Patch Management Best Practices

Applies To: WatchGuard Patch Management

We recommend you follow these best practices for WatchGuard Patch Management:

Verify that Patch Management Works Properly

To confirm that Patch Management works correctly, make sure that all computers on your network:

  • Have a Patch Management license allocated and Patch Management installed and running. To identify issues, use the Patch Management Status tile on the Patch Management Dashboard.
  • Can communicate with the WatchGuard server. To identify computers that might have connection problems, use the Time Since Last Check tile on the Patch Management Dashboard.
  • Have the Windows Update service running with automatic updates disabled. To disable automatic updates, select the Disable Windows Update on Computers option in the Patch Management Settings.

Install All Critical Patches Regularly

When software vendors discover flaws in their products, they publish updates and patches to fix the flaws. We recommend that you install critical patches at least once a month.

To see available patches, use the Available Patches list. Filter the list to identify critical patches or patches for specific computers. For more information, go to Review Available Patches.

If Patch Management cannot get a download URL to install a critical patch automatically, download the patch manually so you can install it. For more information, go to Download Patches Manually.

Isolate Computers with Unpatched Critical Known Vulnerabilities

For critical known vulnerabilities that represent an extremely serious threat, such as WannaCry ransomware, you might decide to isolate computers that have not yet received published patches that fix the vulnerability.

In these cases, you can use the Available Patches list to identify computers that have not received the critical patches. To isolate computers, select the check box in one or more rows, then in the toolbar, click Isolate Computer.

Caution: We do not recommend that you isolate unpatched computers except for very serious threats. WatchGuard Endpoint Security denies all communications to and from isolated computers except those required to perform remote forensic analysis and to use remediation tools. If a computer or server performs an important function for your business, such as a DNS server, make sure that you have contingency plans in place before you isolate it.

For more information, go to Isolate a Computer.

Make Sure Programs Installed on your Computers are Not End-of-Life

End-of-life programs do not receive patches or updates from the software vendor. To reduce the attack surface, replace any end-of-life programs installed on your computers.

To identify end-of-life programs, use the End-of-Life Programs list. For more information, go to Review End-of-Life Programs.

Check the Installation History

Use the Installation History list to review the status of patch installations and identify computers where installation errors occurred. For more information, go to View Installation History.

Check the Patch Status of Computers where Incidents Occurred

Patch Management correlates computers where incidents have been recorded with their patch status so that you can determine whether an infected computer or a computer where threats have been detected has available patches. When incidents occur on a computer, we recommend that you install any available patches on the computer.

When you install patches, the patches are downloaded from the software vendor. This could delay their application We recommend that you first isolate the computer that needs to be patched. This can minimize the risk of infection to other computers on the corporate network until the patch installation occurs.

To identify available patches, in the Security Dashboard, click a threat, select the affected computer, and then click View Available Patches. The Available Patches list opens and shows available patches for the computer. For more information, go to Review Available Patches.

You can also see an overview of available patches and end-of-life programs for a computer on the Computer Details page. For more information, go to Computer Details.

To find a computer where an incident was detected and install required patches:

  1. Select Status.
  2. In one of these widgets, click a computer or incident:
    • Threats Detected by the Antivirus
    • Malware Activity
    • PUP Activity
    • Exploit Activity
    • Currently Blocked Programs Being Classified.
      Information about the threat detected on the computer displays.
  3. In the Affected Computer section, click View Available Patches.
    The Available patches list opens, filtered by the selected computer.
  4. Select all available patches for the computer.
  5. From the action toolbar, click Install.
  6. Create a patch installation task. For more information, go to Patch Management Best Practices

Related Topics

About Patch Management