Configure Network Access Enforcement for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

You can enable network access enforcement for a VPN connection to a cloud-managed Firebox. You can configure network access enforcement for Mobile VPN with SSL and Mobile VPN with IKEv2 user groups.

With network access enforcement for cloud-managed Fireboxes, network administrators can verify the identity and security of a device that tries to connect to the corporate network.

Before an endpoint device can connect to the network, they must have these security settings:

  • Devices with WatchGuard Advanced EPDR, EPDR, EDR, or EPP installed must have Advanced Protection enabled in hardening or lock mode, or antivirus enabled and running.
  • Devices with WatchGuard EDR Core installed must have Advanced Protection enabled.

The WatchGuard Endpoint Agent installed on the device collects and sends the information that the Firebox requires to verify that the device meets the necessary requirements. The endpoint agent and Firebox verify that the device is associated with an account UUID specified in the Firebox network access enforcement settings and in the Network Services settings (Network Access Enforcement tab) of the WatchGuard Endpoint Security management UI. If the endpoint device does not meet the requirements, the Firebox rejects the connection.

To enable network access enforcement for a cloud-managed Firebox, the Firebox must run Fireware v12.9 or higher.

How it Works

  1. An endpoint device tries to connect to the mobile VPN on the cloud-managed Firebox.
  2. The cloud-managed Firebox allows the VPN connection, but initially allows only one-way VPN communication from the Firebox to the device.
  3. The cloud-managed Firebox checks the endpoint client to validate if the device has a WatchGuard Endpoint Security product installed.
  4. The cloud-managed Firebox verifies that the endpoint is associated with the account UUID specified in the Firebox network access enforcement settings and in the Network Services settings of the WatchGuard Endpoint Security management UI.
  5. If all these checks pass, the endpoint device connects to the network through the mobile VPN.

Before You Begin

Before you configure network access enforcement:

Network access enforcement requires a Firebox with a Total Security Suite license.

Enable Network Access Enforcement in Endpoint Security

Before you enable Network Access Enforcement for a cloud-managed Firebox mobile VPN, you must first enable and configure network access enforcement in WatchGuard Endpoint Security.

The WatchGuard Endpoint Security configuration for Network Access Enforcement requires the Account UUID and Authentication Key of the WatchGuard Cloud account that manages your devices.

This information is available on the Administration > My Account page in WatchGuard Cloud. We recommend you record this information before you proceed with the Network Access Enforcement configuration in Endpoint Security.

Screen shot of the Network Access Enforcement UUID and Authentication Key for a WatchGuard Cloud account

To configure Network Access Enforcement, from WatchGuard Endpoint Security:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Network Services.

Screen shot of Network Services, Network Access Enforcement tab

  1. Select Network Access Enforcement.
  2. Enable the Enable Network Access Enforcement toggle.

Screen shot of Network Services, Network Access Enforcement enabled

  1. In the Account UUID and Authentication Key text boxes, type the UUID and authentication key for the WatchGuard Cloud account that manages your devices.

If an endpoint device has been stolen or compromised, you can generate a new authentication key for devices to re-authenticate with Network Access Enforcement. From the Administration > My Account page in WatchGuard Cloud, click the refresh icon next to Authentication Key to generate a new key. After you generate a new key, WatchGuard Cloud auto-deploys the refreshed key pair to the device. Make sure to update these values in the WatchGuard Endpoint Security Network Access Enforcement configuration.

This information is available on the Administration > My Account page in WatchGuard Cloud.

  1. Click Save Changes.

It might take several minutes for the Network Access Enforcement configuration to deploy to your devices.

For more information about network access enforcement and Endpoint Security, go to Configure Network Access Enforcement in WatchGuard Endpoint Security.

Enable Network Access Enforcement for a Mobile VPN Group

Next, enable network access enforcement for one or more mobile VPN groups in your cloud-managed Firebox configuration. You cannot enable network access enforcement for individual mobile VPN users.

If a group is a member of a mobile VPN type, and you enable network access enforcement for the group from another mobile VPN type that the group also belongs to, network access enforcement is enabled for the group in both mobile VPN types.

  1. Log in to WatchGuard Cloud at cloud.watchguard.com.
  2. If you are a Service Provider, select an account.
  3. Select Configure > Devices.
  4. Select the cloud-managed Firebox.
  5. Click Device Configuration.
  6. In the VPN section, click the Mobile VPN tile.
  7. Select a mobile VPN (IKEv2 or SSL).
  8. In the mobile VPN configuration, go to the Users and Groups section.
  9. From the Name column for a group, select the check box next to one or more groups.
  10. Select Actions > Enable Network Access Enforcement.

  1. Click Save.
  2. Deploy the configuration changes to your cloud-managed Firebox.

Related Topics

Video tutorial: Network Access Enforcement

Network Access Enforcement Overview

Configure Mobile VPN with SSL for a Cloud-Managed Firebox

Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox