Access Point Firmware Releases

This beta firmware update includes these new features, enhancements, and resolved issues:

New Features

This firmware update supports these new beta features in WatchGuard Cloud:

• Access Point and Wireless Client Visibility Enhancements
• The access point and wireless client monitoring and details pages now include additional visibility data about devices, clients, and connection events.
• Access Point ThreatSync Response Actions
• This firmware update supports threat response features in ThreatSync to block client connections to malicious access points.

Enhancements

• New kernel integrity check measures show alerts in WatchGuard Cloud when suspicious files are detected in the access point operating system.
• The access point reset procedure is updated. To reset the device to factory-default settings, press and hold the reset button for at least 10 seconds or more until all LEDs turn off, then release the button. After a few seconds, the LEDs will show solid red or orange to indicate the device is reset and rebooting to factory-default settings.
• The access point reboot log is now included in the snapshot diagnostic file.
• The DNS Lookup diagnostic tool response messages are improved when the hostname does not correctly resolve.
• Performance is improved when you view the live status of wireless clients.

Resolved Issues

• In some cases, WatchGuard Cloud managed access points were classified as an Evil Twin by Airspace Monitoring as a false positive detection. [AP-1968]
• Timeout and deployment errors no longer occur when a large number of PPSK are applied to multiple SSIDs. [AP-2096, AP-2267]
• Access points no longer send excessive DHCP requests when client isolation is enabled. [AP-1267, AP-1846]
• In some cases, access points lost their connection then become inaccessible and did not respond to network traffic. The access point now reboots after 30 minutes of detected network inactivity from the LAN interface to try to recover the connection when the device is in this state. [AP-2157, AP-2098, AP-2116]
• Client data from an AP230W about client association time is now correctly sent to the Performance Issues report. [AP-2110]
• The access point local Web UI and CLI now report the correct country of operation. [AP-2117]
• The SSH server is updated to resolve CVE-2023-48795. [AP-2152]
• An error is fixed in the local Web UI failed firmware notification text. [AP-2121]
• The Client Name field in the Live Status > Clients page is now limited to display 31 characters to prevent data errors in the Wireless Mode column. [AP-2210]
• The Gateway and DNS Server fields are now mandatory when you configure static IP address settings in the local Web UI. [AP-2238]
• Wireless clients can now correctly access the network after you disable NAT on an SSID configured with Network Access Enforcement and Client Isolation enabled. [AP-1814]
• Wireless clients can now correctly access the network on an SSID with VLAN and Client isolation enabled. [AP-1276]

New Features and Enhancements

• This firmware update supports the Private Pre-Shared Key (PPSK) feature on an SSID that uses WPA2 Personal security.
• The Client Details page, Connection Events, and Performance Issues reports now show information about the security mode used by wireless clients. [AP-1912, AP-2064], [WIFI-9266]
• New access points now use 0.pool.ntp.org, 1.pool.ntp.org, and 2.pool.ntp.org as the default NTP servers on their initial startup until they receive their configuration from WatchGuard Cloud. [AP-2055]
• The descriptions for access point CLI commands are improved. [AP-1328]

Resolved Issues

• Access points now correctly use only IPv4 to connect to WatchGuard Cloud. [AP-2071, WIFI-9646]
• The RADIUS accounting interim update interval and session timeout settings now correctly use the values configured by the third-party captive portal service after a client roams between access points. [AP-2040, AP-2041]
• The Vendor-Specific value in a RADIUS Access-Accept message for Skyfii third-party captive portal integration now correctly shows “WatchGuard Technologies Inc.”. [AP-1925]
• An access point now correctly sends a low memory alert to WatchGuard Cloud. [AP-2045]
• The time zone settings for Mexico no longer include Daylight Saving Time. [AP-2093]
• SSIDs now correctly follow the configured SSID broadcast schedule. [AP-2100].

