Configure WatchGuard AP SSIDs

Before you can assign an SSID to a WatchGuard AP, you must add the SSID to the Gateway Wireless Controller.

Each radio on a WatchGuard AP supports up to eight SSIDs.

You can also enable VLAN tagging on each SSID. If you enable VLAN tagging, the SSID uses the VLAN ID you specify to connect to a VLAN that is configured on the network between your AP and Firebox. For more information about when and how to use VLAN tagging with your AP, see Configure VLANs for WatchGuard APs.

Add an SSID

Configure SSID Settings

Configure the SSID settings on the Settings tab:

  • Network Name (SSID) — Type the SSID name. This is the name of the wireless network that appears to clients.
  • Broadcast SSID — Enable APs to broadcast the SSID name. Clear the Broadcast SSID check box if you want to hide the SSID name.
  • Enable client isolation — Prevents wireless clients connected to this SSID from sending traffic to each other through the AP. For more information, see About AP Client Isolation.
  • Limit number of associations — (Fireware v12.3 and higher) Limit the number of clients that can associate to this SSID. Select the Maximum number of associations from the selection box. This option is not supported on legacy APs (AP100, AP102, AP200, AP300).
  • Use the MAC Access Control list defined in the Gateway Wireless Controller Settings — Use a list of Denied or Allowed MAC addresses to control access from wireless clients. For more information, see Configure MAC Access Control.
  • Enable VLAN tagging — Use tagged VLANs to separate traffic between multiple SSIDs. If you enable VLAN tagging, in the VLAN ID text box, type or select the ID of the tagged VLAN to use for this SSID.

If you enable VLAN tagging and try to configure an SSID to use a VLAN ID that is not configured on the Firebox, a warning message appears with the information that the VLAN ID you configured in the SSID settings does not exist. Make sure you configure a tagged VLAN for this SSID. In most network configurations, you create the tagged VLAN for each SSID, and one untagged VLAN for management connections to the AP.

  • Automatically deploy this SSID to all unpaired WatchGuard APs — Enable this SSID for use with automatic deployment to configure this SSID for newly deployed APs. For more information, see About AP Automatic Deployment.
  • Mitigate WPA/WPA2 key reinstallation vulnerability in clients — Mitigate KRACK WPA/WPA2 vulnerabilities in vulnerable wireless clients.

This option blocks handshake messages that can potentially exploit clients and forces clients to re-authenticate. This re-authentication typically does not require the user to re-enter credentials, but it might add a few seconds to the connection time of the client. This option is disabled by default. This mitigation logic can trigger for other similar dropped packet symptoms, for example, natural frame errors during a handshake or dropped packets when a client roams from one AP to another or roams beyond the range of the current AP connection. This can cause some client authentication connections to fail and be re-established. WatchGuard recommends that you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities, and evaluate the impact to your client environment and user experience.

This option is not supported on legacy APs (AP100, AP102, AP200, AP300).

  • Enable telecommuter mode on this SSID when used remotely — (Fireware v12.0.2 or lower) Enable this SSID for use in telecommuter mode when deployed in a remote location. The telecommuter option is only supported by legacy APs (AP100, AP102, AP200, AP300) in Fireware v12.0.2 and lower. For more information, see About AP Remote VPN Deployment.
  • Min. Association RSSI — Configure the minimum signal strength required for a client to associate with an AP.

The RSSI (Received Signal Strength Indicator) is used as a threshold to determine if clients can associate to an AP. The value is expressed in dBm (decibel milliwatts). For example, the default value is -70 dBm. The closer the value is to 0, the stronger the signal. For more information on signal strength, see Wireless Signal Strength and Noise Levels.

You can configure the Steering RSSI Threshold in the settings for an AP. For more information, see Configure AP Settings.

  • Smart Steering — Proactively steer clients to an AP with a stronger signal than their current AP.

This prevents clients from staying connected to their current AP when the signal degrades as the client roams. You must enable Min. Association RSSI before you can enable Smart Steering. You can configure advanced parameters for Smart Steering in the settings for an AP. For more information, see Configure AP Settings.

  • Band Steering — Help distribute wireless clients between the 2.4 GHz and 5 GHz bands for an SSID.

When an SSID is configured in both the 2.4 GHz and 5 GHz bands, clients can be steered towards the less congested 5 GHz band to balance the load on the AP. Clients are steered to the 5 GHz band if the client's signal strength in 5 GHz is higher than the Band Steering RSSI (default is -75 dBm). Clients with weak signal strength cannot operate effectively in the 5 GHz band and should not be steered even if they are capable of operating in 5 GHz.

Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5 GHz band.

Disable Band Steering if clients experience connection problems when Smart Steering is also enabled at the same time. Clients steered to the 5 GHz band might experience a drop in RSSI that can cause a disconnection because of the RSSI threshold.

  • Global SSID Traffic Shaping — Specify traffic shaping upload and download bandwidth limits for this SSID.

For example, you can use this feature to restrict downloads for users connected to your Guest SSID so they do not slow down the rest of the network, or apply limits to all users across your entire wireless network. The values you define depend on the bandwidth available on your Internet connection, the number of concurrent clients, the type and size of traffic, and whether your users require audio/video streaming or other high-bandwidth applications.

You can configure limits for the entire SSID, or per user.

  • Restrict download bandwidth on the SSID to — Type a limit in Kbps. For example, to limit downloads to 2 Mbps, type 2000. Type 0 for unlimited.
  • Restrict upload bandwidth on the SSID to — Type a limit in Kbps. For example, to limit uploads to 1 Mbps, type 1000. Type 0 for unlimited.
  • Restrict user bandwidth download to — Type a limit in Kbps. For example, to limit downloads to 2 Mbps, type 2000. Type 0 for unlimited.
  • Restrict user bandwidth upload to — Type a limit in Kbps. For example, to limit uploads to 1 Mbps, type 1000. Type 0 for unlimited.

Legacy APs (AP100, AP102, AP200, AP300) only support download restrictions.

  • Enable an activation schedule — Activate this SSID for a specific time period. This limits access to this SSID based on the times you configure. For example, you might want to limit wireless guest access to only during business hours. Set the Start time and End time in 24-hour format (hh:mm).

SSIDs that are not active in the schedule do not appear in the Gateway Wireless Controller monitoring pages in Fireware Web UI or Firebox System Manager.

  • Enable rogue access point detection — Scan your wireless network for access points that do not belong to your network.

A rogue access point is any wireless access point within range of your network that is not recognized as an authorized access point. When you enable rogue access point detection, the Gateway Wireless Controller scans wireless channels to identify unknown wireless access points. For more information, see Enable Rogue Access Point Detection with the Gateway Wireless Controller.

Use the Wireless Deployment Maps feature of the Gateway Access Controller to view any external BSSIDs (Broadcast SSIDs) and potential rogue access points. For more information, see View Wireless Deployment Maps.

You can configure exceptions to the rogue access points list so that the Firebox does not identify a known access point (identified by MAC address) as a rogue access point. Click Add to add a MAC address of a known access point. Click Remove to remove a device from the list.

The Rogue Access Point Detection feature for the Gateway Wireless Controller and managed WatchGuard APs is different than the Rogue Access Point Detection feature designed for Firebox wireless devices with built-in wireless capabilities.

For information about the differences between Firebox wireless devices and WatchGuard APs, see WatchGuard Wireless Solutions. For information about Rogue Access Point Detection for Firebox wireless devices, see Rogue Access Point Detection.
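Several of the SSID settings above depend on each other or on the AP model. The following added example (not WatchGuard code) checks a planned SSID definition against the constraints stated on this page before you enter it in the Gateway Wireless Controller. The dictionary keys, the function name `lint_ssid`, and the model name `AP-other` are hypothetical and do not correspond to any WatchGuard export format.

```python
# Added example: lint a planned SSID definition against the constraints
# stated on this page. The dict keys are hypothetical, not a WatchGuard format.
LEGACY_APS = {"AP100", "AP102", "AP200", "AP300"}

def lint_ssid(ssid, firebox_vlans, ap_models):
    """Return a list of findings for one planned SSID definition."""
    findings = []
    legacy = sorted(LEGACY_APS & set(ap_models))

    # VLAN tagging must reference a tagged VLAN that exists on the Firebox.
    if ssid.get("vlan_tagging") and ssid.get("vlan_id") not in firebox_vlans:
        findings.append(f"VLAN ID {ssid.get('vlan_id')} is not configured on the Firebox")

    # Smart Steering depends on Min. Association RSSI.
    if ssid.get("smart_steering") and not ssid.get("min_assoc_rssi_enabled"):
        findings.append("Smart Steering requires Min. Association RSSI")

    # Both steering features together can disconnect clients on 5 GHz.
    if ssid.get("smart_steering") and ssid.get("band_steering"):
        findings.append("Band Steering with Smart Steering: watch for disconnections")

    # Settings that legacy APs do not support (a limit of 0 means unlimited).
    if legacy:
        models = ", ".join(legacy)
        if ssid.get("krack_mitigation"):
            findings.append(f"KRACK mitigation not supported on {models}")
        if ssid.get("max_associations"):
            findings.append(f"Association limit not supported on {models}")
        if ssid.get("ssid_upload_kbps") or ssid.get("user_upload_kbps"):
            findings.append(f"Upload limits not supported on {models}")

    # Telecommuter mode is only supported by legacy APs.
    if ssid.get("telecommuter_mode") and not legacy:
        findings.append("Telecommuter mode is only supported by legacy APs")
    return findings

# Constructed sample: a guest SSID planned for one legacy AP and one other AP.
GUEST = {
    "name": "Guest", "vlan_tagging": True, "vlan_id": 30,
    "smart_steering": True, "min_assoc_rssi_enabled": False,
    "band_steering": True, "krack_mitigation": True,
    "ssid_upload_kbps": 1000, "ssid_download_kbps": 2000,
}

if __name__ == "__main__":
    # "AP-other" is a placeholder for any non-legacy model.
    for finding in lint_ssid(GUEST, firebox_vlans={10, 20}, ap_models=["AP100", "AP-other"]):
        print("WARN:", finding)
```
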

Add AP Radios

When you add an SSID, you can assign the SSID to one or more AP radios.

To assign an SSID to an AP radio:

  1. From the SSID configuration, select the Access Points tab.
  2. In the Access Points with this SSID list, add the AP radios to use with this SSID.

You can also assign SSIDs to an AP radio when you edit the AP radio settings. For more information, see Configure AP Radio Settings.

Configure Security Settings

To configure the wireless security settings for the SSID:

  1. Select the Security tab.
  2. From the Security Mode drop-down list, select the security protocol to use for this SSID.
  3. Complete the settings to configure the selected security protocol.

For more information, see Configure SSID Security Settings.

See Also

Configure Gateway Wireless Controller Settings