
Performance Tuning for High-Density Wi-Fi

Optimize for crowded venues with intelligent RF tuning and user authentication.

Mastering High-Density Wi-Fi with FortiAP and FortiGate

Well, once again it’s me, setting my third coffee back on my desk and pondering one of the most challenging beasts to tame in our network world: high-density Wi-Fi. I’ve been around the block since the early 2000s, and I kicked off as a network admin back in ’93 managing voice and data muxes over PSTN. Yep, the days before broadband and smartphones sucked up all the RF! Nowadays I run PJ Networks and spend time with clients (including a trio of big banks wanting to fine-tune their zero-trust aspects) getting their FortiAPs and FortiGates ready for dense environments. And let me tell ya, it’s a whole other ballgame.

Density Challenges

Let’s start by talking about why high-density Wi-Fi is not your normal networking problem. When a couple of dozen devices fill a meeting room, fine. But try thousands at an arena or on a campus and you have a recipe for disaster if you’re not careful.

  • Interference becomes a nightmare.
  • Authentication servers are slammed.
  • The network chokes on channel overlap.

Here’s the catch. Most of the advice out there boils down to adding yet more APs, as if more APs can only add goodness. Nope. Not even close. You need to know a bit about how FortiAPs and your FortiGate controller interact, especially when you’re working with identity-based access. Without proper tuning? Expect angry users and security holes.

RF Planning

You can’t eyeball RF planning like back in the days when you plugged in some router and said a prayer. Nope.

At PJ Networks, we take wireless very seriously: we run accurate RF surveys and build heatmaps so that we have an ironclad understanding of signal coverage and interference zones. This isn’t a one-and-done thing, either. High density means we’re always iterating as user behavior changes.

Key elements:

  • Channel allocation: Big factor. We kick the shit out of channel overlap and squeeze every last MHz out of the spectrum.
  • Transmit power: Too much and your APs fight each other, too little and you end up with dead spots.
  • Antenna positioning: Imagine yourself a chef arranging ingredients to let flavors blend — not compete.

And I’ll do a mini rant here: I cannot tell you how many people contact me about installs each month believing RF is a black box. Just put APs everywhere! No. Don’t do that. It’s akin to overseasoning a sauce: you’ve spoiled the entire dish.
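The channel-allocation point above can be made concrete with a small planner. This is an added example, not PJ Networks' or Fortinet's method: the survey readings, the AP names and the -80 dBm floor are constructed assumptions, and the greedy heuristic is one simple way to push unavoidable co-channel overlap onto the weakest-hearing AP pair.

```python
# Constructed survey data: RSSI in dBm at which each AP pair hears the other.
HEARD = {
    ("A", "B"): -55, ("A", "C"): -60, ("A", "D"): -75,
    ("B", "C"): -62, ("B", "D"): -70, ("C", "D"): -78,
    ("D", "E"): -65, ("A", "E"): -85,
}

def neighbours(heard, floor_dbm):
    """Weighted adjacency: the louder the neighbour, the higher the weight."""
    adj = {}
    for (a, b), rssi in heard.items():
        adj.setdefault(a, {})
        adj.setdefault(b, {})
        if rssi > floor_dbm:  # pairs below the floor do not interfere
            adj[a][b] = adj[b][a] = rssi - floor_dbm
    return adj

def assign_channels(heard, channels, floor_dbm=-80):
    """Greedy plan: busiest AP first, each takes the channel its neighbours use least."""
    adj = neighbours(heard, floor_dbm)
    order = sorted(adj, key=lambda ap: (-sum(adj[ap].values()), ap))
    plan = {}
    for ap in order:
        def cost(ch):
            # Interference this AP would see from already-planned neighbours on ch.
            return sum(w for nb, w in adj[ap].items() if plan.get(nb) == ch)
        plan[ap] = min(channels, key=cost)  # ties go to the earlier channel
    return plan

def co_channel_pairs(plan, heard, floor_dbm=-80):
    """AP pairs that still share a channel while hearing each other above the floor."""
    return sorted(pair for pair, rssi in heard.items()
                  if rssi > floor_dbm and plan[pair[0]] == plan[pair[1]])
```

With only channels 1, 6 and 11 available, four mutually audible APs cannot all be separated, and the plan leaves the single overlap on the pair that hears each other at -78 dBm.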

Authenticator Load

This is one that tends to get missed until it slaps you across the face. Fast and secure authentication is key in crowded scenarios, especially where identity-based policy control is in play.

Most commonly, FortiGate is the authenticator for FortiAP. However:

  • It’s easily flooded by thousands of concurrent requests, like any other authenticator, especially in peak periods like lunch breaks or during a conference.
  • Misconfigured RADIUS servers can grind things to a halt.

I realized the importance of the following through my recent bank zero-trust rollouts:

  • Distributing requests to authenticators
  • Caching of credentials in accordance with security policy
  • Real-time tracking of authentication metrics

Seriously. Nothing kills the UX faster than waiting for 10 seconds just to be able to log into Wi-Fi. Not to mention that’s a security risk.
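For the "real-time tracking of authentication metrics" item above, here is a per-minute summary with threshold alerts. It is an added example, not FortiGate output or PJ Networks tooling: the key=value log format, the sample lines and the three thresholds are constructed assumptions.

```python
import math
import re

# Constructed sample in a hypothetical key=value format (not FortiGate's log schema).
SAMPLE = """\
2024-05-14T12:00:01 user=u01 ap=AP-12 result=accept latency_ms=180
2024-05-14T12:00:20 user=u02 ap=AP-12 result=accept latency_ms=220
2024-05-14T12:01:02 user=u04 ap=AP-07 result=accept latency_ms=900
2024-05-14T12:01:03 user=u05 ap=AP-07 result=accept latency_ms=4000
2024-05-14T12:01:03 user=u06 ap=AP-12 result=timeout latency_ms=9500
truncated syslog fragment
2024-05-14T12:01:04 user=u07 ap=AP-12 result=timeout latency_ms=10000
2024-05-14T12:01:09 user=u08 ap=AP-03 result=accept latency_ms=1200
2024-05-14T12:01:30 user=u09 ap=AP-03 result=reject latency_ms=3000
""".splitlines()

LINE = re.compile(r"^(\S+) user=\S+ ap=\S+ result=(accept|reject|timeout) latency_ms=(\d+)$")

def p95(values):
    ordered = sorted(values)  # nearest-rank 95th percentile of a non-empty list
    return ordered[math.ceil(0.95 * len(ordered)) - 1]

def per_minute(lines):
    """Group parsed events by minute: {minute: {"total", "failed", "p95_ms"}}."""
    buckets = {}
    for line in lines:
        if (m := LINE.match(line.strip())):  # malformed lines are skipped, not fatal
            buckets.setdefault(m.group(1)[:16], []).append((m.group(2), int(m.group(3))))
    return {
        minute: {
            "total": len(ev),
            "failed": sum(1 for result, _ in ev if result != "accept"),
            "p95_ms": p95([ms for _, ms in ev]),
        }
        for minute, ev in sorted(buckets.items())
    }

def alerts(stats, max_per_min=5, slow_ms=2000, fail_ratio=0.25):
    """Return {minute: [reasons]} for every minute that breaches a threshold."""
    out = {}
    for minute, s in stats.items():
        checks = [("burst", s["total"] > max_per_min),
                  ("slow", s["p95_ms"] > slow_ms),
                  ("failing", s["failed"] / s["total"] > fail_ratio)]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            out[minute] = reasons
    return out
```

Tracking the 95th percentile rather than the mean surfaces the users stuck at the 10-second mark even when most logins are fast.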

Tuning Parameters

Now, here’s where the beef is. Those who have been following me know what I usually advise with most technologies: go conservative. You can keep raising a setting later, but in many cases you can’t lower it once you’ve raised it too high (think the CoG setting). FortiAP and FortiGate are great devices, but they ship with settings meant to fit a lot of use cases, and sadly those almost never fit a dense environment. You gotta get into the weeds.

Some of the tuning I have been obsessing over:

  • Band steering: Push capable clients onto 5GHz to relieve congestion on 2.4GHz. But carefully: get too aggressive and you lose legacy devices.
  • Load balancing between APs: Tell the controller to do it, so that no single AP gets overloaded.
  • Roaming thresholds: Adjust these so that clients don’t hang on to a weak-signal AP longer than they should.
  • Airtime fairness: Give the newer, faster devices the faster airtime and don’t let the old clunkers hold everyone back.

And firmware updates — please, by all means — keep the Fortinet firmware up to date. A few of the tuning features, in particular those for high density, are only available in the newest versions. Some environments at PJ Networks have doubled their throughput simply by applying the appropriate patch.

Pro Tip: Don’t accept vendor defaults blindly; they aren’t always best for you. Test non-stop under true load conditions. And yes, it’s painstaking.

PJ Networks RF Survey

We do a lot of these. If I’m honest, there are times I feel like a Wi-Fi Detective.

  • We first generate heatmaps to see the current RF environment
  • Then we manually optimize channels in the FortiGate controller
  • Then comes per-AP tuning: climb into the controller and tweak power, heading, and advanced parameters

This is not just technical; it’s an art form. You know that cooking analogy? You can have all the ingredients, but the timing and seasoning bring the dish to life.

We recently did one on a large university campus that had over 300 FortiAPs. The network was suffering from poor tuning, and students complained of drop-outs in lecture halls. Post-tuning? There was almost a 70% decrease in dropouts, throughput substantially improved, and security policies worked seamlessly with FortiGate’s identity-based controls.

Ongoing Support

Wi-Fi tuning is not “set it and forget it.” That sort of thinking helped kill many deployments in the past.

PJ Networks provides 24/7 NOC monitoring (that’s 24 hours a day, 365 days a year), with special tools keeping an eye on:

  • Channel interference shifts
  • Spontaneous spikes in authentication load
  • Firmware health
  • KPIs on strategic aspects

If something’s wrong, we find it before users do. Like when I first detected a hint of worm activity years ago (Slammer; I still shudder thinking about that little bugger!), proactive monitoring can mean a disaster avoided.

The thing is, high-density Wi-Fi is a living ecosystem. Devices proliferate, use cases mutate. So too must your FortiAP and FortiGate configuration.

Quick Take

  • HD Wi-Fi requires RF planning — attention to radio frequencies, channels, powers, and placements
  • AuthN load can be a bottleneck: balance & cache wisely
  • Fine-tune beyond defaults with FortiAP/FortiGate—roaming, airtime, band steering
  • Keep updated on firmware and continuously check it
  • At PJ Networks, it’s surveys + tuning + 24/7 NOC = happy customers

To conclude, it’s tempting to just slap up more APs and call it a day. But here’s some truth from long decades in this business: without substantial tuning and identity-aware integration, you’re just painting over rust. And in cybersecurity, especially wireless, rust will provide holes that both bad actors and performance failures will happily exploit.

So yeah, it’s tricky and sometimes frustrating, but when you get it right, it’s a very big win. And believe me — after a long day, it’s the best coffee kick you’ll ever get.

Stay secure out there.

—Sanjay Seth, PJ Networks Pvt Ltd
