Access Point Support Subscriptions

WatchGuard access points provide secure, reliable wireless connectivity to businesses around the world. At WatchGuard, we are passionate about mobility and security and are dedicated to keeping wireless environments updated with the latest software features to keep people safe and their businesses running smoothly. For example, at the time of our public announcement of the WPA/WPA2 key reinstallation (KRACK) vulnerability, corrective software was already available online. Additional details about KRACK and software updates for WatchGuard products can be found in this knowledge base article.

Support Subscriptions for Access Points

Standard Support for access points is included in our Wi-Fi service subscriptions: Basic, Secure, and Total Wi-Fi. See this FAQ for more information on the Wi-Fi SKUs. Maintaining active support subscriptions for your access points is recommended to continue to receive important software updates, RMA replacement, and support.

Basic, Secure, and Total Wi-Fi Subscriptions include Standard Support:

  • 24×7 support
  • Unlimited number of support cases per annual subscription
  • Targeted response times:
    • 4 Hour – Critical, High
    • 8 Hours – Medium
    • 24 Hours – Low
  • Web-based support
  • Phone-based support
  • Software updates and patches for:
    • Gateway Wireless Controller
    • Access point firmware
    • Wi-Fi Cloud
  • Advanced hardware replacement
  • Product documentation and guides
  • Technical Training Materials
  • Moderated Customer Forum

At this time, premium four hour RMA is not available for access points.  Please remember to maintain an active Basic, Secure, or Total Wi-Fi subscription with each access point in order to maintain support.

Total Wi-Fi Program Chart

Sincerely,

Ryan Orsi
Director, Product Management, Secure Wi-Fi
WatchGuard Technologies


Source: WatchGuard

WatchGuard Integrates with Autotask PSA to Simplify Managed Security Services

Available with Fireware 12.0.1, WatchGuard has introduced a leading integration with Autotask to simplify managed security services for our global base of mutual Channel Partners. Managed security service providers (MSSPs) using WatchGuard and Autotask can now benefit from closed-looped service ticketing and synchronization of their customers’ asset Information.

Key Features

Integrated, Closed-Loop Service Ticketing — Track Issues with Service Ticketing Made Easy

  • Enable Autotask service tickets for WatchGuard security solutions.
  • Configure event thresholds on a wide range of parameters identified per device, including: security services, device statistics, and subscription statuses. Event thresholds automatically trigger the creation and closure of service tickets, closing tickets when issues are resolved, and reducing the number of false alarms.
  • Eliminate ticket flooding and provide trending visibility into customer security, because the same ticket reopens if the issue returns, rather than creating multiple tickets.

Auto Synchronization of Asset Information — Know a Customers’ Security

  • Automatically register and update customer security asset information.
  • Gain visibility into customer security through automated synchronization with WatchGuard security appliances, including subscription start and end dates, device serial numbers, OS versions, and more.
  • Avoid a managed network going unprotected because of incorrect security service subscription end dates.

Learn more about this integration by visiting our Autotask Integration page, which includes links to an integration guide, demo video, and a solution brief. To view all of our available Technology Partner integrations, visit our Technology Integrations page.


Source: WatchGuard

Fireware 12.0.1 is now available

Fireware 12.0.1 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.1 and WSM 12.0.1 today, along with updates for the Access Point firmware. These releases provide fixes for many reported issues and include some significant security updates. Key highlights: 

  • Patches previously announced in the blog post on KRACK WiFi vulnerabilities, including a new feature to mitigate against the vulnerability in unpatched clients. 
  • Streamlined some UI options for Gateway Antivirus to reflect the new capabilities of the new AV engine that we included in the 12.0 release in September. 
  • A new simple option to enable Support access to the appliance, which will cut down on the time required for support calls, and lead to a smoother experience when customers need to work with support. 

WatchGuard partners and customers should review the Release Notes and What’s New presentations prior to upgrading. 

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, which are now End of Life (EOL), and XTM 505, 510, 520, and 530 which are EOL in December of this year.

AV Signatures in 11.x releases
Previously WatchGuard had announced that we would discontinue support for AV signatures for the older AVG engine in Fireware 11.x by January 2018. This support will now be extended until April 2018.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center. 

