Installation Requirements
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EPP, WatchGuard EDR, WatchGuard EDR Core
WatchGuard Endpoint Security is supported on various client platforms, including Windows (Intel & ARM), macOS (Intel & ARM), Linux, Android, and iOS. For installation requirements, go to the appropriate section.
Supported Operating Systems
Workstations with an x86 or x64 Microprocessor
- Windows XP SP3 (32-bit)*
- Windows Vista (32-bit and 64-bit)
- Windows 7 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)
- Windows 10 (32-bit and 64-bit)
- Windows 11 (32-bit and 64-bit) (Supported from Windows protection version 8.00.19.0000)
*Installation on Windows XP requires a computer with the cache role assigned. For more information, go to this Knowledge Base article (external).
Computers with an ARM Microprocessor
- Windows 10 Pro and Home
- Windows 11 Pro and Home (Supported from Windows protection version 8.00.19.0010)
Note that all of the product's features work in ARM, except for some Patch Management and anti-exploit functionality.
- Windows Server 2025 Standard, Datacenter
Servers with an x86 or x64 Microprocessor
- Windows 2003 (32-bit, 64-bit) and R2 SP2 and later
- Windows 2008 (32-bit and 64-bit) and 2008 R2
- Windows Small Business Server 2011, 2012
- Windows Server 2012 and 2012 R2
- Windows Server 2016 and 2019
- Windows Server Core 2008, 2008 R2, 2012 R2, 2016, 2019, and 2022
- Windows Server 2022
- Windows Server 2025 Standard, Datacenter
IoT and Windows Embedded Industry
Windows Embedded systems allow custom installations that could impact WatchGuard Endpoint Security. After you install WatchGuard Endpoint Security, we recommend that you confirm it works as expected.
- Windows XP Embedded
- Windows Embedded for Point of Service
- Windows Embedded POSReady 2009, 7, 7 (64-bit)
- Windows Embedded Standard 2009, 7, 7 (64-bit), 8, 8 (64-bit)
- Windows Embedded Pro 8, 8 (64-bit)
- Windows Embedded Industry 8, 8 (64-bit), 8.1, 8.1 (64-bit)
- Windows IoT Core 10, 10 (64-bit)
- Windows IoT Enterprise 10, 10 (64-bit), 11
- Windows Server IoT 2019
Hardware Requirements
- Processor: x86- or x64-compatible CPU with at least SSE2 support
- RAM: 1 GB
- Available hard disk space for installation: 650 MB on average (The minimum space required to install the security software depends on the operating system version installed on the computer.)
WatchGuard Endpoint Security requires access to multiple Internet-hosted resources. It requires access to ports 80 and 443. For more information on port access requirements, go to Endpoint Security Network Requirements in Help Center.
Root Certificates
It is necessary to keep the root certificates of workstations and servers up to date. If this requirement is not met, some features such as the ability for client agents to establish real-time communications with the management UI or Patch Management might not work.
Endpoint Security solutions require SHA-256 encryption algorithms in order to secure communication between the endpoint and WatchGuard servers. Some operating systems, such as Windows XP SP3 and Windows 2003, do not include required certificates and ciphering methods by default.
Computers must also be able to access these URLs:
- http://*.globalsign.com
- http://*.digicert.com
- http://*.sectigo.com
Time Synchronization of Computers (NTP)
Although not an essential requirement, we recommend that the clocks on computers protected by WatchGuard Endpoint Security be synchronized. This synchronization can be achieved with an NTP server.
If a computer is not synchronized, several security issues could occur:
- Reduced stability in communications between the computer and the WatchGuard cloud servers.
- Appearance of errors checking certificates as valid or expired based on the computer system date, not the actual date.
- Date errors in alerts generated by the protection software that show the computer system date, not the actual date.
- Scan and patch installation tasks show the computer system date, not the actual date.
- Installer expiration date is not respected.
- Time periods defined in the web access control feature are not adhered to.
- Scheduled actions such as computer restarts and problem notifications might not run correctly.
Support for SHA-256 Driver Signing
To keep the security software up to date, the workstation or server must support SHA-256 driver signing. Some versions of Windows do not include this feature by default.
Computers that do not support SHA-256 driver signing will not have their protection software updated beyond protection version 4.00.00. These computers are not shown in the Outdated Protection tile. Instead, the computer details show the warning "Cannot upgrade this computer's protection to the latest version". For more information, go to Computer Details in Help Center.
To find computers that do not support SHA-256 driver signing, create a filter in the filter tree with these parameters:
- Category: Computer
- Property: Supports SHA-256 signed drivers
- Condition: Is equal to
- Value: False
We recommend that you update all computers to make sure they are protected with the latest available version of the security software.
To prevent connection issues, make sure that these Microsoft Knowledge Base (KB) changes are installed:
KB948963
This KB adds support for the TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA) and TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA) AES cipher suites in Windows Server 2003. If it is not installed, download the x64 or x32 version, as appropriate. For more information, go to the Microsoft Catalog (external link).
The download files are not hosted on a Microsoft official server as it is no longer supported. If you require them in another language, contact Microsoft.
KB3072630
This KB verifies the digital signature of the WatchGuard installation packages and their corresponding files. If the computer does not have this KB, download it here (external link) and install it.
The installation requires that you restart the computer.
KB3033929
This KB adds SHA-256 support for Windows 7 and 2008. If it is not installed, download the x64 or x32 versions here (external link).
When the KBs are installed, download and extract the contents of the file addcertsv1.3-signed.zip (password panda). Run the file, AddCerts.exe, with administrator privileges from CMD or Windows Explorer.
KB4474419
This KB adds SHA-256 support for Windows 7 + SP1 and Windows 2008 R2 + SP1. Access this link (external link) to download it.
KB4490628
This KB adds SHA-256 support for Windows 7 + SP1 and Windows 2008 R2 + SP1. Access this link (external link) to download it.
When the KBs are installed, download and extract the contents of the file CertCheck.zip (password panda). Execute the file called AddCerts.exe with administrator privileges from a CMD window or from Windows Explorer.
After you install the required KBs, use the tool available at PSInfo Check Certificate in Help Center to identify and update root certificates.
In Citrix environments we recommend that you run CertCheck.exe with the psexec tool.
Rootsupd
This is a Microsoft tool to update computer certificates. It has been removed from the download site as Windows XP is no longer supported. You should use the tool at your own discretion. We suggest that you use a test computer before you deploy it to more computers. Contact Microsoft for help if you have questions.
Download rootsupd and unzip the file (password panda). Run the rootsupd.exe file.
We recommend that you verify that the operating system does not block the execution of the rootsupd.exe file. If necessary, open the file properties to unblock it.
Communications TLS 1.2
For communications through TLS 1.2 protocol, ciphers TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 are required.
For more information, go to this article on the Microsoft site.
Windows 2008 R2 does not support TLS 1.2 natively. It requires that you install a patch available for certain winHTTP protocols. For more information, go to Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (external link).
Supported Operating Systems
- macOS 10.10 Yosemite (Supported until v2.00.10.0000)
- macOS 10.11 El Capitan (Supported until v2.00.10.0000)
- macOS 10.12 Sierra (Supported until v2.00.10.0000)
- macOS 10.13 High Sierra (Supported until v2.00.10.0000)
- macOS 10.14 Mojave (Supported until v2.00.10.0000)
- macOS 10.15 Catalina (Supported from v3.00.00.0000) (To ensure maximum protection in Catalina, go to this Knowledge Base article for instructions: How to assign permissions to Panda Security solutions for their correct operation in macOS Catalina? (external link))
- macOS 11.0 Big Sur (Supported from v3.00.00.0000)
- macOS 12 Monterey (Supported from v3.00.00.0000)
- macOS 13 Ventura (Supported from v3.02.00.0000)
- macOS 14 Sonoma (Supported from v3.03.00.0002)
- macOS 15 Sequoia (Supported from v3.05.00.0001)
WatchGuard EDR Core requires macOS Catalina 10.15 or higher (Intel and ARM).
For High Sierra and higher, kernel extensions must be loaded manually. For more information, go to this Knowledge Base article What can I do to prevent the system extension from being blocked on macOS 10.13 (High Sierra)? (external link)
Hardware Requirements
- Processor: Intel® Core 2 Duo
- RAM: 2 GB
- Available hard disk space for installation: 400 MB
- Ports: Ports 3127, 3128, 3129, and 8310 must be accessible for the web filtering and malware detection to work.
Time Synchronization of Computers (NTP)
Although not an essential requirement, we recommend that the clocks on computers protected by WatchGuard Endpoint Security be synchronized. This synchronization is normally achieved using an NTP server.
Required Permissions
For the protection to operate correctly, you must enable:
- Network extensions
- System extensions
- Full disk access
For information on how to do this, go to this Knowledge Base article: Permissions required to enable WatchGuard Endpoint Security on macOS. (external link)
HTTPS Inspection Network Ranges
If the computer where you want to install WatchGuard Endpoint Security is monitored by a proxy or firewall with HTTPS inspection, you must add these network ranges to the HTTPS protocol:
- 17.248.128.0/18
- 17.250.64.0/18
- 17.248.192.0/19
WatchGuard Endpoint Security can be installed on Linux workstations and servers. To manage protection on computers with no graphical environment, use the /usr/local/protection-agent/pa_cmd tool.
To complete installation of WatchGuard Endpoint Security on Linux platforms, the target computer must be connected to the Internet.
Operating System Versions
To avoid issues, before you install the product on Oracle Linux, make sure you have a compatible kernel version. To check your kernel version, run uname -r in the terminal. For a complete list, go to this Knowledge Base article. (external link)
Supported 64-bit Distributions
- Ubuntu: 14.04 LTS, 14.10, 15.04, 15.10, 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04, 19.10, 20.04 LTS, 20.10, 21.04, 21.10, 22.04 LTS, 22.10, 23.04, 23.10, and 24.04.
- Fedora: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, and 40.
- Debian: 8, 9, 10, 11, and 12.
- Red Hat: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- CentOS: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, and 8.5.
- CentOS Stream: 8 and 9.
- Rocky Linux: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- Alma Linux: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3 and 9.4.
- Linux Mint: 18, 18.1, 18.2, 18.3, 19, 19.1, 19.2, 19.3, 20, 20.1, 20.2, 20.3, 21, 21.1, 21.2, 21.3, and 22.
- SUSE Linux Enterprise: 11 SP2, 11 SP3, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3, 12 SP4, 12 SP5, 15, 15 SP1, 15 SP2, 15 SP3, 15 SP4, 15 SP5, and 15 SP6.
- Oracle Linux: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- openSUSE: 15.3, 15.4, 15.5, and 15.6.
- Amazon Linux: 2
Installation without dependencies is supported from RedHat/CentOS 6, 7 and 8 and from SUSE11 SP2 to SUSE15 SP6. It is available from Linux protection version 3.01.00.0001. For more information, go to Install the Client Software Locally in Help Center.
On supported Debian-based systems (Linux Mint, Fedora, Ubuntu, and Debian), the server requires access to the official repositories to download the corresponding kernel headers during installation. These repositories are the responsibility of the distribution vendor, who maintains at least one repository for each published version. When a version reaches end-of-life (EOL), the vendor deletes the repository, which can cause the security software installation to fail. We recommend that you use a local repository and install the software without dependencies.
Supported 32-bit Distributions
- Red Hat: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10.
- CentOS: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10.
Supported File Managers
- Nautilus
- PCManFM
- Dolphin
Hardware Requirements
- Processor: x86 or x64-compatible CPU with at least SSE2 support
- RAM: 1.5 GB
- Available hard disk space for installation: 500 MB
- Ports: Ports 3127, 3128, 3129, and 8310 must be accessible for malware detection to work.
Installation Package Dependencies
During installation, the client agent downloads all required packages, including:
- Libcurl (For Debian-based distributions, go to Libcurl Libraries.)
- OpenSSL
- GCC and Fedora compilation utilities (for example, make and makeconfig)
The installation process on Fedora includes compilation of the modules required by the WatchGuard Client Agent to work properly. To display the agent dependencies, run these commands on a terminal based on the target distribution:
- For Debian-based distributions: dpkg --info package.deb
- For Fedora-based distributions: rpm -qRp package.rpm
Libcurl Libraries
The protection module requires the installation of the 32-bit libcurl3 or 32-bit libcurl4 library. If you already have one of these libraries installed (for 64-bit systems), make sure the package manager downloads the same library (libcurl3 or libcurl4) with the same version for 32-bit systems. Otherwise, WatchGuard Endpoint Security does not run correctly on the computer and you must manually install the appropriate library.
Supported Operating Systems
- Android Lollipop 5.0/5.1
- Android Marshmallow 6.0
- Android Nougat 7.0 - 7.1
- Android Oreo 8.0
- Android Pie 9.0
- Android 10
- Android 11
- Android 12
- Android 13
- Android 14
Hardware Requirements
A minimum of 10 MB of internal memory is required on the target device. For some Android models, more space can be required.
Network Requirements
For push notifications to work, open ports 5228, 5229, and 5230 to all IP addresses contained in the IP blocks listed in Google's ASN 15169.
In addition to an Internet connection, Google Play Services must be installed.
Permissions Required on the Device
To use all of the WatchGuard Mobile Security features, the user of the device must allow these permissions:
- Camera access
- Read phone state
- Make calls
- Get location
- Device location services
- Draw over other apps
- Act as device administrator
- Access external storage
- Background location access
On mobile devices that run Android 12, these permissions are also required:
- Disable app hibernation
- Ignore battery optimizations
Supported Operating Systems
- iOS 13 / iPadOS 13
- iOS 14 / iPadOS 14
- iOS 15 / iPadOS 15
- iOS 16 / iPadOS 16
- iOS 17 / iPadOS 17
Hardware Requirements
A minimum of 12 MB of internal memory on the target device. For some models, more space can be required.
Network Requirements
The application installed on the mobile device uses the Apple Push Notification service to communicate with the software. If the device is connected to the network by 2G, 3G, or 4G, there are no specific network requirements. If the device is connected to the network by Wi-Fi, Access Point (AP) or other method, it connects to specific servers. Make sure these ports are available:
- TCP 5223 to communicate with the Apple Push Notification service
- TCP 443 or 2197 to send notifications
Servers that make up the Apple Push Notification service use load balancing. The device will not always connect to the same IP address. We recommend that you configure your firewall to allow connections to the entire 17.0.0.0/8 range assigned to Apple.
If this is not possible, allow connections to these IP ranges, for IPv4:
- 17.249.0.0/16
- 17.252.0.0/16
- 17.57.144.0/22
- 17.188.128.0/18
- 17.188.20.0/23
Allow connections to these IP ranges, for IPv6:
- 2620:149:a44::/48
- 2403:300:a42::/48
- 2403:300:a51::/48
- 2a01:b740:a42::/48
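An added example (not WatchGuard code): a Python check that a firewall allow-list fully covers the Apple Push Notification ranges listed above and reports any sub-range left uncovered, including the case where several smaller rules together cover one required range. The function name `uncovered` and the `ALLOWED_SAMPLE` rules are constructed for illustration.

```python
import ipaddress

# Ranges copied from the IPv4 and IPv6 lists above.
REQUIRED_APNS = [
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
    "17.188.128.0/18", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48",
    "2403:300:a51::/48", "2a01:b740:a42::/48",
]

# Constructed sample allow-list: one rule is too narrow (/23 instead of /22),
# one /18 is split into two /19 rules, and one IPv6 range is missing.
ALLOWED_SAMPLE = [
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/23",
    "17.188.128.0/19", "17.188.160.0/19", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48", "2a01:b740:a42::/48",
]


def uncovered(required, allowed):
    """Return the parts of `required` that no network in `allowed` covers."""
    allow = [ipaddress.ip_network(a) for a in allowed]
    gaps = []
    for req in map(ipaddress.ip_network, required):
        remaining = [req]
        for a in allow:
            if a.version != req.version:
                continue
            nxt = []
            for r in remaining:
                if r.subnet_of(a):
                    continue                          # fully allowed
                if a.subnet_of(r):
                    nxt.extend(r.address_exclude(a))  # keep what is left over
                else:
                    nxt.append(r)                     # CIDR blocks are disjoint
            remaining = nxt
        gaps.extend(remaining)
    # Merge adjacent leftovers so the report is as short as possible.
    v4 = ipaddress.collapse_addresses(g for g in gaps if g.version == 4)
    v6 = ipaddress.collapse_addresses(g for g in gaps if g.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    for gap in uncovered(REQUIRED_APNS, ALLOWED_SAMPLE):
        print("not allowed through the firewall:", gap)
```

The same function can be run against the HTTPS inspection ranges in the macOS section by passing that list as `required`.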
Permissions Required on Device
To use all of the features, the user of the device must allow these permissions:
- Get location
- Device location services
- Background location access
- Filter network content
- Send notifications
- Allow background app refresh