150 Cards in this Set

  • Front
  • Back
Which of these wireless modes are supported on the 5 GHz radio band? (Select two.)



a. 802.11a


b. 802.11b


c. 802.11g


d. 802.11n

a, d. The 5 GHz radio band supports 802.11a and 802.11n wireless modes
When two AP devices paired to the same Firebox use the same SSID, what controls wireless roaming behavior for wireless clients? (Select one.)



a. The Gateway Wireless Controller on the Firebox


b. The two AP devices


c. The wireless clients

c. Roaming behavior is controlled by the wireless clients, not the AP devices or the Gateway Wireless Controller
If you enable VLAN tagging in an SSID, you must also enable management VLAN tagging in the Gateway Wireless Controller settings.



a. True


b. False

b. (False) You can optionally enable management VLAN tagging, but it is not required.

Which passphrase does the Gateway Wireless Controller use to connect to a paired WatchGuard AP device? (Select one.)




a. WPA/WPA2 (PSK) passphrase


b. Firebox configuration passphrase


c. Pairing passphrase


d. WatchGuard AP passphrase

d. The Gateway Wireless Controller uses the WatchGuard AP passphrase to connect to all paired AP devices

Which of these options can you configure in the hotspot connection settings? (Select three.)




a. Allow hotspot users to connect without credentials.


b. Allow hotspot users to connect without accepting Terms and Conditions.


c. Require hotspot users to authenticate with a user name and passphrase.


d. Require hotspot users to authenticate with only a passphrase.


e. Require users to authenticate with a VPN client.

a, c, d. There are no options to skip the Terms and Conditions or require a VPN client

Name the two types of WatchGuard wireless devices

1: Firebox and XTM devices with built-in wireless access points




2: WatchGuard AP devices

Name the WatchGuard AP devices

AP100, AP200, AP300 – indoor


AP102 – indoor/outdoor

Name the Firebox and XTM devices with built-in wireless

Firebox T10-W, T30-W, T50-W


XTM 25-W, XTM 26-W, XTM 33-W

What functionality do both Firebox - XTM wireless devices and WatchGuard AP devices share

Support 2.4 GHz and 5 GHz, 802.11a/b/g/n (802.11ac for T30-W, T50-W, AP300)




Managed by WatchGuard System Manager, Fireware XTM Web UI, or CLI

What functionality do Firebox and XTM wireless devices have

•One built-in radio supports up to three SSIDs




•Can be configured to use wireless for external (as a wireless client)




•Each wireless access point or client is configured as a network interface

What functionality do WatchGuard AP devices have

•Each AP device has one or two radios




•Configure up to eight SSIDs per radio




•Must be paired with and managed by a Firebox or XTM device


Connect to a trusted, optional, or custom network


A single Firebox device can manage many access points




•You can configure the same SSID on more than one AP device for better wireless coverage

What common set of wireless features and configuration settings do Firebox and XTM wireless devices share

•Single dual-band radio




•2.4 GHz / 5 GHz switchable




•802.11a/b/g/n




•802.11ac (T30-W and T50-W only)




•3 SSIDs

Which Firebox and XTM wireless devices have internal antennas

Firebox T10-W, T30-W, T50-W

Which Firebox and XTM wireless devices have external antennas

XTM 25-W


XTM 25-W


XTM 33-W

What functionality does the AP100 and AP102 have

•Single dual-band radio




•2.4 GHz / 5 GHz switchable




•2x2:2 MIMO 802.11 a/b/g/n




•Up to 300 Mbps




•8 SSIDs

What functionality does the AP200 have

•Dual radios




•2.4GHz and 5 GHz




•2x2:2 MIMO 802.11 a/b/g/n




•Up to 600 Mbps




•8 SSIDs per radio

What functionality does the AP300 have

•Dual radios




•2.4GHz and 5 GHz




•3x3 MIMO 802.11 a/b/g/n/ac




•Up to 1300 Mbps




•8 SSIDs per radio

What functionality does the AP102 have over the AP100

•Weather-proof design for outdoor installations

How are all WatchGuard AP devices powered

•AC Adapter




•802.3af compliant PoE injector or switch

How do you configure a Firebox wireless device

In Policy Manager (or Web GUI) > Network > Wireless

How do you configure a WatchGuard AP device

In Policy Manager (or Web GUI) > Network > Gateway Wireless Controller




( Gateway Wireless Controller is a component of Fireware OS that you use to manage and monitor AP devices)

How do you see the wireless status of a Firebox

Select System Status > Wireless Statistics in the Fireware XTM Web UI



How do you see the wireless status of a WatchGuard AP device

•Select Dashboard > Gateway Wireless Controller in the Fireware XTM Web UI.




•Select the Gateway Wireless Controller tab in Firebox System Manager.