Contact
For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

 


Source: WatchGuard

Wi-Fi Key Reinstallation Attack “KRACK” Update: Protecting Unpatched Devices

Summary
On October 16, 2017, security researchers announced several vulnerabilities in the WPA/WPA2 encryption protocol that affect countless Wi-Fi enabled devices worldwide. As a result of KRACK, Wi-Fi data streams, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. This security flaw means that, for vulnerable clients and access points, WPA- and WPA2-encrypted Wi-Fi traffic is potentially exposed until certain steps are taken to remediate the issue.

Presently, there are 10 known vulnerabilities that comprise KRACK. WatchGuard is providing patches for all of our affected products. For non-WatchGuard devices, users should refer to their vendor’s website and security advisories to determine if they are affected, and if updates are available. Even though most companies will provide patches, it’s likely that unpatched devices will interact with your network and expose you to risk. WatchGuard offers additional methods to protect unpatched client devices from KRACK.

How to Mitigate KRACK
The steps below describe recommended actions to protect your network from KRACK vulnerabilities in various scenarios, including from unpatched client devices.

  1. Update your access point (AP) firmware (10/30/17)
    • WatchGuard will provide patches for all supported APs and tabletop appliances with embedded wireless APs.
  2.  

  3. Enable “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” feature. The AP can compensate for the unpatched clients with this setting enabled. Mitigation is recommended only until all clients are patched.
    • AP managed by GWC: Available for the AP120, AP320, AP322, and AP420 with the upcoming 10/30/17 patch.
    • AP managed by Wi-Fi Cloud (link to WatchGuard Knowledge Base article is below).
    • Firebox with built-in Wi-Fi: Available on the T-10W, T-10W, and T-50W with TBD firmware update.
    • In a small percent of cases, mitigation may exacerbate client connectivity issues in environments already suffering from weak signal coverage or high interference.
  4.  

  5. Enable “AP MAC Spoofing Prevention” setting in Wi-Fi Cloud WIPS policy.
    • AP managed by GWC: manage your APs with a Wi-Fi Cloud license and acquire dedicated WIPS sensors for your environment.
    • AP managed by Wi-Fi Cloud: enable setting in the management interface.

 

Additional Information


Source: WatchGuard

KRACK (Key Reinstallation Attack) for WPA and WPA2 Vulnerabilities Update

[Editor’s note: Article updated on 10/20/2017 with additional information about KRACK mitigation options from WatchGuard.]

On October 16, 2017, a statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) alerted the industry to a series of vulnerabilities for WPA and WPA2, named KRACK (Key Reinstallation Attack). These vulnerabilities affect a large number of wireless infrastructure devices and wireless clients, across many vendors. This security flaw means that, for vulnerable clients and access points, WPA and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to remediate the issue. The Wi-Fi data stream, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. WatchGuard’s Wi-Fi access points (APs) and Wi-Fi enabled appliances are affected by these vulnerabilities. Following is detailed information about the vulnerabilities, which WatchGuard products are affected, and timing for patches. WatchGuard understands that in many cases, it’s difficult, if not impossible to patch all client devices. For example, IoT devices where vendors may be slow, out of business, or unwilling to patch older product versions, leaving many clients vulnerable indefinitely. See below for details on how WatchGuard Wi-Fi technology can mitigate KRACK for vulnerable clients and details are addressed below.

Who is affected by these vulnerabilities?
The vulnerability is widespread. Review the ICASI statement additional information and CVEs. Organizations that use wireless access points (APs) relying on WPA or WPA2 encryption, and mobile users who connect to Wi-Fi networks with smartphones, tablets, laptops, and other devices, should implement the necessary patches applicable to these vulnerabilities.

How many/what type of vulnerabilities are there?
Refer to the ICASI list of vulnerabilities and Common Vulnerability and Exposure (CVE) identifiers here.

