Related Topics
Configure AP Settings
From the Gateway Wireless Controller on your Firebox, you can edit the settings for any APs that are paired with the Firebox.
If the AP is located behind a router or other network device and cannot receive broadcasts from the Gateway Wireless Controller, you must manually add the AP. For more information, see Configure AP Settings.
Edit an AP Configuration
When you pair an AP with a Firebox, you must configure the settings for the AP. Because only some of the details about the AP are automatically added to the AP configuration when it is paired, you must edit the AP settings to complete the initial configuration of the AP.
When you edit the AP settings, you can change any of the settings, except for the model and serial number. The model and serial number are automatically set for paired APs and cannot be changed.
There are two network settings you can select for an AP:
DHCP
DHCP is the default selection. Choose this option to configure the AP to request a dynamically assigned IP address from a DHCP server. If you choose this option, make sure that a DHCP server is configured on the network that the AP connects to. You can configure the Firebox as the DHCP server when you configure the Firebox interface that your AP connects to.
For a configuration example, see WatchGuard AP Deployment Examples.
Static
Select this option to assign the AP a static IP address. When you select Static, you must configure these settings:
- IP Address — The IP address to assign to the AP
- Subnet Mask — The subnet mask
- Default Gateway — The IP address of the default gateway
- Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears. - Select the Access Points tab.
The list of Access Points that you can configure appear in the Paired Access Points list.
- Select an AP and click Edit.
The Edit Access Point dialog box appears.
- Configure the AP settings, as described in the next section.
- Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears. - Select the Access Points tab.
The list of Access Points that you can configure appear in the Access Points list.
- Select an AP and click Edit.
The Edit Access Point dialog box appears.
- Configure the AP settings, as described in the next section.
To configure the AP settings:
- (Optional) In the Name text box, type a new name for the AP.
The default name is <AP model number >_<AP serial number>. - Adjacent to Network Settings, select an option to assign the AP an IP address:
- DHCP
- Static
- If you selected Static, type the IP Address, Subnet Mask, and Default Gateway for your AP.
- (Optional) In the Location text box, type the location of the AP on your network.
- From the Model drop-down list, select the model of your AP.
- To override the Gateway Access Controller settings for syslog server logging:
- Select the Send log messages to a syslog server check box.
- In the Syslog server IP address text box, type the IP address of your syslog server.
External syslog support is not available for AP120, AP320, AP322, and AP420 devices.
-
(Fireware v12.0.2 or lower) To help wireless clients that roam between WatchGuard APs connect to another AP with a stronger signal, select the Fast Handover check box.
Specify the Fast Handover RSSI threshold to indicate the minimum RSSI (Received Signal Strength Indicator) required to connect to this AP.
This is also the threshold for when a client should disconnect from this AP and connect to another AP with a stronger RSSI level (AP300 devices only). For more information, see Fast Handover.
-
(Fireware v12.0.2 or lower) To move dual-band wireless clients from the 2.4 GHz band to 5 GHz, select the Enable Band Steering check box. For more information, see Band Steering.
- To disable the LEDs on your AP, select the Disable LEDs check box.
On AP100, AP102, AP200, and AP300 devices, this option allows you to operate your AP in stealth mode to hide visible signs of wireless activity when the device is deployed in a location that requires additional security. For information on how you can flash the power LED to help identify APs in stealth mode, see Monitor AP Status.
- To use a tagged VLAN for management connections to the AP:
- Select the Enable Communication VLAN Tagging check box.
- In the Communication VLAN ID text box, type the VLAN ID you want to use for management connections. This must be a VLAN that is configured to handle tagged traffic to the interface your AP connects to.
If you configure a communication VLAN ID in both the Gateway Wireless Controller settings and the AP settings, the Firebox uses the communication VLAN ID specified in the AP settings.
- In the Radio Settings tab, configure the settings for each AP radio: band, wireless mode, channel, and SSID.
For more information, see Configure AP Radio Settings.
When you save an AP configuration to the Firebox, the device immediately sends the update to the affected APs. While the update is in progress, the AP status briefly changes to Updating. The update process can take up to a minute to complete. While the update is in progress, wireless services might be interrupted on the AP.
Steering Parameters
These AP steering parameters enable you to configure thresholds and other advanced parameters for the Min. Association RSSI, Smart Steering, and Band Steering features that are enabled per SSID. For more information on how to enable these features, see Configure WatchGuard AP SSIDs.
- Min. Association RSSI — The minimum signal strength required for a client to associate with an AP.
- Smart Steering — Proactively steers clients to an AP with a stronger signal than their current AP. This prevents clients from staying connected to their current AP when the signal degrades as the client roams.
- Band Steering — Helps evenly distribute wireless clients between the 2.4 and 5 GHz bands for an SSID by steering clients to the less congested 5 GHz band to balance the load on the AP. Dual band clients are steered to the 5 GHz band if the client's signal strength in 5 GHz is higher than the Steering RSSI Threshold.
