Network Services Best Practices

This table provides recommendations for network service configuration to support a WatchGuard Wi-Fi Cloud deployment in an enterprise environment.





Use the current network DHCP servers.



Use the current network DNS services.



Configure proxy bypass rules to allow AP to cloud management traffic.

All management traffic from the access points to Wi-Fi Cloud must be configured to bypass proxies while preventing unfiltered user access to the Internet.

You can use a WatchGuard Firebox to configure policies for Wi-Fi Cloud traffic and bypass proxies. Predefined policies are available for this purpose. If your Firebox runs Fireware v11.11.4 or higher, the Firebox configuration file includes the predefined WG-Cloud-Managed-WiFi packet filter policy that you can add to the configuration to enable traffic over the ports required for WatchGuard Wi-Fi Cloud domains.


You must allow this traffic on your firewall:

  • Port 3851 (UDP) outbound
  • Port 3852 (UDP) outbound for APs configured in CIP mode
  • Port 80 (TCP) outbound / stateful inbound
  • Port 443 (TCP) outbound / stateful inbound

These are the required ports for WatchGuard APs to communicate with WatchGuard Wi-Fi Cloud at these domains:




Use the current network NAT solution.

Consider enabling NAT on the AP for small remote sites.

Traffic Shaping and QoS

Apply traffic shaping and QoS to traffic inbound from Internet.


Content Filtering

Use the current network content filter solution.

Consider content filtering on the AP for small remote sites.



Use the current network RADIUS solution.