About Firebox Wireless Configuration
When you enable the wireless feature of your Firebox wireless device, you can configure the external interface to act as a wireless client, or you can configure the Firebox as a wireless access point for users on specified networks.
You can enable wireless clients to connect to the Firebox wireless device as part of the trusted network or part of the optional network. You can also use a custom network to enable a wireless guest services network for your device, or use bridge or VLAN networks in your wireless configuration.
Wireless networking on Firebox wireless devices is not supported when the Firebox is configured in Drop-In mode. External interface as a wireless client is not supported when the Firebox is configured in Bridge mode.
Before you set up wireless network access, go to Before You Begin for deployment tips on wireless planning and environmental factors that apply to the installation of WatchGuard wireless Fireboxes.
Before you can enable the wireless feature on your Firebox, you must get the feature key. For more information, go to About Feature Keys.
About Firebox Wireless Default Settings
In Fireware v12.5.3 and higher, Firebox wireless is enabled in the factory-default settings. This enables you to use a Wi-Fi connection to connect to the Firebox and run the Setup Wizard to set up the Firebox. For more information about how to connect to the Firebox to run the Setup Wizard, go to About Firebox Setup Wizards.
Use these default settings to connect to the Firebox wireless:
- Default SSID — The Firebox model plus the last part of the wireless MAC address. For example: T55-W-A1:B2:C3
- Default Password — The Firebox serial number (including the dash).
In addition, these settings are enabled by default:
- 2.4 GHz radio enabled
- ath1 wireless interface enabled and bridged to the Firebox Trusted interface
- Wireless Mode — 802.11n/g/b
- Security — WPA2 Personal
To run the Setup Wizard on the Firebox after you have connected through the wireless connection, open your web browser and go to https://10.0.1.1:8080.
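A Firebox that still broadcasts the default SSID described above may still be running the other factory defaults, so it is worth checking for in a site survey of your own network. The Python below is an added example, not WatchGuard code. It assumes survey rows of (SSID, BSSID, security), a model pattern generalized from the single T55-W example, and that the BSSID equals the wireless MAC address.

```python
import re

# Pattern generalized from the page's one example, "T55-W-A1:B2:C3":
# <model>-<last three octets of the wireless MAC>. The model part is an assumption.
DEFAULT_SSID = re.compile(
    r"^(?P<model>[A-Z]\d{2,3}(?:-[A-Z]+)*)-"
    r"(?P<tail>(?:[0-9A-Fa-f]{2}:){2}[0-9A-Fa-f]{2})$"
)

def mac_tail(mac):
    """Return the last three octets of a MAC as 'AA:BB:CC', or None if malformed."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        return None
    return ":".join(o.upper() for o in octets[3:])

def audit(scan):
    """Flag scan entries whose SSID still has the factory-default shape.

    bssid_confirms is True when the SSID suffix equals the tail of the BSSID.
    Treating the BSSID as the wireless MAC is an assumption of this example.
    """
    findings = []
    for ssid, bssid, security in scan:
        match = DEFAULT_SSID.match(ssid)
        if match is None:
            continue  # renamed or unrelated network
        findings.append({
            "ssid": ssid,
            "model": match.group("model"),
            "security": security,
            "bssid_confirms": mac_tail(bssid) == match.group("tail").upper(),
        })
    return findings

# Constructed site-survey rows: (SSID, BSSID, security). Not real devices.
SAMPLE_SCAN = [
    ("T55-W-A1:B2:C3", "02:00:00:A1:B2:C3", "WPA2-PSK"),        # factory default
    ("Corp-WiFi",      "02:00:00:11:22:33", "WPA2-Enterprise"), # unrelated
    ("T35-W-0A:1B:2C", "02:00:00:DD:EE:FF", "WPA2-PSK"),        # name matches only
    ("T55-W-Guest",    "02:00:00:44:55:66", "WPA2-PSK"),        # renamed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        status = "confirmed by BSSID" if f["bssid_confirms"] else "SSID pattern only"
        print(f"{f['ssid']:<16} {f['model']:<6} {f['security']:<10} {status}")
```

Any device this flags should have its SSID and password changed from the defaults during setup.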
Configure Wireless
To configure wireless on your Firebox:
- Select Network > Wireless.
The Wireless page appears.
- Select the Enable Wireless check box.
- Select a wireless configuration option:
Enable wireless client as external interface
Select this option to configure the external interface of the Firebox to connect to a wireless network. This is useful in areas with limited or no existing network infrastructure.
When this option is enabled, the external interface acts as a wireless client. The radio settings in the configuration cannot be modified and are only used when the Firebox is configured as a wireless access point.
For more information, go to Configure Your External Interface as a Wireless Interface.
Enable wireless access points
Select this option to configure the Firebox as an access point for users on specified networks.
For more information, go to Enable Wireless Connections.
- In the Radio Settings section, select your wireless radio settings.
For more information, go to About Wireless Radio Settings.
- To mitigate KRACK WPA/WPA2 vulnerabilities in unpatched wireless clients, select the Enable WPA/WPA2 vulnerability mitigation check box.
This option blocks handshake messages that can potentially exploit clients and forces clients to reauthenticate. This reauthentication typically does not require the user to re-enter credentials, but it may add a few seconds to the connection time of the client. This option is disabled by default. The mitigation logic can also trigger on similar dropped-packet symptoms, for example, natural frame errors during a handshake, or dropped packets when a client roams. This can cause some client authentication connections to fail and be reestablished. WatchGuard recommends that you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities, and that you evaluate the impact on your client environment and user experience.
- To enable the Firebox to scan for untrusted wireless access points, select the Enable rogue access point detection check box.
For more information, go to Enable Rogue Access Point Detection on a Wireless Firebox.
- Click Save.
- Select Network > Wireless.
The Wireless Configuration dialog box appears.
- Select the Enable wireless check box.
- Select a wireless configuration option:
Enable wireless client as external interface
Select this option to configure the external interface of the Firebox wireless device to connect to a wireless network. This is useful in areas with limited or no existing network infrastructure.
For more information, go to Configure Your External Interface as a Wireless Interface.
Enable wireless access points
Select this option to configure the Firebox wireless device as an access point for users on specified networks.
For more information, go to Enable Wireless Connections.
- In the Radio Settings section, select your wireless radio settings.
For more information, go to About Wireless Radio Settings.
- To mitigate KRACK WPA/WPA2 vulnerabilities in unpatched wireless clients, select the Enable WPA/WPA2 vulnerability mitigation check box.
This option blocks handshake messages that can potentially exploit clients and forces clients to reauthenticate. This reauthentication typically does not require the user to re-enter credentials, but it may add a few seconds to the connection time of the client. This option is disabled by default. The mitigation logic can also trigger on similar dropped-packet symptoms, for example, natural frame errors during a handshake, or dropped packets when a client roams. This can cause some client authentication connections to fail and be reestablished. WatchGuard recommends that you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities, and that you evaluate the impact on your client environment and user experience.
- To enable the device to scan for untrusted wireless access points, select the Enable rogue access point detection check box.
For more information, go to Enable Rogue Access Point Detection on a Wireless Firebox.
- Click OK.
Enable Wireless to Your Networks
You can enable wireless settings for the trusted, optional, VLAN, bridge, or custom networks. For more information, go to Enable Wireless Connections.
Enable a Wireless Guest Network
You can configure any access point as a wireless guest network. For more information, go to Enable a Wireless Guest Network.