WatchGuard AP Device Discovery and Pairing

For the Gateway Wireless Controller on your Firebox to control a WatchGuard AP device, the AP device and the Firebox must be paired. For pairing to occur, you must first enable the Gateway Wireless Controller on the Firebox. When the Gateway Wireless Controller is enabled, the Firebox sends a discovery broadcast message to all networks. For more information on how to configure discovery broadcasts, see Configure Gateway Wireless Controller Settings.

After you connect a new AP device to your network, the AP device receives the broadcast message and sends a response. When the Firebox receives a response from an unpaired AP device, the discovered AP device appears in the Unpaired Access Points list in the Gateway Wireless Controller.

If the AP device is located behind a router or other network device and cannot see broadcasts from the Gateway Wireless Controller, you must manually add the AP device. For more information, see Manually Add an AP Device Configuration.

An AP device discovered by the Firebox is not automatically paired with the Firebox. You must pair the AP device with the Firebox in the Gateway Access Controller. This step makes sure no one can add an unauthorized WatchGuard AP device to your network. The AP device only accepts configuration information from the Firebox it is paired with.

After the first time you pair a new AP device with a Firebox, the Firebox attempts to automatically activate the AP device on your account on the WatchGuard website. For more information, see About AP Device Activation.

About Automatic Deployment

For wireless environments with many AP devices that will be configured with the same SSIDs and only require a simple configuration, you can use Automatic Deployment.

Automatic Deployment enables you to connect an unpaired AP device to your network and have the device automatically configured by the GWC for specific SSIDs. AP devices configured with automatic deployment are managed by the GWC the same way as paired devices.

An AP device automatically deployed by the GWC is configured with the automatic deployment SSID settings (including security encryption and any other specific SSID settings). All other AP settings, such as radio settings, are set to default values.

For more information, see About AP Automatic Deployment.

About Discovery Broadcasts

By default, the Gateway Wireless Controller uses a UDP broadcast on ports 2528 and 2529 on all networks to automatically discover connected AP devices. You can limit the networks that you use for AP discovery broadcasts. This is useful if you use the automatic deployment feature and need control over the networks that will allow AP devices to be automatically deployed. For more information on how to configure discovery broadcasts, see Configure Gateway Wireless Controller Settings.
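One way to confirm that discovery traffic stays on the networks you intended, shown as an added example that is not WatchGuard code: the script scans `tcpdump -nn` output for UDP packets on ports 2528 and 2529 and reports sources outside an approved list. The approved network, the sample capture lines, and the port direction shown in them are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

DISCOVERY_PORTS = {2528, 2529}  # UDP discovery ports named on this page
# Assumption: the only network where AP discovery is meant to run.
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.10.0/24")]

# Matches `tcpdump -nn` IPv4 UDP lines: "IP src.port > dst.port: UDP, length N"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)

# Constructed sample capture. Addresses, port direction and lengths are
# illustrative only and do not describe the actual discovery protocol.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 10.0.10.1.2528 > 10.0.10.255.2529: UDP, length 96
12:00:01.150000 IP 10.0.10.23.2529 > 10.0.10.1.2528: UDP, length 120
12:00:01.200000 IP 10.0.20.1.2528 > 10.0.20.255.2529: UDP, length 96
12:00:01.260000 IP 10.0.20.77.2529 > 10.0.20.1.2528: UDP, length 120
12:00:02.000000 IP 10.0.20.5.53124 > 10.0.20.1.53: UDP, length 40
"""


def discovery_packets(capture):
    """Yield (src, dst) addresses for each UDP packet that uses a discovery port."""
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and {int(m["sport"]), int(m["dport"])} & DISCOVERY_PORTS:
            yield ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])


def audit(capture, approved=APPROVED_NETWORKS):
    """Return {source IP: packet count} for discovery traffic outside approved networks."""
    unexpected = Counter()
    for src, _dst in discovery_packets(capture):
        if not any(src in net for net in approved):
            unexpected[str(src)] += 1
    return dict(unexpected)


if __name__ == "__main__":
    for src, count in sorted(audit(SAMPLE_CAPTURE).items()):
        print(f"discovery traffic outside approved networks: {src} ({count} packets)")
```

Any source the script reports is a network segment where an unpaired AP device could still be discovered, which matters most when automatic deployment is enabled.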

About WatchGuard AP120, AP320, and AP322 Devices

WatchGuard Wi-Fi Cloud is a powerful cloud-based enterprise wireless management solution for AP configuration, security, and monitoring.

The WatchGuard Wi-Fi Cloud service supports these AP devices:

  • AP120
  • AP320
  • AP322

If you do not use WatchGuard Wi-Fi Cloud, you can also manage these devices locally with the Gateway Wireless Controller on your Firebox. The WatchGuard Firebox requires Fireware v11.11.2 or higher for local Gateway Wireless Controller management.

Pair AP Devices with the Gateway Wireless Controller

In their factory default state, AP120, AP320, and AP322 devices first try to connect to WatchGuard Wi-Fi Cloud. If the AP device is not activated and provisioned for cloud management, the AP will continue to try to connect to cloud services for several minutes.

When the AP device appears in the Unpaired Access Points section on the Gateway Wireless Controller Access Points page, you can then pair the device.

When you successfully pair the AP device with the Gateway Wireless Controller, the AP device will not attempt to connect to WatchGuard Wi-Fi Cloud again until you complete a factory reset on the AP device.

Connect the AP Device

Before you can pair the AP device with the Firebox, you must connect it to a trusted, optional, or custom Firebox network.

To allow the Gateway Wireless Controller to discover an AP device on a custom zone network, you must modify the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom zone. For more information on the custom zone, see Configure a Custom Interface.

If you connect the AP device to a VLAN interface, make sure that you configure that interface to handle untagged VLAN traffic. An unpaired AP device cannot accept tagged VLAN traffic.

When the device is unpaired, the power LED on the AP device alternates from green to amber (AP100/102/200), flashes green alternating with the wireless LED (AP300), or is amber while the LAN LED flashes (AP120/AP320/AP322).

By default, the AP device is configured to use DHCP to get an IP address. Make sure that you enable the DHCP Server for the Firebox interface that connects to the AP device, so that the AP device can get an IP address.

Pair the AP Device to the Firebox

Use the Gateway Wireless Controller to discover the unpaired AP device and pair it to the Firebox.

For information about how to monitor the status of your AP devices, see Monitor AP Device Status.

For information about how to unpair an AP device, see Unpair an AP Device.

If your AP device is correctly connected but cannot be discovered, it may be necessary to reset the AP device to factory default settings. For more information, see Reset the WatchGuard AP Device.

Manually Add an AP Device Configuration

The Gateway Wireless Controller uses a UDP broadcast to automatically discover connected AP devices. The Gateway Wireless Controller cannot automatically discover an AP device located somewhere on your network where it cannot receive the broadcast. In these types of deployments, you can instead connect to the AP device to configure the network settings, and then add the AP device to the Gateway Wireless Controller, with the same network settings. The Firebox can then connect to the AP device to pair with it.

For more information on how to configure discovery broadcasts, see Configure Gateway Wireless Controller Settings.

Some examples of deployment scenarios where you must use manual configuration and discovery are:

  • The Firebox and the AP device are separated by a Layer 3 switch or router
  • The Firebox and the AP device are separated by a Branch Office VPN

For the Firebox to discover an AP device, the network between the AP device and the Firebox must include a route for the traffic between the two devices.

To configure the network settings on the AP device, use the WatchGuard Access Point web UI (AP100, AP102, AP200, and AP300 devices only). For information, see Use the WatchGuard Access Point Web UI.

To manually add an AP device to the Gateway Wireless Controller, from Fireware Web UI or Policy Manager:

  1. Select Network > Gateway Wireless Controller.
    The Gateway Wireless Controller dialog box appears.
  2. Select the Access Points tab.
  3. Click Add.
  4. Click OK.
    The Add Access Point dialog box appears.
  5. In the Name text box, type a name for this AP device.
  6. In the Model drop-down list, select the AP device model.
  7. In the Serial Number text box, type the serial number of the AP device.
  8. Adjacent to Network Settings, select Static.

[Figure: Static Network Settings for an AP device in Fireware Web UI]

[Figure: Static Network Settings for an AP device in Policy Manager]

  1. In the IP Address text box, type the static IP address you configured on the AP device.
  2. In the Subnet Mask text box, type the subnet mask you configured on the AP device.
  3. In the Default Gateway text box, type the default gateway IP address you configured on the AP device.
  4. Configure the other AP device settings as described in the previous section.

See Also

Configure AP Devices in the Gateway Wireless Controller

Configure AP Device Settings
