Troubleshoot Network Access Enforcement for the TDR Host Sensor
The end-of-life date for TDR is 30 September 2023. On this date, the TDR UI in WatchGuard Cloud will no longer be available. Host Sensors will continue to function, but remediation and report generation will be disabled. To upgrade your Host Sensors to Endpoint Security, go to the Host Sensor upgrade to Endpoint Security Knowledge Base article.
For devices that run Fireware v12.8x and lower, you must enable TDR and configure the TDR primary account UUID in the Host Sensor enforcement settings before you can enable network access enforcement on the Firebox. For devices that run Fireware v12.9 and higher, you do not have to enable TDR to enable network access enforcement.
To troubleshoot network access enforcement for your TDR Host Sensor, verify settings in these configurations:
TDR Account
- Log in to TDR and verify that Enable Host Sensor Enforcement for VPN connections to the Firebox is On.
- Verify the TDR authentication key is the same as the key specified on the Firebox at Subscription Services > Network Access Enforcement.
Firebox
TDR Configuration
For devices that run Fireware v12.9 and higher, when you enable local management with cloud reporting for your Firebox, TDR is automatically enabled. You do not need to enable TDR in order to enable network access enforcement (previously TDR Host Sensor Enforcement).
On the Firebox at Subscription Services > Network Access Enforcement:
- Verify that the TDR Host Sensor is enabled.
- Enable Network Access Enforcement. In Fireware v12.5.4 to v12.8.2, this feature is called Enable Host Sensor Enforcement.
- Verify the TDR authentication key is the same as the TDR authentication key in your TDR account.
- If operating system requirements are specified, determine whether the user’s device meets those requirements.
TDR Host Sensor Enforcement supports Windows and macOS operating systems included in the Operating System Compatibility Matrix section of the Fireware Release Notes.
If you select an operating system option other than Any or Custom, mobile devices must have that operating system or a higher version to connect to your Firebox over the mobile VPN.
Operating system enforcement does not apply to Windows Server operating systems. If a user connects to a mobile VPN from a supported Windows Server operating system, the Firebox allows the connection regardless of operating system enforcement settings if the Windows Server system meets all other network access enforcement requirements.
Mobile VPN Configuration
In the Mobile VPN with IKEv2, Mobile VPN with L2TP, and Mobile VPN with SSL configurations:
- Verify that Network Access Enforcement is enabled for at least one mobile VPN group.
- Verify the user is a member of that group.
For Mobile VPN with IPSec, from Authentication > Users and Groups:
- Verify that Network Access Enforcement is enabled for at least one mobile VPN group.
- Verify the user is a member of that group.
For mobile VPN groups, note the following:
- If a user belongs to multiple groups that are part of the same mobile VPN configuration, and you enable Network Access Enforcement for any of those groups, enforcement applies to that user. For example, if a user belongs to two Mobile VPN with IKEv2 groups, but you enable enforcement for only one of those groups, enforcement applies to that user.
- If a user belongs to multiple groups that are part of different mobile VPN configurations, and you enable Network Access Enforcement for some of those groups, enforcement applies to that user for only the VPN connection types that have enforcement enabled. For example, if a user is part of the IKEv2-Users and SSLVPN-Users groups, and you enable enforcement only for IKEv2-Users, enforcement applies to that user only for Mobile VPN with IKEv2 connections. Enforcement does not apply to that user for Mobile VPN with SSL connections.
If you select the Select check box for a group, the Firebox adds that group to the default group (IKEv2-Users, SSLVPN-Users, L2TP-Users, or IPSec-Users). If you enable network access enforcement for only some groups that are part of the default group, keep enforcement disabled for the default group.
To change the log level and view log messages:
- Change the VPN log level to Debug.
- View log messages in Web UI or Firebox System Manager.
- Search for vpn_enforcer, which is the process that handles network access enforcement for VPN connections.
Mobile Device
Windows
From a Windows device that connects to the mobile VPN, verify the following:
- The operating system is Windows or macOS and the operating system version meets the requirements specified in the Network Access Enforcement settings on the Firebox.
- TDR Host Sensor on the host is associated with an account UUID specified in the Network Access Enforcement settings on the Firebox.
- TDRSensorService service is running.
- Windows Firewall has a rule for WatchGuard HostSensor that allows inbound TCP 33000.
- Any third-party firewall used by the device allows inbound TCP 33000.
- TDR Host Sensor is listening on TCP 33000. To verify this, we recommend TCPView, a Windows tool that shows the status of TCP endpoints. In TCPView, sort by the Process column and look for host_sensor.exe.
To change the log level to Trace and view logs, in Windows:
- From Task Manager, stop the service named TDRSensorService.
- From an administrator command prompt, from the Threat Detection and Response installation folder, type this command to change the log level to Trace:
host_sensor.exe /setLogLevel=trace
- To view the log, in the Windows system tray, right-click the TDR Host Sensor application and select Show Log File Location. The [devicename]_host_sensor.log log appears in the Threat Detection and Response installation folder.
- In the log file, search for:
sensor.query.server — To verify that the Host Sensor configuration matches what is expected from your TDR account.
SensorQueryServer — To show the connection creation activity, which includes tx and rx errors for messages over the connection.
ConfigManager — To view events related to configuration.
For an example, go to the Example Log Messages section of this topic.
- After troubleshooting, reset the log level to Info, which is the default setting:
host_sensor.exe /setLogLevel=info
- Start the Threat Detection and Response service.
macOS
From a macOS device that connects to the mobile VPN:
- Verify the macOS version meets the requirements specified in the Network Access Enforcement settings on the Firebox.
- Verify that TDR Host Sensor on the host is associated with an account UUID specified in the Network Access Enforcement settings on the Firebox.
- Verify the TDRSensorService is running. From a command prompt, type:
ps -ef | grep host_sensor
- Verify the TDR Host Sensor is listening on TCP port 33000. From a command prompt, type:
netstat -a -p tcp | grep 33000
To change the log level to Trace and view logs, in macOS:
- Stop the TDRSensorService service. From a command prompt, type:
sudo launchctl unload /Library/LaunchDaemons/com.watchguard.tdr.hostsensor.plist
- Set the log level to Trace. From a command prompt, type:
sudo /usr/local/watchguard/tdr/amd64/hostsensor --setLogLevel=trace
- In the log, search for:
sensor.query.server — To verify that the Host Sensor configuration matches what is expected from your TDR account.
SensorQueryServer — To show the connection creation activity, which includes tx and rx errors for messages over the connection.
ConfigManager — To view events related to configuration.
For an example, go to the Example Log Messages section of this topic.
- After troubleshooting, reset the log level to Info, which is the default setting:
sudo /usr/local/watchguard/tdr/amd64/hostsensor --setLogLevel=info
- Start the TDRSensorService service. From a command prompt, type:
sudo launchctl load /Library/LaunchDaemons/com.watchguard.tdr.hostsensor.plist
Example Log Messages
On a Windows or macOS device, these messages appear if the authentication key is valid:
2019-12-02 06:43:37.050 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:43:37.051 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:43:37.109 [Information] [thread:8980] [SensorQueryServer] Received echo request
2019-12-02 06:43:37.118 [Information] [thread:8980] [SensorQueryServer] Echo response sent
These messages appear if the authentication key is invalid:
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:48:52.158 [Error] [thread:8980] [SensorQueryServer] HMAC verification failed
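Added example, not part of WatchGuard's documentation or of the Host Sensor itself: a small Python parser that reads a host_sensor.log, groups the SensorQueryServer lines into one record per Firebox enforcement query, and reports whether each query ended with an accepted echo or an HMAC failure. The sample lines are constructed from the messages above, and the line layout is assumed to match them.

```python
import re

# Constructed sample, modelled on the Example Log Messages in this topic (not a real capture).
SAMPLE_LOG = """\
2019-12-02 06:43:37.050 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:43:37.051 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:43:37.109 [Information] [thread:8980] [SensorQueryServer] Received echo request
2019-12-02 06:43:37.118 [Information] [thread:8980] [SensorQueryServer] Echo response sent
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:48:52.158 [Error] [thread:8980] [SensorQueryServer] HMAC verification failed
2019-12-02 06:50:01.000 [Information] [thread:8980] [ConfigManager] Configuration reloaded
"""

# Assumed layout of a host sensor log line: "<date> <time> [<level>] [thread:<id>] [<component>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \[thread:(?P<thread>\d+)\] "
                     r"\[(?P<component>[^\]]+)\] (?P<msg>.*)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def enforcement_exchanges(text):
    """One record per Firebox enforcement query, in log order.
    'Creating connection' opens a record; 'Echo response sent' means the Firebox's
    authentication key was accepted, 'HMAC verification failed' means the key on the
    Firebox does not match the key in the TDR account."""
    exchanges, current = [], None
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["component"] != "SensorQueryServer":
            continue  # ConfigManager and other components are not part of the exchange
        if rec["msg"] == "Creating connection":
            current = {"start": rec["ts"], "thread": rec["thread"], "result": "incomplete"}
            exchanges.append(current)
        elif current is not None and rec["msg"] == "Echo response sent":
            current["result"] = "key_ok"
        elif current is not None and rec["msg"] == "HMAC verification failed":
            current["result"] = "key_mismatch"
    return exchanges

def summarize(text):
    """Count outcomes. All zeros means the Firebox never reached TCP 33000, so check
    the service, the firewall rule and the listening port before the key."""
    counts = {"key_ok": 0, "key_mismatch": 0, "incomplete": 0}
    for ex in enforcement_exchanges(text):
        counts[ex["result"]] += 1
    return counts
```

Run it against a log captured at the Trace level as described above; a key_mismatch count points at the authentication key check in the Firebox and TDR Account sections.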
Related Topics
About Network Access Enforcement with the TDR Host Sensor