Introduction to the Deployment Guide

This guide provides best practices for network design, deployment, and configuration of enterprise wireless environments with WatchGuard Wi-Fi Cloud.

This guide includes these topics:

This guide is intended for use by engineers with a background in wireless technology and for those involved with design, installation, and optimization of WatchGuard wireless networks.


The WatchGuard AP family of wireless access points provide secure, reliable, wireless communications while delivering high performance and broad coverage to meet the needs of enterprise-level customers, small businesses, branch offices, campuses, and hotels.

Internal antennas, slim cases, minimalist labeling, and small LEDs, coupled with wall and ceiling mount options and Power over Ethernet (PoE) make these devices ideal for low profile deployment scenarios.

Current AP Models

List of the current AP models offered by WatchGuard

Legacy AP Models

Legacy AP Models AP120
Use Cases
Low-density Medium-High Density High performance
rugged outdoor
Radios and
2x2 MIMO
Wave 1
3x3 MIMO
Wave 1
3x3:3 MIMO
Wave 1
Deployment Indoor Indoor Outdoor
Number of Antennas 4 internal 6 internal 6 internal
Maximum TX Power 20 dBm 20 dBm 20 dBm
Maximum Data Rate
(5 GHz / 2.4 GHz)
867 Mbps /
300 Mbps
1.3 Gbps /
450 Mbps
1.3 Gbps /
450 Mbps
Ports 2x GbE 2x GbE 2x GbE
Power 802.3af (PoE) 802.3af (PoE) 802.3at (PoE+)

WatchGuard AP Management

There are two ways you can manage WatchGuard APs:

WatchGuard Firebox Gateway Wireless Controller

This management solution provides local management, configuration, security, and monitoring of APs directly from your WatchGuard Firebox with the Gateway Wireless Controller.

WatchGuard Wi-Fi Cloud

WatchGuard Wi-Fi Cloud provides a powerful cloud-based enterprise wireless management solution for AP configuration, security, and monitoring. When managed by our WatchGuard Wi-Fi Cloud, WatchGuard APs deliver fast, reliable wireless access and provide industry-leading wireless security, guest engagement, and analytic tools. The solution has also been designed from the ground-up to focus on ease of deployment and administration, to simplify the most complex aspects of Wi-Fi management, and to make fast, secure, and intelligent Wi-Fi accessible to organizations of all types and sizes.

In this guide, we use the powerful features available in WatchGuard Wi-Fi Cloud for the examples and use cases.

WatchGuard Wi-Fi Subscriptions

WatchGuard offers three types of wireless security subscriptions for WatchGuard APs:

  • Basic Wi-Fi — Use the Gateway Wireless Controller on a WatchGuard Firebox to configure, manage, and monitor WatchGuard APs directly from the Firebox.
  • Secure Wi-Fi — Use WatchGuard Wi-Fi Cloud for WatchGuard AP management, security, and monitoring.
  • Total Wi-Fi — Use WatchGuard Wi-Fi Cloud for WatchGuard AP management, security, and monitoring. With Total Wi-Fi, you also get access to additional tools for guest user engagement, analytics, social media integration, captive portals, and splash page design. You can also create a Trusted Wireless Environment for your users.

Diagram of WatchGuard Wi-Fi Solutions

WatchGuard Wi-Fi Cloud Architecture

With WatchGuard Wi-Fi Cloud, all services, such as Wi-Fi, WIPS, monitoring, troubleshooting, and guest management, are integrated into a single cloud platform. This provides a cost-effective, easy to manage, highly scalable, secure and reliable cloud Wi-Fi solution.

Diagram of Wi-Fi Cloud Architecture

The Wi-Fi Cloud solution is built on a controller-less architecture and only encrypted management traffic is sent to the cloud. Customer data traffic is never sent to the cloud.

Diagram of the Wi-Fi Cloud Architecture

WatchGuard APs are cloud-managed, but provide full functionality even when Internet access is unavailable. For example, when a WatchGuard AP reboots without access to the Internet, the AP uses a locally stored configuration to operate.

Because WatchGuard APs operate without a controller, these features and functionality are performed at the AP level:

  • QoS (Quality of service) and traffic shaping
  • RF management
  • Bonjour gateway
  • Application visibility
  • WIPS (Wireless Intrusion Prevention System)
  • Compliance
  • SSID scheduling

Cloud-based Management with WatchGuard Discover

WatchGuard Wi-Fi Cloud and WatchGuard APs eliminate the cost and complexity of traditional controller-based enterprise wireless network solutions, to simplify deployment. This makes it an ideal solution for organizations with a limited IT staff, distributed sites, and a tight IT budget.

