Access Point Airspace Monitoring

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)

You can enable Airspace Monitoring on your access points to scan your network for these types of malicious access points:

Rogue Access Point

A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.

  • The rogue access point might have been connected by an unauthorized user. Your wireless clients might connect to these rogue access points instead of your authorized managed access points and communicate vulnerable data.
  • The rogue access point might be a device connected to the network by someone inside your organization without consent, or it could be a device set up for testing. These access points are security risks to your network if they are misconfigured or do not have required security features enabled.
  • The device might be a legitimate access point on your network that is not configured in your Trusted Access Point list.

Suspected Rogue Access Point

A Suspected Rogue access point might be an unauthorized access point physically connected to your wired network, or it also might be a legitimate access point.

  • A Suspected Rogue access point might be an unauthorized access point connected to your wired network that broadcasts SSIDs your clients might connect to instead of your legitimate access point SSIDs.
  • The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.

Evil Twin Access Point

An Evil Twin is a nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.

  • The Evil Twin might have been set up near your network by an unauthorized user.
  • Wireless clients might connect to the Evil Twin access point instead of your legitimate managed access points and communicate vulnerable data.
  • The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.

The ability to scan for Evil Twin access points requires an AP330 or AP430CR that have a dedicated scanning radio.

Airspace Monitoring Reports and Alerts

You can view a summary of detected malicious access point threats in the Airspace Monitoring report. For more information, go to Access Point Airspace Monitoring Report.

When WatchGuard Cloud detects a malicious access point, you can generate an alert notification so that you can take action to investigate, identify, and remove the threat. For more information on how to create an alert notification for Airspace Monitoring events, go to Airspace Monitoring Alerts.

Airspace Monitoring and ThreatSync

You can integrate Airspace Monitoring alerts with ThreatSync. ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard devices and products. You can receive alerts within ThreatSync when Airspace Monitoring detects malicious access points such as Rogue and Evil Twin access points. For more information, go to About ThreatSync.

ThreatSync currently only detects and reports on wireless threats. ThreatSync does not remediate wireless threat incidents to prevent connections to the malicious access point or disconnect wireless clients that have already associated to a malicious access point.

Before you Begin

Airspace Monitoring requires:

  • A WatchGuard USP Wi-Fi Management license
  • Access point firmware v2.0 or higher on all access points
  • AP330 or AP430CR with a scanning radio is required for Evil Twin detection. All other Wi-Fi in WatchGuard Cloud access point models can only detect Rogue and Suspected Rogue access points physically connected to the network. For larger deployments, we recommend you have at least one access point with a scanning radio for every 3 to 5 access points.
  • NTP (Network Time Protocol) server configured for your access points. NTP is required for accurate scanning and detection. The default servers configured for access points are: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org. We recommend you specify an internal NTP server if available on your network, or a reliable, regional NTP server.

Make sure you upgrade all WatchGuard access points on your network to firmware v2.0 or higher before you enable Airspace Monitoring. This ensures that all managed access points on your network are correctly identified and able to participate in security scanning.

How Airspace Monitoring Works

Airspace Monitoring uses WatchGuard's patented identification technology to scan your wired network and your wireless airspace for malicious access points such as Rogue, Suspected Rogue, and Evil Twin access points.

WatchGuard access points can only detect malicious access points on the same network to which they are connected. They cannot detect malicious access points on other networks/VLANs.

Rogue Access Point Detection

A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.

Diagram of Rogue Access Point detection with Airspace Monitoring

All WatchGuard access point models managed by WatchGuard Cloud can detect Rogue and Suspected Rogue access points on your network.

  • WatchGuard access points scan the wired network for access points physically connected to the network, and also scan your wireless airspace for the SSIDs broadcast by these access points.
  • WatchGuard Cloud can correlate the MAC addresses of the detected wired and wireless interfaces to determine whether the access point is a Rogue access point.
  • If the correlation between the MAC addresses is uncertain, then the access point is classified as a Suspected Rogue access point which means it might be an unauthorized device that you must investigate. The access might also be a legitimate device that you have not added to your Trusted Access Points list.

Evil Twin Access Point Detection

An Evil Twin is a nearby access point operating in your airspace (not connected to your wired network) that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.

