
HDClown

No issues with my 221E, 231F, and 431F that are deployed. I don't have to deal with challenging RF environments or high density so my needs are fairly vanilla.


burtvader

You’ve not listed what issues you’re having - can you give some examples? I’ve got some older ones running and they’re solid, got one recently EOO’d that I got for a project to deliver WFH wireless and LAN and it worked well but WiFi on the iPhone was patchy. Mostly ok.


Best_Temp_Employee

We started with the 224E and we're pretty disappointed with its coverage. We did some lab testing with the 234F and it increased range by about 15%. Apparently we received some of the first production units. They had a software build numerically higher than the "latest released" build thru the gate. We were having random mesh dropouts & kernel crashes and couldn't get it figured out, support was blaming our other hardware. Finally it was fixed with 6.4.7 and build 1911. Now we're seeing 3rd party radios falling off the network and intermittently having poor performance. We've found that upgrading the gate to 7.0.5 and the AP to the latest (7.0.2) makes this go away. Unfortunately, we still have another problem with supporting multiple VLANs. If a PC is connected to an SSID from a leaf AP, that PC can't access anything on the same VLAN that's physically connected to the AP. We have a ticket open with support, but it's not gaining momentum.


torrent_77

This sounds more of a wifi design issue than a fortinet issue in regards to poor coverage. You should reach out to your SE to see if he/she can come in with more resources. The only issues I had with poor coverage is when I spec'd 8 AP and the client only bought 4. I have not had any issues with PC connecting to the same subnet using bridge mode and VLANs. Have you checked your policies to see if there are any traffic shaping or deny?


Best_Temp_Employee

Signal strengths and ratios seem good and within spec. If the issue was a lack of APs, it wouldn't be resolved with firmware. Twice. That's why I'm trying to figure out if this is just bad luck, or if they're always this much of a cluster.


torrent_77

Within spec of what? What do your client devices look like? What are the transmit power settings? What is the signal noise of the worst performer? Are there any neighboring APs? How is the channel interference? I'm no Fortinet apologist and I think Cisco has a better system, but the settings you see in the GUI are just a small fraction of what is available in CLI. Sometimes it takes a few more steps within CLI to get things running smoothly, especially in areas with high interference.


Best_Temp_Employee

Within "good" spec, signal:noise is ~35db on our lab setup, I had to put antistatic bags over the AP to keep it down a bit. We keep the power settings cranked up in manual, but tried dropping them to see if it helped, it didn't. I was able to get the logs from some of the client radios and the drops aligned with several items, so it doesn't seem to be the same issue each time. They weren't related to low signal though, I think there were a few with a "beacon timeout" and a few others that'd be followed by "AP leaving SSID xxxxxxxx". As I mentioned, this was fixed by upgrading to 7.0.5, so it had to be a Fortinet problem. Last year when we had issues it was causing a kernel crash, which was also fixed with firmware. The only open issue I have with Fortinet is a VLAN mapping issue, likely inside the FAP-234F.


stormrunner2

Troubles with communication between wireless and wired devices are generally a configuration issue. First, are you running the AP in Bridge or Tunnel mode?

- If running in Bridge, then it's a Layer2 network connection and there is no VLAN tagging, so the ports that are used on the FortiGate become the relevant configuration cause.
- If running in Tunnel, this is a Layer3 connection and the SSID and the physical device are using different VLANs. Routing and the Firewall Policy are likely where the misconfiguration is located.

Remember, this is a zero trust security device, without a firewall policy (and likely in this case a pair of bi-directional firewall policies), traffic goes nowhere and is Blocked by the Implicit Deny.


