Troubleshoot TDR Host Sensor Enforcement

To troubleshoot TDR Host Sensor Enforcement, verify settings in these configurations:

TDR Account

  • Log in to your TDR account and verify that Enable Host Sensor Enforcement for VPN connections to the Firebox is On.
  • Verify the TDR authentication key is the same as the key specified on the Firebox at Subscription Services > Threat Detection.

Firebox

TDR Configuration

On the Firebox at Subscription Services > Threat Detection:

  • Verify that Host Sensor Enforcement is enabled.
  • Verify the TDR authentication key is the same as the TDR authentication key in your TDR account.
  • If operating system requirements are specified, determine whether the user’s device meets those requirements.

TDR Host Sensor Enforcement supports Windows and macOS operating systems included in the Operating System Compatibility Matrix section of the Fireware Release Notes.

If you select an operating system option other than Any, mobile devices must have that operating system or a higher version to connect to your Firebox over the mobile VPN.

Operating system enforcement does not apply to Windows Server operating systems. If a user connects to a mobile VPN from a supported Windows Server operating system, the Firebox allows the connection regardless of operating system enforcement settings if the Windows Server system meets all other TDR Host Sensor Enforcement requirements.

Mobile VPN Configuration

In the Mobile VPN with IKEv2, Mobile VPN with L2TP, and Mobile VPN with SSL configurations:

  • Verify that Host Sensor Enforcement is enabled for at least one mobile VPN group.
  • Verify the user is a member of that group.

For Mobile VPN with IPSec, from Authentication > Users and Groups:

  • Verify that Host Sensor Enforcement is enabled for at least one mobile VPN group.
  • Verify the user is a member of that group.

For mobile VPN groups, note the following:

  • If a user belongs to multiple groups that are part of the same mobile VPN configuration, and you enable Host Sensor Enforcement for any of those groups, enforcement applies to that user. For example, if a user belongs to two Mobile VPN with IKEv2 groups, but you enable enforcement for only one of those groups, enforcement applies to that user.
  • If a user belongs to multiple groups that are part of different mobile VPN configurations, and you enable Host Sensor Enforcement for some of those groups, enforcement applies to that user for only the VPN connection types that have enforcement enabled. For example, if a user is part of the IKEv2-Users and SSLVPN-Users groups, and you enable enforcement only for IKEv2-Users, enforcement applies to that user only for Mobile VPN with IKEv2 connections. Enforcement does not apply to that user for Mobile VPN with SSL connections.

If you select the Select check box for a group, the Firebox adds that group to the default group (IKEv2-Users, SSLVPN-Users, L2TP-Users, or IPSec-Users). If you enable Host Sensor Enforcement for only some groups that are part of the default group, keep enforcement disabled for the default group.

To change the log level and view log messages:

  1. Change the VPN log level to Debug.
  2. View log messages in Web UI or Firebox System Manager.
  3. Search for vpn_enforcer, which is the process that handles Host Sensor Enforcement for VPN connections.

Mobile Device

Windows

From a Windows device that connects to the mobile VPN, verify the following:

  • The operating system is Windows or macOS and the operating system version meets the requirements specified in the Host Sensor Enforcement settings on the Firebox.
  • TDR Host Sensor on the host is associated with a TDR account UUID specified in the Host Sensor Enforcement settings on the Firebox.
  • TDRSensorService service is running.
  • Windows Firewall has a rule for WatchGuard HostSensor that allows inbound TCP 33000.
  • Any third-party firewall used by the device allows inbound TCP 33000.
  • TDR Host Sensor is listening on TCP 33000. To verify this, we recommend TCPView, a Windows tool that shows the status of TCP endpoints. In TCPView, sort by the Process column and look for host_sensor.exe.

To change the log level to Trace and view logs, in Windows:

  1. From Task Manager, stop the service named TDRSensorService.
  2. From an administrator command prompt, from the Threat Detection and Response installation folder, type this command to change the log level to Trace:
    host_sensor.exe /setLogLevel=trace
  3. To view the log, in the Windows system tray, right-click the TDR Host Sensor application and select Show Log File Location. The [devicename]_host_sensor.log log appears in the Threat Detection and Response installation folder.
  4. In the log file, search for:
    sensor.query.server — To verify that the Host Sensor configuration matches what is expected from your TDR account.
    SensorQueryServer — To show the connection creation activity, which includes tx and rx errors for messages over the connection.
    ConfigManager — To see events related to configuration.
    For an example, see the Example Log Messages section of this topic.
  5. After troubleshooting, reset the log level to Info, which is the default setting.
    host_sensor.exe /setLogLevel=info
  6. Start the Threat Detection and Response service.

macOS

From a macOS device that connects to the mobile VPN:

  • Verify the macOS version meets the requirements specified in the Host Sensor Enforcement settings on the Firebox.
  • Verify that TDR Host Sensor on the host is associated with a TDR account UUID specified in the Host Sensor Enforcement settings on the Firebox.
  • Verify the TDRSensorService is running. From a command prompt, type:
    ps -ef | grep host_sensor
  • Verify the TDR Host Sensor is listening on TCP port 33000. From a command prompt, type:
    netstat -a -p tcp | grep 33000

To change the log level to Trace and view logs, in macOS:

  1. Stop the TDRSensorService service. From a command prompt, type:
    sudo launchctl unload /Library/LaunchDaemons/com.watchguard.tdr.hostsensor.plist
  2. Set the log level to Trace. From a command prompt, type:
    sudo /usr/local/watchguard/tdr/amd64/hostsensor --setLogLevel=trace
  3. In the log, search for:
    sensor.query.server — To verify that the Host Sensor configuration matches what is expected from your TDR account.
    SensorQueryServer — To show the connection creation activity, which includes tx and rx errors for messages over the connection.
    ConfigManager — To see events related to configuration.
    For an example, see the Example Log Messages section of this topic.
  4. After troubleshooting, reset the log level to Info, which is the default setting.
    sudo /usr/local/watchguard/tdr/amd64/hostsensor --setLogLevel=info
  5. Start the TDRSensorService service.

Example Log Messages

On a Windows or macOS device, these messages appear if the authentication key is valid:

2019-12-02 06:43:37.050 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:43:37.051 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:43:37.109 [Information] [thread:8980] [SensorQueryServer] Received echo request
2019-12-02 06:43:37.118 [Information] [thread:8980] [SensorQueryServer] Echo response sent

These messages appear if the authentication key is invalid:

2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:48:52.158 [Error] [thread:8980] [SensorQueryServer] HMAC verification failed
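As an added example (not part of the WatchGuard documentation), the following Python script parses host_sensor.log lines in the format shown above and reports, for each connection the Firebox opens to the Host Sensor, whether the echo exchange completed or HMAC verification failed. The line format is taken from the sample messages above; the log embedded in the script is constructed from them and the function and variable names are the example's own.

```python
import re

# Line format of host_sensor.log as shown in the sample messages:
# "<date> <time> [<Level>] [thread:<id>] [<Component>] <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<level>\w+)\] \[thread:(?P<thread>\d+)\] "
    r"\[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample log: one valid-key exchange followed by one invalid-key exchange.
SAMPLE_LOG = """\
2019-12-02 06:43:37.050 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:43:37.051 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:43:37.109 [Information] [thread:8980] [SensorQueryServer] Received echo request
2019-12-02 06:43:37.118 [Information] [thread:8980] [SensorQueryServer] Echo response sent
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] Creating connection
2019-12-02 06:48:52.158 [Information] [thread:8980] [SensorQueryServer] readEchoRequest start
2019-12-02 06:48:52.158 [Error] [thread:8980] [SensorQueryServer] HMAC verification failed
"""


def parse_lines(text):
    """Yield one dict per line that matches the log format; skip anything else."""
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            yield match.groupdict()


def summarize_connections(text):
    """Group SensorQueryServer messages into connections (each begins at
    'Creating connection') and classify each one:
      ok           - an echo response was sent (authentication key accepted)
      hmac_failed  - HMAC verification failed (key on the Firebox and in the TDR account differ)
      incomplete   - the connection was opened but neither outcome was logged
    """
    connections = []
    current = None
    for rec in parse_lines(text):
        if rec["component"] != "SensorQueryServer":
            continue
        msg = rec["msg"]
        if msg == "Creating connection":
            current = {"started": rec["ts"], "thread": rec["thread"], "status": "incomplete"}
            connections.append(current)
        elif current is None:
            continue  # message before any connection was created
        elif "HMAC verification failed" in msg:
            current["status"] = "hmac_failed"
        elif msg == "Echo response sent":
            current["status"] = "ok"
    return connections


if __name__ == "__main__":
    for conn in summarize_connections(SAMPLE_LOG):
        print(conn["started"], conn["status"])
```

Run it against a real log with `summarize_connections(open(path).read())`; a run of `hmac_failed` entries is the signature of a mismatched TDR authentication key.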

See Also

About TDR Host Sensor Enforcement

Configure TDR Host Sensor Enforcement

About TDR