Configure Endpoint Enforcement

This topic explains how to configure endpoint enforcement with and without a TDR Host Sensor. The WatchGuard Endpoint Agent syncs data for endpoints with WatchGuard EDR and WatchGuard EPDR installed and can be used for endpoint enforcement. To understand more about how this feature works, see About Endpoint Enforcement.

In Fireware v12.5.4 to v12.8.2, this feature is called TDR Host Sensor Enforcement.

For devices that run Fireware v12.9 and higher, when you enable local management with cloud reporting for your Firebox, TDR is automatically enabled. You do not need to enable TDR in order to enable endpoint enforcement.

Before You Begin

Endpoint enforcement and TDR Host Sensor Enforcement require a Firebox with a Total Security Suite license.

Before you configure endpoint enforcement:

  1. Verify operating system compatibility
    Endpoint enforcement supports Windows and macOS operating systems included in the Operating System Compatibility Matrix section of the Fireware Release Notes.
  1. If required, configure your TDR account and install the TDR Host Sensor
    For devices that run Fireware v12.5.4. to v12.8.2, you must enable TDR and configure the account UUID before you can enable endpoint enforcement. Your Firebox must have an active TDR subscription. To configure TDR, see Quick Start — Set Up TDR.

    You can install the TDR Host Sensor manually or automatically. For more information about TDR Host Sensor installation, see Manage TDR Hosts and Host Sensors.
  1. Configure at least one mobile VPN
    The Firebox supports endpoint enforcement for all mobile VPN types. For more information about mobile VPNs, see Mobile VPN Tunnels.
  1. Configure mobile VPN user groups
    To enable endpoint enforcement for Windows or macOS mobile users on a network with Android or iOS mobile users, create separate mobile VPN user groups. For example:
  • Create a user group called Windows and macOS users.
  • Create a user group called Android and iOS users.

The Mobile VPN section in this topic explains how to apply endpoint enforcement to user groups.

Configure Endpoint Enforcement

You enable endpoint enforcement in multiple locations:

  • TDR — Host Sensor settings
  • Firebox — Endpoint enforcement settings and mobile VPN settings (In Fireware v12.5.4 to v12.8.2, these settings are called TDR Host Sensor Enforcement.)
  • WatchGuard Endpoint Security — Endpoint enforcement settings and Network Services settings in the Endpoint Security management UI. For more information, see Configure Secure VPN.

Configure Endpoint Enforcement in TDR Host Sensor Settings

For devices that run Fireware v12.5.4 to v12.8.2, you must enable endpoint enforcement in your TDR account and generate an account UUID before you can enable endpoint enforcement on the Firebox.

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Settings.
  4. In the Firebox VPN Validation section, turn On Host Sensor enforcement.
  5. Specify a TDR authentication key manually or click Generate to generate a random authentication key.

Screen shot of the Host Sensor Enforcement settings in the TDR Web UI

Configure Endpoint Enforcement on the Firebox

This step to configure endpoint enforcement on the Firebox is required for endpoint enforcement with TDR Host Sensors and the WatchGuard Endpoint Agent.

Configure Endpoint Enforcement for the Mobile VPN

Next, enable endpoint enforcement for one or more mobile VPN groups. You cannot enable endpoint enforcement for individual mobile VPN users.

To enable endpoint enforcement for Windows and macOS mobile users on a network with Android or iOS mobile users, apply endpoint enforcement to separate mobile VPN user groups.

For example:

  • Windows and macOS users— Enable endpoint enforcement for this group.
  • Android and iOS users— Keep endpoint enforcement disabled for this group.
  • IKEv2-Users — Keep endpoint enforcement disabled for this default VPN group.

If you select the Select check box for a group, the Firebox adds that group to the default group (IKEv2-Users, SSLVPN-Users, L2TP-Users, or IPSec-Users). If you enable endpoint enforcement for only some groups that are part of the default group, keep enforcement disabled for the default group.

For a user who belongs to multiple mobile VPN groups, enforcement applies to that user if:

  • The mobile VPN groups are all part of the same mobile VPN configuration, and
  • You enable Endpoint Enforcement for only some of those groups.

For example, if a user belongs to two mobile VPN with IKEv2 groups, but you enable enforcement for one only of those groups, enforcement applies to that user.

For a user who belongs to multiple groups that are part of different mobile VPN configurations, if endpoint enforcement is enabled for only some of the groups, enforcement applies to that user for only some types of mobile VPN connections. For example:

  • If a user is part of the IKEv2-Users and SSLVPN-Users groups, and you enable enforcement only for IKEv2-Users, enforcement applies to that user only for mobile VPN with IKEv2 connections.
  • Enforcement does not apply to that user for mobile VPN with SSL connections.

Mobile VPN with IKEv2:

Mobile VPN with L2TP:

Mobile VPN with SSL:

Mobile VPN with IPSec:

Related Topics

Troubleshoot Endpoint Enforcement for TDR Host Sensor

About Endpoint Enforcement

About TDR

Quick Start — Set Up TDR

Enable TDR on Your Firebox