About Endpoint Enforcement
Endpoint enforcement adds integrity checks that limit mobile VPN connections to devices that follow corporate policy. Your key corporate networks are more secure because only devices unlikely to be compromised by malware can connect. In Fireware v12.5.4 to v12.8.2, this feature is named TDR Host Sensor Enforcement. In Fireware v12.9 and higher, endpoint enforcement does not require that TDR be enabled on the Firebox. The WatchGuard Endpoint Agent also syncs data for endpoints that have WatchGuard EDR Core, WatchGuard EDR, or WatchGuard EPDR installed.
Endpoint enforcement and TDR Host Sensor Enforcement require a Firebox with a Total Security Suite license.
When you enable endpoint enforcement, these requirements must be met before a mobile device can make a VPN connection to your Firebox:
- If the Firebox runs Fireware v12.8.x or lower, you must enable TDR and configure the TDR primary account UUID in the Host Sensor enforcement settings before you can enable endpoint enforcement.
- If the Firebox runs Fireware v12.9 or higher, you do not have to enable TDR to enable endpoint enforcement. When you enable local management with cloud reporting for your Firebox, TDR is automatically enabled. WatchGuard Cloud automatically syncs data with the Firebox.
- The TDR Host Sensor or WatchGuard Endpoint Agent must be running on the mobile device, and the Firebox must be able to communicate with the device over TCP port 33000.
- (Optional) The mobile device has the specified Windows or macOS operating system version, or a later version.
How it Works
A device connects to the Firebox through a mobile VPN. If the device is a member of a mobile VPN group that has endpoint enforcement enabled:
- The Firebox allows the VPN connection, but initially allows only one-way VPN communication from the Firebox to the mobile device.
- The Firebox connects to the device through the VPN over TCP port 33000.
- For TDR Host Sensors, the Firebox verifies that the TDR Host Sensor is associated with a TDR primary account UUID specified in the Endpoint Enforcement settings.
- For the WatchGuard Endpoint Agent and endpoints with WatchGuard EPDR, EDR, or EDR Core installed, the Firebox verifies that the endpoint is associated with an account UUID specified in the Endpoint Enforcement settings and in the WatchGuard Endpoint Security Network Services (Secure VPN).
- The Firebox verifies that the mobile device meets the operating system requirement (if one is specified).
While the endpoint enforcement check is in progress, the Firebox allows connections that match a policy by IP address in the From list, or a policy with Any in the From list.
The Firebox and the device authenticate these check messages with a hash-based message authentication code (HMAC) computed with a shared authentication key.
The Firebox terminates the mobile VPN connection if:
- The Firebox cannot communicate with the TDR Host Sensor or WatchGuard Endpoint Agent for any reason (not installed, installed but not running, TCP port 33000 not open on the mobile device, or HMAC mismatch).
- TDR Host Sensor or the WatchGuard Endpoint Agent on the mobile device is not associated with an account UUID specified in the Endpoint Enforcement settings.
- The mobile device does not meet the operating system requirement.
After a device connects successfully, the Firebox does not monitor the device for changes. For example, the Firebox does not terminate the connection if TDR Host Sensor is uninstalled while a device is connected to the VPN. The check is repeated only when the device makes a new VPN connection.
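The following is an added example that simulates the connection-time check described above; it is not WatchGuard code and does not reproduce the actual protocol between the Firebox and the TDR Host Sensor or WatchGuard Endpoint Agent. Only the port (TCP 33000), the order of the checks (reachability, HMAC, account UUID, optional OS version) and the termination conditions come from the page. The JSON report fields, the newline-separated HMAC-SHA256 tag, the dotted version format, the account UUID and the shared key are all assumptions constructed for the example. The real check runs over the VPN tunnel with a socket; that transport is replaced here by passing the agent's reply (or `None` for an unreachable agent) directly to the Firebox-side function.

```python
import hashlib
import hmac
import json
from typing import Dict, FrozenSet, Optional, Tuple

ENFORCEMENT_PORT = 33000  # TCP port the Firebox uses to reach the agent (from the page)


class EnforcementSettings:
    """What the administrator configures (mirrors the settings the page names)."""

    def __init__(self, account_uuids, min_os_version, auth_key):
        self.account_uuids: FrozenSet[str] = frozenset(account_uuids)
        # Hypothetical representation: {"Windows": "10.0", "macOS": "12.0"}.
        # An OS with no entry has no version requirement (assumption for this example).
        self.min_os_version: Dict[str, str] = dict(min_os_version)
        self.auth_key: bytes = auth_key


def agent_response(report: dict, key: bytes) -> bytes:
    """Agent side (hypothetical format): canonical JSON body, newline, HMAC-SHA256 hex tag."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def version_at_least(actual: str, minimum: str) -> bool:
    """Dotted-version compare: '10' counts as '10.0'. Raises ValueError on non-numeric parts."""
    a = [int(p) for p in actual.split(".")]
    m = [int(p) for p in minimum.split(".")]
    width = max(len(a), len(m))
    a += [0] * (width - len(a))
    m += [0] * (width - len(m))
    return a >= m


def check_endpoint(response: Optional[bytes], settings: EnforcementSettings) -> Tuple[bool, str]:
    """Firebox side. Returns (allow, reason); any False terminates the mobile VPN connection."""
    # 1. Reachability: agent not installed, not running, or port 33000 closed -> no reply at all.
    if response is None:
        return False, "no reply from endpoint agent on TCP %d" % ENFORCEMENT_PORT
    parts = response.rsplit(b"\n", 1)
    if len(parts) != 2:
        return False, "malformed reply"
    body, tag = parts
    # 2. Message authentication: verify the HMAC before trusting any field in the body.
    expected = hmac.new(settings.auth_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "HMAC mismatch"
    try:
        report = json.loads(body)
    except ValueError:
        return False, "malformed reply body"
    # 3. Account association: the agent's account UUID must be one configured for enforcement.
    if report.get("account_uuid") not in settings.account_uuids:
        return False, "endpoint not associated with a configured account UUID"
    # 4. Optional OS requirement: the specified version for that OS, or a later one.
    minimum = settings.min_os_version.get(report.get("os", ""))
    if minimum is not None:
        try:
            ok = version_at_least(str(report.get("os_version", "")), minimum)
        except ValueError:
            return False, "unparseable os_version"
        if not ok:
            return False, "os_version %s is below the required %s" % (report["os_version"], minimum)
    return True, "endpoint passed the enforcement check"


# Constructed sample values: the UUIDs and the key below are made up for this example.
DEMO_KEY = b"example-shared-authentication-key"
DEMO_SETTINGS = EnforcementSettings(
    account_uuids={"11111111-2222-3333-4444-555555555555"},
    min_os_version={"Windows": "10.0", "macOS": "12.0"},
    auth_key=DEMO_KEY,
)
GOOD_REPORT = {"account_uuid": "11111111-2222-3333-4444-555555555555",
               "os": "Windows", "os_version": "10.0.19045"}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """One scenario per outcome listed above: compliant, plus each termination condition."""
    wrong_uuid = dict(GOOD_REPORT, account_uuid="99999999-0000-0000-0000-000000000000")
    old_os = dict(GOOD_REPORT, os="macOS", os_version="11.6")
    forged = agent_response(GOOD_REPORT, b"attacker-guessed-key")      # wrong key, valid-looking body
    tampered = agent_response(wrong_uuid, DEMO_KEY).replace(           # body edited after signing
        b"99999999-0000-0000-0000-000000000000", b"11111111-2222-3333-4444-555555555555")
    return {
        "compliant": check_endpoint(agent_response(GOOD_REPORT, DEMO_KEY), DEMO_SETTINGS),
        "agent unreachable": check_endpoint(None, DEMO_SETTINGS),
        "hmac mismatch": check_endpoint(forged, DEMO_SETTINGS),
        "tampered body": check_endpoint(tampered, DEMO_SETTINGS),
        "wrong account": check_endpoint(agent_response(wrong_uuid, DEMO_KEY), DEMO_SETTINGS),
        "os too old": check_endpoint(agent_response(old_os, DEMO_KEY), DEMO_SETTINGS),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print("%-18s %s  (%s)" % (name, "ALLOW" if allowed else "TERMINATE", reason))
```

The order matters: the HMAC is verified before any field of the reply is read, so a forged or edited report is rejected as an HMAC mismatch rather than evaluated on its (attacker-chosen) contents. Because the check happens once, at connection time, nothing in this flow would notice an agent that is removed after the tunnel is up, which is the limitation noted above.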
To configure endpoint enforcement, go to Configure Endpoint Enforcement.