Watchguard AP User guide

Brand: Watchguard

Model: AP

Type: User guide

Watchguard AP offers seamless integration with your existing Watchguard XTM device, allowing you to extend your network's reach and provide secure wireless access. It supports multiple SSIDs, enabling you to create separate networks for guests, employees, or different departments. With advanced features like VLAN tagging, you can segment your network traffic for enhanced security and management. The AP's sleek and compact design blends seamlessly into any environment, making it an ideal solution for offices, retail stores, or hospitality venues.

WatchGuard APDevice Deployment Guide

WatchGuard AP

Deployment Guide

AP100, AP102, AP200

About this Guide

The WatchGuard APDeployment Guide is a guide for deployment of a WatchGuard APdevice with an XTMdevice. For the

most recent product documentation, see the Fireware XTM WatchGuard System Manager Help or Fireware XTMWeb UI Help

on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are

fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,

electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 10/30/2014

any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available

online at: http://www.watchguard.com/help/documentation/.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content

security solutions that provide defense-in-depth and help meet

regulatory compliance requirements. The WatchGuard XTM line

combines firewall, VPN, GAV, IPS, spam blocking and URL

filtering to protect your network from spam, viruses, malware, and

intrusions. The new XCS line offers email and web content

security combined with data loss prevention. WatchGuard

extensible solutions scale to offer right-sized security ranging

from small businesses to enterprises with 10,000+ employees.

WatchGuard builds simple, reliable, and robust security

appliances featuring fast implementation and comprehensive

management and reporting tools. Enterprises throughout the world

rely on our signature red boxes to maximize security without

sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit

www.watchguard.com.

Address

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries

+1.206.521.3575

Sales

U.S. and Canada +1.800.734.9905

All Other Countries

+1.206.613.0895

AP Deployment Guide iii

Table of Contents

WatchGuard APDevice Deployment Guide i

About this Guide ii

About WatchGuard ii

Address ii

Support ii

Sales ii

Introduction 1

WatchGuard AP Device Requirements and Limitations 2

Requirements 2

Limitations 2

AP Device Deployment Steps 3

Benefits of VLANs for Your APDevice 3

Step 1 — Enable the Gateway Wireless Controller 4

Step 2 — Connect the APDevice 5

Option 1 —Connect the APDevice to a Firebox or XTMDevice Interface 5

Option 2 — Connect the APdevice to a Switch 6

Step 3 — Configure the SSIDs 7

Step 4 — Pair the APDevice 8

Step 5 — Configure the APDevice Radios 10

Plan your Wireless APDevice Deployment 12

Wireless Site Survey 13

Wireless Modes and Channels 15

Wireless Channels 15

Use Wireless Deployment Maps to Find Channel Conflicts 16

Wireless Signal Strength and Noise Levels 17

Signal Strength 17

Noise Level 17

Signal to Noise Ratio 17

Wireless Environmental Factors 18

Wireless Placement 19

Use Wireless Deployment Maps for AP Device Placement 20

AP Deployment Guide iv

View Wireless Deployment Maps 21

Wireless Deployment Maps Overview 21

Use Maps for APDevice Placement 22

See Wireless Channel Conflicts 24

Find Unauthorized Access Points 28

Monitor AP Device Status 29

Monitor Wireless Clients 30

About APDevice Activation 31

Reset the WatchGuard AP Device 31

For APdevice firmware 1.2.9.2 or higher 31

For AP device firmware 1.2.9.1 or lower 31

Additional Resources 32

AP Deployment Guide 1

Introduction

The mass adoption of smart wireless devices such as tablets, smart phones and notebooks, has

greatly increased the demand for wireless access to most networks. The WatchGuard AP100, AP102,

and AP200 devices enable you to add wireless access to the networks that are protected by your

Firebox or XTM device.

To add wireless access to your network, you can simply connect one or more WatchGuard APdevices

to any trusted or optional network on your Firebox or XTMdevice. Then you use the Gateway Wireless

Controller on the Firebox or XTMdevice to discover, configure, and manage the APdevices. The

network security policies already configured on your XTMdevice automatically apply to wireless

users.