What wireless modes does WatchGuard support

•802.11a




•802.11b




•802.11g




•802.11n




•802.11ac (AP300, T30-W, and T50-W only)

What wireless mode is only supported by AP300, T30-W and T50-W

802.11ac

What is IEEE 802.11

They define a set of standards for wireless networks

What happens if you configure an access point to support more than one mode

Overall radio performance can decrease

Are management frames sent at the lowest or highest rate

Sent at the lowest rate supported by connected clients

What wireless bands are supported by WatchGuard wireless devices

2.4 GHz and 5 GHz wireless bands

What wireless modes are supported by 2.4GHz

Supports 802.11b, 802.11g, 802.11n wireless modes

What has greater range 2.4GHz or 5GHz

2.4GHz Range is generally greater than 5GHz, because lower frequency radio waves can move more easily through some physical barriers

How many channels does 2.4GHz support

Supports 14 channels; three non-overlapping channels

What channel has higher chance of interference 2.4GHz or 5GHz

2.4GHz has a higher chance of signal interference from other wireless devices and networks




–Many wireless devices use 2.4 GHz (Bluetooth, cordless phones, radio controlled toys)




–2.4GHz band has fewer non-overlapping channels than 5GHz band




-5GHz has more channels, so less chance of interference from other wireless devices

What wireless modes are supported by 5GHz

Supports 802.11a, 802.11n, and 802.11ac wireless modes

How many channels does 5GHz support

5 GHz band supports 23 non-overlapping channels

Can you use radio channels valid in other countries

Due to different regional regulatory requirements, the location of your wireless device affects the available radio channels in each band.




•Access points only use channels that are valid in the country where the device is located.

Can you configure preferred radio channels

Yes

How are radio channels selected

By default, all WatchGuard wireless devices automatically attempt to select a quiet available radio channel in the band.




•You can also configure a preferred channel.




•If you deploy multiple AP devices, we recommend that you manually configure the channel on each AP device to minimize channel conflicts.




You can use the Gateway Wireless Controller maps in the Fireware XTM Web UI to decide which channels to use based on your wireless environment.

What modes are supported on Firebox and XTM wireless devices on the 2.4GHz band

802.11 B/G/N Mixed (default)




802.11 B/G Mixed




802.11 N/G Mixed




802.11 B only

What modes are supported on Firebox and XTM wireless devices on the 5GHz band

802.11 A/N Mixed (default)




802.11 A




802.11 AC (T30-W and T50-W only)

What modes are supported on WatchGuard AP devices on the 5GHz band

802.11 A/N Mixed (default)




802.11 A

802.11 N only




802.11 N/AC (default for AP300)

What modes are supported on WatchGuard AP devices on the 2.4GHz band

802.11 G/N (default)




802.11 N only




802.11 B/G/N Mixed




802.11 B/G Mixed




802.11 G

What setting for each wireless band is selected by default.

The most flexible settings for each band are selected by default.

What must you configure for each SSID

Authentication and encryption method. These settings are known as the security mode.

What are the Wireless Security Modes (From least to most secure)

•Open System/Disabled — requires no authentication (not recommended for wireless connections to private network resources, such as on a trusted network)




•Wired Equivalent Privacy (WEP) — has known security vulnerabilities




•Wi-Fi Protected Access (WPA) — successor to WEP, more secure




•Wi-Fi Protected Access II (WPA2) — most secure

What are the two types of authentication WPA and WPA2 support

•Pre-shared key (PSK) — users must know the pre-shared key to connect




•Enterprise — requires users to authenticate to an external RADIUS server




Enterprise authentication is more secure than WPA/WPA2 (PSK) because users must each authenticate with their own enterprise credentials instead of one shared key that is known by everyone who uses the wireless access point.

What are the two encryption protocols supported by WPA and WPA2

•AES — uses Advanced Encryption Standard (AES) for encryption (most secure)




•TKIP or AES — uses Temporal Key Integrity Protocol or AES for encryption

What are the security settings for an SSID on a Firebox or XTM device

•WPA/WPA2 (PSK) requires a passphrase.




•WPA/WPA2 Enterprise supports a RADIUS authentication server or you can use Firebox-DB for user authentication.

What are the security settings for an SSID on an AP device

•WPA/WPA2 (PSK) security mode requires a passphrase




•WPA/WPA2 Enterprise security mode requires a RADIUS server for authentication.

What are the two ways to control access by MAC address

•Allowed MAC addresses (whitelist)


a list of MAC addresses that are allowed to connect




•Denied MAC addresses (blacklist)


a list of MAC addresses that are not allowed to connect

Are "Allowed MAC Addresses" and "Denied MAC Addresses" supported for both Firebox and XTM devices and AP devices.

Firebox and XTM wireless devices support an allowed MAC address list




AP devices support an allowed MAC address list or a denied MAC address list for an SSID.

Why use MAC Access Control

A malicious client could still use MAC address spoofing to connect

What is a custom security zone

We recommend that you configure a wireless guest network in the Custom security zone, so that wireless guests cannot access computers on your trusted or optional networks.