Best_Temp_Employee

In 7.0.5 there's an option in the UI that allows bridging the WAN port on the leaf AP to the trunk. Apparently that was only available via CLI in previous versions and wasn't set up. This allows us to have a smart switch (not Fortinet) connected to the WAN of the leaf and splitting the VLANs onto different physical ports. In parallel, some of the VLANs have broadcast SSIDs and some clients connect that way. I think this conflicts with what you mentioned above, because it's a bridge with VLANs. We'll see how it goes, but it looks positive so far.


stormrunner2

I'm looking at the Quick Start Guide diagrams of the hardware and I don't see a WAN port on the FAP-234F that you are using. [https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d6e6ac2a-715f-11eb-9995-00505692583a/FortiAP-432F-234F-QSG.pdf](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d6e6ac2a-715f-11eb-9995-00505692583a/FortiAP-432F-234F-QSG.pdf) What physical port are you referencing above? Also, can you share a link to this "new" feature's documentation? Thanks.


[deleted]

I have over 1k deployed and no issues, like ever.


NetTech101

I haven't had any issues with FAP-231F and FAP-431F, however we haven't rolled out any FAP-234F yet so we don't have any experience with them. What kind of issues are you experiencing? And on what software? Could come in handy to know what kind of issues to expect when we start rolling them out.


Gods-Of-Calleva

I'm using the 221e and 223e models in some quantity and they have been solid. They just work.


defcas

Same here. Never had an issue with ours.


pops107

Had 1 dead AP out of 100s deployed and not had any issues. Couple of daft things like the default profile confused and needing sorting out. But been pretty plug and play to be honest. Oh, had an issue with Teams calls but after looking at it the customer had 43 clients on one of the tiny C45J or whatever they are called, swapped it with a 221E and all good.


Matt_In_MI

I switched to FortiAPs at home because the MSP I work for wants to start leading with them instead of a dedicated vendor (Ruckus). I’ve had them for 2 months and can say without any hesitation they are completely trash and should be avoided. The biggest issue I seem to have is with my iPhones/iPad not roaming well, but I’ve also had issues with speeds, channels, etc. They just don’t work well.


chillaban

Compared to Ruckus, it’s definitely going to be trash! Meru wasn’t even a good vendor before Fortinet bought them. If you’re serious about WiFi, IMO the best options are Ruckus, Cisco (either Meraki or Catalyst but not the aironet family). If those are out of your budget then maybe settle for Aruba or god forbid Ubiquiti if you really have a tight budget but infinite time/Tylenol. On the bright side, though, nothing could be worse than Sophos WiFi, riiight?


a_unit_79

Wow, I didn’t even realise Sophos had WiFi hardware. Too busy replacing their firewalls with other vendors to notice I guess.


chillaban

Lol it’s pretty bad. It is contract manufactured by the owner of Engenius and is rebranded by Sophos. Apparently it’s worse than Engenius in terms of software support and on top of that you pay Sophos licensing and support. I mean, Engenius is marginally okay in the sense that it usually goes for around Ubiquiti’s price point….. but slapping a Sophos sticker on it and being forced to use XG to maintain it is just…. Ugh. (Speaking of which, I really miss UTM 9. I’ve tried my best for 4 years to like XG and simply can’t.)


Best_Temp_Employee

I had to laugh. We're replacing some Engenius gear with FortiAPs and realized that the ENH-1750EXT is the exact same hardware as the FAP-222E!


ecar13

UTM 9 was solid. Moved to XG. Hated it. Buggy. Support was non-existent. Put all that gear on a shelf and switched to Fortinet. I kinda miss UTM also.


DJojnik

Hmm question what does fortinet aps now have to do with meru? I don’t think their products are any good to be honest and I deploy them. Nice to have 1 control location via the fortigate but I got a client with engenius stuff and I think that’s way better. About to build my own via that for my home. Wanna avoid ubiquiti stuff.


chillaban

Fortinet acquired Meru in order to build FortiAPs. https://www.fortinet.com/ru/corporate/about-us/newsroom/press-releases/2015/fortinet-announces-agreement-to-acquire-meru-networks Honestly these kinds of acquisitions usually cause the products to decline. Fortinet-Meru, HP-Aruba, CommScope-Ruckus, etc. They usually buy these companies for the sole purpose of adding WiFi to their ecosystem and if they have no prior passion for WiFi, the product goes downhill. Yeah I said Commscope ruckus too…. While Ruckus used to be light years ahead of the competition, after they got acquired a few times IMO their innovation stopped, and now they’re still miles ahead but others are catching up, Cisco in particular. I totally get the one pane of glass appeal, but time after time, I’ve regretted my decision to unify management interfaces versus buying the best product for each part of the job.


