Configure Gateway Wireless Controller Settings

The Gateway Wireless Controller includes settings that apply to all AP devices. These settings include:

  • WatchGuard AP Passphrase
  • Firmware updates
  • Syslog server settings
  • Alarms and notification settings
  • Management VLAN tagging
  • Discovery Broadcasts
  • Advanced Deployment
  • Scan Interval
  • Scheduled Restarts
  • MAC Access Control

Configure Access Point Settings

You can configure the Access Point settings in the Gateway Wireless Controller.

Change the WatchGuard AP Passphrase

The WatchGuard AP Passphrase is used for all WatchGuard AP devices after they are paired with your Firebox. The Gateway Wireless Controller uses this passphrase to establish connections between the Firebox and the paired AP devices. This is also the passphrase you use to log in to the Access Point web UI of a paired AP device. You set the WatchGuard AP passphrase when you enabled the Gateway Wireless Controller.

To change the WatchGuard AP passphrase:

  1. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of all AP devices.
  2. To make the passphrase you type visible, select Show passphrase.

Enable Automatic AP Device Firmware Updates

The Gateway Wireless Controller can automatically update the firmware on WatchGuard AP devices when a new version is available. The default setting enables the Gateway Wireless Controller to automatically update the firmware on all paired AP devices.

Automatic AP device firmware upgrades occur from 00:00 (midnight) to 04:00 based on the local time of the Firebox. If your Firebox is paired with more than one AP device, the Gateway Wireless Controller automatically updates the AP devices one at a time. The Gateway Wireless Controller updates one AP device every five minutes. The AP device power LED flashes amber (AP100/102/200) or flashes slowly green (AP300) while the AP device is upgraded.

To disable automatic firmware updates:

Clear the Automatically update WatchGuard AP firmware when a new version is available on the XTM device check box.

If you disable automatic firmware updates, you can manually update the firmware for each AP device. For more information, see Update AP Device Firmware.

Configure Syslog Settings

By default, each AP device automatically stores recent syslog log messages locally. You can see the syslog messages stored on each AP device. For more information about how to see syslog messages for an AP device, see Monitor Wireless Connections (Gateway Wireless Controller).

You can also configure all your AP devices to send syslog messages to the same, external syslog server. When you configure the syslog server in the Gateway Wireless Controller settings, all paired AP devices send syslog messages to the specified server.

Before you configure the Gateway Wireless Controller settings for an external syslog server, make sure the syslog server you specify is set up and your AP devices can connect to the IP address of the syslog server.

To configure your AP devices to send log messages to an external syslog server:

  1. Select the Send WatchGuard AP log messages to a syslog server check box.
  2. In the Syslog server IP address text box, type the IP address of the syslog server.

Enable Logging For Reports

Enable this option to log wireless events for reports.

These events include:

  • AP device discovery
  • AP device status updates
  • AP device reboot, online, offline, pairing and unpairing events
  • AP device configuration changes
  • AP device firmware version updates
  • Detection of rogue access points

Enable Management VLAN Tagging

You can optionally use a tagged VLAN for management connections to the AP device. You can enable VLAN tagging for each AP device in the configuration for each AP device, or you can enable it in the Gateway Wireless Controller settings. If you want to use the same management VLAN ID for all paired access points, it might be most convenient to set the VLAN ID in the Gateway Wireless Controller settings.

If you enable management VLAN tagging in the Gateway Wireless Controller settings, you do not need to enable management VLAN tagging for each AP device. The Firebox uses the management VLAN ID specified in the Gateway Wireless Controller settings for management traffic to all AP devices, if management VLAN tagging is not enabled in the AP device settings.

To enable management VLAN tagging for all AP devices:

  1. Select the Enable Management VLAN Tagging check box.
  2. In the Management VLAN ID text box, type the VLAN ID you want to use for management. This must be a VLAN that is configured to handle tagged traffic to the interface your AP devices connect to.

If you specify a management VLAN ID in the configuration settings for an AP device, the Firebox uses the VLAN ID configured for the AP device instead of the VLAN ID specified in the Gateway Wireless Controller settings.

Discovery Broadcasts

By default, the Gateway Wireless Controller uses a UDP broadcast on ports 2528 and 2529 on all networks to automatically discover connected AP devices.

You can limit the networks that you use for AP discovery broadcasts, and you can also disable automatic discovery broadcasts. This is useful if you use the automatic deployment feature and need control over the networks that will allow AP devices to be automatically deployed. For more information on automatic deployment, see About AP Automatic Deployment.

To limit your discovery broadcast addresses, select Only discover WatchGuard AP devices on these broadcast IP addresses, then click Add to add a broadcast IP address for the network you want to use to deploy WatchGuard AP devices. You must add a valid broadcast address for your network. For example, if your trusted interface is configured as, the broadcast IP address is
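The check below is an added example, not part of the WatchGuard documentation. It tests each address you plan to enter in the discovery list against the networks configured on the Firebox interfaces and reports any entry that is not the broadcast address of one of them. The function name, interface addresses and candidate addresses are constructed for illustration.

```python
import ipaddress

def check_discovery_broadcasts(interface_cidrs, candidates):
    """Classify each candidate address against the Firebox interface networks.

    Returns {candidate: (ok, reason)}; ok is True only for the directed
    broadcast address of a configured network.
    """
    networks = [ipaddress.ip_interface(c).network for c in interface_cidrs]
    results = {}
    for cand in candidates:
        try:
            addr = ipaddress.IPv4Address(cand)
        except ipaddress.AddressValueError:
            results[cand] = (False, "not an IPv4 address")
            continue
        matches = [n for n in networks if addr in n]
        if not matches:
            results[cand] = (False, "not on any configured network")
            continue
        # If networks overlap, judge against the most specific one.
        net = max(matches, key=lambda n: n.prefixlen)
        if net.prefixlen >= 31:
            results[cand] = (False, f"{net} has no broadcast address")
        elif addr == net.broadcast_address:
            results[cand] = (True, f"broadcast address of {net}")
        elif addr == net.network_address:
            results[cand] = (False, f"network address of {net}; use {net.broadcast_address}")
        else:
            results[cand] = (False, f"host address in {net}; use {net.broadcast_address}")
    return results

# Constructed sample values, not taken from the WatchGuard documentation.
INTERFACES = ["10.0.1.1/24", "172.16.8.1/22", "192.168.50.1/31"]
CANDIDATES = ["10.0.1.255", "10.0.1.1", "172.16.11.255", "172.16.8.255",
              "192.168.50.1", "10.0.2.255", "10.0.1.0", "not-an-ip"]

if __name__ == "__main__":
    for cand, (ok, reason) in check_discovery_broadcasts(INTERFACES, CANDIDATES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {cand:15} {reason}")
```

The /22 case shows the common mistake: 172.16.8.255 looks like a broadcast address but is an ordinary host address in 172.16.8.0/22, so discovery limited to it would not reach the AP devices on that network.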

To disable automatic discovery broadcasts, select the Disable automatic discovery of WatchGuard AP devices check box. If you disable automatic broadcasts, you can click the Refresh button in the Gateway Wireless Controller Access Points page to manually discover unpaired AP devices.

The Gateway Wireless Controller cannot automatically discover an AP device located somewhere on your network where it cannot receive the broadcast. In these types of deployments, you can instead connect to the AP device to configure the network settings, and then add the AP device to the Gateway Wireless Controller, with the same network settings. For more information, see the manual AP device configuration topic in Configure AP Device Settings.

Advanced Deployment

You can deploy AP300 devices over-the-air without physical cables. When the network cable is disconnected, the AP device switches to client mode and associates to the nearest cabled AP device.

To enable wireless deployment, select the Enable deployment over wireless check box.

For more detailed information, see About AP Wireless Deployment.

Wireless Scan Interval

You can configure the interval for automatic wireless scans for AP device channel selection, wireless deployment maps and rogue access point detection. The default is 1 hour.

Increase the automatic scan interval to reduce the wireless traffic and resource usage caused by scanning the wireless network.

Alarm Notifications

You can enable alarms to notify you when these wireless events occur:

  • Send alarm notification when an Access Point becomes unreachable — An AP device can be unreachable for many reasons, including network disruption, power loss, and firmware upgrades.
  • Send alarm notification when a Rogue Access Point is detected.

Select the Notification tab in Fireware Web UI or the Notification button in Policy Manager to configure your notifications. For more information on notifications, see Set Logging and Notification Preferences.

Enable Scheduled Restarts

You can restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis. This refreshes the AP device and makes sure the device configuration and all access control lists are up to date, and automatically updates wireless channel selection.

When scheduled restarts are enabled, the AP devices managed by the Gateway Wireless Controller are restarted at 90-second intervals to make sure they are not all restarted at the same time.

To configure scheduled restarts:

  1. Select the Enabled Scheduled Restarts check box.
  2. Select Daily or a specific day of the week for a weekly restart.
  3. Set the time for the restart in 24 hour format (hh:mm).
  4. From the drop-down list, select Reboot Access Point or Restart Wireless only.
       • Use Reboot Access Point to reboot the device and automatically update channel selection. The configuration is not reloaded when you reboot a device.
       • Use Restart Wireless only to restart the wireless interfaces, automatically update channel selection, and reload the device configuration. The device is not rebooted when you restart wireless.

Configure MAC Access Control

In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for your AP devices.

For more information, see Configure MAC Access Control.

See Also

Configure AP Device Radio Settings