•A custom interface enables you to define a custom security zone that is separate from the predefined trusted, optional, and external zones.




•A custom interface is not a member of the built-in aliases Any-Trusted or Any-Optional.




•Traffic for a custom interface is not allowed through the Firebox device unless you specifically configure policies to allow it.

What should you do as part of Wireless Requirements Gathering

•What wireless modes must your access point support (802.11a/b/g/n/ac)?


What types of wireless clients do you want to allow to connect?


What wireless modes do they typically support?




•What SSIDs and networks do you want to create?


Are there groups of wireless users who need wireless access to different network resources?


Do you want to set up a guest wireless network that only allows Internet access?




•Where is the best physical location for each AP devices?


What is the physical size of the environments wireless users will connect from?


Do you need more than one AP device to cover multiple areas?

Why are wireless site surveys helpful?

•Measure before deployment as part of planning


Measure any existing wireless signals and interference in your environment.


Measure wireless signal strength at different locations.




•Measure after deployment to see the AP signal strength and range


After you install your access points, make another heat map to see if your current placement provides adequate coverage and signal strength.

What can you use to do a wireless site survey

•It can be helpful to use a wireless site survey tool such as Ekahau HeatMapper.




•Use the Gateway Wireless Controller Maps




After you set up a WatchGuard AP device, you can use the Maps feature in the Gateway Wireless Controller Dashboard to see a visual representation of your wireless network, including signal strength and range, and channel conflict information.

What are the wireless placement guidelines

•Install in a central location away from any corners, walls, or other obstructions.




•Install high above the floor to provide the overall best signal strength.




•Install away from electronic devices that can interfere with the signal.




•Install access points far enough apart to provide maximum coverage for your wireless network area of availability. For wireless coverage over many floors, consider both vertical and horizontal space.

What are the two options when configuring a Firebox wireless device

You can enable wireless for external or internal network access.




•Select Enable wireless client as external interface to enable wireless as an external interface.




OR




•Select Enable wireless access points to enable up to three separate wireless access points for connections from wireless clients.

What radio settings can you configure when setting up a Firebox wireless device

Radio settings apply to all enabled wireless access points on the device.




•Country is selected automatically.




•Select the wireless band and mode.




•Channel is set automatically unless you select a specific channel.

With a Firebox wireless device what can you configure with "Enable wireless client as external interface"


•Use DHCP or configure a static IP address.




•Configure wireless client settings needed to connect.





How does a Firebox wireless device configured with "Enable wireless client as external interface" connect to the network

•The Firebox connects to another access point as a wireless client.




•Devices on the trusted or optional networks must be directly connected.





With a Firebox wireless device what can you configure with "Enable wireless access points"

- SSID for up to 3 access points




- Interface Type (Trusted, Optional, Custom, etc etc)





With a WatchGuard AP device what can you configure in the "Network" tab

•Interface Name (Alias)


The alias for this interface in the Firebox configuration.


It is not visible to wireless clients.




•Interface Type


Trusted, Optional, Custom, Bridge, or VLAN




•IP Address


This is the default gateway for wireless clients.


•DHCP


The Address Pool defines the IP addresses assigned to wireless clients that connect to this access point.





With a WatchGuard AP device what can you configure in the "Wireless" tab

•SSID — this is the name of the network that wireless clients connect to.




•Broadcast SSID — Select this check box if you want to broadcast the SSID to wireless clients.




•Select the authentication and encryption algorithms to use.




For WPA/WPA2 (PSK) authentication, specify the passphrase.


–Wireless clients must know this passphrase to connect.




For WPA/WPA2 Enterprise authentication, select the authentication server (RADIUS or Firebox-DB).


–You must also enable the RADIUS server or add users to the Firebox-DB in the Authentication Servers settings.





With a WatchGuard AP device what can you configure in the "MAC Access Control" tab

On the MAC Access Control tab, you can restrict which devices can connect to this wireless access point, based on the client device MAC address.




•When you restrict access by MAC address, only wireless devices with the listed MAC addresses can connect to this wireless network.







Where can you view Wireless interfaces

Select Network > Configuration to see the interface list.




Wireless interfaces appear in the interfaces list, below the numbered physical interfaces.




The wireless interface numbers are:


•ath0 — wireless client external interface


•ath1 — Access point 1


•ath2 — Access point 2


•ath3 — Access point 3





What happens if you configure an AP as a Trusted or Optional interface

•The interface is a member of the built-in Any-Trusted or Any-Optional alias.




•All existing policies in your configuration that allow traffic to or from the Any-Trusted or Any-Optional aliases also allow traffic to or from wireless clients that connect to a trusted or optional wireless interface.




•If you need the wireless interface to be on the same network as your trusted or optional networks, you must create a network bridge.

What happens if you configure an AP as a Custom interface

•The interface is not a member of the built-in aliases.




•You must modify or add policies to allow traffic to or from the access point.

How do you configure an AP as a Custom interface

1.Configure an access point as a Custom interface.




