2. Watchguard
  3. AP

Watchguard AP User guide

  • Hello! I am an AI chatbot trained to assist you with the Watchguard AP User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
WatchGuard APDeployment Guide
WatchGuard AP
Deployment Guide
AP100, AP200
2 APDeployment Guide
About this Guide
The WatchGuard APDeployment Guide is a guide for deployment of a WatchGuard APdevice with an
XTMdevice. For the most recent product documentation, see the Fireware XTM WatchGuard System
Manager Help or Fireware XTMWeb UI Help on the WatchGuard web site at:
http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Guide revised: 1/7/2014
Copyright, Trademark, and Patent Information
Copyright © 1998-2014 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names
mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content
security solutions that provide defense-in-depth and help meet
regulatory compliance requirements. The WatchGuard XTM line
combines firewall, VPN, GAV, IPS, spam blocking and URL
filtering to protect your network from spam, viruses, malware, and
intrusions. The new XCS line offers email and web content
security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging from
small businesses to enterprises with 10,000+ employees.
WatchGuard builds simple, reliable, and robust security
appliances featuring fast implementation and comprehensive
management and reporting tools. Enterprises throughout the world
rely on our signature red boxes to maximize security without
sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries
+1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries
+1.206.613.0895
AP Deployment Guide i
Table of Contents
WatchGuard APDeployment Guide 1
About this Guide 2
Copyright, Trademark, and Patent Information 2
About WatchGuard 2
Address 2
Support 2
Sales 2
Introduction 1
WatchGuard AP Device Requirements and Limitations 1
Requirements 1
Limitations 1
AP Deployment Steps 2
Benefits of Using VLANs with Your APDevice 2
Step 1 Enable the Gateway Wireless Controller 3
Step 2 Connect the APDevice 4
Step 3 Configure the SSIDs 5
Step 4 Pair the APDevice 6
Step 5 Configure the APDevice Radios 7
Plan your Wireless APDevice Deployment 8
Wireless Site Survey 9
Wireless Modes and Channels 10
Wireless Channels 10
Channel Selection 10
Wireless Signal Strength and Noise Levels 11
Signal Strength 11
Noise Level 11
Signal to Noise Ratio 11
Wireless Environmental Factors 12
Wireless Placement 13
Monitor AP Device Status 14
Monitor Wireless Clients 15
About APDevice Activation 16
Reset the WatchGuard AP Device 16
Additional Resources 16
AP Deployment Guide ii
AP Deployment Guide 1
Introduction
The mass adoption of smart wireless devices such as tablets, smartphones and notebooks is driving the
BYOD (bring your own device) explosion, putting ever increasing demands for wireless access on your
network. WatchGuard's AP100 and AP200 devices enable you to add wireless access to the networks
protected by your XTM device.
To add wireless access to your network, you simply connect one or more WatchGuard APdevices to any
trusted or optional network on your XTMdevice. Then you use the Gateway Wireless Controller on the
XTMdevice to discover, configure, and manage the APdevices. The network security policies already on
your XTMdevice automatically apply to wireless users.
You can then configure the AP device and SSIDs to meet your wireless network requirements.
n To increase the wireless range of your network and support wireless roaming you can use the same
SSID on multiple APdevices.
n To support different groups of wireless users, you can configure your AP device to use multiple
wireless SSIDs.
n You can optionally enable VLAN tagging in your SSIDs, and then use the VLANs in your policies to
create more granular rules for your wireless users, based on the SSIDthat they connect to.
The procedures in this document describe how to use Policy Manager to configure the
XTM device and APdevice. You could also use the Fireware XTMWeb UI to do these
steps. For more information, see the Fireware XTMWeb UI Help.
This document focuses on what you need to know for initial deployment of a WatchGuard AP 100 or AP 200
device on your network. For a more comprehensive reference to all AP device functionality, see the
WatchGuard System Manager Help.
WatchGuard AP Device Requirements and Limitations
Before you add a WatchGuard AP device to your network, it is important to understand the requirements and
limitations of the AP device.
Requirements
n The WatchGuard AP device must be managed by a WatchGuard XTMdevice that uses Fireware XTM
OS v11.7.2 or higher.
n The XTMdevice must be configured in mixed routing mode.
n The APdevice must connect to a trusted or optional network.
n The XTM device configuration must include a policy that allows NTP traffic from the APdevice to the
Internet. The AP device uses an NTPserver to set the correct local time.