You can configure different thresholds for specific APs. For example, you can fine tune your thresholds for APs at the perimeter of your network to be lower than the thresholds for APs closer to the core of the network for better connectivity for clients roaming at your network boundaries.
- Steering RSSI Threshold — This threshold is used for the Min. Association RSSI and Band Steering features, and can be between -60 to - 85 dBm. The default is -70 dBm. The Smart Steering RSSI Threshold is -10 dBm less than this value.
- Steering Attempts Threshold — This is the maximum number of steering attempts for a client within a 10 minute window after which the client's steering is suspended for a period specified by the Steering Blackout Period. The default value for steering attempts is 2. The minimum value is 1 and the maximum value is 5.
- Steering Blackout Period — This is the steering suspension period for a client. No steering methods are employed for a client within this time period. The default value for steering blackout period is 15 minutes. The minimum value is 10 minutes and the maximum is 60 minutes.
- Roam Initiation Threshold Interval —The time interval, in seconds, for which the client's signal strength should be lower than the threshold for the AP to initiate the roam. The default is 10 seconds.
- Roam Initiation Threshold Packets — The packet count threshold for disconnecting a client with low RSSI. This is the minimum number of packets from clients with RSSI lower than the RSSI threshold within the interval to initiate a roam for the client. If these number of packets are not received within the Roam Initiation Threshold Interval, the AP waits to receive this number of packets before initiating a roam. The default is 5 packets.
When you enable Smart Steering for an SSID, the values for Roam Initiation Threshold Interval and Roam Initiation Threshold Packets are used to decide if the AP can allow or reject a client connection.
If the signal strength of the client is less than the Smart Steering RSSI Threshold, and the number of packets received by the AP are greater than the Roam Initiation Threshold Packets in the time interval specified in the Roam Initiation Threshold Interval, the AP disconnects the client so that it can find another AP with better signal strength.
Fast Handover
(Fireware 12.0.2 or lower)
Fast Handover helps wireless clients that roam between WatchGuard APs to disconnect from their current AP and connect to another AP with a stronger signal. Fast Handover controls the minimum signal strength required to associate with an AP and tells wireless clients when to release their current AP association if the signal degrades as the wireless client moves farther away.
In Fireware v12.1 or higher, Fast Handover is replaced by the Min. Association RSSI and Smart Steering options configured in the SSID settings. For more information, see Configure WatchGuard AP SSIDs.
Fast Handover uses the RSSI (Received Signal Strength Indicator) as a threshold to determine if clients can associate to an AP and when to disconnect a wireless client with a weak signal. The value is expressed in dBm (decibel milliwatts). The default value is -85 dBm. The minimum is -100 dBm and the maximum is -60 dBm. The closer the value is to 0, the stronger the signal. For more information on signal strength, see Wireless Signal Strength and Noise Levels.
- Fast Handover is only supported on WatchGuard AP120, AP300, AP320, AP322, and AP420 devices.
- AP120, AP320, AP322, and AP420 devices currently support only a minimum association RSSI threshold. The APs do not actively disconnect clients with degraded signals.
- We recommend that you only enable Fast Handover for APs in high-traffic density areas.
- Fast Handover causes an AP to disconnect a client when the RSSI threshold is reached. We recommend that you perform a site survey of your environment to make sure your APs are in range for handover based on your thresholds.
- Wireless clients can have very different RSSI strengths depending on the manufacturer, and you must set your RSSI threshold accordingly.
Do not enable Fast Handover on adjacent APs that also have the Band Steering feature enabled. Clients steered to the 5Ghz band might have a drop in RSSI that can cause a disconnection because of the Fast Handover RSSI threshold.
Band Steering
(Fireware v12.0.2 or lower)
Band Steering helps reduce wireless network congestion by moving dual-band wireless clients from the more widely-used 2.4 GHz spectrum to the less-congested 5 GHz band. Band Steering is usually not required in an environment where most wireless devices are newer devices that are already optimized to choose the 5 Ghz band.
In Fireware v12.1 or higher, Band Steering is configured in the SSID settings. For more information, see Configure WatchGuard AP SSIDs.
- Band Steering is only supported on WatchGuard AP120, AP300, AP320, AP322, and AP420 devices.
- The same SSID and security mode must be configured on both 2.4 GHz and 5 GHz radios to allow wireless clients to switch frequency bands.
- In some cases, Band Steering can cause connectivity issues with older legacy wireless clients that only support 2.4 Ghz. In these cases, we recommend that you disable Band Steering or have clients manually connect to the SSID.
Do not use Band Steering and Fast Handover features at the same time. Steering to the 5 GHz band can result in a loss of RSSI strength for the client and can cause disconnections based on the Fast Handover threshold.