2.Enable SSID broadcasts so wireless clients can find your network.




3.Add a policy to allow traffic from the wireless guest interface to External.





How do you monitor the Wireless Device Status (System Manager)

In Firebox System Manager Front Panel, expand the Interfaces list to see:




•Wireless radio settings


•Traffic statistics for each wireless interface





How do you monitor the Wireless Device Status (Web UI)

In the Fireware XTM Web UI, select System Status > Wireless Statistics to see wireless statistics and a list of connected wireless clients.





What are the two ways to add an AP device in a Firebox network

What happens if you plug an AP directly into the Firebox interface?

If you connect the AP directly to a Firebox interface, the wireless users do not automatically have access to trusted resources connected to other trusted interfaces.




You still need to create policies to allow that traffic because the wireless users are on a separate trusted network.




The default policies only allow outbound traffic from trusted networks, but do not allow traffic between devices on different trusted networks.





What happens if you plug an AP into a switch on the trusted network?

If you connect the AP to a switch on the trusted network, the wireless users can access other network resources on the network connected to the same interface.




You do not need to create any policies to allow access because the traffic does not go through the Firebox.




You must still create policies for traffic to any other trusted interface.





What are the requirements for a Firebox device to manage an AP device

•Fireware XTM OS v11.7.2 or higher for AP100, AP102, AP200




•Fireware XTM OS v11.10.5 or higher for AP300




•Network configured in mixed routing mode.




•The AP device must connect to a trusted, optional, or custom interface.


To manage the AP device on a custom interface you must configure the WatchGuard Gateway Wireless Controller policy to allow traffic from the custom network zone.




•The Firebox device configuration must include a policy that allows NTP traffic from the AP device to the Internet.


The AP device uses an NTP server to set the correct local time.




•All AP devices on your network require access to WatchGuard servers (*.watchguard.com) on port 443 to register and activate the device, obtain country and regional information, and check for new firmware updates.

What is the default IP address for an AP device

By default, an AP device uses DHCP to request an IP address.




If a DHCP server is not available, the AP device uses a static IP address.


•Default IP Address: 192.168.1.1


•Subnet Mask: 255.255.255.0


•Default Gateway: 192.168.1.1

How do you access an AP on its default settings

•You can connect to the Access Point web UI at https://192.168.1.1, or at the DHCP IP address.




•For an unpaired AP device, the default management password is wgwap.




•For a paired AP device, the management password is the WatchGuard AP Password configured in the Gateway Wireless Controller.


•You do not need to use the Access Point web UI unless you want to assign a static IP address to the AP device, or manually upgrade the firmware.

How do you deploy an AP device on your network

1.Enable the Gateway Wireless Controller on the Firebox device.


2.Connect the AP device to your network.


3.Pair the AP device with the Firebox device.


4.Configure the AP device settings.


5.Configure the SSIDs.

What must you do to an AP if you want to enable VLAN Tagging

•Create a tagged VLAN for each SSID.




•Create an untagged VLAN for management of the AP device.



What does the Gateway Wireless Controller do?

On the Firebox device, the Gateway Wireless Controller connects to and manages AP devices.




•An AP device is paired to the Firebox device that manages it.


•A Firebox device can manage many paired AP devices.

What can you configure on the Gateway Wireless Controller

•Gateway Wireless Controller settings


Settings that apply to all AP devices paired to this device




•AP device settings


Settings that apply to a single AP device




•SSIDs


Settings for SSIDs that wireless clients use to connect to your network.


SSIDs can be used by multiple AP devices.

How do you enable the Gateway Wireless Controller

1.In Policy Manager, select Network > Gateway Wireless Controller.




2.Select the Enable the Gateway Wireless Controller check box.




3.Set the WatchGuard AP Passphrase.


The passphrase is used for management connections to AP devices after they are paired to the Firebox device.




4.Save the configuration


Save the configuration to the Firebox device to enable AP device discovery.

What policy is automatically added when the Gateway Wireless Controller is enabled.

WatchGuard Gateway Wireless Controller policy is automatically added.




•This policy enables AP device discovery and management.



What traffic does the WatchGuard Gateway Wireless Controller policy allow by default.

•By default, it allows UDP traffic on port 2529 from the Trusted and Optional networks to the Firebox device.

If you enable automatic WatchGuard AP device firmware updates when are these performed.

When this is enabled, the Gateway Wireless Controller updates the AP devices one at a time, if a new firmware version is available on the Firebox device.




Automatic updates are performed between 00:00 (midnight) and 04:00 based on the local Firebox time.

What can you configure in the settings of the Gateway Wireless Controller

•Set the WatchGuard AP Passphrase.


You set this when you first enable the Gateway Wireless Controller.


If you change it, the Gateway Wireless Controller updates all the AP devices to use this passphrase.




•Management VLAN tagging




•Send WatchGuard AP log messages to a syslog server


If you configure a syslog server, make sure all of your AP devices can connect to it. You might need to add a syslog policy to allow traffic from the AP devices to your syslog server.