Limitations
n You cannot use the Fireware XTMCommand Line Interface to manage WatchGuard AP devices.
n You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
n You cannot locate WatchGuard APdevices behind a NATfirewall.
AP Deployment Steps
When you add one or more WatchGuard AP devices to your network, you can manage and configure the AP
devices from the Gateway Wireless Controller on an XTMdevice. You do not have to connect directly to the
AP device to configure it. The Gateway Wireless Controller on the XTMdevice manages the AP device for
you.
To deploy any AP device on your XTMdevice network you must:
1. Enable the Gateway Wireless Controller on the XTMdevice.
2. Connect the APdevice to your network.
3. Configure the SSIDs you want to use.
4. Pair the APdevice with the XTMdevice.
5. Configure the APdevice settings.
You can optionally enable VLAN tagging in the SSIDs for your APdevice. If you enable VLAN tagging, you
must also configure the necessary VLANs on your XTM device.
This APDeployment Guide describes the basic steps necessary to deploy an AP device on your network. For
a more detailed description of the configuration settings, see the WatchGuard System Manager Help.
Benefits of Using VLANs with Your APDevice
To deploy an APdevice on your network, you do not need to enable VLAN tagging. There are, however,
several reasons you could want to enable VLAN tagging:
You want to configure different firewall policies for SSIDs that connect to the same network
If you configure multiple SSIDs for your AP devices, and you want to set different firewall policies for
each SSID, you can enable VLANtagging in the SSID and then use the VLAN IDassociated with each
SSID in policies specific to each SSID. For example, you could add a different HTTP policy for each
SSID that specifies the VLANassociated with that SSID. This enables you to specify which users can
connect to each SSID.
You want to separate the traffic on the same physical network to different logical networks.
If you have several APdevices connected to the same physical network, VLAN tagging gives you the
ability to separately examine traffic for wireless clients connected to each SSID. For example, if you run
a network analyzer, you can use the VLAN tags to see the traffic for the VLANIDassociated with an
SSID.
Or, you might want to set up all of your AP devices with one SSID for the trusted network and a different
SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to separate the
traffic for the trusted and optional wireless clients.
The subsequent sections provide a more detailed overview of the steps to deploy an AP device without
VLANtagging. See the WatchGuard System Manager Help for more information about VLANs, and for
configuration examples,
AP Deployment Steps
2
APDeployment Guide
AP Deployment Steps
AP Deployment Guide 3
Step 1 Enable the Gateway Wireless Controller
For the XTM device to discover and manage APdevices, you must enable the Gateway Wireless Controller.
1. Open your XTMdevice configuration in Policy Manager.
2. Select Network >Gateway Wireless Controller.
3. Select the Enable the Gateway Wireless Controller check box.
4. Type the WatchGuard APPassphrase that you want all your APdevices to use after they are paired.
5. Click Settings.
6. Select the location of the WatchGuard APdevices from the list of countries.
This location is used to help configure the wireless radio on your APdevices.
7. Save the configuration to the XTMdevice.
Step 2 Connect the APDevice
Use one of these options to connect the APdevice to your trusted or optional network. By default, the
APdevice automatically requests an IP address from a DHCP server on the local network.
If the network you connect your APdevice to does not use DHCP, you can use the web UI
on the AP device to manually assign a staticIPaddress to the APdevice before you
connect it to your network. See the APSetup Guide or WatchGuard System Manager Help
for more information.
APdevice connected to the XTMdevice APdevice connected to a switch
Option 1 —Connect the APdevice to an XTMdevice interface
If you have an unused interface on your XTMdevice, you can connect the AP device directly to an
XTMdevice trusted or optional interface.
To configure the XTM device interface as a trusted or optional interface:
1. In Policy Manager, select Network > Configuration.
2. Configure the XTMdevice interface as trusted or optional, and enable DHCP on that interface.
3. Save the configuration to the XTMdevice.
4. Connect the APdevice to the interface you configured.
Option 2 - Connect the APdevice to a switch
You can connect the AP device to the switch on your trusted or optional network. It is not necessary to
change the network settings on the XTM device interface.
AP Deployment Steps
4
APDeployment Guide
AP Deployment Steps
AP Deployment Guide 5
Step 3 Configure the SSIDs
Configure the SSIDs that you want your wireless users to connect to.
1. In Policy Manager, select Network >Gateway Wireless Controller.
2. In the SSIDs tab, click Add to add an SSID.
3. In the Network Name (SSID) text box, type the SSID for the wireless network.
The SSID is the network name wireless clients see when they connect to the AP device.
