Standard Wifi configs via WSM

I setup a BYOD and Guest Wifi all all my sites. They are intentionally set to not have access to internal resources or VPN tunnel connectivity. Because of that, I setup all the same IP networks and Wifi setting at each of the sites. I have had to do this manually for 40+ sites. I'd like to be able to handle most, if not all of this, via WSM so I can make one template change and push it out to all the units.

I'd also like to be able to use more than just trusted and optional networks in my WSM templates for policies. I'd like to use custom ones, or at lease have a few more options, like Custom 2, 3, 4, etc. This would also make standard Wifi config via WSM template easier.

Please let me know your thoughts.

thx.

Answers

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Logan5

    Custom is just an interface type that isn't part of any alias. You can use the custom type as many times as you want, and it will not be able to talk with any other custom network unless you make an explicit rule allowing it to do so.

    -James Carson
    WatchGuard Customer Support

  • edited June 2021

    @Logan5 said:
    I setup a BYOD and Guest Wifi all all my sites. They are intentionally set to not have access to internal resources or VPN tunnel connectivity. Because of that, I setup all the same IP networks and Wifi setting at each of the sites. I have had to do this manually for 40+ sites. I'd like to be able to handle most, if not all of this, via WSM so I can make one template change and push it out to all the units.

    I'd also like to be able to use more than just trusted and optional networks in my WSM templates for policies. I'd like to use custom ones, or at lease have a few more options, like Custom 2, 3, 4, etc. This would also make standard Wifi config via WSM template easier.

    Please let me know your thoughts.

    thx.

    My advice would be to follow the process:

    1. Create Alias called "Wifi-Guest Network" or something like that and have it be the source. The alias would have a "FQDN" member called "placeholder.test" so that it would allow you to save.
    2. Create policies called "wifi Guest Policies" (I would just do HTTP-Proxy, HTTPS-Proxy, and DNS-Proxy) I would name the rules Guest HTTP, Guest HTTPS, Guest DNS - I would also make sure the HTTP Proxy BLOCKS all .exe downloads... since guests shouldn't be downloading stuff haha
    3. Create appropriate WebBlocker policy for the HTTP and HTTPS proxies. Application control would be nice too but the templates have been having a hard time with Application Control with the recent engine update to Application Control.
    4. Change inheritance settings so that your Wifi-Guest Network settings can't be over written in case you need to make changes to this policy and re-push it out.

    Once this template is created, you simply need to:
    1. Push template out to all firewalls in question
    2. Update the FQDN in the Alias to be the network you want it to be.

    This will be annoying in beginning but should be a better "sudo streamlined" way of doing things!

    ~T

Sign In to comment.