ThreatSync+ NDR Release Notes

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure.

For a full description of ThreatSync+ NDR features and functionality, go to ThreatSync+ NDR Help.

Release Information Date
Latest ThreatSync+ NDR Update 12 March 2026
Release Notes Revision Date 12 March 2026

Latest Release

Release Date: 12 March 2026

Resolved Issues

  • Minor updates and bug fixes.

Previous Releases

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

Third-Party VPN Log Collection and Threat Detection

You can now monitor third-party VPN activity from third-party VPN devices to detect traffic and login anomalies. This feature associates VPN traffic logs with the logged in user for better traceability. Four policies can be configured to generate policy alerts [NDR-3567]:

  • Unusual Number of Failed Logins for a VPN User
  • Unusual Access Time for a VPN User
  • Unusual Access Location for a VPN User
  • New VPN User Detection

ThreatSync+ NDR Collection Agent Open DHCP Support

You can now monitor DHCP logs for network troubleshooting, security and monitoring, and to track IP address assignments for Cisco Meraki and Fortinet FortiGate firewalls. You can forward DHCP and VPN logs as syslogs to ThreatSync+ NDR to monitor data.

For more information, go to Fortinet Firewall Integration with ThreatSync+ NDR and Meraki Firewall Integration with ThreatSync+ NDR in Help Center. [NDR-403]

Resolved Issues

  • After a Total NDR or WatchGuard NDR for Firebox license renewal, Fireboxes now remain enabled for ThreatSync+ NDR monitoring and switches remain visible in the ThreatSync+ UI. [NDR-5488]
  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

WatchGuard NDR for Firebox License

WatchGuard NDR for Firebox is licensed by Firebox model to provide comprehensive traffic monitoring, in-depth VPN log analysis, DHCP log analysis, and device monitoring for any endpoint connected to a Firebox.

You can now allocate WatchGuard NDR for Firebox licenses to your managed accounts. From the new Licenses tab on the Configure > ThreatSync+ Integrations > Firebox page, you can assign WatchGuard NDR for Firebox licenses to Fireboxes and FireClusters in your account for ThreatSync+ NDR monitoring.

For more information, go to About WatchGuard NDR for Firebox Licenses and Configure ThreatSync+ NDR Firebox Monitoring and Remediation in Help Center. [NDR-3735]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • From the Total Traffic widget on the Network Summary page, the Activity by Source Device table now shows a pane with VLAN ID log count details when VLAN activity is available. [NDR-4946]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

ThreatSync+ NDR AWS VPC Flow Logs Cloud Integration

You can now use AWS VPC flow logs to capture information about IP traffic going to and from network interfaces in your VPC. ThreatSync+ NDR uses AWS VPC flow logs to collect, ingest, and analyze traffic to detect anomalies, identify potential security threats, and generate alerts.

For more information, go to About ThreatSync+ Cloud Integration — AWS VPC Flow Logs in Help Center.

Resolved Issues

  • The Smart Alert status now correctly updates when a Smart Alert is closed. [NDR-4532]
  • Minor updates and bug fixes. [NDR-4581]

Resolved Issues

  • Alerts are no longer generated when a Smart Alert Control rule is enabled. [NDR-4332]
  • Minor updates and bug fixes.

New Features

IONOS Flow Logs Cloud Integration

You can now use IONOS Cloud flow logs to provide enhanced visibility and threat detection in your IONOS environment. ThreatSync+ NDR uses IONOS flow logs to collect, ingest, and analyze traffic to detect anomalies, identify potential security threats, and generate alerts.

For more information, go to About ThreatSync+ NDR Cloud Integration — IONOS Flow Logs in Help Center. [NDR-3691]

Enhancements

Resolved Issues

  • Minor updates and bug fixes.

New Features

VPN Log Collection and Threat Detection

You can now monitor VPN activity from WatchGuard VPN devices to detect traffic and login anomalies. This feature associates VPN traffic logs with the logged in user for better traceability. Four new policies can be configured to generate policy alerts:

  • Unusual Number of Failed Logins for a VPN User
  • Unusual Access Time for a VPN User
  • Unusual Access Location for a VPN User
  • New VPN User Detection

For more information, go to Configure ThreatSync+ Policies and ThreatSync+ Users in Help Center. [NDR-3567]

ThreatSync+ NDR AWS VPC Flow Logs Cloud Integration (Beta)

You can now use AWS VPC flow logs to capture information about IP traffic going to and from network interfaces in your VPC. ThreatSync+ NDR uses AWS VPC flow logs to collect, ingest, and analyze traffic to detect anomalies, identify potential security threats, and generate alerts.

