
1 Wireless
For WatchGuard AP devices and Firebox or XTM wireless devices with Fireware XTM v11.9
Updated for Fireware XTM v11.9.4
WatchGuard Training

2 Course Introduction: Wireless with Fireware XTM

3 Training Objectives
In this training, you will learn about:
- The available types of WatchGuard wireless devices
- Wireless radio and security settings
- Factors to consider when planning a wireless network
- How to configure and manage a wireless Firebox or XTM device
- How to configure and manage a WatchGuard AP device
- How to enable a wireless hotspot

4 Requirements
Necessary equipment and software: None
Prerequisite knowledge:
- How to use Policy Manager to manage a Firebox or XTM device.
- How to configure internal interfaces on a Firebox or XTM device.
- A general understanding of VLANs for the VLAN section.
Optional:
- Access to a wireless Firebox or XTM device
- Access to a WatchGuard AP device and any Firebox or XTM device
- WatchGuard System Manager v11.9 or higher.
If you do not have a WatchGuard wireless device, you can use Policy Manager to create a local configuration file that contains many of the wireless settings and features described in this training.

5 Course Outline
- Product Overview
- Wireless Radio Settings
- Wireless Security Settings
- Deployment Planning
- Configure and Monitor a Firebox or XTM Wireless Device
- Configure and Monitor WatchGuard AP Devices
- Set up a Wireless Hotspot

6 Product Overview

7 WatchGuard Wireless Devices
WatchGuard offers two types of wireless devices:
- Firebox and XTM devices with built-in wireless access points: Firebox T10-W; XTM 25-W, XTM 26-W, XTM 33-W
- WatchGuard AP devices: AP100 and AP200 (indoor); AP102 (indoor/outdoor)

8 Functional Comparison
Firebox and XTM wireless devices:
- One built-in radio supports up to three SSIDs
- Can be configured to use wireless for external (as a wireless client)
- Each wireless access point or client is configured as a network interface
WatchGuard AP devices:
- Each AP device has one or two radios
- Configure up to eight SSIDs per radio
- Must be paired with and managed by a Firebox or XTM device
- Connect to a trusted, optional, or custom network
- A single Firebox or XTM device can manage many access points
- You can configure the same SSID on more than one AP device for better wireless coverage
Both:
- Support 2.4 GHz and 5 GHz, a/b/g/n
- Managed by WatchGuard System Manager, Fireware XTM Web UI, or CLI

9 Firebox and XTM Wireless Devices
All Firebox and XTM wireless devices support a common set of wireless features and configuration settings:
- Single dual-band radio, 2.4 GHz / 5 GHz switchable
- a/b/g/n
- 3 SSIDs
- Antennas are internal on the Firebox T10-W
(Pictured: XTM 25-W / 26-W, XTM 33-W, Firebox T10-W)

10 AP100, AP102, and AP200 Wireless Access Points
AP100 / AP102:
- Single dual-band radio, 2.4 GHz / 5 GHz switchable
- 2x2:2 MIMO, a/b/g/n, up to 300 Mbps
- 8 SSIDs
AP102:
- Weather-proof design for outdoor installations
Power:
- AC adapter
- 802.3af compliant PoE injector or switch
AP200:
- Two single-band radios, 2.4 GHz and 5 GHz
- 2x2:2 MIMO, a/b/g/n, up to 600 Mbps
- 8 SSIDs per radio
- Plenum rated
(Pictured: AP100 / AP200, AP102)

11 Configure WatchGuard Wireless Devices
- To configure wireless settings on a Firebox or XTM wireless device, select Network > Wireless.
- To configure an AP100, AP102, or AP200 wireless access point, select Network > Gateway Wireless Controller.
Gateway Wireless Controller is a component of Fireware XTM OS that you use to manage and monitor AP devices.

12 Monitor WatchGuard Wireless Devices
To see the wireless status of a Firebox or XTM wireless device, select System Status > Wireless Statistics in the Fireware XTM Web UI.
To monitor the status of AP100, AP102, or AP200 wireless access points:
- Select Dashboard > Gateway Wireless Controller in the Fireware XTM Web UI.
- Select the Gateway Wireless Controller tab in Firebox System Manager.

13 Wireless Radio Settings

14 Wireless Network Standards
IEEE defines a set of standards for wireless networks. WatchGuard wireless devices support these wireless modes, listed from slowest to fastest:
- 802.11a
- 802.11b
- 802.11g
- 802.11n
Configure your WatchGuard access point to support the wireless modes required by the wireless clients that you want to connect. If you configure an access point to support more than one mode, overall radio performance can decrease. All management frames are sent at the lowest rate supported by connected clients.

15 Radio Bands
WatchGuard wireless devices support 2.4 GHz and 5 GHz wireless bands. Characteristics:
2.4 GHz:
- Supports b, g, n wireless modes
- Range is generally greater than 5 GHz, because lower frequency radio waves can move more easily through some physical barriers
- Supports 14 channels; three non-overlapping channels
- Higher chance of signal interference from other wireless devices and networks: many wireless devices use 2.4 GHz (Bluetooth, cordless phones, radio controlled toys), and the 2.4 GHz band has fewer non-overlapping channels than the 5 GHz band
5 GHz:
- Supports a and n wireless modes
- Less range than 2.4 GHz
- Supports 23 non-overlapping channels
- More channels, so less chance of interference from other wireless devices

16 Radio Channels
Due to different regional regulatory requirements, the location of your wireless device affects the available radio channels in each band. Access points only use channels that are valid in the country where the device is located.
By default, all WatchGuard wireless devices automatically attempt to select a quiet available radio channel in the band. You can also configure a preferred channel.
If you deploy multiple AP devices, we recommend that you manually configure the channel on each AP device to minimize channel conflicts. You can use the Gateway Wireless Controller maps in the Fireware XTM Web UI to decide which channels to use based on your wireless environment.

17 Wireless Radio Settings
WatchGuard wireless devices support these wireless bands and modes. The most flexible settings for each band are selected by default.
Firebox and XTM devices:
- 2.4 GHz band: B/G/N Mixed (default), B/G Mixed, N/G Mixed, B only
- 5 GHz band: A/N Mixed (default), A
AP100/102/200 devices:
- 2.4 GHz band: B/G/N Mixed (default), B, B/G Mixed, G, N only
- 5 GHz band: A/N Mixed (default), A

18 Wireless Security

19 Wireless Security Settings — Security Modes
For each SSID, you configure the authentication and encryption method. These settings are also known as the security mode.
Wireless security modes, from least to most secure:
- Open System/Disabled — requires no authentication (not recommended for wireless connections to private network resources, such as on a trusted network)
- Wired Equivalent Privacy (WEP) — has known security vulnerabilities
- Wi-Fi Protected Access (WPA) — successor to WEP, more secure
- Wi-Fi Protected Access II (WPA2) — most secure
WPA and WPA2 support two types of authentication:
- Pre-shared key (PSK) — users must know the pre-shared key to connect
- Enterprise — requires users to authenticate to an external RADIUS server
Enterprise authentication is more secure than WPA/WPA2 (PSK) because users must each authenticate with their own enterprise credentials instead of one shared key that is known by everyone who uses the wireless access point.
WPA and WPA2 support two encryption protocols:
- TKIP — uses Temporal Key Integrity Protocol for encryption
- AES — uses Advanced Encryption Standard for encryption (most secure)

20 Wireless Security Settings — Firebox and XTM Devices
Security settings for an SSID on a Firebox or XTM wireless device:
- WPA/WPA2 (PSK) requires a passphrase.
- WPA/WPA2 Enterprise supports a RADIUS authentication server, or you can use Firebox-DB for user authentication.
(Screenshots: WPA/WPA2 (PSK) for a Firebox or XTM wireless device; WPA/WPA2 Enterprise for a Firebox or XTM wireless device)

21 Wireless Security Settings — WatchGuard AP Devices
Security settings for an SSID on an AP100, AP102, or AP200 device:
- WPA/WPA2 (PSK) security mode requires a passphrase.
- WPA/WPA2 Enterprise security mode requires a RADIUS server for authentication.
(Screenshots: WPA/WPA2 (PSK) settings for a WatchGuard AP device; WPA/WPA2 Enterprise settings for a WatchGuard AP device)

22 MAC Access Control
To further lock down your wireless network, you can enable MAC access control on your wireless access point. Two ways to control access by MAC address:
- Allowed MAC addresses (whitelist): a list of MAC addresses that are allowed to connect
- Denied MAC addresses (blacklist): a list of MAC addresses that are not allowed to connect
Firebox and XTM wireless devices support an allowed MAC address list. AP100, AP102, and AP200 devices support an allowed MAC address list or a denied MAC address list for an SSID.
While MAC access control can give you some control over which clients connect to your wireless network, a malicious client could still use MAC address spoofing to connect. For a trusted wireless network, we recommend that you use WPA or WPA2 Enterprise authentication to ensure that only trusted clients connect.

23 Custom Security Zone for Wireless Guest Networks
We recommend that you configure a wireless guest network in the Custom security zone, so that wireless guests cannot access computers on your trusted or optional networks.
A custom interface enables you to define a custom security zone that is separate from the predefined trusted, optional, and external zones. A custom interface is not a member of the built-in aliases Any-Trusted or Any-Optional. Traffic for a custom interface is not allowed through the Firebox or XTM device unless you specifically configure policies to allow it.
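The security-mode ranking, the MAC access control caveat and the custom-zone recommendation from the slides above can be applied as an audit over a list of SSID settings. This is an added example, not WatchGuard code; the Ssid record, the finding codes and the sample SSIDs are constructed for illustration.

```python
"""Audit SSID security settings against the guidance in this training:
security modes from least to most secure, MAC access control as a weak
control, and a custom security zone for guest networks.
Added example, not WatchGuard code; the SSID records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security modes as the training orders them, least to most secure.
MODE_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass
class Ssid:
    name: str
    zone: str                          # "trusted", "optional" or "custom"
    mode: str = "wpa2"                 # one of MODE_RANK
    auth: Optional[str] = None         # "psk" or "enterprise" (WPA/WPA2 only)
    encryption: Optional[str] = None   # "tkip" or "aes" (WPA/WPA2 only)
    mac_acl: Optional[str] = None      # "allowed", "denied" or None
    guest: bool = False                # intended as a guest network


def audit_ssid(s: Ssid) -> List[str]:
    """Return finding codes for one SSID, in a fixed order; [] means no finding."""
    mode = s.mode.lower()
    if mode not in MODE_RANK:
        raise ValueError(f"unknown security mode: {s.mode}")
    findings = []
    # Open System on a private network: anyone can associate without authentication.
    if mode == "open" and s.zone in ("trusted", "optional"):
        findings.append("OPEN_ON_PRIVATE_ZONE")
    if mode == "wep":
        findings.append("WEP_KNOWN_WEAK")
    if mode == "wpa":
        findings.append("WPA_PREFER_WPA2")
    if MODE_RANK[mode] >= MODE_RANK["wpa"]:
        if s.encryption == "tkip":
            findings.append("TKIP_PREFER_AES")
        # Enterprise gives each user their own credential instead of one shared key.
        if s.auth == "psk" and s.zone == "trusted":
            findings.append("PSK_ON_TRUSTED_PREFER_ENTERPRISE")
    # A MAC list is not authentication: addresses can be spoofed.
    if s.mac_acl and MODE_RANK[mode] < MODE_RANK["wpa"]:
        findings.append("MAC_ACL_IS_NOT_AUTHENTICATION")
    # Guests belong in the custom zone, outside Any-Trusted and Any-Optional.
    if s.guest and s.zone != "custom":
        findings.append("GUEST_NOT_IN_CUSTOM_ZONE")
    return findings


def audit(ssids: List[Ssid]) -> Dict[str, List[str]]:
    """Audit every SSID and map its name to its finding codes."""
    return {s.name: audit_ssid(s) for s in ssids}


# Constructed SSID records; none of these are from a real configuration.
SAMPLE_SSIDS = [
    Ssid("Corp", "trusted", "wpa2", "enterprise", "aes"),
    Ssid("Staff-Legacy", "trusted", "wpa2", "psk", "tkip"),
    Ssid("Printers", "optional", "wep", mac_acl="allowed"),
    Ssid("Guest", "trusted", "open", guest=True),
    Ssid("Guest-Custom", "custom", "open", guest=True),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_SSIDS).items():
        print(f"{name}: {', '.join(found) or 'OK'}")
```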

24 Wireless Deployment Planning

25 Wireless Requirements Gathering
Before you add wireless access points to your network, evaluate your current environment and wireless requirements:
- What wireless modes must your access point support (802.11a/b/g/n)? What types of wireless clients do you want to allow to connect? What wireless modes do they typically support?
- What SSIDs and networks do you want to create? Are there groups of wireless users who need wireless access to different network resources? Do you want to set up a guest wireless network that only allows Internet access?
- Where is the best physical location for each AP device? What is the physical size of the environment wireless users will connect from? Do you need more than one AP device to cover multiple areas?
For more detailed information about deployment planning and site survey tools, see the WatchGuard System Manager Help.

26 Wireless Site Survey
Perform a wireless site survey to analyze your physical environment and existing wireless signals. It can be helpful to use a wireless site survey tool such as Ekahau HeatMapper.
Measure before deployment as part of planning:
- Measure any existing wireless signals and interference in your environment.
- Measure wireless signal strength at different locations.
Measure after deployment to see the AP signal strength and range:
- After you install your access points, make another heat map to see if your current placement provides adequate coverage and signal strength.
Use the Gateway Wireless Controller Maps:
- After you set up a WatchGuard AP100, AP102, or AP200 device, you can use the Maps feature in the Gateway Wireless Controller Dashboard to see a visual representation of your wireless network, including signal strength and range, and channel conflict information.
Gateway Wireless Controller Maps are covered in a later section of this training.

27 Wireless Placement
Guidelines for the location and placement of wireless access points:
- Install in a central location away from any corners, walls, or other obstructions.
- Install high above the floor to provide the overall best signal strength.
- Install away from electronic devices that can interfere with the signal.
- Install access points far enough apart to provide maximum coverage for your wireless network area of availability.
- For wireless coverage over many floors, consider both vertical and horizontal space.

28 Configure Wireless Firebox or XTM Devices (XTM 25-W, XTM 26-W, XTM 33-W, Firebox T10-W)

29 Firebox and XTM Wireless Device Configuration Options
Select Network > Wireless to configure wireless settings. You can enable wireless for external or internal network access:
- Select Enable wireless client as external interface to enable wireless as an external interface.
OR
- Select Enable wireless access points to enable up to three separate wireless access points for connections from wireless clients.
Radio settings apply to all enabled wireless access points on the device:
- Country is selected automatically.
- Select the wireless band and mode.
- Channel is set automatically unless you select a specific channel.

30 Configuration Option 1 — Enable Wireless as External
In areas with limited or no existing network infrastructure, you can use your Firebox or XTM wireless device to provide secure network access. The Firebox or XTM device connects to another access point as a wireless client. Devices on the trusted or optional networks must be directly connected.
- Select Enable wireless client as external interface.
- Use DHCP or configure a static IP address.
- Configure the wireless client settings needed to connect.

31 Configuration Option 2 — Enable Wireless Access Points
Select Enable wireless access points to configure up to three wireless access points. Each access point is a wireless interface and has a separate SSID.

32 Wireless Access Points – Configure Network Settings
Configure network settings the same as you would for any other interface.
- Interface Name (Alias): the alias for this interface in the Firebox or XTM device configuration. It is not visible to wireless clients.
- Interface Type: Trusted, Optional, Custom, Bridge, or VLAN
- IP Address: this is the default gateway for wireless clients.
- DHCP: the Address Pool defines the IP addresses assigned to wireless clients that connect to this access point.

33 Wireless Access Points – Configure Wireless Settings
Configure the wireless settings:
- SSID — this is the name of the network that wireless clients connect to.
- Broadcast SSID — select this check box if you want to broadcast the SSID to wireless clients.
- Select the authentication and encryption algorithms to use.
- For WPA/WPA2 (PSK) authentication, specify the passphrase. Wireless clients must know this passphrase to connect.
- For WPA/WPA2 Enterprise authentication, select the authentication server (RADIUS or Firebox-DB). You must also enable the RADIUS server or add users to the Firebox-DB in the Authentication Servers settings.

34 Wireless Access Points – Configure MAC Access Control
On the MAC Access Control tab, you can restrict which devices can connect to this wireless access point, based on the client device MAC address. When you restrict access by MAC address, only wireless devices with the listed MAC addresses can connect to this wireless network.

35 Wireless Interfaces
Select Network > Configuration to see the interface list. Wireless interfaces appear in the interfaces list, below the numbered physical interfaces. The wireless interface numbers are:
- ath0 — wireless client external interface
- ath1 — Access point 1
- ath2 — Access point 2
- ath3 — Access point 3
Select a wireless interface and click Configure to change the wireless interface settings.

36 Wireless Interface Types and Policies
If you configure an access point as a Trusted or Optional interface:
- The interface is a member of the built-in Any-Trusted or Any-Optional alias.
- All existing policies in your configuration that allow traffic to or from the Any-Trusted or Any-Optional aliases also allow traffic to or from wireless clients that connect to a trusted or optional wireless interface.
- Do not allow untrusted wireless clients to connect to a trusted or optional wireless interface. Instead, set up a wireless guest network in the custom security zone.
If you configure an access point as a Custom interface:
- The interface is not a member of the built-in aliases.
- You must modify or add policies to allow traffic to or from the access point.

37 Configure a Wireless Guest Network
1. Configure an access point as a Custom interface.
2. Enable SSID broadcasts so wireless clients can find your network.
3. Add a policy to allow traffic from the wireless guest interface to External.

38 Monitor Firebox or XTM Wireless Device Status
In Firebox System Manager Front Panel, expand the Interfaces list to see:
- Wireless radio settings
- Traffic statistics for each wireless interface

39 Monitor Firebox or XTM Device Wireless Status
In the Firebox XTM Web UI, select System Status > Wireless Statistics to see wireless statistics and a list of connected wireless clients.

40 Configure WatchGuard AP Devices (AP100, AP102, and AP200)

41 AP Device in a Firebox or XTM Network
A WatchGuard AP device adds wireless access to any Firebox or XTM device network.
- Connect the AP device directly to an XTM device interface, OR
- Connect the AP device to a switch on the trusted or optional network.

42 Requirements and Limitations
Requirements for a Firebox or XTM device to manage an AP device:
- Fireware XTM OS v or higher.
- Network configured in mixed routing mode.
- The AP device must connect to a trusted, optional, or custom interface. To manage the AP device on a custom interface, you must configure the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom network zone.
- The Firebox or XTM device configuration must include a policy that allows NTP traffic from the AP device to the Internet. The AP device uses an NTP server to set the correct local time.

43 AP Device Default Settings
By default, an AP device uses DHCP to request an IP address. If a DHCP server is not available, the AP device uses a static IP address.
- Default IP Address:
- Subnet Mask:
- Default Gateway:
The AP device has its own web UI. You can connect to the Access Point web UI at or at the DHCP IP address.
For an unpaired AP device, the default management password is wgwap. For a paired AP device, the management password is the WatchGuard AP Password configured in the Gateway Wireless Controller.
You do not need to use the Access Point web UI unless you want to assign a static IP address to the AP device, or manually upgrade the firmware.

44 AP Device Deployment Overview
To deploy any AP device on your network you must complete these steps:
1. Enable the Gateway Wireless Controller on the Firebox or XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the Firebox or XTM device.
4. Configure the AP device settings.
5. Configure the SSIDs.
If you want to enable VLAN tagging for AP device SSIDs you must also:
- Create a tagged VLAN for each SSID.
- Create an untagged VLAN for management of the AP device.
VLAN tagging is covered in a later section of this training.
This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.

45 The Gateway Wireless Controller
On the Firebox or XTM device, the Gateway Wireless Controller connects to and manages AP devices. An AP device is paired to the Firebox or XTM device that manages it. A Firebox or XTM device can manage many paired AP devices.
After you enable the Gateway Wireless Controller, you can configure:
- Gateway Wireless Controller settings: settings that apply to all AP devices paired to this device
- AP device settings: settings that apply to a single AP device
- SSIDs: settings for SSIDs that wireless clients use to connect to your network. SSIDs can be used by multiple AP devices.

46 Enable the Gateway Wireless Controller
To enable the Gateway Wireless Controller:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Set the WatchGuard AP Passphrase. The passphrase is used for management connections to AP devices after they are paired to the Firebox or XTM device.
4. Save the configuration to the Firebox or XTM device to enable AP device discovery.
The WatchGuard Gateway Wireless Controller policy is automatically added. This policy enables AP device discovery and management. By default, it allows UDP traffic on port 2529 from the Trusted and Optional networks to the Firebox or XTM device.

47 Configure Gateway Wireless Controller Settings
To configure global Gateway Wireless Controller settings, click Settings.
- Set the WatchGuard AP Passphrase. You set this when you first enable the Gateway Wireless Controller. If you change it, the Gateway Wireless Controller updates all the AP devices to use this passphrase.
- Enable automatic WatchGuard AP device firmware updates. We recommend you keep this enabled. When this is enabled, the Gateway Wireless Controller updates the AP devices one at a time, if a new firmware version is available on the Firebox or XTM device.

48 Configure Gateway Wireless Controller Settings
Other Gateway Wireless Controller settings:
- Management VLAN tagging: not recommended for most environments. VLAN tagging is covered in a later section of this training.
- Send WatchGuard AP log messages to a syslog server: if you configure a syslog server, make sure all of your AP devices can connect to it. You might need to add a syslog policy to allow traffic from the AP devices to your syslog server.
- Enable SSH access to all WatchGuard APs: do not enable this unless advised to by WatchGuard Technical Support for troubleshooting.

49 Connect the AP Device
You can connect the AP device directly to a Firebox or XTM device interface, or to a switch connected to the Firebox or XTM device.
Before you connect an AP device to an interface, enable the interface:
- Set the Interface Type.
- Enable the DHCP Server.
- Configure a pool of IP addresses to assign to the AP device and to wireless clients.
If you connect the AP device to a switch:
- The AP device gets an IP address from a DHCP server.
- If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.
These instructions are for an AP device that does not use VLAN tagging.

50 Manage Access Points
Manage AP devices in the Access Points tab. You can add, edit, or remove AP devices.
- Add — manually add an AP device. If you do not have an AP device, you can manually add one here, so that you can see the configuration settings while you complete this training.
- Edit — edit AP device settings.
- Remove — remove an AP device. This removes the AP device from the configuration and, if the AP device is connected, resets the AP device to factory-default settings.
In the Unpaired Access Points list, you can discover and pair new AP devices.

51 Pair an AP Device
When you first connect the AP device, it is an unpaired Access Point. The power LED on the AP device alternates from green to amber when the device is unpaired.
To discover the unpaired AP device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the Firebox or XTM device IP address and configuration passphrase.
The Firebox or XTM device sends a local broadcast over UDP port 2529 every 30 seconds to discover unpaired AP devices.

52 Pair an AP Device
Unpaired AP devices appear in the Unpaired Access Points list. To pair an AP device to the Firebox or XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. For a new AP device, the pairing passphrase is wgwap. If the AP device has a different passphrase, use that as the pairing passphrase.
3. Edit the Access Point settings.
The pairing is not complete until you save the configuration to the Firebox or XTM device.

53 Edit Access Point Settings
When you pair an AP device, the Edit Access Point dialog box opens automatically.
- Set the AP device Name. This name identifies the device in the Gateway Wireless Controller. It is not visible to wireless clients.
- Configure Network Settings (DHCP or Static IP address). Select DHCP if you want the device to use DHCP to request an IP address. Select Static to configure a static IP address and gateway.

54 Edit Access Point Settings
Serial Number is automatically set for a paired AP device. Other settings:
- Location: you can specify the location where the AP device is installed.
- Syslog server: if specified, this overrides the syslog server in the Gateway Wireless Controller settings.
- Management VLAN tagging: enables VLAN tagging for management connections.
- Disable LEDs: disables the LEDs on your AP device (stealth mode).
- Use outdoor channels only: appropriate for an AP102 installed outdoors.

55 Access Point Radio Settings
Configure the radio Band to use. AP100 and AP102 have one radio that can use the 2.4 GHz or 5 GHz band. AP200 has two radios: Radio 1 uses the 2.4 GHz band, and Radio 2 uses the 5 GHz band.
For each radio, configure the Wireless Mode. Change other settings, if needed for your wireless environment.
For each radio, select the configured SSIDs to use (up to 8 per radio). If you have already configured SSIDs, select an SSID and click Add. You can leave the SSID blank if you have not configured SSIDs yet.
(Screenshot: Radio Settings for an AP200)

56 Pair the AP Device
After you close the Edit Access Point dialog box, the AP device is added to the Access Points list. To complete the pairing, save the configuration to the Firebox or XTM device.
When you save the configuration after you pair an AP device:
1. The Firebox uses the pairing passphrase to connect to the AP device.
2. The Firebox sends the configuration to the AP device.
3. The Firebox changes the passphrase on the AP device to the WatchGuard AP Passphrase you specified.
4. The Firebox attempts to activate the AP device LiveSecurity subscription. LiveSecurity activation status does not affect AP device functionality.
5. The AP device restarts.
After pairing is complete, the power light on the AP device changes to solid green.

57 Check the Access Point Status
After you pair the device, or save a configuration change, check the Access Point status in Firebox System Manager. After the configuration update is complete, the status should be Online. AP device monitoring is covered in more detail in a later section of this training.

58 See Log Messages About Discovery and Pairing
If you change the Diagnostic log level for the Gateway Wireless Controller (GWC) to Information, the Gateway Wireless Controller creates detailed log messages during AP device discovery and pairing.
To change the log level in Policy Manager:
1. Select Setup > Logging.
2. Click Diagnostic Log Level.
3. Select Networking > GWC.
4. Use the slider to set the log level to Information.

59 Log Messages During AP Device Discovery and Pairing
Example log messages during AP device discovery (after you click Refresh to update the Unpaired Access Points list):
:01:46 gwcd gwcd 0.0 :sent discovery frame on eth1 Debug
:01:46 gwcd gwcd 0.0 :sent discovery frame on eth2 Debug
:01:47 gwcd gwcd 0.0 :discovered new WAP model 0 [10AP C] at Debug
:01:47 gwcd gwcd 0.0 :WAP [10AP C] version set to build (5b39970b) Debug
:01:47 gwcd gwcd 0.0 :connection info for WAP [10AP C] changed from :0 to :443 Debug
Example log messages during AP device pairing (after you select a discovered AP device and click Pair):
:11:57 gwcd gwcd 0.0 :WAP [10AP C] went offline Debug
:12:01 gwcd gwcd 0.0 :WAP [10AP C] name changed from AP1 to AP100_10AP C Debug
:12:01 gwcd gwcd 0.0 :WAP [10AP C] now paired with Debug
:12:01 gwcd gwcd 0.0 :WAP [10AP C] now paired with D0FA02EDC5A05 Debug
:12:01 gwcd gwcd 0.0 :WAP [10AP C] now online Debug
Log messages include the serial number of the AP device and the serial number of the Firebox or XTM device it is paired with. If discovery or pairing fails, log messages may provide information to help you troubleshoot the issue.
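The gwcd messages above follow a small set of shapes, so they can be replayed to reconstruct each AP device's discovery and pairing state and to flag APs that were discovered but never reported as paired and online. This is an added example, not WatchGuard code; the message shapes come from the slide, while the timestamps, serial numbers, IP addresses and build id in the sample lines are constructed placeholders (the slide's own copies are truncated).

```python
"""Parse Gateway Wireless Controller (gwcd) discovery and pairing log lines
and track the state of each AP device by serial number.
Added example, not WatchGuard code. Sample lines are constructed; timestamps,
serials, IP addresses and the build id are placeholders."""
import re
from typing import Dict, List, Optional

# One gwcd line: <time> gwcd gwcd 0.0 :<message> <level>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+gwcd gwcd 0\.0 :(?P<msg>.*?)\s+(?P<level>\S+)$")

# Message shapes seen during discovery and pairing; the AP serial is in [ ].
PATTERNS = {
    "discovery_frame": re.compile(r"^sent discovery frame on (?P<iface>\S+)$"),
    "discovered": re.compile(
        r"^discovered new WAP model (?P<model>\S+) \[(?P<serial>[^\]]+)\] at (?P<ip>\S+)$"),
    "version": re.compile(r"^WAP \[(?P<serial>[^\]]+)\] version set to (?P<version>.+)$"),
    "conn_info": re.compile(
        r"^connection info for WAP \[(?P<serial>[^\]]+)\] changed from (?P<old>\S+) to (?P<new>\S+)$"),
    "offline": re.compile(r"^WAP \[(?P<serial>[^\]]+)\] went offline$"),
    "renamed": re.compile(r"^WAP \[(?P<serial>[^\]]+)\] name changed from (?P<old>\S+) to (?P<new>.+)$"),
    "paired": re.compile(r"^WAP \[(?P<serial>[^\]]+)\] now paired with (?P<firebox>\S+)$"),
    "online": re.compile(r"^WAP \[(?P<serial>[^\]]+)\] now online$"),
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into an event dict, or None if it is not a gwcd line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "level": m.group("level"),
             "kind": "other", "msg": m.group("msg")}
    for kind, pat in PATTERNS.items():
        pm = pat.match(event["msg"])
        if pm:
            event["kind"] = kind
            event.update(pm.groupdict())
            break
    return event


def new_ap_state() -> dict:
    return {"model": None, "ip": None, "version": None, "mgmt": None,
            "name": None, "paired_with": None, "online": False}


def track_ap_state(lines: List[str]) -> Dict[str, dict]:
    """Replay gwcd events and return the last known state of each AP, by serial."""
    aps: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or "serial" not in ev:
            continue  # not a gwcd line, or not about a specific AP
        ap = aps.setdefault(ev["serial"], new_ap_state())
        kind = ev["kind"]
        if kind == "discovered":
            ap["model"], ap["ip"] = ev["model"], ev["ip"]
        elif kind == "version":
            ap["version"] = ev["version"]
        elif kind == "conn_info":
            ap["mgmt"] = ev["new"]       # management endpoint, e.g. ip:443
        elif kind == "offline":
            ap["online"] = False
        elif kind == "renamed":
            ap["name"] = ev["new"]
        elif kind == "paired":
            ap["paired_with"] = ev["firebox"]   # Firebox/XTM serial number
        elif kind == "online":
            ap["online"] = True
    return aps


def incomplete_pairings(aps: Dict[str, dict]) -> List[str]:
    """Serials that were discovered but never reached 'now paired' and 'now online'."""
    return sorted(s for s, st in aps.items()
                  if st["paired_with"] is None or not st["online"])


# Constructed sample: one AP completes pairing, a second is only discovered.
SAMPLE_LOG = [
    "10:01:46 gwcd gwcd 0.0 :sent discovery frame on eth1 Debug",
    "10:01:46 gwcd gwcd 0.0 :sent discovery frame on eth2 Debug",
    "10:01:47 gwcd gwcd 0.0 :discovered new WAP model 0 [10AP0000000001] at 10.0.1.50 Debug",
    "10:01:47 gwcd gwcd 0.0 :WAP [10AP0000000001] version set to 1.0.0 build (0000000) Debug",
    "10:01:47 gwcd gwcd 0.0 :connection info for WAP [10AP0000000001] changed from 10.0.1.50:0 to 10.0.1.50:443 Debug",
    "10:01:48 gwcd gwcd 0.0 :discovered new WAP model 0 [10AP0000000002] at 10.0.1.51 Debug",
    "10:11:57 gwcd gwcd 0.0 :WAP [10AP0000000001] went offline Debug",
    "10:12:01 gwcd gwcd 0.0 :WAP [10AP0000000001] name changed from AP1 to AP100_10AP0000000001 Debug",
    "10:12:01 gwcd gwcd 0.0 :WAP [10AP0000000001] now paired with D0FA0000000001 Debug",
    "10:12:01 gwcd gwcd 0.0 :WAP [10AP0000000001] now online Debug",
]

if __name__ == "__main__":
    state = track_ap_state(SAMPLE_LOG)
    for serial, st in state.items():
        print(serial, st)
    print("not fully paired:", incomplete_pairings(state))
```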

60 Configure SSIDs
Manage SSIDs on the SSIDs tab of the Gateway Wireless Controller. The SSID is the network name that wireless clients connect to. You can assign the same SSID to multiple radios or multiple AP devices to enable simple wireless roaming. Click Add to add an SSID.

61 Configure SSID Settings
- Broadcast SSID and respond to SSID queries: enable SSID broadcast if you want wireless clients to detect the SSID as an available network.
- Access Points with this SSID: select the Access Point radios you want to use this SSID. You can also associate the SSID with an Access Point when you edit the Access Point settings.

62 Configure the SSID Security Mode
Configure the SSID security mode in the Security tab. Select the authentication and encryption algorithms to use.
- For WPA/WPA2 (PSK) authentication, specify the passphrase. Wireless clients must know this passphrase to connect.
- For WPA/WPA2 Enterprise authentication, select the RADIUS authentication server. You must also enable the RADIUS server in the Authentication Servers settings. It might be necessary to add a RADIUS policy to allow traffic from your AP devices to the RADIUS server. AP devices do not support Firebox-DB for Enterprise authentication.
Save the configuration to enable the SSID on the Access Point.

63 Configure MAC Access Control
To use MAC Access Control, configure MAC Access Control lists in the Gateway Wireless Controller settings. In each SSID, enable MAC Access Control, and select which list to use:
- Denied MAC Addresses — blocks connections from the listed MAC addresses
- Allowed MAC Addresses — allows only the listed MAC addresses to connect

64 Station Isolation
Station isolation prevents direct traffic between wireless clients that connect to the SSID on the same radio. When station isolation is enabled, all traffic between wireless clients connected to the same radio goes through the firewall. Recommended for wireless networks (such as a wireless guest network) where clients do not trust each other.

65 Wireless Roaming
You can assign an SSID to more than one AP device to extend the range. When a wireless client that is connected to that SSID moves to a new location, the wireless client can automatically connect to the AP device that has the strongest signal for that SSID. You cannot enable wireless roaming between AP devices and the built-in Access Point on a Firebox or XTM wireless device.
Wireless roaming behavior is controlled by the wireless client, not the AP devices. Wireless clients decide when to connect to a different access point. On some devices you can configure roaming aggressiveness.

66 Configure a Wireless Guest Network without VLANs
If you connect an AP device to your Firebox for wireless guest access, we recommend you configure the interface as a custom interface.
1. Configure the interface that the AP device connects to as a custom interface.
2. To enable AP device discovery and management on the custom interface, add the name of the custom interface to the From list of the WatchGuard Gateway Wireless Controller policy.
3. Add a policy to allow outgoing traffic from the custom interface.
4. Discover, pair, and configure the AP device with the wireless guest SSID.

67 AP Device Reset — Two Methods
Method 1: Use the Reset button on the AP device
Press and hold the reset button for five seconds or longer to reset the AP device to factory-default settings. If you hold the reset button for less than 5 seconds, the AP device reboots, but is not reset. If your AP device uses older AP firmware (v or lower), press and hold the reset button for 15 seconds or longer to reset it.
If you reset a paired AP device, the Gateway Wireless Controller can use the pairing passphrase to connect to the AP device. If the Gateway Wireless Controller successfully connects, it sends the configuration to the AP device and resets the AP device passphrase to the WatchGuard AP Passphrase.
Method 2: Unpair the device in the Gateway Wireless Controller
Select a paired AP device in the Gateway Wireless Controller and click Remove. When you save the configuration to the Firebox or XTM device, if the Gateway Wireless Controller can connect to the AP device, it resets the AP device to factory-default settings.

68 VLAN Configuration for Access Points

69 Should You Enable VLAN Tagging?
Before you deploy a WatchGuard AP device, consider whether or not you should enable VLAN tagging for your SSIDs.
Without VLAN tagging:
  All traffic from the AP device is in the same security zone (Trusted, Optional, or Custom) as the network the AP device connects to.
  You cannot create separate firewall policies for traffic for different SSIDs.
With VLAN tagging:
  You can create VLANs in different security zones for traffic for different SSIDs.
  You can apply different policies to traffic for different VLANs.
  You can identify and examine traffic for each VLAN in log messages or in a network analyzer.
If you use VLAN tagging, we recommend that you use an untagged VLAN for AP device management.

70 VLAN Configuration Overview
Before you enable VLAN tagging in the Access Point, you must configure VLANs on the Firebox or XTM device. Enable VLANs before you connect and pair the AP device.
The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections. You can optionally enable management VLAN tagging, but that is not recommended.
To configure VLANs on the Firebox or XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the Firebox or XTM device interface that the AP device connects to as a VLAN interface that passes tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.

71 VLAN Configuration Options
On the Firebox or XTM device, VLAN configuration is the same for either of these connection options:
  Connect the AP device directly to a Firebox or XTM device VLAN interface.
  Connect the AP device to the VLAN interface through a VLAN switch.
If you connect the AP device to a switch, you must also configure the same VLANs on the switch ports.

72 VLAN Example — Trusted and Guest Wireless Networks
Objectives:
  Configure one AP device with two SSIDs to allow connections to separate networks for trusted wireless clients and wireless guests.
  Do not allow wireless guests to access resources on the trusted network.
How to do it:
1. Create SSIDs for each group of users.
  SSID Name: Trusted-W, for trusted wireless access
  SSID Name: Guest-W, for guest wireless access
2. Create VLANs to put wireless guest traffic on a custom network rather than on your trusted network.
  Create a VLAN in the trusted security zone for the trusted wireless network.
  Configure a VLAN in the custom security zone for the guest wireless network.
3. Create a policy to allow traffic from the custom VLAN to the Internet.

73 VLAN Example — Create VLANs
Create three VLANs: one for each SSID and a third for AP management.
Select Network > Configuration > VLAN. Add three VLANs, with DHCP enabled.
  Trusted-VLAN (VLAN ID 10) — Trusted zone
  Guest-VLAN (VLAN ID 20) — Custom zone
  AP-Mgmt-VLAN (VLAN ID 30) — Trusted zone

74 VLAN Example — VLAN Details
(Screenshots of the VLAN settings for VLAN ID 10, VLAN ID 20, and VLAN ID 30.)

75 VLAN Example — VLAN Interface
Configure a VLAN interface on the Firebox or XTM device.
1. In the Network Configuration dialog box, select the interface you will connect the AP device to, and click Configure.
2. Set the Interface Type to VLAN.
3. Configure the interface to:
  Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
  Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
4. Save the configuration to the Firebox or XTM device.
5. Connect the AP device to the VLAN interface.

76 VLAN Example — Configure SSIDs
Enable VLAN tagging in the two SSIDs.
  SSID Trusted-W uses VLAN ID 10
  SSID Guest-W uses VLAN ID 20

77 VLAN Example — Configure Policies for the Custom VLAN
Because the VLAN for wireless guest users is in the Custom security zone, you must add a policy to allow traffic from this VLAN to the external interface.

78 VLAN Example — Finish AP Device Setup
The rest of the AP device setup steps are the same as without VLAN tagging.
1. Connect the AP device to the VLAN interface.
2. Use Policy Manager to discover and pair the AP device. In the Unpaired Access Points list, the IP address of the discovered AP device is an IP address in the DHCP address pool for the management VLAN.
3. In the Access Point settings, add the SSIDs for trusted and guest wireless access.
4. Save the configuration to the Firebox or XTM device.

79 VLAN Example — Connect the AP Device to a Switch
For this example, the VLAN configuration on the Firebox or XTM device is the same, whether you connect the AP device directly to an interface or through a VLAN switch. If you connect the AP device to a switch, configure the same VLANs on the switch ports that the AP device and the Firebox or XTM device connect to.
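The VLAN plan from this example, checked in code. This is an added example, not WatchGuard's code or any Fireware API: the data classes, the `check_plan` function and the VLAN values it is fed are constructed to mirror the rules in this training (one tagged VLAN per SSID, an untagged management VLAN, DHCP on every VLAN, a policy for the custom-zone guest VLAN, and switch-port membership that matches the Firebox interface).

```python
"""Added example (not WatchGuard code): sanity-check an AP VLAN plan."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Vlan:
    vlan_id: int
    zone: str           # "trusted", "optional" or "custom"
    dhcp: bool = True   # DHCP server or DHCP relay enabled for the VLAN


@dataclass
class VlanPort:
    """Tagged/untagged VLAN membership of a Firebox VLAN interface or a switch port."""
    tagged: Set[int] = field(default_factory=set)
    untagged: Optional[int] = None   # a port carries at most one untagged VLAN


@dataclass
class Ssid:
    name: str
    vlan_id: Optional[int]   # None means VLAN tagging is disabled for this SSID


@dataclass
class ApVlanPlan:
    vlans: Dict[int, Vlan]
    mgmt_vlan: int
    ssids: List[Ssid]
    firebox_port: VlanPort
    switch_port: Optional[VlanPort] = None   # None: AP plugged directly into the Firebox
    outbound_policy_vlans: Set[int] = field(default_factory=set)  # custom VLANs with a policy to External


def check_plan(plan: ApVlanPlan) -> List[str]:
    """Return the problems found; an empty list means the plan follows the training's rules."""
    problems: List[str] = []
    mgmt = plan.vlans.get(plan.mgmt_vlan)
    if mgmt is None or not mgmt.dhcp:
        problems.append(f"management VLAN {plan.mgmt_vlan} is missing or has no DHCP")
    # A factory-default AP sends management traffic untagged, so the management
    # VLAN must be the untagged VLAN on the interface or discovery fails.
    if plan.firebox_port.untagged != plan.mgmt_vlan:
        problems.append(f"management VLAN {plan.mgmt_vlan} must be the untagged VLAN on the Firebox interface")
    for ssid in plan.ssids:
        if ssid.vlan_id is None:
            continue
        vlan = plan.vlans.get(ssid.vlan_id)
        if vlan is None or not vlan.dhcp:
            problems.append(f"SSID {ssid.name}: VLAN {ssid.vlan_id} is missing or has no DHCP")
            continue
        if ssid.vlan_id not in plan.firebox_port.tagged:
            problems.append(f"SSID {ssid.name}: VLAN {ssid.vlan_id} is not tagged on the Firebox interface")
        if vlan.zone == "custom" and ssid.vlan_id not in plan.outbound_policy_vlans:
            problems.append(f"SSID {ssid.name}: custom VLAN {ssid.vlan_id} has no policy to the external interface")
    # Through a switch, the switch port must carry exactly the same VLANs the same way.
    if plan.switch_port is not None and plan.switch_port != plan.firebox_port:
        problems.append("switch port VLAN membership does not match the Firebox VLAN interface")
    return problems


def training_example() -> ApVlanPlan:
    """The Trusted-W / Guest-W plan from this training (values taken from the slides)."""
    return ApVlanPlan(
        vlans={10: Vlan(10, "trusted"), 20: Vlan(20, "custom"), 30: Vlan(30, "trusted")},
        mgmt_vlan=30,
        ssids=[Ssid("Trusted-W", 10), Ssid("Guest-W", 20)],
        firebox_port=VlanPort(tagged={10, 20}, untagged=30),
        switch_port=VlanPort(tagged={10, 20}, untagged=30),
        outbound_policy_vlans={20},
    )
```

Running `check_plan(training_example())` returns an empty list; tagging VLAN 30 on the interface instead of leaving it untagged, or forgetting the guest VLAN policy, each produces a problem entry.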

80 Use a VLAN with Station Isolation
To implement station isolation for an SSID used by more than one AP device, you can use an untagged or tagged VLAN.
Without a VLAN, station isolation prevents direct traffic only between wireless clients connected to the same AP device radio. With a VLAN, station isolation prevents direct traffic between wireless clients connected to multiple AP devices that use the same SSID.
To set this up:
1. Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.
2. Configure the interfaces that the AP devices will connect to as VLAN interfaces that send and receive untagged traffic for the VLAN.
3. Create the SSID, with station isolation enabled.
4. Connect the AP devices to the VLAN interfaces.
5. Discover and pair the AP devices, and configure them to use the SSID.
For more detailed steps, see the About AP Station Isolation topic in the WatchGuard System Manager Help or Fireware XTM Web UI Help.

81 About Management VLAN Tagging
There are two places you can enable management VLAN tagging:
  In the configuration for each AP device
  In the Gateway Wireless Controller settings
When management VLAN tagging is enabled in the Gateway Wireless Controller settings:
  The Gateway Wireless Controller uses the tagged VLAN for management traffic to all AP devices, unless a different Management VLAN ID is specified in the settings for an individual AP device.
  The Gateway Wireless Controller cannot discover and pair with a new AP device or an AP device that has been reset. An AP device with factory-default settings does not have management VLAN tagging enabled.
It is not possible to enable management VLAN tagging in the Access Point Web UI.

82 About Management VLAN Tagging
We recommend you do not enable management VLAN tagging, because it makes AP deployment more complex. To successfully use this feature, you must first pair with the AP devices without management VLAN tagging enabled.
1. Pair the AP devices to the Gateway Wireless Controller without management VLAN tagging enabled.
2. Enable management VLAN tagging in the Gateway Wireless Controller. Do not configure the interfaces to tag traffic for this VLAN yet.
3. Save the configuration to the Firebox or XTM device. The Gateway Wireless Controller updates the configuration of all AP devices to enable management VLAN tagging. The Gateway Wireless Controller temporarily loses management access to the paired AP devices.
4. Create the VLAN, and for each interface that an AP device connects to, configure the interface to send and receive tagged traffic for the VLAN. If there is a switch between your AP device and the Firebox or XTM device, enable tagging for this VLAN on the switch interfaces.
5. Save the configuration to the Firebox or XTM device. The Gateway Wireless Controller uses the tagged VLAN for management connections to all AP devices.

83 Monitor AP Device Status

84 Monitor AP Devices and Wireless Clients
Monitor AP devices and connected wireless clients in:
  Firebox System Manager on the Gateway Wireless Controller tab.
    Select the Access Points tab to monitor paired AP devices.
    Select the Wireless Clients tab to monitor or disconnect wireless clients.
  Fireware XTM Web UI on the Dashboard > Gateway Wireless Controller page.
    Select the Access Points tab to monitor paired AP devices.
    Select the Wireless Maps tab to view wireless maps of AP devices and other nearby wireless devices.

85 Monitor AP Devices in Firebox System Manager
For each AP device, the Access Points tab shows:
  AP name
  AP device status
  SSIDs
  IP address
  Radio band and channel
  Firmware version
  AP model
  Activation status
  Uptime

86 Monitor AP Devices
On the Access Points tab, after you select an AP device, you can:
  Reboot — Reboot the AP device. You can also reboot by pressing the reset button on the AP device briefly (less than 5 seconds).
  Restart Wireless — Restart the wireless interfaces. (This causes the AP device to auto-select a new wireless channel without a reboot.)
  Flash Power LEDs — Flash the power LED on the specified AP device to help with identification. The power LED on the AP device flashes green for several minutes. This is useful if you use the Disable LEDs option to operate your AP device in stealth mode.
  Upgrade — Upgrade the firmware on the selected AP device.
  Site Survey — Start a scan from the AP device to detect other wireless access points.
  Log Messages — See log messages on the AP device.
  Network Statistics — See the network status report for the AP device. This can be useful for troubleshooting network problems with WatchGuard technical support.

87 AP Device Status — Online
If the Firebox or XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.

88 AP Device Status — Offline
If the Firebox or XTM device cannot contact the AP device, the device status is Offline. When an AP device reboots, the status is Offline during the reboot.

89 AP Device Status — Passphrase Mismatch
If the Pairing Passphrase on the Firebox or XTM device does not match the passphrase on the AP device, AP device status is Passphrase mismatch. To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device. The default AP device passphrase is wgwap.

90 Monitoring — Connected Wireless Clients
Select the Wireless Clients tab to see a list of connected wireless clients. For each wireless client you can see:
  Client MAC Address
  SSID, AP, and radio the client is connected to
  Amount of data the client has sent and received through the AP device
  How long it has been since the client has sent or received data through the AP device

91 Gateway Wireless Controller Dashboard
In Fireware XTM Web UI, the Dashboard > Gateway Wireless Controller page provides statistics and tools to monitor your wireless environment.

92 Gateway Wireless Controller Dashboard
The Summary tab shows Access Point summary statistics. The Access Points and Wireless Clients tabs are similar to the same tabs in the Gateway Wireless Controller tab in Firebox System Manager.

93 Gateway Wireless Controller Maps
The Maps tab on the Dashboard > Gateway Wireless Controller page includes two maps to help you visualize your wireless environment.
  The Wireless Coverage Map helps you assess wireless coverage.
  The Channel Conflict Map helps you identify radio channel conflicts.
To generate the maps, your AP devices scan the environment to detect each other, and any other wireless access points.
Access Points in the Wireless Deployment Maps appear as colored dots. The color of the dots depends on the map view. Access points that are not part of your AP device deployment appear in both maps as small, light blue dots.
You can filter the maps by:
  Radio band
  SSID

94 Gateway Wireless Controller Maps
The Wireless Coverage Map shows the wireless coverage for multiple access points. If your AP devices are located in positions that provide good coverage for wireless roaming between AP devices:
  The Wireless Coverage Map should resemble a mesh pattern where there are as many redundant links as possible between AP devices.
  The distance between AP devices should be relatively uniform.
  Lines between the devices should be solid green or dashed green. Red or yellow lines indicate a channel conflict between the two devices.

95 Gateway Wireless Controller Maps
Channel Conflict Map
Shows the location of your AP devices and any other access points in the vicinity. To see more detailed information about channel conflicts for a specific device, right-click the device and click View Details.
Access Points move around on the map based on relative signal strength. To anchor the AP devices to a location on the map, select Sticky Access Points. Then click and drag each device where you want it.

96 Gateway Wireless Controller Maps
Select an AP device to see more information about it. Click View Details to see more detailed information about the AP device.
For more information, see Use Gateway Wireless Controller Maps in the Fireware XTM Web UI Help.

97 Gateway Wireless Controller Maps
Click Legend to see a map legend.

98 Wireless Hotspot

99 Enable a Wireless Hotspot
Use a hotspot to provide Internet connectivity to your visitors or customers. A hotspot gives you more control over guest connections to your network. A hotspot can apply to wired and wireless connections to an interface.
In the hotspot settings, you can customize:
  The interface on which the hotspot runs
  What type of authentication is required to use your hotspot
  The splash page that users see when they connect
  The terms and conditions that users must accept before they can use your wireless network
  The maximum length of time a user can be continuously connected

100 Enable a Wireless Hotspot
1. In Policy Manager, select Setup > Authentication > Hotspot.
2. Select Enable hotspot on an interface.
3. Select the interface you have configured as a wireless guest network.
  For a Firebox or XTM wireless device, select the name of the wireless interface.
  For a WatchGuard Access Point, select the Firebox or XTM device interface the AP device connects to. This enables the hotspot for all SSIDs on the AP device that connects to this interface. If the interface has wired clients, the hotspot also applies to those connections.
  If you use VLAN tagging, select the name of the VLAN your guest SSID uses. If your AP device has multiple SSIDs, you must enable VLAN tagging if you want to enable a hotspot on only one SSID.

101 Select the Hotspot Type
There are two hotspot types:
  Custom Page — Use the custom page on the Firebox or XTM device for hotspot connections. On the Hotspot Connections tab, specify whether hotspot users must authenticate. On the Customize Hotspot Page tab, customize the page users see when they connect.
  External Guest Authentication — This is not common, and requires that you configure a separate web server for authentication.

102 Custom Page — Without Authentication
Select Allow all users to connect without credentials. Users must accept your terms and conditions, but do not need a user name or password to use your hotspot.

103 Custom Page – with Guest User Accounts
Select Require users to authenticate with generated credentials. Add at least one Guest Administrator account.
The Guest Administrator creates and manages hotspot guest user accounts. Hotspot users use guest account credentials to authenticate to the hotspot.

104 Wireless Guest Administration Web Portal
Guest Administrators connect to the Firebox or XTM device at: and log in to the Wireless Guest Administration web portal with Guest Administrator credentials.
A Guest Administrator can:
  Manage guest user accounts
  Print custom vouchers for guest user accounts
A Guest Administrator cannot see or change any other settings on the Firebox or XTM device or the hotspot.

105 Guest Administration for Hotspots
In the Wireless Guest Administration web portal, the Guest Administrator configures the user account settings for guest user accounts. Select the Settings tab.

106 Guest Administration for Hotspots
The Guest Administrator can configure these settings for guest user accounts:
  User Name Prefix — The prefix for all guest user account user names. When guest user accounts are generated, each user name begins with this prefix.
  Account Lifetime — The amount of time that each guest user account can be used after it is activated for the first time. When the guest user logs in with the guest user account credentials, the countdown starts. The default account lifetime is 24 hours.
  Account Expiration — The amount of time after which the guest user account expires and is removed from the Guest Accounts list. If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.

107 Guest Administration for Hotspots
The Guest Administrator can configure the settings for the printed vouchers that give guest users their guest user account information. Select the Customize Voucher tab.

108 Guest Administration for Hotspots
Configure these settings for the guest user vouchers:
  Business Name — The name of the company where the hotspot is located. The name you specify is included in the voucher text.
  Contact Information — The contact information for the company. This text can include instructions to get hotspot connection help as well as contact numbers or addresses.
  Use a custom logo — Upload the company logo to use on the voucher. The logo file can include images, text, and other special information that you want to give guest users. Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.

109 Guest Administration for Hotspots
The Guest Administrator adds guest user accounts and prints vouchers.
1. Select the Accounts tab.
2. Specify the number of guest user accounts to create.
3. Click Add and Print New Accounts.

110 Guest Administration for Hotspots
Example vouchers — logo only, and logo with informational text.

111 Guest Administration for Hotspots
Print the voucher: Click Print in the Print Guest Account window.

112 Customize the Hotspot Splash Page
Select the Customize Hotspot Page tab to customize the splash page that users see in the browser after they connect to your hotspot.
  Customize text, fonts, and colors
  Specify Terms and Conditions
  Add your custom logo
Hotspot users see the customized hotspot page when they connect.

113 Connect to a Wireless Hotspot
1. Connect to the wireless network
  Select the SSID from the list of available wireless networks.
  Type the SSID password, if required. To avoid this step for guests, configure the Access Point SSID to not require a password. For an AP device SSID, set the Security Mode to Disabled. For a Firebox or XTM device wireless access point, set Encryption to Open System.
2. Connect to the hotspot
  Open a browser and browse to any website. The Hotspot splash page appears.
  Accept the terms and conditions.
  Type the guest Username and Passcode, if required.
  Click Continue.

114 Monitor Hotspot Connections
To see the list of connected hotspot clients in Firebox System Manager:
  Select the Authentication List tab.
  Click Hotspot Clients.
To see the list of Hotspot clients in Fireware XTM Web UI, select System Status > Hotspot Clients.

115 Conclusion

116 Conclusion
This training describes how to configure and manage WatchGuard wireless devices and how to set up and manage a wireless hotspot.
For more information, see these documentation and support resources available in the Support section of the WatchGuard web site:
  WatchGuard System Manager Help
  Fireware XTM Web UI Help
  WatchGuard Knowledge Base
Product documentation, help and the Knowledge Base are available at

117 Thank You!