4. Click the Security tab.
5. From the Security Mode drop-down list, select the wireless security mode.
By default, the security mode is set to Disabled. In this mode, the SSID operates as an open wireless
network. You can change this to one of the WPA or WPA security modes that use pre-shared keys
(PSK) or RADIUS authentication.
n WPAonly (PSK)
n WPA2 only (PSK)
n WPA/WPA2 (PSK)
n WPA Enterprise
n WPA2 Enterprise
n WPA/WPA2 Enterprise
6. Configure the security settings for the selected security mode.
7. Repeat these steps to create additional SSIDs.
To use the Enterprise authentication methods, you must have a RADIUSserver.
Step 4 Pair the APDevice
When you first connect the AP device to your network, it is an unpaired Access Point. In this step, you pair the
AP device to your XTMdevice.
1. In Policy Manager, select Network >Gateway Wireless Controller.
2. Click the Access Points tab.
3. Below the Unpaired Access Points list, click Refresh to start a scan for unpaired APdevices.
4. Type the XTMdevice configuration passphrase.
The XTMdevice begins to scan for unpaired APdevices.
5. From the Unpaired Access Points list, select the AP device you want to pair.
6. Click Pair.
7. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
8. Click OK.
The Edit Access Dialog box appears.
AP Deployment Steps
6
APDeployment Guide
AP Deployment Steps
AP Deployment Guide 7
Step 5 Configure the APDevice Radios
The Edit Access Point dialog box automatically opens after you pair the APdevice. Here, you select the
radio settings to use for each radio.
1. For an AP100, you can select the radio Band to use.
The AP100 has one radio, Radio 1. You can configure it to use either the 2.4 GHz or 5 GHz band.
The AP200 has two single-band radios, Radio 1 and Radio 2. Radio 1 always uses the 2.4 GHz band,
and Radio 2 always uses the 5 GHz band.
2. For each radio, select the Wireless Mode. The available modes depend on the radio band.
n The 2.4 GHz band supports 802.11 B, G and N wireless modes.
n The 5 GHz band supports 802.11 A and N wireless modes.
3. (Optional) For each radio, select the Preferred Channel.
4. (Optional) For each radio, select the Rate.
The rate limits the maximum data transfer rate per wireless client.
5. For each radio, select a configured SSID and click Add.
6. Save the configuration to the XTMdevice.
The Preferred Channel and Rate are configurable in Fireware XTM v11.8 and higher.
Plan your Wireless APDevice Deployment
Before you deploy WatchGuard APdevices on your network, you must research, design, and plan your
wireless network deployment to make sure it meets your requirements for coverage, signal strength, data
rates, and security.
We recommend that you review these sections for general wireless knowledge and guidelines for a
successful deployment.
n Wireless Site Survey Perform a wireless site survey to analyze your current environment and
wireless requirements.
n Wireless Modes and Channels Determine which wireless modes and channels you support for
your wireless clients.
n Wireless Signal Strength and Noise Levels Understand wireless signal strength and signal-to-
noise ratios.
n Wireless Environment Factors Identify environmental factors that can affect the range and
performance of wireless networks.
n WatchGuard APDevice Placement Determine the best location and placement of your
WatchGuard AP devices.
Plan your Wireless APDevice Deployment
8
APDeployment Guide
Plan your Wireless APDevice Deployment
AP Deployment Guide 9
Wireless Site Survey
Before you deploy a new WatchGuard AP device, you can perform a wireless site survey to analyze your
current environment and existing wireless signals. The wireless site survey helps you to identify your specific
requirements for your wireless network, and any external factors that could affect your deployment.
Site survey results can help you determine this information:
n Number of wireless clients that must be supported
n Areas of coverage and number of AP devices required
n Best physical placement of AP devices
n Range from clients to each AP device
n Minimum data rates required for specific applications
n Wireless signal strength and potential sources of wireless noise and interference
n Environmental factors that affect wireless signals, such as building construction and materials
Typically, you begin a site survey with a physical walk-through of your environment. It is helpful to have a
floor plan of your facilities that shows your existing networking environment and a list of requirements for
your planned wireless networks. A visual inspection helps you to understand the areas of coverage required,
the physical limitations and barriers due to building construction, and potential sources of wireless
interference.
After you complete a physical inspection of your facilities, you must be able to visualize and understand
where the current wireless signals are located in your environment, and how they react to your physical
environment.
