WatchGuard AP420 review

WatchGuard’s AP420 teams up seriously secure wireless networks with slick cloud management and tons of features

Editor's Choice
  • Robust management console; Strong detection and quarantine options; Excellent speeds
  • Expensive;

SMBs that want plenty of management choices and tight wireless security will love WatchGuard's AP420. It can be managed as a standalone AP, remotely via WatchGuard's FireBox UTM appliances or taken into the cloud with the Wi-Fi Cloud service.

This Wave 2 AC2500 dual-band AP looks pricey but it has another trick up its sleeve: it has not two, but three radios. Along with the 2.4GHz and 5GHz variety, the WP420 has a WIPS (wireless intrusion prevention system) radio designed to sniff out unauthorized wireless APs and quarantine them.

WIPS calms your concerns about wireless containment as the AP420 only takes an interest in APs that are physically wired into the same network. It has a very particular set of skills and if someone tries to sneak their own AP onto the LAN, it will find it, will alert you to its presence and, if intrusion prevention is enabled, will disable it.

WIPS requires a Wi-Fi Cloud account and we started deployment by using its Go portal to create wireless SSID profiles. All you do is provide a name, choose an encryption scheme, enter a key and you're done.

Advertisement - Article continues below
Advertisement - Article continues below

We tested using AP420 and AP320 devices and soon as they were powered on and linked to our cloud account, they received the relevant default template and started advertising the secure SSIDs. Our next stop was the main Wi-Fi Cloud portal. This opens with a Launchpad providing quick access to sections for management, demographics analysis and an Engage app for creating marketing campaigns for guest user portals.

The management portal provides a customizable dashboard showing everything you need to know about wireless networks, clients and rogue APs. Templates provide full control over wireless networks and include settings for all four WatchGuard AP models, where you choose the SSIDs to be assigned to them.

SSIDs can have a captive portal, walled garden, rules-based traffic and application firewalls, traffic shaping and QoS for voice and video traffic. BYOD onboarding redirects smartphones and tablets to an authorization URL or walled garden, you can enforce black and white MAC address lists and enable automatic packet capture for failed client connections.

WIPS works passively out of the box, where it identified 47 APs in our vicinity and classed those with no physical LAN connection as external. We connected a ZyXEL dual-radio AP to the LAN which popped up in the portal as a rogue and to test containment, we logged a Windows client onto the AP and enabled WIPS intrusion prevention.

It took two minutes for the change to propagate from the cloud portal but when it did, our wireless client was kicked off the AP and kept from associating with it. WIPS defaults to disrupting rogue APs by firing 'deauth' packets at up to two 11n and two 11ac channels but you can change to blocking, interrupting or degrading levels depending on how many channels you want affected and lock the list of authorised APs to stop more being added.

The AP420 is a good performer as well with real world file copies using a 5GHz 11ac connection on a Windows 10 Pro desktop averaging 60MB/sec at close range dropping to 56MB/sec at 10 metres. Coverage is good too, as the SweetSpots app on our iPad only registered a loss of signal after we got 45 metres down the main building corridor.

Advertisement - Article continues below

The AP420 isn't cheap but SMBs that want enterprise class wireless security and central management will find it will be money well spent. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.


The AP420 isn't cheap but SMBs that want enterprise class wireless security and central management will find it will be money well spent. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.

Dual band 2.4GHz/5GHz 802.11ac 4 x 4 MU-MIMO 2 x 2 WIPS radio internal aerials 2 x Gigabit (LAN and PoE+) USB 2 Kensington lock ceiling/wall mounting plates 220 x 220 x 57mm WDH 1.3kgs 1yr support contract with advanced hardware replacement 1yr Wi-Fi Cloud subscription

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
cyber security

McAfee researchers trick Tesla autopilot with a strip of tape

21 Feb 2020