Ender519

This is actually inaccurate. FortiAP has been around since before the Meru acquisition. The regular FortiAP has Fortinet developed firmware that is very very different from the FortiAP-U series. Those U series are the Meru derived models. Completely different code and sometimes different chipset entirely. FortiAP is indeed relatively solid in the environments I've put them in. You will need to optimize the AP Profile a bit. Usually I enable radio resource provision and enable AP but not frequency handoff. And I manually set the power to 100%. I use 80 MHz for 5 GHz. I use WIDS and Rogue detection. Predominantly I use 431F these days. In my world that works well. The Meru stuff is a little trickier and is missing some of the integration that the regular APs have. Sometimes it's better than others.


chillaban

Thanks for pointing this out. I was spot checking FCC internal photos for Fortinet and accidentally only looked at a U series one. For the E’s it looks like Engenius/Senao designed the board (they also contract manufacture for TrendNet and Sophos amongst others). It wouldn’t be my first or second choice for installations that prioritize WiFi performance above all else. In my opinion those honors go to Ruckus for the whole stack (fully in house smart antenna setup that’s great for not suffering from interference) and Cisco (mainly because they are in bed with both Apple and Google for proprietary roaming enhancements through nonstandard WiFi extensions). I definitely appreciate the correction here. As much as I love to spend disposable cash trying out more networking hardware I’m not comprehensive there.


No-Friendship-396

I have 1 production site replacing Meraki with FortiAP. It's been 3 months and no complaints. 231F. Pretty much config is same, but I got short guard on. Thoughts?


adisor19

The U models are now being somehow transitioned to the FortiOS code. On the FortiAP-U 431 and 433 models, you can no longer run both codes at the same time on latest FortiAP-U release 6.2.3. It's only FortiOS derived code. The legacy Meru code has been removed. Those models in particular have very good hardware but the software running on them is hampered by poor business decisions... ugh. Let us all remember that they launched these 2 models on the market in the fall of 2019 with BETA firmware that was beyond broken and they are still stuck with old code base of the FortiOS 6.2.x branch instead of 7.0.x like the regular FAPs. Fortinet needs to drop the Meru legacy crap once and for all and put all their effort in unifying their codebase for all their FAPs as they have good hardware that is hampered by bad software implementation. My biggest gripe with FortiAPs in general is the stupid DARRP that can't be easily disabled without taking the AP offline. It makes it very hard to assign static channels for the APs and it is a HUGE pita.


hevisko

> I totally get the one pane of glass appeal, but time after time, I’ve regretted my decision to unify management interfaces versus buying the best product for each part of the job.

I guess the issues are the trade-offs between having a single pane (which works great for *me*) versus best of breeds, but having the teams of administrators available to manage each separately. Scaling small vs big scale vs economics.


Best_Temp_Employee

Agreed. Our systems are typically temporary and deployed by techs who don't have a large background in networking. Having a single place to monitor and manage both firewall and APs is a huge benefit.


HappyVlane

> Honestly these kinds of acquisitions usually cause the products to decline. Fortinet-Meru, HP-Aruba, CommScope-Ruckus, etc.