Many wireless site survey tools are available that enable you to map your environment and generate
wireless heat maps, which provide a visual representation of the wireless signals in your environment. The
heat map shows the strength and range of wireless access points, how their signals react to your physical
environment, and identifies any existing wireless interference.
To determine what wireless signals and interference already exist in your environment, you can generate a
heat map to help you plan your deployment scenario. You can use one of the many available third-party
wireless site survey tools. such as Ekahau HeatMapper. After you install your AP devices, you can make
another heat map of your environment to see if your current placement provides adequate coverage and
signal strength for your wireless network.
Wireless Modes and Channels
The WatchGuard AP wireless device supports two different wireless bands: 2.4 GHz and 5 GHz. The band
you select and the country determine the wireless modes available.
n The 2.4 GHz band supports 802.11b, 802.11g and 802.11n
n The 5 GHz band supports 802.11a and 802.11n
The 802.11n protocol is the latest wireless standard, and provides high data rates and performance in the 5
GHz frequency band. It is only supported in the most recent types of wireless devices.
If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower devices
tend to dominate the throughput because it can take much longer to send or receive the
same amount of data to devices that use a slower mode.
Wireless Channels
A wireless channel is a specific division of frequencies within a specific wireless band.
For example, in the 2.4GHz band with a channel width of 20MHz, there are 14 defined channels spaced
every 5MHz. Channels 12 and 13 are applicable in countries outside of North America. Channel 14 is for
Japan only and is spaced at 12 MHz.
One wireless channel can overlap the frequency of another wireless channel. When you design and deploy
wireless networks, you must take into account which channels you use for your wireless network. For
example, in the 2.4 GHz band, adjacent channels such as channel 3 and 4 have very closely overlapping
frequencies that can cause interference. In the 2.4 GHz band, channels 1, 6, and 11 do not overlap each
other because of the spacing between their frequencies, and these are the channels most commonly used.
The 2.4GHz band is crowded because many other devices that operate on this band, such as cordless
phones, microwaves, monitors, and wireless headsets, also use the same channels, and can cause wireless
congestion.
In the 5GHz band, the full channel width is reserved and there is a very large selection of non-overlapping
channels. 802.11n also allows you to combine two 20MHz channels to form a 40MHz channel for increased
bandwidth.
Channel Selection
The WatchGuard AP is configured by default to automatically select the wireless channel to use. When you
power on the WatchGuard AP device, it automatically scans the network and selects the wireless channel
with the least amount of interference.
The default channel width is configured as 20/40MHz. This mixed mode sets the radio to use 40MHz channel
width, but with additional transmission information that enable it to be used in an environment that includes
802.11a/b/g wireless access points.
Plan your Wireless APDevice Deployment
10
APDeployment Guide
Plan your Wireless APDevice Deployment
AP Deployment Guide 11
Wireless Signal Strength and Noise Levels
To make sure that all users in your environment receive a strong wireless signal, consider these guidelines
when you install your WatchGuard AP devices.
Signal Strength
The signal strength is the wireless signal power level received by the wireless client.
n Strong signal strength results in more reliable connections and higher speeds.
n Signal strength is represented in -dBm format (0 to -100). This is the power ratio in decibels (dB) of
the measured power referenced to one milliwatt.
n The closer the value is to 0, the stronger the signal. For example, -41dBm is better signal strength
than -61dBm.
Noise Level
The noise level indicates the amount of background noise in your environment.
n If the noise level is too high, it can result in degraded strength and performance for your wireless
signal strength.
n Noise level is measured in -dBm format (0 to -100). This is the power ratio in decibels (dB) of the
measured power referenced to one milliwatt.
n The closer the value to 0, the greater the noise level.
n Negative values indicate less background noise. For example, -96dBm is a lower noise level than
-20dBm.
Signal to Noise Ratio
The signal-to-noise ratio (SNR) is the power ratio between the signalstrength and the noise level.
n This value is represented as a +dBm value.
n In general, you should have a minimum of +25dBm signal-to-noise ratio. Lower values than +25dBm
result in poor performance and speeds.
For example:
n If you have a -41dBm signal strength, and a -50dBm noise level, this results in a poor signal-to-noise
ratio of +9dBm.
n If you have a -41dBm signal strength, and a -96dBm noise level, this results in an excellent signal-to-
noise ratio of +55dBm.
Wireless Environmental Factors
There are several environmental factors that can affect the range and performance of wireless networks.
