Configure TDR Containment

To prevent the spread of threats on your network, you can contain a host. Containment terminates current connections and prevents new network connections on a specific host so that threats cannot spread through the network. Contained hosts are isolated and cannot connect over the network. Other devices cannot connect to a contained host. To restore network connectivity when the threat is resolved, the host must be released from containment.

There are two ways to contain and release hosts — manually or automatically based on a containment policy. To allow hosts to be contained manually or automatically, the Enable Kernel Host Containment Action must be enabled in the Host Sensor settings. For more information, see Configure TDR Host Sensor Settings.

TDR can contain Windows hosts. Containment is not supported on non-Windows systems.

Contain and Release Hosts Manually

You can contain and release a Windows host manually in the Incidents, Hosts, or Groups pages.

To contain a host manually:

  1. Select the check box next to the Windows host you want to contain.
  2. Select Actions > Contain Host.
    The Confirm Action – Contain Host dialog box appears.
  3. Click Execute Action.
    The host is contained and a containment icon is shown in the Sensor Status column.

Screen shot of the Install State and Sensor status columns for a contained host

To release a host from containment manually:

  1. Select the check box next to the Windows host you want to release.
  2. Select Actions > Release Host.
    The Confirm Action – Release Host dialog box appears.
  3. Click Execute Action.
    The host is released from containment.

For more information, see Manage TDR Hosts and Host Sensors, Manage TDR Groups, and Manage TDR Incidents.

Containment Policies

Containment policies contain and release Windows hosts automatically based on an incident threat score threshold. When an incident with a threat score equal to the value specified in the policy occurs, the host is contained. When the threat score falls below the specified threshold, the host is released from containment automatically.

Your TDR account includes a default containment policy with recommended settings. You can edit the default containment policy and configure additional policies that apply to different hosts and host groups at different Cybercon levels.

For information on how to add a containment policy, see Configure TDR Policies.

Containment Exceptions

When a host is contained, it can only connect to itself, TDR, DNS servers, and DHCP servers. If you want to allow other network traffic to and from contained hosts, you can add host containment exceptions. For example, you might want to allow support to connect to contained hosts to troubleshoot incidents.

To define a containment exception, you must specify two or more of these connection details:

  • Local IP: IP address of a specific host
  • Local Port: Port on a host
  • Remote IP: IP address of a specific remote machine
  • Remote Port: Port on a remote machine

For example, to configure a containment exception to allow a support person to connect to contained hosts, specify:

  • Remote IP — IP address of the support person’s computer
  • Local Port — Port the support person needs to connect to on the hosts

Add Containment Exceptions

To add a containment exception:

  1. Select Configuration > Containment.
    The Containment page appears.
  2. Click Add Containment Exception.
    The Add Containment Exception dialog box appears.

Screen shot of Add Containment Exception dialog box.

  3. In the Connection Types section, from the drop-down lists, select the type of connection you want to allow.
    You can specify the type of IP address (IPv4 or IPv6). You can also specify the protocol (TCP or UDP).
  4. To specify the network connection you want to allow, type connection details in two or more of the Local IP, Local Port, Remote IP, and Remote Port text boxes.
  5. Select the hosts and groups the exception applies to:
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add.
      Host names and group names that include the characters appear.
      Tip! To specify all hosts, type "All Hosts". This is a built-in default group that includes all hosts that have a Host Sensor installed.
    2. Select the host or group name to add.
    3. To add other hosts or groups, repeat the previous two steps.
  6. (Optional) In the Comments text box, type other information about the exception.
  7. Click Save & Close.

Back Up or Import Containment Exceptions

You can save a backup of all containment exceptions to a .json file. To add the containment exceptions to any TDR account, you can import the saved file. This enables a TDR Service Provider to easily copy containment exceptions configured in one managed customer account to another managed account. To avoid duplicate exceptions, the imported containment exceptions are merged with the existing list of containment exceptions.

To save containment exceptions to a backup file:

  1. Select Configuration > Containment.
    The list of currently configured containment exceptions appears.
  2. Click Backup.
    The .json backup file is saved to the downloads folder.

The name of the containment exceptions backup file includes the current date and time. For example:

WatchGuardTDR_ContainmentExceptions_2018-09-17_15-11-11.json

To import containment exceptions from a saved .json file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The containment exceptions from the file are added to the containment exceptions list.
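The following Python model, added here as an illustration and not WatchGuard code, captures two rules this page states: an exception must specify two or more of Local IP, Local Port, Remote IP and Remote Port, and imported exceptions are merged with the existing list without creating duplicates. The record layout, the sample addresses and the `exception_allows` matching logic are constructed assumptions; the real backup-file schema is not shown on this page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

CONNECTION_FIELDS = ("local_ip", "local_port", "remote_ip", "remote_port")


@dataclass(frozen=True)
class ContainmentException:
    """One exception row; the field layout is a constructed stand-in, not the TDR file schema."""
    ip_version: str = "IPv4"            # IPv4 or IPv6
    protocol: str = "TCP"               # TCP or UDP
    local_ip: Optional[str] = None      # IP address of a specific (contained) host
    local_port: Optional[int] = None    # port on the contained host
    remote_ip: Optional[str] = None     # IP address of the remote machine
    remote_port: Optional[int] = None   # port on the remote machine
    hosts: tuple = ("All Hosts",)       # host or group names the exception applies to
    comments: str = ""


def is_valid(exc: ContainmentException) -> bool:
    """The page requires two or more of the four connection details to be specified."""
    filled = sum(getattr(exc, f) is not None for f in CONNECTION_FIELDS)
    return filled >= 2 and exc.ip_version in ("IPv4", "IPv6") and exc.protocol in ("TCP", "UDP")


def exception_allows(exceptions: Iterable[ContainmentException], ip_version: str, protocol: str,
                     local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> bool:
    """Assumed matching rule: every detail an exception specifies must equal the observed
    value, unspecified details match anything; invalid exceptions are ignored."""
    observed = {"local_ip": local_ip, "local_port": local_port,
                "remote_ip": remote_ip, "remote_port": remote_port}
    for exc in exceptions:
        if not is_valid(exc) or exc.ip_version != ip_version or exc.protocol != protocol:
            continue
        if all(getattr(exc, f) is None or getattr(exc, f) == observed[f] for f in CONNECTION_FIELDS):
            return True
    return False


def merge_exceptions(existing, imported):
    """Model of the import behaviour: rows whose connection types, details and hosts
    already exist are not added a second time; comments do not make a row distinct."""
    def key(e):
        return (e.ip_version, e.protocol) + tuple(getattr(e, f) for f in CONNECTION_FIELDS) + (e.hosts,)
    merged, seen = [], set()
    for exc in list(existing) + list(imported):
        if key(exc) not in seen:
            seen.add(key(exc))
            merged.append(exc)
    return merged


# Constructed sample: allow the support desk at 192.0.2.10 to reach RDP on contained hosts.
SUPPORT_RDP = ContainmentException(remote_ip="192.0.2.10", local_port=3389,
                                   comments="Support desk access for troubleshooting")
```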

Edit or Remove a Containment Exception

To edit a containment exception:

  1. In the Containment list, to the left of the exception to edit, click .
  2. Edit the settings as described in the previous procedure.
  3. Click Save & Close.

To remove a containment exception:

  1. In the Containment list, to the right of the exception to remove, click .
  2. Select Remove Containment Exception.
    A confirmation message appears.
  3. Click Yes, Delete.

See Also

Manage TDR Hosts and Host Sensors

Manage TDR Groups

Configure TDR Policies

Configure TDR Host Sensor Settings
