Configure Device Settings

You can configure device-related settings such as AP scan modes, client steering parameters, and WIPS settings that are applied to your APs.

Device settings apply to all radios of an AP. Tri-radio APs use two radios for 2.4 and 5 GHz Wi-Fi communications, and the third radio is a dedicated WIPS sensor. Dual-radio APs can operate as a Wi-Fi access point or dedicated WIPS sensor.

Device settings applied to APs in a location are automatically inherited by location subfolders. You can customize the device settings of a subfolder location so that they are different from the inherited settings, or you can use AP Groups to apply device settings to APs in separate location folders.

You configure the settings on two tabs:

Device Settings

To configure device settings in Discover:

  1. Open Discover.
  2. Open the Navigator, and select a location where to apply device settings.
  3. Select Configure > WiFi.
  4. Select Device Settings.

Screen shot of the Device Settings configuration in Discover

  1. Configure the device settings for your deployment:

    2. Select this check box to configure dual-radio Wi-Fi access points in the selected folder as dedicated WIPS sensors. These APs no longer broadcast Wi-Fi and are dedicated to WIPS security scanning.

    Select the scanning mode for APs. For more information, see AP Scan Modes.

    VoIP-aware Scanning (default)

    Only supported on 802.11ac Wave 2 APs. VoIP-aware scanning optimizes high priority traffic during background scanning to prevent disruption to voice and video traffic. Make sure that SSIDs added to this radio have the Application Visibility option enabled for traffic detection.

    The AP performs a quick scan of channels for a duration of 30 ms instead of a full scan. If a voice or video application is in progress, after every 10 seconds on the service channel to serve Wi-Fi clients, the radio switches to a single off-service channel for 30 ms.

    If you enable this option on Wave 1 APs (AP120, AP320, AP322), background scanning is disabled because VoIP-aware Scanning is not supported.

    Background Scanning

    Background scanning enables a radio to provide Wi-Fi access service and scans off-service channels intermittently. If you want to enable WIPS security features with background scanning, you must also enable the Wireless Security Features option in the Background Scan settings. Wireless Security Features are enabled by default. You can configure the scan times. By default, the scan duration is 100 ms and the access duration is 10 ms. For tri-radio devices, background scanning is disabled by default because one of the radios is always in WIPS mode.

    Wi-Fi Scan Duration is the duration, in milliseconds, for which the AP scans a background channel when background scanning is enabled. The scan duration alternates with the AP interval. Connected clients remain connected to the AP for the scan duration.

    Wi-Fi Access Duration is the duration, in seconds, after which the AP scans a background channel when background scanning is enabled. Background scanning does not occur during this duration, and the AP interval alternates with the scan duration.

    No Scanning

    AP radios do not perform scanning.

    Enables you to share client visibility information among neighboring APs for improved steering. Enable this feature only for high-density multi-AP deployments. Sync Period is the time interval in seconds for broadcasting periodic sync messages. You can specify an interval from 10 to 60 seconds. The default is 10. Background scanning must be enabled on all AP radios, except for devices with a third scanning radio.

    Bluetooth Low Energy (BLE) is only supported by specific AP models, and is used for proximity-based services on compatible mobile devices.

    • UUID — Identifies the beacon for the selected location. The default value of the UUID is a predefined random string at the Root location. You can keep this value or generate a new value.
    • Major — A number that identifies a subset of beacons within a large group.
    • Minor — A number that identifies a specific beacon for the device.
    • Advertising Interval — The periodic interval at which beacons are transmitted. The UUID and Major values are defined at a location in your location hierarchy. For subfolder locations, you can copy the values of these parameters from the parent locations.

    You can enable a VLAN extension on an available LAN interface on your AP. When you enable a VLAN Extension, it takes precedence over the Wired Extension configuration in the SSID Network settings.

    Select the VLAN Extension check box to enable VLAN Extension. Select the LAN interface, then specify the VLAN ID for the LAN interface.

    You can select a VLAN ID from 0 to 4094. 0 indicates an untagged VLAN. You can map a LAN port to only one VLAN ID. The same VLAN ID can be mapped to more than one LAN port.

    Link aggregation enables both Ethernet ports of the AP to logically merge into a single link for higher aggregate bandwidth. You must connect the AP to a compatible switch with link aggregation enabled. Both links should use CAT6 Ethernet cabling.

    The Link Aggregation option is only supported on 802.11ac Wave 2 APs.

    To define the transmit hash policy, you can select from these options:

    • Layer 2 (MAC)
    • Layer 3+4 (IP+Port)
    • Layer 2+3 (MAC+IP)

    If you enable link aggregation for the device, the Enable Wired Extension option in the SSID profile is ignored and the wired extension is not enabled.