Diagram of Evil Twin Access Point detection with Airspace Monitoring

  • Only WatchGuard access points with a wireless scanning radio (AP330 and AP430CR) are able to detect Evil Twin access points that operate in your wireless airspace.
  • WatchGuard Cloud uses patented signature-based identification to determine whether an access point is an Evil Twin and not a known WatchGuard managed access point or trusted access point.
  • The device might also be a legitimate access point on your network that is not configured in your Trusted Access Point list.

Trusted Access Points

WatchGuard's patented identification technology makes sure that WatchGuard Cloud does not generate security alerts for trusted wireless devices.

These WatchGuard devices are automatically identified as trusted access points:

  • WatchGuard access points managed by WatchGuard Cloud
  • Wireless Fireboxes managed by WatchGuard Cloud

Managed access points and wireless Fireboxes must be in the same WatchGuard Cloud account.

You can add the MAC addresses of additional devices on your network that you consider as managed, trusted devices to the Trusted Access Points list.

For example, you can add the MAC addresses of known devices such as other WatchGuard products and third-party access points as trusted access points. For more information, go to Configure Trusted Access Points.

Configure Airspace Monitoring

To configure Airspace Monitoring for an access point:

  1. Select Configure > Devices.
  2. Select a cloud-managed access point.
  3. Select Device Configuration.
  4. In the Settings tile, select Advanced Settings.
  5. Enable Airspace Monitoring.
  6. Save the configuration.
  7. Deploy the configuration to your access point.

Screenshot of the access point Airspace Monitoring settings in WatchGuard Cloud

We recommend you configure Airspace Monitoring in an Access Point Site and apply the configuration to multiple access points. For more information, go to About Access Point Sites.

Configure Trusted Access Points

By default, all WatchGuard access points and wireless Fireboxes you manage from WatchGuard Cloud are considered trusted access points. WatchGuard's patented identification technology makes sure that WatchGuard Cloud does not generate security alerts for devices you manage in your WatchGuard Cloud account.

You can add the MAC addresses of additional access points connected to your network that you want classified as trusted access points, such as:

  • Wi-Fi 5 access points managed by WatchGuard Wi-Fi Cloud
  • Wi-Fi 5 access points managed by a Gateway Wireless Controller on a Firebox
  • Wireless Fireboxes not managed by WatchGuard Cloud
  • Third-party access points

Make sure you add both the wired Ethernet MAC address of the access point and any BSSID MAC addresses of wireless networks broadcast by the access point to prevent Rogue and Evil Twin access point alerts.

To add MAC addresses of trusted access points, click Add MAC Address. When you have finished, click Add to save the list of trusted access points.

To upload a list of multiple MAC addresses, click Import MAC Address List.

Screenshot of the Import MAC Address List dialog box

You can drag and drop a MAC address list into the box or select the MAC address list file.

The MAC address list file must be in comma-separated value format (CSV), with a MAC address and an optional description.

For example, to import addresses with a description:

00:aa:00:bb:00:c1, Description
00:aa:00:bb:00:c2, Description

To import addresses with no description:

00:aa:00:bb:00:c1
00:aa:00:bb:00:c2

To import addresses with and without descriptions:

00:aa:00:bb:00:c1, Description
00:aa:00:bb:00:c2
00:aa:00:bb:00:c3, Description
00:aa:00:bb:00:c4

When the imported file is analyzed, you can select the MAC addresses to import. Click Save to import the MAC addresses.

Screenshot of the Trusted Access Poiints import settings

Troubleshoot Airspace Monitoring

If you enable Airspace Monitoring, and you encounter false positive alerts for known access points that are detected as Rogue, Suspected Rogue, or an Evil Twin access point, examine the following:

  • Make sure all your access points are upgraded to firmware v2.0 or higher.
  • Make sure you enable Airspace Monitoring on all access points. We recommend you use Access Point Sites to apply the configuration to multiple access points.
  • Make sure that the configuration is correctly deployed to the access point. For more information, go to Access Point Deployment History.
  • Make sure all access points are configured to poll the same NTP server. The default is pool.ntp.org. Make sure that the connection to the NTP server is working. We recommend you use an internal NTP server if available on your network, or a reliable, regional NTP server.
  • Make sure devices that you do not manage in WatchGuard Cloud are configured in your Trusted Access Point list.

Related Topics

Access Point Airspace Monitoring Report

Airspace Monitoring Alerts

Configure Access Point Advanced Device Settings

About ThreatSync