Access Point System Integrity Checks
Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)
Caution: If you currently run one of these access point firmware versions:
- v2.2.22-0.B691305 (any access point model)
- v2.3.16.0-B693199 (AP230W with factory installed firmware)
We strongly recommend you upgrade to access point firmware v2.4.7 or higher that uses the latest system integrity software.
In access point firmware v2.1 and higher, access points use a cryptographic signature to verify the integrity of the device each time the access point boots, and the integrity of a firmware upgrade file before each upgrade. Integrity checks make sure that system files are valid and have not been corrupted. After you upgrade to an access point firmware version that includes system integrity checks, you cannot downgrade to a firmware version that is not signed by WatchGuard.
System Integrity Check
Each time the access point boots, it uses a cryptographic key to verify the integrity of the system files.
If an access point shuts down because an integrity check fails:
- The access point reboots into failsafe mode
- The LED indicators on the access point flash alternating blue and red every second to indicate the device is in failsafe mode
- The access point does not broadcast wireless SSIDs or pass wireless traffic
- You cannot connect to the access point Web UI or Command Line Interface (CLI) to view the status
- You must contact WatchGuard Support to replace the device
WatchGuard Cloud generates an informational device alarm notification if the access point system integrity check allows a new non-executable internal system file to be installed on the device, and no threat is detected.
Firmware Integrity Check
When you select a firmware upgrade file to install, the access point examines the file to make sure it contains a cryptographic signature. If the signature is present, the access point uses the public key from the previously installed firmware image to verify the upgrade file. If the access point cannot verify the signature, or if the signature is not present, the access point cancels the upgrade.
Access point firmware v2.0.28 is the minimum firmware version required to validate higher versions of firmware upgrade files that require firmware integrity checks.
If your access point runs a firmware version lower than v2.0.28 and you upgrade directly to v2.1 or higher from WatchGuard Cloud, the device will upgrade twice, first to v2.0.28 and then to the selected firmware version automatically. It might take additional time for the firmware upgrade to complete.
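The following fleet-audit sketch is an added example, not WatchGuard code. It applies the version rules stated on this page (the two builds in the caution, the v2.0.28 intermediate step, and the v2.4.7 recommendation) to a constructed inventory. The inventory format, function names, and the sample versions v2.0.12 and v2.4.9 are assumptions.

```python
import re

# Version thresholds and build strings below are the ones stated on this page.
BRIDGE = "v2.0.28"       # minimum version that can validate signed upgrade files
FIRST_CHECKED = "v2.1"   # integrity checks start at this version
RECOMMENDED = "v2.4.7"   # recommended minimum for builds named in the caution
# build string -> model it applies to (None = any access point model)
CAUTION_BUILDS = {"v2.2.22-0.B691305": None, "v2.3.16.0-B693199": "AP230W"}

def parse(version):
    """Turn 'v2.3.16.0-B693199' into (2, 3, 16, 0); the build suffix is ignored."""
    m = re.match(r"v?(\d+(?:\.\d+){0,3})", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_caution(model, firmware):
    """True for a build named in the caution. Inventory cannot show whether
    firmware was factory installed, so any AP230W on that build is flagged."""
    if firmware not in CAUTION_BUILDS:
        return False
    return CAUTION_BUILDS[firmware] in (None, model)

def upgrade_path(current, target=RECOMMENDED):
    """Versions the access point installs, in order, to reach target."""
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        return []                      # already at or above target
    if cur < parse(BRIDGE) and tgt >= parse(FIRST_CHECKED):
        return [BRIDGE, target]        # two-step upgrade from WatchGuard Cloud
    return [target]

def audit(inventory, target=RECOMMENDED):
    """Per-device report: caution flag plus upgrade path to target."""
    return [{"name": ap["name"],
             "caution": in_caution(ap["model"], ap["firmware"]),
             "path": upgrade_path(ap["firmware"], target)} for ap in inventory]

# Constructed sample inventory (names and the v2.0.12 / v2.4.9 versions are made up).
SAMPLE = [
    {"name": "lobby", "model": "AP130", "firmware": "v2.2.22-0.B691305"},
    {"name": "room-12", "model": "AP230W", "firmware": "v2.3.16.0-B693199"},
    {"name": "yard", "model": "AP430CR", "firmware": "v2.0.12"},
    {"name": "lab", "model": "AP330", "firmware": "v2.4.9"},
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Devices whose path has two entries are the ones where the upgrade takes additional time because the access point installs v2.0.28 first.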