Device Settings

In a Device Template, device settings are categorized into these sections:

VLAN Monitoring

VLAN monitoring is essential for the wired-side connection status, host name detection, smart device detection, and rogue AP detection.

SSID VLAN Monitoring

SSID VLAN Monitoring is enabled by default. An AP monitors the VLAN it uses to communicate with Wi-Fi Cloud and any SSID VLANs. Additionally, user defined VLANs can be monitored with the Monitor Additional VLANs option. An AP can monitor up to 16 VLANs.

You can disable SSID VLAN Monitoring if you do not want the AP to monitor the VLANs that correspond to the SSIDs defined on the AP. This conserves IP addresses, because the AP no longer creates an automatic bridge interface for every SSID VLAN, and it reduces traffic on wireless networks (for example, the guest network).

Auto VLAN Monitoring

You can enable Auto VLAN Monitoring to automatically monitor the VLANs added by an SSID or your own user-configured VLANs. Auto VLAN Monitoring is useful in deployments where VLANs change or where you do not want to add VLANs explicitly.

Monitor Additional VLANs

Select the Monitor Additional VLANs check box to manually specify the additional VLANs to monitor as a comma-separated list. The VLAN used by the device to communicate with the server is always monitored and does not have to be specified. The VLANs to be monitored must be configured on the switch port where the device is connected and must be DHCP enabled. The VLAN ID 0 indicates an untagged VLAN on the switch port where the device is connected, irrespective of the actual VLAN number on the switch.

If you want to customize the VLANs to be monitored for one or more specific devices to which a device template is applied, you can do so in Devices > Device Properties. To override the additionally monitored VLANs, you must select the Allow Device Specific Customization check box.

Assign a Static IP Address to an AP

You can use device specific customization and the VLAN monitoring feature to set a static IP address for your AP.

For more information, see How to set a static IP address for an AP in WatchGuard Wi-Fi Cloud.

Device Password

You can manage the password for the device from the device template. By defining a password in the device template, you can manage the password for a group of devices without having to change it on each device separately. The password should be at least 6 characters long and it cannot contain spaces or your login ID.

You must specify the new password for the config user. Confirm the new password before saving. The new password is applied on all the devices associated with the device template.

Device Access Logs

You can send AP access logs to a syslog server. This is useful for audit purposes and can be enabled or disabled for a device template.

  1. To send the AP logs to a syslog server, select the Enable logging check box.
  2. In the Syslog server IP/Hostname text box, type the IP address or hostname of your syslog server.

These log messages are sent to a syslog server:

  • Login success and failure
  • VLAN configuration
  • Server discovery
  • Client association and disassociation

Login Success

Jul 11 13:58:52 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:02:04 dropbear[1591]: Login attempt from ::ffff:192.168.122.55:56291

Jul 11 13:59:13 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:02:25 dropbear[1591]: Login successful for 'config' from ::ffff:192.168.122.55:56291 r 192.168.53.66, hostname wifi-security-server, real server 192.168.53.66, protocol UDP, proxied 0

Login Failure

Jul 11 14:00:51 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:04:03 dropbear[978]: Login failed for 'config' from ::ffff:192.168.122.55:56365 directory

VLAN Configuration

Jul 11 14:03:19 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:06:30 config: Successfully added VLAN [3]: BOOTPROTO [Static], IPADDR [1.1.1.1], NETMASK [255.255.255.0], GATEWAY [1.1.1.2], TYPE [Ethernet], IPV6ADDR [], IPV6_PREFIX_LEN [], IPV6_DEFAULTGW []

Server Discovery

Jul 11 14:04:58 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:08:10 config: Set: Primary Server IP/Hostname = [redirector.online.spectraguard.net] r 192.168.53.66, hostname wifi-security-server, real server 192.168.53.66, protocol UDP, proxied 0

Client Association and Disassociation

May 26 15:21:58 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E Dissociation received. Status[8]: Reserved ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:21:58 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E left. ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:22:29 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: Authentication request received from STA 5C:F9:38:A1:EF:5E for ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:22:29 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E authenticated. ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:22:29 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: Association request received from STA 5C:F9:38:A1:EF:5E for ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:22:29 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E associated. ssid="syslog_test" bssid=00:11:74:41:D3:C1

May 26 15:22:59 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E connected to ssid="syslog_test" bssid=00:11:74:41:D3:C1 has received ip 192.168.62.39
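The following is an added example, not part of the WatchGuard documentation, that parses AP access log lines in the formats shown above into structured events, counts SSH login failures per source address, and pulls out VLAN and primary-server configuration changes for review. The sample lines are constructed from the formats above, and the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the formats shown above; the failed-login line is
# repeated with a second port so that the per-source counter has something to count.
SAMPLE_LOGS = """\
Jul 11 13:58:52 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:02:04 dropbear[1591]: Login attempt from ::ffff:192.168.122.55:56291
Jul 11 13:59:13 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:02:25 dropbear[1591]: Login successful for 'config' from ::ffff:192.168.122.55:56291
Jul 11 14:00:51 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:04:03 dropbear[978]: Login failed for 'config' from ::ffff:192.168.122.55:56365
Jul 11 14:01:02 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:04:14 dropbear[981]: Login failed for 'config' from ::ffff:192.168.122.55:56371
Jul 11 14:03:19 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:06:30 config: Successfully added VLAN [3]: BOOTPROTO [Static], IPADDR [1.1.1.1], NETMASK [255.255.255.0], GATEWAY [1.1.1.2], TYPE [Ethernet], IPV6ADDR [], IPV6_PREFIX_LEN [], IPV6_DEFAULTGW []
Jul 11 14:04:58 192.168.53.4 <00:11:74:E0:23:3F><133>Jan 1 00:08:10 config: Set: Primary Server IP/Hostname = [redirector.online.spectraguard.net]
May 26 15:22:29 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: Authentication request received from STA 5C:F9:38:A1:EF:5E for ssid="syslog_test" bssid=00:11:74:41:D3:C1
May 26 15:22:59 192.168.62.45 <00:11:74:41:D3:CF>wl_event_handler: ath1: STA 5C:F9:38:A1:EF:5E connected to ssid="syslog_test" bssid=00:11:74:41:D3:C1 has received ip 192.168.62.39
""".splitlines()

# Envelope added by the syslog server: its timestamp, the AP's IP, the AP's MAC in <>,
# an optional <PRI> value, then the AP's own message text.
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<ap_ip>\S+) "
                    r"<(?P<ap_mac>[0-9A-Fa-f:]{17})>(?:<\d+>)?(?P<msg>.*)$")

# One pattern per message category from the list above; the first match wins.
PATTERNS = [
    ("login_success", re.compile(r"Login successful for '(?P<user>[^']+)' from ::ffff:(?P<src>[\d.]+):\d+")),
    ("login_failure", re.compile(r"Login failed for '(?P<user>[^']+)' from ::ffff:(?P<src>[\d.]+):\d+")),
    ("login_attempt", re.compile(r"Login attempt from ::ffff:(?P<src>[\d.]+):\d+")),
    ("vlan_config", re.compile(r"config: Successfully added VLAN \[(?P<vlan>\d+)\]")),
    ("server_discovery", re.compile(r"config: Set: Primary Server IP/Hostname = \[(?P<server>[^\]]*)\]")),
    ("client_event", re.compile(r"wl_event_handler: (?P<iface>\S+): (?P<what>.*\bSTA (?P<sta>[0-9A-Fa-f:]{17}).*)")),
]

def parse_line(line):
    """Return a dict for one AP syslog line, or None if the line is not in the AP format."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "ap_ip": m["ap_ip"], "ap_mac": m["ap_mac"], "kind": "other"}
    for kind, pat in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    return event

def parse_logs(lines):
    return [e for e in (parse_line(line) for line in lines) if e]

def failed_logins_by_source(events):
    """SSH login failures per (AP IP, source IP); a burst from one source is worth an alert."""
    return Counter((e["ap_ip"], e["src"]) for e in events if e["kind"] == "login_failure")

def config_changes(events):
    """VLAN additions and primary server changes, which should only occur during planned work."""
    return [e for e in events if e["kind"] in ("vlan_config", "server_discovery")]
```

Run `parse_logs(SAMPLE_LOGS)` and feed the result to the two reporting functions; in practice the lines would come from the syslog server's file for the AP's IP.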

NTP Configuration

When you configure a device template, you can enter the IP address or the host name of the primary or secondary NTP server with which a device can synchronize the time.

NTP synchronization happens over the communication VLAN of the device. Make sure that incoming UDP port 123 is open on the firewall for the communication VLAN.

The default primary NTP server is the NIST (National Institute of Standards and Technology) NTP server, time.nist.gov. The NIST NTP server is a server cluster maintained by the US federal government, connected to high-precision atomic clocks, and available worldwide.

The device synchronizes time with the secondary NTP server, if specified, when the primary NTP server is unavailable or inaccessible.

To specify the NTP server details:

  1. Expand the NTP Configuration section.
  2. In the NTP Server IP/Hostname text box, specify the IP address or the host name of the primary NTP server.
  3. In the Secondary NTP Server IP/Hostname, specify the IP address or the host name of the secondary NTP server.
  4. Click Save.

Offline Configuration

The Offline Configuration feature provides some basic security coverage when there is no connectivity between an AP acting as a WIPS sensor and Wi-Fi Cloud. The AP will be able to provide some device classification and prevention capabilities when it is disconnected from Cloud services. The AP also generates and stores events, and sends the events to Wi-Fi Cloud when the AP reconnects.

Select Enable offline mode to enable offline services. You can specify the time (1-60 minutes, default 15), for the AP to switch to offline mode after the AP detects a loss of connectivity with Wi-Fi Cloud.

  • Managed Device Parameters — Specify these options:
      • Number of APs to be stored — Maximum number of AP identities that the AP will store in offline mode (default is 128).
      • Number of Clients to be stored — Maximum number of client identities that the AP will store in offline mode (default is 256).
      • Number of events to be stored — Maximum number of generated events that the AP will buffer in the offline mode (default is 256). This is maintained as a cyclic buffer. If the events generated exceed this limit, the oldest events are overwritten. The buffered events are transferred when the AP reconnects to Wi-Fi Cloud.
      • Number of intrusion prevention records — Maximum number of prevention records that the AP will buffer in Offline mode (default is 256). This is maintained as a cyclic buffer. If the records exceed this limit, the oldest records are overwritten. The buffered records are transferred when the AP reconnects to Wi-Fi Cloud.
  • Device Classification Policy — Specify how the WIPS sensor should classify APs when the sensor is not connected to Wi-Fi Cloud.
      • To classify networked APs as Rogue APs, select the Move networked APs to check box and select the Rogue option from the drop-down list.
      • To classify networked APs as Authorized APs, select the Move networked APs to check box and select the Authorized option from the drop-down list.
      • To classify non-networked APs as external APs, select the Move non-networked APs to the External Folder check box.
  • Client Classification Policy — Specify how the AP should classify clients when the AP is not connected to Wi-Fi Cloud. You can enable these options:
      • On association with an Authorized AP, classify an Uncategorized client as Authorized
      • On association with a Rogue AP, classify an Uncategorized client as Unauthorized
      • On association with an External AP, classify an Uncategorized client as Unauthorized
  • Intrusion Prevention Policy — Specify the threats that intrusion prevention will take action against when the WIPS sensor is not connected to Wi-Fi Cloud.
      • Rogue APs
      • Uncategorized APs that are connected to the network
      • APs categorized as Authorized but using no security mechanism (Open)
      • APs categorized as Authorized but using weak security mechanism (WEP)
      • Authorized client connections to APs categorized as External
      • Unauthorized client connections to APs categorized as Authorized
      • Uncategorized client connections to APs categorized as Authorized
      • Authorized clients participating in any ad hoc network
      • Honeypot/Evil Twin APs

Third-Party Analytics Integration

This feature enables you to send visibility analytics data directly from the AP to a third-party analytics server. You can then use this raw data for custom applications and reports for your wireless network.

Visibility analytics contain this data:

  • Client MAC address
  • Location of the client
  • Best received signal strength indication (RSSI)
  • MAC address of the sensor reporting best RSSI
  • Client session duration
  • Activity stop time (GMT)
  • Activity stop time per the local time zone of the user
  • Local Time Zone

The Send Interval option in the Third Party Analytics Integration configuration defines how often RSSI data is sent to your server. For example, if you want to capture RSSI values for live client location tracking, you can set the interval to as low as every 10 seconds.

The visibility analytics data can be sent either as a CSV file or as a JSON file. You can provide either an authorization key or a username and password combination to authenticate to the external server to send the file.

To enable integration with a third-party external server:

  1. Select Configuration > Device Configuration > Device Templates.
  2. Select an existing Device Template or create a new Device Template.
  3. Expand the Device Settings section.
  4. Expand the Third Party Analytics Integration section.

Screen shot of the Third-Party Analytics Integration page in a Device Template

  5. Select the Enable check box.
  6. Select CSV or JSON as the Visibility Analytics Format.
  7. In the Server URL text box, type the third-party external server URL or IP address.
  8. Specify the Send Interval at which the device should send visibility analytics to the third-party external server. The interval can be set from 10 to 3600 seconds. The default is 600 seconds (10 minutes). Set to lower values (for example, 10 seconds) if you want to send more recent data to the third-party server.
  9. Select Authorization Key or Username and Password as the method to authenticate with the external server.
  10. Type the authorization key or the user name and password combination based on the option selected as the external server authentication method.
  11. Click Save.

Network Settings

You can enable or disable the support for IPv4/IPv6 dual stack network from the Network Settings section. When you enable support for IPv4/IPv6 dual stack network, an AP is able to operate on both IPv4 and IPv6 addresses simultaneously. When you disable support for IPv4/IPv6 dual stack network, the AP, to which the device template is applied, can operate on IPv4 networks only.

The Enable IPv4/IPv6 dual stack check box in Network Settings is enabled by default.

Disable Support for IPv4/IPv6 Dual Stack Network

You can disable support for IPv6 addresses when you want to apply the device template to APs deployed on an IPv4 network.

Do not disable support for IPv4/IPv6 dual stack networks when the AP has been deployed in an IPv6 only network.

To disable IPv6 support, do the following.

  1. Deselect the Enable IPv4/IPv6 dual stack check box in the Device Settings > Network Settings section for a device template.
  2. Click Save.

Enable SSH IP Whitelisting

You can restrict SSH access to APs from specific IP addresses. You must provide at least one IP address and wildcard mask. You can provide a maximum of 20 entries. SSH access to the communication IP of the AP is enabled only from the IP addresses that match the IP address and wildcard mask you configure.

SSH access for an AP can only be used in conjunction with WatchGuard Technical Support for troubleshooting purposes.

The wildcard mask is a mask of bits that help identify the parts of the IP address that must match and the parts that can be ignored. The binary equivalent of the IP address and wildcard mask is used for examining the bits that must match. The wildcard mask acts as an inverted subnet mask so that the zero bits in the mask indicate that the corresponding bit position in the IP addresses must match. For example, if the IP address is 10.10.0.0 and the mask is 0.0.0.255, then IP addresses 10.10.0.0 through 10.10.0.255 will match. If the mask is 0.0.1.255, then the IP addresses 10.10.0.0 through 10.10.0.255 and 10.10.1.0 through 10.10.1.255 will match.

To add an IP address and wildcard mask for SSH whitelisting:

  1. Select Enable SSH IP Whitelisting.
  2. In the IP Address field, type an IPv4 IP address. For example: 10.10.0.0.
  3. In the Wildcard Mask field, type a corresponding wildcard mask. For example: 0.0.0.255.
  4. Click Add.
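As an added example (not WatchGuard's code), the wildcard-mask matching described above implemented in Python, with a helper that lists the address ranges one entry admits, including masks whose 1 bits are not contiguous (which goes beyond the page's 0.0.0.255 and 0.0.1.255 cases), and an audit that enforces the 20-entry limit and flags entries admitting more addresses than a chosen threshold. The function names and the 256-host threshold are the example's own assumptions.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address, wildcard_mask, candidate):
    """True if candidate agrees with address on every bit that is 0 in the wildcard mask.
    1 bits in the mask are 'don't care' bits: the inverse of a subnet mask."""
    differing = _u32(address) ^ _u32(candidate)
    must_match = ~_u32(wildcard_mask) & 0xFFFFFFFF
    return (differing & must_match) == 0

def matching_ranges(address, wildcard_mask, limit=64):
    """Contiguous address ranges admitted by one entry, as (first, last) strings.
    A mask whose 1 bits are not all at the low end (e.g. 0.0.2.255) admits several ranges."""
    a, w = _u32(address), _u32(wildcard_mask)
    low = 0                                   # length of the run of 1 bits at the bottom of the mask
    while low < 32 and (w >> low) & 1:
        low += 1
    free = [b for b in range(low, 32) if (w >> b) & 1]   # further 'don't care' bits above that run
    if 2 ** len(free) > limit:
        raise ValueError("mask admits too many disjoint ranges to list")
    base = a & ~w & 0xFFFFFFFF                # fixed bits of the address, don't-care bits cleared
    ranges = []
    for combo in range(2 ** len(free)):       # every assignment of the free bits is one range
        start = base
        for i, bit in enumerate(free):
            if (combo >> i) & 1:
                start |= 1 << bit
        ranges.append((start, start | ((1 << low) - 1)))
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e))) for s, e in sorted(ranges)]

def audit_whitelist(entries, max_entries=20, max_hosts=256):
    """Enforce the 20-entry limit and return entries that admit more than max_hosts addresses.
    entries: list of (address, wildcard_mask); returns (address, mask, host_count) tuples.
    The 256-host threshold is an assumed policy value, not a product setting."""
    if len(entries) > max_entries:
        raise ValueError(f"at most {max_entries} SSH whitelist entries are allowed")
    broad = []
    for address, mask in entries:
        hosts = 2 ** bin(_u32(mask)).count("1")   # one address per combination of don't-care bits
        if hosts > max_hosts:
            broad.append((address, mask, hosts))
    return broad
```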

Disable LEDs

The Disable LEDs option enables you to hide any visible LED activity on 802.11ac Wave 2 APs for security reasons. (Not supported on AP120, AP320, and AP322). The device settings are applied to all APs in the selected location and subfolder locations that inherit the device settings. This option cannot be configured for individual APs.

Client RSSI Update Interval

You can configure how often the AP updates the detected RSSI of visible Wi-Fi clients to the Manage server. This RSSI tracking data is used by Wi-Fi Cloud for analytics and reports.

The accuracy of RSSI data is dependent on the amount of traffic sent by wireless clients and the number of sensors or background scanning APs in the area.

To configure the Client RSSI Update Interval:

  1. Select Configuration > Device Configuration > Device Templates.
  2. Select an existing Device Template or create a new Device Template.
  3. Expand the Device Settings section.
  4. Expand the Client RSSI Update Interval section.

Screen shot of the Client RSSI Update Interval settings in a Device Template

  5. Select the number of seconds for the RSSI Update Interval.
    You can set the RSSI Update Interval from 5 to 60 seconds. The default is 60 seconds.
  6. Click Save.

Channel Settings

Select the channels for the AP to monitor and defend from the list of available channels. These channels will change according to your country of operation. WatchGuard recommends you use the default settings unless you want to monitor and defend on specific channels according to a manual channel plan for your deployment.

Refer to this table for the channel number, protocol, and frequency.

Channel  Protocol  Frequency (GHz)    Channel  Protocol  Frequency (GHz)    Channel  Protocol  Frequency (GHz)
1        b/g/n     2.412              34       a/n/ac    5.17               128      a/n/ac    5.64
2        b/g/n     2.417              36       a/n/ac    5.18               132      a/n/ac    5.66
3        b/g/n     2.422              38       a/n/ac    5.19               136      a/n/ac    5.68
4        b/g/n     2.427              40       a/n/ac    5.2                140      a/n/ac    5.7
5        b/g/n     2.432              42       a/n/ac    5.21               149      a/n/ac    5.745
6        b/g/n     2.437              44       a/n/ac    5.22               152      a/n/ac    5.76
7        b/g/n     2.442              46       a/n/ac    5.23               153      a/n/ac    5.765
8        b/g/n     2.447              48       a/n/ac    5.24               157      a/n/ac    5.785
9        b/g/n     2.452              50       a/n/ac    5.25               160      a/n/ac    5.8
10       b/g/n     2.457              52       a/n/ac    5.26               161      a/n/ac    5.805
11       b/g/n     2.462              56       a/n/ac    5.28               165      a/n/ac    5.825
12       b/g/n     2.467              58       a/n/ac    5.29
13       b/g/n     2.472              60       a/n/ac    5.3
14       b/g/n     2.487              64       a/n/ac    5.32
184      a/n/ac    4.92               100      a/n/ac    5.5
188      a/n/ac    4.94               104      a/n/ac    5.52
192      a/n/ac    4.96               108      a/n/ac    5.54
196      a/n/ac    4.98               112      a/n/ac    5.56
208      a/n/ac    5.04               116      a/n/ac    5.58
212      a/n/ac    5.06               120      a/n/ac    5.6
216      a/n/ac    5.08               124      a/n/ac    5.62
