Configure Endpoint Enforcement
This topic explains how to configure endpoint enforcement with and without a TDR Host Sensor. The WatchGuard Endpoint Agent syncs data for endpoints with WatchGuard EDR Core, WatchGuard EDR, or WatchGuard EPDR installed and can be used for endpoint enforcement. To understand more about how this feature works, see About Endpoint Enforcement.
In Fireware v12.5.4 to v12.8.2, this feature is called TDR Host Sensor Enforcement.
For devices that run Fireware v12.9 and higher, when you enable local management with cloud reporting for your Firebox, TDR is automatically enabled. You do not need to enable TDR in order to enable endpoint enforcement.
Before You Begin
Endpoint enforcement and TDR Host Sensor Enforcement require a Firebox with a Total Security Suite license.
Before you configure endpoint enforcement:
- Verify operating system compatibility
Endpoint enforcement supports Windows and macOS operating systems included in the Operating System Compatibility Matrix section of the Fireware Release Notes.
- If required, configure your TDR account and install the TDR Host Sensor
For devices that run Fireware v12.5.4 to v12.8.2, you must enable TDR and configure the account UUID before you can enable endpoint enforcement. Your Firebox must have an active TDR subscription. To configure TDR, see Quick Start — Set Up TDR.
You can install the TDR Host Sensor manually or automatically. For more information about TDR Host Sensor installation, see Manage TDR Hosts and Host Sensors.
- Configure at least one mobile VPN
The Firebox supports endpoint enforcement for all mobile VPN types. For more information about mobile VPNs, see Mobile VPN Tunnels.
- Configure mobile VPN user groups
To enable endpoint enforcement for Windows or macOS mobile users on a network with Android or iOS mobile users, create separate mobile VPN user groups. For example:
- Create a user group called Windows and macOS users.
- Create a user group called Android and iOS users.
The Mobile VPN section in this topic explains how to apply endpoint enforcement to user groups.
Configure Endpoint Enforcement
You enable endpoint enforcement in multiple locations:
- TDR — Host Sensor settings
- Firebox — Endpoint enforcement settings and mobile VPN settings (In Fireware v12.5.4 to v12.8.2, these settings are called TDR Host Sensor Enforcement.)
- WatchGuard Endpoint Security — Endpoint enforcement settings and Network Services settings in the Endpoint Security management UI. For more information, see Configure Secure VPN.
Configure Endpoint Enforcement in TDR Host Sensor Settings
For devices that run Fireware v12.5.4 to v12.8.2, you must enable endpoint enforcement in your TDR account and generate an account UUID before you can enable endpoint enforcement on the Firebox.
- Log in to TDR.
- Select Configure > Threat Detection.
- In the Host Sensor section, select Settings.
- In the Firebox VPN Validation section, turn On Host Sensor enforcement.
- Specify a TDR authentication key manually or click Generate to generate a random authentication key.
Configure Endpoint Enforcement on the Firebox
This step to configure endpoint enforcement on the Firebox is required for endpoint enforcement with TDR Host Sensors and the WatchGuard Endpoint Agent.
In Fireware Web UI:
- Select Subscription Services > Endpoint Enforcement.
- Select Enable Endpoint Enforcement.
If you had TDR Host Sensor Enforcement previously enabled, endpoint enforcement is enabled automatically when you upgrade to Fireware v12.9.
- Add the Account UUID and Authentication Key.
You can add up to 5 TDR accounts.
- Click Add.
- Type the Account UUID.
- Type the Authentication Key.
- Click OK.
- (Optional) From the Minimum Operating System Versions section, select requirements for Windows, macOS, or both.
- From the Windows drop-down list, select Windows 8.1, Windows 10, or Any.
- From the macOS drop-down list, select High Sierra 10.13, Mojave 10.14, Catalina 10.15, or Any.
If you select Any, hosts can have any Windows or macOS operating system supported by WatchGuard. For a list of supported operating systems, see the Operating System Compatibility Matrix in the Fireware Release Notes.
Operating system enforcement does not apply to Windows Server operating systems. If a user connects to a mobile VPN from a supported Windows Server operating system, the Firebox allows the connection regardless of operating system enforcement settings if the Windows Server system meets all other endpoint enforcement requirements.
- Click Save.
In Policy Manager:
- Select Subscription Services > Endpoint Enforcement. In Fireware v12.5.4 to v12.8.2, select Subscription Services > Threat Detection.
- Select Enable Endpoint Enforcement.
- In Fireware v12.5.4 to v12.8.2, select the Enable Threat Detection and Response check box. Specify the TDR Authentication Key for the Primary Account UUID. Select Enable Host Sensor Enforcement.
- Add an Account UUID and Authentication Key.
You can add up to four TDR accounts.
- Click Add.
- Type the Account UUID.
- Type the Authentication Key.
- Click OK.
- (Optional) From the Minimum Operating System Versions drop-down list, select requirements for Windows, macOS, or both.
- From the Windows drop-down list, select Windows 8.1, Windows 10, or Any.
- From the macOS drop-down list, select High Sierra 10.13, Mojave 10.14, Catalina 10.15, or Any.
If you select Any, hosts can have any Windows or macOS operating system supported by WatchGuard. For a list of supported operating systems, see the Operating System Compatibility Matrix in the Fireware Release Notes.
Operating system enforcement does not apply to Windows Server operating systems. If a user connects to a mobile VPN from a supported Windows Server operating system, the Firebox allows the connection regardless of operating system enforcement settings if the Windows Server system meets all other endpoint enforcement requirements.
- Click Save.
When you save a configuration with Host Sensor enforcement to a Firebox that runs a Fireware version lower than v12.9, you are prompted to enable TDR. When you save a configuration with TDR enabled to a Firebox that runs Fireware v12.9 or higher, a message informs you that you do not need to enable TDR in Policy Manager; TDR is enabled automatically on locally-managed Fireboxes with cloud reporting.
Configure Endpoint Enforcement for the Mobile VPN
Next, enable endpoint enforcement for one or more mobile VPN groups. You cannot enable endpoint enforcement for individual mobile VPN users.
To enable endpoint enforcement for Windows and macOS mobile users on a network with Android or iOS mobile users, apply endpoint enforcement to separate mobile VPN user groups.
For example:
- Windows and macOS users — Enable endpoint enforcement for this group.
- Android and iOS users — Keep endpoint enforcement disabled for this group.
- IKEv2-Users — Keep endpoint enforcement disabled for this default VPN group.
If you select the Select check box for a group, the Firebox adds that group to the default group (IKEv2-Users, SSLVPN-Users, L2TP-Users, or IPSec-Users). If you enable endpoint enforcement for only some groups that are part of the default group, keep enforcement disabled for the default group.
For a user who belongs to multiple mobile VPN groups, enforcement applies to that user if:
- The mobile VPN groups are all part of the same mobile VPN configuration, and
- You enable Endpoint Enforcement for only some of those groups.
For example, if a user belongs to two Mobile VPN with IKEv2 groups, but you enable enforcement for only one of those groups, enforcement applies to that user.
For a user who belongs to multiple groups that are part of different mobile VPN configurations, if endpoint enforcement is enabled for only some of the groups, enforcement applies to that user for only some types of mobile VPN connections. For example:
- If a user is part of the IKEv2-Users and SSLVPN-Users groups, and you enable enforcement only for IKEv2-Users, enforcement applies to that user only for mobile VPN with IKEv2 connections.
- Enforcement does not apply to that user for mobile VPN with SSL connections.
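The group and operating system rules above can be checked against a concrete policy before you commit a configuration. The following is an added illustration written for this topic, not WatchGuard code, and it models a simplified reading of the rules: each mobile VPN user group belongs to one mobile VPN configuration, enforcement applies to a connection when any of the user's groups in that configuration has Endpoint Enforcement enabled, and an enforced connection then requires the endpoint agent or Host Sensor plus the minimum operating system version, with Windows Server exempt from the version check. The `Policy`, `Host` and `decide` names, and the sample group names, are constructed for the example.

```python
from dataclasses import dataclass

# Version ordering for the minimum-OS drop-down lists described in this topic.
WINDOWS_ORDER = ["Windows 8.1", "Windows 10"]
MACOS_ORDER = ["High Sierra 10.13", "Mojave 10.14", "Catalina 10.15"]


@dataclass(frozen=True)
class Host:
    os_family: str       # "windows", "macos" or "windows_server"
    os_version: str      # e.g. "Windows 10" or "Mojave 10.14"
    agent_present: bool  # endpoint agent / TDR Host Sensor installed and synced


@dataclass(frozen=True)
class Policy:
    group_vpn: dict           # group name -> mobile VPN configuration ("IKEv2", "SSL", ...)
    enforced: frozenset       # groups with Endpoint Enforcement enabled
    min_windows: str = "Any"  # "Windows 8.1", "Windows 10" or "Any"
    min_macos: str = "Any"    # "High Sierra 10.13", "Mojave 10.14", "Catalina 10.15" or "Any"


def enforcement_applies(policy, user_groups, vpn_type):
    """Enforcement applies to a connection of vpn_type when any of the user's
    groups in that mobile VPN configuration has Endpoint Enforcement enabled."""
    return any(policy.group_vpn.get(g) == vpn_type and g in policy.enforced
               for g in user_groups)


def _at_least(order, have, want):
    """True when 'have' is at or above 'want' in the version ordering.
    Unknown versions fail closed."""
    try:
        return order.index(have) >= order.index(want)
    except ValueError:
        return False


def meets_os_minimum(host, policy):
    """Windows Server is exempt from the version check; 'Any' means no requirement."""
    if host.os_family == "windows_server":
        return True
    if host.os_family == "windows":
        return policy.min_windows == "Any" or _at_least(
            WINDOWS_ORDER, host.os_version, policy.min_windows)
    if host.os_family == "macos":
        return policy.min_macos == "Any" or _at_least(
            MACOS_ORDER, host.os_version, policy.min_macos)
    return False


def decide(policy, user_groups, vpn_type, host):
    """Return (allowed, reason) for one mobile VPN connection attempt."""
    if not enforcement_applies(policy, user_groups, vpn_type):
        return True, "enforcement not applied for this connection"
    if not host.agent_present:
        return False, "endpoint agent or Host Sensor not detected"
    if not meets_os_minimum(host, policy):
        return False, "operating system below configured minimum"
    return True, "endpoint enforcement checks passed"


# Constructed policies mirroring the two examples in this topic.
SAME_CONFIG_POLICY = Policy(
    group_vpn={"IKEv2-Users": "IKEv2", "Windows and macOS users": "IKEv2",
               "Android and iOS users": "IKEv2"},
    enforced=frozenset({"Windows and macOS users"}),
    min_windows="Windows 10",
)
MIXED_CONFIG_POLICY = Policy(
    group_vpn={"IKEv2-Users": "IKEv2", "SSLVPN-Users": "SSL"},
    enforced=frozenset({"IKEv2-Users"}),
)

if __name__ == "__main__":
    laptop = Host("windows", "Windows 8.1", agent_present=True)
    server = Host("windows_server", "Windows Server", agent_present=True)
    print(decide(SAME_CONFIG_POLICY, ["Windows and macOS users", "IKEv2-Users"], "IKEv2", laptop))
    print(decide(SAME_CONFIG_POLICY, ["Windows and macOS users"], "IKEv2", server))
    print(decide(MIXED_CONFIG_POLICY, ["IKEv2-Users", "SSLVPN-Users"], "SSL", laptop))
```

Because enforcement applies when any enforced group matches, enabling Endpoint Enforcement on a default group such as IKEv2-Users makes it apply to every member of that configuration, which is why the topic advises keeping the default group disabled when only some of its member groups should be enforced.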
Mobile VPN with IKEv2:
In Fireware Web UI:
- Select VPN > Mobile VPN.
- In the IKEv2 section, click Configure.
- Select Authentication.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
In Policy Manager:
- Select VPN > Mobile VPN > IKEv2.
- Select Authentication.
- From the left column, select the check box adjacent to the group.
You can now change the Endpoint Enforcement setting.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
Mobile VPN with L2TP:
In Fireware Web UI:
- Select VPN > Mobile VPN.
- In the L2TP section, click Configure.
- Select Authentication.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
In Policy Manager:
- Select VPN > Mobile VPN > L2TP.
- Select Authentication.
- From the left column, select the check box adjacent to the group.
You can now change the Endpoint Enforcement setting.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
Mobile VPN with SSL:
In Fireware Web UI:
- Select VPN > Mobile VPN.
- In the SSL section, click Configure.
- Select Authentication.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
In Policy Manager:
- Select VPN > Mobile VPN > SSL.
- Select Authentication.
- From the left column, select the check box adjacent to the group.
You can now change the Endpoint Enforcement setting.
- In the Endpoint Enforcement column, select the check box adjacent to the group.
Mobile VPN with IPSec:
In Fireware Web UI:
- To enable endpoint enforcement for Firebox-DB users, select Authentication > Servers > Firebox-DB.
- To enable endpoint enforcement for users on third-party authentication servers, select Authentication > Users and Groups.
- Select a group and click Edit.
For Firebox-DB users, the Firebox Group authentication settings dialog box opens. For users on third-party authentication servers, the Edit User or Group dialog box opens.
- Select Enable Endpoint Enforcement.
In Policy Manager:
- To enable endpoint enforcement for Firebox-DB users, select Setup > Authentication > Authentication Servers > Firebox-DB.
- To enable endpoint enforcement for users on third-party authentication servers, select Authentication > Users and Groups.
- Select a group and click Edit.
For Firebox-DB users, the Firebox Group authentication settings dialog box opens. For users on third-party authentication servers, the Edit User or Group dialog box opens.
- Select Enable Endpoint Enforcement.