WatchGuard AP Requirements and Limitations
Before you add a WatchGuard AP to your network, it is important to understand the requirements and limitations of the AP.
You cannot manage WatchGuard Wi-Fi 6 APs (AP130, AP230W, AP330, AP332CR, AP430CR, AP432) with a Gateway Wireless Controller on a Firebox or WatchGuard Wi-Fi Cloud. If you are looking for information about how to manage Wi-Fi 6 APs in WatchGuard Cloud, go to About Wi-Fi in WatchGuard Cloud.
Minimum Fireware Versions Required for AP Models
These are the minimum versions of Fireware required for each AP model:
Caution: As of Fireware v12.11, only AP125, AP225W, AP325, AP327X, and AP420 devices that run firmware v11.0.0-36-4 are supported. You can no longer manage AP120, AP320, and AP322 devices on Fireware v12.11 or higher. Devices will still operate with their last known configuration, but can no longer be updated from the Gateway Wireless Controller.
AP Model | Minimum Fireware Version on Firebox Required |
---|---|
AP120, AP320 | 11.11.2 - 12.10.4. Not supported in v12.11 or higher. |
AP322 | 11.12.2 - 12.10.4. Not supported in v12.11 or higher. |
AP420 | 11.12.4 |
AP325 | 12.1 |
AP125 | 12.1.3 |
AP327X | 12.5 |
AP225W | 12.5.3 |
The latest AP firmware versions available to download from the Firebox are:
- AP120, AP320, AP322: 8.8.3-12 (only supported on Fireware v12.10 and lower)
- AP125, AP225W, AP325, AP327X, AP420: v11.0.0-36-4 (required for Fireware v12.11 and higher)
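A pre-upgrade audit built from the table and caution above, as an added example that is not WatchGuard code: it reports which APs in an inventory the Gateway Wireless Controller could not manage on a given Fireware version. The inventory names, the `OLDER-FIRMWARE` placeholder, and all function names are assumptions, as is treating every Fireware version below 12.11 as still inside the AP120, AP320, and AP322 range.

```python
# Added example: rules transcribed from the table and caution on this page.
LEGACY_CUTOFF = (12, 11, 0)       # AP120/AP320/AP322 unmanageable at or above this
REQUIRED_AP_FW = "11.0.0-36-4"    # AP firmware required on Fireware v12.11 and higher
MIN_FIREWARE = {                  # AP model -> minimum Fireware on the Firebox
    "AP120": (11, 11, 2), "AP320": (11, 11, 2), "AP322": (11, 12, 2),
    "AP420": (11, 12, 4), "AP325": (12, 1, 0), "AP125": (12, 1, 3),
    "AP327X": (12, 5, 0), "AP225W": (12, 5, 3),
}
LEGACY = {"AP120", "AP320", "AP322"}
WIFI6 = {"AP130", "AP230W", "AP330", "AP332CR", "AP430CR", "AP432"}

# Constructed sample inventory: (name, model, AP firmware). Names are made up.
SAMPLE = [
    ("lobby", "AP120", "8.8.3-12"),
    ("floor2", "AP325", "OLDER-FIRMWARE"),   # placeholder for any other build
    ("floor3", "AP420", "v11.0.0-36-4"),
]


def parse_version(text):
    """'v12.5' -> (12, 5, 0). Integer parts, so 12.11 sorts above 12.5.3."""
    parts = [int(p) for p in text.lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check_ap(model, ap_firmware, fireware):
    """Return (manageable, reason) for one AP under a Fireware version."""
    fw = parse_version(fireware)
    if model in WIFI6:
        return False, "Wi-Fi 6 AP: not managed by Gateway Wireless Controller"
    if model not in MIN_FIREWARE:
        return False, "model not listed on this page"
    if fw < MIN_FIREWARE[model]:
        return False, "Fireware below minimum for this model"
    if fw >= LEGACY_CUTOFF:
        if model in LEGACY:
            return False, "not manageable on Fireware v12.11 or higher"
        if ap_firmware.lstrip("vV") != REQUIRED_AP_FW:
            return False, f"AP firmware must be {REQUIRED_AP_FW}"
    return True, "ok"


def audit(inventory, fireware):
    """Map AP name -> reason for every AP that fails the check."""
    results = ((name, check_ap(model, fwv, fireware)) for name, model, fwv in inventory)
    return {name: reason for name, (ok, reason) in results if not ok}
```

Run `audit(SAMPLE, "12.11")` against the target Fireware version before you upgrade the Firebox to see which APs need new firmware first and which will only keep their last known configuration.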
Requirements
For an AP to be managed by Gateway Wireless Controller on a Firebox:
- The Firebox must be configured in mixed routing or drop-in mode.
- The AP must connect to a trusted, optional, or custom network.
- The Firebox configuration must include a policy that allows NTP traffic from the AP to the Internet. The AP uses an NTP server to set the correct local time.
- The Firebox and APs on your network require access to WatchGuard servers (*.watchguard.com) on port 443. This allows the Gateway Wireless Controller on the Firebox to register and activate APs and find new firmware updates. APs require access to WatchGuard servers to get country and regional information.
The default Outgoing policy allows NTP traffic from the trusted network. If you remove or disable the Outgoing policy, or if your AP is connected to the Optional network, you must add an NTP policy to allow outgoing NTP traffic from the network the AP connects to.
Limitations
- You cannot use a WSM Management Server to manage WatchGuard APs.
- You cannot locate WatchGuard APs behind a NAT firewall.
- The WatchGuard Gateway Wireless Controller is designed to manage up to 20 WatchGuard APs. If you experience management performance issues as you add more APs to your network, you can use the Gateway Wireless Controller on another Firebox to manage these APs.
- We recommend you configure your AP to accept connections from a maximum of 20-40 wireless client devices for each radio based on the overall airtime demand of the client devices.
Features not Supported by Locally Managed APs
These features are not supported on AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, and AP420 devices when they are managed by the Gateway Wireless Controller:
- LED controls
- Link aggregation on additional Ethernet ports
- Third scanning radio on tri-radio APs