How do the KRACK (Key Reinstallation Attack) for WPA and WPA2 vulnerabilities work?
A malicious user could inject specially-crafted packets into the middle of the WPA/WPA2 authentication handshake, forcing installation of a key known to—or controlled by—the attacker. This results in the possibility of decrypting and/or modifying client traffic. Traffic already protected by a higher-level encryption protocol, such as HTTPS, VPNs, or application encryption would not be impacted.

Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network. This is accomplished by manipulating retransmissions of handshake messages.

When an adversary manipulates certain handshake messages over the air, the exploit results in reuse of some packet numbers when handshakes are performed. The reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay security is based. The principle is that for a given key hierarchy, PTK, GTK and IGTK, packet numbers in two original (non-retransmits) packet transmissions protected by them cannot be repeated. For packet pairs where this assumption is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. Packet number can also permit adversary to replay old packets to the receiver.

Which WatchGuard products were affected?

  • Access Points: AP100, AP102, AP120, AP200, AP300, AP320, AP322, AP420
  • Appliances: XTM 25-W, 26-W, 33-W; Firebox T10-W, T30-W, T50-W

 

How can WatchGuard partners and customers access patches / updates that address these vulnerabilities?
Patches will be available for Fireware, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud via the following releases and estimated timing (subject to changes, monitor this blog for patch updates):

Sunday, October 15, 2017:

  • AP120, 320, 322, 420:  Release 8.3.0-657, Cloud mode only

 

Monday, October 30, 2017:

  • Fireware: Release 12.0.1
  • Legacy AP:
    • AP300: Release 2.0.0.9
    • AP100, 102, 200: Release 1.2.9.14
  • AP120, 320, 322, 420:  Release 8.3.0-657, Non-Cloud (GWC mode)

 

Q: Is there a method to protect unpatched client devices?
A: WatchGuard is providing patches for all of our affected products and also recommends patching all non-WatchGuard Wi-Fi enabled devices whenever possible.  To protect unpatched client devices, WatchGuard provides two methods of protection:

  1. An option to “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” is available now in the Wi-Fi Cloud, and available October 30, 2017 in Fireware version  12.0.1 in the Gateway Wireless Controller (GWC) settings [available for AP120, AP320, AP322, and AP420 version 8.3.0-657].
  2. AP MAC spoofing prevention is available now in the Wi-Fi Cloud when dedicated WIPS sensors are deployed (not background scanning)

 

Read more about protecting Wi-Fi devices from KRACK this blog post, and in the WatchGuard Knowledge Base.

Have any of WatchGuard’s customers or partners been negatively impacted by these vulnerabilities?
No, we are not aware of any WatchGuard customers or partners who have been negatively impacted by these vulnerabilities.

What is WPA2?
WPA2 (802.11i) is currently the standard for link layer security in Wi-Fi networks. It uses either 802.1x (EAP) or shared key (PSK) based authentication. In 802.1x, the client is authenticated from a backend RADIUS server when setting up a wireless connection. During the authentication process, the client and the RADIUS server generate a common key called Pairwise Master Key (PMK). The PMK is sent from the RADIUS server to the AP over a secure wired network. In PSK, the PMK is statically installed in the client and the AP by entering the same passphrase (password) on both sides. The PMK is then used to generate a hierarchy of keys to be used for encryption and integrity protection for data sent over wireless link between the AP and the client.

The protocol to generate the key hierarchy from PMK is called an EAPOL 4-Way Handshake. It is used to derive the following keys:

  • Pairwise Transient Key (PTK), used to encrypt unicast communication between AP and client. PTK is derived and installed by the AP and the client at the time of setting up a wireless connection. It is refreshed during the connection after pre-configured time has passed. It is also refreshed when client roams between APs using fast transition (FT) protocol.
  • Group Transient Key (GTK), used for encrypting broadcast and multicast messages from APs to clients. A GTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.
  • Integrity Group Transient Key (IGTK), used for providing integrity for broadcast and multicast management messages (called management frame protection or MFP) transmitted from the AP to the client. IGTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

 

The keys (GTK and IGTK) are refreshed when a client leaves the AP and the new keys are distributed to all remaining clients using a protocol called Group Key Handshake.

