Related Topics

Configure AP Device Settings

From the Gateway Wireless Controller on your Firebox, you can edit the settings for any AP devices that are paired with the Firebox.

If the AP device is located behind a router or other network device and cannot receive broadcasts from the Gateway Wireless Controller, you must manually add the AP device. For more information, see Configure AP Device Settings.

Edit an AP Device Configuration

When you pair an AP device with a Firebox, you must configure the settings for the AP device. Because only some of the details about the AP device are automatically added to the AP device configuration when it is paired, you must edit the AP device settings to complete the initial configuration of the AP device.

When you edit the AP device settings, you can change any of the settings except for the model and serial number. The model and serial number are automatically set for paired AP devices and cannot be changed.

There are two network settings you can select for an AP device:


DHCP is the default selection.

Choose this option to configure the AP device to request a dynamically assigned IP address from a DHCP server. If you choose this option, make sure that a DHCP server is configured on the network that the AP device connects to. You can configure the Firebox as the DHCP server when you configure the Firebox interface that your AP device connects to.

For a configuration example, see WatchGuard AP Device Deployment Examples.


Select this option to assign the AP device a static IP address. When you select Static, you must configure these settings:

  • IP Address — The IP address to assign to the AP device
  • Subnet Mask — The subnet mask
  • Default Gateway — The IP address of the default gateway

To configure the AP device settings:

  1. (Optional) In the Name text box, type a new name for the AP device.
    The default name is <AP device model number >_<AP device serial number>.
  2. Adjacent to Network Settings, select an option to assign the AP device an IP address:
    • DHCP
    • Static
  3. If you selected Static, type the IP Address, Subnet Mask, and Default Gateway for your AP device.
  4. (Optional) In the Location text box, type the location of the AP device on your network.
  5. To override the Gateway Access Controller settings for syslog server logging:
    1. Select the Send log messages to a syslog server check box.
    2. In the Syslog server IP address text box, type the IP address of your syslog server.

External syslog support is not available for AP120, AP320, AP322, and AP420 devices.

  1. To disconnect roaming wireless clients from their current AP device so that the client can connect to an AP device with a stronger signal, select the Fast Handover check box.

Specify the Fast Handover RSSI threshold. This setting controls when a client should connect to an AP device with a stronger RSSI (Received Signal Strength Indicator) level.

For more information, see Fast Handover.

  1. To move dual-band wireless clients from the more widely-used and congested 2.4GHz spectrum to 5GHz, select the Enable Band Steering check box.

For more information, see Band Steering.

  1. To force your AP device to use outdoor wireless channels, select the Use Outdoor Channels only check box.
    This option is enabled by default for AP102 outdoor wireless devices.
  2. To make sure your AP device does not use DFS (Dynamic Frequency Selection) channels in the 5 GHz band in your region, select the Disable DFS Channels check box.
    DFS channels are used with radar. Your AP device stops transmitting if radar signals are detected on that channel. Devices on DFS channels also take longer to connect on the wireless network compared to non-DFS channels.
  3. To disable the LEDs on your AP device, select the Disable LEDs check box.
    This option allows you to operate your AP device in stealth mode to hide visible signs of wireless activity when the device is deployed in a location that requires additional security.
    For information on how you can flash the power LED to help identify AP devices in stealth mode, see Monitor AP Device Status.
  4. To use a tagged VLAN for management connections to the AP device:
    1. Select the Enable Management VLAN Tagging check box.
    2. In the Management VLAN ID text box, type the VLAN ID you want to use for management. This must be a VLAN that is configured to handle tagged traffic to the interface your AP device connects to.

If you configure a management VLAN ID in both the Gateway Wireless Controller settings and the AP device settings, the Firebox uses the management VLAN ID specified in the AP device settings.

  1. In the Radio 1 Settings and Radio 2 Settings sections, configure the settings for each AP device radio: band, wireless mode, channel, and SSID.
    For more information, see Configure AP Device Radio Settings.

When you save an AP device configuration to the Firebox, the device immediately sends the update to the affected AP devices. While the update is in progress, the AP device status briefly changes to Updating. The update process can take up to a minute to complete. While the update is in progress, wireless services might be interrupted on the AP device.

Fast Handover

Fast Handover helps wireless clients that roam between WatchGuard AP devices to disconnect from their current AP device and connect to another AP device with a stronger signal. Fast Handover tells wireless clients when to release their current AP device association if the signal degrades as the wireless client moves farther away.

Fast Handover uses the RSSI (Received Signal Strength Indicator) as a threshold to determine when to move a client to an AP device with a stronger RSSI level. The value is expressed in dBm (decibel milliwatts), for example, the default value is -85 dBm. The minimum is -100 dBm and the maximum is -60 dBm. The closer the value is to 0, the stronger the signal. For more information on signal strength, see Wireless Signal Strength and Noise Levels.

  • In Gateway Wireless Controller, Fast Handover is only supported on WatchGuard AP300 devices.
  • We recommend that you only enable Fast Handover for AP devices in high-traffic density areas.
  • Fast Handover causes an AP device to disconnect a client when the RSSI threshold is reached. You should check your environment and perform a site survey to make sure your AP devices are in range for handover based on your thresholds.
  • Wireless clients can have very different RSSI strengths depending on the manufacturer, and you must set your RSSI threshold accordingly.

Do not enable Fast Handover on adjacent AP devices that also have the Band Steering feature enabled. Clients steered to the 5Ghz band may have a drop in RSSI that can result in disconnections because of the Fast Handover RSSI threshold.

Band Steering

Band Steering helps reduce wireless network congestion by moving dual-band wireless clients from the more widely-used 2.4GHz spectrum to 5GHz. Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5Ghz band.

  • Band Steering is only supported on WatchGuard AP120, AP300, AP320, AP322, and AP420 devices.
  • The same SSID and security mode must be configured on both 2.4GHz and 5GHz radios to allow wireless clients to switch frequency bands.
  • In some cases, Band Steering can cause connectivity issues with older legacy wireless clients that only support 2.4Ghz. In these cases, we recommend that you disable Band Steering or have clients manually connect to the SSID.

Do not use Band Steering and Fast Handover features at the same time. Switching to the 5GHz band can result in a loss of RSSI strength for the client and can cause disconnections based on the Fast Handover RSSI threshold.

Change the Pairing Passphrase

(Fireware v11.11.1 and lower)

When you initially add an AP device to your configuration, you set the Pairing Passphrase. This passphrase is only used when you first pair the AP device with a Firebox that runs Fireware v11.11.1 or lower. If the first Pairing Passphrase you specified is not the same as the passphrase on the AP device, you can change the passphrase the Firebox uses to pair with the AP device.

For more information about AP device passphrases, see About AP Device Passphrases.

See Also

Configure WatchGuard AP Device SSIDs

Configure Gateway Wireless Controller Settings

WatchGuard AP Device Discovery and Pairing

Give Us Feedback     Get Support     All Product Documentation     Technical Search