1
Introduction to the WatchGuard AP Device
WatchGuard Training
2
WatchGuard AP100, AP102, and AP200
3
AP Device in an XTM Network
A WatchGuard AP device adds wireless access to any XTM device network. Connect an AP device directly to an XTM device interface or to a switch connected to the XTM device. Use the Gateway Wireless Controller on the XTM device to configure and manage connected AP devices.
[Diagram labels: Connect the AP device directly to an XTM device interface, OR connect the AP device to a switch on the trusted or optional network.]
4
AP100, AP102, and AP200 Wireless Access Points
AP100
- Single dual-band radio, 2.4 GHz / 5 GHz switchable
- 2x2:2 MIMO
- a/b/g/n
- Up to 300 Mbps
- 8 SSIDs
AP102
- Weather-proof design for outdoor installations
Power
- AC adapter
- 802.3af compliant PoE injector or switch
AP200
- Two single-band radios, 2.4 GHz and 5 GHz
- 2x2:2 MIMO
- a/b/g/n
- Up to 600 Mbps
- 8 SSIDs per radio
- Plenum rated
[Image labels: AP100 / AP200, AP102]
5
Requirements and Limitations
Requirements for an XTM device to manage an AP device:
- The XTM device must use Fireware XTM OS v and higher.
- The XTM device must be configured in mixed routing mode.
- The AP device must connect to a trusted or optional network. You can also deploy the AP device on a custom network zone (Fireware XTM OS v11.9 and higher), but to manage the AP device you must configure the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom network zone.
- The management connection from the XTM device to the AP device must use either no VLAN or an untagged VLAN.
- The XTM device configuration must include a policy that allows NTP traffic from the AP device to the Internet.
Limitations:
- You cannot use the Fireware XTM command line interface to manage WatchGuard AP devices.
- You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
The AP device uses an NTP server to set the correct local time.
6
AP Device Default Settings
The AP device automatically uses DHCP to request a dynamic IP address. If a DHCP server is not available, the AP device uses a default IP address.
- IP Address:
- Subnet Mask:
- Default Gateway:
The AP device has its own web UI. You can connect to the Access Point web UI at or at the DHCP IP address.
- Default password: wgwap
To deploy an AP device, you do not need to use the Access Point web UI unless you need to assign a static IP address to the AP device.
7
Deployment Planning
8
Deployment Planning
Before you add an AP device to your network, analyze your current environment and wireless requirements to determine:
- What wireless modes you need to support (802.11a/b/g/n)
- What SSIDs and networks you want to create for wireless clients to connect to
- The best physical location for the AP device
When you think about where to install your AP device, consider:
- Potential sources of wireless noise and interference
- Factors that affect wireless signals, such as building construction and materials
- Where your wireless clients are likely to be located
You can use a wireless site survey tool such as Ekahau HeatMapper to measure wireless signal strength for wireless clients at different locations.
- Measure before deployment as part of planning
- Measure after deployment to see the AP signal strength and range
After deployment, use the Gateway Wireless Controller Wireless Deployment Maps feature to display your AP device network, signal strength and range, and channel conflict information.
For more detailed information about deployment planning and site survey tools, see the WatchGuard AP Deployment Guide or WatchGuard System Manager Help.
9
Should You Enable VLAN Tagging?
When you enable VLAN tagging, you associate a VLAN ID with each SSID. VLAN tagging is not required, but there are several reasons you could want to enable VLAN tagging:
- You want to set different firewall policies for multiple SSIDs that connect to the same network. For example, you can create different SSIDs for different groups of users and then create different firewall policies for each SSID. In each policy, you use the VLAN ID associated with an SSID to make a policy apply to traffic for that SSID.
- You want to separate traffic on the same physical network to different logical networks.
- VLAN tagging enables you to separately examine traffic for wireless clients connected to each SSID. If you use a network analyzer, you can use VLAN tags to see the traffic for the VLAN ID associated with a specific SSID.
- If you want to set up your AP device with one SSID for the trusted network and another SSID for the optional network, you can use a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.
VLAN configuration is covered in detail in a later section of this training.
10
Deployment Steps
11
Deployment Overview
To deploy any AP device on your network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the XTM device.
4. Configure the SSIDs you want to use.
5. Configure the AP device settings.
If you enable VLAN tagging in the AP device SSIDs you must also:
- Create a tagged VLAN for each SSID.
- Create an untagged VLAN for management of the AP device.
This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.
12
Enable the Gateway Wireless Controller
To enable the Gateway Wireless Controller on the XTM device:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Type the passphrase you want to use for all your WatchGuard AP devices after they are paired to the XTM device.
4. Set the AP device location: click Settings, then select the location of your AP device from the list of countries. This location is used to help configure the wireless radio.
5. Save the configuration to the XTM device.
You can set the AP device location later, but it is a good idea to do it before you connect your AP device. This is to make sure that the AP device uses a supported radio channel for the region where it is located.
13
Connect the AP Device
Connect the AP device directly to an XTM device interface, or to a switch connected to the XTM device.
If you want to connect the AP device directly to an XTM device interface, configure the XTM device interface:
- Set the Interface Type.
- Enable the DHCP Server.
- Configure a pool of IP addresses the XTM device will assign to the AP device and to wireless clients.
If you connect the AP device to a switch:
- The AP device gets an IP address from a DHCP server.
- If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.
These instructions apply if you do not use VLAN tagging. If you want to use VLAN tagging, set up your VLANs first, because you must connect the AP device to a VLAN interface. This is described later in this presentation.
14
Pair the AP Device
When you first connect the AP device, it is an unpaired Access Point. The power LED on the AP device alternates from green to red when the device is unpaired.
To pair the AP device to the XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the XTM device IP address and configuration passphrase.
The XTM device sends a local discovery broadcast on the trusted and optional networks over UDP port 2529 every 30 seconds. Unpaired AP devices send a response to the XTM device. You might need to click Refresh more than once to discover an AP device that you just connected.
15
Pair the AP Device
Unpaired AP devices appear in the Unpaired Access Points list.
To pair an AP device to the XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. Default AP passphrase is wgwap.
3. The Edit Access Point dialog box opens automatically. Edit the Access Point settings.
Access Point configuration is covered in the next section of this training.
16
Pair the AP Device
After you pair the AP device, the AP device is added to the Access Points list. When the AP device is paired, the power LED on the device will be green.
Because Policy Manager is an offline configuration tool, pairing is not complete until you save the configuration to the XTM device.
The first time you save the configuration to the XTM device after pairing:
- The XTM device uses the pairing passphrase to connect to the AP device and update the configuration.
- The AP device restarts with the updated configuration.
- The XTM device tries to activate the AP device.
  - The AP device is activated in the WatchGuard account where the XTM device was activated.
  - If automatic activation fails, the XTM device periodically tries again.
  - Activation status of the AP device does not affect AP device functionality.
AP device activation starts the LiveSecurity subscription for the AP device, which includes the AP device advance replacement hardware warranty. If your AP device has not been activated automatically, you can use the AP device serial number to activate the AP device in your WatchGuard account just as you would activate an XTM device.
17
Configuration
18
Configuration
In the Gateway Wireless Controller, you can configure:
- AP devices
- SSIDs
- Gateway Wireless Controller settings
19
Configure the AP Device
To configure AP devices, in Policy Manager, select the Network > Gateway Wireless Controller > Access Points tab. You can add, edit or remove AP devices.
- Add — manually add an AP device that has not been paired
- Edit — edit an AP device configuration
- Remove — remove the AP device
  - Removes the AP device from the XTM device configuration
  - Resets the AP device to factory default settings
20
Configure the AP Device
When you pair an AP device, the Edit Access Point dialog box opens automatically. You can also select a configured AP device and click Edit.
Configure AP device settings:
- Change the AP device Name.
- Configure Network Settings (DHCP or Static IP address). If you select Static, you must configure a static IP address.
- Enable logging to a syslog server.
- Configure radio settings.
21
Configure the AP Device Radio Settings
- For an AP100, you can configure the radio Band to use. AP100 has one radio that can use either the 2.4 GHz or 5 GHz band.
- AP200 has two radios. Radio 1 always uses the 2.4 GHz band, and Radio 2 always uses the 5 GHz band.
- For each radio, configure the Wireless Mode. The 2.4 GHz band supports B, G, and N. The 5 GHz band supports A and N.
- For each radio, select the configured SSIDs to use (up to 8 per radio). You can also assign the AP device radio to an SSID when you create the SSID.
[Screenshot caption: Radio Settings for an AP200]
22
Configure SSIDs
The SSID is the network name that wireless clients see when they connect.
- You can assign multiple SSIDs to a single AP device radio.
- You can assign the same SSID to multiple AP device radios.
To add an SSID, in the SSIDs tab, click Add.
- Specify the Network Name (SSID)
- Configure Settings
  - Enable or disable SSID broadcast
  - Enable station isolation
  - Enable MAC Access Control
  - Enable VLAN tagging
- Add AP device radios as SSID members
You configure the MAC Access Control lists in the Gateway Wireless Controller settings.
23
Configure SSID Settings
- SSID broadcast: Enable SSID broadcast to allow wireless clients to see the SSID as an available wireless network.
- Station isolation: Enable station isolation to prevent direct traffic between wireless clients that connect to the same SSID on the same radio.
- MAC Access Control: Enable MAC Access Control to use one of the MAC Access Control lists configured in the Gateway Wireless Controller settings:
  - Denied MAC Addresses — MAC address blacklist
  - Allowed MAC Addresses — MAC address whitelist
- Enable VLAN tagging: Select the configured VLAN ID to use for traffic on the SSID.
- Add configured AP device radios as members of the SSID.
VLAN tagging is covered in more detail later in this presentation.
24
Configure the SSID Security Mode
To configure the SSID security mode, click the Security tab. AP devices support these security modes:
- Disabled — no security/open system
- WPA/WPA2 (PSK) — pre-shared key
- WPA/WPA2 Enterprise — RADIUS
To use Enterprise authentication, you must configure a RADIUS server.
25
Configure Gateway Wireless Controller Settings
Gateway Wireless Controller has settings that apply to all paired AP devices. Select Network > Gateway Wireless Controller, and click Settings.
- Update the WatchGuard AP Passphrase that is used by all AP devices after they are paired.
- Enable or disable automatic firmware updates when new firmware is available on the XTM device. Default is enabled.
- Set the syslog server for all AP devices. All AP devices send log messages to this syslog server unless you specify a different syslog server in the AP device configuration.
- Select the location of the AP devices. This enables the AP device to automatically select a radio channel allowed in your region.
Firmware updates for AP devices are delivered to the XTM device in the sysa-dl file as part of an XTM device OS update.
26
Configure the MAC Access Control List
In the MAC Access Control tab, add MAC addresses of wireless clients to the Denied MAC Addresses or Allowed MAC Addresses list. In each SSID, enable MAC Access Control and select which MAC Access Control list to use.
27
VLAN Configuration
28
VLAN Configuration Overview
If you want to enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an XTM device interface. Enable VLANs before you connect and pair the AP device.
The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device VLAN interface to pass tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.
29
VLAN Configuration Options
- Connect the AP device directly to a VLAN interface on the XTM device.
- Connect the AP device to the XTM device VLAN interface through a VLAN switch. Configure the same VLANs on the switch interfaces as you configured on the XTM device.
[Diagram labels: Connect the AP device directly to an XTM device VLAN interface, OR connect the AP device to a VLAN switch.]
30
VLAN Configuration Example
Example: You want to add two SSIDs to allow wireless connections to two different networks through the same AP device.
- SSID Name: Trusted-W, for trusted wireless access
- SSID Name: Guest-W, for guest wireless access
Create three VLANs, one for each SSID and one for AP management.
1. Select Network > Configuration > VLAN.
2. Add three VLANs, with DHCP enabled. For example:
   - Trusted-VLAN (VLAN ID 10) — to use with SSID Trusted-W
   - Optional-VLAN (VLAN ID 20) — to use with SSID Guest-W
   - AP-Mgmt-VLAN — to use for management connections to the AP device
31
VLAN Configuration Example — VLAN Details
[Screenshot labels: VLAN ID 30, VLAN ID 20, VLAN ID 10]
32
VLAN Configuration Example — VLAN Interface
Configure a VLAN interface on the XTM device.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select the interface you want to connect the AP device to, and click Configure.
3. Set the Interface Type to VLAN, and configure it to:
   - Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
   - Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
4. Save the configuration to the XTM device to enable the VLAN interface.
5. Connect the AP device to the VLAN interface.
Any untagged traffic that goes through this interface is on VLAN 30. This includes all management traffic between the XTM device and the AP device.
33
VLAN Configuration Example — Configure SSIDs
Enable VLAN tagging in the two SSIDs. For this example:
- SSID Trusted-W uses VLAN ID 10
- SSID Guest-W uses VLAN ID 20
34
VLAN Configuration Example — Finish AP Device Setup
The rest of the AP device setup steps are the same as without VLAN tagging enabled.
1. Connect the AP device to the VLAN interface.
2. Use Policy Manager to discover and pair the AP device.
3. In the AP configuration, add the SSIDs you configured.
4. Save the configuration to the XTM device.
In the Unpaired Access Points list, notice that the IP address of the discovered AP device is an IP address in the DHCP address pool for VLAN 30, the management VLAN.
35
VLAN Configuration Example — Connecting to a Switch
The VLAN configuration on the XTM device is the same, whether you connect the AP device directly to the XTM device or to a VLAN switch. To connect the AP device to a switch, configure the same VLANs on the switch ports that connect to the AP device and the XTM device.
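The VLAN rules from this example (one tagged VLAN per SSID, one untagged management VLAN, DHCP on every VLAN) can be checked against a planned configuration before it is entered in Policy Manager. The Python below is an added example, not WatchGuard code: the Vlan and Ssid records, check_plan, and the sample passphrase are hypothetical names constructed for illustration; only the VLAN IDs, SSID names, the 8-SSID-per-radio limit and the default passphrase come from the training material.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_AP_PASSPHRASE = "wgwap"  # factory default given in the deck
MAX_SSIDS_PER_RADIO = 8          # per-radio SSID limit given in the deck

@dataclass
class Vlan:
    name: str
    vlan_id: int
    tagged: bool  # how the XTM VLAN interface sends/receives this VLAN
    dhcp: bool    # DHCP server or DHCP relay enabled for the VLAN

@dataclass
class Ssid:
    name: str
    vlan_id: Optional[int]  # None means VLAN tagging is off for this SSID

def check_plan(vlans, ssids, mgmt_vlan_id, radios, ap_passphrase):
    """Return a list of findings; an empty list means the plan follows the deck's rules."""
    findings = []
    by_id = {v.vlan_id: v for v in vlans}

    # Management connections must use an untagged VLAN.
    mgmt = by_id.get(mgmt_vlan_id)
    if mgmt is None:
        findings.append(f"management VLAN {mgmt_vlan_id} is not defined")
    elif mgmt.tagged:
        findings.append(f"management VLAN {mgmt_vlan_id} must be untagged")

    for v in vlans:
        if not v.dhcp:
            findings.append(f"VLAN {v.vlan_id} ({v.name}) has no DHCP server or relay")

    # Each tagged SSID needs its own tagged VLAN, separate from management.
    used = {}
    for s in ssids:
        if s.vlan_id is None:
            continue
        v = by_id.get(s.vlan_id)
        if v is None:
            findings.append(f"SSID {s.name} uses undefined VLAN {s.vlan_id}")
        elif s.vlan_id == mgmt_vlan_id:
            findings.append(f"SSID {s.name} is mapped to the management VLAN {s.vlan_id}")
        elif not v.tagged:
            findings.append(f"SSID {s.name} VLAN {s.vlan_id} must be tagged on the interface")
        if s.vlan_id in used:
            findings.append(f"SSIDs {used[s.vlan_id]} and {s.name} share VLAN {s.vlan_id}")
        used.setdefault(s.vlan_id, s.name)

    known = {s.name for s in ssids}
    for radio, names in radios.items():
        if len(names) > MAX_SSIDS_PER_RADIO:
            findings.append(f"{radio} carries {len(names)} SSIDs (limit {MAX_SSIDS_PER_RADIO})")
        for n in names:
            if n not in known:
                findings.append(f"{radio} references unknown SSID {n}")

    if ap_passphrase == DEFAULT_AP_PASSPHRASE:
        findings.append("AP passphrase is still the factory default")
    return findings

# The deck's example: VLANs 10 and 20 tagged for the SSIDs, VLAN 30 untagged for management.
DECK_VLANS = [Vlan("Trusted-VLAN", 10, True, True),
              Vlan("Optional-VLAN", 20, True, True),
              Vlan("AP-Mgmt-VLAN", 30, False, True)]
DECK_SSIDS = [Ssid("Trusted-W", 10), Ssid("Guest-W", 20)]
DECK_RADIOS = {"AP200 Radio 1": ["Trusted-W", "Guest-W"]}

def deck_example():
    return check_plan(DECK_VLANS, DECK_SSIDS, 30, DECK_RADIOS, "constructed-passphrase-1")

def broken_example():
    # Constructed misconfiguration: guest SSID on the management VLAN, default passphrase.
    ssids = [Ssid("Trusted-W", 10), Ssid("Guest-W", 30)]
    return check_plan(DECK_VLANS, ssids, 30, DECK_RADIOS, "wgwap")

if __name__ == "__main__":
    print(deck_example())
    for finding in broken_example():
        print("FINDING:", finding)
```

The constructed broken plan shows the case worth catching early: a guest SSID that lands on VLAN 30 puts guest clients on the same network as the management traffic between the XTM device and the AP device.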
36
Other VLAN Configuration Options
The flexibility of the VLAN configuration and routing on your XTM device, managed switch, and AP device enables you to deploy the AP device with VLANs in many other network configurations:
- Separate XTM interfaces for each VLAN on the switch
- VLAN segmentation with Branch Office VPN
- VLAN segmentation for separate gateways
You can also use a VLAN without VLAN tagging enabled in the SSID to implement station isolation for an SSID shared by multiple AP devices.
For more information and a configuration example, see the WatchGuard System Manager Help or Fireware XTM Web UI Help.
37
Monitoring
38
Monitor AP Devices and Wireless Clients
Monitor AP devices and connected wireless clients in:
- Firebox System Manager on the Gateway Wireless Controller tab.
  - Select the Access Points tab to monitor paired AP devices.
  - Select the Wireless Clients tab to monitor connected wireless clients.
- Fireware XTM Web UI on the System Status > Gateway Wireless Controller page.
  - Select the Access Points tab to monitor paired AP devices.
  - Select the Wireless Maps tab to view wireless maps of AP devices and other nearby wireless devices.
39
Monitor AP Devices
For each AP device, the Access Points tab shows:
- AP name
- AP device status
- SSIDs
- IP address
- Radio band and channel
- Firmware version
- AP model
- Activation status
- Uptime
40
Monitor AP Devices
On the Access Points tab, after you select an AP device, you can select one of these options:
- Reboot — Reboot the AP device. You can also reboot by pressing the physical reset button on the AP device briefly (less than 5 seconds). To reset the AP device to factory-default settings, press and hold the reset button for five seconds or longer.
- Restart Wireless — Restart the wireless interfaces. (You can use this to auto-select a new wireless channel without rebooting the AP device.)
- Flash Power LEDs — Flash the power LED on a specific AP device to help with identification. This utility is useful if you use the Disable LEDs option to operate your AP device in stealth mode to hide the use of wireless activity.
- Upgrade — Upgrade the firmware on the selected AP device.
- Site Survey — Start a scan from the AP device to detect other wireless access points.
- Log Messages — See log messages on the AP device.
- Network Statistics — See the network statistics for the AP device:
  - Interface Statistics (names, MAC and/or IP addresses, and traffic counters)
  - Routing Table
  - ARP Table
41
AP Device Status — Online
After you deploy an AP device, check the device status. If the XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.
42
AP Device Status — Offline
If the XTM device cannot contact the AP device, the device status is Offline. When an AP device reboots, the status is Offline during the reboot.
43
AP Device Status — Passphrase Mismatch
If the Pairing Passphrase on the XTM device does not match the passphrase on the AP device, AP device status is Passphrase mismatch. To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device. The default AP device passphrase is wgwap.
44
Monitoring — Connected Wireless Clients
Select the Wireless Clients tab to see a list of connected wireless clients. For each wireless client you can see:
- Client MAC Address
- SSID, AP, and radio the client is connected to
- Amount of data the client has sent and received through the AP device
- How long it has been since the client has sent or received data through the AP device
45
Gateway Wireless Controller — Maps
In Fireware XTM Web UI, use the Maps tab on the Dashboard > Gateway Wireless Controller page to help you visualize your wireless environment, determine where to place your AP devices, and how to best configure them for your network environment.
Two views:
- Wireless Coverage Map — Shows the location of your Access Point devices in relation to one another.
- Channel Conflict Map — Shows the location of your Access Point devices and any other wireless devices in the vicinity and shows the channel and bandwidth details for each device.
Select which radio bands to show on the maps:
- 2.4 GHz
- 5 GHz
Select which SSIDs to show on the maps.
Enable the Sticky Access Points option to anchor the AP devices to a place on the map.
46
Gateway Wireless Controller — Maps
47
Wireless Hotspot
48
Enable a Wireless Hotspot / Captive Portal
You can configure your WatchGuard AP device SSID as a wireless hotspot. With hotspot functionality enabled, when wireless clients connect to your SSID and try to browse to a web site, the hotspot welcome page appears. Users must accept the terms and conditions before they can browse the web through your AP device.
49
Enable a Hotspot / Captive Portal
1. In Policy Manager select Setup > Authentication > Hotspot.
2. Enable the hotspot for the VLAN or physical interface your AP device uses:
   - If you use VLANs, select the VLAN interface for the SSID.
   - If you do not use VLANs and the AP device is directly connected to an XTM device interface, select the XTM device interface your AP device is connected to.
3. Configure the settings for your hotspot welcome page.
For more information about hotspot configuration, see the Fireware XTM WatchGuard System Manager help.
50
Monitor Hotspot Connections
To see the list of connected hotspot clients in Firebox System Manager:
1. Select the Authentication List tab.
2. Click Hotspot Clients.
The connected hotspot clients also appear as connected wireless clients in the Firebox System Manager Gateway Wireless Controller tab.
51
Documentation and Resources
Product Documentation
- WatchGuard AP — You can view and download the most current documentation for the WatchGuard AP device on the WatchGuard AP Product Documentation page at
- WatchGuard XTM — For detailed information about WatchGuard AP pairing, management, and configuration with your XTM device, see the Wireless AP Device Setup section of the Fireware XTM Web UI or WSM Help at
Knowledge Base
- You can view and search the knowledge base for information on specific WatchGuard product issues at
WatchGuard User Forum
- An interactive online user forum moderated by senior support engineers. Go to the WatchGuard forum at
52
Thank You!