WatchGuard Support Center

Knowledge Base - Article

 Configure Wi-Fi Cloud to use WatchGuard DNSWatchGO

How do I configure Wi-Fi Cloud to use the DNSWatchGO protected networks service?


WatchGuard DNSWatch is a cloud-based service that protects your network from malicious sites and phishing attempts. You can also block domains in specific content categories such as alcohol, gambling, and pornography. For more information about the DNSWatch service, see About DNSWatch.

You do not need a WatchGuard Firebox to protect your Wi-Fi Cloud network with WatchGuard DNSWatch. Layering DNSWatch protections onto your AP’s is easy with DNSWatchGO. 

With DNSWatchGO Protected Networks, you can configure your network to use DNSWatch as your DNS server to block malicious sites and domains based on content. DNSWatch evaluates your DNS traffic sent to your Wi-Fi Cloud access points from wireless clients, and denies any requests to known malicious or filtered domains.

For DNSWatchGO licensing, use your expected user count for the network, generally no more than the maximum number of concurrent users per AP radio  for your AP device model (For example, 20-40 users). Simply purchase and activate an equivalent number of users and register your AP’s as Protected Networks. There is a 10% buffer for protected network user counts in the event you have a slightly higher user count than expected.

Note: If you do use Wi-Fi Cloud with a Firebox in your deployment, see WatchGuard DNSWatch Integration with Wi-Fi Cloud and a Firebox for configuration instructions on how to integrate Wi-Fi Cloud with DNSWatch with a Firebox.

Configure DNSWatchGO Protected Networks

To configure protected networks with DNSWatch:
  1. Log in to DNSWatch in the WatchGuard Portal.
  2. Select Deploy > Protected Networks.
  3. Click Add Network.
  4. Your current IP address appears in the IP Address text box automatically. If you want to protect a different network, type the public IP address of the network in the text box.
  5. Type a descriptive name for the network in the Description text box.
  6. From the Policy drop-down list, select a content filter policy to apply to the network. For information about policies, see Manage User Access to Content
Note: If you want your Wi-Fi Cloud network to meet Friendly WiFi compliance, make sure you block Adult Material / Pornography type categories as part of your policy.
  1. To create a custom block page for this network:
    1. Select the Enable Custom Block Page check box. If you do not customize the block page, the network uses the default DNSWatch block page.
    2. In the Content text box, type the block page content in Markdown format.
    3. To preview the block page, click the Preview tab.
  2. Click Save Network.
For more information on this feature and configuration steps on how to set up protected networks, see About DNSWatchGO Protected Networks.

DNSWatch DNS Servers

WatchGuard hosts DNSWatch DNS servers in these regions:
  • North America (US East) --,
  • EU (Ireland) --,
  • APAC (Japan) --,
  • APAC (Sydney) --,
You can configure WatchGuard Wi-Fi Cloud to use these DNSWatch content filtering servers for your wireless clients.

    Configure Firewall Rules on an SSID for DNSWatch in Wi-Fi Cloud Discover

    You can use Wi-Fi Cloud Discover to configure firewall rules on an SSID to force the use of DNSWatch content filtering servers for your wireless clients.

    You must also make sure that the DNSWatch servers you select are defined in your network's DHCP configuration as the DNS server assigned to wireless clients.

    To configure firewall rules on an SSID to force DNS queries to use DNSWatch:
    1. Open Discover.
    2. Select Configure > WiFi > SSID.
    3. Edit the SSID you want to modify.
    4. Select the Access Control tab.
    5. Expand the Firewall section.
    6. Select the Layer 3-4 Firewall Rules check box.
    7. From the Default Rule action drop-down list, select Allow.
    8. Add  these rules using the DNSWatch server IP addresses for your region, then save the SSID configuration.
    Rule NameIP / HostnamePortAction ProtocolDirection
    Allow Selected DNS UDP54.174.40.213,
    Allow Selected DNS TCP54.174.40.213,
    Disallow other DNS UDP*53Block UDPOutgoing
    Disallow other DNS TCP*53BlockTCPOutgoing