WatchGuard AP420 review

WatchGuard’s AP420 teams up seriously secure wireless networks with slick cloud management and tons of features

Reviews
By Dave Mitchell
published

IT Pro Verdict

The AP420 isn't cheap but SMBs that want enterprise class wireless security and central management will find it will be money well spent. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.

Pros

  • +

    Robust management console; Strong detection and quarantine options; Excellent speeds

Cons

  • -

    Expensive;

SMBs that want plenty of management choices and tight wireless security will love WatchGuard's AP420. It can be managed as a standalone AP, remotely via WatchGuard's FireBox UTM appliances or taken into the cloud with the Wi-Fi Cloud service.

WatchGuard Firebox M5600 review DrayTek Vigor AP-910C review WatchGuard Firebox T70 review

This Wave 2 AC2500 dual-band AP looks pricey but it has another trick up its sleeve: it has not two, but three radios. Along with the 2.4GHz and 5GHz variety, the WP420 has a WIPS (wireless intrusion prevention system) radio designed to sniff out unauthorized wireless APs and quarantine them.

WIPS calms your concerns about wireless containment as the AP420 only takes an interest in APs that are physically wired into the same network. It has a very particular set of skills and if someone tries to sneak their own AP onto the LAN, it will find it, will alert you to its presence and, if intrusion prevention is enabled, will disable it.

WIPS requires a Wi-Fi Cloud account and we started deployment by using its Go portal to create wireless SSID profiles. All you do is provide a name, choose an encryption scheme, enter a key and you're done.

We tested using AP420 and AP320 devices and soon as they were powered on and linked to our cloud account, they received the relevant default template and started advertising the secure SSIDs. Our next stop was the main Wi-Fi Cloud portal. This opens with a Launchpad providing quick access to sections for management, demographics analysis and an Engage app for creating marketing campaigns for guest user portals.

The management portal provides a customizable dashboard showing everything you need to know about wireless networks, clients and rogue APs. Templates provide full control over wireless networks and include settings for all four WatchGuard AP models, where you choose the SSIDs to be assigned to them.

SSIDs can have a captive portal, walled garden, rules-based traffic and application firewalls, traffic shaping and QoS for voice and video traffic. BYOD onboarding redirects smartphones and tablets to an authorization URL or walled garden, you can enforce black and white MAC address lists and enable automatic packet capture for failed client connections.

WIPS works passively out of the box, where it identified 47 APs in our vicinity and classed those with no physical LAN connection as external. We connected a ZyXEL dual-radio AP to the LAN which popped up in the portal as a rogue and to test containment, we logged a Windows client onto the AP and enabled WIPS intrusion prevention.

It took two minutes for the change to propagate from the cloud portal but when it did, our wireless client was kicked off the AP and kept from associating with it. WIPS defaults to disrupting rogue APs by firing 'deauth' packets at up to two 11n and two 11ac channels but you can change to blocking, interrupting or degrading levels depending on how many channels you want affected and lock the list of authorised APs to stop more being added.

The AP420 is a good performer as well with real world file copies using a 5GHz 11ac connection on a Windows 10 Pro desktop averaging 60MB/sec at close range dropping to 56MB/sec at 10 metres. Coverage is good too, as the SweetSpots app on our iPad only registered a loss of signal after we got 45 metres down the main building corridor.

The AP420 isn't cheap but SMBs that want enterprise class wireless security and central management will find it will be money well spent. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.

Verdict

The AP420 isn't cheap but SMBs that want enterprise class wireless security and central management will find it will be money well spent. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.

Dual band 2.4GHz/5GHz 802.11ac

4 x 4 MU-MIMO

2 x 2 WIPS radio

internal aerials

2 x Gigabit (LAN and PoE+)

USB 2

Kensington lock

ceiling/wall mounting plates

220 x 220 x 57mm WDH

1.3kgs

1yr support contract with advanced hardware replacement

1yr Wi-Fi Cloud subscription

Dave Mitchell
Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.