To learn more or to report an issue, go to the ThreatSync+ NDR Beta test community. [NDR-452]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Total XDR license is now called Total NDR. The WatchGuard Cloud UI is updated to reflect the name change. [NDR-3734]
  • The Activity Records section on the Investigate Traffic page now shows two tabs:
    • Aggregated Data — Opens by default and shows summarized activity records for quick analysis.
    • Raw Data Access — Shows detailed, unprocessed activity records for deeper investigation. [NDR-3553]

Resolved Issues

  • Minor updates and bug fixes.

New Features

Limitation Phase

If you exceed your ThreatSync+ NDR, ThreatSync+ SaaS, or Total XDR license, a Limitation Phase now begins that puts limits on the license.

When the number of active network devices exceeds 12 times the number of licensed ThreatSync+ NDR or Total NDR users, or when the number of active users exceeds 3 times the number of licensed ThreatSync+ SaaS or Total NDR users, ThreatSync+ pauses network traffic monitoring for 24 hours and enters the Limitation Phase.

For more information, go to the Limitation Phase FAQ Knowledge Base article. [NDR-2094]

Resolved Issues

  • On the Network Summary page, IP addresses from excluded networks no longer show on the Total Active Devices tab. [NDR-3738]
  • On the Network Summary page, the Devices Over Time chart now shows the correct device count. [NDR-2836]
  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

Firebox Management in ThreatSync+ NDR

You can now select which Fireboxes and FireClusters to include and exclude from ThreatSync + NDR management. [NDR-2662] For more information, go to Configure Firebox Monitoring and Remediation in Help Center.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [NDR-3898, NDR-4171]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Configure > ThreatSync+ > Devices page now shows these updates:
    • The number of devices in the device list is now 25 by default.
    • The Include Deleted Devices check box is no longer selected by default. [NDR-3784]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Subscriber dashboard now shows these ThreatSync+ widget updates:
    • The ThreatSync+ NDR License Details widget now shows a count of devices detected in the last 30 days.
    • The ThreatSync+ SaaS License Details widget now shows a count of users detected in the last 30 days.
    • The ThreatSync+ Policy Alerts widget is now the ThreatSync+ Alerts widget.

    For more information, go to About the Dashboard for Subscriber Accounts in Help Center. [NDR-3373]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • On the Smart Alert Details page, the Smart Alerts Behavior Map now shows correctly. [NDR-3551]
  • Minor updates and bug fixes. [NDR-3571, NDR-3467]

New Features

ThreatSync+ NDR Azure Flow Logs Cloud Integration

You can now use Azure Virtual Network (VNet) flow logs to provide visibility into network activity across computing resources in your Azure environment. ThreatSync+ NDR uses VNet flow logs for advanced traffic analysis, to detect anomalies, identify potential security threats, and generate alerts.

For more information, go to About ThreatSync+ Cloud Integration — Azure Flow Logs in Help Center. [NDR-451]

Total XDR

The Total XDR license enables you to protect your network with advanced artificial intelligence and machine learning-based network detection and response, schedule compliance reports to help prove compliance, and extend the network-centric threat detection and response capabilities of ThreatSync+ to your cloud integrations.

Total XDR includes:

  • ThreatSync+ NDR
  • ThreatSync+ SaaS
  • WatchGuard Compliance Reporting

For more information, go to About Total XDR in Help Center. [NDR-1150]

ThreatSync+ Incidents in ThreatSync

You can now view and manage ThreatSync+ NDR and ThreatSync+ SaaS threat alerts as incidents in the new Incident Details UI in ThreatSync. To use this feature, enable the ThreatSync+ toggle on the Device Settings page in ThreatSync. In ThreatSync+ you can enable or disable ThreatSync+ policies and Smart Alerts that you want to generate ThreatSync incidents for. Level 1 policies and Smart Alerts are enabled by default.

ThreatSync receives Smart Alerts from ThreatSync+ NDR as IOA incidents and ThreatSync+ NDR and ThreatSync+ SaaS policy alerts as Advanced Security Policy incidents.

You can use the new Block/Unblock Domain action when you respond to ThreatSync+ NDR incidents. View and manage blocked domains on the Blocked Items page in ThreatSync.

