Configure a Firewall Policy for TDR Traffic
When you enable TDR on your Firebox, the Firebox configuration must include a policy to allow the Host Sensors on your network to connect to your TDR account.
About the WG-TDR-Host-Sensor Policy Template
If your Firebox runs Fireware v11.12.1 or higher, to allow Host Sensor connections from the trusted network, add the WG-TDR-Host-Sensor packet filter policy to your configuration. This policy is automatically added when you enable TDR on the Firebox.
Manually Add a Policy to Allow Host Sensor Traffic
If your Firebox runs Fireware v11.12 or lower, when you enable TDR from Policy Manager or Fireware Web UI, you must manually add a policy that allows connections from your network to the FQDN for your TDR account.
If your Firebox runs Fireware v11.12, manually add an HTTPS packet filter policy with these settings:
- Connections are — Allowed
- From — Any-Trusted, Any-Optional (or the location where your Host Sensors are installed)
- To — FQDNs tdr-hsc-na.watchguard.com, tdr-hsc-eu.watchguard.com, and tdr-hsc-ap.watchguard.com
If you want to allow connections only to the FQDN for your TDR account, you can find the FQDN in the TDR web UI, and add it to the packet filter policy.

- Log in to the TDR Web UI as an Administrator or Analyst.
- Select Configuration > Host Sensor.
The Host Sensor page opens.
- In the Host Sensor section, find the Controller Address. It appears in the format FQDN:port.
- Copy the FQDN value. Do not include the port number.

- Log in to TDR in WatchGuard Cloud.
- Select Monitor > Threat Detection.
- In the Devices / Users section, select Hosts.
The Hosts page opens.
- Click Download Host Sensor.
The Host Sensor Download dialog box opens.
- Find the Controller Address. It appears in the format FQDN:port.
- Copy the FQDN value. Do not include the port number.

- Select Firewall > Firewall Policies.
- Click Add Policy.
- From the Packet Filter drop-down list, select HTTPS.
- Click Add Policy.
The policy settings appear.
- In the Name text box, type a name to identify this policy.
For example, type HTTPS-TDR.
- In the To list, select Any-External and click Remove.
- In the To list, click Add.
- From the Member Type drop-down list, select FQDN.
- In the text box, paste the FQDN you copied from the Host Sensor Controller Address.
- Click OK.
The FQDN is added as the destination for the policy.
- Click Save.

- Open the Firebox configuration in Policy Manager.
- Select Edit > Add Policy.
- From the Packet Filter drop-down list, select HTTPS.
- Click Add.
- In the Name text box, type a name to identify this policy.
For example, type HTTPS-TDR.
- In the To list, select Any-External and click Remove.
- In the To list, click Add.
- Click Add Other.
- From the Choose Type drop-down list, select FQDN.
- In the Value text box, paste the FQDN you copied from the Host Sensor Controller Address.
- Click OK twice.
The FQDN is added as the destination for the policy.
- Click OK.
- Save the configuration to the Firebox.
Add FQDNs for TDR Sandbox Analysis, AD Helper, and Research Data
It might be necessary to add other FQDNs as destinations in the WG-TDR-Host-Sensor or other HTTPS packet filter policy to allow Host Sensors and AD Helper to connect to the TDR cloud.
You must add these FQDNs only if your Firebox has an HTTPS proxy policy with these certificate validation options enabled in the content inspection settings:
- Use OCSP to validate certificates
- If a certificate cannot be validated, the certificate is considered invalid
In Fireware 12.4 and later, these FQDNs are automatically added as destinations in the WG-TDR-Host-Sensor policy that is created when you enable TDR. In earlier versions of Fireware, you may need to add tdr-files-na.watchguard.com, tdr-files-eu.watchguard.com, and tdr-files-ap.watchguard.com as destinations.
To allow TDR Host Sensors to execute the Sandbox File action, add these FQDNs as destinations in the WG-TDR-Host-Sensor policy:
tdr-frontline-na.watchguard.com
tdr-frontline-eu.watchguard.com
tdr-frontline-ap.watchguard.com
To allow AD Helper to connect to the TDR cloud, add these FQDNs as destinations in the WG-TDR-Host-Sensor policy:
tdr-adhh-na.watchguard.com
tdr-adhh-eu.watchguard.com
tdr-adhh-ap.watchguard.com
To allow TDR Host Sensors to send data that is used by WatchGuard for research, add this FQDN as a destination in the WG-TDR-Host-Sensor policy:
tdr-rdp-na.watchguard.com
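To confirm that the policy passes traffic to the destinations listed on this page, you can run a reachability check from a computer on the network where Host Sensors are installed. The script below is an added example, not WatchGuard code: it strips the port from a Controller Address as the steps above describe, then attempts a TCP connection to each FQDN. The function names, the status labels, and the use of TCP 443 (the port the HTTPS packet filter is assumed to cover) are assumptions of this example.

```python
"""Added example: check that TDR destinations are reachable through the Firebox."""
import socket
import sys

HTTPS_PORT = 443  # assumption: the HTTPS packet filter covers TCP 443

# FQDNs listed on this page, grouped by the TDR function they serve.
TDR_FQDNS = {
    "host-sensor": ["tdr-hsc-na.watchguard.com", "tdr-hsc-eu.watchguard.com",
                    "tdr-hsc-ap.watchguard.com"],
    "files": ["tdr-files-na.watchguard.com", "tdr-files-eu.watchguard.com",
              "tdr-files-ap.watchguard.com"],
    "sandbox": ["tdr-frontline-na.watchguard.com", "tdr-frontline-eu.watchguard.com",
                "tdr-frontline-ap.watchguard.com"],
    "ad-helper": ["tdr-adhh-na.watchguard.com", "tdr-adhh-eu.watchguard.com",
                  "tdr-adhh-ap.watchguard.com"],
    "research": ["tdr-rdp-na.watchguard.com"],
}


def policy_fqdn(controller_address):
    """Return the FQDN from a Controller Address (FQDN:port), without the port."""
    host, sep, port = controller_address.strip().rpartition(":")
    if not sep:  # no port present: the value is already a bare FQDN
        return port.lower()
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"not in FQDN:port form: {controller_address!r}")
    return host.lower()


def check(fqdns, port=HTTPS_PORT, connect=socket.create_connection, timeout=5):
    """Try a TCP connection to each FQDN; return {fqdn: status}."""
    results = {}
    for fqdn in fqdns:
        try:
            connect((fqdn, port), timeout).close()
            results[fqdn] = "ok"
        except socket.gaierror:   # name did not resolve
            results[fqdn] = "dns-failed"
        except OSError:           # refused, timed out, or dropped by a policy
            results[fqdn] = "no-connect"
    return results


if __name__ == "__main__":
    # Arguments are Controller Address values; with none, test every listed FQDN.
    targets = [policy_fqdn(a) for a in sys.argv[1:]] or [
        f for group in TDR_FQDNS.values() for f in group]
    for fqdn, status in check(targets).items():
        print(f"{status:<11}{fqdn}")
```

A successful TCP connection shows only that the packet filter path is open. It does not exercise certificate validation by an HTTPS proxy policy.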
Enable Proxy Policies and Services
For TDR to effectively correlate network events with Host Sensor events, we recommend that you also enable proxy policies and services on the Firebox. For more information, see Configure Proxy Policies for TDR.