Patch Management Best Practices — Cache Optimization
Applies To: WatchGuard Patch Management
This topic describes how to configure and optimize Endpoint Security cache computers to improve patch distribution performance across your environment. Complete these steps to help reduce bandwidth usage, balance load, and make sure that patch deployment remains reliable at scale.
Select and Prepare Cache Computers
Select five to seven computers that you want to designate as cache computers.
Each cache computer must meet these requirements:
- 1 Gbps Ethernet or faster connection. Do not use Wi‑Fi or 100 Mbps Ethernet.
- Server-class hardware that remains powered on continuously. Avoid devices that enter sleep or low-power states.
- At least 100 GB of SSD storage capacity. Do not use mechanical HDDs. To accommodate future growth in Microsoft patch sizes, configure 200 GB SSD capacity.
For information on how to designate a cache computer in the Endpoint Security management UI, go to Designate a Cache Computer (Windows computers).
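One way to check a candidate Windows computer against the network and storage requirements above before you designate it. This is an added example, not WatchGuard code. The `$CacheDrive` default and the parameter names are assumptions, and the always-on power requirement is not checked.

```powershell
# Added example: checks this computer against the network and storage
# requirements listed above and returns one result object.
param(
    [string]$CacheDrive = 'C',   # assumption: volume that will hold cached patches
    [int]$MinCapacityGB = 100    # page minimum; pass 200 to plan for patch growth
)

$findings = @()

# Network: require a connected wired (802.3) adapter at 1 Gbps or faster.
$up = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
$wiredFast = @($up | Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Speed -ge 1000000000 })
if ($wiredFast.Count -eq 0) {
    $seen = ($up | ForEach-Object { "$($_.Name): $($_.PhysicalMediaType), $($_.LinkSpeed)" }) -join '; '
    $findings += "No wired adapter at 1 Gbps or faster (connected: $seen)"
}

# Storage: the physical disk behind the cache volume must report as SSD.
# Assumption: Get-PhysicalDisk DeviceId matches the disk number, which holds
# for plain disks but not for Storage Spaces or some RAID controllers.
$partition = Get-Partition -DriveLetter $CacheDrive -ErrorAction Stop
$disk = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq $partition.DiskNumber }
if (-not $disk) {
    $findings += "Could not map drive ${CacheDrive}: to a physical disk; check media type manually"
} elseif ($disk.MediaType -ne 'SSD') {
    $findings += "Drive ${CacheDrive}: is on media type '$($disk.MediaType)', not SSD"
}

# Capacity: compare the volume size with the required minimum.
$volume = Get-Volume -DriveLetter $CacheDrive
$capacityGB = [math]::Round($volume.Size / 1GB, 1)
if ($capacityGB -lt $MinCapacityGB) {
    $findings += "Drive ${CacheDrive}: capacity is $capacityGB GB, below $MinCapacityGB GB"
}

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Suitable   = ($findings.Count -eq 0)
    CapacityGB = $capacityGB
    Findings   = $findings
}
```

Virtual machines and disks behind RAID controllers often report a media type of `Unspecified`, so treat that finding as a prompt to confirm the underlying storage rather than as a definite failure.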
Configure the Cache Computers
Configure each cache computer to download patches directly from the Internet. Do not configure additional cache layers or proxy servers on these computers.
To make sure that the cache process works as expected, verify that each device retrieves patches directly from the vendor.
Distribute Endpoints across Cache Computers
To prevent overload on a single cache computer, balance the distribution of your endpoints across the cache computers you configured.
To distribute the endpoints:
- Identify the total number of endpoints.
- Divide the endpoints evenly across the available cache devices.
- Create endpoint groups based on this distribution.
- Assign each group to a specific cache computer. For example, for 500 endpoints and 5 cache computers, assign approximately 100 endpoints to each cache computer.
- Validate that the distribution balances patch requests.
Prepare the Cache Computers (Optional)
This step is optional but can be useful to make sure patch deployment is reliable at scale.
To prepare the cache computers:
- Identify a scheduled patch deployment window.
- Before the deployment window begins, select one endpoint from each cache group.
- Trigger a task to apply the patch on these computers in advance of the scheduled patch deployment window. For example, if patch deployment occurs on the second Wednesday of each month, start the patch installation task earlier that day on six to seven representative endpoints.
- Confirm that the cache computers download the required patches before the full scheduled patch deployment begins.
Validate Deployment Performance
During the scheduled deployment window, validate deployment performance and installation success. To validate performance, you can:
- Monitor WAN bandwidth usage to confirm reduced external downloads.
- Measure patch deployment times across endpoints.
- Review cache utilization to make sure load distribution is even.
- Verify successful and reliable patch deployment during large-scale updates.