WatchGuard DNSWatch Integration with Wi-Fi Cloud

Deployment Overview

This document describes the steps to integrate WatchGuard DNSWatch with Wi-Fi Cloud.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard AP325
  • WatchGuard Wi-Fi Cloud Account
  • WatchGuard Firebox

Test Topology
Diagram of the test topology

DNSWatch Overview

DNSWatch is a cloud-based service that integrates with your Firebox. DNSWatch monitors DNS requests through the Firebox to prevent connections to known malicious domains. DNSWatch protects against malicious clickjacking and phishing domains regardless of the connection type, protocol or port.

You can integrate DNSWatch services on the Firebox with Wi-Fi Cloud to provide protection to your wireless clients that access your network through your APs. For more information on DNSWatch, see About DNSWatch.

About DNSWatch Enforcement

When you enable DNSWatch, you must select a usage enforcement option. For each Firebox interface, enforcement can be Enabled or Disabled. The Usage Enforcement setting controls which outbound DNS requests the Firebox redirects to the DNSWatch DNS server.

  • Enabled — the Firebox redirects all outbound DNS requests from that interface to the DNSWatch DNS servers, whatever DNS server the client has configured.
  • Disabled — the Firebox redirects outbound DNS requests from that interface to the DNSWatch DNS servers only when the DNS request is addressed to the Firebox itself (that is, when the Firebox is the client's configured DNS server). DNS requests sent to any other DNS server pass through unfiltered, so the clients must be given the DNSWatch servers directly.

Configure DNSWatch on a Firebox

WatchGuard DNSWatch is a subscription service on your Firebox. Before you can enable the DNSWatch feature and configure it on your Firebox, you must add a DNSWatch license to your Firebox feature key.

To enable DNSWatch on the Firebox:

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Subscription Services > DNSWatch.
  3. Select the Enable DNSWatch Service check box.
  4. From the Usage Enforcement drop-down list, select the type of usage enforcement for your deployment.

If Usage Enforcement is enabled, the Firebox enforces the use of the DNSWatch DNS servers regardless of the DNS configuration in Wi-Fi Cloud. If Usage Enforcement is disabled, you configure the DNSWatch servers in Wi-Fi Cloud so that wireless clients use them directly. For instructions, see Configure Wi-Fi Cloud with NAT when DNSWatch Usage Enforcement Disabled.

  5. Click Save.
  6. Make sure the Firebox successfully obtains the IP addresses of the DNS Servers and Blackhole Servers. Note the DNS Server addresses; you need them if you configure the DNSWatch servers in Wi-Fi Cloud.


Configure WatchGuard Wi-Fi Cloud to use DNSWatch

For more information on how to configure Wi-Fi Cloud and your APs, see the Wi-Fi Cloud Help.

Make sure your APs are connected to Wi-Fi Cloud and online before you configure DNSWatch integration.

Wi-Fi Cloud Configuration Options

There are three ways you can configure WatchGuard Wi-Fi Cloud to integrate with DNSWatch, depending on how you configure DNSWatch usage enforcement:

  • Configure Wi-Fi Cloud Manage with DNSWatch Usage Enforcement disabled
  • Configure Wi-Fi Cloud Manage with DNSWatch Usage Enforcement enabled
  • Configure Wi-Fi Cloud Go with DNSWatch Usage Enforcement enabled

If DNSWatch Usage Enforcement is disabled, you must use Manage instead of Go to configure Wi-Fi Cloud, because the DNSWatch server addresses are set in the NAT settings of the SSID profile, which you configure in Manage.

Configure Wi-Fi Cloud with NAT when DNSWatch Usage Enforcement Disabled

When DNSWatch Usage Enforcement is disabled on your Firebox, you can configure Wi-Fi Cloud to use DNSWatch servers for all wireless clients.

When you configure Wi-Fi Cloud SSIDs to use NAT, DNS server settings are configured through DHCP from the AP, and not your network DHCP server. You can configure the DHCP IP address range to use and the DNSWatch servers that will be used by your wireless clients.

  1. Log in to your WatchGuard Wi-Fi Cloud account.
  2. Open Manage.
  3. Select Configuration > Device Configuration > SSID Profiles.
  4. Select an SSID Profile.
  5. Expand the Network section.
  6. Select NAT.
  7. Type the Start IP Address, End IP Address, Local IP Address, and Subnet Mask for the IP address range you want to use.
  8. In the DNS Servers section, add the IP addresses of the DNSWatch DNS servers (displayed in your DNSWatch configuration on your Firebox). Do not add any other DNS server here: with Usage Enforcement disabled, a client that queries a non-DNSWatch server bypasses DNSWatch entirely.
  9. Click Save to save the SSID Profile configuration.
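Because the NAT SSID profile above is the only thing standing between the wireless client and an unfiltered DNS server when Usage Enforcement is disabled, it is worth checking the profile values before you save them. The following Python function is an added example written for this page, not part of the WatchGuard product or its documentation; it checks that the DHCP pool, Local IP Address and Subnet Mask are consistent and that every DNS server the AP will hand out is one of the DNSWatch servers you copied from the Firebox. The 192.168.100.0/24 pool and the 203.0.113.x server addresses in the usage are constructed placeholders, not real DNSWatch addresses.

```python
import ipaddress
from typing import List


def validate_nat_ssid_profile(start_ip: str, end_ip: str, local_ip: str,
                              subnet_mask: str, dns_servers: List[str],
                              dnswatch_servers: List[str]) -> List[str]:
    """Return a list of problems found in an SSID profile's NAT settings.

    An empty list means the DHCP pool is consistent with the Local IP Address
    and Subnet Mask, and every DNS server the AP hands out is one of the
    DNSWatch DNS servers shown on the Firebox (dnswatch_servers).
    """
    problems: List[str] = []
    try:
        # ip_network accepts a dotted netmask; strict=False keeps host bits.
        net = ipaddress.ip_network(f"{local_ip}/{subnet_mask}", strict=False)
        start = ipaddress.ip_address(start_ip)
        end = ipaddress.ip_address(end_ip)
        local = ipaddress.ip_address(local_ip)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    if len({start.version, end.version, local.version}) != 1:
        return ["Start, End and Local IP Addresses must be the same IP version"]

    # DHCP pool checks.
    if start > end:
        problems.append("Start IP Address is higher than End IP Address")
    for label, addr in (("Start IP Address", start), ("End IP Address", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if local in (net.network_address, net.broadcast_address):
        problems.append(f"Local IP Address {local} is the network or broadcast address")
    if start <= local <= end:
        problems.append(f"Local IP Address {local} lies inside the DHCP pool")

    # DNS checks: every server the AP hands out must be a DNSWatch server.
    expected = {str(ipaddress.ip_address(s)) for s in dnswatch_servers}
    if not dns_servers:
        problems.append("no DNS servers configured; clients cannot resolve names")
    for s in dns_servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            problems.append(f"DNS server {s!r} is not a valid IP address")
            continue
        if str(addr) not in expected:
            problems.append(f"DNS server {addr} is not a DNSWatch server; "
                            "clients using it bypass DNSWatch")
    return problems


if __name__ == "__main__":
    # Constructed values: a /24 NAT pool and placeholder DNSWatch addresses.
    dnswatch = ["203.0.113.10", "203.0.113.11"]
    for problem in validate_nat_ssid_profile("192.168.100.10", "192.168.100.200",
                                             "192.168.100.1", "255.255.255.0",
                                             ["203.0.113.10", "8.8.8.8"], dnswatch):
        print("problem:", problem)
```

Run it with the values you intend to type into the SSID Profile; any line starting with "problem:" should be fixed before you click Save.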


Configure Wi-Fi Cloud with Bridged Mode when DNSWatch Usage Enforcement Enabled

When DNSWatch Usage Enforcement is enabled on your Firebox, you can configure Wi-Fi Cloud SSIDs with the default bridged mode so that all wireless clients will receive their IP addresses from your network DHCP server and use DNSWatch servers as configured by your Firebox.

  1. Log in to your WatchGuard Wi-Fi Cloud account.
  2. Open Manage.
  3. Select Configuration > Device Configuration > SSID Profiles.
  4. Select an SSID Profile.
  5. Expand the Network section.
  6. Make sure Bridged is selected.
  7. Click Save to save the SSID Profile.


Configure Wi-Fi Cloud with Go when DNSWatch Usage Enforcement Enabled

Go is a mobile-optimized app for basic wireless network setup and configuration. Go enables you to quickly create a wireless network with basic security features from your computer or mobile device.

When DNSWatch Usage Enforcement is enabled on your Firebox, you can configure Wi-Fi network SSIDs with Go and all wireless clients will receive their IP addresses from your network DHCP server and use DNSWatch servers as configured by your Firebox.

  1. Log in to your WatchGuard Wi-Fi Cloud account.
  2. Open the Go app.
  3. Click Get Started.
  4. Click Add WiFi Network.
  5. From the Basic section, select the Private tab.
  6. Type a WiFi Network Name.
  7. From the Security drop-down list, select a security type.
  8. Type a Password for the security type you selected.


  9. Click Save.
  10. From the Wi-Fi Networks list, select ON for the Wi-Fi network you created for DNSWatch.


Test DNSWatch Integration

To test the DNSWatch integration:

  1. Connect a wireless client to the SSID that is configured for DNSWatch.
  2. Make sure the client can visit Internet sites, and that its name resolution goes through the DNSWatch DNS servers.

For example, from a Windows laptop client, open a command prompt and run ipconfig /all to display the DNS servers in use by the client. On an SSID configured with NAT and Usage Enforcement disabled, the DNS servers listed for the wireless adapter should be exactly the DNSWatch server addresses shown in the DNSWatch configuration on your Firebox; any other DNS server in that list lets the client bypass DNSWatch. On a bridged SSID with Usage Enforcement enabled, the client still lists the DNS servers it received from your network DHCP server, because the Firebox redirects those requests to DNSWatch transparently; in that case, verify the redirection on the Firebox rather than from the client.
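Reading the DNS Servers field out of ipconfig /all by eye is error-prone, because a second DNS server is printed on an indented continuation line with no label. The following Python script is an added example written for this page, not part of the WatchGuard product or its documentation; it parses ipconfig /all output, collects the DNS servers of every wireless adapter, and compares them with the DNSWatch server addresses from the Firebox, reporting both unexpected servers (a bypass path) and missing ones. The embedded ipconfig output is a constructed sample, and the 203.0.113.x addresses are placeholders, not real DNSWatch servers.

```python
import ipaddress
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of abbreviated `ipconfig /all` output from a Windows
# client on a NAT SSID (placeholder addresses, not real DNSWatch servers).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : example.local
   Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
"""

# A field line is indented exactly three spaces: "Key . . . . : value".
# Continuation values (second DNS server, IPv6 addresses) are indented further
# and carry no key, so they do not match this pattern.
FIELD_RE = re.compile(r"^ {3}([A-Za-z][^:]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse ipconfig /all output into {adapter: {field: [values]}}."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    adapter = key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            adapter = line[:-1]            # e.g. "Wireless LAN adapter Wi-Fi"
            adapters[adapter] = {}
            key = None
            continue
        if adapter is None:
            continue                       # global header lines (Host Name, ...)
        match = FIELD_RE.match(line)
        if match:
            key = match.group(1).strip()
            values = adapters[adapter].setdefault(key, [])
            if match.group(2).strip():
                values.append(match.group(2).strip())
        elif key is not None:
            adapters[adapter][key].append(line.strip())   # continuation line
    return adapters


def dns_servers(adapters: Dict[str, Dict[str, List[str]]],
                adapter_prefix: str = "Wireless LAN adapter") -> List[str]:
    """Return the DNS server addresses of every adapter whose name matches."""
    servers: List[str] = []
    for name, fields in adapters.items():
        if not name.startswith(adapter_prefix):
            continue
        for value in fields.get("DNS Servers", []):
            try:
                servers.append(str(ipaddress.ip_address(value)))
            except ValueError:
                pass                       # ignore non-address text
    return servers


def check_dnswatch_servers(ipconfig_text: str,
                           dnswatch_servers: List[str]) -> Tuple[bool, List[str], List[str]]:
    """Compare the client's wireless DNS servers with the DNSWatch servers.

    Returns (ok, unexpected, missing). ok is True only when the client uses
    exactly the DNSWatch servers: an unexpected server is a bypass path and a
    missing one means DNSWatch is not fully in use.
    """
    expected = {str(ipaddress.ip_address(s)) for s in dnswatch_servers}
    seen = dns_servers(parse_ipconfig(ipconfig_text))
    unexpected = [s for s in seen if s not in expected]
    missing = sorted(expected - set(seen))
    return (bool(seen) and not unexpected and not missing, unexpected, missing)


if __name__ == "__main__":
    # Usage on the client: python check_dnswatch.py <DNSWatch server IP> ...
    text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                          text=True, check=True).stdout
    ok, unexpected, missing = check_dnswatch_servers(text, sys.argv[1:])
    print("DNSWatch in use" if ok else f"NOT ok: unexpected={unexpected} missing={missing}")
```

Pass the DNSWatch DNS server addresses from the Firebox as arguments; the script exits with a verdict for the wireless adapter only, so a wired adapter on the same laptop does not skew the result.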