The APdevice can also be located on the custom zone network (for Fireware XTM

OS v11.9 and higher). To allow the Gateway Wireless Controller to discover an

APdevice on a custom zone network, you must modify the WatchGuard Gateway

Wireless Controller policy to allow traffic from the custom zone.

You can then configure the AP device and SSIDs to meet the requirements of your wireless network.

n To increase the wireless range of your network and support wireless roaming you can use the

same SSID on multiple APdevices.

n To support different groups of wireless users, you can configure your AP device to use more

than one wireless SSIDs.

n You can optionally enable VLAN tagging in your SSIDs, and then use the VLANs in your

policies to create more specific rules for your wireless users, based on the SSIDthat they

connect to.

The procedures in this document describe how to use Policy Manager to configure

your Firebox or XTM device and APdevice. You could also use Fireware XTMWeb

UI to complete these steps. For more information, see the Fireware XTMWeb UI

Help.

This document includes the information you must know for the initial deployment of a WatchGuard

AP100, AP102, or AP200 device on your network. For a more comprehensive reference to all AP

device functionality, see the WatchGuard System Manager Help.

WatchGuard AP Device Requirements and Limitations

Before you add a WatchGuard AP device to your network, it is important to understand the

requirements and limitations of the AP device.

Requirements

n The WatchGuard AP device must be managed by a WatchGuard XTMdevice that uses

Fireware XTM OS v11.7.2 or higher.

n The XTMdevice must be configured in mixed routing mode.

n The APdevice must connect to a trusted or optional network.

n The XTM device configuration must include a policy that allows NTP traffic from the APdevice

to the Internet. The AP device uses an NTPserver to set the correct local time.

Limitations

n You cannot use the Fireware XTMCommand Line Interface to manage WatchGuard AP

devices.

n You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.

n You cannot locate WatchGuard APdevices behind a NATfirewall.

Introduction

APDeployment Guide

AP Device Deployment Steps

AP Deployment Guide 3

AP Device Deployment Steps

When you add one or more WatchGuard AP devices to your network, you can manage and configure

the AP devices from the Gateway Wireless Controller on your Firebox or XTMdevice. You do not have

to connect directly to the AP device to configure it. The Gateway Wireless Controller on your Firebox or

XTMdevice manages the AP device for you.

To deploy any AP device on your Firebox o XTMdevice network you must:

1. Enable the Gateway Wireless Controller on your Firebox or XTMdevice.

2. Connect the APdevice to your network.

3. Configure SSIDs.

4. Pair the APdevice with you Firebox or XTMdevice.

5. Configure the APdevice settings.

You can optionally enable VLAN tagging in the SSIDs for your APdevice. If you enable VLAN tagging,

you must also configure the necessary VLANs on your XTM device.

This APDeployment Guide describes the basic steps necessary to deploy an AP device on your

network. For a more detailed description of the configuration settings, see the WatchGuard System

Manager Help.

Benefits of VLANs for Your APDevice

To deploy an APdevice on your network, you do not have to enable VLAN tagging. There are,

however, several reasons you could want to enable VLAN tagging:

You want to configure different firewall policies for SSIDs that connect to the same network

If you configure more than one SSID for your AP devices, and you want to set different firewall

policies for each SSID, you can enable VLANtagging in the SSID and then use the VLAN

IDassociated with each SSID in policies specific to each SSID.

For example, you could add a different HTTP policy for each SSID that specifies the

VLANassociated with that SSID. This enables you to specify which users can connect to each

SSID.

You want to separate the traffic on the same physical network to different logical networks.

If you have several APdevices connected to the same physical network, VLAN tagging gives

you the ability to separately examine traffic for wireless clients connected to each SSID.

For example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the

VLANIDassociated with an SSID.

Or, you might want to set up all of your AP devices with one SSID for the trusted network, and a

different SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to

separate the traffic for the trusted and optional wireless clients.

The subsequent sections provide a more detailed overview of the steps to deploy an AP device without

VLANtagging. For more information about VLANs and for configuration examples, see the

WatchGuard System Manager Help.