For more information, go to Configure ThreatSync Device Settings and Incident Types and Triggers in ThreatSync in Help Center. [XDR-4293]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • On the Network Summary page, the Total Traffic widget now correctly shows network traffic when internal devices are detected and a ThreatSync+ NDR Collection Agent is online. [NDR-3376]
  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

ThreatSync+ NDR Azure Flow Logs Cloud Integration (Beta)

You can now use Azure Virtual Network (VNet) flow logs to provide visibility into network activity across computing resources in your Azure environment. ThreatSync+ NDR uses VNet flow logs for advanced traffic analysis, to detect anomalies, identify potential security threats, and generate alerts. To learn more or to report an issue, go to the ThreatSync+ NDR Beta test community.

Resolved Issues

  • Minor updates and bug fixes. [NDR-3410]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • Device counts are now simplified with consistent device and subnet counts in the ThreatSync+ UI. On the Network Summary page: [NDR-2942]
    • The Total Devices widget is renamed to Total Active Devices and shows active devices seen in the last 7 days.
    • The table on the Devices tab was moved to the Total Active Devices widget. You can now view details about devices seen in the last 24 hours, 7 days, 30 days, or customize the date selection up to the last 45 days.
    • In the Total Active Devices widget, the Origin filter is now the Devices filter with options to select All Active Devices, and Active User Created Devices.

For more information, go to About the ThreatSync+ Summary Page in Help Center.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • When you configure a ThreatSync+ NDR policy to block an external IP address automatically, policy alerts and traffic logs no longer show activity from the blocked IP address. [NDR-2891]
  • The table on the Devices tab of the Network Summary page no longer includes an OS column. [NDR-2926]
  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

Firebox IP Address Remediation

You can now block or unblock IP addresses in ThreatSync+ NDR. You can perform actions on IP addresses manually or configure automatic block actions with a ThreatSync+ NDR policy. For more information, go to Configure Firebox Remediation and All IP Addresses in Help Center.

Enhancements

When you configure ThreatSync+ NDR notification rules, you can now select these additional notification types:

  • IP Addresses are Automatically Blocked
  • IP Addresses are Manually Blocked
  • IP Addresses are Manually Unblocked

For more information, go to Configure ThreatSync+ Alerts and Notification Rules in Help Center. [NDR-2609]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • You can now bundle ThreatSync+ alerts for policies and set the time duration for bundled alerts. You can bundle notifications by:
    • Policy
    • Policy and Source
    • Policy, Source, and Destination

For more information, go to Configure ThreatSync+ Alerts and Notification Rules in Help Center.[NDR-2052]

  • Two additional defense goal reports are now available with WatchGuard Compliance Reporting:
    • Network and Information Security Directive (NIS2)
    • Digital Operational Resilience Act (DORA)

ThreatSync+ NDR provides the network data required by these reports. To use Compliance Reporting, you require a ThreatSync+ NDR license and a Compliance Reporting license. For more information, go to About WatchGuard Compliance Reporting in Help Center. [NDR-516]

Resolved Issues

  • Minor updates and bug fixes. [NDR-2833]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [NDR-2670]

Resolved Issues

  • The Total Devices widget now works as expected when Monitor only my critical systems is selected on the Manage Subnets page. [NDR-1322]
  • The active device count for a ThreatSync+ NDR license now shows the correct number of active devices. [NDR-2218]
  • Minor updates and bug fixes. [NDR-2597]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [NDR-2274, NDR-2514]

Enhancements

  • You can now select new device types and roles when you add a new device on the Devices page. [NDR-2410]

Resolved Issues

  • On the Devices page, the correct device type now shows when you add a new device. [NDR-2241, NDR-2452]
  • Minor updates and bug fixes.

Enhancements

  • You can now select to receive emails for notification rules in JSON format. [NDR-2231]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • Traffic-based policies now show an Activity column on the Policy Alerts Details page. This value is the sum of the destination activities by source. [NDR-2222]

Resolved Issues

  • Minor updates and bug fixes. [NDR-2180, NDR-2258]

Enhancements

  • When you configure ThreatSync+ NDR notification rules, you can now select these additional notification types:
    • No DHCP Logs Received from a Source
    • DHCP Logs Received from a Source
    • No NDR Collector Heartbeat Detected
    • NDR Collector Heartbeat Detected
    • No NetFlow Logs Received
    • NetFlow Logs Received
    • No NetFlow Logs Received from a Source
    • NetFlow Logs Received from a Source

For more information, go to Configure ThreatSync+ Alerts and Notification Rules in Help Center.

