Configure the WatchGuard Endpoint Security Plug-in for N-able

After you use the onboarding application to install the plug-in, you must configure the plug-in for integration with N-able N-central. To configure the plug-in you must complete these steps:

To see what N-able N-central monitors after you complete your configuration, see Items Monitored by the Service.

Import WatchGuard Scripts

When you download the WatchGuard Endpoint Security plug-in for N-able N-central, the downloaded folder includes WatchGuard scripts. These scripts are necessary to perform actions in N-able N-central.

The scripts available to perform Windows actions are:

  • WatchGuard Endpoint Security – Install agent in Windows.amp
  • WatchGuard Endpoint Security – Scan Windows device.amp
  • WatchGuard Endpoint Security – Isolate Windows device.amp
  • WatchGuard Endpoint Security – Unisolate Windows device.amp
  • WatchGuard Endpoint Security – Uninstall agent in Windows.amp

The scripts available to perform macOS actions are:

  • WG-Install-Mac.sh (WatchGuard Endpoint Security – Install agent in mac)
  • WG-Scan-Mac.sh (WatchGuard Endpoint Security – Scan mac device)

To import WatchGuard scripts, from N-central:

  1. Select Configuration > Scheduled Tasks > Script/Software Repository.

Screen shot of N-Central Script Software Repository

  2. Click Add.
    A drop-down list opens.

Screen shot of N-Central, Script Software Repository, Add

  3. From the drop-down list, select Automation Policy to import scripts for Windows devices or select Mac Scripting to import scripts for macOS devices.
    The Add Script/Software Repository Item dialog box opens.

Screen shot of N-Central, Add Script Software Repository dialog box

  4. Click Browse and select the script you want to import.
  5. For Windows scripts, do not enter a Name or Description.
    For macOS scripts, you must enter a Name and Description.
  6. Click OK. In N-central, the scripts list now includes the imported script.
  7. Repeat this procedure for all Windows and macOS scripts.

Configure Service Monitoring

To monitor security (such as threats detected and security status incidents) in N-central, you must complete these steps:

Import the Service Template

When you download the WatchGuard Endpoint Security plug-in for N-able N-central, the downloaded folder includes the WatchGuard service template.

To import the service template, from N-central:

  1. Select Administration > Service Management > Service Templates.

Screen shot of N-Central, Service Templates

  2. Click Import.
    The Import Service Template page opens.

Screen shot of N-Central Import Service Template

  3. Click Browse and select the service template zip file (WatchGuard Endpoint Security – Monitor Windows device service template.zip) from the NableInt folder.
  4. Click Import Service Template.
    The Add Service Template page opens.

Screen shot of N-Central, Add Service Template

  5. (Optional) Edit the Name of the service template.
  6. In the Service Template Services section, in the Name column, click WatchGuard Endpoint Security – Monitor Windows device.
    The WatchGuard Endpoint Security – Monitor Windows Device dialog box opens.

Screen shot of N-Central, WatchGuard Endpoint Security – Monitor Windows device

  7. On the Details tab, in the Select or Enter Value column, from the drop-down lists, select these parameters:
    • WatchGuard Endpoint Security Integration API Key
    • WatchGuard Endpoint Security Integration Client Account ID
    • WatchGuard Endpoint Security Integration Service Provider Account ID

Screen shot of WatchGuard Endpoint Security – Monitor Windows device details

  8. Click Save.

Create a Rule

You must create a rule to use service monitoring on all existing computers and any computers that you add in the future.

To create a rule, in N-central:

  1. Select Configuration > Monitoring > Rules.
    The Rules page opens.

Screen shot of N-Central, Rules page

  2. Click Add.
    The Rule Details page opens.

Screen shot of N-Central, Rules details

  3. Enter a name and description for the rule.
  4. On the Devices to Target tab, in the Filters section, move these filters to the Selected Filters column:
    • Laptops - Windows
    • Servers - Windows
    • Workstations and Laptops - Windows

Screen shot of N-Central, Inelligible Filters

  5. Select the Monitoring Options tab.

Screen shot of N-Central, Monitoring Options

  6. In the Service Templates section, from the Service Templates column, select the service template you imported and move it to the Selected Service Templates column.
  7. Select the Grant Customers & Sites Access tab.

Screen shot of N-Central, Grant Customers & Sites Access tab

  8. In the Customers/Site section, select the customer/site where you want to monitor the service.
  9. Click Save.

Configure Notifications

As part of service monitoring in N-central, you can configure notifications for failures that occur for items monitored by the WatchGuard service.

To configure notifications, in N-central:

  1. Select Configuration > Monitoring > Notifications.
    The Notifications page opens.

Screen shot of N-Central, Notifications page

  2. Click Add Notification.
    The Add Notification page opens.

Screen shot of N-Central, Add Notifications page

  3. Enter a name for the notification.
  4. For the Profile Type, select Multiple Device, Single Service Notifications.
  5. Select the recipients who you want to receive the notification.
  6. Click Save And Continue.
    The Triggers Details page opens.

Screen shot of N-Central, Trigger Details page

  7. Click Add.
    The New Trigger Settings dialog box opens.

Screen shot of N-Central, New Trigger Settings

  8. Enter a name for the trigger.
  9. In the Step 1: Select Monitoring Service or Service Intakes, Services section, move WatchGuard Endpoint Security to the Selected Items column.
  10. In the Step 2: Apply the Notification Trigger to the Selected Devices, Rules section, move WatchGuard to the Selected Items column.

Screen shot of N-Central, New Trigger Settings

  11. Click OK.

Items Monitored by the Service

This table shows items that the WatchGuard Endpoint Security service monitors and the messages for failed and normal results:

| Monitored Item | Failed Result | Normal Result |
|---|---|---|
| Indicators of attack* | One or more indicators of attack detected. | No indicators of attack detected. |
| PUP execution* | One or more PUP executions detected. | No PUP executions detected. |
| Malware execution* | One or more malware executions detected. | No malware executions detected. |
| Pending restart | There is a pending restart. | There is no pending restart. |
| WatchGuard Agent installation | WatchGuard Agent installation not successful. | WatchGuard Agent installation successful. |
| WatchGuard license validation | There is no valid WatchGuard license assigned. | A valid WatchGuard license is assigned. |
| Protection status | Protection status is not correct. | Protection status is correct. |
| Threat detection** | One or more threats detected. | No threats detected. |

* The WatchGuard Endpoint Security service monitors for indicators of attack, PUP executions, and malware executions in the previous seven days.

** Threat detection includes WatchGuard Endpoint Security monitoring for the previous seven days and includes:

  • Malware detected
  • PUP detected
  • Programs blocked
  • Exploit
  • Virus
  • Spyware
  • Hacking tool
  • Phishing
  • Intrusion attempts blocked
  • Malware URLs blocked
  • Devices blocked

If WatchGuard Endpoint Security detects a threat, the Value column of the Status Details page in Service Monitoring shows details of the detections in JSON format that you can copy. For example:

{
  "malwares": [
    {
      "eventDateTime": "2022-04-11T14:16:11.036",
      "hostName": "WIN-LAPTOP-1",
      "path": "C:\\Documents\\AAABC_d61266bfH.zip"
    }
  ],
  "puPs": [
    {
      "eventDateTime": "2022-04-11T11:01:12.52",
      "hostName": "WIN-LAPTOP-1",
      "itemName": "HackingTool/VulnerabilityScanner",
      "path": "SYSTEMDRIVE|\\Users\\administrator\\Downloads\\vulnerabilityscanner.exe"
    },
    {
      "eventDateTime": "2022-04-11T08:23:52",
      "hostName": "WIN-LAPTOP-1",
      "itemName": "Trj/WLT.C",
      "path": "TEMP|\\62b2153392561255386e5f059c216110"
    }
  ],
  "ioAs": [
    {
      "eventDateTime": "2022-04-07T00:33:05",
      "hostName": "WIN-LAPTOP-1",
      "ruleName": "Use of pipes to escalate privileges",
      "ruleRisk": "Critical",
      "action": "Undefined"
    },
    {
      "eventDateTime": "2022-04-09T00:20:20.001",
      "hostName": "WIN-LAPTOP-1",
      "ruleName": "Credentials compromised after brute-force attack on RDP",
      "ruleRisk": "Critical",
      "action": "Attack Blocked"
    },
    {
      "eventDateTime": "2022-04-09T00:20:20",
      "hostName": "WIN-LAPTOP-1",
      "ruleName": "In-memory execution of a remote script",
      "ruleRisk": "Critical",
      "action": "Undefined"
    },
    {
      "eventDateTime": "2022-03-26T00:31:16.001",
      "hostName": "WIN-LAPTOP-1",
      "ruleName": "Credentials compromised after brute-force attack on RDP",
      "ruleRisk": "Critical",
      "action": "Attack Blocked"
    },
    {
      "eventDateTime": "2022-04-11T00:33:38",
      "hostName": "WIN-LAPTOP-1",
      "ruleName": "Privilege escalation bypassing UAC",
      "ruleRisk": "Critical",
      "action": "Undefined"
    }
  ]
}
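The following is an added example, not WatchGuard or N-able code. It parses a JSON value copied from the Status Details page into one newest-first list and picks out the indicators of attack to look at first. The function names are hypothetical, the sample is abridged from the example above, and treating any action other than "Attack Blocked" as unresolved is an assumption.

```python
import json
from datetime import datetime

# Abridged from the example payload above; treat as sample data.
SAMPLE = r'''
{"malwares": [{"eventDateTime": "2022-04-11T14:16:11.036", "hostName": "WIN-LAPTOP-1",
               "path": "C:\\Documents\\AAABC_d61266bfH.zip"}],
 "puPs": [{"eventDateTime": "2022-04-11T11:01:12.52", "hostName": "WIN-LAPTOP-1",
           "itemName": "HackingTool/VulnerabilityScanner",
           "path": "SYSTEMDRIVE|\\Users\\administrator\\Downloads\\vulnerabilityscanner.exe"}],
 "ioAs": [{"eventDateTime": "2022-04-07T00:33:05", "hostName": "WIN-LAPTOP-1",
           "ruleName": "Use of pipes to escalate privileges",
           "ruleRisk": "Critical", "action": "Undefined"},
          {"eventDateTime": "2022-04-09T00:20:20.001", "hostName": "WIN-LAPTOP-1",
           "ruleName": "Credentials compromised after brute-force attack on RDP",
           "ruleRisk": "Critical", "action": "Attack Blocked"},
          {"eventDateTime": "2022-04-11T00:33:38", "hostName": "WIN-LAPTOP-1",
           "ruleName": "Privilege escalation bypassing UAC",
           "ruleRisk": "Critical", "action": "Undefined"}]}
'''

# Top-level keys as they appear in the example payload.
KINDS = {"malwares": "malware", "puPs": "PUP", "ioAs": "IOA"}

def parse_ts(value):
    # The example timestamps carry 0, 2 or 3 fractional digits. Pad to microseconds
    # by hand: datetime.fromisoformat rejects 2 digits before Python 3.11.
    head, _, frac = value.partition(".")
    ts = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return ts.replace(microsecond=int(frac.ljust(6, "0")[:6]) if frac else 0)

def flatten(value_json):
    doc = json.loads(value_json)
    events = []
    for key, kind in KINDS.items():
        for item in doc.get(key) or []:
            name = item.get("ruleName") or item.get("itemName") or item.get("path", "")
            events.append({"time": parse_ts(item["eventDateTime"]), "kind": kind,
                           "host": item.get("hostName", ""), "what": name,
                           "risk": item.get("ruleRisk", ""), "action": item.get("action", "")})
    return sorted(events, key=lambda e: e["time"], reverse=True)

def needs_review(events):
    # Assumption: an IOA whose action is not "Attack Blocked" was not stopped.
    return [e for e in events if e["kind"] == "IOA" and e["action"] != "Attack Blocked"]

if __name__ == "__main__":
    for e in needs_review(flatten(SAMPLE)):
        print(e["time"].isoformat(), e["host"], e["risk"], e["what"])
```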