•Enable logging


Enable logging to see wireless events in reports.




•Enable scheduled restarts


Reboot or restart wireless on your AP devices at scheduled times.




•Enable alarm notifications


Alarms for offline AP devices and rogue access points





What should you do before connecting an AP device to an interface on a Firebox

Before you connect an AP device to an interface, enable the interface.




•Set the Interface Type.


•Enable the DHCP Server.


•Configure a pool of IP addresses to assign to the AP device and to wireless clients.





What can you configure in the "Access Points" tab of the Gateway Wireless Controller

Manage AP devices in the Access Points tab.




You can add, edit or remove AP devices.


•Add — manually add an AP device


If you do not have an AP device, you can manually add one here, so that you can see the configuration settings while you complete this training.


•Edit — edit AP device settings


•Remove — remove an AP device


Removes the AP device from the configuration


If the AP device is connected, resets the AP device to factory-default settings




In the Unpaired Access Points list, you can discover and pair new AP devices.





How do you discover an unpaired AP device

When you first connect the AP device, it is an unpaired Access Point.




•The power LED on the AP device alternates from green to amber when the device is unpaired. (AP100/102/200)




•The power LED alternates flashing green with the wireless LED (AP300)




To discover the unpaired AP device:




1.Select Network > Gateway Wireless Controller.


2.Select the Access Points tab.


3.Click Refresh.


4.Type the Firebox IP address and configuration passphrase.


The Firebox sends a local broadcast over UDP port 2529 every 30 seconds to discover unpaired AP devices.





How do you pair an unpaired AP device

Once an AP has been discovered and shows in the Unpaired Access Points list you can pair it by:




1.Select an unpaired access point and click Pair.




2.Type the Pairing Passphrase.


This must match the current passphrase on the AP device.


For a new AP device, the pairing passphrase is wgwap.


If the AP device has a different passphrase, use that as the pairing passphrase




3.Edit the Access Point settings.




The pairing is not complete until you save the configuration to the Firebox.





How do you edit an existing AP's settings

When you pair an AP device, the Edit Access Point dialog box opens automatically.




Set the AP device Name.


•This identifies the device in the Gateway Wireless Controller.


•It is not visible to wireless clients.




Configure Network Settings (DHCP or Static IP address).


•Select DHCP if you want the device to use DHCP to request an IP address.


•Select Static to configure a static IP address and gateway.





What settings can you edit on an existing AP



Set the AP device Name.


•This identifies the device in the Gateway Wireless Controller.


•It is not visible to wireless clients.




Configure Network Settings (DHCP or Static IP address).


•Select DHCP if you want the device to use DHCP to request an IP address.


•Select Static to configure a static IP address and gateway.




Serial Number is automatically set for a paired AP device.




Other settings:




•Syslog server


If specified, this overrides the syslog server in the Gateway Wireless Controller settings.




•Management VLAN tagging


Enables VLAN tagging for management connections.




•Disable LEDs


Disables the LEDs on your AP device (stealth mode)




•Use outdoor channels only


Appropriate for an AP102 installed outdoors.




•Disable DFS channels


Avoid use of radar channels




•Fast Handover (AP300 only)


Encourage clients to move to an AP with stronger signal based on RSSI




•Band Steering (AP300 only)


Encourage 2.4GHz clients to move to 5GHz





What APs can only use 1 radio and what APs can use both?

•AP100 and AP102 have one radio that can use the 2.4 GHz or 5 GHz band.




•AP200 and AP300 have two radios. Radio 1 uses the 2.4 GHz band, and Radio 2 uses the 5 GHz band.

On what AP can you set client limits per radio

AP300

What radio settings can be configured per AP

For each radio, configure the Wireless Mode and other settings.




For each radio, select the configured SSIDs to use (up to 8 per radio).


•If you have already configured SSIDs, select an SSID, click Add.


•You can leave the SSID blank if you have not configured SSIDs yet.





What happens after you save the configuration after you have paired an AP

1.The Firebox uses the pairing passphrase to connect to the AP device.




2.The Firebox sends the configuration to the AP device.




3.The Firebox changes the passphrase on the AP device to the WatchGuard AP Passphrase you specified.




4.The Firebox attempts to activate the AP device with WatchGuard.


Requires port 443 access to WatchGuard


Activation status does not affect AP device functionality




5.The AP device restarts. After pairing is complete, the power light on the AP device changes to solid green.

How do you check the AP status


After you pair the device, or save a configuration change, check the Access Point status in Firebox System Manager.




•After the configuration update is complete, the status should be Online.


•AP device monitoring is covered in more detail in a later section.





How do you see detailed log messages for the Gateway Wireless Controller


If you change the Diagnostic log level for the Gateway Wireless Controller (GWC) to Information, the Gateway Wireless Controller creates detailed log messages.




To change the log level in Policy Manager:

1.Select Setup > Logging.




