WatchGuard AP Device Deployment Overview

When you add one or more WatchGuard Access Point (AP) devices to your network, you manage and configure the AP devices from the Gateway Wireless Controller on a Firebox. You do not have to connect directly to the AP device to configure the device settings.

To deploy any AP device on your Firebox network you must:

  1. Enable the Gateway Wireless Controller on the Firebox.
  2. Connect the AP device to your network.
    If your network has a DHCP server, the AP device automatically gets an IP address.
  3. From the Gateway Wireless Controller:
    1. Configure the SSIDs for your AP device to use.
    2. Pair the AP device with the Firebox.
    3. Configure the AP device settings and select the SSIDs to use.
    4. Trust the AP device.

About Automatic Deployment

For wireless networks where you deploy a large number of WatchGuard AP devices that use the same SSIDs and do not require unique configurations, you can enable automatic deployment on specific SSIDs. The Gateway Wireless Controller automatically deploys unpaired AP devices and configures them with the specified SSID.

For more information, see About AP Automatic Deployment.

About VLAN Tagging

You can optionally enable VLAN tagging in the SSIDs for your AP device. If you enable VLAN tagging, you must configure the necessary VLANs on your Firebox. For information about when to enable VLAN tagging and how to configure VLANs, see Configure VLANs for WatchGuard AP Devices.

You can optionally enable the AP device to use a tagged VLAN for management connections from the Firebox. However, you must still configure an untagged VLAN that the Firebox can use to initially discover and connect to the AP device.

The subsequent sections provide a more detailed overview of the steps to deploy an AP device with, and without, VLAN tagging enabled.

If the network you connect your AP device to does not use DHCP, you can use the Access Point web UI to manually assign a static IP address to the AP device before you connect it to your network. For more information, see Use the WatchGuard Access Point Web UI.

Deploy AP Devices Without VLAN Tagging

To deploy an AP device without VLAN tagging, you must enable the Gateway Wireless Controller, configure SSIDs on your Firebox, pair your AP device with your Firebox, and configure your AP device.

For a configuration example that demonstrates this type of deployment, see AP Device Deployment with a Single SSID.

Step 1 — Enable the Gateway Wireless Controller

Before your Firebox can discover and manage an AP device, you must enable the Gateway Wireless Controller on the Firebox.

For more information, see Configure AP Devices in the Gateway Wireless Controller.

Step 2 — Connect the AP Device

Use one of these options to connect the AP device to your trusted, optional, or custom network. By default, the AP device automatically requests an IP address from a DHCP server on the local network.

To enable the Gateway Wireless Controller to discover an AP device on a custom zone network, you must modify the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom zone.

Option 1 — Connect the AP device to a Firebox interface

If you have an available trusted, optional, or custom interface on your Firebox, you can connect the AP device directly to one of those interfaces.

Diagram of an AP device connected to an XTM device interface

For more information about interface configuration, see Common Interface Settings.

Option 2 — Connect the AP device to a switch

If you have a switch that connects to a trusted, optional, or custom interface on your Firebox, you can connect the AP device to that switch. With this option, you do not have to change the network settings on the Firebox interface.

Diagram of an AP device connected to a switch on the trusted network

Step 3 — Configure the SSIDs

Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs for each radio.

  1. In the Gateway Wireless Controller settings, select the SSIDs tab.
  2. Click Add to add an SSID.
  3. Configure the SSID (network name) and wireless security settings.

For more information, see Configure WatchGuard AP Device SSIDs.

Step 4 — Pair the AP Device

When you first connect the AP device to your network, it is an unpaired access point. This means it is not yet managed by a Firebox.

To discover an unpaired AP device and pair it with your Firebox:

  1. In the Gateway Wireless Controller settings, select the Access Points tab.
  2. Click Refresh.
    The unpaired AP device appears in the Unpaired Access Points list.
    For more information, see WatchGuard AP Device Discovery and Pairing.
  3. From the Unpaired Access Points list, select the AP device and click Pair.

For Fireware v11.11.1 and lower, in the Pairing Passphrase text box, type the passphrase of the AP device.
The default AP passphrase is wgwap. In Fireware v11.11.2 and higher, the pairing passphrase is not required.

Step 5 — Configure the AP Device

After you pair the AP device with your Firebox, configure the AP device settings.

  1. On the Access Points tab, select the AP device, and click Edit.
  2. Configure the radio settings for each radio.
  3. Add the SSID you created in Step 3 to the SSID list.

For more information, see Configure AP Device Radio Settings.

Step 6 — Trust the AP Device

To help prevent potential security issues from factory reset, unauthorized, or compromised AP devices in your deployment, the Gateway Wireless Controller creates trust records for each AP device. The Gateway Wireless Controller will not communicate with an AP device until it has been trusted.

When an AP device is first paired, the status is Not Trusted.

To trust an AP device:

  1. Select Dashboard > Gateway Wireless Controllers.
  2. Select the Access Points tab.
  3. Select one or more AP devices that are not trusted.
    Make sure that the devices are known AP devices in your deployment before you mark the devices as trusted.
  4. Click Action.
  5. Select Mark Trusted.

Deploy AP Devices With VLAN Tagging Enabled

To set up an AP device with VLAN tagging enabled in the SSIDs, you must configure VLANs and enable VLAN tagging in your SSIDs.

For a configuration example that shows this type of deployment, see AP Device Deployment with VLANs and Guest Network.

Step 1 — Configure VLANs on the Firebox

To enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on a Firebox interface. The AP device uses tagged VLANs to identify traffic for each SSID. The Firebox uses an untagged VLAN to pair with the AP device.

To configure VLANs on the Firebox:

  1. Add one VLAN for each SSID.
    These VLANs are used for tagged VLAN traffic for each SSID.
  2. Add one VLAN for management connections to the AP device.
    This VLAN is used for untagged management connections to the AP device.
  3. Enable DHCP server or DHCP relay for each VLAN.
  4. Configure the Firebox interface to pass tagged traffic for the VLANs for each SSID.
  5. Configure the Firebox to pass untagged traffic for the AP management VLAN.

For an example VLAN configuration, see Configure VLANs for WatchGuard AP Devices.

Step 2 — Enable the Gateway Wireless Controller

For the Firebox to discover and manage an AP device, you must enable the Gateway Wireless Controller on your Firebox.

For more information, see Configure AP Devices in the Gateway Wireless Controller.

Step 3 — Connect the AP Device

Select one of these options to connect the AP device to your trusted, optional, or custom network. By default, the AP device automatically requests an IP address from a DHCP server on the local network.

If the network you connect your AP device to does not use DHCP, you can use the Access Point web UI for the AP device to manually assign a static IP address to the AP device before you connect it to your network. For more information, see Use the WatchGuard Access Point Web UI.

Option 1 — Connect the AP device to a Firebox interface

You can connect the AP device directly to the Firebox interface that you configured as a VLAN interface in Step 1.

Option 2 — Connect the AP device to an 802.1Q switch

You can connect the AP device to an 802.1Q switch that has the necessary VLANs configured.

To configure the VLANs on the switch:

  1. Add VLANs to the switch with the same IDs as the VLANs you configured on the Firebox.
  2. Configure the switch interfaces that connect to the Firebox VLAN interface and the AP device to:
    • Send and receive tagged traffic for the VLANs assigned to each SSID.
    • Send and receive untagged traffic for the VLAN you use for AP device management.

For more information about VLAN configuration, see Configure VLANs for WatchGuard AP Devices.

Step 4 — Configure the SSIDs

Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per radio.

  1. In the Gateway Wireless Controller settings, select the SSIDs tab.
  2. Click Add to add an SSID.
  3. Configure the SSID (network name) and wireless security settings.
  4. In each SSID, enable VLAN tagging, and select the VLAN ID to use.

For more information, see Configure WatchGuard AP Device SSIDs.
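
The VLAN rules from Steps 1, 3, and 4 above can be checked against a written plan before any device is connected. This is an added example, not WatchGuard code or a Fireware interface; the data layout, the function names, and every VLAN ID, SSID name, and port name in it are assumptions constructed for illustration.

```python
MAX_SSIDS_PER_RADIO = 8  # per-radio limit stated on this page

def check_plan(vlans, mgmt_vlan, ssids, ports, radios):
    """Return findings for a VLAN-tagged AP plan; an empty list means no mismatch.

    vlans:  {vlan_id: dhcp_enabled} as configured on the Firebox
    ssids:  {ssid_name: vlan_id}, with None when VLAN tagging is off
    ports:  {port_name: (tagged_ids, untagged_ids)} for the Firebox VLAN
            interface and the switch ports that face the Firebox and the AP
    radios: {radio_name: [ssid_name, ...]}
    """
    findings, seen = [], {}
    for ssid, vid in ssids.items():
        if vid is None:
            findings.append(f"SSID {ssid}: VLAN tagging is not enabled")
        elif vid not in vlans:
            findings.append(f"SSID {ssid}: VLAN {vid} is not configured on the Firebox")
        elif vid == mgmt_vlan:  # SSID VLANs are tagged, the management VLAN is untagged
            findings.append(f"SSID {ssid}: uses the untagged management VLAN {vid}")
        elif vid in seen:  # the procedure adds one VLAN for each SSID
            findings.append(f"SSID {ssid}: shares VLAN {vid} with SSID {seen[vid]}")
        seen.setdefault(vid, ssid)
    if mgmt_vlan not in vlans:
        findings.append(f"management VLAN {mgmt_vlan} is not configured on the Firebox")
    for vid, dhcp_enabled in vlans.items():
        if not dhcp_enabled:
            findings.append(f"VLAN {vid}: no DHCP server or DHCP relay")
    ssid_vlans = {v for v in ssids.values() if v is not None and v != mgmt_vlan}
    for port, (tagged, untagged) in ports.items():
        for vid in sorted(ssid_vlans - set(tagged)):
            findings.append(f"{port}: SSID VLAN {vid} is not tagged")
        if mgmt_vlan not in untagged:
            findings.append(f"{port}: management VLAN {mgmt_vlan} is not untagged")
    for radio, names in radios.items():
        if len(names) > MAX_SSIDS_PER_RADIO:
            findings.append(f"{radio}: {len(names)} SSIDs, limit is {MAX_SSIDS_PER_RADIO}")
    return findings

# Constructed sample plan: every ID and name below is made up for illustration.
VLANS = {10: True, 20: True, 30: False}
SSIDS = {"Corp": 10, "Guest": 20, "Lab": 20}
PORTS = {"firebox-vlan-if": ({10, 20}, {30}), "switch-to-ap": ({10}, {30})}
RADIOS = {"radio1": ["Corp", "Guest", "Lab"]}

def sample_findings():
    return check_plan(VLANS, 30, SSIDS, PORTS, RADIOS)

if __name__ == "__main__":
    print("\n".join(sample_findings()))
```

In the sample plan, the switch port that faces the AP does not carry the Guest VLAN tagged, so clients on that SSID would get no address even though the Firebox side is correct.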

Step 5 — Pair the AP Device

When you first connect the AP device to your network, it is an unpaired access point. This means it is not yet managed by a Firebox.

To discover an unpaired AP device and pair it with your Firebox:

  1. In the Gateway Wireless Controller settings, select the Access Points tab.
  2. Click Refresh.
    The unpaired AP device appears in the Unpaired Access Points list.
    For more information, see WatchGuard AP Device Discovery and Pairing.
  3. From the Unpaired Access Points list, select the AP device and click Pair.

For Fireware v11.11.1 and lower, in the Pairing Passphrase text box, type the passphrase of the AP device.
The default AP passphrase is wgwap. In Fireware v11.11.2 and higher, the pairing passphrase is not required.

Step 6 — Configure the AP Device

After you pair the AP device with your Firebox, configure the AP device settings.

  1. On the Access Points tab, select the AP device, and click Edit.
  2. Configure the radio settings to use for each radio.
  3. Add the SSID you created in Step 4 to the SSID list.

For more information, see Configure AP Device Radio Settings.

Step 7 — Trust the AP Device

To help prevent potential security issues from factory reset, unauthorized, or compromised AP devices in your deployment, the Gateway Wireless Controller creates trust records for each AP device. The Gateway Wireless Controller will not communicate with an AP device until it has been trusted.

When an AP device is first paired, the status is Not Trusted.

To trust an AP device:

  1. Select Dashboard > Gateway Wireless Controllers.
  2. Select the Access Points tab.
  3. Select one or more AP devices that are not trusted.
    Make sure that the devices are known AP devices in your deployment before you mark the devices as trusted.
  4. Click Action.
  5. Select Mark Trusted.

See Also

About AP Device Configuration