Walls and ceilings
Walls and ceilings between the AP device and wireless clients can degrade signal strength. Wireless
signals can penetrate walls and other structures, but the rate of penetration is directly related to the type
of building materials, materials thickness, and the distance from the wireless antenna.
Building materials
Metal and aluminum doors, glass, concrete, and other types of building materials can have a
significantly negative effect on the signal strength of wireless signals.
EMI (Electro-magnetic interference)
EMI from other electrical devices, such as microwaves, cordless phones, and wireless headsets, can
generate significant RF noise and degrade or disrupt wireless communications.
Distance
Wireless signals degrade quickly past their maximum range. You must plan your network carefully to
provide adequate wireless coverage over the range you require in your environment.
Plan your Wireless APDevice Deployment
12
APDeployment Guide
Plan your Wireless APDevice Deployment
AP Deployment Guide 13
Wireless Placement
For full wireless coverage and to make sure that all users in your environment receive a strong wireless
signal, consider these guidelines for the location and placement of your WatchGuard AP devices:
n Place your AP devices in a central location away from any corners, walls, or other physical
obstructions to provide maximum signal coverage.
n Place your AP devices in a high location to provide the overall best signal strength reception and
performance for your wireless network.
n Make sure you do not install an AP device in close proximity to any electronic devices that can
interfere with the signal, such as televisions, microwave ovens, cordless phones, air conditioners,
fans, or any other type of equipment that can cause signal interference.
n When you install multiple AP devices, make sure to space them to provide maximum coverage for
your wireless network area of availability. For wireless coverage over multiple floors, you can stagger
the placement of devices to cover both vertical and horizontal space.
Monitor AP Device Status
1. Start Firebox System Manager for your XTMdevice.
2. Select the Gateway Wireless Controller tab.
The Gateway Wireless Controller Summary and Detail information appears.
3. Select the Access Points tab.
From the Access Points tab, you can:
n See the connection status and uptime of your APdevice.
n See the radio frequency and channel used by each radio.
n See the APdevice activation status.
n See the log messages for the selected APdevice.
n See network statistics for the selected APdevice.
n Reboot the selected APdevice.
n Upgrade the firmware on the selected APdevice.
n Perform a site survey from the selected AP device to detect other wireless access points.
Monitor AP Device Status
14
APDeployment Guide
Monitor Wireless Clients
AP Deployment Guide 15
Monitor Wireless Clients
In Firebox System Manager, you can see the wireless clients that are connected to your WatchGuard
APdevices. You can also disconnect a wireless client from an AP device.
To see the connected wireless clients:
1. Start Firebox System Manager for your XTM device.
2. Select the Gateway Wireless Controller tab.
3. Select the Wireless Clients tab.
A list of connected wireless clients appears.
4. To show only wireless clients that are connected to a specific AP device, select an AP device from the
Filter By APdrop-down list.
5. To show only wireless clients that are connected to a specific SSID, select an SSID from the Filter By
SSIDdrop-down list.
6. To disconnect a wireless client, select the client and click Disconnect Client.
About APDevice Activation
You must activate your WatchGuard AP device to start your LiveSecurity subscription. The WatchGuard
LiveSecurity subscription activates your hardware replacement warranty, enables you to receive technical
support, and provides access to the latest OS updates and product news.
After you pair a WatchGuard APdevice with an XTMdevice, the XTM device automatically connects to the
WatchGuard web site and sends the information necessary to activate the AP device on the same
WatchGuard account where the XTM device was activated.
If automatic activation fails, the XTMdevice periodically tries to activate again. The activation status of your
APdevice does not affect the functionality of the AP device.
If your APdevice has not been activated automatically and you want to activate it manually, you can activate
the AP device in your WatchGuard account just as you would activate an XTMdevice or add-on feature.
Reset the WatchGuard AP Device
To reset the AP device with the reset button on the APdevice:
1. With the APdevice powered on, press and hold the reset button.
2. After 12 seconds, release the reset button.
The APdevice resets.
When the device completes initialization, it is reset to the factory default settings.
Additional Resources
This APDeployment Guide provides information about initial setup of your WatchGuard AP100 or AP200
device.
For information about your APdevice hardware and physical installation, see the WatchGuard APSetup
Guide.
For more detailed information about VLAN configuration, and AP device configuration examples, see the
WatchGuard System Manager Help.
You can view and download the most current documentation for the WatchGuard AP on the WatchGuard
APProduct Documentation page at http://www.watchguard.com/help/documentation.ap.asp.
About APDevice Activation
16
APDeployment Guide
/