2.Click Diagnostic Log Level.




3.Select Networking > GWC.




4.Use the slider to set the log level to Information.





What is this an example of






Example log messages during AP device discovery (after you click Refresh to update the Unpaired Access Points list)

What is this an example of






Example log messages during AP device pairing (after you select a discovered AP device and click Pair)

In the Gateway Wireless Controller what settings can you change for the SSID

Can you limit certain SSIDs to specific APs


Yes

What are the 3 rate shaping settings you can set in regards to SSIDs

•These limits are applied to all combined traffic on the SSID, and not on a per client basis.




Base Rate — Download traffic is not allowed to exceed this limit (in kilobits per second) except for burst activity.




Ceiling Rate — The hard limit throughput rate in kilobits per second. This limit includes burst activity.




Burst — The maximum number of kilobytes allowed beyond the base rate. Set to 0 to disable bursting.




Enable an activation schedule


•Limits access to this SSID based on the times you configure.

True or False - AP devices support Firebox-DB for Enterprise Authentication

False

Which AP supports Fast Roaming to prevent network interruption while roaming

AP300

What authentication and encryption algorithms can you use on SSIDs

•For WPA/WPA2 (PSK) authentication, specify the passphrase.




Wireless clients must know this passphrase to connect.




•For WPA/WPA2 Enterprise authentication, select the RADIUS authentication server.




You must also enable the RADIUS server in the Authentication Servers settings.


It might be necessary to add a RADIUS policy to allow traffic from your AP devices to the RADIUS server.


AP devices do not support Firebox-DB for Enterprise authentication.

Can you do MAC Access Control on a per SSID basis

Yes - both Allowed and Denied MAC Addresses

What is station isolation

•Station isolation prevents direct traffic between wireless clients that connect to the SSID on the same radio.




•When station isolation is enabled, all traffic between wireless clients connected to the same radio goes through the firewall.




•Recommended for wireless networks (such as a wireless guest network) where clients do not trust each other.

What are the two ways to reset an AP


Method 1: Use the Reset button on the AP device




•Press and hold the reset button for five seconds or longer to reset the AP device to factory-default settings.


If you hold the reset button for less than 5 seconds, the AP device reboots, but is not reset.


If your AP device uses older AP firmware (v1.2.9.1 or lower), press and hold the reset button for 15 seconds or longer to reset it.




•If you reset a paired AP device, the Gateway Wireless Controller can use the pairing passphrase to connect to the AP device. If the Gateway Wireless Controller successfully connects, it sends the configuration to the AP device and resets the AP device passphrase to the WatchGuard AP Passphrase.




Method 2: Unpair the device in the Gateway Wireless Controller




•Select a paired AP device in the Gateway Wireless Controller and click Remove.




•When you save the configuration to the Firebox device, if the Gateway Wireless Controller can connect to the AP device, it resets the AP device to factory-default settings.





Differences between VLAN Tagging and not VLAN Tagging

Without VLAN tagging:




All traffic from the AP device is in the same security zone as the network the AP device connects to. (Trusted, Optional, or Custom)




You cannot create separate firewall policies for traffic for different SSIDs.




With VLAN tagging:




You can create VLANs in different security zones for traffic for different SSIDs.




You can apply different policies to traffic for different VLANs.




You can identify and examine traffic for each VLAN in log messages or in a network analyzer.




If you use VLAN tagging, we recommend that you use an untagged VLAN for AP device management.

What must you do before VLAN tagging on an access point

Before you enable VLAN tagging in the Access Point, you must configure VLANs on the Firebox device.




•Enable VLANs before you connect and pair the AP device.




•The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.




You can optionally enable management VLAN tagging, but that is not recommended.

How do you configure VLANs on the Firebox device

1.Add one VLAN for each SSID.




2.Add one VLAN for management connections to the AP device.




3.Enable DHCP server or DHCP relay for each VLAN.




4.Configure the Firebox device interface that the AP device connects to as a VLAN interface that passes tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.

What are the VLAN configuration options

On the Firebox, VLAN configuration is the same for either of these connection options:




•Connect the AP device directly to a VLAN interface.




•Connect the AP device to the VLAN interface through a VLAN switch.




If you connect the AP device to a switch, you must also configure the same VLANs on the switch ports.

How do you enable VLAN Tagging on SSIDs

What must you do to allow traffic to a newly created VLAN for wireless users (if using a Custom interface)


Because the VLAN for wireless guest users is in the Custom security zone, you must add a policy to allow traffic from this VLAN to the external interface.





How does having a VLAN Tag affect Station Isolation

•Without a VLAN, station isolation prevents direct traffic only between wireless clients connected to the same AP device radio.




•With a VLAN, station isolation prevents direct traffic between wireless clients connected to multiple AP devices that use the same SSID.

How do you set up Station Isolation with VLAN Tagging

1.Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.

2.Configure the interfaces that the AP devices will connect to as VLAN interfaces that send and receive untagged traffic for the VLAN.

