Troubleshoot Endpoint Access Enforcement

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

Endpoint Access Enforcement monitors connections to endpoints on your network to reduce threats from unprotected devices. In an Endpoint Access Enforcement settings profile, you can configure conditions that identify an endpoint at risk and an action to take for inbound connections from endpoints at risk. By default, Endpoint Access Enforcement monitors inbound connections for SMB and RDP traffic. You can specify additional protocols to monitor for inbound connections. For more information, go to Configure Endpoint Access Enforcement Settings (Windows Computers).

Dashboard and Connection Map

With Advanced EPDR, EPDR, and EDR, you can monitor inbound connections from endpoints at risk in the Endpoint Access Enforcement dashboard. You can use the information from the dashboard to address at-risk devices. For more information, go to Endpoint Access Enforcement Dashboard.

From the Endpoint Access Enforcement dashboard, you can view the Connection Map tile that shows the connections between client and server endpoints on the network. In this example, the red nodes represent unmanaged endpoints, and the blue nodes represent managed endpoints.

Endpoint Access Enforcement Issues

When Endpoint Access Enforcement monitors connections to endpoints on your network, these issues might occur.

Managed by Another Account

An issue might occur where the remote computer is protected by WatchGuard under a different account. To troubleshoot, run the PSInfo tool to gather logs from both client and server.

Protection Not Enabled

An issue might occur if the remote computer that initiated the connection has protection disabled or experiences an error. If the computer is currently protected, the error is likely temporary and the alert can be dismissed. Otherwise, follow the steps to gather information for your Support case.

Risk Level Value

An issue might occur when the risk level of the remote computer is greater than or equal to the configured threshold. To prevent Endpoint Access Enforcement from flagging the remote computer as at risk, verify the risk status of the remote computer and take appropriate action. For more information, go to Security Risks Status in WatchGuard Endpoint Security.

Endpoint in an Unmanaged or Incorrect State

An issue might occur when the conditions that determine whether an endpoint is at risk are not assessed correctly. For example, Endpoint Access Enforcement might detect an endpoint as at risk because it is Unmanaged or in an unexpected state, but when you review the endpoint from the dashboard, the endpoint shows as protected and in an expected state. This can occur when:

  • The remote computer that initiates the incoming connection does not have the WatchGuard Agent installed.
  • Requests for the device status of the remote computer time out. This can happen when:
    • One or both machines involved in the communication do not have the latest version of the WatchGuard Agent or protection software.
    • Communication between the two computers is not available through TCP port 33000.
    • Protection from another vendor is installed on the machines without cross-exclusions.
    • Single sign-on (SSO) software might be interfering with Endpoint Access Enforcement.

If issues such as these occur, collect information for your Support case.

Collect Information

Use these steps to verify connectivity and collect information for your Support case.

Verify Connectivity

For Endpoint Access Management to correctly detect endpoints at risk, both endpoints must be able to communicate over TCP port 33000.

To use Telnet to verify the connectivity between endpoints:

  1. Open a command prompt with administrator permissions.
  2. At the command prompt, where <COMPUTERNAME> is the name of the target endpoint, type:
    telnet <COMPUTERNAME> 33000
  3. To verify that port 33000 is listening on both endpoints, run this test in both directions: from the first endpoint to the second, and from the second endpoint to the first.

  4. Send screenshots of the results to Support.
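
The same TCP port 33000 check can be run from PowerShell with the built-in Test-NetConnection and Get-NetTCPConnection cmdlets, for example on computers where the Telnet client is not installed. This script is an added example, not part of the WatchGuard documentation or tooling; the endpoint names and the output file name are placeholders.

```powershell
# Added example: test TCP 33000 from this endpoint to each target and
# record whether this endpoint itself has a listener on the port.
param(
    # Placeholder endpoint names; replace with the computers involved.
    [string[]]$Targets = @('ENDPOINT-A', 'ENDPOINT-B'),
    [int]$Port = 33000,
    # Placeholder output path for the results file.
    [string]$OutFile = ".\eae-port-${Port}-${env:COMPUTERNAME}.csv"
)

# True if any local socket is in the Listen state on the port.
$listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen `
    -ErrorAction SilentlyContinue)

$results = foreach ($target in $Targets) {
    # Attempts a TCP connection; a failed attempt returns
    # TcpTestSucceeded = $false rather than throwing.
    $t = Test-NetConnection -ComputerName $target -Port $Port `
        -WarningAction SilentlyContinue

    [pscustomobject]@{
        TimestampUtc   = (Get-Date).ToUniversalTime().ToString('o')
        Source         = $env:COMPUTERNAME
        SourceAddress  = $t.SourceAddress.IPAddress
        Target         = $target
        RemoteAddress  = $t.RemoteAddress
        Port           = $Port
        TcpReachable   = $t.TcpTestSucceeded
        LocalListening = $listening
    }
}

# Show the results on screen and save them with timestamps.
$results | Format-Table -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation
```

Run the script on each of the two endpoints so that the connection is tested in both directions, as in step 3.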

Information for your Support Case

To help resolve an Endpoint Access Enforcement issue, provide this information:

  • Provide a description of the network setup, including any intermediate hardware or software that could interfere with communication over TCP port 33000.
  • Run the PSInfo tool to gather logs from both endpoints.
  • Identify any security software installed on any affected endpoint. Confirm whether cross-exclusions are configured to prevent conflicts.
  • Specify whether any SSO software is in use.
  • Include the IP addresses and ports involved in the communication. Note the days and times when the issue occurs, when it first occurred, how frequently it occurs, how many endpoints are affected, and whether the issue can be replicated.

When you contact Support, make sure to provide any gathered information about the issue, the PSInfo diagnostic logs, and Telnet screenshots, for all the affected endpoints.