    You can manage the password for your APs. You can manage the password for a group of APs instead of for each AP separately. The password must be at least six characters long and cannot contain spaces or your login ID.

    Type the IP address or the host name of the primary or secondary Network Time Protocol (NTP) server with which an AP can synchronize the time. The default primary NTP server is the NIST (National Institute of Standards and Technology) NTP server, time.nist.gov.

    You can send AP access logs to a syslog server.

    These log messages are sent to a syslog server:

    • Login success and failure
    • VLAN configuration
    • Server discovery
    • Client association and disassociation

    SSH access for an AP can only be used in conjunction with WatchGuard Technical Support for troubleshooting purposes.

    • To show a display banner when a user logs in to an AP through SSH, select Show SSH Banner.
    • You can configure the SSH Idle Timeout (in minutes) after which an SSH connection automatically logs out.

    When you enable support for IPv4/IPv6 dual stack, an AP can operate on both IPv4 and IPv6 addresses simultaneously. When you disable support for IPv4/IPv6 dual stack networks, the AP to which you apply the device settings can operate on IPv4 networks only.

    You can restrict SSH access to APs from specific IP addresses. You must provide at least one IP address and wildcard mask. You can provide a maximum of 20 entries. SSH access to the communication IP of the AP is enabled only from the IP addresses that match the IP address and wildcard mask you configure.

    SSH access for an AP can only be used in conjunction with WatchGuard Technical Support for troubleshooting purposes.

    The Disable LEDs option enables you to hide any visible LED activity on 802.11ac Wave 2 APs for security reasons. (Not supported on AP120, AP320, and AP322). The device settings are applied to all APs in the selected location and subfolder locations that inherit the device settings. This option cannot be configured for individual APs.

    You can send visibility analytics data directly from the AP to a third-party analytics server. You can then use this raw data for custom applications and reports for your wireless network.

    Visibility analytics contain this data:

    • Client MAC address
    • Location of the client
    • Best received signal strength indication (RSSI)
    • MAC address of the sensor reporting best RSSI
    • Client session duration
    • Activity stop time (GMT)
    • Activity stop time per the local time zone of the user
    • Local time zone

    The Send Interval option in the Third Party Analytics Integration configuration defines how often RSSI data is sent to your server. For example, if you want to capture RSSI values for live client location tracking, you can set the interval to as low as every 10 seconds.

    The visibility analytics data can be sent as a CSV file or a JSON file. To authenticate to the external server to send the file, you can provide either an authorization key or a username and password combination.

Security Settings

To configure Security Settings in Discover:

  1. Open Discover.
  2. Select Configure > WiFi.
  3. Select Device Settings.
  4. Click the Security tab.

  1. Configure the device security settings for your deployment:

    2. VLAN monitoring is essential for the wired-side connection status, host name detection, smart device detection, and rogue AP detection.

    SSID VLAN Monitoring

    SSID VLAN Monitoring is enabled by default. An AP monitors the VLAN it uses to communicate with Wi-Fi Cloud and any SSID VLANs. Additionally, user-defined VLANs can be monitored with the Monitor Additional VLANs option. An AP can monitor up to 16 VLANs. You can disable SSID VLAN Monitoring if you do not want the AP to monitor VLANs corresponding to the SSIDs defined on the AP. This optimizes the use of IP addresses by not creating an automatic bridge interface for every VLAN on an SSID to reduce traffic on wireless networks (for example, the guest network).

    Auto VLAN Monitoring

    You can enable Auto VLAN Monitoring to automatically monitor the VLANs added by an SSID or your own user-configured VLANs. Auto VLAN Monitoring is useful in deployments where VLANs change or where you do not want to add VLANs explicitly.

    Monitor Additional VLANs

    To manually specify the additional VLANs to monitor as a comma-separated list, select the Monitor Additional VLANs check box. The VLAN used by the device to communicate with the server is always monitored and does not have to be specified. The VLANs to be monitored must be configured on the switch port where the device is connected and must be DHCP enabled. The VLAN ID 0 indicates an untagged VLAN on the switch port where the device is connected, irrespective of the actual VLAN number on the switch.

    Offline mode

    The Offline Mode feature provides basic security coverage when there is no connectivity between an AP acting as a WIPS sensor and Wi-Fi Cloud. The AP can provide some device classification and prevention capabilities when it is disconnected from Cloud services. The AP also generates and stores events, and sends the events to Wi-Fi Cloud when the AP reconnects. Specify the amount of time (1-60 minutes, default 15) after the AP detects a loss of connectivity before the AP switches to offline mode.

    Select the channels for the AP to monitor and defend from the list of available channels. These channels change based on your country of operation. WatchGuard recommends that you use the default settings unless you want to monitor and defend on specific channels based on a manual channel plan for your deployment.

  1. Click Save.