1. Navigate to WiFi Controller -> SSIDs -> Create. Configure a new SSID by adding a name.
2. Choose the traffic mode as 'Tunnel-mode'.
3. Add the IP or Network Mask for the wireless interface.

4.  Enable DHCP. The address range will be automatically populated based on the IP Network assigned to the SSID.

5. Complete the WiFi settings by adding the SSID and passphrase. Keep the rest of the configuration on default or configure Radius if necessary.

6. Create an AP Profile for a specific hardware model, WiFi Controller -> FortiAP profiles > Create.
7. Supply the name and the hardware model for the platform on which the profile will be applied.

8. The SSIDs, by default, assign all Tunnel-mode SSIDs to the profile. The SSIDs must be the same for Radio 1 and Radio 2. Leave the rest of the setting to default. Select 'OK' to save.

9. Create a firewall policy to allow internet traffic for the wireless network. Ensure that the SSID is selected as the       Incoming interface and the Internet-facing Interface as the Outgoing Interface. 

Note: Starting FortiOS v7.6.5, the quarantine option is disabled by default when creating tunnel-mode SSID, preventing automatic creation of unused quarantine VLANs and simplifying configuration and management.

In the CLI:

Endeavour-kvm63 # config wireless-controller vap

Endeavour-kvm63 (vap) # edit tunnel_vap
new entry 'tunnel_vap' added

Endeavour-kvm63 (tunnel_vap) # sh fu | grep quarantine
set quarantine disable

Endeavour-kvm63 (tunnel_vap) #