WatchGuard DNSWatch Integration with Wi-Fi Cloud and a Firebox

Deployment Overview

This document describes the steps to integrate WatchGuard DNSWatch with Wi-Fi Cloud and a Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard AP325
  • WatchGuard Wi-Fi Cloud Account
  • WatchGuard Firebox

Test Topology
Diagram of network flow for AP and SecureW2 authentication

DNSWatch Overview

DNSWatch is a cloud-based service that integrates with your Firebox. DNSWatch monitors DNS requests through the Firebox to prevent connections to known malicious domains. DNSWatch protects against malicious clickjacking and phishing domains regardless of the connection type, protocol or port.

You can integrate DNSWatch services on the Firebox with Wi-Fi Cloud to provide protection to your wireless clients that access your network through your APs. For more information on DNSWatch, see About DNSWatch.

If you do not have a WatchGuard Firebox, you can still use DNSWatch services with DNSWatchGO and Protected Networks. For more information, see Configure Wi-Fi Cloud to use DNSWatchGO.

About DNSWatch Enforcement

When you enable DNSWatch, you must select a usage enforcement option. For each Firebox interface, enforcement can be Enabled or Disabled. The Usage Enforcement setting controls which outbound DNS requests the Firebox redirects to the DNSWatch DNS server.

  • Enabled — the Firebox redirects all outbound DNS requests to DNSWatch DNS servers.
    You can enforce DNSWatch on all Trusted, Optional, and Custom interfaces, or enforce only on the interfaces you select.
  • Disabled — the Firebox redirects outbound DNS requests from that interface to DNSWatch DNS servers only when the DNS request is addressed to the Firebox.

For most networks, we recommend that you enable enforcement on all Firebox interfaces.

DNSWatch Servers

WatchGuard hosts DNSWatch DNS servers in these regions:

  • North America (US East) — 54.174.40.213, 52.3.100.184
  • EU (Ireland) — 34.240.115.208, 34.251.171.117
  • APAC (Japan) — 54.199.61.196, 176.34.8.52
  • APAC (Sydney) — 13.237.104.38, 13.237.109.176

Configure DNSWatch on a Firebox

WatchGuard DNSWatch is a subscription service on your Firebox. Before you can enable the DNSWatch feature and configure it on your Firebox, you must add a DNSWatch license to your Firebox feature key.

To enable DNSWatch on the Firebox:

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Subscription Services > DNSWatch.
  3. Select the Enable DNSWatch Service check box.
  4. From the Usage Enforcement drop-down list, select the type of usage enforcement for your deployment.

For most networks, we recommend that you enable enforcement on all Firebox interfaces.

If Usage Enforcement is enabled, the Firebox enforces the use of the DNSWatch DNS servers regardless of the DNS settings in Wi-Fi Cloud. To make sure your Wi-Fi Cloud configuration uses the default bridged configuration, see Configure Wi-Fi Cloud with Default Bridged Mode when DNSWatch Usage Enforcement Enabled.

If Usage Enforcement is disabled, you can configure DNSWatch servers in Wi-Fi Cloud. For instructions, see Configure Wi-Fi Cloud with NAT when DNSWatch Usage Enforcement Disabled.

  5. Click Save.
  6. Make sure the Firebox successfully obtains the IP addresses for the DNS Servers and Blackhole Servers.

Screen shot of the SecureW2 Add RADIUS Profile settings

WatchGuard Wi-Fi Cloud Basic Configuration

For detailed information on WatchGuard Wi-Fi Cloud AP deployment, see the Getting Started Guide.

These instructions use the Discover application for the Wi-Fi Cloud configuration.

Wi-Fi Cloud Configuration Options

There are two ways you can configure WatchGuard Wi-Fi Cloud to integrate with DNSWatch depending on how you configure DNSWatch usage enforcement:

  • Configure Wi-Fi Cloud when DNSWatch Usage Enforcement is enabled
  • Configure Wi-Fi Cloud when DNSWatch Usage Enforcement is disabled

Configure Wi-Fi Cloud with Default Bridged Mode when DNSWatch Usage Enforcement Enabled

When DNSWatch Usage Enforcement is enabled on your Firebox, you can configure Wi-Fi Cloud SSIDs with the default bridged mode so that all wireless clients will receive their IP addresses from your network DHCP server and use DNSWatch servers as configured by your Firebox.

  1. Log in to your WatchGuard Wi-Fi Cloud account.
  2. Open Discover.
  3. Select the top-level location where you have configured your SSID.
  4. Select Configure > WiFi, then select the SSID tab.
  5. Edit the SSID Profile.
  6. Select the Network tab.
  7. Make sure Bridged is selected (the default setting).
  8. Click Save if you changed the SSID Profile.

Screen shot of the Bridged settings in an SSID in Discover for DNSWatch

Configure Wi-Fi Cloud with NAT when DNSWatch Usage Enforcement Disabled

When DNSWatch Usage Enforcement is disabled on your Firebox, you can configure Wi-Fi Cloud to use DNSWatch servers for all wireless clients.

When you configure Wi-Fi Cloud SSIDs to use NAT, DNS server settings are configured through DHCP from the AP, and not your network DHCP server. You can configure the DHCP IP address range to use and the DNSWatch servers that will be used by your wireless clients.

  1. Log in to your WatchGuard Wi-Fi Cloud account.
  2. Open Discover.
  3. Select the top-level location where you have configured your SSID.
  4. Select Configure > WiFi, then select the SSID tab.
  5. Edit the SSID Profile.
  6. Select the Network tab.
  7. Select NAT.
  8. Type the Start IP Address, End IP Address, Local IP Address, and Subnet Mask for the IP address range you want to use.
  9. Add the IP address of the DNSWatch DNS servers (displayed in your DNSWatch configuration on your Firebox) in the DNS Servers section.
  10. Click Save to save the SSID Profile configuration.

Screen shot of the NAT settings in an SSID in Discover for DNSWatch

Test DNSWatch Integration

To test the DNSWatch integration:

  1. Connect a wireless client to the wireless SSID that is configured for DNSWatch.
  2. Make sure the client can visit Internet sites using the DNSWatch DNS server.

For example, from a Windows laptop client, you can open a command line and use the command ipconfig /all to display the IP address of the DNS Servers in use by the client.
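The following script is an added example and is not WatchGuard code. It serves two passages above: the NAT SSID procedure (Start IP Address, End IP Address, Local IP Address, Subnet Mask, and DNS Servers fields) and the integration test (reading the DNS servers a Windows client reports in ipconfig /all). The DNSWatch server addresses are the ones listed in the DNSWatch Servers section; the function names, the sample SSID values and the ipconfig /all output are constructed for illustration and are assumptions, not values from a real deployment.

```python
"""
Added example (not WatchGuard code): two sanity checks for a DNSWatch deployment.

  validate_nat_ssid()        - checks that a NAT SSID profile (fields named as in the
                               Discover NAT settings) is consistent and points only
                               at DNSWatch servers.
  client_dns_report()        - parses `ipconfig /all` output from a Windows client and
                               maps each DNS server it uses to a DNSWatch region.

SAMPLE_IPCONFIG below is constructed sample text, not a real capture.
"""
import ipaddress
import re

# DNSWatch DNS servers by region, as listed in this document.
DNSWATCH_SERVERS = {
    "North America (US East)": {"54.174.40.213", "52.3.100.184"},
    "EU (Ireland)": {"34.240.115.208", "34.251.171.117"},
    "APAC (Japan)": {"54.199.61.196", "176.34.8.52"},
    "APAC (Sydney)": {"13.237.104.38", "13.237.109.176"},
}


def dnswatch_region(ip):
    """Return the DNSWatch region for an IP address, or None if it is not a DNSWatch server."""
    for region, servers in DNSWATCH_SERVERS.items():
        if ip in servers:
            return region
    return None


def validate_nat_ssid(start_ip, end_ip, local_ip, subnet_mask, dns_servers):
    """Return a list of problems with a NAT SSID profile; an empty list means it is consistent."""
    problems = []
    network = ipaddress.ip_network(f"{local_ip}/{subnet_mask}", strict=False)
    start, end, local = (ipaddress.ip_address(x) for x in (start_ip, end_ip, local_ip))
    if start > end:
        problems.append("Start IP Address is after End IP Address")
    for name, addr in (("Start", start), ("End", end)):
        if addr not in network:
            problems.append(f"{name} IP Address {addr} is outside {network}")
    if start <= local <= end:
        problems.append("Local IP Address lies inside the DHCP pool handed to clients")
    if not dns_servers:
        problems.append("no DNS Servers configured; clients will not use DNSWatch")
    for ip in dns_servers:
        if dnswatch_region(ip) is None:
            problems.append(f"DNS server {ip} is not a DNSWatch server")
    return problems


# An ipconfig /all field line: indented name, dot leaders, a colon, then the value.
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)\s*(?:\.\s*)+:\s*(.*)$")


def dns_servers_from_ipconfig(text):
    """Parse `ipconfig /all` output and return {adapter name: [DNS server, ...]}."""
    result = {}
    adapter = None
    in_dns = False  # True while reading continuation lines of the DNS Servers field
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not line[0].isspace() and stripped.endswith(":"):
            adapter = stripped[:-1]  # e.g. "Wireless LAN adapter Wi-Fi"
            result[adapter] = []
            in_dns = False
            continue
        field = FIELD.match(line)
        if field:
            in_dns = field.group(1).strip() == "DNS Servers"
            if in_dns and adapter is not None and field.group(2).strip():
                result[adapter].append(field.group(2).strip())
            continue
        # Extra DNS servers appear on indented lines with no field name.
        if in_dns and adapter is not None and stripped:
            result[adapter].append(stripped)
    return result


def client_dns_report(text):
    """For each adapter with DNS servers, map each server to its DNSWatch region (None = not DNSWatch)."""
    report = {}
    for adapter, servers in dns_servers_from_ipconfig(text).items():
        if servers:
            report[adapter] = {s: dnswatch_region(s) for s in servers}
    return report


# Constructed sample output in the shape of `ipconfig /all`; not a real capture.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP01
   Primary Dns Suffix  . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.20.35(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1
   DNS Servers . . . . . . . . . . . : 54.174.40.213
                                       52.3.100.184
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    # Constructed NAT SSID values for illustration.
    print(validate_nat_ssid("192.168.50.10", "192.168.50.200", "192.168.50.1",
                            "255.255.255.0", ["54.174.40.213", "52.3.100.184"]))
    print(client_dns_report(SAMPLE_IPCONFIG))
```

On a real client, paste the actual ipconfig /all output into client_dns_report(); any server that maps to None is not a DNSWatch server, which usually means the SSID is still handing out your network DHCP server's DNS settings while Usage Enforcement is disabled on the Firebox.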