WatchGuard AP325 review: Perfect networking for SMBs

A supremely versatile wireless AP offering enterprise-class features and tough security at an SMB price

IT Pro Verdict

WatchGuard’s AP325 offers everything SMBs could possibly want from their wireless networks. It’s easy to deploy, provides great features and tough security while the cloud management portal is one of the best we’ve yet seen.

Pros

  • Superb range of features
  • Strong network security controls
  • Simple monitoring and administration

Cons

  • None to speak of

WatchGuard's AP325 targets SMBs that want an affordable combination of Wave 2 wireless performance, tight security and remote management choices. It can't be used as a standalone AP and is managed via WatchGuard's Firebox security appliances or its Wi-Fi Cloud service.

A standout feature is WatchGuard's WIPS (wireless intrusion prevention system) radio. The AP325 has six internal aerials, with two used to detect unauthorized wireless APs physically connected to your network and disable them.

The AP's first Gigabit port supports PoE+ and is used for the main LAN connection and management access while the second can be used to extend the wired network or for link aggregation. Avoid using a low-power 802.3af PoE source as this disables the second LAN port and downgrades the transmit power of all three radios.

You choose the management method when you purchase the AP325, with the Basic Wi-Fi license enabling Firebox management. WIPS is enabled with cloud management, and a Secure Wi-Fi license gives you this plus the Go mobile web app and network monitoring tools. The Total Wi-Fi subscription adds location-based usage analysis and the Engage app for gathering guest user demographics.

We visited our cloud portal and used the 'Go' quick start option to create an initial set of SSIDs. After connecting an AP325 to our TP-Link TL-SG3424P PoE+ switch, it linked up with our cloud account, received the default template and advertised the new SSIDs.

The 'Manage' portal presents a graphical overview of wireless networks, clients, rogue APs and client traffic. APs can be placed in different locations and details are easily customised by adding more dashboards, each with their own widgets.

Each location inherits the top-level template or has its own and these determine the settings for associated APs and assigned SSIDs. These are easy to manage; we created multiple SSID profiles and decided which ones to assign to each device template.

Levels of control are remarkable - for each SSID profile, you can have captive portals, walled gardens, traffic shaping, QoS (quality of service) for voice and video traffic plus rules-based traffic and application firewalls. Black and white MAC address lists can be applied while BYOD on-boarding redirects mobile client devices to an authorization web page.

WIPS is enabled on selected locations and defaults to disrupting communications with rogue APs by sending de-authorization packets to stop clients associating with them. This uses two channels on each radio but you can change this to blocking, interrupting or degrading levels where the latter uses four channels.

To test WIPS, we connected a TP-Link EAP330 dual-band AP to the lab network and saw both its radios appear in the portal dashboard as rogues. With WIPS enabled, all attempts to associate with it were rebuffed and details of the offending wireless clients were logged by the portal which also advised us to place the AP in quarantine.

Real-world wireless performance is good, and our Netgear AC1200-equipped Windows 10 desktop returned a speedy close-range 56MB/sec when copying a file to a server on the LAN. The AP325 also has a good range, as we took our iPad 43m down the main building corridor before the SweetSpots app registered a signal loss.

The Discover portal provides a wealth of information about clients, login times and issues. Enable the application visibility setting in your SSID profiles and the AP325 can pass traffic details on over 1,400 apps to the Discover dashboard for use in live graphs.

The Engage portal negates the need to have a separate user demographics analysis solution. It works with authentication plug-ins for social media apps including Facebook, Twitter and LinkedIn to gather information on guest users so you can create targeted marketing campaigns.

WatchGuard's AP325 offers everything SMBs could possibly want from their wireless networks. It's easy to deploy, provides great features and tough security while the cloud management portal is one of the best we've yet seen.

  • Wave 2 AC1200 dual-band 2.4GHz/5GHz 802.11ac
  • 2 x 2 MU-MIMO
  • 2 x 2 WIPS radio
  • 6 x internal aerials
  • 2 x Gigabit (LAN and PoE/PoE+)
  • Kensington lock
  • T-rail ceiling mounting plate
  • 196 x 196 x 43mm (WDH)
  • 850g
  • 1yr support contract with advanced hardware replacement
  • 1yr Total Wi-Fi subscription

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd - the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.