Configure Gateway Wireless Controller Settings

The Gateway Wireless Controller includes settings that apply to all APs. These settings include:

  • Enable or disable the Gateway Wireless Controller
  • AP passphrase
  • Firmware updates
  • Syslog server settings
  • Alarms and notification settings
  • Communication VLAN tagging
  • Bridge LAN ports
  • Discovery broadcasts
  • Scan interval
  • Alarms
  • AP feature key synchronization
  • Reboot schedule
  • MAC access control

Configure Access Point Settings

You can configure the Access Point settings in the Gateway Wireless Controller.

Enable the Gateway Wireless Controller

Select the Enable the Gateway Wireless Controller check box to enable the Gateway Wireless Controller on this Firebox. You cannot pair, configure, or monitor APs until you enable the Gateway Wireless Controller.

Clear the check box to disable the Gateway Wireless Controller on this Firebox. When you disable the Gateway Wireless Controller, currently connected APs will continue to function until they receive a configuration update from the Firebox. To force connected APs to update their configuration, you must reboot each AP.

AP Configuration Passphrase

The AP configuration passphrase is used for all WatchGuard APs after they are paired with your Firebox. The Gateway Wireless Controller uses this passphrase to establish connections between the Firebox and the paired APs. You set the passphrase when you enable the Gateway Wireless Controller.

To change the passphrase:

  1. In the AP Configuration Passphrase text box, type the passphrase to use for management of all APs.
    The passphrase must be a minimum of 8 characters.
  2. To see the passphrase you typed, select Show passphrase.

Automatic AP Passphrase Management

(Fireware v12.0.2 or lower)

The Gateway Wireless Controller can automatically create and manage unique, random passphrases for each AP. The automatically generated passphrase only changes if the AP is reset to factory-default settings.

Automatically generated AP passphrases cannot be restored. If data is lost on the Firebox that manages your APs, you might lose access to your APs. Automatic AP passphrase management is supported for FireClusters on Fireware v11.12.4 or higher.

To enable automatic passphrase management, clear the Use a manual global passphrase instead of automatically-generated unique passphrases for WatchGuard AP Devices check box to disable the manual passphrase.

To show the automatically generated passphrase for an AP, from the Gateway Wireless Controller Dashboard page or Firebox System Manager Gateway Wireless Controller tab:

  1. Select the Access Points tab.
  2. Select an AP.
  3. Click Action.
  4. Select Show Password.

Enable Automatic AP Firmware Updates

The Gateway Wireless Controller can automatically update the firmware on WatchGuard APs when a new version is available. The default setting enables the Gateway Wireless Controller to automatically update the firmware on all paired APs.

Automatic AP firmware upgrades occur from 00:00 (midnight) to 04:00 at the local time of the Firebox. If your Firebox is paired with more than one AP, the Gateway Wireless Controller automatically updates the APs one at a time. The Gateway Wireless Controller updates one AP every five minutes.

To disable automatic AP firmware updates:

Clear the Automatically update WatchGuard AP firmware when a new version is available on the Firebox device check box.

If you disable automatic firmware updates, you can manually update the firmware for each AP. For more information, go to Update AP Firmware on the Gateway Wireless Controller.

Configure Syslog Settings

By default, each AP automatically stores recent syslog log messages locally. You can see the syslog messages stored on each AP. For more information about how to see syslog messages for an AP, go to Monitor Wireless Connections (Gateway Wireless Controller).

You can also configure all your APs to send syslog messages to the same external syslog server. When you configure the syslog server in the Gateway Wireless Controller settings, all paired APs send syslog messages to the specified server.

External syslog support is only available for AP100, AP102, AP200, and AP300 devices.

Before you configure the Gateway Wireless Controller settings for an external syslog server, make sure the syslog server you specify is set up and your APs can connect to the IP address of the syslog server.

To configure your APs to send log messages to an external syslog server:

  1. Select the Send WatchGuard AP log messages to a syslog server check box.
  2. In the Syslog server IP address text box, type the IP address of the syslog server.

Enable Logging For Reports

Enable this option to generate log messages of wireless events for reports.

These events include:

  • AP discovery
  • AP status updates
  • AP reboot, online, offline, pairing and unpairing events
  • AP configuration changes
  • AP firmware version updates
  • Detection of rogue access points

Enable Communication VLAN Tagging

You can optionally use a tagged VLAN for management communications to the AP. You can enable VLAN tagging for each AP in the configuration for each AP, or you can enable it in the Gateway Wireless Controller settings. If you want to use the same communication VLAN ID for all paired access points, it might be most convenient to set the VLAN ID in the Gateway Wireless Controller settings.

If you enable communication VLAN tagging in the Gateway Wireless Controller settings, you do not need to enable communication VLAN tagging individually for each AP. The Firebox uses the communication VLAN ID specified in the Gateway Wireless Controller settings for management traffic to all APs, if communication VLAN tagging is not enabled in the AP settings.

To enable communication VLAN tagging for all APs:

  1. Select the Enable Communication VLAN Tagging check box.
  2. In the Communication VLAN ID text box, type the VLAN ID to use for management connections.
    This must be a VLAN that is configured for tagged traffic to the interface your APs connect to.

If you specify a communication VLAN ID in the configuration settings for an AP, the Firebox uses the VLAN ID configured for the AP instead of the VLAN ID specified in the Gateway Wireless Controller settings.

Bridge LAN Ports

In Fireware v12.2.1 and higher, you can bridge together the LAN ports on AP models that have two LAN interfaces. This enables you to extend the wired network on the second LAN interface.

For example, you could use the second LAN port to connect a wired device to the same network as the AP, such as a computer, VoIP phone, or other device.

To bridge the LAN ports on your AP, select the Bridge LAN Ports check box.

You cannot use the second AP LAN port for link aggregation. You can only create a bridge between the LAN interfaces to extend the wired network to the second LAN port of the AP.

Discovery Broadcasts

By default, the Gateway Wireless Controller uses a UDP broadcast on port 2528 on all networks to automatically discover connected APs and retrieve the current AP status.

WatchGuard APs respond to the discovery broadcast with a unicast packet to the Gateway Wireless Controller on port UDP 2529.

When you enable the Gateway Wireless Controller, a WG-Gateway-Wireless-Controller policy is automatically added to the Firebox configuration. This policy allows traffic from the trusted and optional networks to the Firebox over UDP port 2529 for AP management. The Firebox uses a secure SSH connection to manage APs with the Gateway Wireless Controller.

The Gateway Wireless Controller cannot automatically discover an AP located somewhere on your network where it cannot receive the broadcast. In these types of deployments, you can instead connect to the AP to configure the network settings, and then add the AP to the Gateway Wireless Controller with the same network settings. For more information, see the manual AP configuration topic in Configure AP Settings.

You can limit the networks that you use for AP discovery broadcasts, and you can also disable automatic discovery broadcasts. This is useful if you use the automatic deployment feature and need control over the networks that will allow APs to be automatically deployed. For more information on automatic deployment, go to About AP Automatic Deployment.

To limit your discovery broadcast addresses:

  1. Select Only discover WatchGuard AP devices on these broadcast IP addresses.
  2. Click Add and specify a broadcast IP address for the network to use to deploy WatchGuard APs.
    You must add a valid broadcast address for your network.
    For example, if your trusted interface is configured as, the broadcast IP address is
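The broadcast address you add must be the directed broadcast address of the network the APs are on, not the interface IP address itself. As an added illustration (not part of WatchGuard's documentation), the following Python computes the broadcast address from an interface's IP address and prefix length, and checks whether a candidate entry is a valid discovery broadcast address for one of the configured interfaces. The interface addresses and prefix lengths below are constructed sample values, not values from the page.

```python
import ipaddress

# Constructed sample values: the address/prefix configured on each Firebox
# interface that APs connect to. Replace with your own interface settings.
INTERFACES = {
    "trusted": "10.0.1.1/24",
    "optional": "192.168.50.1/23",
}


def broadcast_address(interface_cidr: str) -> str:
    """Return the directed broadcast address of the network an interface is on.

    ipaddress.ip_interface() keeps the host address and the prefix, so
    .network gives the containing subnet and .broadcast_address its last
    address (for example 10.0.1.1/24 -> 10.0.1.255).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    return str(iface.network.broadcast_address)


def discovery_broadcast_list(interfaces: dict, allowed: list) -> list:
    """Return the broadcast addresses to enter for the interfaces whose names
    are in `allowed`, i.e. the networks on which APs may be discovered and
    automatically deployed. Interfaces not listed are left out, so the
    Firebox does not send discovery broadcasts there."""
    return [broadcast_address(interfaces[name]) for name in allowed]


def is_valid_discovery_broadcast(candidate: str, interfaces: dict) -> bool:
    """True only if `candidate` is exactly the broadcast address of one
    configured interface network. A common mistake is entering the interface
    IP address or the network address instead; both are rejected here."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(
        ipaddress.ip_interface(cidr).network.broadcast_address == addr
        for cidr in interfaces.values()
    )


if __name__ == "__main__":
    # Only the trusted network is used for automatic deployment in this sample.
    for bcast in discovery_broadcast_list(INTERFACES, ["trusted"]):
        print("add discovery broadcast address:", bcast)
    for entry in ("10.0.1.255", "10.0.1.1", "192.168.51.255", "192.168.50.0"):
        print(entry, "valid" if is_valid_discovery_broadcast(entry, INTERFACES) else "not a broadcast address")
```

Run the check against every address you intend to add in step 2 above before saving the configuration; an address that is not the broadcast address of an attached network will never reach the APs on it.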

To disable automatic discovery broadcasts:

  1. Select the Disable automatic discovery of WatchGuard AP devices check box.
  2. To manually discover unpaired APs, on the Gateway Wireless Controller Access Points page, click Refresh.

We recommend you do not disable discovery broadcasts in deployments where the IP address assigned to APs by DHCP can change (for example, non-fixed DHCP addresses). Without discovery broadcasts, the Gateway Wireless Controller cannot learn an AP's new address, and management communications between the APs and the Gateway Wireless Controller can be disrupted.

Advanced Deployment

(Fireware v12.0.2 or lower)

You can deploy AP300 devices over-the-air without a cable connection to your network. When the network cable is disconnected, the AP switches to client mode and associates to the nearest cabled AP.

To enable wireless deployment, select the Enable deployment over wireless check box.

For more detailed information, go to About AP Wireless Deployment.

Wireless Scan Interval

You can configure the interval for automatic wireless scans for AP channel selection, wireless deployment maps, and rogue access point detection. The default is 4 hours.

To reduce wireless traffic and resource usage for wireless network scans, you can increase the automatic scan interval.

Enable SSH Access on All WatchGuard APs

Enable this option to allow SSH access to WatchGuard APs to troubleshoot device issues with a WatchGuard Technical Support representative.

Alarm Notifications

You can enable alarms to notify you when these wireless events occur:

  • Send alarm notification when an Access Point cannot be contacted — An AP can be unexpectedly disconnected for many reasons, including network disruption or loss of power. Alarm notifications are not generated if the AP cannot be contacted because of a firmware upgrade or because the administrator rebooted the AP.
  • Send alarm notification when a Rogue Access Point is detected.
  • Send alarm notification when the Access Point feature key is expired or about to expire.
    For more information on AP licensing, go to About Gateway Wireless Controller AP Licenses.
    For more information on how to monitor AP activation status, go to Monitor AP Status.

Notifications are also sent when the trust state of an AP changes.

To configure your notifications, select the Notification tab in Fireware Web UI or click Notification in Policy Manager. For more information on notifications, go to Set Logging and Notification Preferences.

Access Point Feature Key

(Fireware v12.5.1 and higher)

Select the Enable automatic Access Point feature key synchronization check box to enable the Gateway Wireless Controller to automatically synchronize the activation status and AP feature keys for your APs from WatchGuard servers. This option is enabled by default.

Automatic AP feature key synchronization checks the feature key status of your APs based on this schedule:

  • On a weekly basis if no APs are approaching expiration
  • On a daily basis when one or more APs expire in less than 7 days

In addition, automatic feature key synchronization occurs during these events:

  • When the Gateway Wireless Controller is enabled or the Firebox restarted
  • When you attempt to pair an AP with the Gateway Wireless Controller
  • When you refresh the unpaired AP list
  • When you save a configuration to the Firebox from Policy Manager

If this option is disabled, or if you want to immediately update the activation status and AP feature key for an AP:

For more information on how to monitor and manage your AP activation status and AP feature keys with the Gateway Wireless Controller, go to Monitor AP Status.

For more information on AP licensing, go to About Gateway Wireless Controller AP Licenses.

Reboot Schedule

You can reboot your APs at scheduled times on a daily or weekly basis. When you enable scheduled reboots, the APs managed by the Gateway Wireless Controller are rebooted at intervals 90 seconds apart so they are not restarted at the same time.

Rebooting an AP reloads the device configuration, restarts wireless interfaces, and automatically updates channel selection.

To configure scheduled reboots:

  1. Select the Automatically reboot AP Devices check box.
  2. Select Daily or a specific day of the week for a weekly restart.
  3. Set the time for the reboot in 24-hour format (hh:mm).

Configure MAC Access Control

In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for your APs.

For more information, go to Configure MAC Access Control.

Related Topics

Configure AP Radio Settings