Installation of the Client Software on Linux Platforms with Secure Boot

Applies To: WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

Some Linux distributions detect when a computer has Secure Boot enabled. With Secure Boot enabled, WatchGuard Endpoint Security client software that is not correctly signed is automatically disabled.

Secure Boot is detected either when the software is installed or later, if the distribution did not initially support the feature and added it in a later update. In either case, the web UI shows an error and the client software does not run.

To enable the client software to interact with the boot system, complete these steps on the affected computer.

To register the certificate:

  1. On the computer console, run this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh
    A message about the implications of using Secure Boot appears.
  2. To register the certificate used to sign the modules, press C.
  3. Enter an eight-character password.
  4. Restart the computer.
  5. Complete the registration process:
    1. To start the registration process, press any key.
      This screen appears for a limited time. If you do not press a key, you must restart the registration process.
    2. From the menu, select Enroll MOK.
      A new menu shows the number of KEYS to register.
    3. Confirm that the KEYS listed are the keys that correspond to the WatchGuard Endpoint Security software.
    4. Select Continue.
    5. Enter the password you created.
    6. To restart the computer, use the REBOOT option.
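
An added check, not part of WatchGuard's procedure or scripts: this script reports where the enrollment above stands, based on the text printed by mokutil --sb-state, mokutil --list-enrolled and mokutil --list-new. It assumes the enrolled certificate carries the common name UA-MOK Driver Signing that appears in the sample output on this page; the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WatchGuard's script): report where MOK enrollment stands.
# Assumption: the certificate CN equals the signer name in the page's sample output.
EXPECTED_CN="UA-MOK Driver Signing"

# Succeeds only if Secure Boot is on and shim still validates signatures.
sb_state_enabled() {
    printf '%s\n' "$1" | grep -qx 'SecureBoot enabled' || return 1
    ! printf '%s\n' "$1" | grep -q 'validation is disabled in shim'
}

# Print the CN of each certificate in `mokutil --list-enrolled/--list-new` text.
cert_cns() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Subject:.*CN *= *\([^,]*\).*$/\1/p'
}

# mok_state SB_TEXT ENROLLED_TEXT PENDING_TEXT -> one status word
mok_state() {
    if ! sb_state_enabled "$1"; then
        echo "secure-boot-not-enforcing"   # Secure Boot is not checking signatures
    elif cert_cns "$2" | grep -qxF "$EXPECTED_CN"; then
        echo "enrolled"                    # step 5 completed
    elif cert_cns "$3" | grep -qxF "$EXPECTED_CN"; then
        echo "pending-reboot"              # steps 1-3 done, steps 4-5 remain
    else
        echo "not-imported"                # no request queued: start at step 1
    fi
}

# Constructed sample text in the shape mokutil prints (not captured output).
SAMPLE_SB='SecureBoot enabled'
SAMPLE_CERT='[key 1]
Certificate:
    Data:
        Issuer: CN=UA-MOK Driver Signing
        Subject: CN=UA-MOK Driver Signing'
SAMPLE_OTHER='[key 1]
Certificate:
    Data:
        Subject: C = US, O = Example Distro, CN = Example Distro Secure Boot CA'

if [ "${1:-}" = "--live" ]; then           # query the running system
    mok_state "$(mokutil --sb-state 2>&1)" \
        "$(mokutil --list-enrolled 2>/dev/null)" \
        "$(mokutil --list-new 2>/dev/null)"
else                                        # offline demo on the samples
    mok_state "$SAMPLE_SB" "$SAMPLE_OTHER" "$SAMPLE_CERT"
fi
```

Run it with --live as root on the affected computer; a result of not-imported after the restart means the enrollment request is no longer queued and the registration process has to be started again.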

Oracle Linux 7.x/8.x with UEKR6 Kernel

When the distribution installed is Oracle Linux 7.x/8.x with UEKR6 kernel, after you complete the steps to register the certificate, complete these steps:

  1. Re-run this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh
    This adds the certificate used to sign the modules to the list of certificates trusted by the kernel. The modified kernel is signed and added to the list of kernels in GRUB. The module is loaded and started.
  2. To confirm that the certificate was added correctly, run this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh

    The result should be:

    The signers common name is UA-MOK Driver Signing
    Image /boot/vmlinuz-kernel-version-panda-secure-boot already signed
    Kernel module successfully loaded