Configure Network Access Enforcement for a Locally-Managed Firebox

Applies To: Locally-managed Fireboxes

You can enable network access enforcement for a mobile VPN connection to a locally-managed Firebox. Network access enforcement adds integrity checks that limit mobile VPN connections to devices that follow corporate policy.

When you enable network access enforcement, endpoint devices that try to connect to a Firebox mobile VPN must have WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, or EPP installed.

Before an endpoint device can connect to the network, they must have these security settings:

  • Devices with WatchGuard Advanced EPDR, EPDR, EDR, or EPP installed must have Advanced Protection enabled in hardening or lock mode, or antivirus enabled and running.
  • Devices with WatchGuard EDR Core installed must have Advanced Protection enabled.

The WatchGuard Endpoint Agent installed on the device collects and sends the information that the Firebox requires to verify that the device meets the necessary requirements. The endpoint agent and Firebox verify that the device is associated with an account UUID specified in the Firebox network access enforcement settings and in the Network Services settings (Network Access Enforcement tab) of the WatchGuard Endpoint Security management UI. If the endpoint device does not meet these requirements, the Firebox rejects the connection.

How it Works

  1. An endpoint device tries to connect to the mobile VPN on the locally-managed Firebox.
  2. The Firebox allows the VPN connection, but initially allows only one-way VPN communication from the Firebox to the device.
  3. The Firebox connects to the device through the VPN over TCP port 33000.
  4. The Firebox verifies that the endpoint is associated with the account UUID specified in the Firebox network access enforcement settings and in the Network Services settings of the Endpoint Security management UI.
  5. The Firebox verifies that the endpoint device meets the operating system requirement (if specified).

Before You Begin

Before you configure network access enforcement:

  • Verify operating system compatibility — Network access enforcement supports Windows and macOS operating systems. For information about mobile VPN operating system compatibility, go to the Operating System Compatibility Matrix section of the Fireware Release Notes. For information about WatchGuard Endpoint Security operating system compatibility, got to the Installation Requirements section of the WatchGuard Endpoint Security Release Notes.
  • Configure at least one mobile VPN — The Firebox supports network access enforcement for all mobile VPN types. For more information, go to Select a Mobile VPN Type.
  • Configure mobile VPN user groups — To enable network access enforcement, create mobile VPN user groups.

Network access enforcement requires a Firebox with a Total Security Suite license.

Configure Network Access Enforcement on the Locally-Managed Firebox

This step to configure network access enforcement on Fireboxes that run Fireware v12.9 and higher is required for the WatchGuard Endpoint Agent to access the network.

In Fireware v12.5.4 to v12.8.2, Network Access Enforcement is called Endpoint Enforcement in the user interface.

  1. Select Subscription Services > Network Access Enforcement.

  2. Select the Enable Network Access Enforcement check box.
  3. Generate a random UUID for the account UUID.
    Use a random UUID. UUID is an open format, with free tools available from vendors such as Microsoft or https://www.uuidgenerator.net/. We recommend you record this information before you proceed with the Network Access Enforcement configuration in Endpoint Security.
  4. Add the Account UUID and an Authentication Key for the account:
    1. Click Add.
    2. Type the Account UUID.
    3. Type the TDR Authentication Key.
      Use a long authentication key that includes uppercase, numeric, and special characters. We recommend you record this information before you proceed with the Network Access Enforcement configuration in Endpoint Security.
    4. Click OK.
    5. Repeat this step to add up to 5 accounts.
  1. (Optional) From the Minimum Operating System Versions section, select requirements for Windows, macOS, or both.
    1. From the Windows drop-down list, select Windows 8.1, Windows 10, Windows 11, Any, or Custom.
    2. From the macOS drop-down list, select Catalina 10.15, BigSur 11.0, Monterey 12.0, Ventura 13.0, Any, or Custom.
      If you select Any, endpoints can run any Windows or macOS operating system supported by WatchGuard. For a list of supported operating systems, go to the Installation Requirements in the Endpoint Security Release Notes. If you select Custom, enter a specific OS version number. You can enter up to three segments, separated by periods (for example, 13.3.1). You cannot enter letters.
  2. Click Save.
  3. When prompted to apply network access enforcement to groups, click OK.
  1. Select Subscription Services > Network Access Enforcement.

  2. Select the Enable Network Access Enforcement check box.
  3. Generate a random UUID for the account UUID.
    You can use a random UUID. UUID is an open format, with free tools available from vendors such as Microsoft or https://www.uuidgenerator.net/.
  4. Add an Account UUID and an Authentication Key.
    1. Click Add.
    2. Type the Account UUID.
    3. Type the TDR Authentication Key.
      Use a long authentication key that includes uppercase, numeric, and special characters.
    4. Click OK.
  1. (Optional) From the Minimum Operating System Versions drop-down list, select requirements for Windows, macOS, or both.
    1. From the Windows drop-down list, select Windows 8.1, Windows 10, or Any.
    2. From the macOS drop-down list, select High Sierra 10.13, Mojave 10.14, Catalina 10.15, or Any.
      If you select Any, endpoints can run any Windows or macOS operating system supported by WatchGuard. For a list of supported operating systems, go to the Installation Requirements in the Endpoint Security Release Notes.
  2. Click OK.
  3. When prompted to apply enforcement to groups, click OK.

