WatchGuard AP Requirements and Limitations

Before you add a WatchGuard AP to your network, it is important to understand the requirements and limitations of the AP.

You cannot manage WatchGuard Wi-Fi 6 APs (AP130, AP330, AP430CR, AP432) with a Gateway Wireless Controller on a Firebox or WatchGuard Wi-Fi Cloud. If you are looking for information about how to manage Wi-Fi 6 APs in WatchGuard Cloud, see About Wi-Fi in WatchGuard Cloud.

Minimum Fireware Versions Required for AP Models

To use AP firmware 8.6.x and higher, your Firebox must run Fireware v12.5.1 or higher.

These are the minimum versions of Fireware required for each AP model:

AP Model                Minimum Fireware Version Required
AP100, AP102, AP200     11.7.2
AP300                   11.10.5
AP120, AP320            11.11.2
AP322                   11.12.2
AP420                   11.12.4
AP325                   12.1
AP125                   12.1.3
AP327X                  12.5
AP225W                  12.5.3

As of Fireware v12.7.2 Update 2, Fireware v12.5.9 Update 2, and Fireware v12.1.3 Update 8, the AP firmware versions available to download from the Firebox are:

  • AP120, AP320, AP322: 8.8.3-12 and higher
  • AP125, AP225W, AP325, AP327X, AP420: 10.0.0-124 and higher

These are the minimum AP firmware versions required for Fireboxes that support system integrity checks.


For an AP to be managed by Gateway Wireless Controller on a Firebox:

  • The Firebox must be configured in mixed routing or drop-in mode.
  • The AP must connect to a trusted, optional, or custom network.
  • The Firebox configuration must include a policy that allows NTP traffic from the AP to the Internet. The AP uses an NTP server to set the correct local time.
  • The Firebox and APs on your network require access to WatchGuard servers (* on port 443. This allows the Gateway Wireless Controller on the Firebox to register and activate APs and find new firmware updates. APs require access to WatchGuard servers to get country and regional information.

The default Outgoing policy allows NTP traffic from the trusted network. If you remove or disable the Outgoing policy, or if your AP is connected to the Optional network, you must add an NTP policy to allow outgoing NTP traffic from the network the AP connects to.


  • You cannot use a WSM Management Server to manage WatchGuard APs.
  • You cannot locate WatchGuard APs behind a NAT firewall.
  • The WatchGuard Gateway Wireless Controller is designed to manage up to 20 WatchGuard APs. If you experience management performance issues as you add more APs to your network, you can use the Gateway Wireless Controller on another Firebox to manage these APs.
  • We recommend you configure your AP to accept connections from a maximum of 20-40 wireless client devices for each radio based on the overall airtime demand of the client devices.
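
As an added example (not WatchGuard code), this Python script turns the minimum Fireware table, the AP firmware 8.6.x rule, the Wi-Fi 6 restriction, and the 20-AP design limit from this page into a pre-deployment inventory check. The function names and the sample inventory are assumptions, and versions are assumed to be plain dotted numbers without an "Update N" suffix.

```python
# Added example: pre-deployment check built from the tables and limits on this page.
# Function and variable names are assumptions made for illustration.
MIN_FIREWARE = {
    "AP100": "11.7.2", "AP102": "11.7.2", "AP200": "11.7.2",
    "AP300": "11.10.5", "AP120": "11.11.2", "AP320": "11.11.2",
    "AP322": "11.12.2", "AP420": "11.12.4", "AP325": "12.1",
    "AP125": "12.1.3", "AP327X": "12.5", "AP225W": "12.5.3",
}
WIFI6_MODELS = {"AP130", "AP330", "AP430CR", "AP432"}  # not manageable by the GWC
MAX_APS_PER_GWC = 20  # design limit stated on this page


def ver(text):
    """Parse '12.5.1' or '8.8.3-12' into a tuple so 11.10.5 sorts above 11.7.2."""
    parts = text.replace("-", ".").split(".")
    return tuple(int(p) for p in parts)


def at_least(have, need):
    """Compare versions numerically, padding so that 12.1 equals 12.1.0."""
    a, b = ver(have), ver(need)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) >= pad(b)


def audit(fireware, aps):
    """Return a list of findings for (model, ap_firmware) pairs behind one Firebox."""
    findings = []
    if len(aps) > MAX_APS_PER_GWC:
        findings.append(f"{len(aps)} APs exceeds the {MAX_APS_PER_GWC}-AP design limit")
    for model, ap_fw in aps:
        if model in WIFI6_MODELS:
            findings.append(f"{model}: Wi-Fi 6 AP, not manageable by Gateway Wireless Controller")
        elif model not in MIN_FIREWARE:
            findings.append(f"{model}: model not listed on this page")
        elif not at_least(fireware, MIN_FIREWARE[model]):
            findings.append(f"{model}: needs Fireware {MIN_FIREWARE[model]}, Firebox runs {fireware}")
        elif at_least(ap_fw, "8.6") and not at_least(fireware, "12.5.1"):
            findings.append(f"{model}: AP firmware {ap_fw} needs Fireware 12.5.1 or higher")
    return findings


if __name__ == "__main__":
    # Constructed inventory, not taken from a real deployment.
    sample = [("AP300", "2.0.0"), ("AP125", "8.8.3-12"), ("AP225W", "10.0.0-124"), ("AP330", "1.0")]
    for line in audit("12.1.3", sample):
        print(line)
```

The numeric comparison matters because a plain string comparison would rank 11.7.2 above 11.10.5 and pass an AP300 on a Firebox that is too old for it.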

Features not Supported by Local Managed APs

These features are not supported on AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, and AP420 devices when they are managed by the Gateway Wireless Controller:

  • LED controls
  • External syslog support
  • Link aggregation on additional Ethernet ports
  • Third scanning radio on tri-radio APs

See Also

Configure VLANs for WatchGuard APs