Access Point System and Firmware Integrity Checks

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)

Caution: If you currently run one of these access point firmware versions, we strongly recommend you upgrade to access point firmware v2.4.7 or higher, which uses the latest system integrity software:

  • v2.2.22-0.B691305 (any access point model)
  • v2.3.16.0-B693199 (AP230W with factory installed firmware)

These system and firmware integrity checks are included in access point firmware v2.1 and higher:

  • System Integrity Check — Each time the access point boots, the access point uses a cryptographic signature to verify the integrity of the device. These integrity checks make sure that system files are valid and have not been corrupted.
  • Firmware Integrity Check — Each time you perform a firmware upgrade, the access point verifies the integrity of a firmware upgrade file before installation.

In access point firmware v2.7 and higher:

System Integrity Check

Each time the access point boots, it uses a cryptographic key to verify the integrity of the system files.

If an access point shuts down because an integrity check fails:

  • The access point reboots into failsafe mode
  • The LED indicators on the access point flash alternating blue and red every second to indicate the device is in failsafe mode
  • The access point does not broadcast wireless SSIDs or pass wireless traffic
  • You cannot connect to the access point Web UI or Command Line Interface (CLI) to view the status
  • You must contact WatchGuard Support to replace the device

WatchGuard Cloud generates an informational device alarm notification if the access point system integrity check allows a new non-executable internal system file to be installed on the device, and no threat is detected.

Firmware Integrity Check

When you select a firmware upgrade file to install, the access point examines the file to make sure it contains a cryptographic signature. If the signature is present, the access point uses the public key from the previously installed firmware image to verify the upgrade file. If the access point cannot verify the signature, or if the signature is not present, the access point cancels the upgrade.

Access point firmware v2.0.28 is the minimum firmware version required to validate higher versions of firmware upgrade files that require firmware integrity checks. After you upgrade to an access point firmware version that includes system integrity checks, you cannot downgrade to a firmware version that is not signed by WatchGuard.

If your access point runs a firmware version lower than v2.0.28 and you upgrade directly to v2.1 or higher from WatchGuard Cloud, the device will upgrade twice, first to v2.0.28 and then to the selected firmware version automatically. It might take additional time for the firmware upgrade to complete.

If file system integrity checks detect a new file on the device that is a legitimate new system file, you will see this informational alert notification message:

Access Point [device name] has detected a new file [file name] with hash [sha1sum] in the device’s protected filesystem. This might be a new system file, and no threat is detected by the system integrity check.

Kernel Architecture Integrity Check

In access point firmware v2.7 and higher, access points include continuous kernel architecture integrity checks to detect if suspicious new files are saved on the device.

Notification alerts appear if the system detects files without a valid signature, suspicious files, or if the kernel architecture integrity check has been disabled.

We recommend you contact WatchGuard Support if you see these alert notification messages:

  • The access point has detected a file {{file}} at {{time}} on {{date}} that does not have a valid signature. Your AP might be under attack, and the file has been prevented from running. We recommend you contact WatchGuard Support.
  • The access point has detected a suspicious temporary file {{file}} at {{time}} on {{date}}. Your AP might be under attack. We recommend you contact WatchGuard Support.
  • Kernel integrity checks have been disabled. Your access point might be under attack. We recommend you contact WatchGuard Support.
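
An added example, not WatchGuard code: a small triage routine that sorts received notification text into the informational new-file alert and the alerts this page says to raise with WatchGuard Support. It assumes the rendered messages follow the templates quoted on this page literally and that file names, times and dates contain no spaces; the function names, category labels and sample alerts are constructed for illustration.

```python
import re

# Patterns are built from the alert texts quoted on this page. Placeholder
# values are matched loosely because the page does not specify their formats.
RULES = [
    ("new_system_file", "informational", re.compile(
        r"Access Point (?P<device>.+?) has detected a new file (?P<file>\S+) "
        r"with hash (?P<sha1>\S+) in the device.s protected filesystem")),
    ("invalid_signature", "contact_support", re.compile(
        r"detected a file (?P<file>\S+) at (?P<time>\S+) on (?P<date>\S+) "
        r"that does not have a valid signature")),
    ("suspicious_temp_file", "contact_support", re.compile(
        r"detected a suspicious temporary file (?P<file>\S+) "
        r"at (?P<time>\S+) on (?P<date>[^\s.]+)")),
    ("kernel_checks_disabled", "contact_support", re.compile(
        r"Kernel integrity checks have been disabled")),
]
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")

def triage(message):
    """Classify one alert text; unknown text is escalated, never dropped."""
    for kind, action, pattern in RULES:
        m = pattern.search(message)
        if m:
            fields = m.groupdict()
            # A hash that is not a SHA-1 hex digest does not fit the documented text.
            if kind == "new_system_file" and not SHA1_RE.fullmatch(fields["sha1"]):
                action = "review"
            return {"kind": kind, "action": action, **fields}
    return {"kind": "unrecognized", "action": "review"}

def summarize(messages):
    """Return the alerts that need a human, most urgent first."""
    order = {"contact_support": 0, "review": 1}
    hits = [t for t in map(triage, messages) if t["action"] in order]
    return sorted(hits, key=lambda t: order[t["action"]])

# Constructed sample alerts: device name, paths, hash and timestamps are invented.
SAMPLES = [
    "Access Point Lobby-AP has detected a new file /etc/example.conf with hash "
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 in the device's protected "
    "filesystem. This might be a new system file, and no threat is detected "
    "by the system integrity check.",
    "The access point has detected a suspicious temporary file /tmp/x.bin at "
    "10:42 on 2024-05-01. Your AP might be under attack. We recommend you "
    "contact WatchGuard Support.",
    "Kernel integrity checks have been disabled. Your access point might be "
    "under attack. We recommend you contact WatchGuard Support.",
]
print(*summarize(SAMPLES), sep="\n")  # the alerts that need a human
```

Text that matches none of the documented messages, or a new-file alert whose hash is not a 40-character hex digest, is returned with the action `review` instead of being discarded.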
