Configure Collectors for ThreatSync+ NDR (Windows Computers)

Applies To: ThreatSync+ NDR

To gain visibility into your network, you can monitor IP traffic across all the devices in your network.

Cloud-managed and locally-managed Fireboxes with cloud reporting that run Fireware v12.10.3 and higher automatically send network traffic data to WatchGuard Cloud and ThreatSync+ NDR. This data feed provides the information required for ThreatSync+ NDR to identify and detect potential threats and suspicious activities, such as lateral movements, DNS tunnels, fast and slow scans, and data exfiltration.

For locally-managed Fireboxes with cloud reporting, you must enable the Firebox to send log messages for reports in each policy. For more information, go to Set Logging and Notification Preferences.

For Fireboxes that run lower versions of Fireware or third-party firewalls or switches, you can use on-premise Windows-based collection devices called collectors to monitor network traffic. Collectors take data feeds such as NetFlow, sFlow, or Windows DHCP server logs directly from third-party switches and firewalls, and forward them through a secure connection to WatchGuard Cloud. These data feeds include information on the traffic that flows through the switch or firewall to network devices.

To install and configure collectors on Windows computers and servers, you must first Install the WatchGuard Agent and then Configure Collectors for ThreatSync+ NDR.

Figure of collector architecture in ThreatSync+ NDR

About Windows Collection Agents for ThreatSync+ NDR

The ThreatSync+ NDR Collection Agent receives log data from switches and routers in your network and sends the data to WatchGuard Cloud.

The ThreatSync+ NDR Collection Agent listens on:

  • Port 2055 for NetFlow log data from endpoints.
  • Port 6343 for sFlow log data from endpoints.
  • Port 514 for DHCP log data from the Windows Log Agent.

You can install the ThreatSync+ NDR Collection Agent on Windows computers that run Windows 10, Windows 11, or Windows Server 2022.

The Windows Log Agent is a collection agent that reads Windows DHCP server logs and then forwards them to the ThreatSync+ NDR Collection Agent. The ThreatSync+ NDR Collection Agent then forwards the DHCP logs to WatchGuard Cloud.

You can install the Windows Log Agent on Windows Server 2019 or 2022. Some of these servers could also be domain controllers.

To keep track of devices when they change their IP address, we recommend that you use the Windows Log Agent to collect Active Directory DHCP logs. Add and configure the Windows Log Agent on all DHCP servers.

For detailed information about supported operating systems and virtualization environments, go to System Requirements.

Install the WatchGuard Agent

The installation of the WatchGuard Agent and the ThreatSync+ NDR Collection Agent or Windows Log Agent is a two-step process.

To add and configure a collector, you must first download the WatchGuard Agent installer and run the installation wizard on each Windows computer you want to configure as a collector. When you install the WatchGuard Agent, it then installs the ThreatSync+ NDR Collection Agent or Windows Log Agent. Use the ThreatSync management UI to specify which Windows computers or servers to use as collectors.

Caution: You cannot install the ThreatSync+ NDR Collection Agent on endpoints that have Panda or Cytomic endpoint security products installed. The ThreatSync+ NDR Collection Agent is only compatible with WatchGuard Endpoint Security products.

Before You Begin

Before you download the WatchGuard Agent, make sure that:

  • The computer you want to install the agent on has antivirus software installed.
  • You have Administrator permissions and are logged in to the Windows computer where you want to install the WatchGuard Agent.

System Requirements

Make sure that virtualization is enabled in the BIOS and that Virtualization-Based Security (VBS) is enabled for virtual environment hosts.

For more information, go to:

If you run the collector on Hyper-V, Nested Virtualization must be enabled. For more information, go to Nested Virtualization and Run Hyper-V in a Virtual Machine with Nested Virtualization.

To avoid Nested Virtualization, we recommend that you run the collector on a dedicated physical device instead of a virtual device.

For ThreatSync+ NDR, Windows computers and servers must meet these requirements:

  • ThreatSync+ NDR Collection Agent — Windows 10, Windows 11, or Windows 2022 with two CPUs and a minimum of 8 GB RAM and 150 GB of disk space. For networks with a NetFlow rate greater than 500,000 per minute, more CPUs, RAM, and disk space are required.
  • Windows Log Agent — Windows Server 2019 or Windows Server 2022.

The Windows installer is compatible with computers with an x86 or ARM processor.

For more information about supported operating systems and virtualization environments, go to the Troubleshoot Collector Issues section in this document, or the Operating System Compatibility for ThreatSync+ NDR Components in the ThreatSync+ NDR Release Notes.

Install the Agent

Install the WatchGuard Agent on each Windows computer you want to configure as a collector. Typically, you only have to install the ThreatSync+ NDR Collection Agent on one computer for each physical location in your network.

We recommend that you install the agent on a dedicated computer with a unique administrator account so that the administrator can always be logged in. If the administrator account that installed the agent is not logged in, the collector does not run.

We recommend that you add and configure the Windows Log Agent on all DHCP servers.

To install the WatchGuard Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select Collectors.
  5. Click Download WatchGuard Agent.
    The Windows WatchGuard_Agent.msi file downloads.
  6. Copy the .MSI file to the Windows computer or server you want to receive logs from.
  7. Double-click the WatchGuard_Agent.msi file and complete the steps in the wizard.
    A progress bar shows during the installation process. The agent opens an Ubuntu console window during installation. You should not close this window. The Windows computer or server will restart to complete installation.

Configure Collectors for ThreatSync+ NDR

To collect Active Directory DHCP logs, you must add and configure both types of collection agents in your network — first the ThreatSync+ NDR Collection Agent, and then the Windows Log Agent.

Screenshot of Configure > ThreatSync, ThreatSync+ NDR Collection Agents page

Add a ThreatSync+ NDR Collection Agent

Typically only one ThreatSync+ NDR Collection Agent is required for each physical location in your network. To collect DHCP data logs, you must add the ThreatSync+ NDR Collection Agent on a Windows computer with a static IP address.

To add a ThreatSync+ NDR Collection Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select ThreatSync+ NDR > Collectors.
  5. On the ThreatSync+ NDR Collection Agents tab, click Add Collector.

Screen shot of Configure > ThreatSync, Add ThreatSync+ NDR Collection Agents dialog box

  6. From the Host drop-down list, select the Windows computer that you want to use as a ThreatSync+ NDR Collection Agent.
    This list includes all Windows computers with the WatchGuard Agent installed. To refresh the list of available computers and servers, click the refresh icon.
  7. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page.
  8. On your host computer, click OK when the Permissions Required dialog box opens.
    It might take some time for the Permissions Required dialog box to appear on the host computer.

Screenshot of the Permissions Required dialog box that appears on the host computer.

Add a Windows Log Agent Collector

Add and configure the Windows Log Agent on all DHCP servers in your network.

Screen shot of Configure > ThreatSync, Windows Log Agents page

After you add a server as a Windows Log Agent collector, make sure to configure your managed switches to send NetFlow data to the collector. For more information, go to the product documentation available with the switch.

To add a Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select ThreatSync+ NDR > Collectors.
  5. On the Windows Log Agent tab, click Add Collector.

Screen shot of Configure > ThreatSync, Add Windows Log Agent dialog box

  6. From the Host drop-down list, select the Windows computer that you want to use as a Windows Log Agent.
    This list includes all Windows servers with the WatchGuard Agent installed. To refresh the list of available computers and servers, click the refresh icon.
  7. In the ThreatSync+ NDR Collection Agent IP Address text box, enter the IP address of the Windows computer you configured the ThreatSync+ NDR Collection Agent for.
    You can see the IP address on the ThreatSync+ NDR Collection Agents tab.
  8. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page. For more information, go to About the ThreatSync+ NDR Summary Page.

If you experience a power outage on the computer the agents are installed on, or if the computer reboots after updates are installed, make sure you restart the computer.

Troubleshoot Collector Issues

If you do not see reported traffic information on the Network Summary page within 60 to 90 minutes, you can use the information in this section to troubleshoot collector issues.

Troubleshoot ThreatSync+ NDR Collection Agent Issues

To troubleshoot ThreatSync+ NDR Collection Agent issues:

  • Make sure that the Windows computer meets the requirements described in the System Requirements section.
  • Make sure that the administrator account that installed the WatchGuard Agent is logged in to the Windows computer where the ThreatSync+ NDR Collection Agent is installed. We recommend that you create a dedicated installation administrator account. The installation administrator must always be logged in.
  • During the installation process, the WatchGuard Agent opens an Ubuntu console window. Do not close this window. Use the wsl -l PowerShell command to confirm that the WatchGuard Agent was successfully installed.
  • Use the netstat -l PowerShell command to confirm that the computer is able to listen on these ports:
    • Port 2055 — NetFlow log data from endpoints
    • Port 6343 — sFlow log data from endpoints
    • Port 514 — DHCP log data from the Windows Log Agent
  • Make sure that there is no firewall rule that blocks traffic on these ports: 2055, 6343, and 514. For a cloud-managed Firebox, remove the blocked port 514 on the Configure > Devices > Device Configuration > Network Blocking page in WatchGuard Cloud. For information on how to remove a blocked port for locally-managed Fireboxes, go to Block a Port in Fireware Help.
  • Make sure that virtualization is enabled in the BIOS. These virtualization environments are verified for the ThreatSync+ NDR Collection Agent:
    • Hyper-V: Windows 10, Windows 11
    • VMware ESXi 6.7: Windows 10, Windows 11
    • VMware ESXi 7.0.3: Windows 10, Windows 11, Windows Server 2022*
    • VMware ESXi 8.0: Windows 10, Windows 11, Windows Server 2022
    • KVM Hypervisor QEMU 9.0.0: Windows 11, Windows Server 2022

    *Windows Server 2022, build 20.348.2527

  • On the Configure > ThreatSync > ThreatSync+ NDR > Collectors page, review the Status column in the collectors table. Click the status for more information:
    • Success — The collector is installed and receiving network data.
    • No Information — Could not report the status of the collector.
    • Offline — The collector is offline.
    • Error — The collector encountered an error.
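The listener and firewall checks in the list above, gathered into one script. This is an added example, not WatchGuard's code or documentation; it assumes the collector's UDP listeners are visible on the Windows host (for a WSL-based agent the owning process may be a relay rather than the collector) and checks only the host's Windows Firewall, not the Firebox blocked-ports list.

```powershell
# Added troubleshooting example; not part of WatchGuard's documentation or the agent itself.
# Run in an elevated PowerShell prompt on the Windows host of the ThreatSync+ NDR Collection Agent.
# Assumption: the collector's UDP listeners are exposed on the Windows host (for a WSL-based
# agent the owning process may be a relay such as wslrelay.exe rather than the collector).

$CollectorPorts = [ordered]@{
    2055 = 'NetFlow log data from switches and firewalls'
    6343 = 'sFlow log data from switches and firewalls'
    514  = 'DHCP log data from the Windows Log Agent'
}

# 1. The WatchGuard Agent installs an Ubuntu console via WSL; no registered distribution
#    means the installation did not complete (the documented check is 'wsl -l').
$distros = @(& wsl.exe -l -q 2>$null | Where-Object { $_ -and $_.Trim() })
if ($distros.Count -eq 0) {
    Write-Warning 'No WSL distribution is registered; the WatchGuard Agent install may not have completed.'
} else {
    Write-Output "WSL distributions: $($distros -join ', ')"
}

# 2. UDP listeners on the collector ports (NetFlow, sFlow and syslog all arrive over UDP)
foreach ($port in $CollectorPorts.Keys) {
    $endpoints = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    if ($endpoints) {
        $owners = $endpoints | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique
        Write-Output ("UDP {0,-5} listening ({1}); owner: {2}" -f $port, $CollectorPorts[$port], ($owners -join ', '))
    } else {
        Write-Warning ("UDP {0} is not listening ({1})" -f $port, $CollectorPorts[$port])
    }
}

# 3. Enabled inbound Windows Firewall rules that block any collector port. This inspects the
#    host firewall only; a blocked port on the Firebox is cleared in WatchGuard Cloud or Fireware.
$portStrings = $CollectorPorts.Keys | ForEach-Object { "$_" }
$blocking = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { @($_.LocalPort | Where-Object { $_ -in $portStrings }).Count -gt 0 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
if ($blocking) {
    $blocking | Select-Object DisplayName, Profile, Enabled, Action | Format-Table -AutoSize
} else {
    Write-Output 'No enabled inbound firewall rule blocks UDP 2055, 6343 or 514.'
}
```

A rule whose Protocol is Any rather than UDP is not matched by the filter in step 3; review such rules by hand if a port still shows as not listening.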

Troubleshoot Windows Log Agent Issues

To troubleshoot Windows Log Agent issues:

  • In Control Panel in Windows, confirm that the Windows Log Agent is installed.
  • Make sure that the Windows computer meets the requirements described in the System Requirements section. You can install the Windows Log Agent on Windows devices with Windows Server 2019 or Windows Server 2022 installed. The Windows computer must have antivirus software installed.
  • Make sure that the server can reach the ThreatSync+ NDR Collection Agent through port 514. Make sure that no firewall rules block traffic on port 514.
  • Make sure that virtualization is enabled in the BIOS. These virtualization environments are verified for the Windows Log Agent:
    • VMware ESXi 6.7: Windows Server 2019, Windows Server 2022
    • VMware ESXi 7.0.3: Windows Server 2019
    • VMware ESXi 8.0: Windows Server 2019, Windows Server 2022
  • Confirm that the NXLog service is running (nxlog.exe). Review the NXLog files for errors (c:\Program Files\nxlog):
    • Review the *.conf, *.pm, and *.log files, including those in subfolders.
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent_**************.log
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent_**************_000_NXLog.log
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent\WatchGuard_Log_Collection_Agent**************_001_NXLogconf.log
  • Make sure that there is no previous installation of NXLog from another software vendor.
  • In WatchGuard Cloud, on the Configure > ThreatSync > ThreatSync+ NDR > Collectors page, review these columns in the Windows Log Agents table:
    • DHCP Monitoring — Shows the status of DHCP monitoring. For example, Running or Stopped.
    • NXLog Monitoring — Shows the status of NXLog monitoring. For example, Running or Stopped.
    • Status — Shows the status of the Windows Log Agents. Click the status for more information. For example, Error or Success.
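The Windows Log Agent checks above (NXLog service, a conflicting second NXLog install, errors in the listed log files, and reachability of the collector) as one script. This is an added example, not WatchGuard's code; it assumes the NXLog service is named nxlog, that the DHCP Server role runs on the same host, and uses a placeholder collector IP address.

```powershell
# Added troubleshooting example for a Windows Log Agent host; not part of WatchGuard's documentation.
# Assumptions: the NXLog Windows service is named 'nxlog', the DHCP Server role runs on this host
# (service 'DHCPServer'), and the log locations are the ones listed in this document. $CollectorIp
# is a placeholder for the ThreatSync+ NDR Collection Agent address entered in WatchGuard Cloud.
$CollectorIp = '192.0.2.10'   # placeholder; replace with your collector's static IP address

# 1. Services: NXLog must be running, and the DHCP Server service must be up or there are no logs to read.
foreach ($name in 'nxlog', 'DHCPServer') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Write-Output ("{0,-11} {1}" -f $name, $svc.Status) }
    else      { Write-Warning "Service '$name' is not installed on this host" }
}

# 2. A second NXLog install from another vendor conflicts with the agent's copy: list every
#    service whose binary path mentions nxlog, not only the one under C:\Program Files\nxlog.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'nxlog' } |
    Select-Object Name, State, PathName

# 3. Most recent ERROR/WARNING lines across the NXLog and Log Collection Agent logs.
$logPaths = @(
    'C:\Program Files\nxlog\*.log',
    "$env:windir\temp\WatchGuard_Log_Collection_Agent_*.log",
    "$env:windir\temp\WatchGuard_Log_Collection_Agent\*.log"
)
Get-ChildItem -Path $logPaths -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'ERROR|WARNING' |
    Select-Object -Last 20 |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }

# 4. UDP 514 to the collector cannot be probed with Test-NetConnection (TCP only); check basic
#    reachability here and confirm the UDP 514 listener on the collector host separately.
if (Test-Connection -ComputerName $CollectorIp -Count 1 -Quiet) {
    Write-Output "Collector $CollectorIp answers ICMP echo"
} else {
    Write-Warning "Collector $CollectorIp does not answer ICMP echo (may be filtered); verify routing"
}
```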

Related Topics

Quick Start — Set Up ThreatSync+ NDR

Configure ThreatSync+ NDR