3.Create the SSID, with station isolation enabled.

4.Connect the AP devices to the VLAN interfaces.

5.Discover and pair the AP devices, and configure them to use the SSID.

What are the two places you can enable Management VLAN Tagging

•In the configuration for each AP device




•In the Gateway Wireless Controller settings

What is the default management VLAN when VLAN Tagging is enabled in the Gateway Wireless Controller

•The Gateway Wireless Controller uses the tagged VLAN for management traffic to all AP devices, unless a different Management VLAN ID is specified in the settings for an individual AP device.





If you have VLAN Tagging enabled can you discover new and factory reset AP devices in the Gateway Wireless Controller

•The Gateway Wireless Controller cannot discover and pair with a new AP device or an AP device that has been reset.




An AP device with factory-default settings does not have management VLAN tagging enabled.




It is not possible to enable management VLAN tagging in the Access Point Web UI.




To successfully use this feature, you must first pair with the AP devices without management VLAN tagging enabled.

Where can you monitor AP devices and Wireless clients

Monitor AP devices and connected wireless clients in:




•Firebox System Manager on the Gateway Wireless Controller tab.


Select the Access Points tab to monitor paired AP devices.


Select the Wireless Clients tab to monitor or disconnect wireless clients.




•Fireware XTM Web UI on the Dashboard > Gateway Wireless Controller page.


Select the Access Points tab to monitor paired AP devices.


Select the Wireless Clients tab to monitor or disconnect wireless clients.


Select the Wireless Maps tab to view wireless maps of AP devices and other nearby wireless devices.

In the Gateway Wireless Controller tab of the Firebox System Manager what details can you see for each AP


•AP name


•AP device status


•SSIDs


•IP address


•Radio band & channel


•Firmware version


•AP model


•Activation status


•Uptime





In the Gateway Wireless Controller tab of the Firebox System Manager what details can you see for each AP in the "Access Points" section. What actions can you do from that view


•Reboot — Reboot the AP device. (You can select multiple AP devices to reboot.)


You can also reboot by pressing the reset button on the AP device briefly (less than 5 seconds).




•Restart Wireless — Restart the wireless interfaces. This causes the AP device to auto-select a new wireless channel without a reboot. (You can select multiple AP devices and restart their wireless interfaces.)




•Flash Power LEDs — Flash the power LED on the specified AP device to help with identification.


The power LED on the AP device flashes green for several minutes.


This is useful if you use the Disable LEDs option to operate your AP device in stealth mode.




•Upgrade — Upgrade the firmware on the selected AP device. (You can select multiple AP devices to upgrade.)




•Site Survey — Start a scan from the AP device to detect other wireless access points.




•Log Messages — See log messages on the AP device.




•Network Statistics — See the network status report for the AP device.





What does the "online" status mean for an AP

If the Firebox device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.

What does the "offline" status mean for an AP

If the Firebox device cannot contact the AP device, the device status is Offline.




When an AP device reboots, the status is Offline during the reboot.

What does the "passphrase mismatch" status mean for an AP

If the Pairing Passphrase on the Firebox device does not match the passphrase on the AP device, AP device status is Passphrase mismatch.




To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device.




The default AP device passphrase is wgwap.

In the Gateway Wireless Controller tab of the Firebox System Manager what details can you see for each connected wireless client


•If clients use Firebox DHCP, you will see client host name and IP address




•Client MAC Address




•SSID, AP, and radio the client is connected to




•Amount of data the client has sent and received through the AP device




•Signal strength




•How long it has been since the client has sent or received data through the AP device





Where can you view statistics for the wireless environment


In Fireware XTM Web UI, the Dashboard > Gateway Wireless Controller page provides statistics and tools to monitor your wireless environment.





What can you see in the Gateway Wireless Controller Dashboard of the Fireware XTM Web UI


The Summary tab shows Access Point summary statistics.




The Access Points and Wireless Clients tabs are similar to the same tabs in the Gateway Wireless Controller tab in Firebox System Manager.





What are the two Gateway Wireless Controller Maps

The Maps tab on the Dashboard > Gateway Wireless Controller page includes two maps to help you visualize your wireless environment.




•The Wireless Coverage Map helps you assess wireless coverage.




•The Channel Conflict Map helps you identify radio channel conflicts.

How can you filter maps

- Radio Band


- SSID

How do APs appear in the Wireless Deployment Maps

Access Points in the Wireless Deployment Maps appear as colored dots.




•The color of the dots depends on the map view.


•Access points that are not part of your AP device deployment appear in both maps as small, light blue dots.

What do Wireless Coverage Maps show


The Wireless Coverage Map shows the wireless coverage for multiple access points.




If your AP devices are located in positions that provide good coverage for wireless roaming between AP devices:




The Wireless Coverage Map should resemble a mesh pattern where there are as many redundant links as possible between AP devices.




The distance between AP devices should be relatively uniform.