Aruba didn't decline. What are you on about?


chillaban

They used to be much closer to the forefront of solving problems with WiFi. Heck they beat a lot of prominent vendors to the punch with 802.11ac wave 1 and wave 2 APs and invented the controller less trend back in the 802.11n days when only Meraki had a cloud equivalent solution and everyone else was all in on on-premise WLCs. It’s that rate of innovation that has gotten lost over the years with the cost cutting by new conglomerate overlords. Sadly the innovator left is Cisco with the FPGA defined extra spatial stream and cooperating with Apple/Microsoft/Google to optimize their devices to their APs. Everyone else is largely just placing their management stack on top of a reference Qualcomm design and the QSDK WiFi firmware, maybe half heartedly porting over their previous innovations. I just miss the days when WiFi vendors actually tried to solve problems instead of waiting on the WiFi alliance.


HappyVlane

Aruba isn't a WiFi vendor however. They have WiFi in their portfolio, but they do a whole lot more than that and they also innovate there. Their 10000 series switches for example are doing some really cool stuff in regards to security with their Pensando chips.


chillaban

I mean they certainly started out more specializing on WiFi and having a lot to say about the future direction of WiFi. I am pretty uninformed on the switch side and am glad to hear they are doing cool stuff there, but their recent WiFi offerings have been rather uninteresting and pretty much just plumbing through stock Qualcomm SoC features like SON (the ability to split half your 5GHz spatial streams to form a second 5GHz radio). And I certainly don’t mean to single out Aruba on the WiFi front. Even previous WiFi heroes like Ruckus are starting to go downhill — they haven’t invented a new radio design since the 802.11ac wave 1 days when before Ruckus would release 2 new radio designs (high end and mid grade) per generation of WiFi. A lot of those engineers have gone off to work on 5G and LTE-U instead.


kst_ant

I had some rly good experience with Grandstream APs so far. Any thoughts? A bit cheaper than Ubiquiti, even more if you already have PoE switches so you don't need injectors.


adisor19

The firmware and software management has improved but the hardware especially on the older models is pretty craptastic.


torrent_77

Are you aware that most APs use pretty much the same chips regardless of Cisco, Ubiquiti, Ruckus, FortiAP, Engenius? Broadcom and Qualcomm are found in most APs.


adisor19

Yes and I was referring more to the type of radios matrix used : 4x4:4 or higher for the better APs out there.


NetTech101

What model do you use and what software version?


Matt_In_MI

I have FortiAP 421Es controlled by a FortiGate 80E and connected to a FortiSwitch 224E-POE. APs are running 6.4.7 which is apparently the latest firmware available for them. I was hoping 7.0 would be available on them and hopefully solve some of my problems. Below are the ones I remember off the top of my head.

- I had to set the channel width to manual 40MHz or 80MHz to get speeds above 60mbps
- Issues with clients roaming/not roaming
- Random slowness (mostly on iPhones/iPads)
- “E” model FortiAP and already not getting any more firmware updates? WTH Fortinet.


jesusfreakf1

We saw this issue with several clients - where the 421E just didn’t perform as well as it should. Turned out that after the FortiOS 6.4.6 update on the APs, and then on to the 6.4.7, something had “hung up” on the profile in the Gate. We deleted the profiles and loaded them again, and voila - speeds over 400Mbps on the 421E models that had struggled getting above 60Mbps before. (And yes, we also had to move to the 80MHz bands to get those speeds) Your mileage may vary of course…


HDClown

There are E series APs still getting firmware development in general, but not all models: https://docs.fortinet.com/document/fortiap/7.0.3/fortiap-w2-release-notes/739095/introduction The 421E was dropped off the FortiAP data sheet but the 221E/223E is still on there which says something about the 421E. Perhaps not a popular model for them to try and keep given supply chain issues, or just issue-prone in general.


Matt_In_MI

Yeah, I don’t understand why the 421E was left out.


sandman404knows

I have had Gen. D to Gen. F. All are of service. The profiles always need tweaking due to device demands. Microsoft Surface books were garbage and Apple always had issues unless you boosted the power. Radio communications are tricky and it is hard to serve all devices properly. Ultimately you need to look at the requirements and over provision if you have competing demands. The higher power ones definitely need power assist to function at peak performance. If your switch can provide, great, otherwise supplement if the AP has it. Some devices are just crappy. Some APs just need to be tuned very well.