Step 1 — Enable the Gateway Wireless Controller

Before your Firebox or XTM device can discover and manage your APdevices, you must enable the

Gateway Wireless Controller.

1. Open your XTMdevice configuration in Policy Manager.

2. Select Network >Gateway Wireless Controller.

3. Select the Enable the Gateway Wireless Controller check box.

The WatchGuard AP Passphrase dialog box appears.

4. In the WatchGuard APPassphrase text box, type the passphrase that you want all your

APdevices to use after they are paired. Click OK.

5. Click Settings.

The Settings dialog box appears with the Access Point Settings tab selected.

AP Device Deployment Steps

APDeployment Guide

AP Device Deployment Steps

AP Deployment Guide 5

6. From the Select the location of the WatchGuard APdevices drop-down list, select the

country where your AP devices are located.

This location is used to help configure the wireless radio on your APdevices.

7. Click OK.

8. Save the configuration to your Firebox or XTMdevice.

Step 2 — Connect the APDevice

Use one of these options to connect the APdevice to your trusted or optional network. The APdevice

can also be located on the custom zone network (Fireware XTM OS v11.9 and higher). To allow the

Gateway Wireless Controller to discover an AP device on a custom zone network, you must modify

the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom zone.

By default, the APdevice automatically requests an IP address from a DHCP server on the local

network.. If the network you connect your APdevice to does not use DHCP, you can use the web UI

on the AP device to manually assign a staticIPaddress to the APdevice before you connect it to your

network. For more information, see the APSetup Guide or WatchGuard System Manager Help.

Option 1 —Connect the APDevice to a Firebox or XTMDevice Interface

If you have an unused interface on your Firebox or XTMdevice, you can connect the AP device directly

to a trusted or optional interface on your Firebox or XTMdevice.

APdevice connected to the Firebox or XTMdevice

To configure the Firebox or XTM device interface as a trusted or optional interface:

1. In Policy Manager, select Network > Configuration.

2. Configure the Firebox or XTMdevice interface as trusted or optional, and enable DHCP on that

interface.

3. Save the configuration to the device.

4. Connect the APdevice to the interface you configured.

Option 2 — Connect the APdevice to a Switch

You can connect the AP device to the switch on your trusted or optional network. When you use this

option, you do not have to change the network settings on the XTM device interface.

APdevice connected to a switch

AP Device Deployment Steps

APDeployment Guide

AP Device Deployment Steps

AP Deployment Guide 7

Step 3 — Configure the SSIDs

When you configure the SSIDs that your wireless user connect to, you must select a wireless security

mode for the SSID. By default, the security mode for an SSID is set to Disabled. In this mode, the

SSID operates as an open wireless network. You can change this to one of the WPA or WPA security

modes that use pre-shared keys (PSK) or RADIUS authentication.

n WPAonly (PSK)

n WPA2 only (PSK)

n WPA/WPA2 (PSK)

n WPA Enterprise

n WPA2 Enterprise

n WPA/WPA2 Enterprise

To use the Enterprise authentication methods, you must have a RADIUSserver.

To configure the SSIDs for your device:

1. In Policy Manager, select Network >Gateway Wireless Controller.

2. On the SSIDs tab, click Add.

The Add SSID dialog box appears.

3. In the Network Name (SSID) text box, type the SSID for the wireless network.

The SSID is the network name wireless clients see when they connect to the AP device.

4. Select the Security tab.

5. From the Security Mode drop-down list, select the wireless security mode.

6. Configure the security settings for the selected security mode.

7. Repeat these steps to create additional SSIDs.

Step 4 — Pair the APDevice

When you first connect the AP device to your network, it is an unpaired Access Point. The power LED

on the AP device alternates from green to amber when the device is unpaired.

To pair the AP device to your Firebox or XTMdevice:

1. In Policy Manager, select Network >Gateway Wireless Controller.

The Gateway Wireless Controller dialog box appears.

2. Select the Access Points tab.

3. To start a scan for the unpaired APdevices in your area, click Refresh.

The Refresh the Unpaired Access Points list dialog box appears.

4. Specify the user name and passphrase for a user with Device Administrator privileges.

The Firebox or XTMdevice scans for unpaired APdevices.

