Related Topics

Configure Gateway Wireless Controller Settings

The Gateway Wireless Controller includes settings that apply to all AP devices. These settings include:

  • AP Passphrase
  • Firmware updates
  • Syslog server settings
  • Alarms and notification settings
  • Management VLAN tagging
  • Discovery Broadcasts
  • Advanced Deployment
  • Scan Interval
  • Scheduled Restarts
  • MAC Access Control

Configure Access Point Settings

You can configure the Access Point settings in the Gateway Wireless Controller.

Deployment Security Settings

The WatchGuard AP Passphrase is used for all WatchGuard AP devices after they are paired with your Firebox. The Gateway Wireless Controller uses this passphrase to establish connections between the Firebox and the paired AP devices. You set the WatchGuard AP Passphrase when you enable the Gateway Wireless Controller.

To change the WatchGuard AP Passphrase:

  1. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of all AP devices.
    The passphrase must be a minimum of 8 characters.
  2. To see the passphrase you typed, select Show passphrase.

Automatic AP Passphrase Management

To improve the security and management of AP passphrases, the Gateway Wireless Controller can automatically create and manage unique, random passphrases for each AP device. The automatically generated passphrase only changes if the AP device is reset to factory-default settings.

Automatically generated AP passphrases cannot be restored. If data is lost on the Firebox that manages your AP devices, you might lose access to your AP devices. Automatic AP passphrase management is supported for FireClusters on Fireware v11.12.4 or higher.

To enable automatic passphrase management, clear the Use a manual global passphrase instead of automatically-generated unique passphrases for WatchGuard AP Devices check box to disable the manual passphrase.

To show the automatically generated passphrase for an AP device, from the Gateway Wireless Controller Dashboard page or Firebox System Manager Gateway Wireless Controller tab:

  1. Select the Access Points tab.
  2. Select an AP device.
  3. Click Action.
  4. Select Show Password.

Enable Automatic AP Device Firmware Updates

The Gateway Wireless Controller can automatically update the firmware on WatchGuard AP devices when a new version is available. The default setting enables the Gateway Wireless Controller to automatically update the firmware on all paired AP devices.

Automatic AP device firmware upgrades occur from 00:00 (midnight) to 04:00 at the local time of the Firebox. If your Firebox is paired with more than one AP device, the Gateway Wireless Controller automatically updates the AP devices one at a time. The Gateway Wireless Controller updates one AP device every five minutes.

To disable automatic AP firmware updates:

Clear the Automatically update WatchGuard AP firmware when a new version is available on the Firebox device check box.

If you disable automatic firmware updates, you can manually update the firmware for each AP device. For more information, see Update AP Device Firmware on the Gateway Wireless Controller.

Configure Syslog Settings

By default, each AP device automatically stores recent syslog log messages locally. You can see the syslog messages stored on each AP device. For more information about how to see syslog messages for an AP device, see Monitor Wireless Connections (Gateway Wireless Controller)

You can also configure all your AP devices to send syslog messages to the same external syslog server. When you configure the syslog server in the Gateway Wireless Controller settings, all paired AP devices send syslog messages to the specified server.

External syslog support is not available for AP120, AP320, AP322, and AP420 devices.

Before you configure the Gateway Wireless Controller settings for an external syslog server, make sure the syslog server you specify is set up and your AP devices can connect to the IP address of the syslog server.

To configure your AP devices to send log messages to an external syslog server:

  1. Select the Send WatchGuard AP log messages to a syslog server check box.
  2. In the Syslog server IP address text box, type the IP address of the syslog server.

Enable Logging For Reports

Enable this option to generate log messages of wireless events for reports.

These events include:

  • AP device discovery
  • AP device status updates
  • AP device reboot, online, offline, pairing and unpairing events
  • AP device configuration changes
  • AP device firmware version updates
  • Detection of rogue access points

Enable Management VLAN Tagging

You can optionally use a tagged VLAN for management connections to the AP device. You can enable VLAN tagging for each AP device in the configuration for each AP device, or you can enable it in the Gateway Wireless Controller settings. If you want to use the same management VLAN ID for all paired access points, it might be most convenient to set the VLAN ID in the Gateway Wireless Controller settings.

