Applies To: WatchGuard Patch Management
We recommend you follow these best practices for WatchGuard Patch Management:
- Verify that Patch Management Works Properly
- Install All Critical Patches Regularly
- Isolate Computers with Unpatched Critical Known Vulnerabilities
- Make Sure Programs Installed on your Computers are Not End-of-Life
- Check the Installation History
- Check the Patch Status of Computers where Incidents Occurred
To confirm that Patch Management works correctly, make sure that all computers on your network:
- Have a Patch Management license allocated and Patch Management installed and running. To identify issues, use the Patch Management Status tile on the Patch Management Dashboard.
- Can communicate with the WatchGuard server. To identify computers that might have connection problems, use the Time Since Last Check tile on the Patch Management Dashboard.
- Have the Windows Update service running with automatic updates disabled. To disable automatic updates, select the Disable Windows Update on Computers option in the Patch Management Settings.
When software vendors discover flaws in their products, they publish updates and patches to fix the flaws. We recommend that you install critical patches at least once a month.
To see available patches, use the Available Patches list. Filter the list to identify critical patches or patches for specific computers. For more information, see Review Available Patches.
If Patch Management cannot get a download URL to install a critical patch automatically, download the patch manually so you can install it. For more information, see Download Patches Manually.
For critical known vulnerabilities that represent an extremely serious threat, such as WannaCry ransomware, you might decide to isolate computers that have not yet received published patches that fix the vulnerability.
In these cases, you can use the Available Patches list to identify computers that have not received the critical patches. To isolate computers, select the check box in one or more rows, then in the toolbar, click Isolate Computer.
We do not recommend that you isolate unpatched computers except for very serious threats. WatchGuard Endpoint Security denies all communications to and from isolated computers except those required to perform remote forensic analysis and to use remediation tools. If a computer or server performs an important function for your business, such as a DNS server, make sure that you have contingency plans in place before you isolate it.
For more information, see Isolate a Computer (Windows Computers).
End-of-life programs do not receive patches or updates from the software vendor. To reduce the attack surface, replace any end-of-life programs installed on your computers.
To identify end-of-life programs, use the End-of-Life Programs list. For more information, see Review End-of-Life Programs.
Use the Installation History list to review the status of patch installations and identify computers where installation errors occurred. For more information, see View Installation History.
When incidents occur on a computer, we recommend that you install any available patches on the computer.
To identify available patches, in the Security Dashboard, click a threat, select the affected computer, and then click View Available Patches. The Available Patches list opens and shows available patches for the computer. For more information, see Review Available Patches.
You can also see an overview of available patches and end-of-life programs for a computer on the Computer Details page. For more information, see Computer Details.