New Features and Enhancements

• This firmware update supports the Private Pre-Shared Key (PPSK) feature on an SSID that uses WPA2 Personal security.
• The Client Details page, Connection Events, and Performance Issues reports now show information about the security mode used by wireless clients. [AP-1912, AP-2064], [WIFI-9266]
• New access points now use 0.pool.ntp.org, 1.pool.ntp.org, and 2.pool.ntp.org as the default NTP servers on their initial startup until they receive their configuration from WatchGuard Cloud. [AP-2055]
• The descriptions for access point CLI commands are improved. [AP-1328]

Resolved Issues

• Access points now correctly use only IPv4 to connect to WatchGuard Cloud. [AP-2071, WIFI-9646]
• The RADIUS accounting interim update interval and session timeout settings now correctly use the values configured by the third-party captive portal service after a client roams between access points. [AP-2040, AP-2041]
• The Vendor-Specific value in a RADIUS Access-Accept message for Skyfii third-party captive portal integration now correctly shows “WatchGuard Technologies Inc.”. [AP-1925]
• An access point now correctly sends a low memory alert to WatchGuard Cloud. [AP-2045]
• The time zone settings for Mexico no longer include Daylight Saving Time. [AP-2093]

New Features and Enhancements

• This firmware update adds support for the Packet Capture feature.
• WatchGuard Cloud now generates an informational device alarm notification if the access point system integrity check allows a new non-executable internal system file to be installed on the device and no threat is detected.
• Added support for Mambo Wi-Fi third-party captive portal integration.

Resolved Issues

• The configuration reload time for the AP230W is improved. [AP-1806]
• Wireless clients that use a third-party captive portal now correctly retain their session IDs and accounting data when they roam to another access point. [AP-1935]
• The device description now correctly displays all characters in the Device Settings page when you enter the maximum number of characters. [AP-1978]
• An SSID now correctly broadcasts when fast roaming is enabled and the NAS ID is longer than 84 characters. [AP-1845]
• Network speed tests are no longer performed when an access point boots. [AP-1860]
• Open SSH components are upgraded to address vulnerabilities identified by CVE-2023-48795 (Terrapin). [AP-1873]
• You can no longer upgrade the access point firmware with the local Web UI or CLI when the device license is expired. [WIFI-1829]
• Real-time interface statistics in the local Web UI now show correctly for access points with multiple LAN interfaces. [AP-1883]
• Access point forwarding of multicast traffic is improved when you enable a VLAN on an SSID. [AP-1920]
• The 5G radio no longer uses a 20 MHz channel width when the radio is configured to use 802.11ac mode with a 40 MHz channel width and a fixed transmit power. [AP-1955]
• The device no longer responds to external traffic on TCP port 4430. [AP-1963]
• Access points now correctly support a 40 MHz channel width on the 2.4 GHz radio. [AP-1971]
• The channel width currently in use is now correctly displayed in WatchGuard Cloud when the channel width is set to 20/40 MHz. [AP-1975]
• The Link Layer Discovery Protocol (LLDP) stopped working after the installation of firmware v2.4. This functionality now works correctly after the installation of firmware v2.5. [AP-1999]
• When the channel width on the 2.4 GHz radio is set to 20/40 MHz, the access point now correctly selects a channel from the configured candidate channel list instead of channel 1. [AP-2027]

New Features and Enhancements

• This firmware update adds support for the Packet Capture beta feature. [WIFI-7529]

Resolved Issues

• The configuration reload time for the AP230W is improved. [AP-1806]
• Wireless clients that use a third-party captive portal now correctly retain their session IDs and accounting data when they roam to another access point. [AP-1935]
• The device description now correctly displays all characters in the Device Settings page when you enter the maximum number of characters. [AP-1978]
• An SSID now correctly broadcasts when fast roaming is enabled and the NAS ID is longer than 84 characters. [AP-1845]
• Network speed tests are no longer performed when an access point boots. [AP-1860]
• Open SSH components are upgraded to address vulnerabilities identified by CVE-2023-48795 (Terrapin). [AP-1873]
• You can no longer upgrade the access point firmware with the local Web UI or CLI when the device license is expired. [WIFI-1829]
• Real-time interface statistics in the local Web UI now show correctly for access points with multiple LAN interfaces. [AP-1883]
• The 5G radio no longer uses a 20 MHz channel width when the radio is configured to use 802.11ac mode with a 40 MHz channel width and a fixed transmit power. [AP-1955]
• The device no longer responds to external traffic on TCP port 4430. [AP-1963]
• Access points now correctly support a 40 MHz channel width on the 2.4 GHz radio. [AP-1971]
• The Link Layer Discovery Protocol (LLDP) stopped working after the installation of firmware v2.4. This functionality now works correctly after the installation of firmware v2.5. [AP-1999]

