About WatchGuard Wi-Fi Cloud

WatchGuard Wi-Fi Cloud is a powerful cloud-based enterprise wireless management solution for AP configuration, security, and monitoring.

You cannot manage WatchGuard Wi-Fi 6 APs (AP130, AP330, AP430CR, AP432) with a Gateway Wireless Controller on a Firebox or WatchGuard Wi-Fi Cloud. If you are looking for information about how to manage Wi-Fi 6 APs in WatchGuard Cloud, see About Wi-Fi in WatchGuard Cloud.

You can use WatchGuard Wi-Fi Cloud service to manage these AP models:

  • AP120
  • AP125
  • AP225W
  • AP320
  • AP322
  • AP325
  • AP327X
  • AP420

Manage APs with WatchGuard Wi-Fi Cloud

For information about how to use WatchGuard Wi-Fi Cloud to configure and manage APs, see the resources available on the WatchGuard Wi-Fi Cloud documentation page or see Wi-Fi Cloud Help.

To manage APs on your network with WatchGuard Wi-Fi Cloud, make sure that your APs have Internet connectivity and are able to communicate on HTTP TCP ports 80 and 443, and UDP port 3851 to connect to these domains. UDP port 3852 is also required if you have APs that run in Cloud Integration Point (CIP) mode.

  • *.cloudwifi.com
  • redirector.online.spectraguard.net

These policy and proxy settings can help you facilitate access to WatchGuard Wi-Fi Cloud:

WG-Cloud-Managed-WiFi Packet Filter Policy

To manage your APs with WatchGuard Wi-Fi Cloud, the APs must have Internet connectivity and must be able to communicate on HTTP TCP ports 80 and 443, and UDP port 3851 to connect to WatchGuard Wi-Fi Cloud services. UDP port 3852 is also required if you have APs that run in Cloud Integration Point (CIP) mode. The predefined WG-Cloud-Managed-WiFi packet filter policy that is available on your Firebox (Fireware OS v11.11.4 or higher) includes the required ports for WatchGuard Wi-Fi Cloud domains.

HTTP Proxy Exceptions

Domain names for WatchGuard Wi-Fi Cloud services are included by default in the HTTP Proxy Exceptions list on the Firebox. This prevents communications issues with cloud services and the HTTP Proxy when you connect from behind a Firebox. For more information, see HTTP-Proxy: Exceptions.

HTTPS Domain Name Rules

Domain names for WatchGuard Wi-Fi Cloud are included in the HTTPS Proxy Domain Names list on the Firebox. This allows access to the domain and bypasses HTTPS content inspection to prevent communications issues with cloud services and the HTTPS Proxy when you are behind a Firebox. For more information, see HTTPS-Proxy: Domain Name Rules.

Blocked Site Exceptions

Domain names for WatchGuard Wi-Fi Cloud services are included by default in the Blocked Site Exceptions list on the Firebox. This prevents communications issues with cloud services when you connect from behind a Firebox. For more information, see Create Blocked Sites Exceptions.

Manage APs Locally with the Gateway Wireless Controller

If you do not use WatchGuard Wi-Fi Cloud, you can manage APs locally with the Gateway Wireless Controller on your Firebox.

Pair APs with the Gateway Wireless Controller

In their factory default state, APs first try to connect to WatchGuard Wi-Fi Cloud. If the AP is not activated and provisioned for cloud management, the AP continues to try to connect to cloud services for several minutes.

When the AP appears in the Unpaired Access Points section on the Gateway Wireless Controller Access Points page, you can pair the device with the Gateway Wireless Controller.

For information about device discovery and pairing, see WatchGuard AP Discovery and Pairing.

After you successfully pair the AP with the Gateway Wireless Controller, the AP does not try to connect to WatchGuard Wi-Fi Cloud again, unless you complete a factory reset of the AP.

Change a Cloud Managed AP to be Locally Managed by the Gateway Wireless Controller

For information about how to change a cloud managed AP to a locally managed device, see How to change a Total Wi-Fi or Secure Wi-Fi cloud-managed AP to a Basic Wi-Fi local-managed AP in the WatchGuard Knowledge Base.