If you enable management VLAN tagging in the Gateway Wireless Controller settings, you do not need to enable management VLAN tagging individually for each AP device. The Firebox uses the management VLAN ID specified in the Gateway Wireless Controller settings for management traffic to all AP devices, if management VLAN tagging is not enabled in the AP device settings.

To enable management VLAN tagging for all AP devices:

  1. Select the Enable Management VLAN Tagging check box.
  2. In the Management VLAN ID text box, type the VLAN ID to use for management.
    This must be a VLAN that is configured for tagged traffic to the interface your AP devices connect to.

If you specify a management VLAN ID in the configuration settings for an AP device, the Firebox uses the VLAN ID configured for the AP device instead of the VLAN ID specified in the Gateway Wireless Controller settings.

Discovery Broadcasts

By default, the Gateway Wireless Controller uses a UDP broadcast on ports 2528 and 2529 on all networks to automatically discover connected AP devices and retrieve the current AP device status.

The Gateway Wireless Controller cannot automatically discover an AP device located somewhere on your network where it cannot receive the broadcast. In these types of deployments, you can instead connect to the AP device to configure the network settings, and then add the AP device to the Gateway Wireless Controller, with the same network settings.
For more information, see the manual AP device configuration topic in Configure AP Device Settings.

You can limit the networks that you use for AP discovery broadcasts, and you can also disable automatic discovery broadcasts. This is useful if you use the automatic deployment feature and need control over the networks that will allow AP devices to be automatically deployed. For more information on automatic deployment, see About AP Automatic Deployment.

To limit your discovery broadcast addresses:

  1. Select Only discover WatchGuard AP devices on these broadcast IP addresses.
  2. Click Add and specify a broadcast IP address for the network to use to deploy WatchGuard AP devices.
    You must add a valid broadcast address for your network.
    For example, if your trusted interface is configured as, the broadcast IP address is

To disable automatic discovery broadcasts:

  1. Select the Disable automatic discovery of WatchGuard AP devices check box.
  2. To manually discover unpaired AP devices, on the Gateway Wireless Controller Access Points page, click Refresh.

We recommend you do not disable discovery broadcasts in deployments where the IP address assigned to AP devices by DHCP can change (for example, non-fixed DHCP addresses). This can disrupt management communications between the AP devices and the Gateway Wireless Controller.

Advanced Deployment

You can deploy AP300 devices over-the-air without a cable connection to your network. When the network cable is disconnected, the AP device switches to client mode and associates to the nearest cabled AP device.

To enable wireless deployment, select the Enable deployment over wireless check box.

For more detailed information, see About AP Wireless Deployment.

Wireless Scan Interval

You can configure the interval for automatic wireless scans for AP device channel selection, wireless deployment maps, and rogue access point detection. The default is one hour.

To reduce wireless traffic and resource usage for wireless network scans you can increase the automatic scan interval.

Alarm Notifications

You can enable alarms to notify you when these wireless events occur:

  • Send alarm notification when an Access Point cannot be contacted — An AP device can be unexpectedly disconnected for many reasons, this includes network disruption or loss of power. Alarm notifications are not generated if the AP device is cannot be contacted because of a firmware upgrade or if the AP device is restarted by the administrator.
  • Send alarm notification when a Rogue Access Point is detected.

Notifications are also sent when the trust state of an AP device changes.

To configure your notifications, select the Notification tab in Fireware Web UI or click Notification in Policy Manager. For more information on notifications, see Set Logging and Notification Preferences.

Enable Scheduled Restarts

You can restart wireless services or reboot all of your AP devices at scheduled times on a daily or weekly basis. When you enable scheduled restarts, the AP devices managed by the Gateway Wireless Controller are restarted at intervals 90 seconds apart so they are not restarted at the same time.

To configure scheduled restarts:

  1. Select the Enabled Scheduled Restarts check box.
  2. Select Daily or a specific day of the week for a weekly restart.
  3. Set the time for the restart in 24-hour format (hh:mm).
  4. From the drop-down list, select an option:.
  • Reboot Access Point — Reboot the device. The configuration is not reloaded when you reboot a device.
  • Restart Wireless only — Restart the wireless interfaces, automatically update channel selection, and reload the device configuration. The device is not rebooted when you restart wireless.

Configure MAC Access Control

In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for your AP devices.

For more information, see Configure MAC Access Control.

See Also

Configure AP Device Radio Settings

Give Us Feedback     Get Support     All Product Documentation     Technical Search