Lines between the devices should be solid green or dashed green.




Red or yellow lines indicate a channel conflict between the two devices.





What do Channel Conflict Maps show


Channel Conflict Map shows the location of your AP devices and any other access points in the vicinity.




To see more detailed information about channel conflicts for a specific device, right-click the device and click View Details.




Access Points move around on the map based on relative signal strength.




To anchor the AP devices to a location on the map, select Sticky Access Points. Then click and drag each device where you want it.





What is "Foreign BSSIDs" in the Gateway Wireless Controller


Displays all foreign wireless access points that operate within range of your managed AP devices.




The BSSID (Broadcast SSID) is the MAC address of the wireless access point if broadcast is disabled.




Some of these foreign access points could be rogue access points.




A rogue access point is any wireless access point within range of your network that is not recognized as a paired access point or configured exception in your wireless deployment.




Rogue access points also appear in coverage and channel conflict maps.





How can you view the details of an AP from maps


Select an AP device to see more information about it.




Click View Details to see more detailed information about the AP device.





What do the following lines from maps mean






What do the AP colours in maps mean






What is a wireless hotspot

Use a hotspot to provide Internet connectivity to your visitors or customers.




A hotspot gives you more control over guest connections to your network.




•A hotspot can apply to wired and wireless connections to an interface.

What wireless hotspot settings can you customise

•The interface on which the hotspot runs

•What type of authentication is required to use your hotspot

•The splash page that users see when they connect

•The terms and conditions that users must accept before they can use your wireless network

•The maximum length of time a user can be continuously connected

How do you configure wireless hotspots


1.In Policy Manager, select Setup > Authentication > Hotspot.




2.Select Enable hotspot on an interface.




3.Select the interface you have configured as a wireless guest network.


•For a Firebox or XTM wireless device, select the name of the wireless interface.


•For a WatchGuard Access Point:




Select the Firebox device interface the AP device connects to.


–This enables the hotspot for all SSIDs on the AP device that connects to this interface.


–If the interface has wired clients, the hotspot also applies to those connections.




If you use VLAN tagging, select the name of the VLAN your guest SSID uses.


–If your AP device has multiple SSIDs, you must enable VLAN tagging if you want to enable a hotspot on only one SSID.





What are the two hotspot types


•Custom Page




Use the custom page on the Firebox device for hotspot connections.


On the Hotspot Connections tab, specify whether hotspot users must authenticate.


On the Customize Hotspot Page tab, customize the page users see when they connect.




•External Guest Authentication


This is not common, and requires that you configure a separate web server for authentication.





What are the two ways to connect to a hotspot


- Allow all users to connect without credentials




•Users must accept your terms and conditions, but do not need a user name or password to use your hotspot.




- Require users to authenticate with generated credentials




•Add at least one Guest Administrator account.


•The Guest Administrator creates and manages hotspot guest user accounts.


•Hotspot users use guest account credentials to authenticate to the hotspot.





What is the address for the wireless guest administration web portal

Guest Administrators connect to the Firebox or XTM device at:




https://:8080/wirelessguest/

What can guest administrators do

•Manage guest user accounts




•Print custom vouchers for guest user accounts (they can also customise vouchers)

What settings can guest administrators change when setting up a guest user

•User Name Prefix


The prefix for all guest user account user names.


When guest user accounts are generated, each user name begins with this prefix.




•Account Lifetime


The amount of time that each guest user account can be used after it is activated for the first time.


When the guest user logs in with the guest user account credentials, the countdown starts.


The default account lifetime is 24 hours.




•Account Expiration


The amount of time after which the guest user account expires and is removed from the Guest Accounts list.


If the guest user account has not been activated before the account expiration time is reached, the guest user account still expires.

What customisations can guest administrators make to vouchers

•Business Name


The name of the company where the hotspot is located.


The name you specify is included in the voucher text.




•Contact Information


The contact information for the company.


This text can include instructions to get hotspot connection help as well as contact numbers or addresses.




•Use a custom logo


Upload the company logo to use on the voucher.


The logo file can include images, text, and other special information that you want to give guest users.


Image files must be JPG, PNG, or GIF files. There is no size constraint on the logo image files, but the recommended size is 90 x 50 pixels.

Can you customise the hotspot page


Yes





How do you connect to a wireless hotspot

1.Connect to the wireless network




•Select the SSID from the list of available wireless networks.


•Type the SSID password, if required.


To avoid this step for guests, configure the Access Point SSID to not require a password.


–For an AP device SSID, set the Security Mode to Disabled.


–For a Firebox or XTM device wireless access point, set Encryption to Open System.




2.Connect to the hotspot


•Open a browser and browse to any website. The Hotspot splash page appears.


•Accept the terms and conditions.


•Type the guest Username and Passcode, if required.


•Click Continue.

How do you monitor hotspot connections


To see the list of connected hotspot clients in Firebox System Manager:




•Select the Authentication List tab.


•Click Hotspot Clients.