Patch Management Best Practices

Applies To: WatchGuard Patch Management

We recommend that you follow these best practices for WatchGuard Patch Management:

Verify that Patch Management Works Properly

To confirm that Patch Management works correctly, make sure that all computers on your network:

  • Have a Patch Management license allocated and Patch Management installed and running. To identify issues, use the Patch Management Status tile on the Patch Management Dashboard.
  • Can communicate with the WatchGuard server. To identify computers that might have connection problems, use the Time Since Last Check tile on the Patch Management Dashboard.
  • Have the Windows Update service running with automatic updates disabled. To disable automatic updates, select the Disable Windows Update on Computers option in the Patch Management Settings.
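The third check above (Windows Update service running, automatic updates disabled) can be verified directly on an endpoint. The script below is an added example, not WatchGuard code; it reads the state of the wuauserv service and the standard Windows Update policy value NoAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. That the WatchGuard "Disable Windows Update on Computers" option sets exactly this policy value is an assumption; treat a mismatch as something to investigate on that computer rather than as proof of a misconfiguration.

```powershell
# Added example (not part of the WatchGuard documentation or product).
# Checks the two conditions the best practice asks for on a Windows computer:
#   1. the Windows Update service (wuauserv) is running
#   2. automatic updates are disabled by policy (NoAutoUpdate = 1)
# Assumption: the WatchGuard "Disable Windows Update on Computers" option is
# reflected in the NoAutoUpdate policy value; if it is not, AutoUpdateDisabled
# is simply $false and the computer should be reviewed in the console.

function Test-PatchManagementPrereqs {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName            = $env:COMPUTERNAME
        WuauservStatus          = 'NotFound'
        WuauservStartType       = 'NotFound'
        AutoUpdatePolicyPresent = $false
        AutoUpdateDisabled      = $false
        Ok                      = $false
    }

    # Service state: Status is Running/Stopped; StartType is Automatic/Manual/Disabled.
    $svc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.WuauservStatus    = $svc.Status.ToString()
        $result.WuauservStartType = $svc.StartType.ToString()
    }

    # Policy state: the key is absent on computers with no Windows Update policy at all.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue
    if ($null -ne $au) {
        $result.AutoUpdatePolicyPresent = $true
        $result.AutoUpdateDisabled      = ($au.NoAutoUpdate -eq 1)
    }

    # Both conditions from the best practice must hold.
    $result.Ok = ($result.WuauservStatus -eq 'Running') -and $result.AutoUpdateDisabled

    [pscustomobject]$result
}

# Run locally; for a fleet, wrap it in Invoke-Command -ComputerName <names> -ScriptBlock ${function:Test-PatchManagementPrereqs}
Test-PatchManagementPrereqs | Format-List
```

Computers that report Ok = $false are the ones to cross-check against the Patch Management Status and Time Since Last Check tiles: a stopped service or a missing policy on the endpoint explains many of the entries that show up there.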

Install All Critical Patches Regularly

When software vendors discover flaws in their products, they publish updates and patches to fix the flaws. We recommend that you install critical patches at least once a month.

To see available patches, use the Available Patches list. Filter the list to identify critical patches or patches for specific computers. For more information, see See Available Patches.

If Patch Management cannot get a download URL to install a critical patch automatically, download the patch manually so you can install it. For more information, see Download Patches Manually.

Isolate Computers with Unpatched Critical Known Vulnerabilities

For critical known vulnerabilities that represent an extremely serious threat, such as WannaCry ransomware, you might decide to isolate computers that have not yet received published patches that fix the vulnerability.

In these cases, you can use the Available Patches list to identify computers that have not received the critical patches. To isolate computers, select the check box in one or more rows, then in the toolbar, click Isolate Computer.

We do not recommend that you isolate unpatched computers except for very serious threats. WatchGuard Endpoint Security denies all communications to and from isolated computers except those required to perform remote forensic analysis and to use remediation tools. If a computer or server performs an important function for your business, such as a DNS server, make sure that you have contingency plans in place before you isolate it.

For more information, see Isolate a Computer (Windows computers).

Make Sure Programs Installed on your Computers are Not End-of-Life

End-of-life programs do not receive patches or updates from the software vendor. To reduce the attack surface, replace any end-of-life programs installed on your computers.

To identify end-of-life programs, use the End-of-Life Programs list. For more information, see Review End-of-Life Programs.

Check the Installation History

Use the Installation History list to review the status of patch installations and identify computers where installation errors occurred. For more information, see See Installation History.

Check the Patch Status of Computers where Incidents Occurred

When incidents occur on a computer, we recommend that you install any available patches on the computer.

To identify available patches, in the Security Dashboard, click a threat, select the affected computer, and then click View Available Patches. The Available Patches list opens and shows available patches for the computer. For more information, see See Available Patches.

You can also see an overview of available patches and end-of-life programs for a computer on the Computer Details page. For more information, see Computer Details.

See Also

About Patch Management