ThreatSync Requirements
Applies To: ThreatSync
ThreatSync provides eXtended Detection and Response (XDR) technology for WatchGuard network devices (Fireboxes, access points), Endpoint Security, and AuthPoint products.
ThreatSync is a WatchGuard unified security feature included with these licenses:
- Firebox Total Security Suite (TSS)
- Access Point USP Wi-Fi Management
- Advanced Endpoint Protection Detection and Response (Advanced EPDR)
- Endpoint Protection Detection and Response (EPDR)
- Endpoint Detection and Response (EDR)
- Endpoint Detection and Response Core (EDR Core)
- AuthPoint Multi-Factor Authentication
- AuthPoint Total Identity Security
WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.
Firebox Requirements
- Fireware v12.9 or higher
- Connected to WatchGuard Cloud for logging and reporting
Endpoint Security Requirements
- WatchGuard Endpoint Security Windows software v.8.00.21.0001 or higher
- If you have both Firebox and Endpoint Security licenses, the endpoint must be behind the Firebox
Access Point Requirements
- A valid USP Wi-Fi Management license.
- To send data to ThreatSync, access points must run firmware v2.2.23 or higher and have Airspace Monitoring enabled.
- To perform response actions against malicious access points when integrated with ThreatSync, access points must run firmware v2.7.9 or higher and have Airspace Monitoring enabled.
- An AP230W, AP330, or AP430CR with a dedicated scanning radio is required for over-the-air Evil Twin detection and ThreatSync response actions to block wireless client connections to malicious access points. All other Wi-Fi in WatchGuard Cloud access point models can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions. For larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
- Wireless scanning and response actions can potentially affect the performance of an access point during detection and response to a malicious access point.
- You cannot perform over-the-air response actions against malicious access points that use WPA3 security, WPA2 security with Protect Management Frames enabled (802.11w), or OWE security, or against malicious access points that broadcast on a channel not in the current country of operation of the detecting access point.
Caution: Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.