The WatchGuard Discover interface is designed for cloud applications. The interface is lightweight and can be used on any Web browser, OS, or device, including Android devices, iPads, and other tablets. Dashboards and widgets optimize the information display according to their needs and screen sizes.

The unique hierarchical location-based policy management architecture simplifies management of multiple locations from a single UI. You can define role-based administration, Wi-Fi configurations, WIPS policies, and perform monitoring and troubleshooting in a logical context to specific locations.

Screen shot of the Discover Dashboard

Trusted Wireless Environment with WIPS

A Trusted Wireless Environment is a framework used to build a complete Wi-Fi network that is fast, easy to manage, and most importantly, secure. A Trusted Wireless Environment is based on these three core concepts:

  1. Market-Leading Performance: You should never be forced to compromise security to achieve adequate performance to support your environment with the speed, connections and density that it requires.
  2. Scalable Management: With easy set-up and management, you should be able control your entire wireless network, big or small, from a single interface and execute key processes to safeguard the environment and its users.
  3. Verified Comprehensive Security: You should be able to prove that your security solution defends your business against Wi-Fi attacks and can deliver on the following benefits:
  • Provide automatic protection from the six known Wi-Fi threat categories:
    • Rogue access point
    • Rogue client
    • Neighbor access point
    • Ad-hoc connection
    • Evil Twin access point
    • Misconfigured access point
  • Allow legitimate external access points to operate in the same airspace
  • Prevent user connections to unsanctioned Wi-Fi access points

For more information, see Trusted Wireless Environment on the WatchGuard web site.

For detailed information on how to configure Wi-Fi Cloud WIPS to meet the requirements of a Trusted Wireless Environment, see Create a Trusted Wireless Environment with WIPS.

You can test your own wireless network security measures to see if they are able to detect and prevent the six known threats identified by the Trusted Wireless Environment. For more information, see the Trusted Wireless Environment Test Guide.

Create a Trusted Wireless Environment with WIPS

WIPS (Wireless Intrusion Prevention System) is a best-in-class wireless security architecture based on several patents. The system provides comprehensive protection from wireless threats, such as rogue APs, ad-hoc networks, client mis-associations, honeypots and evil twin APs, DoS attacks, and BYOD (Bring Your Own Device) risks including mobile hotspots.

With WIPS, it is easy to quickly create a Trusted Wireless Environment and automatically protect your Wi-Fi network against the six common Wi-Fi threat categories. WIPS is a collection of features that run on WatchGuard APs and Wi-Fi Cloud.

Diagram of WatchGuard APs protected by a WatchGuard WIPS Sensor

You can use WatchGuard APs for both Wi-Fi access and WIPS security protection, or you can use APs as dedicated WIPS security sensors that you can deploy alongside other WatchGuard APs or third-party APs and Wi-Fi controllers.

Diagram of third-party APs protected by WatchGuard WIPS sensors

WatchGuard Analyze

WatchGuard Analyze provides enhanced guest management features to enable guest Wi-Fi access with social media, SMS, Guest Book, and Web Form plug-ins. Social media authentication gives guest Wi-Fi users the option to share their public profile information for social engagement.

Diagram of social media interaction with Wi-Fi Cloud

Scalable, Multi-Tenant, Elastic Cloud Architecture

Powered by a mature, elastic cloud technology in development since 2008, Wi-Fi Cloud can scale to any number of locations. Built-in multi-tenancy enables account information, configurations and data to be completely segmented for different customers.

The data centers offer 99.9% up-time with local and WAN-based high availability and disaster recovery.

WatchGuard APs are managed from the cloud over a secure AES-encrypted tunnel. APs are capable of standalone operation and provide uninterrupted service with full functionality even if the AP loses connectivity to Wi-Fi Cloud.

Zero Touch Deployment

WatchGuard APs can automatically discover and connect to W-Fi Cloud as soon as they are powered up and receive Internet access. This simplifies deployment, especially at remote sites without IT staff. When APs are configured in Wi-Fi Cloud for a location, the policies and configurations assigned to that location are automatically pushed to the device to immediately deploy the AP when it connects to the Internet.

Diagram of the Wi-Fi Cloud archtecture

Regulatory Compliance Reports

WatchGuard Wi-Fi Cloud enables organizations to meet wireless security requirements defined by their respective regulatory compliance standards. The audit process is simplified with predefined HIPAA and PCI compliance reports that map wireless vulnerabilities and threats to specific requirements. From WatchGuard Discover, you can generate reports across many locations. You can generate reports on-demand or schedule reports for automatic generation, and they can be archived or delivered by email.

Screen shot of compliance reports in Discover