Create an Image for Linux Persistent and Non-Persistent Environments
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
Before You Begin
Virtual environments are complex and varied. This topic describes step-by-step instructions to install WatchGuard Endpoint Security in persistent and non-persistent Virtual Desktop Infrastructure (VDI) environments. Virtual computers or instances require that you follow a specific procedure to make sure that the images or templates used in virtual environments are up-to-date, optimized, and do not have a previously-assigned machine ID. This makes sure that when the virtual computer starts, it is uniquely registered in the Endpoint Security management UI.
In some unique environments, you might have to follow the recommendations provided by the virtualization vendor to adapt these general instructions to your needs.
This installation procedure requires that you prepare a template (for persistent environments) or a gold image (for non-persistent environments) to deploy later to virtual computers on the network. It is important to follow this procedure closely to make sure that:
- The engine and signature file (knowledge) update.
- Resource and bandwidth consumption is optimized in non-persistent environments.
- Virtual instances are uniquely identified.
Prerequisites
- In persistent environments, computers must have fixed MAC addresses.
- The computer used to generate the template or gold image must have an Internet connection.
- You must be able to download one of these tools:
  - Endpoint Agent Tool for Linux NO DEPS (without dependencies)
- The tool must be run as root.
Compatible Systems
Generally, this procedure works for these types of virtual machines:
- VMware Workstation
- VMware Server
- VMware ESX
- VMware ESXi
- Citrix XenDesktop
- XenApp
- XenServer
- Microsoft Virtual Desktop
- Microsoft Virtual Servers
Install the Protection in Persistent Environments
Caution: It is important that you carefully follow each step in this procedure. After you complete the procedure, you must verify that all cloned devices display in the Endpoint Security management UI. Devices cloned incorrectly can affect the visibility of monitored actions, impact the reliability of the Advanced Protection, and compromise the security of your network. If you see only a single device in the management UI, you must repeat the process, rebuild the gold image, and deploy it again to the affected endpoints as soon as possible.
- Install or update the operating system with the user applications.
- From the management UI, create a Virtual Machines group for new settings profiles.
- For the Virtual Machines group:
- On the Settings tab, select Per-Computer Settings and create a settings profile for future image updates.
- Make sure automatic updates of the protection engine are enabled.
- Assign these settings to the Virtual Machines group.
- Select Settings > Workstations and Servers. Create a settings profile for future image updates.
- In the General > Updates section, make sure the Automatic Knowledge Updates toggle for signature files is enabled.
- Assign these settings to the Virtual Machines group.
- Install the Endpoint Agent and protection software on the Virtual Machines group.
- On the Computers tab, select the Virtual Machines group.
- To download the installer, click Add Computers.
- Install the Endpoint Agent on the template device. The protection software is automatically installed, configured, and updated. After installation is complete, the computer appears on the list of protected computers in the management UI, with a green icon. The protection software and knowledge (signature files) are up to date.
- Download the Endpoint Agent Tool for Linux or the Endpoint Agent Tool for Linux NO DEPS and extract it to the template device.
- Open the EndpointAgentTool folder and open the file for your operating system.
- Run this command to restart counters and detections and to update settings and server tasks:
sudo ./EndpointAgentTool -d -c -cmd
- If the computer is protected with anti-tamper protection, include the password after the atp parameter:
sudo ./EndpointAgentTool -pei -atp:antitamperpassword
Note: For the NO DEPS tool, you must copy the EndpointAgentTool file to /usr/local/management-agent/bin/.
- Important: Disable the Endpoint Agent service so that the service does not start automatically before the name of the virtual instance changes.
Caution: This step is critical to make sure that each virtual machine is uniquely identified in the management UI.
- Open the virtual environment management tool and generate the template. For more information, refer to your vendor documentation.
After you create the template, you can modify the type of WatchGuard Agent service startup with scripts or other tools.
Install the Protection in Non-Persistent VDI Environments
The procedure to manage non-persistent VDI environments includes three phases.
Before you generate a gold image, you must prepare the computer you will create the image from.
- Install or update the operating system with the user applications.
- From the management UI, create one group to host the gold image (Gold or Template Image Group), and another group to host the virtual machines (Virtual Machines Group).
- For the Gold or Template Image group:
- On the Settings tab, select Per-Computer Settings and create a settings profile for future image updates.
- Make sure to enable automatic updates of the protection software.
- Select the automatic restart option to make sure the computer updates.
- Assign these settings to the Gold or Template Image group.
- Select Settings > Workstations and Servers and create a settings profile for future image updates.
- In the General > Updates section, make sure automatic knowledge updates (signature files) are enabled.
- Assign these settings to the Gold or Template Image group.
- For the Virtual Machines group:
- Create a per-computer settings profile that has updates disabled, and assign it to the Virtual Machines group.
- Create a workstations and servers settings profile and, in the Security section, disable automatic knowledge updates.
- Assign the settings profile to the Virtual Machines group.
- Install the Endpoint Agent and protection software on the Virtual Machines group to generate the gold image.
- On the Computers tab, select the Virtual Machines group and click Add Computers to download the installer.
- Install the Endpoint Agent on the computer used to create the gold image. The protection software is automatically installed and configured. After the installation is complete, the computer appears in the list of protected computers in the management UI.
- Download the Endpoint Agent Tool for Linux or Endpoint Agent Tool for Linux NO DEPS and extract it on the computer with the gold image.
Virtual instances are based on the updated gold image. To optimize the VDI server resources and reduce bandwidth usage, disable updates.
- Open the EndpointAgentTool folder.
Note: If it is the NO DEPS version, you must copy the EndpointAgentTool file to /usr/local/management-agent/bin/.
- Run this command to send counters and detections, and to update settings and tasks on the server:
sudo ./EndpointAgentTool -d -c -cmd
- Important: If the computer is protected with anti-tamper protection, include the password after the atp parameter:
sudo ./EndpointAgentTool -pei -gi -atp:antitamperpassword
Caution: This step is critical to make sure that each virtual computer is uniquely identified in the management UI.
After you create the template, you can modify the type of WatchGuard Agent service startup with scripts or other tools.
You must update the Endpoint Agent, the protection software, and signature files in the gold image frequently (at least once a month). These updates are essential to make sure that there is maximum protection against new attack techniques developed by hackers.
To update the gold image:
- Start the computer where the gold image is installed.
- Open Windows Services and make sure that the Endpoint Agent Type of Start is Automatic and the Service Status is Running.
- From the management UI, move the computer with the gold image to the Gold or Template Image group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
- Download the Endpoint Agent Tool for Linux or Endpoint Agent Tool for Linux NO DEPS and extract it to the computer with the gold image.
- Open the EndpointAgentTool folder.
Note: If it is the NO DEPS version, you must copy the EndpointAgentTool file to /usr/local/management-agent/bin/.
- Run this command to update the Endpoint Agent and protection software if new versions are available:
sudo ./EndpointAgentTool -su
- Run this command to update protection signatures:
sudo ./EndpointAgentTool -ku
- Run this command to send counters and detections, and to update settings and tasks on the server:
sudo ./EndpointAgentTool -d -c -cmd
- If the computer is protected with anti-tamper protection, include the password after the atp parameter:
/usr/local/management-agent/bin/EndpointAgentTool -pei -gi -atp:antitamperpassword
- Important: Disable the Endpoint Agent service so it does not restart automatically before the name of the virtual instance changes.
Caution: This step is critical to make sure that each virtual instance is uniquely identified in the Endpoint Security management UI.
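The gold-image update steps above as a single script, added here as an example and not WatchGuard's own code: it runs the page's commands in order, stops at the first failed step, and masks the anti-tamper password in its log output. `EAT_BIN`, `DRY_RUN`, `ATP_PASSWORD` and the function names are assumptions; the tool flags and the tool path are the ones given on this page.

```sh
#!/bin/sh
# Added example: the gold-image update sequence from this page, run in order.
# Hypothetical names: EAT_BIN, DRY_RUN, ATP_PASSWORD, mask_args, run_step,
# update_gold_image. Only the tool flags and the path come from the page.
set -eu

# Path the page gives for the NO DEPS copy; use EAT_BIN=./EndpointAgentTool otherwise.
EAT_BIN="${EAT_BIN:-/usr/local/management-agent/bin/EndpointAgentTool}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the arguments with any -atp:<password> value hidden, for safe logging.
mask_args() {
  out=""
  for a in "$@"; do
    case "$a" in -atp:*) a="-atp:********" ;; esac
    out="$out${out:+ }$a"
  done
  printf '%s\n' "$out"
}

# Log one tool invocation (password masked) and run it unless in dry-run mode.
run_step() {
  printf '+ %s %s\n' "$EAT_BIN" "$(mask_args "$@")"
  if [ "$DRY_RUN" = 0 ]; then "$EAT_BIN" "$@"; fi
}

# $1 = anti-tamper password, empty if none. Stops at the first failed step so
# an image is never finalized after an update that did not complete.
update_gold_image() {
  run_step -su || return 1          # update Endpoint Agent and protection software
  run_step -ku || return 1          # update protection signatures
  run_step -d -c -cmd || return 1   # send counters/detections, update settings and tasks
  # The page shows this command only in its anti-tamper form.
  if [ -n "${1:-}" ]; then run_step -pei -gi "-atp:$1" || return 1; fi
  echo "next: disable the Endpoint Agent service, then generate the image"
}

# Executes only when invoked with the argument "run"; the anti-tamper
# password is taken from ATP_PASSWORD in the environment, not from the script.
if [ "${1:-}" = run ]; then
  if [ "$DRY_RUN" = 0 ] && [ "$(id -u)" -ne 0 ]; then
    echo "the tool must be run as root" >&2; exit 1
  fi
  update_gold_image "${ATP_PASSWORD:-}"
fi
```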
Verify Computers in the Management UI
To confirm that you followed the procedure correctly, verify that the computers display in the Endpoint Security management UI.
Caution: If you see a single device, you must remove the device from the Computers list and start the procedure from scratch, that is, rebuild the gold image and deploy it again to the affected endpoints.
Persistent Computers
To verify persistent computers, from the management UI:
- Select Computers.
- Confirm that the cloned devices display in the list.
Non-Persistent Computers
WatchGuard Endpoint Security uses the FQDN (Fully Qualified Domain Name) to identify computers with IDs that have been deleted with the Endpoint Agent Tool and that are marked as gold image.
To verify non-persistent VDI computers, from the management UI:
- Select Settings.
- From the left pane, select Computer Maintenance.
- In the VDI Environments section, click Show non-persistent computers.
The computers list displays with the non-persistent computers.
- Confirm that the devices are in the list.
License Management
After you delete the agent ID and disable the Is a Gold Image option, when a new computer starts, the system calculates its machine ID and determines whether the computer is a new computer or an existing one, based on the selected environment.
Non-Persistent Environments
If the maximum number of computers that are active simultaneously for non-persistent images is set, the server manages licenses automatically, provided there are available licenses and the number of concurrent machines is not exceeded.
Persistent Environments
If there are multiple computers that you no longer use, delete them from the database to free up licenses just as you would do with physical computers. You can delete all computers, or select an individual computer to delete.