Configure Collectors for ThreatSync+ NDR (Windows Computers)

Applies To: ThreatSync+ NDR

This feature is only available to participants in the ThreatSync+ NDR Beta program.

To gain visibility into all areas of your network, you can monitor IP traffic across all the devices in your network.

Cloud-managed and locally-managed Fireboxes with cloud reporting that run Fireware v12.10.3 and higher automatically send network traffic data to WatchGuard Cloud and ThreatSync+ NDR. This data feed provides the information required for ThreatSync+ NDR to identify and detect potential threats and suspicious activities, such as lateral movements, DNS tunnels, fast and slow scans, and data exfiltration.

For locally-managed Fireboxes with cloud reporting, you must enable the Firebox to send log messages for reports in each policy. For more information, go to Set Logging and Notification Preferences.

For Fireboxes that run lower versions of Fireware or third-party firewalls or switches, you can use on-premise Windows-based collection devices called collectors to monitor network traffic. Collectors take data feeds such as NetFlow, sFlow, or Windows DHCP server logs directly from third-party switches and firewalls, and forward them through a secure connection to WatchGuard Cloud. These data feeds include information on the traffic that flows through the switch or firewall to network devices.

To install and configure collectors on Windows computers and servers, you must first Install the WatchGuard Agent and then Configure Collectors for ThreatSync+ NDR.

Figure of collector architecture in ThreatSync+ NDR

About Windows Collection Agents for ThreatSync+ NDR

The ThreatSync+ NDR Collection Agent receives log data from switches and routers in your network and sends the data to WatchGuard Cloud.

The ThreatSync+ NDR Collection Agent listens on:

  • Port 2055 for NetFlow log data from endpoints.
  • Port 6343 for sFlow log data from endpoints.
  • Port 514 for DHCP log data from the Windows Log Agent.

You can install the ThreatSync+ NDR Collection Agent on Windows computers with Windows 10 and Windows 11.

The Windows Log Agent is a collection agent that reads Windows DHCP server logs and then forwards them to the ThreatSync+ NDR Collection Agent. The ThreatSync+ NDR Collection Agent then forwards the DHCP logs to WatchGuard Cloud.

You can install the Windows Log Agent on Windows Server 2019 or 2022. Some of these servers could also be domain controllers.

We recommend that you use the Windows Log Agent to collect Active Directory DHCP logs to keep track of devices when they change their IP address. Add and configure the Windows Log Agent on all DHCP servers.

Install the WatchGuard Agent

To add and configure a collector, you must first download the WatchGuard Agent installer and run the installation wizard on Windows computers you want to configure as a collector. When you install the WatchGuard Agent, it then installs the ThreatSync+ NDR Collection Agent or Windows Log Agent. Use the ThreatSync management UI to specify which Windows computers or servers to use as collectors.

Before You Begin

Before you download the WatchGuard Agent, make sure that you have Administrator permissions and are logged in to the Windows computer where you want to install the WatchGuard Agent.

The Windows installer is compatible with computers with an x86 or ARM processor. Make sure that virtualization is enabled in the BIOS. For ThreatSync+ NDR, Windows computers and servers must meet these requirements:

  • ThreatSync+ NDR Collection Agent — Windows 10 and Windows 11 with two CPUs and a minimum of 8 GB RAM and 150 GB of disk space. For networks with a NetFlow rate greater than 500,000 per minute, more CPUs, RAM, and disk space are required.
  • Windows Log Agent — Windows Server 2019 or Windows Server 2022.

Install the WatchGuard Agent on each Windows computer you want to configure as a collector. Typically, you only have to install the ThreatSync+ NDR Collection Agent on one computer for each physical location in your network. We recommend that you install the agent on a dedicated computer so that the administrator can always be logged in. If the installation administrator is not logged in, the collector does not run. We recommend that you add and configure the Windows Log Agent on all DHCP servers.

To install the WatchGuard Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select Collectors.
  5. Click Download WatchGuard Agent.
    The Windows WatchGuard_Agent.msi file downloads.
  6. Copy the .msi file to the Windows computer or server you want to receive logs from.
  7. Double-click the WatchGuard_Agent.msi file and complete the steps in the wizard.
    A progress bar shows during the installation process. The agent opens an Ubuntu console window during installation. Do not close this window. The Windows computer or server restarts to complete the installation.

Configure Collectors for ThreatSync+ NDR

To collect Active Directory DHCP logs, you must add and configure both types of collection agents in your network — first the ThreatSync+ NDR Collection Agent, and then the Windows Log Agent.

Screen shot of Configure > ThreatSync, ThreatSync+ NDR Collection Agents page

Add a ThreatSync+ NDR Collection Agent

Typically only one ThreatSync+ NDR Collection Agent is required for each physical location in your network. To collect DHCP data logs, you must add the ThreatSync+ NDR Collection Agent on a Windows computer with a static IP address.

To add a ThreatSync+ NDR Collection Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select ThreatSync+ NDR > Collectors.
  5. On the ThreatSync+ NDR Collection Agents tab, click Add Collector.

Screen shot of Configure > ThreatSync, Add ThreatSync+ NDR Collection Agents dialog box

  6. From the Host drop-down list, select the Windows computer that you want to use as a ThreatSync+ NDR Collection Agent.
    This list includes all Windows computers with the WatchGuard Agent installed. Click to refresh the list of available computers and servers.
  7. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page.
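After you save the collector, a quick check on the host confirms that it meets the conditions this page sets out: a static IP address, and listeners on the ports the Collection Agent uses (2055 for NetFlow, 6343 for sFlow, 514 for DHCP logs from the Windows Log Agent). The script below is an added example, not a WatchGuard tool; it assumes all three listeners are UDP and are visible to the Windows network stack (the page does not state the transport or how the agent binds its sockets), and that Windows Firewall is the host firewall in use. Run it in an elevated PowerShell session on the Collection Agent host.

```powershell
# Added verification script (not part of the WatchGuard Agent). Assumptions: the
# three collector ports are UDP, the agent's listeners are visible to Windows,
# and Windows Firewall is the host firewall. Exit code 1 means something to fix.
$Ports  = @{ 2055 = 'NetFlow'; 6343 = 'sFlow'; 514 = 'DHCP logs from the Windows Log Agent' }
$Failed = $false

# 1. Static IP: the Collection Agent host must not take its address from DHCP,
#    otherwise the address entered in the Windows Log Agent dialog goes stale.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.InterfaceAlias -notmatch 'Loopback' }
if ($dhcpIfaces) {
    Write-Warning ("DHCP is enabled on: {0}. Assign a static IPv4 address." -f ($dhcpIfaces.InterfaceAlias -join ', '))
    $Failed = $true
} else {
    Write-Host "OK: no connected IPv4 interface uses DHCP."
}

# 2. Listeners: once the agent is running, each collector port should be bound.
#    If the agent binds inside a virtualized environment the socket may not
#    appear here, so treat a miss as something to investigate, not a verdict.
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue
foreach ($port in $Ports.Keys) {
    $bound = $udp | Where-Object { $_.LocalPort -eq $port }
    if ($bound) {
        Write-Host ("OK: UDP {0} ({1}) bound on {2}" -f $port, $Ports[$port], ($bound.LocalAddress -join ', '))
    } else {
        Write-Warning ("UDP {0} ({1}) has no visible listener; is the Collection Agent running?" -f $port, $Ports[$port])
        $Failed = $true
    }
}

# 3. Host firewall: without an enabled inbound allow rule per port, exports from
#    switches, firewalls and the Windows Log Agent never reach the agent.
foreach ($port in $Ports.Keys) {
    $rules = Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    if ($rules) {
        Write-Host ("OK: inbound allow rule for UDP {0}: {1}" -f $port, ($rules.DisplayName -join ', '))
    } else {
        Write-Warning ("No enabled inbound allow rule for UDP {0} ({1})." -f $port, $Ports[$port])
        $Failed = $true
    }
}

if ($Failed) { exit 1 } else { Write-Host 'Collector host checks passed.' }
```

A rule that allows "Any" local port satisfies check 3; tighten it to the three ports if your policy requires per-port rules.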

Add a Windows Log Agent Collector

Add and configure the Windows Log Agent on all DHCP servers in your network.

Screen shot of Configure > ThreatSync, Windows Log Agents page

After you add a server as a Windows Log Agent collector, make sure to configure your managed switches to send NetFlow data to the collector. For more information, go to the product documentation available with the switch.

To add a Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select ThreatSync+ NDR > Collectors.
  5. On the Windows Log Agent tab, click Add Collector.

Screen shot of Configure > ThreatSync, Add Windows Log Agent dialog box

  6. From the Host drop-down list, select the Windows server that you want to use as a Windows Log Agent.
    This list includes all Windows servers with the WatchGuard Agent installed. Click to refresh the list of available computers and servers.
  7. In the ThreatSync+ NDR Collection Agent IP Address text box, enter the IP address of the Windows computer on which you configured the ThreatSync+ NDR Collection Agent.
    You can see the IP address on the ThreatSync+ NDR Collection Agents tab.
  8. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page. For more information, go to About the ThreatSync+ NDR Summary Page.

Related Topics

Quick Start — Set Up ThreatSync+ NDR

Configure ThreatSync+ NDR