Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)
Wireless network setup and deployment can be easy if you have only a few access points and a quiet wireless airspace. Many network and airspace environments are challenging when you need to set up a wireless network in a high-density location with a crowded airspace and wireless clients with advanced requirements for roaming and bandwidth.
Wi-Fi in WatchGuard Cloud enables you to easily add cloud-managed access points to your network. The default configuration provides optimal settings for most networks, but there are scenarios where the default configuration requires adjustments to optimize the channel usage and transmit power for your specific environment.
The following guidelines and checklists can help you with your installation to ensure a successful Wi-Fi deployment and provide an optimal experience for your wireless clients.
The included charts and checklists are courtesy of Wireless LAN Professionals.
- Submit a Wi-Fi Customer Requirements Questionnaire (Predictive Site Survey)
- WatchGuard can assist partners with predictive site surveys for customers.
- WatchGuard provides a Wi-Fi Customer Requirements Questionnaire that specifies the data required to create a predictive site survey for the deployment.
- The site survey includes sizing information for the number and types of access points required by the wireless network, and a deployment floor plan with suggested access point placement.
- To download the questionnaire, log in to your partner account on the WatchGuard web site and go to Product > Selling Secure Wi-Fi.
- Review the Wireless Network Planning Guide
- To help meet your wireless deployment requirements for coverage, capacity, airtime demand, and security, you must understand the network, cabling, and hardware requirements for your network.
- Review the Deployment Best Practices
- Based on the Wi-Fi Customer Requirements Questionnaire, WatchGuard determines the optimal access point placement based on a theoretical simulation. You must physically survey the actual location to determine additional environmental factors that will affect your final placement.
- Wired Network Best Practices
- Wireless Network Best Practices
- Access Point Placement and Channel Plan Best Practices
- Review the MCS Index Tables (802.11n/ac and 802.11n/ac/ax)
- Use the MCS (Modulation and Coding Scheme) Index tables to determine quality of connections and the correct throughput expectations for wireless clients.
- Perform an On-Site Survey
- We recommend you perform a scan of the wireless environment with third-party tools to determine the wireless channels in use by other neighboring wireless signals. This is the safest method to validate the actual attenuation factors of the physical environment and limit co-channel interference. A complex wireless environment might require custom settings beyond the default automatic channel selection settings.
- Review the 2.4 GHz, 5 GHz, and 6 GHz Spectrum charts
- The charts provide an overview of channel availability in the different frequency bands. You can compare these with your on-site survey results to find the most optimal channel allocations.
- During the design phase of your wireless deployment, always plan for optimal performance. The spectrum charts enable you to see which channels are best to use for the selected bandwidth of each supported band.
- Review the Deployment Best Practice notes for information on wireless channels and access point features
- Review the deployment best practice notes for access point channels and features to optimize your channel, radio, and access point settings.
- Verify if supported wireless features are compatible with your requirements and understand if the feature implementation is appropriate for your specific deployment.
- Review the Deployment Checklist
- This checklist provides several pre-installation and post-installation checks to make sure you perform a successful wireless deployment.
Deployment Best Practice Notes
| Feature | Best Practice |
|---|---|
| Channel Selection |
By default, the preferred channel is set to Auto. In this mode, the access point automatically selects a quiet channel with the least interference from the available channels in the selected band. For complex or high-density deployments, you might need to use manual channel selection to minimize co-channel interference and contention, and maximize throughput. |
| DFS channels |
Use DFS channels when possible and based on your local regulatory domain. Remove any DFS channels from your available channel list if they cause recurring channel change events from radar signals. |
| Channel 144 and 165 | Make sure your wireless clients are able to access channels 144 and 165. Some older wireless clients might not support these channels. |
| 160 and 320 MHz Channel Width |
Use the widest channel possible that does not result in co-channel interference and contention. |
| SSID Security | Do not use TKIP, WEP, or WPA. WPA2 is the minimum recommended security setting. Wi-Fi 7 (6 GHz) uses WPA3/OWE only. The use of WPA2/WPA3 mixed mode as a transition method for WPA3 might not work with all clients. Plan a strategy on how to use WPA2 and WPA3 in a mixed deployment. |
| 802.11w - Management Frame Protection |
With WPA2, this adds an additional security mechanism of 802.11w management frame protection (MFP) to protect a certain class of management frames and prevent spoofing attacks. This feature is mandatory and automatically enabled with WPA3. |
| Transmit Power Settings |
Use your site survey to determine the transmit power for your deployment. In most cases, you can use the default Auto selection to provide the maximum power for optimal range. In very dense deployments where access points are deployed in close proximity to each other, we recommend that you adjust your transmit power to limit your coverage area so that it does not expand outside the necessary boundaries for your deployment. We recommend that you set access point transmit power levels for 2.4 GHz lower than those for 5 GHz. This compensates for better propagation of 2.4 GHz signals as compared to 5 GHz. |
| Band Steering |
Actively steers wireless clients from the 2.4 GHz band to use the less congested 5 GHz band to help balance associated clients on an access point between the 2.4 GHz and 5 GHz radios. Band steering is not required if you do not have SSID's shared across frequency bands. |
| Beacon Interval (100ms) | WatchGuard Cloud access points use a standard default beacon interval setting of 100ms that cannot be modified. |
| Captive Portals |
Enable captive portals as required for guest networks. Captive portals can add network complexity and cause issues with network access for other features such as multi-factor authentication and network access enforcement. |
| Client Isolation |
Enable this feature on guest networks to prevent traffic between guest clients. |
| Client Limits per Radio | Enable client limits based on the density of your wireless environment. This is useful to prevent some access points from an overload of connected clients that might affect performance. |
| SSID broadcast | It is not useful to disable broadcast and hide SSIDs. Scanners can still detect hidden wireless networks. |
Installation Checklist
This list includes pre-installation and post-installation checks to help you perform a successful wireless deployment.
| Pre-Installation Checklist | |
|---|---|
| Cabling meets or exceeds Cat5e specifications | |
| Total cable distance with patch cords is less than 100m | |
| PoE power meets requirements of access points (802.3af, at, or bt) | |
| Confirm DHCP addresses and VLAN assignments | |
| Confirm switch access or trunk port as required | |
|
Confirm default gateway is reachable with ping |
|
| Confirm target IP addresses reachable with ping | |
| Confirm DNS is reachable and DNS queries can be resolved | |
| Management VLAN is correctly assigned and available |
| Post-Installation Checklist | |
|---|---|
| Document access point IP address, MAC address, and device name | |
| Document access point location | |
| Document switch and port to which access point is connected | |
|
Confirm access point is installed with the correct orientation |
|
| Confirm external antennas (if any) are installed and oriented correctly | |
| Make sure access point receives a configuration from WatchGuard Cloud | |
|
Make sure access points have the latest firmware installed |
|
| Check your airspace to make sure that all SSIDs are broadcast | |
|
Connect a wireless client to the SSID to test the connection |
|
|
Check each SSID to make sure client receives an address on the correct IP address or VLAN IP address pool |