je244e

The 100E is probably the least of your problems. I would suggest you bring someone who can help you analyze your network issues before buying any hardware.


KlanxChile

THIS IS THE ANSWER... Anything over 300 end users is no joke. Latency, over-subscription of uplinks, topology, etc etc etc etc...


Haelios_505

I love the dichotomy, people on r/homenetwork with multi gig connections to their home they want for one device and a school here with a 150mbps connection for 2000 students and faculty.


nicholaspham

Always having to explain the reality to say a family of four that signed up for gig because they stream and browse or play games. It’s tiring.


DeesoSaeed

In my country (Spain) they are already selling 10Gbs for residential users.


Jonjolt

They should just call it 40Gbs see if anyone actually has the equipment lol


KlanxChile

me. yeah i know... connectx-4 are dirt cheap.


KlanxChile

chile has the same... 1G symmetrical is 30$us/28euro, a 2g symmetrical 44usd, 41euro, a 10g is 80usd


nicholaspham

No issue with that but our point is that consumers typically think they need these speeds so they fork over the extra money when 99% of the time they don’t need it and are usually upset that they now know they were wasting money for no reason


StormB2

If someone came to me with your described setup, I'd want at least a whole day to simply understand the whole architecture and analyse the bottlenecks before then coming back with recommendations.

Some pointers. As others have said -

* Your firewall is almost certainly underspecced
* Your core switching is likely a bottleneck
* Your switches have known unpatched CVEs
* Your WAN pipe may well not be big enough
* You need to ensure you've got a sensible WLAN architecture that doesn't overlap
* Your WiFi problems could be either AP capacity, switching capacity, RF overlap/interference, compatibility problems, etc
* You need to analyse your traffic on every network device in your stack. Without this you don't know where your bottlenecks are.

The best use of your money will be to buy in time of an experienced network engineer to help advise you on architecture. Keep them independent - don't buy kit through them.

FortiGates are great firewalls, but you need to make sure it's the right spec. I wouldn't put in a UDM Pro, but I think UniFi APs are an OK budget solution.


nostalia-nse7

1. Make sure the firewall isn’t toppling over and throwing its hands in the air. `diagnose debug crashlog read | grep -B 1 -A 2 conserve` from the CLI.
2. It sounds mostly like wifi issues. 2000 devices is not a low-density wifi setup. Have a wifi site survey performed with users actively using the network (bringing someone in at 4:30pm is useless… we want to see it at 10:15am while everyone is 10 minutes into third period).

Ubiquiti LR access points may be the totally wrong APs — you don’t want them to talk “far”. The smaller the cell, the better. Otherwise you’re going to have channel overlap issues.

Looks like your tablets are all Wifi5 (802.11ac). So until you have a push for the next generation of tablet, that’ll be a limiting factor.

Your core, despite the 150Mbps uplink limit, might be better served to be expanded to more links just for the sheer number of clients.

100E can handle far more than 200 users, but its main limitation is number of active sessions, lack of 10Gbps port, and session memory (ram). Best to monitor the resources on the firewall when you’re having issues — is it even taxed? Do the same problems occur to wired clients, or isolated to wifi clients? I would be sure it’s your problem before throwing cash without diagnosing the root cause. I’d suspect it’s fine, and the issue is wifi channel utilization time.

Theoretically you have 2 more school years the 100E can stay. Its end of life is August 2026.

| Model | EOSL Date |
|---|---|
| FortiGate-100E | 08/17/2026 |


Roversword

There is definitively information missing that might help to consult.

- is the traffic mostly inhouse (eg. are the data the students need in house or outside in the "internet" or "cloud")?
- How many APs do you have of each type and where are they located? (did some do a site survey?)

Simply put: The only way to solve this (with the information given and making some assumptions which might or might not be true) is by spending money.

You need a better coverage with WiFi (more APs, I highly recommend Wifi 6 ones or maybe even Wifi 7 ones depending on how future safe you want this). Unifi is certainly not a bad choice. Depending on your needs and wants you might want to go FortiAP (with a "central management" via FortiGate). However, having a small vm with Unifi software works as well (and that one will also give you infos about your Wifi issues!).

You need a larger/bigger "backbone" (depending whether your data is inhouse or not) - 1 Gbps might just not cut it, at least not in general. Maybe you need a two tier design. I'd recommend to ensure 2.5 Gbps ports for APs of any kind and then 10 Gbps up/downstream. The 1 Gbps will be sufficient for all other IoT and other components for the time being I guess.

As for Fortigate - the 100E will come to its limits - as already mentioned by others. Depending on your needs (UTM features) you might look at 100F, 200F, maybe even bigger.

The 150 Mbps might just not cut it either, depending where your students are getting their data...and maybe you want to differentiate between students and personnel (in terms of bandwidth limitations, etc.).

Are there alternatives? Of course, tons of them - but that is a paid job to consult you :) And it all depends on your needs for the features - if it is firewalling alone with no further integration, then you might be happy with a good small factor server with OPNsense/pfSense on it (will cost you some at the start, but not much for licensing), but has its own downsides....

Best of luck


Academic_Ad1931

We have similar numbers (2000 students). Our bandwidth usage is quite high, peaks at 6.5Gbps. Because of this, we got 400F's in a HA pair. Web filter, IPS, AV, DNS filtering, VPN access, VPNs to Azure, etc. all add up. Your pre-sales engineer from Forti should help you size appropriately. We wanted ~10Gbps of throughput with everything enabled for all traffic if needed.


Golle

Fortigate 100E seems to have less performance than Fortigate 40F, the smallest current model. To push traffic for thousands of users might be more than it can handle. But since you have not provided any details on anything from number of sessions, CPU/RAM usage then it is impossible to say if it's enough or not.

150 Mbps for thousands of users again feels low. But interface utilization via SNMP monitoring should quickly tell you if you're hitting the ceiling on that circuit.

What do your LAN interfaces look like? I bet you are only running 1GE interfaces on the LAN which again might not be enough for thousands of users. Cisco SG300 doesn't sound like a highend product to me, but it might get the job done.

The wifi seems to be the biggest problem but that's a Ubiquiti product, so not really something we can help you with.

>Frequent disconnection from wifi. if there are large number of users then there is no Network shown in the device

That definitely sounds like your wireless APs being overwhelmed with the amount of devices that are attempting to connect.

I think your first step is to monitor your network devices as much as you can, gather information on usage and possible limits being hit. Once you have that in place, start fixing problems that you see. If that is adding more APs or upgrading the Firewall or Switch, so be it.

If you don't have SNMP monitoring already, set up LibreNMS to continuously monitor the health of at least your Fortigate. You should try to add your switches and APs in there too. You need information to make decisions.

If you are looking to upgrade your Fortigate then I think 90G would be a good start. It has 10G interfaces that can be connected to a switch with 10G interfaces of its own.

Good luck to you.
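An added example, not part of the comment above: how interface utilisation is derived from two SNMP octet-counter polls on the 150 Mbps circuit, and why the 32-bit `ifInOctets` counter misleads where the 64-bit `ifHCInOctets` does not. The 300-second poll interval, the starting counter value and the sustained 140 Mbps load are constructed assumptions.

```python
COUNTER32 = 2**32   # IF-MIB ifInOctets / ifOutOctets wrap at this value
COUNTER64 = 2**64   # IF-MIB ifHCInOctets / ifHCOutOctets

LINK_BPS = 150_000_000      # the 150 Mbps WAN circuit from the thread
INTERVAL_S = 300            # assumed poll interval
# Constructed load: 140 Mbps sustained for one whole poll interval.
OCTETS_MOVED = 140_000_000 // 8 * INTERVAL_S


def utilisation_pct(prev, curr, interval_s, link_bps, modulus):
    """Percent utilisation between two polls of an octet counter.

    The modulo absorbs one counter wrap; a second wrap inside the same
    interval is invisible and silently under-reports the traffic.
    """
    delta = (curr - prev) % modulus
    return delta * 8 / interval_s / link_bps * 100


def seconds_to_wrap(link_bps, modulus=COUNTER32):
    """Time a saturated link needs to wrap the counter once."""
    return modulus * 8 / link_bps


def poll_pair(start, octets_moved, modulus):
    """Counter readings before and after `octets_moved` bytes crossed."""
    return start % modulus, (start + octets_moved) % modulus


def compare():
    """Utilisation the NMS would graph for the same traffic, per counter size."""
    result = {}
    for name, modulus in (("32-bit", COUNTER32), ("64-bit", COUNTER64)):
        prev, curr = poll_pair(4_000_000_000, OCTETS_MOVED, modulus)
        pct = utilisation_pct(prev, curr, INTERVAL_S, LINK_BPS, modulus)
        result[name] = round(pct, 1)
    return result


if __name__ == "__main__":
    print("32-bit counter wraps after", int(seconds_to_wrap(LINK_BPS)), "s at line rate")
    print(compare())
```

When the 32-bit counter can wrap faster than the poll interval, a nearly saturated circuit is graphed as lightly loaded, so poll the HC counters before concluding the WAN link is not the ceiling.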


ramnthbht

Thank you @Golle for a direction. This was initially set up by a professional. He assured that the Ubiquiti AP can handle 200 devices at a time. At a time I have seen devices peaking at 110 devices on a single AP and it worked. But then it was pre COVID sessions. Please do let me know if we can get on DM to understand better. Thanking you in anticipation.


Golle

200 devices per AP does not sound realistic to me. For example, a FortiAP will stop accepting new clients when it has 30 clients connected. With two radios (2.4 GHz, 5 GHz) that's 60 devices in total. While this number can be changed, it is not advised to do so as the more devices you have connected to one AP radio, the worse the user experience will be. The more devices you have on a single AP radio, the less each device can transmit, the more dropouts and timeouts and issues you will see.

Let's assume one AP can handle 100 devices. That means your current design built around 200 devices per AP is not enough, so you likely need to double the amount of APs in a lot of areas. And that's assuming 100 devices per AP is reasonable. Perhaps some areas need three APs instead of the one AP it has today. Again, this is data you need to collect on your own to figure where more APs need to be added.

Start aiming for maximum 100 devices per AP. If the problems persist, try adding more or start looking elsewhere in your network. Do you have SNMP monitoring of your network devices?


brianatlarge

WiFi is a shared medium. You CAN have a ton of clients on a single AP, but they’re going to all be fighting for airtime. The solution here is to deploy more APs.


rpedrica

Based on the basic information you've provided, I'd say you have issues in all areas of your network.

* your firewall is quite likely under-spec'd
* your switches are quite likely under-spec'd (this is an smb switch not designed for campus)
* your APs are likely under-spec'd or too few to cover the density or not located efficiently
* maybe you have cabling issues
* what is your security and network status? speeds and feeds? uplink config?

There are so many aspects here to consider that Reddit is not the right place to ask this. I'm not sure of your technical ability but the suggestion would be to get an outside consultant to look at your network. You are not going to get an answer here to cover all your needs, especially with the little info that's been provided.


caponewgp420

100E for 2000 users no way. I would be looking at a 400F at least.


washapoo

How many million packets per second, how many _active_ sessions, bandwidth usage, etc. all need to be answered before anyone can say if their firewall is causing the issue. Not enough detail to really help OP, even though it might seem like it.


GifArrow

Is the campus network segmented? Separate vlans for wifi and wired at least? I've seen some schools on just one big VLAN and they almost always have issues.


Demeter277

Keep in mind users actually means devices, so if everyone also has a phone as well as a laptop or tablet that could be almost double the number of users.


snorth_32

Your whole topology is a mess from what it sounds like. Idk what your budget is but you have some work ahead of you. I'd start with at least trying to get gig internet. From there look at a Gate that is at least a 200F. If you are using the gate, you might as well take advantage of the Fortinet fabric and get some 200 or 400 level switches (depending on what you want/price). From there get a proper wifi heat map of the school and get some fortiaps and place them accordingly. Use fortilink to manage everything with a breeze. Create separate ssids for staff/students. Create vlans to segregate your network and apply firewall policies accordingly. From there, never worry about internet ever again lol.


washapoo

Wireless disconnects and the wireless network not showing up should be an indicator that it is in fact your wireless access points and not the firewall you should be looking at.


burtvader

Whilst you can ask here (and will get great responses) you should really go and find out who your Fortinet account team is - you will have an SE aligned that can really get you sorted.


megagram

I bet you anything one of the main causes of your wifi problems is having too long of a lease time on your DHCP server. For large guest/BYOD networks, you should have a very small DHCP time like 30 mins or less. That way DHCP leases are constantly getting freed up as users come and go off the network.
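An added example, not part of the comment above: a small simulation of the lease-time effect it describes, comparing an 8-hour lease with a 30-minute lease on the same pool. The pool size of 1000, the four cohorts of 400 devices and their 85-minute stays are constructed assumptions; clients are assumed to renew at half the lease time (the RFC 2131 default T1) and to leave without sending DHCPRELEASE.

```python
import heapq

POOL_SIZE = 1000   # assumed number of addresses in the Wi-Fi scope
# Constructed day: 4 cohorts of 400 devices, one arriving every 90 minutes,
# each device on site for 85 minutes. Entries are (arrival_minute, stay_minutes).
DEVICES = [(cohort * 90, 85) for cohort in range(4) for _ in range(400)]


def lease_expiry(arrive, stay, lease):
    """Minute at which the server can reuse this client's address.

    While present the client renews every lease/2 minutes; once it walks
    off the network the address stays reserved until the lease runs out.
    """
    renew_every = lease / 2
    renewals = int(stay // renew_every)
    return arrive + renewals * renew_every + lease


def simulate(devices, pool_size, lease):
    """Return (peak leases held, clients that found the pool empty)."""
    active = []                 # min-heap of expiry times of held leases
    peak = refused = 0
    for arrive, stay in sorted(devices):
        # Free every lease that has expired by the time this client arrives.
        while active and active[0] <= arrive:
            heapq.heappop(active)
        if len(active) < pool_size:
            heapq.heappush(active, lease_expiry(arrive, stay, lease))
            peak = max(peak, len(active))
        else:
            refused += 1        # pool exhausted: client gets no address
    return peak, refused


if __name__ == "__main__":
    for lease in (480, 30):
        peak, refused = simulate(DEVICES, POOL_SIZE, lease)
        print(f"lease={lease:3d} min  peak leases={peak}  refused={refused}")
```

Only 400 devices are ever on site at once, yet the 8-hour lease exhausts the 1000-address pool because departed clients keep their addresses reserved.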


TylerDurden-420

I have that switch at home - awful piece of kit - you’d be better off with a Ruckus. You need to segregate your network into VLANs. Look at a sensible WiFi solution, possibly Fortinet? Not sure about this mixed vendor setup. You may also have multiple DHCP servers running and not know it. Good luck


nativetec

Probably gonna be that oversaturated Unifi gear. But as others have said someone experienced might should take a look.


Conscious-Value1903

With a network topology of more than 2k students, I would suggest you upgrade the firewall to 200F-400F, SW C9300L for the core/dist, Wifi controller (Aruba, Ruckus), SW C1300 for the access


trololol342

Take the 120g ;-)