New Features and Enhancements

• This firmware update adds support for the AP230W access point hardware model.
• This firmware update supports the Third-Party Captive Portal Integration feature.
• This firmware update supports the ability to configure network interfaces for access point models with additional LAN interfaces.
• DCS (Dynamic Channel Selection) is improved for optimized channel selection.
• The firmware upgrade confirmation page in the local Web UI now shows the SHA1 checksum of the upgrade file instead of the MD5 checksum. [AP-1817]
• The country of operation detection for the access point is improved. [AP-1906]
• To improve password security, the admin password for Web UI and CLI access to the device now supports a maximum length up to 32 characters. [AP-1546]

Resolved Issues

• The transmit power for an access point is now correctly reported when SSIDs are inactive due to a schedule. [AP-1907]
• You can no longer change the access point IP address configuration from WatchGuard Cloud after an access point license expires. [AP-1887]
• Access points with a configured channel width of 20/40 MHz on the 2.4 GHz radio now correctly allow client connections with a 40 MHz channel width. [AP-1895]
• After 21 days, the access point stopped sending event logs to a syslog server. [AP-1911]
• In some cases, access points might reboot into failsafe mode if the firmware upgrade process is interrupted. [AP-1937]

• This firmware update resolves an issue where in some cases, access points might reboot into failsafe mode if the firmware upgrade process is interrupted. [AP-1937]

• This firmware update supports the Third-Party Captive Portal Integration beta feature.
• DCS (Dynamic Channel Selection) is improved for optimized channel selection.
• The firmware upgrade confirmation page in the local Web UI now shows the SHA1 checksum of the upgrade file instead of the MD5 checksum. [AP-1817]
• The country of operation detection for the access point is improved. [AP-1906]

This update also includes these resolved issues:

• The transmit power for an access point is now correctly reported when SSIDs are inactive due to a schedule. [AP-1907]
• You can no longer change the access point IP address configuration from WatchGuard Cloud after an access point license expires. [AP-1887]
• After 21 days, the access point stopped sending event logs to a syslog server. [AP-1911]

• This firmware update supports the Dynamic VLANs, Captive Portal Web Form, Guest Analytics report, and Network Access Enforcement landing page features.
• You can now reboot the access point from the access point local Web UI. This action is available in the top-right corner of the Web UI when you click on the user account icon.
• The Live Status > Clients monitoring page in WatchGuard Cloud now loads client data much faster. [AP-1792, WIFI-8250]

This update also includes these resolved issues:

• An SNMP licensing issue is resolved. [AP-1692]
• DCS now operates correctly to set an optimal channel from the candidate channels list. [AP-1703]
• The access point transmit power is now correctly set to the values from the device configuration after a firmware upgrade. [AP-1756]
• The country of operation for the access point is now correctly updated when a device with no SSIDs configured is connected in a new region. [AP-1757]
• The access point connection status in WatchGuard Cloud now shows the correct status and is consistent with the local Web UI. [AP-1774]
• An access point with an expired MSSP license is now correctly disconnected and deregistered from WatchGuard Cloud. [AP-1801]
• Wireless clients no longer experience connection issues when scheduling is enabled on an SSID and DCS is enabled. [AP-1818]
• Special characters and maximum lengths for each field are now correctly processed by a captive portal web form. [AP-1819, AP-1820]
• An access point now correctly forwards multicast traffic to a wireless client after the client joins an IGMP group. [AP-1833]
• An AP430CR hardware revision M or higher with no LAN2 port now correctly receives a configuration from WatchGuard Cloud. [AP-1836]

• This firmware update supports the Dynamic VLANs and Captive Portal Enhancements beta features.
• You can now reboot the access point from the access point local Web UI. This is available in the top-right corner of the Web UI when you click on the user account icon.
• The Live Status > Clients monitoring page in WatchGuard Cloud now loads client data much faster. [AP-1792], [WIFI-8250]

This update also includes these resolved issues:

• An SNMP licensing issue is resolved. [AP-1692]
• DCS now operates correctly to set an optimal channel from the candidate channels list. [AP-1703]
• The access point transmit power is now correctly set to the values from the device configuration after a firmware upgrade. [AP-1756]
• The country of operation for the access point is now correctly updated when a device with no SSIDs configured is connected in a new region. [AP-1757]
• The access point connection status in WatchGuard Cloud now shows the correct status and is consistent with the local Web UI. [AP-1774]
• An access point with an expired MSSP license is now correctly disconnected and deregistered from WatchGuard Cloud. [AP-1801]

• With this firmware update, the access point now uses a cryptographic signature to verify the integrity of the device each time the access point boots. Integrity checks make sure that system files are valid and have not been corrupted. For more information, go to Access Point System Integrity Checks.
• This firmware update also supports the Network Access Enforcement and Enterprise Authentication Enhancements features.

You must currently run firmware version v2.0.28 or higher to upgrade to v2.1.12. If your access point runs a firmware version lower than v2.0.28 and you upgrade directly to v2.1.12, the device will upgrade twice, first to v2.0.28 and then to v2.1.12 automatically. It might take additional time for the firmware upgrade to complete.

This update also includes these enhancements and resolved issues:

• In some cases, access points managed by WatchGuard Cloud were incorrectly reported as threat access points. [AP-1617]
• Fast Roaming for wireless clients now works correctly with WPA2 Enterprise security. [WIFI-8251]
• Traffic shaping now consistently limits upload and download traffic as configured. [AP-1689]
• NTP server retry attempts are no longer delayed in some scenarios. [AP-1668]
• The diagnostic snapshot file download no longer times out when multiple wireless clients are connected. [AP-1659]
• The AP432 now uses the correct transmit power when it is configured to use the minimum setting of 8 dBm. [AP-1704]
• The diagnostic snapshot file now contains additional information for troubleshooting.

• With this firmware update, the access point now uses a cryptographic signature to verify the integrity of the device each time the access point boots. Integrity checks make sure that system files are valid and have not been corrupted.

• This firmware update also supports the Network Access Enforcement and Enterprise Authentication Enhancements beta features.

This update also includes these enhancements and resolved issues:

• Fast Roaming for wireless clients now works correctly with WPA2 Enterprise security. [WIFI-8251]
• Traffic shaping now consistently limits upload and download traffic as configured. [AP-1689]
• NTP server retry attempts are no longer delayed in some scenarios. [AP-1668]
• The diagnostic snapshot file download no longer times out when multiple wireless clients are connected. [AP-1659]
• The AP432 now uses the correct transmit power when it is configured to use the minimum setting of 8 dBm. [AP-1704]
• The diagnostic snapshot file now contains additional information for troubleshooting.

This is an important security update that enables a cryptographic signature to verify the integrity of future signed firmware files before each software upgrade. Integrity checks make sure that system files are valid and have not been corrupted. After you upgrade to an access point firmware version that includes integrity checks, you cannot downgrade to a version that is not signed by WatchGuard. This access point firmware version 2.0.28 becomes the minimum version required before you can install any future firmware upgrades.

This update also provides these enhancements and resolved issues:

• You can now configure up to 3 NTP servers in a device configuration or an Access Point Site. [AP-1527]
• You can now configure the Device LEDs option in an Access Point Site. [WIFI-8105]
• The access point diagnostic snapshot file now includes the system information, associated wireless clients, and rogue access point wired and wireless network scan results. [AP-1324, AP-1511, AP-1524].
• The Realtime traffic status in the local access point Web UI no longer shows negative values. [AP-1410]
• The Device status in the local access point Web UI now correctly shows the channel for the 5 GHz radio. [AP-1537]
• Font display inconsistencies in the access point local Web UI are resolved. [AP-1538, AP1539]
• An access point configuration can now be correctly deployed when the 2.4 GHz channel width is set to 20/40MHz in the European region. [AP-1566]
• Access point transmit power settings are now correctly applied to prevent exceeding the maximum power for a region. [WIFI-7961]

This firmware update enables support for the Airspace Monitoring feature, a new access point local Web UI, and resolves these issues:

• The RADIUS accounting interim update and stop packets now include the correct traffic size for the client. [AP-1353]
• The access point CLI tpmtest command now executes correctly. [AP-1390]
• This release includes Airspace Monitoring optimizations since the last beta version.
• This release includes minor access point Web UI page and text updates since the last beta version.