  • In the ThreatSync+ Integrations UI, you can now mute collector failure notifications and configure which log sources have collector failure notifications muted. [NDR-1628]

Resolved Issues

  • Minor updates and bug fixes. [NDR-2202, NDR-2242]

Resolved Issues

  • The correct warning message now shows when you deallocate a ThreatSync+ NDR license. [WCD-22293]
  • Minor updates and bug fixes. [NDR-2002]

Enhancements

  • The Managed Security Service Provider (MSSP) Report now includes a Weighted/Unweighted policy alerts score and updated metrics. [NDR-1705].

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Policy Alert Details page now shows What to Look For text that provides information about the type of policy alert and recommendations on how to tune the policy. [NDR-1705]

Resolved Issues

  • In the ThreatSync+ Integrations UI, the Windows Log Agents tab now shows detailed Windows Log Agent information. [NDR-1849]
  • Minor updates and bug fixes. [NDR-1460, NDR-1719]

Resolved Issues

  • Minor updates and bug fixes. [NDR-1734]

New Features

Initial release of ThreatSync+ SaaS. For information about ThreatSync+ SaaS, go to Introduction to ThreatSync+ SaaS in Help Center.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [NDR-1471, NDR-1487, NDR-1702]

New Features

ThreatSync+ NDR Collection Agent for Linux

You can now enable and configure the ThreatSync+ NDR Collection Agent for Linux to collect logs from devices and provide real-time collector status. For more information, go to Configure Collectors for ThreatSync+ NDR (Linux Computers) in Help Center.

Enhancements

  • The ThreatSync+ NDR Collectors menu has moved to Configure > ThreatSync+ Integrations. [NDR-764]
  • On the Manage Devices page, you can now select Phone or Tablet as a device type when you create a device. [NDR-1642]
  • The ThreatSync+ NDR Collection Agent for Linux now shows an Initialization status when the collector is being installed by the WatchGuard Agent. [NDR-1453]

Resolved Issues

  • Minor updates and bug fixes. [NDR-1562, NDR-1666]

Enhancements

  • The Download WatchGuard Agent Installer dialog box now includes a Copy Download URL link. [NDR-1492]

Resolved Issues

  • Minor updates and bug fixes. [NDR-1466, NDR-1562]

Resolved Issues

  • Minor updates and bug fixes.

New Features

ThreatSync+ NDR Collection Agent for Linux (Beta)

You can now enable and configure the ThreatSync+ NDR Collection Agent for Linux to collect logs from devices and provide real-time collector status. To learn more or to report an issue, go to the ThreatSync+ NDR Beta test community.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

Managed Security Service Provider (MSSP) Reports

You can now generate and schedule a Service Provider Summary Report for your managed accounts in WatchGuard Cloud. For more information, go to Schedule ThreatSync+ NDR Reports in Help Center.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • This release resolves a display issue with the Traffic page. [NDR-595]
  • Minor updates and bug fixes.

Enhancements

  • WatchGuard Cloud now deletes ThreatSync+ NDR data for an account when:
    • The ThreatSync+ NDR license expires
    • You deallocate the license to 0 users
    • You cancel an active ThreatSync+ NDR trial

A new message warns operators that the data will be deleted in seven days. After seven days, data is deleted and operators cannot access the ThreatSync+ NDR management UI. Deleted data cannot be restored.

For more information, go to FAQs for ThreatSync+ NDR Licensing. [NDR-433, NDR-434, NDR-435, NDR-645, NDR-647, NDR-648, NDR-649, NDR-650]

Resolved Issues

  • This release resolves a display issue with the Traffic page. [NDR-595]
  • Minor updates and bug fixes.

Resolved Issues

  • You can now control how much of your network ThreatSync+ NDR monitors. [NDR-476]
  • Minor updates and bug fixes. [NDR-889]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Traffic page now shows the Alert Severity Scale when specific anomaly types are selected with the Events Data Source. [NDR-666]

Resolved Issues

  • The ThreatSync+ NDR UI now shows Monitor and Configure pages as expected. [NDR-641]
  • Minor updates and bug fixes. [NDR-637, NDR-577, NDR-694]

Resolved Issues

  • Helpdesk operators now have the expected read-write permissions in ThreatSync+ NDR. [NDR-578]
  • The Activity by Source Device table now shows FireClusters as a device type. [NDR-366]
  • The Activity by Source Device table now shows data for all dates selected. [NDR-639]
  • Minor updates and bug fixes.

New Features

Initial release of ThreatSync+ NDR. For information about ThreatSync+ NDR, go to Introduction to ThreatSync+ NDR in Help Center.