Configure AP Device Settings

From the Gateway Wireless Controller on your Firebox, you can edit the settings for any AP devices that are paired with the Firebox.

If the AP device is located behind a router or other network device and cannot see broadcasts from the Gateway Wireless Controller, you must manually add the AP device. For more information, see Configure AP Device Settings.

Edit an AP Device Configuration

When you pair an AP device with a Firebox, you must configure the settings for the AP device. Because only some of the details about the AP device are automatically added to the AP device configuration when it is paired, you must edit the AP device settings to complete the initial configuration of the AP device.

When you edit the AP device settings, you can change any of the settings except for the model and serial number. The model and serial number are automatically set for paired AP devices and cannot be changed.

There are two network settings you can select for an AP device:


DHCP is the default selection.

Choose this option to configure the AP device to request a dynamically assigned IP address from a DHCP server. If you choose this option, make sure that a DHCP server is configured on the network that the AP device connects to. You can configure the Firebox as the DHCP server when you configure the Firebox interface that your AP device connects to.

For a configuration example, see WatchGuard AP Device Deployment Examples.


Select this option to assign the AP device a static IP address, subnet mask, and default gateway. When you select Static, you must configure these settings:

  • IP Address — The IP address to assign to the AP device
  • Subnet Mask — The subnet mask
  • Default Gateway — The IP address of the default gateway

By default, the AP device uses the syslog server settings you configure in the common settings in the Gateway Access Controller. When you edit the settings for an AP device, you can configure the AP device to use a different syslog server. For more information about the syslog server settings for the Gateway Wireless Controller, see Configure Gateway Wireless Controller Settings.

To configure the AP device settings:

  1. (Optional) In the Name text box, type a new name for the AP device.
    The default name is <AP device model number >_<AP device serial number>.
  2. Adjacent to Network Settings, select an option to assign the AP device an IP address:
    • DHCP
    • Static
  3. If you selected Static, type the IP Address, Subnet Mask, and Default Gateway for your AP device.
  4. (Optional) In the Location text box, type the location of the AP device on your network.
  5. To override the Gateway Access Controller settings for syslog server logging:
    1. Select the Send log messages to a syslog server check box.
    2. In the Syslog server IP address text box, type the IP address of your syslog server.
  6. To encourage wireless clients that are roaming between WatchGuard AP devices to disconnect from their current AP device and associate to the AP device with the stronger signal, select the Fast Handover check box.

Set the Fast Handover RSSI threshold to use (in dBm) when a client should be encouraged to move to an AP device with a stronger RSSI (Received Signal Strength Indicator) level.

For more information, see Fast Handover.

  1. To reduce network congestion and encourage dual-band wireless clients to move from the more widely-used 2.4GHz spectrum to 5GHz, select the Enable Band Steering check box.

For more information, see Band Steering.

  1. To force your AP device to use outdoor wireless channels, select the Use Outdoor Channels only check box.
    This option is enabled by default for AP102 outdoor wireless devices.
  2. To make sure your AP device does not use DFS (Dynamic Frequency Selection) channels in the 5 GHz band in your region, select the Disable DFS Channels check box.
    DFS channels are used with radar and your AP device will stop transmitting if radar signals are detected on that channel. Devices on DFS channels also take longer to connect on the wireless network compared to non-DFS channels.
  3. To disable the LEDs on your AP device, select the Disable LEDs check box.
    This option allows you to operate your AP device in stealth mode to hide the use of wireless activity when the device is deployed in a location that requires additional security.
    For information on how you can flash the power LED to help identify AP devices in stealth mode, see Monitor AP Device Status.
  4. To use a tagged VLAN for management connections to the AP device:
    1. Select the Enable Management VLAN Tagging check box.
    2. In the Management VLAN ID text box, type the VLAN ID you want to use for management. This must be a VLAN that is configured to handle tagged traffic to the interface your AP device connects to.

If you configure a management VLAN ID in both the Gateway Wireless Controller settings and the AP device settings, the Firebox uses the management VLAN ID specified in the AP device settings.

  1. In the Radio 1 Settings and Radio 2 Settings sections, configure the settings for each AP device radio: band, wireless mode, channel, and SSID.
    For more information, see Configure AP Device Radio Settings.

When you save an AP device configuration to the Firebox, the device immediately sends the update to the affected AP devices. While the update is in progress, the AP device status briefly changes to Updating. The update process can take up to a minute to complete. While the update is in progress, wireless services might be interrupted on the AP device.

Fast Handover

Fast Handover encourages wireless clients that are roaming between WatchGuard AP devices to disconnect from their current AP device and associate to the AP device with a stronger signal. This prevents wireless clients from holding on to their current AP device association even as the signal degrades as the wireless client moves farther away.

Fast Handover uses the RSSI (Received Signal Strength Indicator) as a threshold to use when a client should be encouraged to move to an AP device with a stronger RSSI level. The value is expressed in dBm (decibel milliwatts), for example, the default value is -85 dBm. The minimum is -100 dBm and the maximum is -60 dBm. The closer the value is to 0, the stronger the signal. For more information on signal strength, see Wireless Signal Strength and Noise Levels.

  • Fast Handover is only supported on WatchGuard AP300 devices.
  • We recommend that you only enable Fast Handover for AP devices in high-traffic density areas.
  • Fast Handover will disconnect a client when the RSSI threshold is reached. You should check your environment and perform a site survey to make sure your AP devices are in range for handover based on your thresholds.
  • Wireless clients can have very different RSSI strengths depending on the manufacturer, and you must set your RSSI threshold accordingly.

Do not enable Fast Handover on adjacent AP devices that also have the Band Steering feature enabled. Clients steered to the 5Ghz band may have a drop in RSSI that can result in disconnections because of the Fast Handover RSSI threshold.

Band Steering

Band Steering helps reduce wireless network congestion by encouraging dual-band wireless clients to move from the more widely-used 2.4GHz spectrum to 5GHz. Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5Ghz band.

  • Band Steering is only supported on WatchGuard AP120, AP300, AP320, and AP322 devices.
  • The same SSID and security mode must be configured on both 2.4GHz and 5GHz radios to allow wireless clients to switch frequency bands.
  • In some cases, Band Steering can cause connectivity issues with older legacy wireless clients that only support 2.4Ghz. In these cases, we recommend that you disable Band Steering or have clients manually connect to the SSID.

Do not use Band Steering at the same time as the Fast Handover feature because switching to the 5GHz band can result in a loss of RSSI strength for the client and disconnections based on the Fast Handover RSSI threshold can occur.

Change the Pairing Passphrase

(Fireware v11.11.1 and lower)

When you initially add an AP device to your configuration, you set the Pairing Passphrase. This passphrase is only used when you first pair the AP device with a Firebox that runs Fireware v11.11.1 or lower. If the first Pairing Passphrase you typed is not the same as the passphrase on the AP device, you can change the passphrase the Firebox uses to pair with the AP device.

For more information about AP device passphrases, see About AP Device Passphrases.

See Also

Configure WatchGuard AP Device SSIDs

Configure Gateway Wireless Controller Settings

WatchGuard AP Device Discovery and Pairing

Give Us Feedback     Get Support     All Product Documentation     Technical Search