Configure Network Access Enforcement for a Mobile VPN Group

You must now enable network access enforcement for a mobile VPN group. Users that are members of the mobile VPN group must meet the requirements from Before You Begin in this section.

For a user who belongs to multiple mobile VPN groups, enforcement applies to that user if:

  • The mobile VPN groups are all part of the same mobile VPN configuration, and
  • You enable network access enforcement for only some of those groups.

For example, if a user belongs to two mobile VPN with IKEv2 groups, but you enable enforcement for only one of those groups, enforcement applies to that user.

For a user who belongs to multiple groups that are part of different mobile VPN configurations, if network access enforcement is enabled for only some of the groups, enforcement applies to that user for only some types of mobile VPN connections. For example:

  • If a user is part of the IKEv2-Users and SSLVPN-Users groups, and you enable enforcement only for IKEv2-Users, enforcement applies to that user only for mobile VPN with IKEv2 connections.
  • Enforcement does not apply to that user for mobile VPN with SSL connections.

You cannot enable network access enforcement for individual mobile VPN users.

Mobile VPN with IKEv2

  1. Select VPN > Mobile VPN.
  2. In the IKEv2 section, click Configure.
  3. Select Authentication.
  4. From Users and Groups, select the check box next to a group.
  5. In the Network Access Enforcement column, select Yes.

Screen shot of the Host Sensor Enforcement settings

  1. Click Save.
  1. Select VPN > Mobile VPN > IKEv2.
  2. Select Authentication.
  3. From the left column, select the check box next to the group.
    You can now change the Network Access Enforcement setting.
  4. In the Network Access Enforcement column, select the check box for the group.

  5. Click OK.

Mobile VPN with L2TP

  1. Select VPN > Mobile VPN.
  2. In the L2TP section, click Manually Configure.
  3. Select Authentication.
  4. From Users and Groups, select the check box next to a group.
  5. In the Network Access Enforcement column, select Yes.

Screen shot of the Host Sensor Enforcement settings

  1. Click Save.
  1. Select VPN > Mobile VPN > L2TP.
  2. Select Authentication.
  3. From the left column, select the check box next to the group.
    You can now change the Network Access Enforcement setting.
  4. In the Network Access Enforcement column, select the check box for the group.

  5. Click OK.

Mobile VPN with SSL:

  1. Select VPN > Mobile VPN.
  2. In the SSL section, click Configure.
  3. Select Authentication.
  4. From Users and Groups, select the check box next to a group.
  5. In the Network Access Enforcement column, select Yes.

Screen shot of the Host Sensor Enforcement settings

  1. Click Save.
  1. Select VPN > Mobile VPN > SSL.
  2. Select Authentication.
  3. From the left column, select the check box next to the group.
    You can now change the Network Access Enforcement setting.
  4. In the Network Access Enforcement column, select the check box for the group.

  5. Click OK.

Mobile VPN with IPSec:

  1. To enable network access enforcement for Firebox-DB users, select Authentication > Servers > Firebox-DB.
    Or, to enable network access enforcement for users on third-party authentication servers, select Authentication > Users and Groups.
  2. Select a group and click Edit.
    For Firebox-DB users, the Firebox Group authentication settings dialog box opens. For users on third-party authentication servers, the Edit User or Group dialog box opens.
  3. Select the Enable Network Access Enforcement check box.

Screen shot of the Edit User or Group settings in Fireware Web UI

  1. Click OK.
  1. To enable network access enforcement for Firebox-DB users, select Setup > Authentication > Authentication Servers > Firebox-DB.
    Or, to enable network access enforcement for users on third-party authentication servers, select Authentication > Users and Groups.
  2. Select a group and click Edit.
    For Firebox-DB users, the Firebox Group authentication settings dialog box opens. For users on third-party authentication servers, the Edit User or Group dialog box opens.
  3. Select the Enable Network Access Enforcement check box.

Screen shot of the Firebox Group dialog box

  1. Click OK.

Enable Network Access Enforcement in Endpoint Security

After you enable and configure network access enforcement on the Firebox, you must configure network access enforcement settings in WatchGuard Endpoint Security.

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Network Services.
  4. Click Network Access Enforcement.
  5. Enable the Enable Network Access Enforcement toggle.
  6. In the Account UUID text box, type the UUID for the Firebox.
    This UUID must be the same as the UUID you specify in the Firebox configuration.
  7. In the Authentication Key text box, type the authentication key.
    This must be the same as the authentication key you specify in the Firebox configuration.
  8. Click Save Changes.

Related Topics

Network Access Enforcement Overview

Configure Network Access Enforcement in Fireware