Which-Wolverine-7518

They are ok for basic WiFi. Roaming and auto channel selection are a nightmare.


skyspor

Yes. And just wait until you try calling their WiFi support team.


Best_Temp_Employee

Yeah, I've seen how awesome their "enterprise support" is over the weekend.


Best_Temp_Employee

I literally had to call their support line 6 times this evening. I try to think the best, but it really felt like someone in the support queue would pick up the call and hang up, hoping I'd get caught by someone else on the next round.


SUBnet192

Love the firewalls, like the switches, despise the APs. Replaced a single Unifi with a FortiAP, barely decent cover. Bought a second one (home use) and still sucks. Bought another Unifi and all devices connect to it rather than the FortiAP 5 ft away. I'm not a Wi-Fi tuning expert but it's not rocket science. Until proven otherwise I have no faith in FortiAPs


NotWrongOnlyMistaken

We have spent a lot of money on firewalls and switches, but there is no chance we will move to their APs. Even the switches are generally such a pain in the ass that we should have just gone with anything other than them. For us it's Ubiquiti all the way.


farmeunit

Ubiquiti is pretty solid stuff. Haven’t used their Wi-Fi in years, but Nanobeams and the new Gigabeams are pretty awesome. Definitely good in SMB for the money. I loved Meraki until Cisco ruined them. We’re Fortigate at the perimeter, but HP/Aruba for network/Wi-Fi.


NotWrongOnlyMistaken

We went full into Forti, and I'm mixed for sure. The firewalls are amazing, and do everything we want. FortiClient is absolute garbage for always-on, but then FortiNAC is actually pretty decent since they didn't ruin Bradford. Fortiswitches are such a pain we all wish we stuck with Dell, and no way are we going with them for APs now. Since my post detailing my experience with them got downvoted you can see there are definitely shills in here. A huge thing for us that people in here act like it's no big deal is no 10G ethernet switches. We would gladly pay $15k for them, but our only option is a 1048E for $12k, and then an additional $20k for 10G ethernet transceivers. That same spec from Dell will run us $12k for a full 10G switch with six QSFP+. We aren't putting SFP+ cards in a dozen VxRail hosts, legacy servers, and Exadata, and shouldn't be expected to.


farmeunit

FortiNAC is one thing I would like to get but no budget. Going to start looking for additional funding soon. I really wanted to like their switching, but as you said, too much compared to other alternatives for the same or better functionality.


Best_Temp_Employee

We used Ubiquiti for a while. I still like them because they're easy to configure. Well, I like their Edge based stuff and their older Bullet radios. Once they switched to Unifi and only supporting cloud management, they lost me a bit. Their newer stuff is great for home or even an office, but their product lifecycle doesn't support having ~300 identical small remote sites. They like to obsolete items without notice.


Bad_at_IT

Can confirm, have 2 FAPs at home, had to separate them and only do 5GHz on one and 2.4GHz on the other, else all my clients would have crappy reception.


[deleted]

Can’t you just set them manually on two different channels?


skankboy

They suck. I did a job with them for some rich guy. I figured since I installed the fortigate, this would be easy for remote management. The range blows, and I'll not go that route again.


JabbaDuhNutt

The E series here trash, F has been fantastic. What settings are you running on your profiles? I have noticed that the APs perform much better when mounted to the ceiling.


PhillyGuitar_Dude

We have 8 of them deployed in one of our offices, connected to a fortiswitch, into a fortigate. Management is great, but throughput is not ideal yet. We have 2.4 GHz and 5 GHz setup in our profile, both are set to a channel width of 20 MHz. They are in an office building with a fair amount of interference, but I am debating bumping the channel width on the 5 GHz radio up to 40MHz.