Endpoint Security Installation Requirements
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core
WatchGuard Endpoint Security software is compatible with Windows, Linux, Android, iOS, and macOS. Installation requirements differ for different platforms. Detailed requirements information is available from the WatchGuard Endpoint Security Release Notes.
For module requirements, go to the appropriate topic:
- WatchGuard Full Encryption Requirements
- Patch Management Requirements
- Advanced Visualization Tool Requirements
- Data Control Requirements
- SIEMFeeder Requirements
System Requirements
These are the system requirements for each supported platform.
Windows
Workstations — Windows XP SP3 and higher, Windows Vista, Windows 7, Windows 8 and higher, Windows 10, and Windows 11
Installation on Windows XP requires a computer with the cache role assigned. For more information, go to this Knowledge Base article (external).
Servers — Windows 2003 SP2 and higher, Windows 2008, Windows Small Business Server 2011 and higher, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server Core 2008 and higher, Windows Server Core 2012 R2, Windows Server Core 2016, Windows Server Core 2019, and Windows Server 2022
Versions with an ARM processor — Windows 10 Home and Pro
Minimum free space for installation — 650 MB
Root certificates must be up to date to use the Patch Management module and to establish real-time communications with the Endpoint Security management UI.
To keep security software up to date, the workstation or server must support SHA-256 driver signing. For more information about affected operating systems and how to update them, go to Update Required to Support SHA-256 Signed Drivers.
Compatible with Windows XP Embedded and higher. Windows Embedded systems allow custom installations that can affect the installation and operation of WatchGuard Endpoint Security products and modules. After you install WatchGuard Endpoint Security, we recommend that you verify that the different protection modules work correctly.
For more information about supported Windows versions, go to the Release Notes.
macOS
Operating systems — macOS 10.10 Yosemite and higher. WatchGuard EDR Core requires macOS Catalina 10.15 and higher (Intel and ARM).
Processor: Intel® Core 2 Duo
RAM: 2 GB
Minimum free space for installation — 400 MB
Ports — 3127, 3128, 3129, and 8310 must be accessible for the web anti-malware and URL filtering to work.
For more information about macOS requirements, go to the Release Notes.
Linux
64-bit operating systems — AlmaLinux 8.3 and higher, Ubuntu 14.04 LTS and higher, Fedora 23 and higher, Debian 8 and higher, RedHat 7 and higher, CentOS 7 and higher, LinuxMint 18 and higher, SuseLinux Enterprise 11SP2 and higher, Oracle Linux 6.0 and higher, RHEL 8.6, and Rocky Linux 8.3 and higher. No window manager required. Use the /usr/local/protection-agent/bin/pa_cmd tool from the command line.
32-bit operating systems — RedHat 6 and CentOS 6
For a complete list of the supported kernels, go to this Knowledge Base article: Supported Kernels (external).
Minimum free space for installation — 500 MB
For more information about Linux requirements, go to the Release Notes.
To install WatchGuard Endpoint Security on Linux platforms, the target computer must remain connected to the Internet during the installation process. The installer connects to the appropriate repositories for the system (RPM or DEB) and downloads the packages required to complete the installation.
Android
Operating systems — Android 4.0 or higher
Minimum free space for installation — 10 MB
For more information about Android requirements, go to the Release Notes.
iOS
Operating systems — iOS 13 / iPadOS 13, iOS 14 / iPadOS 14, iOS 15 / iPadOS 15, iOS 16 / iPadOS
Minimum free space for installation — 12 MB
For more information about iOS requirements, go to the Release Notes.
Network Requirements
WatchGuard Endpoint Security requires access to multiple Internet-hosted resources. It requires access to ports 80 and 443.
To implement certain features, the security software installed on the computers on the network uses these listening ports:
- TCP port 18226: Used by computers with the cache role to serve files.
- TCP port 21226: Used by computers with the cache role to request the files to download.
- TCP port 3128: Used by computers with the proxy role.
- UDP port 21226: Used by computers with the discovery computer role.
- TCP port 33000: Used by computers that make a VPN connection to the Firebox.
For more information, go to Designate a Cache Computer (Windows computers), Designate a Computer as a WatchGuard Proxy (Windows Computers), Designate a Discovery Computer, and Configure Network Access Enforcement in WatchGuard Endpoint Security.
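The listening ports above are tied to specific roles, so a port that is open on a computer without the matching role is worth investigating, as is a role holder that is not listening. The following added example (not WatchGuard code) compares a constructed role inventory with constructed listener data; the host names, the short role labels, and the assumption that a role holder listens on every port listed for its role are this example's own.

```python
# (protocol, port) -> role label. Ports and protocols come from the list above;
# the short role labels are this example's own naming.
ROLE_PORTS = {
    ("tcp", 18226): "cache",
    ("tcp", 21226): "cache",
    ("tcp", 3128): "proxy",
    ("udp", 21226): "discovery",
    ("tcp", 33000): "firebox-vpn",
}

# Constructed inventory: roles assigned in the management UI per host.
HOST_ROLES = {
    "ws-01": {"cache"},
    "ws-02": set(),
    "ws-03": {"discovery"},
    "srv-01": {"proxy", "discovery"},
}

# Constructed listener data, e.g. collected from each host's socket table.
LISTENERS = {
    "ws-01": {("tcp", 18226)},
    "ws-02": {("tcp", 3128)},
    "ws-03": {("tcp", 21226)},  # TCP instead of the UDP port discovery uses
    "srv-01": {("tcp", 3128), ("udp", 21226), ("tcp", 445)},
}


def audit(host_roles, listeners):
    """Return (host, kind, proto, port, role) for each role/listener mismatch."""
    findings = []
    for host in sorted(host_roles):
        roles = host_roles[host]
        open_socks = listeners.get(host, set())
        for (proto, port), role in sorted(ROLE_PORTS.items()):
            listening = (proto, port) in open_socks
            if listening and role not in roles:
                # Role port open on a host that does not hold the role.
                findings.append((host, "unexpected", proto, port, role))
            elif role in roles and not listening:
                # Role assigned but its port is not reachable on the host.
                findings.append((host, "missing", proto, port, role))
    return findings


if __name__ == "__main__":
    for finding in audit(HOST_ROLES, LISTENERS):
        print(*finding)
```

Port 21226 appears twice in the list with different protocols, so the comparison must key on protocol and port together; ws-03 in the sample shows both findings that result when the two are confused.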
For a complete list of the URLs that WatchGuard Endpoint Security requires access to, go to this Knowledge Base article.
Android Devices
For push notifications to work, open ports 5228, 5229, and 5230 to all IP addresses contained in the IP blocks listed in Google’s ASN 15169.
iOS Devices
The application installed on an iOS mobile device uses the Apple Push Notification service to communicate with the software. If the device is connected to the network by 2G, 3G, or 4G, there are no specific network requirements. If the device is connected to the network by Wi-Fi, Access Point (AP) or other method, it connects to specific servers. Make sure these ports are available:
- TCP 5223 to communicate with the Apple Push Notification service
- TCP 443 or 2197 to send notifications
Servers that make up the Apple Push Notification service use load balancing. This means that the device will not always connect to the same IP address. We recommend that you configure your firewall to allow connections to the entire 17.0.0.0/8 range assigned to Apple.
If this is not possible, allow connections to these ranges for IPv4:
- 17.249.0.0/16
- 17.252.0.0/16
- 17.57.144.0/22
- 17.188.128.0/18
- 17.188.20.0/23
Allow connections to these ranges for IPv6:
- 2620:149:a44::/48
- 2403:300:a42::/48
- 2403:300:a51::/48
- 2a01:b740:a42::/48
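To confirm that a firewall actually permits the Apple Push Notification traffic described above, the following added example (not WatchGuard code) triages denied connections against the ports and ranges listed on this page. The log format, field names, and sample addresses are constructed for the example.

```python
import ipaddress

# Narrow APNs ranges and ports as listed on this page.
APNS_NETS = [ipaddress.ip_network(n) for n in (
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
    "17.188.128.0/18", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48",
    "2403:300:a51::/48", "2a01:b740:a42::/48",
)]
APPLE_WIDE = ipaddress.ip_network("17.0.0.0/8")  # the recommended wide range
APNS_PORTS = {5223, 443, 2197}

# Constructed firewall deny log (format invented for this example).
SAMPLE_LOG = """\
DENY tcp src=10.0.5.21 dst=17.57.144.10 dport=5223
DENY tcp src=10.0.5.21 dst=17.188.21.200 dport=2197
DENY tcp src=10.0.5.30 dst=17.253.144.10 dport=443
DENY tcp src=10.0.5.30 dst=2620:149:a44::12 dport=443
DENY tcp src=10.0.5.44 dst=17.249.3.9 dport=8080
DENY udp src=10.0.5.44 dst=17.252.1.1 dport=5223
"""


def classify(dst, port):
    """Return 'apns-listed', 'apple-wide-only' or 'other' for a TCP destination."""
    if port not in APNS_PORTS:
        return "other"
    ip = ipaddress.ip_address(dst)
    if any(ip.version == net.version and ip in net for net in APNS_NETS):
        return "apns-listed"      # a required allow rule is missing or too narrow
    if ip.version == 4 and ip in APPLE_WIDE:
        return "apple-wide-only"  # outside the narrow list, inside 17.0.0.0/8
    return "other"


def blocked_push(log):
    """Return (src, dst, dport, verdict) for denied TCP flows that look like APNs."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        action, proto, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if action != "DENY" or proto != "tcp":
            continue
        verdict = classify(fields["dst"], int(fields["dport"]))
        if verdict != "other":
            hits.append((fields["src"], fields["dst"], int(fields["dport"]), verdict))
    return hits
```

An `apns-listed` hit means the firewall is blocking a range this page says to allow; an `apple-wide-only` hit is a destination that only the 17.0.0.0/8 rule would cover.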