What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol and security certification system developed by the Wi-Fi Alliance in response to weaknesses found in the previous system, Wired Equivalent Privacy (WEP). This was an intermediate measure taken in anticipation of the availability of the more complex and secure WPA2. WPA is obsolete and insecure, and WatchGuard recommends that all customers use WPA2, and not WPA.


Source: WatchGuard

WPA and WPA2 Vulnerabilities Update

On October 16, 2017, a statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) was released alerting the industry to a series of vulnerabilities for WPA and WPA2. These vulnerabilities are at the protocol-level and affect a large number of wireless infrastructure devices and wireless clients, across many vendors. This security flaw means that, for vulnerable clients and access points, WPA and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to remediate the issue. The Wi-Fi data stream, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. WatchGuard’s Wi-Fi access points and Wi-Fi enabled appliances are affected by these vulnerabilities. Following is detailed information about the vulnerabilities, which WatchGuard products are affected, and timing for patches.

Who is affected by these vulnerabilities?
Any Wi-Fi client or access point that utilizes the wpa_supplicant or hostapd Open Source software packages in the authentication process may be affected by these vulnerabilities. These are widely used software packages across the industry, so the vast majority of devices will be affected. The ICASI statement linked above includes many, but not all, affected vendors. Organizations that use wireless access points (APs) relying on WPA or WPA2 encryption, and mobile users who connect to Wi-Fi networks with smartphones, tablets, laptops, and other devices, should implement the necessary patches applicable to these vulnerabilities.

How many/what type of vulnerabilities are there?
Refer to the ICASI list of vulnerabilities and Common Vulnerability and Exposure (CVE) identifiers here.

How do the WPA and WPA2 vulnerabilities work?
A malicious user could inject specially-crafted packets into the middle of the WPA/WPA2 authentication handshake, forcing installation of a key known to—or controlled by—the attacker. This results in the possibility of decrypting and/or modifying client traffic. Traffic already protected by a higher-level encryption protocol, such as HTTPS, VPNs, or application encryption would not be impacted.

Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network. This is accomplished by manipulating retransmissions of handshake messages.

When an adversary manipulates certain handshake messages over the air, the exploit results in reuse of some packet numbers when handshakes are performed. The reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay security is based. The principle is that for a given key hierarchy, PTK, GTK and IGTK, packet numbers in two original (non-retransmits) packet transmissions protected by them cannot be repeated. For packet pairs where this assumption is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. Packet number can also permit adversary to replay old packets to the receiver.

Do these vulnerabilities represent a protocol design failure of WPA2?
No, the failure is with the wpa_supplicant or hostapd Open Source software packages, and is not a protocol design failure of WPA2.

Which WatchGuard products were affected?

  • Access Points: AP100, AP102, AP120, AP200, AP300, AP320, AP322, AP420
  • Appliances: XTM 25-W, 26-W, 33-W; Firebox T10-W, T30-W, T50-W

How can WatchGuard partners and customers access patches / updates that address these vulnerabilities?
Patches will be available for Fireware, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud via the following releases and estimated timing (subject to changes, monitor this blog for patch updates):
Sunday, October 15, 2017:

  • AP120, 320, 322, 420:  Release 8.3.0-657, Cloud mode only

Monday, October 30, 2017:

  • Fireware: Release 12.0.1
  • Legacy AP:
    • AP300: Release 2.0.0.9
    • AP100, 102, 200: Release 1.2.9.14
  • AP120, 320, 322, 420:  Release 8.3.0-657, Non-Cloud (GWC mode)

Have any of WatchGuard’s customers or partners been negatively impacted by these vulnerabilities?
No, we are not aware of any WatchGuard customers or partners who have been negatively impacted by these vulnerabilities.

What is WPA2?
WPA2 (802.11i) is currently the standard for link layer security in Wi-Fi networks. It uses either 802.1x (EAP) or shared key (PSK) based authentication. In 802.1x, the client is authenticated from a backend RADIUS server when setting up a wireless connection. During the authentication process, the client and the RADIUS server generate a common key called Pairwise Master Key (PMK). The PMK is sent from the RADIUS server to the AP over a secure wired network. In PSK, the PMK is statically installed in the client and the AP by entering the same passphrase (password) on both sides. The PMK is then used to generate a hierarchy of keys to be used for encryption and integrity protection for data sent over wireless link between the AP and the client.

