Introduction to the WatchGuard AP Device


1 Introduction to the WatchGuard AP Device
WatchGuard Training

2 WatchGuard AP 100 and AP 200

3 AP Device in an XTM Network
A WatchGuard AP device adds wireless access to any XTM device network.
- Connect an AP device directly to an XTM device interface or to a switch on the trusted or optional network.
- Use the Gateway Wireless Controller on the XTM device to configure and manage connected AP devices.
[Diagram: the AP device connected directly to an XTM device interface, OR connected to a switch on the trusted or optional network.]

4 AP 100 and AP 200 Wireless Access Points
AP 100
- Single dual-band radio
- 2.4 GHz / 5 GHz switchable
- 2x2:2 MIMO
- a/b/g/n
- Up to 300 Mbps
- 8 SSIDs
Power
- AC adapter
- 802.3af compliant PoE injector or switch
AP 200
- Two single-band radios
- 2.4 GHz and 5 GHz
- 2x2:2 MIMO
- a/b/g/n
- Up to 600 Mbps
- 8 SSIDs per radio
- Plenum rated

5 Requirements and Limitations
Requirements for an XTM device to manage an AP device:
- The XTM device must use Fireware XTM OS v or later.
- The XTM device must be configured in mixed routing mode.
- The AP device must connect to a trusted or optional network.
Limitations:
- You cannot use the Fireware XTM command line interface to manage WatchGuard AP devices.
- You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.

6 AP Device Default Settings
- The AP device automatically uses DHCP to request a dynamic IP address.
- If a DHCP server is not available, the AP device uses a default IP address.
  IP Address: Subnet Mask: Default Gateway:
- The AP device has its own web UI. You can connect to the Access Point web UI at https:// , or at the DHCP IP address.
  Default password: wgwap
- To deploy an AP device, you do not need to use the Access Point web UI unless you need to assign a static IP address to the AP device.

7 Deployment Planning

8 Deployment Planning
Before you add an AP device to your network, analyze your current environment and wireless requirements to determine:
- What wireless modes you need to support (802.11a/b/g/n)
- What SSIDs and networks you want to create for wireless clients to connect to
- The best physical location for the AP device
When you think about where to install your AP device, consider:
- Potential sources of wireless noise and interference
- Factors that affect wireless signals, such as building construction and materials
- Where your wireless clients are likely to be located
You can use a wireless site survey tool such as Ekahau HeatMapper to measure wireless signal strength for wireless clients at different locations.
- Measure before deployment as part of planning
- Measure after deployment to see the AP signal strength and range
For more detailed information about deployment planning and site survey tools, see the WatchGuard AP Deployment Guide or WatchGuard System Manager Help.

9 Should You Enable VLAN Tagging?
When you enable VLAN tagging, you associate a VLAN ID with each SSID. VLAN tagging is not required, but there are several reasons you could want to enable VLAN tagging:
- You want to set different firewall policies for multiple SSIDs that connect to the same network. For example, you can create different SSIDs for different groups of users and then create different firewall policies for each SSID. In each policy, you use the VLAN ID associated with an SSID to make a policy apply to traffic for that SSID.
- You want to separate traffic on the same physical network to different logical networks.
- VLAN tagging enables you to separately examine traffic for wireless clients connected to each SSID. If you use a network analyzer, you can use VLAN tags to see the traffic for the VLAN ID associated with a specific SSID.
- If you want to set up your AP device with one SSID for the trusted network and another SSID for the optional network, you can use a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.
VLAN configuration is covered in detail in a later section of this training.

10 Deployment Steps

11 Deployment Overview
To deploy any AP device on your network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the XTM device.
4. Configure the SSIDs you want to use.
5. Configure the AP device settings.
If you enable VLAN tagging in the AP device SSIDs you must also:
- Create a tagged VLAN for each SSID.
- Create an untagged VLAN for management of the AP device.
This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.

12 Enable the Gateway Wireless Controller
To enable the Gateway Wireless Controller on the XTM device:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Type the passphrase you want to use for all your WatchGuard AP devices after they are paired to the XTM device.
4. Set the AP device location:
   - Click Settings.
   - Select the location of your AP device from the list of countries. This location is used to help configure the wireless radio.
5. Save the configuration to the XTM device.
You can set the AP device location later, but it is a good idea to do it before you connect your AP device. This is to make sure that the AP device uses a supported radio channel for the region where it is located.

13 Connect the AP Device
Connect the AP device directly to an XTM device interface, or to a switch on the trusted or optional network.
If you want to connect the AP device directly to an XTM device interface, configure the XTM device interface:
- Set the Interface Type to Trusted or Optional.
- Enable the DHCP Server.
- Configure a pool of IP addresses the XTM device will assign to the AP device and to wireless clients.
If you connect the AP device to a switch:
- The AP device gets an IP address from a DHCP server.
- If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.
These instructions apply if you do not use VLAN tagging. If you want to use VLAN tagging, set up your VLANs first, because you must connect the AP device to a VLAN interface. This is described later in this presentation.

14 Pair the AP Device
When you first connect the AP device, it is an unpaired Access Point. To pair the AP device to the XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the XTM device IP address and configuration passphrase.
The XTM device sends a local discovery broadcast on the trusted and optional networks over UDP port 2529 every 30 seconds. Unpaired AP devices send a response to the XTM device. You might need to click Refresh more than once to discover an AP device that you just connected.

15 Pair the AP Device
Unpaired AP devices appear in the Unpaired Access Points list. To pair an AP device to the XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. The default AP passphrase is wgwap.
3. The Edit Access Point dialog box opens automatically. Edit the Access Point settings.
Access Point configuration is covered in the next section of this training.

16 Pair the AP Device
After you pair the AP device, the AP device is added to the Access Points list. Because Policy Manager is an offline configuration tool, pairing is not complete until you save the configuration to the XTM device.
The first time you save the configuration to the XTM device after pairing:
- The XTM device uses the pairing passphrase to connect to the AP device and update the configuration.
- The AP device restarts with the updated configuration.
- The XTM device tries to activate the AP device.
  - The AP device is activated in the WatchGuard account where the XTM device was activated.
  - If automatic activation fails, the XTM device periodically tries again.
  - Activation status of the AP device does not affect AP device functionality.
AP device activation starts the LiveSecurity subscription for the AP device, which includes the AP device advance replacement hardware warranty. If your AP device has not been activated automatically, you can use the AP device serial number to activate the AP device in your WatchGuard account just as you would activate an XTM device.

17 Configuration

18 Configuration
In the Gateway Wireless Controller, you can configure:
- AP devices
- SSIDs
- Gateway Wireless Controller settings

19 Configure the AP Device
To configure AP devices, in Policy Manager, select the Network > Gateway Wireless Controller > Access Points tab. You can add, edit or remove AP devices.
- Add: manually add an AP device that has not been paired
- Edit: edit an AP device configuration
- Remove: remove the AP device
  - Removes the AP device from the XTM device configuration
  - Resets the AP device to factory default settings

20 Configure the AP Device
When you pair an AP device, the Edit Access Point dialog box opens automatically. You can also select a configured AP device and click Edit.
Configure AP device settings:
- Change the AP device Name.
- Configure Network Settings (DHCP or Static IP address). If you select Static, you must configure a static IP address.
- Enable logging to a syslog server.
- Configure radio settings.

21 Configure the AP Device Radio Settings
- For an AP 100, you can configure the radio Band to use. AP 100 has one radio that can use either the 2.4 GHz or 5 GHz band.
- AP 200 has two radios. Radio 1 always uses the 2.4 GHz band, and Radio 2 always uses the 5 GHz band.
- For each radio, configure the Wireless Mode. The 2.4 GHz band supports B, G, and N. The 5 GHz band supports A and N.
- For each radio, select the configured SSIDs to use (up to 8 per radio). You can also assign the AP device radio to an SSID when you create the SSID.
[Screenshot: Radio Settings for an AP 200]

22 Configure SSIDs
The SSID is the network name that wireless clients see when they connect.
- You can assign multiple SSIDs to a single AP device radio.
- You can assign the same SSID to multiple AP device radios.
To add an SSID, in the SSIDs tab, click Add.
- Specify the Network Name (SSID)
- Configure Settings
  - Enable or disable SSID broadcast
  - Enable MAC Access Control
  - Enable VLAN tagging
  - Specify VLAN ID
- Add configured AP device radios as members of the SSID
You configure the MAC Access Control list in the Gateway Wireless Controller settings.

23 Configure the SSID Security Mode
To configure the SSID security mode, click the Security tab. AP devices support these security modes:
- Disabled: no security/open system
- WPA/WPA2 (PSK): pre-shared key
- WPA/WPA2 Enterprise: RADIUS
To use Enterprise authentication, you must configure a RADIUS server.

24 Configure Gateway Wireless Controller Settings
Gateway Wireless Controller has settings that apply to all paired AP devices. Select Network > Gateway Wireless Controller, and click Settings.
- Update the WatchGuard AP Passphrase that is used by all AP devices after they are paired.
- Enable or disable automatic firmware updates when new firmware is available on the XTM device. Default is enabled.
- Set the syslog server for all AP devices. All AP devices send log messages to this syslog server unless you specify a different syslog server in the AP device configuration.
- Select the location of the AP devices. This enables the AP device to automatically select a radio channel allowed in your region.
Firmware updates for AP devices are delivered to the XTM device in the sysa-dl file as part of an XTM device OS update.

25 Configure the MAC Access Control List
In the MAC Access Control tab, add the MAC addresses of wireless clients that you want to deny access to your AP device SSIDs. For each SSID, you can decide whether to use the MAC Access Control list.

26 VLAN Configuration

27 VLAN Configuration Overview
If you want to enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an XTM device interface.
- Enable VLANs before you connect and pair the AP device.
- The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.
- VLANs must be in the trusted or optional security zone.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device VLAN interface to pass tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.

28 VLAN Configuration Options
- Connect the AP device directly to a VLAN interface on the XTM device.
- Connect the AP device to the XTM device VLAN interface through a VLAN switch. Configure the same VLANs on the switch interfaces as you configured on the XTM device.
[Diagram: the AP device connected directly to an XTM device VLAN interface, OR connected to a VLAN switch.]

29 VLAN Configuration Example
Example: You want to add two SSIDs to allow wireless connections to two different networks through the same AP device.
- SSID Name: Trusted-W, for trusted wireless access
- SSID Name: Guest-W, for guest wireless access
Create three VLANs: one for each SSID and one for AP management.
1. Select Network > Configuration > VLAN.
2. Add three VLANs, with DHCP enabled. For example:
   - Trusted-VLAN (VLAN ID 10): to use with SSID Trusted-W
   - Optional-VLAN (VLAN ID 20): to use with SSID Guest-W
   - AP-Mgmt-VLAN: to use for management connections to the AP device

30 VLAN Configuration Example — VLAN Details
[Screenshots: VLAN details for VLAN ID 30, VLAN ID 20, and VLAN ID 10]

31 VLAN Configuration Example — VLAN Interface
Configure a VLAN interface on the XTM device.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select the interface you want to connect the AP device to, and click Configure.
3. Set the Interface Type to VLAN, and configure it to:
   - Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
   - Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
4. Save the configuration to the XTM device to enable the VLAN interface.
5. Connect the AP device to the VLAN interface.
Any untagged traffic that goes through this interface is on VLAN 30. This includes all management traffic between the XTM device and the AP device.

32 VLAN Configuration Example — Configure SSIDs
Enable VLAN tagging in the two SSIDs. For this example:
- SSID Trusted-W uses VLAN ID 10
- SSID Guest-W uses VLAN ID 20

33 VLAN Configuration Example — Finish AP Device Setup
The rest of the AP device setup steps are the same as without VLAN tagging enabled.
1. Connect the AP device to the VLAN interface.
2. Use Policy Manager to discover and pair the AP device.
3. In the AP configuration, add the SSIDs you configured.
4. Save the configuration to the XTM device.
In the Unpaired Access Points list, notice that the IP address of the discovered AP device is an IP address in the DHCP address pool for VLAN 30, the management VLAN.
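
The VLAN example from slides 29 to 33, expressed as a pre-deployment check (an added example, not part of the original presentation and not WatchGuard tooling). The plan dictionary, its keys, and `lint_plan` are hypothetical; the sample values are constructed from the deck's example, with the controller passphrase deliberately left at the default and Guest-W left open so the check has something to report.

```python
# Added example, not WatchGuard code: lint a planned SSID/VLAN layout against
# the rules stated in this deck. The dict layout and names are hypothetical.
DEFAULT_AP_PASSPHRASE = "wgwap"          # factory default given in the deck
ALLOWED_ZONES = {"trusted", "optional"}  # VLANs must be in one of these zones
MAX_SSIDS_PER_RADIO = 8

# Constructed sample plan mirroring the deck's example (VLAN IDs 10, 20, 30).
PLAN = {
    "gwc_passphrase": "wgwap",  # passphrase set on the Gateway Wireless Controller
    "vlans": {
        10: {"name": "Trusted-VLAN", "zone": "trusted", "dhcp": True},
        20: {"name": "Optional-VLAN", "zone": "optional", "dhcp": True},
        30: {"name": "AP-Mgmt-VLAN", "zone": "trusted", "dhcp": True},
    },
    "interface": {"tagged": [10, 20], "untagged": [30]},
    "ssids": [  # SSIDs assigned to one radio
        {"name": "Trusted-W", "vlan_id": 10, "security": "WPA/WPA2 (PSK)"},
        {"name": "Guest-W", "vlan_id": 20, "security": "Disabled"},
    ],
}


def lint_plan(plan):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vlans, iface = plan["vlans"], plan["interface"]
    tagged, untagged = set(iface["tagged"]), set(iface["untagged"])
    if plan["gwc_passphrase"] == DEFAULT_AP_PASSPHRASE:
        findings.append("controller passphrase is the factory default")
    if len(untagged) != 1:
        findings.append("interface needs exactly one untagged management VLAN")
    if tagged & untagged:
        findings.append("a VLAN is both tagged and untagged on the interface")
    for vid in sorted(tagged | untagged):
        vlan = vlans.get(vid)
        if vlan is None:
            findings.append(f"VLAN {vid} is on the interface but not defined")
            continue
        if vlan["zone"] not in ALLOWED_ZONES:
            findings.append(f"VLAN {vid} must be in the trusted or optional zone")
        if not vlan["dhcp"]:
            findings.append(f"VLAN {vid} has no DHCP server or relay")
    if len(plan["ssids"]) > MAX_SSIDS_PER_RADIO:
        findings.append("more than 8 SSIDs assigned to one radio")
    owner = {}  # VLAN ID -> first SSID that claimed it
    for ssid in plan["ssids"]:
        name, vid = ssid["name"], ssid["vlan_id"]
        if vid not in tagged:
            findings.append(f"SSID {name} uses VLAN {vid}, which is not tagged on the interface")
        if vid in owner:
            findings.append(f"SSIDs {owner[vid]} and {name} share VLAN {vid}")
        owner.setdefault(vid, name)
        if ssid["security"] == "Disabled":
            findings.append(f"SSID {name} is an open network (security mode Disabled)")
    return findings


if __name__ == "__main__":
    for finding in lint_plan(PLAN):
        print("FINDING:", finding)
```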

34 VLAN Configuration Example — Connecting to a Switch
The VLAN configuration on the XTM device is the same, whether you connect the AP device directly to the XTM device or to a VLAN switch. To connect the AP device to a switch, configure the same VLANs on the switch ports that connect to the AP device and the XTM device.

35 Other VLAN Configuration Options
The flexibility of the VLAN configuration and routing on your XTM device, managed switch, and AP device enables you to deploy the AP device with VLANs in many other network configurations:
- Separate XTM interfaces for each VLAN on the switch
- VLAN segmentation with Branch Office VPN
- VLAN segmentation for separate gateways

36 Monitoring

37 Monitor AP Devices and Wireless Clients
Monitor AP devices and connected wireless clients in:
- Firebox System Manager on the Gateway Wireless Controller tab.
  - Select the Access Points tab to monitor paired AP devices.
  - Select the Wireless Clients tab to monitor connected wireless clients.
- Fireware XTM Web UI on the System Status > Gateway Wireless Controller page.
  - Select the Access Points tab to monitor paired AP devices.

38 Monitor AP Devices
The Access Points tab shows:
- AP device status
- SSIDs
- IP address
- Radio band and channel
- Uptime
Select an AP device to:
- Do a Site Survey to detect other wireless access points
- See Log Messages on the AP device
- Reboot the AP device

39 AP Device Status — Online
After you deploy an AP device, check the device status. If the XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.

40 AP Device Status — Offline
If the XTM device cannot contact the AP device, the device status is Offline. When an AP device reboots, the status is Offline during the reboot. The AP device reboots after each configuration change.

41 AP Device Status — Passphrase Mismatch
If the Pairing Passphrase on the XTM device does not match the passphrase on the AP device, AP device status is Passphrase mismatch. To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device. The default AP device passphrase is wgwap.

42 Monitoring — Connected Wireless Clients
Select the Wireless Clients tab to see a list of connected wireless clients.

43 Wireless Hotspot

44 Enable a Wireless Hotspot / Captive Portal
You can configure your WatchGuard AP device SSID as a wireless hotspot. With hotspot functionality enabled, when wireless clients connect to your SSID and try to browse to a web site, the hotspot welcome page appears. Users must accept the terms and conditions before they can browse the web through your AP device.

45 Enable a Hotspot / Captive Portal
1. In Policy Manager, select Setup > Authentication > Hotspot.
2. Enable the hotspot for the VLAN or physical interface your AP device uses:
   - If you use VLANs, select the VLAN interface for the SSID.
   - If you do not use VLANs and the AP device is directly connected to an XTM device interface, select the XTM device interface your AP device is connected to.
3. Configure the settings for your hotspot welcome page.
For more information about hotspot configuration, see the Fireware XTM WatchGuard System Manager help.

46 Monitor Hotspot Connections
To see the list of connected hotspot clients in Firebox System Manager:
1. Select the Authentication List tab.
2. Click Hotspot Clients.
The connected hotspot clients also appear in the Wireless Clients tab on the Gateway Wireless Controller tab.

47 Documentation and Resources
Product Documentation
- WatchGuard AP: You can view and download the most current documentation for the WatchGuard AP device on the WatchGuard AP Product Documentation page at
- WatchGuard XTM: For detailed information about WatchGuard AP pairing, management, and configuration with your XTM device, see the Wireless AP Device Setup section of the Fireware XTM Web UI or WSM Help at
Knowledge Base
- You can view and search the knowledge base for information on specific WatchGuard product issues at
WatchGuard User Forum
- An interactive online user forum moderated by senior support engineers. Go to the WatchGuard forum at

48 Thank You!