5. From the Unpaired Access Points list, select the AP device to pair.

6. Click Pair.

The Pairing Passphrase dialog box appears.

AP Device Deployment Steps

APDeployment Guide

AP Device Deployment Steps

AP Deployment Guide 9

7. In the Pairing Passphrase text box, type the passphrase of the AP device.

The default AP passphrase is wgwap.

8. Click OK.

The Edit Access Dialog box appears.

When the APdevice is paired, the power LED on the device changes to green.

Step 5 — Configure the APDevice Radios

The Edit Access Point dialog box automatically opens after you pair the APdevice. From this dialog

box, select the radio settings to use for each radio on your AP device. AP100 and AP102 devices each

have one radio, Radio 1. You can configure it to use either the 2.4 GHz or 5 GHz band. An AP200

device has two single-band radios, Radio 1 and Radio 2. Because Radio 1 always uses the 2.4 GHz

band, and Radio 2 always uses the 5 GHz band, you do not have to configure the radio bands for an

AP200 device.

1. For an AP100 or AP102 device, from the Banddrop-down list, select the band for Radio 1:

n 2.4GHz

n 5GHz

For an AP200 device, you do not have to set the radio band.

2. From the Wireless Mode drop-down list, select the wireless mode to use for each radio. The

available modes depend on the radio band:

n 2.4GHz band — 802.11 B, G and N wireless modes

n 5GHz band — 802.11 A and N wireless modes

3. (Optional) For each radio, select the Preferred Channel.

For the AP 102 outdoor model, the Use outdoor channels only option is enabled by default.

AP Device Deployment Steps

APDeployment Guide

AP Device Deployment Steps

AP Deployment Guide 11

4. (Optional) For each radio, select the Rate and TXPower.

The rate limits the maximum data transfer rate per wireless client.

5. For each radio, select a configured SSID and click Add.

6. Save the configuration to the Firebox or XTMdevice.

The Preferred Channel and Rate are configurable in Fireware XTM OS v11.8 and

higher. TXPower, Disable LEDs, Use outdoor channels only, and Disable DFS

Channels option are configurable in Fireware XTMOS v11.9 and higher.

Plan your Wireless APDevice Deployment

Before you deploy WatchGuard APdevices on your network, you must research, design, and plan your

wireless network deployment to make sure it meets your requirements for coverage, signal strength,

data rates, and security.

We recommend that you review these sections for general wireless knowledge and guidelines for a

successful deployment.

n Wireless Site Survey — Perform a wireless site survey to analyze your current environment and

wireless requirements.

n Wireless Modes and Channels — Determine which wireless modes and channels you support

for your wireless clients.

n Wireless Signal Strength and Noise Levels — Understand wireless signal strength and signal-

to-noise ratios.

n Wireless Environment Factors — Identify environmental factors that can affect the range and

performance of wireless networks.

n WatchGuard APDevice Placement — Determine the best location and placement of your

WatchGuard AP devices.

n Wireless Deployment Maps — Use the Wireless Deployment Maps feature on the Gateway

Wireless Controller to help deploy your WatchGuard AP devices, check signal strength, and

resolve channel conflicts.

Plan your Wireless APDevice Deployment

APDeployment Guide

Plan your Wireless APDevice Deployment

AP Deployment Guide 13

Wireless Site Survey

Before you deploy a new WatchGuard AP device, you can perform a wireless site survey to analyze

your current environment and existing wireless signals. The wireless site survey helps you to identify

your specific requirements for your wireless network, and any external factors that could affect your

deployment.

Site survey results can help you determine this information:

n Number of wireless clients that must be supported

n Areas of coverage and number of AP devices required

n Best physical placement of AP devices

n Range from clients to each AP device

n Minimum data rates required for specific applications

n Wireless signal strength and potential sources of wireless noise and interference

n Environmental factors that affect wireless signals, such as building construction and materials

Typically, you begin a site survey with a physical walk-through of your environment. It is helpful to

have a floor plan of your facilities that shows your existing networking environment and a list of

requirements for your planned wireless networks. A visual inspection helps you to understand the

areas of coverage required, the physical limitations and barriers due to building construction, and

potential sources of wireless interference.

