Introduction to the WatchGuard AP Device WatchGuard Training.


1 Introduction to the WatchGuard AP Device WatchGuard Training

2 WatchGuard AP 100 and AP 200

3 AP Device in an XTM Network
A WatchGuard AP device adds wireless access to any XTM device network.
- Connect an AP device directly to an XTM device interface or to a switch on the trusted or optional network.
- Use the Gateway Wireless Controller on the XTM device to configure and manage connected AP devices.
[Diagram: connect the AP device directly to an XTM device interface, OR connect the AP device to a switch on the trusted or optional network.]

4 AP 100 and AP 200 Wireless Access Points
AP 100
- Single dual-band radio
- 2.4 GHz / GHz switchable
- 2x2:2 MIMO
- a/b/g/n
- Up to 300 Mbps
- 8 SSIDs
- Power: AC adapter; 802.3af compliant PoE injector or switch
AP 200
- Two single-band radios
- 2.4 GHz and 5 GHz
- 2x2:2 MIMO
- a/b/g/n
- Up to 600 Mbps
- 8 SSIDs per radio
- Plenum rated

5 Requirements and Limitations
Requirements for an XTM device to manage an AP device:
- The XTM device must use Fireware XTM OS v or later.
- The XTM device must be configured in mixed routing mode.
- The AP device must connect to a trusted or optional network.
Limitations:
- You cannot use the Fireware XTM command line interface to manage WatchGuard AP devices.
- You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.

6 AP Device Default Settings
- The AP device automatically uses DHCP to request a dynamic IP address.
- If a DHCP server is not available, the AP device uses a default IP address.
  IP Address:
  Subnet Mask:
  Default Gateway:
- The AP device has its own web UI. You can connect to the Access Point web UI at https:// , or at the DHCP IP address.
- Default password: wgwap
- To deploy an AP device, you do not need to use the Access Point web UI unless you need to assign a static IP address to the AP device.

7 Deployment Planning

8 Deployment Planning
Before you add an AP device to your network, analyze your current environment and wireless requirements to determine:
- What wireless modes you need to support (802.11a/b/g/n)
- What SSIDs and networks you want to create for wireless clients to connect to
- The best physical location for the AP device
When you think about where to install your AP device, consider:
- Potential sources of wireless noise and interference
- Factors that affect wireless signals, such as building construction and materials
- Where your wireless clients are likely to be located
You can use a wireless site survey tool such as Ekahau HeatMapper to measure wireless signal strength for wireless clients at different locations.
- Measure before deployment as part of planning
- Measure after deployment to see the AP signal strength and range

9 Should You Enable VLAN Tagging?
When you enable VLAN tagging, you associate a VLAN ID with each SSID. VLAN tagging is not required, but there are several reasons you could want to enable VLAN tagging:
- You want to set different firewall policies for multiple SSIDs that connect to the same network. For example, you can create different SSIDs for different groups of users and then create different firewall policies for each SSID. In each policy, you use the VLAN ID associated with an SSID to make a policy apply to traffic for that SSID.
- You want to separate traffic on the same physical network to different logical networks.
- VLAN tagging enables you to separately examine traffic for wireless clients connected to each SSID. If you use a network analyzer, you can use VLAN tags to see the traffic for the VLAN ID associated with a specific SSID.
- If you want to set up your AP device with one SSID for the trusted network and another SSID for the optional network, you can use a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.
VLAN configuration is covered in detail in a later section of this training.

10 Deployment Steps

11 Deployment Overview
To deploy any AP device on your network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the XTM device.
4. Configure the SSIDs you want to use.
5. Configure the AP device settings.
If you enable VLAN tagging in the AP device SSIDs you must also:
- Create a tagged VLAN for each SSID.
- Create an untagged VLAN for management of the AP device.
This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.

12 Enable the Gateway Wireless Controller
To enable the Gateway Wireless Controller on the XTM device:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Type the passphrase you want to use for all your WatchGuard AP devices after they are paired to the XTM device.
Set the AP device location:
1. Click Settings.
2. Select the location of your AP device from the list of countries. This location is used to help configure the wireless radio.
Save the configuration to the XTM device.

13 Connect the AP Device
Connect the AP device directly to an XTM device interface, or to a switch on the trusted or optional network.
If you want to connect the AP device directly to an XTM device interface, configure the XTM device interface:
- Set the Interface Type to Trusted or Optional.
- Enable the DHCP Server.
- Configure a pool of IP addresses the XTM device will assign to the AP device and to wireless clients.
If you connect the AP device to a switch:
- The AP device gets an IP address from a DHCP server.
- If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.

14 Pair the AP Device
When you first connect the AP device, it is an unpaired Access Point. To pair the AP device to the XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the XTM device IP address and configuration passphrase.
The XTM device sends a local discovery broadcast on the trusted and optional networks over UDP port 2529 every 30 seconds. Unpaired AP devices send a response to the XTM device.

15 Pair the AP Device
Unpaired AP devices appear in the Unpaired Access Points list. To pair an AP device to the XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. The default AP passphrase is wgwap. The Edit Access Point dialog box opens automatically.
3. Edit the Access Point settings.
Access Point configuration is covered in the next section of this training.

16 Pair the AP Device
After you pair the AP device, the AP device is added to the Access Points list. Because Policy Manager is an offline configuration tool, pairing is not complete until you save the configuration to the XTM device.
The first time you save the configuration to the XTM device after pairing:
- The XTM device uses the pairing passphrase to connect to the AP device and update the configuration.
- The AP device restarts with the updated configuration.
- The XTM device tries to activate the AP device.
  - The AP device is activated in the WatchGuard account where the XTM device was activated.
  - If automatic activation fails, the XTM device periodically tries again.
  - Activation status of the AP device does not affect AP device functionality.

17 Configuration

18 Configuration
In the Gateway Wireless Controller, you can configure:
- AP devices
- SSIDs
- Gateway Wireless Controller settings

19 Configure the AP Device
To configure AP devices, in Policy Manager, select the Network > Gateway Wireless Controller > Access Points tab. You can add, edit or remove AP devices.
- Add: manually add an AP device that has not been paired
- Edit: edit an AP device configuration
- Remove: remove the AP device
  - Removes the AP device from the XTM device configuration
  - Resets the AP device to factory default settings

20 Configure the AP Device
When you pair an AP device, the Edit Access Point dialog box opens automatically. You can also select a configured AP device and click Edit.
Configure AP device settings:
- Change the AP device Name.
- Configure Network Settings (DHCP or Static IP address). If you select Static, you must configure a static IP address.
- Enable logging to a syslog server.
- Configure radio settings.

21 Configure the AP Device Radio Settings
- For an AP 100, you can configure the radio Band to use. AP 100 has one radio that can use either the 2.4 GHz or 5 GHz band.
- AP 200 has two radios. Radio 1 always uses the 2.4 GHz band, and Radio 2 always uses the 5 GHz band.
- For each radio, configure the Wireless Mode. The 2.4 GHz band supports B, G, and N. The 5 GHz band supports A and N.
- For each radio, select the configured SSIDs to use (up to 8 per radio). You can also assign the AP device radio to an SSID when you create the SSID.
[Screenshot: Radio Settings for an AP 200]

22 Configure SSIDs
The SSID is the network name that wireless clients see when they connect.
- You can assign multiple SSIDs to a single AP device radio.
- You can assign the same SSID to multiple AP device radios.
To add an SSID, in the SSIDs tab, click Add.
- Specify the Network Name (SSID)
- Configure Settings
  - Enable or disable SSID broadcast
  - Enable MAC Access Control
  - Enable VLAN tagging (specify the VLAN ID)
- Add configured AP device radios as members of the SSID

23 Configure the SSID Security Mode
To configure the SSID security mode, click the Security tab. AP devices support these security modes:
- Disabled: no security/open system
- WPA/WPA2 (PSK): pre-shared key
- WPA/WPA2 Enterprise: RADIUS

24 Configure Gateway Wireless Controller Settings
Gateway Wireless Controller has settings that apply to all paired AP devices. Select Network > Gateway Wireless Controller, and click Settings.
- Update the WatchGuard AP Passphrase that is used by all AP devices after they are paired.
- Enable or disable automatic firmware updates when new firmware is available on the XTM device. Default is enabled.
- Set the syslog server for all AP devices. All AP devices send log messages to this syslog server unless you specify a different syslog server in the AP device configuration.
- Select the location of the AP devices. This enables the AP device to automatically select a radio channel allowed in your region.

25 Configure the MAC Access Control List
In the MAC Access Control tab, add the MAC addresses of wireless clients that you want to deny access to your AP device SSIDs. For each SSID, you can decide whether to use the MAC Access Control list.

26 VLAN Configuration

27 VLAN Configuration Overview
If you want to enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an XTM device interface.
- Enable VLANs before you connect and pair the AP device.
- The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.
- VLANs must be in the trusted or optional security zone.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device VLAN interface to pass tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.

28 VLAN Configuration Options
- Connect the AP device directly to a VLAN interface on the XTM device.
- Connect the AP device to the XTM device VLAN interface through a VLAN switch. Configure the same VLANs on the switch interfaces as you configured on the XTM device.
[Diagram: connect the AP device directly to an XTM device VLAN interface, OR connect the AP device to a VLAN switch.]

29 VLAN Configuration Example
Example: You want to add two SSIDs to allow wireless connections to two different networks through the same AP device.
- SSID Name: Trusted-W, for trusted wireless access
- SSID Name: Guest-W, for guest wireless access
Create three VLANs: one for each SSID and one for AP management.
Select Network > Configuration > VLAN. Add three VLANs, with DHCP enabled. For example:
- Trusted-VLAN (VLAN ID 10) to use with SSID Trusted-W
- Optional-VLAN (VLAN ID 20) to use with SSID Guest-W
- AP-Mgmt-VLAN to use for management connections to the AP device

30 VLAN Configuration Example: VLAN Details
[Screenshots: VLAN details for VLAN ID 10, VLAN ID 20 and VLAN ID 30]

31 VLAN Configuration Example: VLAN Interface
Configure a VLAN interface on the XTM device.
- In the Network Configuration dialog box, select the Interfaces tab.
- Select the interface you want to connect the AP device to, and click Configure.
- Set the Interface Type to VLAN, and configure it to:
  - Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
  - Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
- Save the configuration to the XTM device to enable the VLAN interface.
- Connect the AP device to the VLAN interface.

32 VLAN Configuration Example: Configure SSIDs
Enable VLAN tagging in the two SSIDs. For this example:
- SSID Trusted-W uses VLAN ID 10
- SSID Guest-W uses VLAN ID 20

33 VLAN Configuration Example: Finish AP Device Setup
The rest of the AP device setup steps are the same as without VLAN tagging enabled.
- Connect the AP device to the VLAN interface.
- Use Policy Manager to discover and pair the AP device.
- In the AP configuration, add the SSIDs you configured.
- Save the configuration to the XTM device.

34 VLAN Configuration Example: Connecting to a Switch
The VLAN configuration on the XTM device is the same, whether you connect the AP device directly to the XTM device or to a VLAN switch.
To connect the AP device to a switch, configure the same VLANs on the switch ports that connect to the AP device and the XTM device.
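
Added example (not part of the WatchGuard training material): a small Python parser that reads the 802.1Q tag from Ethernet frames seen on the AP link and maps it to the SSIDs in the example above (VLAN ID 10 = Trusted-W, VLAN ID 20 = Guest-W, untagged = AP management), flagging any tag this design does not expect. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

# From the page's example: one tagged VLAN per SSID; AP management (VLAN 30) is untagged.
SSID_BY_VLAN = {10: "Trusted-W", 20: "Guest-W"}
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def classify_frame(frame: bytes) -> tuple:
    """Return (segment, vlan_id, expected) for one Ethernet II frame on the AP link."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        # Untagged traffic on this link belongs to the AP management VLAN.
        return ("AP-Mgmt (untagged)", None, True)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vlan_id = tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID
    ssid = SSID_BY_VLAN.get(vlan_id)
    if ssid is None:
        # Any other tag (including a tagged 30) does not match the configured design.
        return ("unexpected tag", vlan_id, False)
    return (ssid, vlan_id, True)

def summarize(frames):
    """Count frames per segment and collect the VLAN IDs that should not appear."""
    counts = Counter()
    unexpected = set()
    for frame in frames:
        segment, vlan_id, ok = classify_frame(frame)
        counts[segment] += 1
        if not ok:
            unexpected.add(vlan_id)
    return dict(counts), sorted(unexpected)

def build_frame(vlan_id=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a sample frame (constructed test data, not a real capture)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

# Constructed sample: SSID traffic, management traffic, and two tags outside the design.
SAMPLE_FRAMES = [build_frame(10), build_frame(10), build_frame(20),
                 build_frame(None), build_frame(30), build_frame(99)]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

Many capture setups strip the VLAN tag before the frame reaches the capture tool, so run a check like this on frames taken from a point that preserves tags, such as a switch mirror port.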

35 Other VLAN Configuration Options
The flexibility of the VLAN configuration and routing on your XTM device, managed switch, and AP device enables you to deploy the AP device with VLANs in many other network configurations:
- Separate XTM interfaces for each VLAN on the switch
- VLAN segmentation with Branch Office VPN
- VLAN segmentation for separate gateways

36 Monitoring

37 Monitor AP Devices and Wireless Clients
Monitor AP devices and connected wireless clients in:
- Firebox System Manager on the Gateway Wireless Controller tab.
  - Select the Access Points tab to monitor paired AP devices.
  - Select the Wireless Clients tab to monitor connected wireless clients.
- Fireware XTM Web UI on the System Status > Gateway Wireless Controller page.
  - Select the Access Points tab to monitor paired AP devices.
  - Select the Wireless Clients tab to monitor connected wireless clients.

38 Monitor AP Devices
The Access Points tab shows:
- AP device status
- SSIDs
- IP address
- Radio band and channel
- Uptime
Select an AP device to:
- Do a Site Survey to detect other wireless access points
- See Log Messages on the AP device
- Reboot the AP device

39 AP Device Status: Online
After you deploy an AP device, check the device status. If the XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.

40 AP Device Status: Offline
If the XTM device cannot contact the AP device, the device status is Offline. When an AP device reboots, the status is Offline during the reboot. The AP device reboots after each configuration change.

41 AP Device Status: Passphrase Mismatch
If the Pairing Passphrase on the XTM device does not match the passphrase on the AP device, the AP device status is Passphrase mismatch. To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device. The default AP device passphrase is wgwap.

42 Monitoring Connected Wireless Clients
Select the Wireless Clients tab to see a list of connected wireless clients.

43 Wireless Hotspot

44 Enable a Wireless Hotspot / Captive Portal
You can configure your WatchGuard AP device SSID as a wireless hotspot. With hotspot functionality enabled, when wireless clients connect to your SSID and try to browse to a web site, the hotspot welcome page appears. Users must accept the terms and conditions before they can browse the web through your AP device.

45 Enable a Hotspot / Captive Portal
In Policy Manager select Setup > Authentication > Hotspot.
Enable the hotspot for the VLAN or physical interface your AP device uses:
- If you use VLANs, select the VLAN interface for the SSID.
- If you do not use VLANs and the AP device is directly connected to an XTM device interface, select the XTM device interface your AP device is connected to.
Configure the settings for your hotspot welcome page.

46 Monitor Hotspot Connections
To see the list of connected hotspot clients in Firebox System Manager, select the Authentication List tab. Click Hotspot Clients.
The connected hotspot clients also appear in the Wireless Clients tab on the Gateway Wireless Controller tab.

47 Documentation and Resources
Product Documentation
- WatchGuard AP: You can view and download the most current documentation for the WatchGuard AP device on the WatchGuard AP Product Documentation page at
- WatchGuard XTM: For detailed information about WatchGuard AP pairing, management, and configuration with your XTM device, see the Wireless AP Device Setup section of the Fireware XTM Web UI or WSM Help at
Knowledge Base
- You can view and search the knowledge base for information on specific WatchGuard product issues at
WatchGuard User Forum
- An interactive online user forum moderated by senior support engineers. Go to the WatchGuard forum at

48 Thank You!

