Network Access Enforcement Overview

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

With network access enforcement (previously called endpoint enforcement), network administrators can specify that endpoint devices meet security requirements before they can connect to the network. For example, administrators can require that endpoint devices are protected by a WatchGuard Endpoint Security product. This provides an extra layer of security when an endpoint connects to your corporate network, and makes the network more secure because only endpoints unlikely to be compromised by malware can connect.

You can enable network access enforcement for these types of connections:

  • A VPN connection to a Firebox
  • A Wi-Fi connection to a WatchGuard access point

How Network Access Enforcement Works

When you enable network access enforcement, devices that try to connect to a Firebox VPN or an access point Wi-Fi network must have WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, or EPP installed, running, and with real-time protection activated.

With network access enforcement, a device must meet specific security requirements that are defined by the WatchGuard Endpoint Security configuration. A network administrator configures the security settings from the WatchGuard Endpoint Security user interface.

Before an endpoint device can connect to the network, it must have these security settings:

  • Devices with WatchGuard Advanced EPDR, EPDR, EDR, or EPP installed must have Advanced Protection enabled in hardening or lock mode, or antivirus enabled and running.
  • Devices with WatchGuard EDR Core installed must have Advanced Protection enabled.

The WatchGuard Endpoint Agent installed on the device collects and sends the information that the Firebox or access point requires to verify that the device meets the necessary requirements. The endpoint agent and the Firebox verify that the device is associated with the account UUID specified in the Firebox or access point network access enforcement settings and in the Network Services settings (Network Access Enforcement tab) of the WatchGuard Endpoint Security management UI. If the endpoint device does not meet the requirements, the Firebox or access point rejects the connection.
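The decision the Firebox or access point makes can be written out as a small posture check. The following is an added illustration, not WatchGuard's own agent code or report format: the `PostureReport` fields, the `evaluate` function and the mode strings are assumptions, chosen only to mirror the requirements listed above (supported product installed and running with real-time protection, matching account UUID, and the product-specific Advanced Protection or antivirus rule).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical posture report sent by the endpoint agent (field names are assumptions).
@dataclass
class PostureReport:
    product: Optional[str]             # e.g. "EPDR", "EDR Core", or None if not installed
    running: bool                      # product process is running
    realtime_protection: bool          # real-time protection activated
    advanced_protection: Optional[str] # None if disabled, else a mode such as "hardening" or "lock"
    antivirus_enabled: bool            # antivirus enabled and running
    account_uuid: str                  # account the agent is associated with

SUPPORTED_PRODUCTS = {"Advanced EPDR", "EPDR", "EDR", "EDR Core", "EPP"}
HARDENED_MODES = {"hardening", "lock"}

def evaluate(report: PostureReport, configured_account_uuid: str) -> Tuple[bool, str]:
    """Apply the enforcement rules in order; return (allowed, reason) for logging."""
    if report.product not in SUPPORTED_PRODUCTS:
        return False, "no supported WatchGuard Endpoint Security product installed"
    if not report.running:
        return False, "endpoint security product is not running"
    if not report.realtime_protection:
        return False, "real-time protection is not activated"
    # The device must belong to the account UUID configured on the Firebox / access point.
    if report.account_uuid != configured_account_uuid:
        return False, "device is not associated with the configured account UUID"
    if report.product == "EDR Core":
        # EDR Core has no antivirus fallback: Advanced Protection must be enabled.
        if report.advanced_protection is None:
            return False, "EDR Core requires Advanced Protection to be enabled"
    else:
        hardened = report.advanced_protection in HARDENED_MODES
        if not (hardened or report.antivirus_enabled):
            return False, "requires Advanced Protection in hardening/lock mode or antivirus enabled"
    return True, "device meets network access enforcement requirements"

if __name__ == "__main__":
    # Constructed sample: a compliant EPDR device against a placeholder account UUID.
    sample = PostureReport("EPDR", True, True, "lock", False, "00000000-0000-0000-0000-000000000000")
    print(evaluate(sample, "00000000-0000-0000-0000-000000000000"))
```

The reason string is what a defender would want in the connection log when a VPN or Wi-Fi client is rejected, since the endpoint agent itself reports only the posture facts.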

Configure Network Access Enforcement

You can enable network access enforcement for each type of connection: