When configuring the SSID for FortiAP, two of the most common traffic mode options are bridge and tunnel.

Bridge traffic mode allows the wireless endpoint to communicate with the LAN resources while tunnel traffic mode means that the wireless endpoints are going to be on a different broadcast domain and network subnet which is more ideal in terms of performance and security.

Guest SSID is normally added as a tunnel because guest users are not supposed to connect to Local Area Network (LAN) devices for security purposes. On the other hand, internal SSIDs for employees and staff normally require access to LAN to access network resources such as printers, file servers, etc. 

Guest SSID should be on tunnel mode and a firewall policy from the Guest SSID to WAN with NAT enabled is needed to allow internet connection. Internal SSID should be configured as tunnel mode as well unless there's a requirement for wireless endpoints to be on the same broadcast domain as the LAN.

The endpoints connected to internal SSID are not allowed to communicate with other network subnets by default thus two firewall policies are needed, one for internet SSID to WAN with NAT enabled, and another one for internal SSID to LAN networks without NAT enabled.

Ideally, enable Multiple Interface Policies in System -> Feature Visibility to enable adding multiple interfaces in the source and destination interface to consolidate the needed firewall policies.