Faced rather strange bug with Cisco WLC-controlled WiFi (local, where APs establish GRE tunnels to WLC and forward actual traffic through them, to avoid MAC flapping) and FortiGate cluster (300D in particular). Sometimes for some people internet might disappear for 10-20 seconds every 10-20 minutes, sometimes it might take longer to recover. Like, pings disappear and appear back. It didn't depend on firewall or WLC firmware (the bug persisted on 6.0.13, 6.2.9, 6.4.7 of FortiGate and 8.0, 8.3.150 and the latest 8.5.182 of WLC2504).

After investigating and playing around with 802.1x security settings, roaming features, etc.. I realized that the actual reason is totally different - other hosts in the same VLAN as WiFi SSID were responding to pings! So it was only issue with the gateway reachability. I tried to add static ARP record (MAC-IP pair) to firewall config - internet became rock solid! What made me think of ARP is the way FortiGate cluster works, it creates some kind of virtual MAC too.

Cisco WiFi APs include ARP proxy, so that actual devices wouldn't have to answer ARP requests, thus saving energy. Tried enabling broadcast forwarding in WLC config, no luck. Increasing ARP timeout didn't help neither. The only solution I was able to come up with is to switch WiFi APs into flex mode, changing switchport type of APs to trunk and putting actual VLANs there. With flex mode it's possible to disable proxy ARP (locally connected APs don't support this). Just use "config flexconnect arp-caching disable" command.