Introduction to the WatchGuard AP Device WatchGuard Training.
Introduction to the WatchGuard AP Device
WatchGuard Training
WatchGuard AP 100 and AP 200
AP Device in an XTM Network
A WatchGuard AP device adds wireless access to any XTM device network.
• Connect an AP device directly to an XTM device interface or to a switch on the trusted or optional network.
• Use the Gateway Wireless Controller on the XTM device to configure and manage connected AP devices.
[Diagram: connect the AP device directly to an XTM device interface, OR connect the AP device to a switch on the trusted or optional network.]
AP 100 and AP 200 Wireless Access Points
AP 100
• Single dual-band radio
• 2.4 GHz / 5 GHz switchable
• 2x2:2 MIMO 802.11 a/b/g/n
• Up to 300 Mbps
• 8 SSIDs
AP 200
• Two single-band radios
• 2.4 GHz and 5 GHz
• 2x2:2 MIMO 802.11 a/b/g/n
• Up to 600 Mbps
• 8 SSIDs per radio
• Plenum rated
Power
• AC Adapter
• 802.3af compliant PoE injector or switch
Requirements and Limitations
Requirements for an XTM device to manage an AP device:
• The XTM device must use Fireware XTM OS v11.7.2 or later.
• The XTM device must be configured in mixed routing mode.
• The AP device must connect to a trusted or optional network.
Limitations:
• You cannot use the Fireware XTM command line interface to manage WatchGuard AP devices.
• You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
AP Device Default Settings
The AP device automatically uses DHCP to request a dynamic IP address.
If a DHCP server is not available, the AP device uses a default IP address.
• IP Address: 192.168.1.1
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.1
The AP device has its own web UI.
• You can connect to the Access Point web UI at https://192.168.1.1, or at the DHCP IP address.
• Default password: wgwap
To deploy an AP device, you do not need to use the Access Point web UI unless you need to assign a static IP address to the AP device.
Deployment Planning
Before you add an AP device to your network, analyze your current environment and wireless requirements to determine:
• What wireless modes you need to support (802.11a/b/g/n)
• What SSIDs and networks you want to create for wireless clients to connect to
• The best physical location for the AP device
When you think about where to install your AP device, consider:
• Potential sources of wireless noise and interference
• Factors that affect wireless signals, such as building construction and materials
• Where your wireless clients are likely to be located
You can use a wireless site survey tool such as Ekahau HeatMapper to measure wireless signal strength for wireless clients at different locations.
• Measure before deployment as part of planning
• Measure after deployment to see the AP signal strength and range
Should You Enable VLAN Tagging?
When you enable VLAN tagging, you associate a VLAN ID with each SSID.
VLAN tagging is not required, but there are several reasons you could want to enable VLAN tagging:
• You want to set different firewall policies for multiple SSIDs that connect to the same network.
– For example, you can create different SSIDs for different groups of users and then create different firewall policies for each SSID. In each policy, you use the VLAN ID associated with an SSID to make a policy apply to traffic for that SSID.
• You want to separate traffic on the same physical network to different logical networks.
– VLAN tagging enables you to separately examine traffic for wireless clients connected to each SSID. If you use a network analyzer, you can use VLAN tags to see the traffic for the VLAN ID associated with a specific SSID.
• If you want to set up your AP device with one SSID for the trusted network and another SSID for the optional network, you can use a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.
VLAN configuration is covered in detail in a later section of this training.
Deployment Steps
Deployment Overview
To deploy any AP device on your network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the XTM device.
4. Configure the SSIDs you want to use.
5. Configure the AP device settings.
If you enable VLAN tagging in the AP device SSIDs you must also:
• Create a tagged VLAN for each SSID.
• Create an untagged VLAN for management of the AP device.
This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.
Enable the Gateway Wireless Controller
To enable the Gateway Wireless Controller on the XTM device:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Type the passphrase you want to use for all your WatchGuard AP devices after they are paired to the XTM device.
Set the AP device location:
1. Click Settings.
2. Select the location of your AP device from the list of countries. This location is used to help configure the wireless radio.
Save the configuration to the XTM device.
Connect the AP Device
Connect the AP device directly to an XTM device interface, or to a switch on the trusted or optional network.
If you want to connect the AP device directly to an XTM device interface, configure the XTM device interface:
• Set the Interface Type to Trusted or Optional.
• Enable the DHCP Server.
• Configure a pool of IP addresses the XTM device will assign to the AP device and to wireless clients.
If you connect the AP device to a switch:
• The AP device gets an IP address from a DHCP server.
• If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.
Pair the AP Device
When you first connect the AP device, it is an unpaired Access Point.
To pair the AP device to the XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the XTM device IP address and configuration passphrase.
The XTM device sends a local discovery broadcast on the trusted and optional networks over UDP port 2529 every 30 seconds.
Unpaired AP devices send a response to the XTM device.
Pair the AP Device
Unpaired AP devices appear in the Unpaired Access Points list.
To pair an AP device to the XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. The default AP passphrase is wgwap.
The Edit Access Point dialog box opens automatically.
3. Edit the Access Point settings. Access Point configuration is covered in the next section of this training.
Pair the AP Device
After you pair the AP device, the AP device is added to the Access Points list.
Because Policy Manager is an offline configuration tool, pairing is not complete until you save the configuration to the XTM device.
The first time you save the configuration to the XTM device after pairing:
• The XTM device uses the pairing passphrase to connect to the AP device and update the configuration.
• The AP device restarts with the updated configuration.
• The XTM device tries to activate the AP device.
The AP device is activated in the WatchGuard account where the XTM device was activated.
If automatic activation fails, the XTM device periodically tries again.
Activation status of the AP device does not affect AP device functionality.
Configuration
In the Gateway Wireless Controller, you can configure:
• AP devices
• SSIDs
• Gateway Wireless Controller settings
Configure the AP Device
To configure AP devices, in Policy Manager, select the Network > Gateway Wireless Controller > Access Points tab.
You can add, edit or remove AP devices.
• Add — manually add an AP device that has not been paired
• Edit — edit an AP device configuration
• Remove — remove the AP device
– Removes the AP device from the XTM device configuration
– Resets the AP device to factory default settings
Configure the AP Device
When you pair an AP device, the Edit Access Point dialog box opens automatically.
You can also select a configured AP device and click Edit.
Configure AP device settings.
• Change the AP device Name.
• Configure Network Settings (DHCP or Static IP address).
– If you select Static, you must configure a static IP address.
• Enable logging to a syslog server.
• Configure radio settings.
Configure the AP Device Radio Settings
For an AP 100, you can configure the radio Band to use.
• AP 100 has one radio that can use either the 2.4 GHz or 5 GHz band.
• AP 200 has two radios. Radio 1 always uses the 2.4 GHz band, and Radio 2 always uses the 5 GHz band.
For each radio, configure the Wireless Mode.
• The 2.4 GHz band supports 802.11 B, G, and N.
• The 5 GHz band supports 802.11 A and N.
For each radio, select the configured SSIDs to use (up to 8 per radio).
• You can also assign the AP device radio to an SSID when you create the SSID.
[Figure: Radio Settings for an AP 200]
Configure SSIDs
The SSID is the network name that wireless clients see when they connect.
• You can assign multiple SSIDs to a single AP device radio.
• You can assign the same SSID to multiple AP device radios.
To add an SSID, in the SSIDs tab, click Add.
• Specify the Network Name (SSID)
• Configure Settings
– Enable or disable SSID broadcast
– Enable MAC Access Control
– Enable VLAN tagging (Specify VLAN ID)
• Add configured AP device radios as members of the SSID
Configure the SSID Security Mode
To configure the SSID security mode, click the Security tab.
AP devices support these security modes:
• Disabled — no security/open system
• WPA/WPA2 (PSK) — pre-shared key
• WPA/WPA2 Enterprise — RADIUS
Configure Gateway Wireless Controller Settings
Gateway Wireless Controller has settings that apply to all paired AP devices.
Select Network > Gateway Wireless Controller, and click Settings.
• Update the WatchGuard AP Passphrase that is used by all AP devices after they are paired.
• Enable or disable automatic firmware updates when new firmware is available on the XTM device.
– Default is enabled.
• Set the syslog server for all AP devices.
– All AP devices send log messages to this syslog server unless you specify a different syslog server in the AP device configuration.
• Select the location of the AP devices.
– This enables the AP device to automatically select a radio channel allowed in your region.
Configure the MAC Access Control List
In the MAC Access Control tab, add the MAC addresses of wireless clients that you want to deny access to your AP device SSIDs.
For each SSID, you can decide whether to use the MAC Access Control list.
VLAN Configuration
VLAN Configuration Overview
If you want to enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an XTM device interface.
• Enable VLANs before you connect and pair the AP device.
• The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.
• VLANs must be in the trusted or optional security zone.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device VLAN interface to pass tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.
VLAN Configuration Options
VLAN Configuration
• Connect the AP device directly to a VLAN interface on the XTM device.
• Connect the AP device to the XTM device VLAN interface through a VLAN switch.
• Configure the same VLANs on the switch interfaces as you configured on the XTM device.
[Diagram: connect the AP device directly to an XTM device VLAN interface, OR connect the AP device to a VLAN switch.]
VLAN Configuration Example
Example: You want to add two SSIDs to allow wireless connections to two different networks through the same AP device.
• SSID Name: Trusted-W, for trusted wireless access
• SSID Name: Guest-W, for guest wireless access
Create three VLANs; one for each SSID and one for AP management.
• Select Network > Configuration > VLAN.
• Add three VLANs, with DHCP enabled. For example:
– Trusted-VLAN (VLAN ID 10) — to use with SSID Trusted-W
– Optional-VLAN (VLAN ID 20) — to use with SSID Guest-W
– AP-Mgmt-VLAN — to use for management connections to the AP device
VLAN Configuration Example — VLAN Details
[Figure: VLAN details for VLAN ID 30, VLAN ID 20, and VLAN ID 10]
VLAN Configuration Example — VLAN Interface
Configure a VLAN interface on the XTM device.
• In the Network Configuration dialog box, select the Interfaces tab.
• Select the interface you want to connect the AP device to, and click Configure.
• Set the Interface Type to VLAN, and configure it to:
– Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
– Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
• Save the configuration to the XTM device to enable the VLAN interface.
• Connect the AP device to the VLAN interface.
VLAN Configuration Example — Configure SSIDs
Enable VLAN tagging in the two SSIDs.
• For this example:
– SSID Trusted-W uses VLAN ID 10
– SSID Guest-W uses VLAN ID 20
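The VLAN rules from the overview and this example can be checked before deployment. The following is an added example, not part of the original training and not WatchGuard code. The dictionary layout, function names, radio label, and the zone given to VLAN 30 are assumptions, and the one-VLAN-per-SSID check is this example's reading of "Add one VLAN for each SSID".

```python
import copy

# Added example: hypothetical data layout, not a WatchGuard configuration format.
ALLOWED_ZONES = {"trusted", "optional"}
MAX_SSIDS_PER_RADIO = 8

def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    defined = {v["id"] for v in plan["vlans"]}
    for v in plan["vlans"]:
        if v["zone"] not in ALLOWED_ZONES:
            findings.append(f"VLAN {v['id']}: zone must be trusted or optional")
        if v["dhcp"] not in ("server", "relay"):
            findings.append(f"VLAN {v['id']}: enable DHCP server or DHCP relay")
    tagged, untagged = (set(plan["interface"][k]) for k in ("tagged", "untagged"))
    if len(untagged) != 1:
        findings.append("interface: exactly one untagged VLAN (AP management) expected")
    for vid in sorted((tagged | untagged) - defined):
        findings.append(f"interface: VLAN {vid} is not defined")
    owner, per_radio = {}, {}
    for ssid in plan["ssids"]:
        name, vid = ssid["name"], ssid["vlan_id"]
        if vid in owner:
            findings.append(f"SSID {name}: shares VLAN {vid} with {owner[vid]}")
        owner.setdefault(vid, name)
        if vid in untagged:
            findings.append(f"SSID {name}: VLAN {vid} is the untagged management VLAN")
        elif vid not in tagged:
            findings.append(f"SSID {name}: VLAN {vid} is not tagged on the interface")
        for radio in ssid["radios"]:
            per_radio[radio] = per_radio.get(radio, 0) + 1
    for radio, count in sorted(per_radio.items()):
        if count > MAX_SSIDS_PER_RADIO:
            findings.append(f"{radio}: {count} SSIDs exceeds {MAX_SSIDS_PER_RADIO}")
    return findings

# The page's example plan; the zone of VLAN 30 and the radio label are constructed.
PAGE_EXAMPLE = {
    "vlans": [
        {"id": 10, "name": "Trusted-VLAN", "zone": "trusted", "dhcp": "server"},
        {"id": 20, "name": "Optional-VLAN", "zone": "optional", "dhcp": "server"},
        {"id": 30, "name": "AP-Mgmt-VLAN", "zone": "trusted", "dhcp": "server"},
    ],
    "interface": {"tagged": [10, 20], "untagged": [30]},
    "ssids": [
        {"name": "Trusted-W", "vlan_id": 10, "radios": ["AP200-radio1"]},
        {"name": "Guest-W", "vlan_id": 20, "radios": ["AP200-radio1"]},
    ],
}

def misconfigured_example():
    """Constructed bad plan: guest SSID on the management VLAN, no DHCP on VLAN 20."""
    plan = copy.deepcopy(PAGE_EXAMPLE)
    plan["ssids"][1]["vlan_id"] = 30
    plan["vlans"][1]["dhcp"] = "off"
    return plan

if __name__ == "__main__":
    print(check_plan(PAGE_EXAMPLE), check_plan(misconfigured_example()))
```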
VLAN Configuration Example — Finish AP Device Setup
The rest of the AP device setup steps are the same as without VLAN tagging enabled.
• Connect the AP device to the VLAN interface.
• Use Policy Manager to discover and pair the AP device.
• In the AP configuration, add the SSIDs you configured.
• Save the configuration to the XTM device.
VLAN Configuration Example — Connecting to a Switch
The VLAN configuration on the XTM device is the same, whether you connect the AP device directly to the XTM device or to a VLAN switch.
To connect the AP device to a switch, configure the same VLANs on the switch ports that connect to the AP device and the XTM device.
Other VLAN Configuration Options
The flexibility of the VLAN configuration and routing on your XTM device, managed switch, and AP device enables you to deploy the AP device with VLANs in many other network configurations:
• Separate XTM interfaces for each VLAN on the switch
• VLAN segmentation with Branch Office VPN
• VLAN segmentation for separate gateways
Monitoring
Monitor AP Devices and Wireless Clients
Monitor AP devices and connected wireless clients in:
• Firebox System Manager on the Gateway Wireless Controller tab.
– Select the Access Points tab to monitor paired AP devices.
– Select the Wireless Clients tab to monitor connected wireless clients.
• Fireware XTM Web UI on the System Status > Gateway Wireless Controller page.
– Select the Access Points tab to monitor paired AP devices.
– Select the Wireless Clients tab to monitor connected wireless clients.
Monitor AP Devices
The Access Points tab shows:
• AP device status
• SSIDs
• IP address
• Radio band and channel
• Uptime
Select an AP device to:
• Do a Site Survey to detect other wireless access points
• See Log Messages on the AP device
• Reboot the AP device
AP Device Status — Online
After you deploy an AP device, check the device status.
If the XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.
AP Device Status — Offline
If the XTM device cannot contact the AP device, the device status is Offline.
When an AP device reboots, the status is Offline during the reboot.
• The AP device reboots after each configuration change.
AP Device Status — Passphrase Mismatch
If the Pairing Passphrase on the XTM device does not match the passphrase on the AP device, the AP device status is Passphrase mismatch.
To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device.
The default AP device passphrase is wgwap.
Monitoring — Connected Wireless Clients
Select the Wireless Clients tab to see a list of connected wireless clients.
Wireless Hotspot
Enable a Wireless Hotspot / Captive Portal
You can configure your WatchGuard AP device SSID as a wireless hotspot.
With hotspot functionality enabled, when wireless clients connect to your SSID and try to browse to a web site, the hotspot welcome page appears.
Users must accept the terms and conditions before they can browse the web through your AP device.
Enable a Hotspot / Captive Portal
In Policy Manager select Setup > Authentication > Hotspot.
Enable the hotspot for the VLAN or physical interface your AP device uses:
• If you use VLANs, select the VLAN interface for the SSID.
• If you do not use VLANs and the AP device is directly connected to an XTM device interface, select the XTM device interface your AP device is connected to.
Configure the settings for your hotspot welcome page.
Monitor Hotspot Connections
To see the list of connected hotspot clients in Firebox System Manager, select the Authentication List tab.
Click Hotspot Clients.
The connected hotspot clients also appear in the Wireless Clients tab on the Gateway Wireless Controller tab.
Documentation and Resources
Product Documentation
• WatchGuard AP — You can view and download the most current documentation for the WatchGuard AP device on the WatchGuard AP Product Documentation page at http://www.watchguard.com/help/documentation/ap.asp
• WatchGuard XTM — For detailed information about WatchGuard AP pairing, management, and configuration with your XTM device, see the Wireless AP Device Setup section of the Fireware XTM Web UI or WSM Help at http://www.watchguard.com/help/documentation/xtm.asp
Knowledge Base
• You can view and search the knowledge base for information on specific WatchGuard product issues at http://customers.watchguard.com
WatchGuard User Forum
• An interactive online user forum moderated by senior support engineers. Go to the WatchGuard forum at http://www.watchguard.com/forum
Thank You!