Access Point Airspace Monitoring
Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)
You can enable Airspace Monitoring on your access points to scan your network for these types of malicious access points:
Rogue Access Point
A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.
- The rogue access point might have been connected by an unauthorized user. Your wireless clients might connect to these rogue access points instead of your authorized managed access points and communicate vulnerable data.
- The rogue access point might be a device connected to the network by someone inside your organization without consent, or it could be a device set up for testing. These access points are security risks to your network if they are misconfigured or do not have required security features enabled.
- The device might be a legitimate access point on your network that is not configured in your Trusted Access Point list.
Suspected Rogue Access Point
A Suspected Rogue access point might be an unauthorized access point physically connected to your wired network, or it might also be a legitimate access point.
- A Suspected Rogue access point might be an unauthorized access point connected to your wired network that broadcasts SSIDs your clients might connect to instead of your legitimate access point SSIDs.
- The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.
Evil Twin Access Point
An Evil Twin is a nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.
- The Evil Twin might have been set up near your network by an unauthorized user.
- Wireless clients might connect to the Evil Twin access point instead of your legitimate managed access points and communicate vulnerable data.
- The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.
The ability to scan for Evil Twin access points requires an AP230W, AP330, or AP430CR that has a dedicated scanning radio.
Airspace Monitoring Reports and Alerts
You can view a summary of detected malicious access point threats in the Airspace Monitoring report. For more information, go to Access Point Airspace Monitoring Report.
When WatchGuard Cloud detects a malicious access point, you can generate an alert notification so that you can take action to investigate, identify, and remove the threat. For more information on how to create an alert notification for Airspace Monitoring events, go to Airspace Monitoring Alerts.
Airspace Monitoring and ThreatSync
Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
You can integrate access point Airspace Monitoring with ThreatSync. ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard devices and products. You can receive incident alerts in ThreatSync when Airspace Monitoring detects malicious access points such as Rogue and Evil Twin access points.
With ThreatSync integration, you can also perform response actions to these threat incidents in ThreatSync to block wireless client connections to malicious access points or trust known access points in your deployment.
- To send data to ThreatSync, access points must run firmware v2.0 or higher.
- To perform ThreatSync response actions to block wireless client connections to malicious access points, access points must run firmware v2.7 or higher.
- An AP230W, AP330, or AP430CR with a dedicated scanning radio is required for over-the-air Evil Twin detection and ThreatSync response actions to block connections to malicious access points.
For more information, go to About ThreatSync.
Before you Begin
Airspace Monitoring requires:
- A WatchGuard USP Wi-Fi Management license
- Access point firmware v2.0 or higher on all access points
- Access point firmware v2.7 or higher when integrated with ThreatSync to perform response actions and block wireless client connections to Rogue and Evil Twin access points.
- An AP230W, AP330, or AP430CR with a dedicated scanning radio for over-the-air Evil Twin detection and ThreatSync response actions to block wireless client connections to malicious access points.
- All other access point models managed by Wi-Fi in WatchGuard Cloud can only detect Rogue and Suspected Rogue access points physically connected to the network.
- For larger deployments, we recommend you have at least one access point with a dedicated scanning radio for every 3 to 5 access points.
- NTP (Network Time Protocol) server configured for your access points. NTP is required for accurate scanning and detection. The default servers configured for access points are: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org. We recommend you specify an internal NTP server if available on your network, or a reliable, regional NTP server.
How Airspace Monitoring Works
Airspace Monitoring uses WatchGuard's patented identification technology to scan your wired network and your wireless airspace for malicious access points such as Rogue, Suspected Rogue, and Evil Twin access points.
WatchGuard access points can only detect malicious access points on the same network to which they are connected. They cannot detect malicious access points on other networks/VLANs.
Rogue Access Point Detection
A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.
All WatchGuard access point models managed by WatchGuard Cloud can detect Rogue and Suspected Rogue access points on your network.
- WatchGuard access points scan the wired network for access points physically connected to the network, and also scan your wireless airspace for the SSIDs broadcast by these access points.
- WatchGuard Cloud can correlate the MAC addresses of the detected wired and wireless interfaces to determine whether the access point is a Rogue access point.
- If the correlation between the MAC addresses is uncertain, the access point is classified as a Suspected Rogue access point, which means it might be an unauthorized device that you must investigate. The access point might also be a legitimate device that you have not added to your Trusted Access Points list.
Evil Twin Access Point Detection
An Evil Twin is a nearby access point operating in your airspace (not connected to your wired network) that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.
- Only WatchGuard access points with a wireless scanning radio (AP230W, AP330, and AP430CR) are able to detect Evil Twin access points that operate in your wireless airspace.
- WatchGuard Cloud uses patented signature-based identification to determine whether an access point is an Evil Twin and not a known WatchGuard managed access point or trusted access point.
- The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.
Trusted Access Points
WatchGuard's patented identification technology makes sure that WatchGuard Cloud does not generate security alerts for trusted wireless devices.
These WatchGuard devices are automatically identified as trusted access points:
- WatchGuard access points managed by WatchGuard Cloud
- Wireless Fireboxes managed by WatchGuard Cloud
Managed access points and wireless Fireboxes must be in the same WatchGuard Cloud account.
You can add the MAC addresses of additional devices on your network that you consider as managed, trusted devices to the Trusted Access Points list.
For example, you can add the MAC addresses of known devices such as other WatchGuard products and third-party access points as trusted access points. For more information, go to Configure Trusted Access Points.
You can also trust access points when you review a ThreatSync incident for a malicious access point detection. For more information, go to Review Incident Details and Configure Trusted Access Points in ThreatSync.
Configure Airspace Monitoring
To configure Airspace Monitoring for an access point:
- Select Configure > Devices.
- Select a cloud-managed access point.
- Select Device Configuration.
- In the Settings tile, select Advanced Settings.
- Enable Airspace Monitoring.
- Save the configuration.
- Deploy the configuration to your access point.
We recommend you configure Airspace Monitoring in an Access Point Site and apply the configuration to multiple access points. For more information, go to About Access Point Sites.
Configure Trusted Access Points
By default, all WatchGuard access points and wireless Fireboxes you manage from WatchGuard Cloud are considered trusted access points. WatchGuard's patented identification technology makes sure that WatchGuard Cloud does not generate security alerts for devices you manage in your WatchGuard Cloud account.
You can add the MAC addresses of additional access points connected to your network that you want classified as trusted access points, such as:
- Wi-Fi 5 access points managed by WatchGuard Wi-Fi Cloud
- Wi-Fi 5 access points managed by a Gateway Wireless Controller on a Firebox
- Wireless Fireboxes not managed by WatchGuard Cloud
- Third-party access points
Make sure you add both the wired Ethernet MAC address of the access point and any BSSID MAC addresses of wireless networks broadcast by the access point to prevent Rogue and Evil Twin access point alerts.
To add MAC addresses of trusted access points, click Add MAC Address. When you have finished, click Add to save the list of trusted access points.
To upload a list of multiple MAC addresses, click Import MAC Address List.
You can drag and drop a MAC address list into the box or select the MAC address list file.
The MAC address list file must be in comma-separated value format (CSV), with a MAC address and an optional description.
For example, to import addresses with a description:
00:aa:00:bb:00:c1,Description
00:aa:00:bb:00:c2,Description
To import addresses with no description:
00:aa:00:bb:00:c1
00:aa:00:bb:00:c2
To import addresses with and without descriptions:
00:aa:00:bb:00:c1,Description
00:aa:00:bb:00:c2
00:aa:00:bb:00:c3,Description
00:aa:00:bb:00:c4
When the imported file is analyzed, you can select the MAC addresses to import. Click Save to import the MAC addresses.
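The following Python script is an added example, not WatchGuard code, that ties together two parts of this topic: it parses a trusted access point list in the CSV format shown above (MAC address plus optional description), and it models the classification logic described under How Airspace Monitoring Works. The MAC correlation heuristic (same OUI and a nearby address, on the assumption that many access points derive BSSIDs from their base MAC) is a simplification invented for this example; WatchGuard's patented identification technology is not published here. The wired MAC table, the observed BSSID/SSID pairs and the "Neighbor" label for unflagged access points are constructed for illustration.

```python
"""Added example: trusted-AP CSV parsing and a simplified Rogue / Suspected
Rogue / Evil Twin classifier. Hypothetical model, not WatchGuard's algorithm."""
import csv
import io
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Accept aa:bb:.. or AA-BB-.. and return lowercase colon form, or raise."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def parse_trusted_list(text):
    """Parse 'mac[,description]' CSV lines into {mac: description}.

    Blank lines and lines starting with '#' are skipped; a malformed MAC
    raises ValueError so a bad import is noticed rather than silently dropped."""
    trusted = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip() or row[0].lstrip().startswith("#"):
            continue
        mac = normalize_mac(row[0])
        trusted[mac] = row[1].strip() if len(row) > 1 else ""
    return trusted


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def correlate(wired_mac, bssid):
    """Heuristic (assumption, not the product's method): a BSSID that shares the
    wired interface's OUI and lies within 16 addresses is a strong match, within
    256 addresses a weak match, otherwise no match."""
    if wired_mac[:8] != bssid[:8]:
        return None
    distance = abs(_mac_int(wired_mac) - _mac_int(bssid))
    if distance <= 0x0F:
        return "strong"
    if distance <= 0xFF:
        return "weak"
    return None


def classify(observed, wired_macs, trusted, managed_ssids):
    """observed: [(bssid, ssid)] seen over the air; wired_macs: MACs seen on the
    wired network; trusted: {mac: description}; managed_ssids: SSIDs your
    managed APs broadcast. Returns {bssid: classification}."""
    wired = {normalize_mac(m) for m in wired_macs}
    results = {}
    for raw_bssid, ssid in observed:
        bssid = normalize_mac(raw_bssid)
        if bssid in trusted:
            results[bssid] = "Trusted"
            continue
        best = None
        for w in wired:
            match = correlate(w, bssid)
            if match == "strong":
                best = "strong"
                break
            if match == "weak":
                best = "weak"
        if best == "strong":
            results[bssid] = "Rogue"              # wired + wireless MACs correlate
        elif best == "weak":
            results[bssid] = "Suspected Rogue"    # correlation uncertain: investigate
        elif ssid in managed_ssids:
            results[bssid] = "Evil Twin"          # our SSID, not on our wire
        else:
            results[bssid] = "Neighbor"           # constructed label: not flagged
    return results


# Constructed sample data in the page's CSV format (mixed with/without description).
TRUSTED_CSV = """00:aa:00:bb:00:c1,Lobby third-party AP (wired)
00:aa:00:bb:00:c2
"""
WIRED_MACS = {"00:aa:00:bb:00:c1", "00:11:22:33:44:50"}
OBSERVED = [
    ("00:aa:00:bb:00:c2", "Corp"),        # BSSID of the trusted lobby AP
    ("00:11:22:33:44:51", "FreeWiFi"),    # 1 address from a wired MAC: Rogue
    ("00:11:22:33:44:C0", "Guest"),       # 0x70 away, same OUI: Suspected Rogue
    ("de:ad:be:ef:00:01", "Corp"),        # our SSID, no wired presence: Evil Twin
    ("de:ad:be:ef:00:02", "CoffeeShop"),  # unrelated neighbor
]
MANAGED_SSIDS = {"Corp"}


def run_example(trusted_csv=TRUSTED_CSV):
    return classify(OBSERVED, WIRED_MACS, parse_trusted_list(trusted_csv), MANAGED_SSIDS)


if __name__ == "__main__":
    for bssid, verdict in run_example().items():
        print(f"{bssid}  {verdict}")
```

Running `run_example()` with the trusted list as given marks the lobby AP's BSSID as Trusted. Calling it with only the wired line of the CSV (`run_example("00:aa:00:bb:00:c1,Lobby\n")`) reclassifies that same BSSID as Rogue, which is the situation the note above warns about: both the wired Ethernet MAC and each BSSID must be on the trusted list.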
Troubleshoot Airspace Monitoring
If you enable Airspace Monitoring and you encounter false positive alerts for known access points that are detected as a Rogue, Suspected Rogue, or Evil Twin access point, examine the following:
- Make sure all your access points are upgraded to firmware v2.0 or higher. To perform response actions against threat access points when integrated with ThreatSync, access points must run firmware v2.7 or higher.
- Make sure you enable Airspace Monitoring on all access points. We recommend you use Access Point Sites to apply the configuration to multiple access points.
- Make sure that the configuration is correctly deployed to the access point. For more information, go to Access Point Deployment History.
- Make sure all access points are configured to poll the same NTP server. The default is pool.ntp.org. Make sure that the connection to the NTP server is working. We recommend you use an internal NTP server if available on your network, or a reliable, regional NTP server.
- Make sure trusted wireless devices on your network that you do not manage in WatchGuard Cloud are configured in your Trusted Access Point list.