AP Deployment Steps

Before you deploy WatchGuard APs on your network, you must research, design, and plan your wireless network deployment to make sure it meets your requirements for coverage, capacity and airtime demand, and security. For more information, see the Plan your Wireless AP Deployment section of this guide.

AP Deployment

When you add one or more WatchGuard APs to your network, you can manage and configure the APs from the Gateway Wireless Controller on your Firebox. You do not connect directly to the AP to configure it. The Gateway Wireless Controller on your Firebox manages the AP for you.

To deploy any AP on your Firebox network you must:

This AP Deployment Guide describes the basic steps necessary to deploy an AP on your network. For a more detailed description of the configuration settings, see the Fireware Help.

About Automatic Deployment

On wireless networks where you must deploy a large number of WatchGuard APs that will be assigned the same SSIDs and do not require unique configurations, you can enable automatic deployment on specific SSIDs. The Gateway Wireless Controller automatically deploys unpaired APs and configures them with the specified SSID.

For more information, see About AP Automatic Deployment in the Fireware Help.

Benefits of VLANs for Your AP

To deploy an AP on your network, you do not have to enable VLAN tagging. There are, however, several reasons you might want to enable VLAN tagging:

You want to configure different firewall policies for SSIDs that connect to the same network

If you configure more than one SSID for your APs, and you want to set different firewall policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN ID associated with each SSID in policies specific to each SSID.

For example, you could add a different HTTP policy for each SSID that specifies the VLAN associated with that SSID. This enables you to specify which users can connect to each SSID.

You want to separate the traffic on the same physical network to different logical networks.

If you have several APs connected to the same physical network, VLAN tagging gives you the ability to separately examine traffic for wireless clients connected to each SSID.

For example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the VLAN ID associated with an SSID.

Or, you might want to set up all of your APs with one SSID for the trusted network, and a different SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.

This topic provides a more detailed overview of the steps to deploy an AP without VLAN tagging. For more information about VLANs and for configuration examples, see the Fireware Help.
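The per-SSID traffic separation described above can be checked offline from captured frames. The following is an added example, not WatchGuard code: it reads the 802.1Q tag from raw Ethernet frames and counts traffic per SSID, and it reports untagged frames and VLAN IDs that are not mapped to any SSID. The VLAN IDs 10 and 20, the SSID names, and the sample frames are constructed assumptions.

```python
import struct
from collections import Counter

# Assumed VLAN-to-SSID mapping (hypothetical values); use the VLAN IDs set on your SSIDs.
VLAN_TO_SSID = {10: "Corp-Trusted", 20: "Guest-Optional"}
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged or too short."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q or len(frame) < 18:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VLAN ID; the top 4 are priority/DEI


def traffic_by_ssid(frames):
    """Count frames per SSID; untagged frames and unmapped VLANs are reported separately."""
    counts = Counter()
    for frame in frames:
        vid = vlan_id(frame)
        if vid is None:
            counts["untagged"] += 1
        else:
            counts[VLAN_TO_SSID.get(vid, f"unmapped VLAN {vid}")] += 1
    return dict(counts)


def make_frame(vid=None, payload=b"\x00" * 46):
    """Build a constructed sample frame (not captured traffic)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is not None:
        # Priority bits are set to 3 so the VLAN ID mask is actually exercised.
        header += struct.pack("!HH", TPID_8021Q, (3 << 13) | vid)
    return header + struct.pack("!H", 0x0800) + payload


# Constructed sample: two trusted frames, one guest, one unknown VLAN, one untagged.
SAMPLE_FRAMES = [make_frame(10), make_frame(10), make_frame(20), make_frame(99), make_frame()]

if __name__ == "__main__":
    for name, count in traffic_by_ssid(SAMPLE_FRAMES).items():
        print(f"{name}: {count}")
```

Frames counted as untagged or as an unmapped VLAN on a link where every SSID is tagged are worth a second look, because they fall outside the firewall policies written for each SSID's VLAN.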

Step 1 — Activate your AP

You must activate your AP with WatchGuard to enable your hardware replacement warranty, receive technical support, and get access to the latest OS updates and product news. You cannot manage the AP with the Gateway Wireless Controller until the AP is activated with a valid Basic Wi-Fi AP subscription and an AP feature key is downloaded to the Firebox.

You can activate the AP in your WatchGuard account just as you would activate a Firebox or add-on feature.

To activate your WatchGuard AP:

  1. Open a web browser and go to https://www.watchguard.com/activate.
  2. Log in with your WatchGuard account user name and password.
    If you are already logged in to your WatchGuard account, select My WatchGuard > Activate Products from the WatchGuard Support Center.
  3. Type the serial number of the WatchGuard AP. Make sure to include any hyphens.

Make sure the AP you want to activate has a Basic Wi-Fi subscription.

  4. Click Continue.
  5. Type a friendly name to identify your AP in your account.
  6. (Optional) Select free trials for your AP, if available.

After activation is complete, the AP appears in the Manage Products list in your WatchGuard account.

Step 2 — Enable the Gateway Wireless Controller on your Firebox

Before your Firebox can discover and manage your APs, you must enable the Gateway Wireless Controller.

  1. From Fireware Web UI, select Network > Gateway Wireless Controller.
  2. Select the Enable the Gateway Wireless Controller check box.
    The WatchGuard AP Passphrase dialog box appears.
  3. In the WatchGuard AP Passphrase text box, type the passphrase that you want all your APs to use after they are paired.
  4. Click OK.
  5. Save the Firebox configuration.

Step 3 — Connect the AP to your Network

You can connect the AP to a trusted, optional, or custom Firebox network. To allow the Gateway Wireless Controller to discover an AP on a custom zone network, you must modify the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom zone.

By default, the AP automatically requests an IP address from a DHCP server on the local network.

To assign a static IP address to the AP, see Configure AP Settings.

To configure a Firebox interface:

  1. From Fireware Web UI, select Network > Interfaces.
  2. Configure the Firebox interface as trusted, optional, or custom, and enable DHCP on that interface.
  3. Save the configuration.

Step 4 — Configure SSIDs

When you configure the SSID that your wireless users connect to, you must select a wireless security mode for the SSID. By default, the security mode for an SSID is set to WPA2 only.

To configure the SSIDs for your device:

  1. From Fireware Web UI, select Network > Gateway Wireless Controller.
  2. On the SSIDs tab, click Add.
    The Add SSID dialog box appears.
  3. In the Network Name (SSID) text box, type the SSID for the wireless network.
    The SSID is the network name wireless clients see when they connect to the AP.
  4. Select the Security tab.
  5. From the Security Mode drop-down list, select the wireless security mode. The default is WPA2 only (PSK).
  6. Configure the security settings for the selected security mode.
  7. Repeat these steps to create additional SSIDs.

Step 5 — Pair the AP with your Firebox

When you first connect the AP to your network, it is an unpaired Access Point.

To pair the AP to your Firebox:

  1. From Fireware Web UI, select Network > Gateway Wireless Controller.
  2. Select the Access Points tab.
  3. To start a scan for the unpaired APs in your area, click Refresh.
  4. From the Unpaired Access Points list, select the AP to pair.
  5. Click Pair.
  6. Click OK.

In their factory default state, APs first try to connect to WatchGuard Wi-Fi Cloud. If the AP is not activated and provisioned for cloud management, the AP continues to try to connect to cloud services for several minutes. When the AP appears in the Unpaired Access Points section on the Gateway Wireless Controller Access Points page, you can then pair the device with the Gateway Wireless Controller. If you want to change a previously cloud-managed AP to be a locally managed device, see How to change a Total Wi-Fi or Secure Wi-Fi cloud-managed AP to a Basic Wi-Fi local-managed AP.

Step 6 — Configure the AP Settings

The Edit Access Point dialog box automatically opens after you pair the AP. Select the Radio Settings tab to configure the radio settings to use for each radio on your AP.

To configure radio settings:

  1. From the Frequency Band drop-down list, select a band: 2.4 GHz or 5 GHz.
  2. From the Wireless Mode drop-down list, select the wireless mode to use for each radio. The available modes depend on the radio band:
    2.4 GHz band — 802.11 B, G, and N wireless modes
    5 GHz band — 802.11 A, N, and N/AC wireless modes
  3. (Optional) For each radio, select the Preferred Channel and Channel Width.
  4. (Optional) For each radio, select the Rate and Transmit Power.
    The rate limits the maximum data transfer rate per wireless client.
  5. Save the configuration.


Step 7 — Check the AP Status

To see the status of your paired APs:

  1. From Fireware Web UI, select Dashboard > Gateway Wireless Controller > Access Points.
  2. Verify that the AP status is Online.


If your AP status is Not Trusted, you must make sure this AP is a known AP in your deployment before you trust the device. For more information, see AP Trust Store in the Fireware Help.

To trust an AP:

  1. Select the AP.
  2. Click Action.
  3. Select Mark Trusted.