If your Firebox configuration includes Threat Detection and Response (TDR), you can enable TDR Host Sensor Enforcement in Fireware v12.5.4 or higher.
TDR Host Sensor Enforcement adds integrity checks that limit mobile VPN connections to devices that comply with corporate policy. This makes your key corporate networks more secure, because only devices that are unlikely to be compromised by malware can connect.
When you enable Host Sensor Enforcement, mobile devices must meet these requirements to make a VPN connection to your Firebox:
- TDR Host Sensor must be running on the mobile device, and the Firebox must be able to communicate with TDR Host Sensor over TCP port 33000.
- TDR Host Sensor on the mobile device must be associated with a TDR account UUID specified in the Host Sensor Enforcement settings.
- (Optional) The mobile device must run the specified Windows or macOS operating system version, or a later version.
How it Works
A user connects to the Firebox through a mobile VPN. If the user is a member of a mobile VPN group that has Host Sensor Enforcement enabled:
- The Firebox allows the VPN connection, but initially allows only one-way VPN communication from the Firebox to the mobile device.
- The Firebox connects to the Host Sensor through the VPN over TCP port 33000.
- The Firebox verifies that the Host Sensor is associated with a TDR account UUID specified in the Host Sensor Enforcement settings.
- The Firebox verifies that the mobile device meets the operating system requirement (if one is specified).
During the Host Sensor Enforcement check, connections that match policies with an IP address or Any in the From list are allowed.
The Firebox and Host Sensor use the TDR authentication key and a hash-based message authentication code (HMAC) for message authentication.
The Firebox terminates the mobile VPN connection if:
- The Firebox cannot communicate with TDR Host Sensor for any reason: TDR is not installed, TDR is installed but not running, TCP port 33000 is not open on the mobile device, or an HMAC mismatch occurs.
- TDR Host Sensor on the mobile device is not associated with a TDR account UUID specified in the Host Sensor Enforcement settings.
- The mobile device does not meet the operating system requirement.
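The sequence above, modelled as an added example that is not WatchGuard's own code: a Firebox-side decision function applies the checks in the order the page describes (sensor reachable on TCP 33000, HMAC over the reply verified with the TDR authentication key, account UUID present in the enforcement settings, optional minimum OS version) and reports which condition would terminate the VPN connection. The reply field layout, the canonical encoding that is MACed, the choice of HMAC-SHA256, the `SensorReply`/`EnforcementPolicy` types and all sample keys, UUIDs and version strings are constructed assumptions, not the product's wire format or settings.

```python
"""Model of the Host Sensor Enforcement decision sequence.

Added example, not WatchGuard code. Message layout, field names, the
HMAC-SHA256 choice and all sample values are constructed assumptions; only
the check order, TCP port 33000, HMAC with the TDR authentication key and
the termination conditions come from the documentation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

HOST_SENSOR_PORT = 33000  # TCP port the Firebox uses to reach TDR Host Sensor


@dataclass
class SensorReply:
    """Hypothetical reply from TDR Host Sensor; the field layout is an assumption."""
    account_uuid: str
    os_name: str      # "Windows" or "macOS"
    os_version: str   # dotted version string, e.g. "10.0.19045"
    mac: str = ""     # hex HMAC-SHA256 over canonical(reply), constructed format


@dataclass
class EnforcementPolicy:
    """Hypothetical model of the Host Sensor Enforcement settings."""
    allowed_account_uuids: Set[str]
    min_os_versions: Dict[str, str]   # os_name -> minimum version; empty = no OS requirement
    tdr_auth_key: bytes               # the shared TDR authentication key


def canonical(reply: SensorReply) -> bytes:
    # Constructed canonical encoding that both sides MAC over (not the real wire format).
    return f"{reply.account_uuid}|{reply.os_name}|{reply.os_version}".encode()


def sign_reply(key: bytes, account_uuid: str, os_name: str, os_version: str) -> SensorReply:
    # Sensor side: authenticate the reply with the TDR authentication key.
    reply = SensorReply(account_uuid, os_name, os_version)
    reply.mac = hmac.new(key, canonical(reply), hashlib.sha256).hexdigest()
    return reply


def version_tuple(version: str, width: int = 4) -> Tuple[int, ...]:
    # Pad so "10.15" equals "10.15.0" and "10.15" < "10.15.7".
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def evaluate(policy: EnforcementPolicy, reply: Optional[SensorReply]) -> Tuple[bool, str]:
    """Firebox side: return (allow, reason) for one mobile VPN connection attempt."""
    # 1. Reachability: no reply means TDR is not installed, not running, or port 33000 is closed.
    if reply is None:
        return False, f"host sensor unreachable on TCP {HOST_SENSOR_PORT}"
    # 2. Message authentication: recompute the HMAC with the TDR key, compare in constant time.
    expected = hmac.new(policy.tdr_auth_key, canonical(reply), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, reply.mac):
        return False, "HMAC mismatch"
    # 3. The sensor must be associated with an account UUID from the enforcement settings.
    if reply.account_uuid not in policy.allowed_account_uuids:
        return False, "account UUID not in Host Sensor Enforcement settings"
    # 4. Optional OS requirement: the specified version or later.
    minimum = policy.min_os_versions.get(reply.os_name)
    if minimum is not None:
        try:
            if version_tuple(reply.os_version) < version_tuple(minimum):
                return False, f"{reply.os_name} {reply.os_version} is older than required {minimum}"
        except ValueError:
            return False, f"unparseable OS version {reply.os_version!r}"
    return True, "all Host Sensor Enforcement checks passed"


# Constructed sample data so the block runs stand-alone.
SAMPLE_KEY = b"constructed-tdr-authentication-key"
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"   # placeholder account UUID
SAMPLE_POLICY = EnforcementPolicy(
    allowed_account_uuids={SAMPLE_UUID},
    min_os_versions={"Windows": "10.0.19041", "macOS": "10.15"},
    tdr_auth_key=SAMPLE_KEY,
)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the checks against a set of constructed connection attempts."""
    other_uuid = "99999999-0000-0000-0000-000000000000"
    tampered = sign_reply(SAMPLE_KEY, other_uuid, "Windows", "10.0.19045")
    tampered.account_uuid = SAMPLE_UUID   # field altered after signing -> HMAC mismatch
    cases = {
        "compliant": sign_reply(SAMPLE_KEY, SAMPLE_UUID, "Windows", "10.0.19045"),
        "no_sensor": None,
        "wrong_key": sign_reply(b"some-other-key", SAMPLE_UUID, "Windows", "10.0.19045"),
        "tampered": tampered,
        "foreign_account": sign_reply(SAMPLE_KEY, other_uuid, "macOS", "12.3"),
        "old_os": sign_reply(SAMPLE_KEY, SAMPLE_UUID, "macOS", "10.14.6"),
    }
    return {name: evaluate(SAMPLE_POLICY, reply) for name, reply in cases.items()}


if __name__ == "__main__":
    for name, (allow, reason) in demo().items():
        print(f"{name:16s} {'ALLOW' if allow else 'TERMINATE':9s} {reason}")
```

The checks are ordered so that the cheapest failure (no reply at all) short-circuits first and the HMAC is verified before any field of the reply is trusted; a reply whose account UUID was changed after signing is rejected as an HMAC mismatch rather than being evaluated against the UUID list. The `hmac.compare_digest` call avoids a timing side channel in the comparison.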
After a host connects successfully, the Firebox does not monitor TDR Host Sensor for changes. For example, the Firebox does not terminate the connection if TDR Host Sensor is uninstalled while a host is connected to the VPN.
To configure TDR Host Sensor Enforcement, see Configure TDR Host Sensor Enforcement.