WatchGuard AP Discovery and Pairing

Before you can manage a WatchGuard AP with the Gateway Wireless Controller, the AP must be activated on your WatchGuard account and an AP feature key downloaded to the Gateway Wireless Controller. To activate your AP, see About AP Activation.

For more information on AP licensing, see About Gateway Wireless Controller AP Licenses.

After the AP is activated, you must pair the AP with the Gateway Wireless Controller. This ensures that no one can add an unauthorized WatchGuard AP to your network. The Gateway Wireless Controller will not manage, configure, or monitor an AP until it is activated and paired.

In their factory default state, APs first try to connect to WatchGuard Wi-Fi Cloud. If the AP is not activated and provisioned for cloud management, the AP continues to try to connect to cloud services for several minutes. When the AP appears in the Unpaired Access Points section on the Gateway Wireless Controller Access Points page, you can then pair the device with the Gateway Wireless Controller. If you want to change a previously cloud-managed AP to be a locally managed device, see How to change a Total Wi-Fi or Secure Wi-Fi cloud-managed AP to a Basic Wi-Fi local-managed AP.

About Discovery Broadcasts

The Gateway Wireless Controller sends a UDP broadcast on port 2528 on all networks to automatically discover connected APs.

WatchGuard APs respond to the discovery broadcast with a unicast packet to the Gateway Wireless Controller on port UDP 2529.

When you enable the Gateway Wireless Controller, a WG-Gateway-Wireless-Controller policy is automatically added to the Firebox configuration. This policy allows traffic from the trusted and optional networks to the Firebox over UDP port 2529 for AP management. The Firebox uses a secure SSH connection to manage APs with the Gateway Wireless Controller.

You can limit the networks for AP discovery broadcasts. This is useful if you use the automatic deployment feature and want control over which networks allow APs to be automatically deployed. For more information on how to configure discovery broadcasts, see Configure Gateway Wireless Controller Settings.

The AP receives the broadcast message and sends a response. When the Firebox receives a response from an unpaired AP, the discovered AP appears in the Unpaired Access Points list in the Gateway Wireless Controller.

The Gateway Wireless Controller cannot automatically discover an AP located somewhere on your network where the AP cannot receive the broadcast. For example:

  • The Firebox and the AP are separated by a Layer 3 switch or router
  • The Firebox and the AP are separated by a Branch Office VPN

For the Firebox to discover an AP, the network between the AP and the Firebox must include a route for the traffic between the two devices.

You can set up a new AP in the local broadcast network of the Firebox to allow for discovery and pairing. When the AP is paired to the Gateway Wireless Controller and is configured for your deployment, you can then move the AP to the new network location.

To continue to manage the AP in the new location, the AP must be able to connect to the Firebox that hosts the Gateway Wireless Controller over port UDP 2529. The packet filter policy WG-Gateway-Wireless-Controller is used to handle this traffic and is added automatically when you enabled the Gateway Wireless Controller.

About Automatic Deployment

You can enable automatic deployment on specific SSIDs so that unpaired APs are automatically deployed by the Gateway Wireless Controller and configured with the specified SSID.

This is useful in these deployment scenarios to automatically configure new APs:

  • If you need to deploy a large number of WatchGuard APs in your wireless network, and all the APs will be assigned the same SSIDs and do not require unique configurations.

  • If you want to add new APs to your deployment or replace existing device hardware with a new model, you can automatically configure the AP with your existing SSID configuration.

When you enable Automatic Deployment, the Gateway Wireless Controller can automatically configure a new unpaired AP. When you connect an unpaired AP to your network, GWC automatically configures it with specific SSIDs you specify. APs configured with automatic deployment are managed by the GWC the same way as paired devices.

An AP automatically deployed by the GWC is configured with the automatic deployment SSID settings, which include security, encryption, and other SSID specific settings. All other AP settings, such as radio settings, are set to default values.

For more information, see About AP Automatic Deployment.

Connect the AP

You must connect your AP to a trusted, optional, or custom Firebox network.

To allow the Gateway Wireless Controller to discover an AP on a custom zone network, you must modify the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom zone. For more information on the custom zone, see Configure a Custom Interface.

If you connect the AP to a VLAN interface, make sure that you configure that interface to handle untagged VLAN traffic. An unpaired AP cannot accept tagged VLAN traffic.

By default, the AP is configured to use DHCP to get an IP address. Make sure that you enable the DHCP Server for the Firebox interface that connects to the AP, so that the AP can get an IP address.

Pair the AP to the Firebox

Use the Gateway Wireless Controller to discover the unpaired AP and pair it to the Firebox.

When an AP is started with factory default settings, it can take several minutes for it to be discovered by the Gateway Wireless Controller.

For information about how to monitor the status of your APs, see Monitor AP Status.

For information about how to unpair an AP, see Unpair an AP.

If your AP is correctly connected but cannot be discovered, it might be necessary to reset the AP to factory default settings. For more information, see Reset a WatchGuard AP .