This firmware update enables support for the Airspace Monitoring beta feature, a new access point local Web UI, and resolves these issues:

• The RADIUS accounting interim update and stop packets now include the correct traffic size for the client. [AP-1353]
• The access point CLI tpmtest command now executes correctly. [AP-1390]

Resolved Issues

• The RADIUS accounting server shared secret is now correctly processed by the access point to allow the server and access point to exchange accounting messages. [AP-1351]
• NTP server connection alerts are optimized to reduce the number of connection alerts. [AP-1358]
• This release updates the version of OpenSSH to 9.0p1. [AP-1307]
• The SSL/TLS cipher key size for DH/RSA exchange is increased to 2048 bits. [AP1341]
• New commands are available in the access point CLI to show and test the RSA public key of the access point for troubleshooting connections to WatchGuard Cloud.

New Features and Enhancements

• This update is required for the access point SNMP monitoring feature.
• You can now add up to 256 MAC addresses for the MAC Address Access Control feature.

Resolved Issues

• After the installation of access point firmware 1.1.23, the AP130 fails to broadcast an SSID with NAT enabled on the 2.4 GHz radio. [AP-1320]

This update replaces the current 1.1.22 beta firmware, and resolves these issues:

• SSIDs failed to broadcast after the installation of firmware version 1.1.22 on the AP130. [AP-1311]
• Radar detection traps are not sent to the trap server. [AP-1295]

This update is required for the SNMP monitoring beta feature.

New Features and Enhancements

This update adds support for the access point Description and Radio Details features.

Resolved Issues

• Wireless clients now successfully reconnect to an access point with WPA2 and WPA3 Enterprise authentication. [AP-1163]
• Wireless clients now correctly obtain an IP address after you change the access point from a static IP address with a management VLAN enabled to a DHCP only address. [AP-1222]
• Security scan warnings no longer occur for the access point certificate and hashing algorithm for local access to the device. [AP-1165]
• Syslog entries accessed from the access point CLI interface are now correctly displayed in time-sequential order with the newest entries at the end of the list. [AP-1061]

Enhancements

• This update is required to use the Diagnostic Tools and Support Snapshot features.
• The access point LED indicator status is enhanced to provide more granular status of the device connection to WatchGuard Cloud. This enables you to more accurately troubleshoot the issue if the access point status stops in a specific state. For more information about the LED status and how to troubleshoot connection issues, see the Hardware Guide for your device.

Resolved Issues

• The correct wireless mode for a client now appears on the Live Status > Clients monitoring page. [AP-1140]
• The operating system of Apple iOS 14.8 and 15.x wireless clients are now correctly identified. [AP-1075]
• You can now correctly disable a VLAN on an SSID after you enable the Captive Portal feature. [AP-1092]
• Dynamic channel selection now correctly switches to a new channel when interference is detected on the current channel. [AP-1115]
• Access point firmware upgrade from the CLI now correctly validates the specified download link and correct firmware version for the device model. [AP-1039, AP-1083]

• This update is required to use the Diagnostic Tools and Support Snapshot beta features. To learn more or to report an issue, go to the Wi-Fi in WatchGuard Cloud Beta test community.
• The operating system of Apple iOS 14.8 and 15.x wireless clients are now correctly identified. [AP-1075]
• You can now correctly disable a VLAN on an SSID after you enable the Captive Portal feature. [AP-1092]
• Dynamic channel selection now correctly switches to a new channel when interference is detected on the current channel. [AP-1115]
• Access point firmware upgrade from the CLI now correctly validates the specified download link and correct firmware version for the device model. [AP-1039, AP-1083]

• This update is required to use the Diagnostic Tools and Support Snapshot beta features. To learn more or to report an issue, go to the Wi-Fi in WatchGuard Cloud Beta test community.

• Access Point VPN now correctly connects when the Firebox VPN settings use a domain name of 16 characters or greater. [AP-1105]
• Minor bug fixes and enhancements. [AP-1077, AP-1085, AP-1086]

• Initial firmware release.