The protocol to generate the key hierarchy from PMK is called an EAPOL 4-Way Handshake. It is used to derive the following keys:

  • Pairwise Transient Key (PTK), used to encrypt unicast communication between AP and client. PTK is derived and installed by the AP and the client at the time of setting up a wireless connection. It is refreshed during the connection after pre-configured time has passed. It is also refreshed when client roams between APs using fast transition (FT) protocol.
  • Group Transient Key (GTK), used for encrypting broadcast and multicast messages from APs to clients. A GTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.
  • Integrity Group Transient Key (IGTK), used for providing integrity for broadcast and multicast management messages (called management frame protection or MFP) transmitted from the AP to the client. IGTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

The keys (GTK and IGTK) are refreshed when a client leaves the AP and the new keys are distributed to all remaining clients using a protocol called Group Key Handshake.

What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol and security certification system developed by the Wi-Fi Alliance in response to weaknesses found in the previous system, Wired Equivalent Privacy (WEP). This was an intermediate measure taken in anticipation of the availability of the more complex and secure WPA2. WPA is obsolete and insecure, and WatchGuard recommends that all customers use WPA2, and not WPA.

Is there a method to protect patched devices against unpatched devices?
WatchGuard is providing patches for all of our affected products, and for non-WatchGuard appliances, users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available.


Source: WatchGuard

Now Available: TDR 5.1 with APT Blocker Built-in

We’re thrilled to announce the general availability of Threat Detection and Response (TDR) 5.1, which includes some great new features that enhance both detection and response to threats as well as the overall user experience when testing new features. This release further increases the value of both TDR and the Total Security Suite, enabling users to more broadly identify threats across their network and respond to them in real-time.

This release of TDR includes two new key features:

  • APT Blocker
    With this release TDR can now directly triage suspicious files discovered by a Host Sensor by sending them to APT Blocker for further analysis. The submitted files undergo deep analysis for APT activity in a sandbox environment at a Lastline cloud-based data center. If evidence of malware activity is discovered, TDR can adjust the original suspicious threat score assigned to the file to prevent future infection. With sandbox policy enabled, this process and subsequent response can be automated, making threat triage incredibly easy and effortless.
  • Localization
    The TDR user interface is now available in French, Japanese, and Spanish. TDR automatically displays the localized user interface if your browser language is set to one of these languages.

To learn more, visit Threat Detection and Response.


Source: WatchGuard

Updates to Customer Support Phone System

As of Monday 18 September, WatchGuard Customer Support is pleased to announce some upcoming improvements to our phone system. We are integrating our phone system and CRM systems so that we can automatically find your account and contact information when you call in for support. We will use your phone number, either the number you call from or a number manually entered by you when you call, to locate your details within our system. We will use this information to prioritize your call and route your call to the correct support representative. We have also made some minor improvements to our language specific lines.

What to expect

  • Two new options when you call in to WatchGuard Technical Support:
    • You can select the language you want to be supported in (English, Spanish, French, Italian, Japanese, Mandarin)
    • You can confirm the best phone number for us to use to find your account information
  • Introduction of Business Hours for our language-specific phone lines:
    • The language-specific phone lines will open and close depending on customer time zone
    • During closed hours, customers who call a language-specific line will be given the option to leave a voicemail for the next available language speaker or to be transferred to an English-speaking representative

What you need to do

To prepare for these changes, we recommend that you log in to the WatchGuard website to verify your contact information is correct. We will use the phone numbers in your Profile to find your account when you call in. To review and update your profile information, click here. For more information about how to update your profile, you can also watch this video tutorial.


Source: WatchGuard

Fireware 12.0 is now available!

Fireware 12.0 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0 and WSM 12.0 after a comprehensive Beta where the release was installed 400 Fireboxes around the world. These significant new releases are now available for download from the software download center.