After you complete a physical inspection of your facilities, you must be able to visualize and

understand where the current wireless signals are located in your environment, and how they react to

your physical environment.

Many wireless site survey tools are available that enable you to map your environment and generate

wireless heat maps, which provide a visual representation of the wireless signals in your environment.

The heat map shows the strength and range of wireless access points, how their signals react to your

physical environment, and identifies any existing wireless interference.

To determine what wireless signals and interference already exist in your environment, you can

generate a heat map to help you plan your deployment scenario. You can use one of the many available

third-party wireless site survey tools. such as Ekahau HeatMapper. After you install your AP devices,

you can make another heat map of your environment to see if your current placement provides

adequate coverage and signal strength for your wireless network.

You can also use the Wireless Deployment Maps feature on the Gateway Wireless Controller to

provide a simulated physical view of your wireless network to help you place the APdevices in optimal

locations for maximum coverage, and to detect channel conflicts with other wireless devices in your

area.

Plan your Wireless APDevice Deployment

APDeployment Guide

Plan your Wireless APDevice Deployment

AP Deployment Guide 15

Wireless Modes and Channels

WatchGuard AP wireless devices support two different wireless bands: 2.4 GHz and 5 GHz. The band

you select and the country you specify determine which wireless modes are available.

n The 2.4 GHz band supports 802.11b, 802.11g and 802.11n

n The 5 GHz band supports 802.11a and 802.11n

The 802.11n protocol is the latest wireless standard, and provides high data rates and performance in

the 5 GHz frequency band. It is only supported in the most recent types of wireless devices.

If you choose a wireless mode that supports more than one 802.11 standards, the

overall performance can be considerably impacted. This is in part because of

backward compatibility requirement when devices that use slower modes are

connected. The slower devices often use more of the available throughput because it

can take much longer to send or receive the same amount of data to devices that use

a slower mode.

Wireless Channels

A wireless channel is a specific division of frequencies within a specific wireless band. For example, in

the 2.4GHz band with a channel width of 20MHz, there are 14 defined channels spaced every 5MHz.

Channels 12 and 13 are available in countries outside of North America. Channel 14 is for Japan only

and is spaced at 12 MHz.

One wireless channel can overlap the frequency of another wireless channel. When you design and

deploy wireless networks, you must consider which channels you use for your wireless network. For

example, in the 2.4 GHz band, adjacent channels such as channel 3 and 4 have frequencies that

closely overlap, which can cause interference. In the 2.4 GHz band, channels 1, 6, and 11 are the most

commonly used channels. They do not overlap each other because of the space between their

frequencies. The 2.4GHz band is crowded because many other devices that operate on this band

(such as cordless phones, microwaves, monitors, and wireless headsets) also use the same

channels, and can cause wireless congestion.

In the 5GHz band, the full channel width is reserved and there is a very large selection of channels that

do not overlap. 802.11n also enables you to combine two 20MHz channels to form a 40MHz channel

for increased bandwidth.

In some regions, DFS (Dynamic Frequency Selection) channels operate in the 5GHz band. Because

DFS channels are used with radar, transmissions from your AP device stop if radar signals are

detected on that channel. Use can disable the use of DFS channels in your AP device configuration.

For outdoor model AP102, you can configure the device to only use outdoor channels.

Channel Selection

The WatchGuard AP device is configured by default to automatically select a wireless channel. When

you power on the WatchGuard AP device, it automatically scans the network and selects the wireless

channel with the least amount of interference.

The default channel width is configured as 20/40MHz. This mixed mode sets the radio to use 40MHz

channel width, but it also has additional transmission information, which enables it to be used in an

environment that includes 802.11a/b/g wireless access points.

Use Wireless Deployment Maps to Find Channel Conflicts

You can use the Wireless Deployment Maps feature in the Gateway Wireless Controller to help you

find wireless channel conflicts and optimize your wireless environment.

Plan your Wireless APDevice Deployment

APDeployment Guide

Page is loading ...

Watchguard AP User guide

Watchguard AP User guide

Related papers

Other documents