Configure Network Access Enforcement in WatchGuard Endpoint Security

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

With network access enforcement, endpoints that try to connect to a Firebox VPN or an access point Wi-Fi network must meet specified security requirements.

Before You Begin

Before you begin, make sure to meet these requirements:

  • Fireboxes require Fireware v12.9 or higher.
  • Access points require firmware version v2.1 or higher.
  • Network access enforcement on the Firebox or access point SSID must be enabled.
  • Devices you want to enable network access enforcement for must run:
    • Windows 8.1 or higher
    • macOS High Sierra 10.15 or higher
    • Android 6 or higher

With Android, unlike Windows or macOS, the Firebox console user cannot select the operating system version. On devices that run Android 6.0 or higher, Network Access Enforcement is enabled after the device receives the relevant settings from the Aether servers.

  • Network access enforcement on access points does not support iOS and Linux devices.
    • Network access enforcement is not compatible with Linux. If you enable this feature, Linux computers or computers with operating system versions lower than Windows 8.1 or macOS High Sierra 10.13 cannot connect to a Firebox VPN or an access point Wi-Fi network when network access enforcement is enabled.
  • Computers you want to enable network access enforcement for must have WatchGuard Endpoint Security installed and running with Advanced Protection in hardening or lock mode, or antivirus enabled and running. (EDR Core must have Advanced Protection enabled.)
  • The WatchGuard Agent installed on the computer must be able to communicate with the Firebox or access point over TCP port 33000.
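The last requirement is the one most often missed when an endpoint is unexpectedly denied a VPN or Wi-Fi connection: an intermediate firewall or ACL drops traffic to TCP port 33000, so the agent never completes the enforcement exchange. The following pre-flight check is an added example, not WatchGuard's own tooling; it only confirms that a TCP handshake to the Firebox or access point completes from the endpoint, and the address used in `main` is a placeholder you must replace.

```python
import socket
from contextlib import closing

# TCP port the WatchGuard Agent uses to reach the Firebox or access point
# (stated in the requirements above).
ENFORCEMENT_PORT = 33000


def tcp_port_reachable(host: str, port: int = ENFORCEMENT_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within `timeout` seconds.

    A True result proves only that the transport path is open (nothing in between
    drops or rejects the SYN); it does not validate the UUID / authentication key
    configured on either side.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except (OSError, socket.timeout):
        # Connection refused, unreachable network, or no answer before the deadline.
        return False


def find_unreachable(hosts, port: int = ENFORCEMENT_PORT, timeout: float = 3.0):
    """Return the subset of `hosts` whose enforcement port could not be reached."""
    return [h for h in hosts if not tcp_port_reachable(h, port, timeout)]


if __name__ == "__main__":
    # Placeholder address (documentation range); replace with your Firebox or
    # access point management IP before running on a real endpoint.
    targets = ["192.0.2.1"]
    for host in targets:
        state = "reachable" if tcp_port_reachable(host) else "NOT reachable"
        print(f"{host}:{ENFORCEMENT_PORT} {state}")
```

Run it from the endpoint that is being refused, not from an administrator workstation, because the path that matters is the agent's own. A False result on a network where enforcement is otherwise configured correctly points at a host firewall, VLAN ACL, or captive-portal rule between the client and port 33000.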

Random UUID and Authentication Key Generation

The Firebox or access point uses a UUID and authentication key to validate VPN or Wi-Fi network connections. For cloud-managed access points and Fireboxes, this UUID is in Administration > My Account in WatchGuard Cloud. If you have not configured a UUID on a local-managed Firebox, you must generate one. You can use a random UUID and authentication key. Specify the same UUID-authentication key pair on the Firebox and in the Endpoint Security management UI.

UUID is an open format. To generate a random UUID, there are free tools available from vendors such as Microsoft or https://www.uuidgenerator.net/.

Use a long authentication key that includes uppercase, numeric, and special characters.
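The two values above must be typed identically on the Firebox and in the Endpoint Security management UI, so it helps to generate them once from a CSPRNG and validate them before copying. The following is an added example, not WatchGuard's code or a WatchGuard tool; the minimum key length of 32 characters and the set of special characters are assumptions, since the page says only "long" and does not list which special characters the UI accepts.

```python
import secrets
import string
import uuid

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed set of special characters; the page does not specify which ones are accepted.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
MIN_KEY_LENGTH = 32  # assumed interpretation of "long"


def generate_uuid() -> str:
    """Random (version 4) UUID in the canonical lower-case 8-4-4-4-12 form."""
    return str(uuid.uuid4())


def is_canonical_uuid(value: str) -> bool:
    """True only for the hyphenated 36-character form, which is what you paste into the UI.

    uuid.UUID() also accepts braces, URN prefixes and bare hex, so the round-trip
    comparison rejects those variants even though they are technically the same UUID.
    """
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def key_meets_requirements(key: str, min_length: int = MIN_KEY_LENGTH) -> bool:
    """Check the page's stated requirements: long, with uppercase, numeric and special characters."""
    return (
        len(key) >= min_length
        and any(c in UPPER for c in key)
        and any(c in DIGITS for c in key)
        and any(c in SPECIAL for c in key)
    )


def generate_auth_key(length: int = MIN_KEY_LENGTH) -> str:
    """Draw a key from the OS CSPRNG and resample until every required class is present."""
    if length < 3:
        raise ValueError("length must allow at least one uppercase, digit and special character")
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if key_meets_requirements(key, length):
            return key


def same_pair(firebox: tuple, endpoint_ui: tuple) -> bool:
    """Confirm the (UUID, key) pair copied into both consoles matches exactly (key is case-sensitive)."""
    fb_uuid, fb_key = firebox
    ep_uuid, ep_key = endpoint_ui
    return fb_uuid.lower() == ep_uuid.lower() and secrets.compare_digest(fb_key, ep_key)


if __name__ == "__main__":
    account_uuid = generate_uuid()
    auth_key = generate_auth_key()
    print("Account UUID:      ", account_uuid)
    print("Authentication Key:", auth_key)
```

Store the generated key in your password manager rather than in a ticket or chat message, because anyone holding the UUID and key pair can stand up an endpoint that the Firebox will treat as compliant.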

Configure Network Access Enforcement

You must enable network access enforcement on the Firebox before you enable enforcement in the Endpoint Security management UI. For more information, go to Network Access Enforcement Overview.

To configure network access enforcement:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Network Services.

Screen shot of Network Services, Network Access Enforcement tab

  4. Click Network Access Enforcement.
  5. Click the Enable Network Access Enforcement toggle to enable it.

Screen shot of Network Services, Network Access Enforcement enabled

  6. In the Account UUID text box, type the UUID for the Firebox or access point.
    This information is available in the local-managed Firebox configuration. For cloud-managed Fireboxes and access points, the UUID and Authentication Key are available on the Administration > My Account page in WatchGuard Cloud.
  7. In the Authentication Key text box, type the authentication key.
    This information is available in the local-managed Firebox configuration. For cloud-managed Fireboxes and access points, the UUID and Authentication Key are available on the Administration > My Account page in WatchGuard Cloud.
  8. Click Save Changes.
    All computers must comply with the security requirements to connect to VPN or a Wi-Fi network.

Related Topics

Configure Network Services

Configure Network Settings

Network Access Enforcement Overview