Fireware 12.0 improves on the efficacy and performance of our Gateway Antivirus (GAV) service through the introduction of a new lightweight detection engine. Fireware 12.0 also introduces more secure defaults, improvements to APT Blocker, and continued support for more advanced networking use cases. You can find full details in the What’s New presentation on the website, and we encourage everyone upgrading to read the Release Notes in advance. Here is a quick summary of some key enhancements:

New GAV engine from Bitdefender with many benefits: 

  • Breadth of Protection against known threats with industry-leading file coverage
  • Rapid response to new threats with multiple incremental signature updates per day
  • Machine learning to assist in detection of unknown and evasive malware types
  • Faster performance through optimized scanning of executables, Microsoft Office, PDF files and more!

Many of the settings in the VPN area have been updated to stronger default cryptography settings for authentication and encryption. SHA-256 and AES-256 are now the default in most cases. We have also removed the PPTP option for VPN because it is no longer considered to be a secure protocol.

There are some APT Blocker improvements to guard against the delivery of zero-day malware and ransomware via email, including

  • Optional delay in email messages while waiting for results from the sandbox detonation of unknown attachments
  • Analysis and detonation of javascript files that are included in email

There are more advanced networking use cases.

  • Host Header redirection allows the hosting of different web applications behind a single public IP address, by routing traffic based on URL paths included in HTTP headers.             
  • The Firebox can pass multicast (PIM-SM) traffic, which is used to deliver application traffic from one to many nodes – typically used in VoIP and broadcast applications.

There are many more enhancements so please pay close attention to the Release Notes and What’s New presentations.

AV Signatures in 11.x releases
Previously WatchGuard had announced that we would discontinue support for AV signatures for the older AVG engine in Fireware 11.x by January 2018. This support will now be extended until April 2018. We will continue to notify partners and customers about this issue over the coming months.  

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, which are now End of Life (EOL), and XTM 505, 510, 520, and 530 which are EOL in December of this year. 

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center. 

Contact 
For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.


Source: WatchGuard

Now Available: AP420 Indoor High Density Access Point

It gives me great pleasure to announce the availability of the AP420, our indoor 802.11ac Wave 2 4×4 access point. The AP420’s Multi-User MIMO (MU-MIMO) features mean it’s perfectly suited for the highest client density deployments. This access point easily serves crowded rooms full of smartphones, laptops and tablets to give users an excellent mobile connectivity experience. The AP420 also includes a 3rd radio for dedicated WIPS (Wireless Intrusion Prevention System) and RF optimization scanning. This 3rd radio will constantly defend your airspace against prolific man-in-the-middle (MitM) attacks responsible for stolen passwords, credit cards and other sensitive information, as well as optimize radio power, channel, and other RF parameters for the optimal Wi-Fi connectivity experience. Common deployment scenarios include tradeshow floors, auditoriums, large conference rooms, and shopping malls. 

Key Specifications

  • 802.11ac Wave 2
  • 4×4 MU-MIMO
  • Third 2×2 MIMO dual band radio for dedicated WIPS and RF scanning
  • Up to 800 Mbps for 2.4GHz
  • Up to 1.7 Gbps for 5GHz
  • 20/40/80/80+80 MHz channel width support
  • 10 internal antennas
  • 2x GbE ports (link aggregation supported in Wi-Fi Cloud)
  • PoE+ power required

The AP420 can be managed with either a Firebox®, via the Gateway Wireless Controller, or with WatchGuard’s Wi-Fi Cloud. With the Wi-Fi Cloud, you get an expanded set of features including:

  • WIPS powered with patented technology for hack-free hotspots
  • Engaging guest Wi-Fi experiences
  • Powerful location-based analytics
  • Ability to scale from 1 to unlimited access points with no infrastructure

The latest version of the Wi-Fi Cloud (Manage 8.3) includes new Wi-Fi performance features that improve the quality of experience for users connected to WatchGuard’s access points, new application visibility and firewall policy control, plus an integration with Google for Education to ensure that only devices registered in the school’s Google domain can connect to the school Wi-Fi network and enforce network access policies. This unique integration brings even more control, usability and ease of use to school districts.

To learn more, visit http://www.watchguard.com/wifi


Source: WatchGuard