of Managed FortiAPs is calculated and why there are two separate limits shown in both the FortiGate GUI and the corresponding datasheet for that FortiGate model.
Scope
FortiGate, FortiAP, Wireless SSIDs
Solution
Each FortiGate model has a pre-defined limit for the Maximum Number of FortiAPs that can be managed by the FortiGate (acting as a wireless-controller). This limit can be observed in the datasheet on a per-model basis, and notably the limit is split into two values (Total and Tunnel).
For example the FortiGate-80F datasheet indicates that it supports 96 FortiAPs for the Total value, but only 48 for the Tunnel value:
This value can also be seen on the FortiGate web GUI under WiFi & Switch Controller -> Managed FortiAPs by hovering over the Managed element on the right-hand side of the screen:
The above values are determined based on the Wireless Termination Point (WTP) mode of the FortiAPs currently managed by the FortiGate. For more clarification, the WTP mode of a FortiAP determines/is determined by the types of Wireless SSIDs that are being broadcasted by that particular FortiAP unit:
- When a FortiAP is in normal mode, the FortiAP is able to broadcast both tunnel-mode and bridge-mode SSIDs, and it is counted under the lower Tunnel limit.
- When a FortiAP is in remote mode, the FortiAP is only able to broadcast bridge-mode SSIDs, and it is counted under the larger Bridged/Total limit.
Key Note:
As of v6.4.1 and later, the WTP mode of a given FortiAP is automatically detected and set based on the SSIDs that the FortiAP has been configured to broadcast (either directly or via a shared FortiAP Profile). To check the current WTP mode of the managed FortiAPs, run the command diagnose wireless-controller wlac -c wtp on the FortiGate and check for the wtp-mode entry:
FortiGate # diagnose wireless-controller wlac -c wtp
-------------------------------WTP 1----------------------------
WTP vd : root, 0-FP221ETFXXXXXXXX MP00
[...]
admin : enable
wtp-profile : cfg(fap221ecn) override(disabled) oper(fap221ecn)
wtp-mode : normal
wtp-wanlan-mode : wan-only
[...]
Before v6.4.1, the WTP mode had to be set manually on a per-FortiAP basis, with the default being set to normal mode. This meant that FortiAPs that were only assigned bridge-mode SSIDs would still be limited to the lower 'Tunnel' limit for the maximum number of Managed FortiAPs until they were manually changed to remote mode. To change the mode in earlier firmware, the following CLI commands could be executed (the setting is read-only in modern FortiOS and cannot be modified):
config wireless-controller wtp
edit <wtp-id>
set wtp-mode [normal | remote]
end
Tunnel-mode SSIDs are more resource-intensive to handle on the FortiGate when compared to bridge-mode SSIDs (namely due to the CAPWAP encapsulation used to 'tunnel' user traffic from the FortiAP to the FortiGate), and so the FortiGate is rated for a lower maximum number of FortiAPs when they are handling tunnel-mode SSIDs vs. bridge-mode SSIDs.
For more information on this limitation, refer to the following document: How to increase the number of supported FortiAPs
In addition to the datasheet and the FortiGate GUI, it is also possible to determine the maximum number of FortiAPs supported by a particular FortiGate model running a particular firmware version by checking the Maximum Values Table for the FortiGate.
Related documents:
config wireless-controller wtp: The last branch to support the manual wtp-mode setting.
Technical Tip: Increase in maximum number of managed FortiAPs
