Configure a Hotspot

To give Internet access to your guests or customers, you can enable a hotspot on any trusted, optional, or custom Firebox interface. You can configure a hotspot for connections to wireless or wired interfaces on your Firebox, and you can enable different hotspots for different interfaces.

To use your hotspot, a guest user must open a browser while connected to the network that has the hotspot enabled. When the user tries to browse to the Internet, the custom hotspot page appears in the browser. To use the hotspot, the user must accept the specified terms and conditions.

You can also configure the hotspot to require user authentication. When you enable this option, guests must authenticate before they can connect to the Internet. If your Firebox runs Fireware OS v11.12 or higher, you can create a Walled Garden. A Walled Garden is a list of IP addresses, IP ranges, networks, and domain names your guests can connect to before they authenticate. For example, you can allow guests to connect to you company website before they authenticate.

If your hotspot requires authentication, you must create a Guest Administrator user account. The Guest Administrator logs in to the WatchGuard Guest Administrator Portal to create and manage temporary hotspot user accounts and print hotspot credentials for guests.

If your Firebox runs Fireware v11.11 and lower, you can enable only one hotspot on one interface on your Firebox. Multiple hotspots are only supported in versions higher than v11.11. The configuration settings in lower versions of Fireware appear different, but the configuration settings are the same as for a single hotspot in higher versions of Fireware.

To configure the hotspot settings from Fireware Web UI, select Authentication > Hotspot.
The Hotspots page appears with the Hotspots tab selected.

Screen shot of the Hotspots page in Fireware Web UI

To configure hotspot settings from Policy Manager, select Setup > Authentication > Hotspot.
The Hotspot Configuration dialog box appears with the Hotspots tab selected.

Screen shot of the Hotspot Configuration dialog box in Policy Manager

The Hotspots configuration has three tabs:

  • Hotspots — Configure hotspots, assign hotspots to interfaces, create an Authentication list, and manage Guest Administrator accounts
  • External Guest Authentication — Configure a hotspot that authenticates guests to an external web server, and create a Walled Garden
  • Settings — Configure settings that apply to all hotspots

Configure Hotspots

On the Hotspots tab, you can add, edit, or remove a hotspot. You can also assign a hotspot to an interface and manage Guest Administrator accounts. You can add more than one hotspot, and specify different authentication requirements and hotspot page settings for each hotspot. You must add a hotspot before you can enable it for an interface. If a hotspot requires authentication, you must also add at least one Guest Administrator account to create and manage user accounts.

In Fireware v11.12 through v11.12.4, the Walled Garden list was called Authentication Exceptions.

Add a Hotspot

Edit a Hotspot

If you change hotspot authentication settings, all existing guest user accounts for that hotspot are removed.

Remove a Hotspot

If you remove a hotspot:, all existing guest user accounts for that hotspot are removed, and any interfaces that used the hotspot no longer have a hotspot enabled.

Enable a Hotspot for an Interface

After you add a hotspot, you can enable it for one or more interfaces. When you enable a hotspot for an interface, the hotspot is enabled for all connections (both wired and wireless) to that interface.

To enable a hotspot for connections to a WatchGuard AP device, the interface you enable the hotspot on depends on the SSID configuration. If the AP device SSID uses VLAN tagging, enable the hotspot for the VLAN interface that corresponds to the VLAN ID in the SSID. If the AP device SSID does not use VLAN tagging, enable the hotspot for the Firebox interfaces that all AP devices that use this SSID connect to.

When you enable hotspots for one or more interfaces, the Allow Hotspot-Users policy is automatically created in the Firebox configuration file. This policy allows outbound connections from all interfaces that have a hotspot enabled.

Manage Guest Administrator User Accounts

If you add a hotspot that requires authentication, you must add at least one Guest Administrator. A Guest Administrator is a user account on your Firebox that has privileges to connect to the Guest Administration Portal on the Firebox and manage the list of guest user accounts that can connect to your hotspots.

You can manage Guest Administrator user accounts directly from the Hotspots tab. Or, you can manage Guest Administrator user accounts from the Users and Roles list on the Firebox. The instructions in this topic describe how to manage Guest Administrator user accounts from the Hotspots configuration. For information about how to manage Guest Administrator user accounts from the Users and Roles list that includes all administrative user accounts, go to Manage Users and Roles on Your Firebox.

Add a Guest Administrator Account

Edit a Guest Administrator User Account

When you edit a Guest Administrator user account, you can disable the user account, or change the passphrase only for users defined in the Firebox-DB authentication server. You cannot change the user name or the authentication server. To change the user name or the authentication server specified for a user account, you must remove the user from the Guest Administrators list in Fireware Web UI or from the Manage Users and Roles list in Policy Manager, and then add the user account again with the correct settings.

Remove a Guest Administrator User Account

Enable External Guest Authentication

On the External Guest Authentication tab, you can configure one External Guest Authentication hotspot, which uses an external web server for hotspot user authentication.

When a user connects to the External Guest Authentication hotspot, the Firebox redirects the user to a page on an external web server. The external web server can perform user authentication, or collect information from hotspot users. After the hotspot user attempts to authenticate, the external web server sends the Firebox a result that indicates whether to allow the user to use the hotspot.

For more information, go to Configure an External Guest Authentication Hotspot.

Configure Hotspot Global Settings

On the Settings tab, you can configure settings that apply to all hotspots. These include settings for the maximum number of accounts a Guest Administrator can add, and user session timeout settings.

For more information, go to Configure Hotspot Global Settings

Related Topics

Configure Hotspot Settings

Connect to a Hotspot

See Hotspot Connections