Installation Requirements
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EPP, WatchGuard EDR, WatchGuard EDR Core
WatchGuard Endpoint Security supported on various client platforms, including Windows (Intel & ARM), macOS (Intel & ARM), Linux, Android, and iOS. For installation requirements, go to the appropriate section.
Supported Operating Systems
Workstations with an x86 or x64 Microprocessor
- Windows XP SP3 (32-bit)*
- Windows Vista (32-bit and 64-bit)
- Windows 7 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)
- Windows 10 (32-bit and 64-bit)
- Windows 11 (32-bit and 64-bit) (Supported from Windows protection version 8.00.19.0000)
*Installation on Windows XP requires a computer with the cache role assigned. For more information, go to this Knowledge Base article (external).
Computers with an ARM Microprocessor
- Windows 10 Pro and Home
- Windows 11 Pro and Home (Supported from Windows protection version 8.00.19.0010)
Note that all of the product's features work in ARM, except for some Patch Management and anti-exploit functionality.
Servers with an x86 or x64 Microprocessor
- Windows 2003 (32-bit, 64-bit and R2) SP2 and later
- Windows 2008 (32-bit and 64-bit) and 2008 R2
- Windows Small Business Server 2011, 2012
- Windows Server 2012 R2
- Windows Server 2016 and 2019
- Windows Server Core 2008, 2008 R2, 2012 R2, 2016, 2019, and 2022
- Windows Server 2022 (64-bits) (Supported from Windows protection version 8.00.19.0000)
- Windows Server 2025 ARM (Supported from Windows protection version 8.00.19.0000)
IoT and Windows Embedded Industry
Windows Embedded systems allow custom installations that could impact WatchGuard Endpoint Security. After you install WatchGuard Endpoint Security, we recommend that you confirm it works as expected.
- Windows XP Embedded
- Windows Embedded for Point of Service
- Windows Embedded POSReady 2009, 7, 7 (64-bit)
- Windows Embedded Standard 2009, 7, 7 (64-bit), 8, 8 (64-bit)
- Windows Embedded Pro 8, 8 (64 bits)
- Windows Embedded Industry 8, 8 (64-bit), 8.1, 8.1 (64-bit)
- Windows IoT Core 10, 10 (64 bits)
- Windows IoT Enterprise 10, 10 (64-bit)
- Windows Server IoT 2019
Hardware Requirements
- Processor: x86- or x64-compatible CPU with at least SSE2 support
- RAM: 1 GB
- Available hard disk space for installation: 650 MB
Root Certificates
It is necessary to keep the root certificates of workstations and servers up to date. If this requirement is not met, some features such as the ability for client agents to establish real-time communications with the management UI might not work. WatchGuard Endpoint Security solutions require SHA-256 encryption algorithms in order to secure communication between the endpoint and WatchGuard servers. Some operating systems, such as Windows XP SP3 and Windows 2003, do not include required certificates and ciphering methods by default.
To prevent connection issues, make sure that these Microsoft Knowledge Base (KB) changes are installed:
KB948963
This KB adds support for the Windows Server 2003 cipher suites TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES. If it is not installed, download the x64 or x32 version, as appropriate. For more information, go to the Microsoft Catalog (external link).
The download files are not hosted on a Microsoft official server as it is no longer supported. If you require them in another language, contact Microsoft.
KB3072630
This KB verifies the digital signature of the WatchGuard installation packages and their corresponding files. If the computer does not have this KB, download it here (external link) and install it.
The installation requires that you restart the computer.
KB3033929
This KB adds SHA 256 support for Windows 7 and 2008. If it is not installed, download the x64 or x32 versions here (external link).
When the KBs are installed, download and extract the contents of the file addcertsv1.3-signed.zip (password panda). Run the file, AddCerts.exe, with administrator privileges from CMD or Windows Explorer.
KB4474419
This KB adds support to SHA-2 for Windows 7 + SP1 and Windows 2008 R2 + SP1. Access this link (external link) to download it.
KB4490628
This KB adds support to SHA-2 for Windows 7 + SP1 and Windows 2008 R2 + SP1. Access this link (external link) to download it.
When the KBs are installed, download and extract the contents of the file WESCertCheck.zip (password panda). Execute the file called AddCerts.exe with administrator privileges from a CMD window or from Windows Explorer.
Windows 2008 R2 does not support TLS 1.2 natively. It requires that you install a patch available for certain winHTTP protocols. For more information, go to Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (external link).
Rootsupd
This is a Microsoft tool to update computer certificates. It has been removed from the download site as Windows XP is no longer supported. You should use the tool at your own discretion. We suggest that you use a test computer before you deploy it to more computers. Contact Microsoft for help if you have questions.
Download rootsupd and unzip the file (password panda). Run the rootsupd.exe file.
We recommend that you verify that the operating system does not block the execution of the rootsupd.exe file. If necessary, open the file properties to unblock it.
Supported Operating Systems
- macOS 10.10 Yosemite (Supported until v2.00.10.0000)
- macOS 10.11 El Capitan (Supported until v2.00.10.0000)
- macOS 10.12 Sierra (Supported until v2.00.10.0000)
- macOS 10.13 High Sierra (Supported until v2.00.10.0000)
- macOS 10.14 Mojave (Supported until v2.00.10.0000)
- macOS 10.15 Catalina (Supported from v3.00.00.0000) (To ensure maximum protection in Catalina, go to this Knowledge Base article for instructions: How to assign permissions to Panda Security solutions for their correct operation in macOS Catalina? (external link)
- macOS 11.0 Big Sur (Supported from v3.00.00.0000)
- macOS 12 Monterey (Supported from v3.00.00.0000)
- macOS 13 Ventura (Supported from v3.02.00.0000)
- macOS 14 Sonoma (Supported from v3.03.00.0002)
- macOS 15 Sequoia (Supported from v3.05.00.0001)
WatchGuard EDR Core requires macOS Catalina 10.15 or higher (Intel and ARM).
For High Sierra and higher, kernel extensions must be loaded manually. For more information, go to this Knowledge Base article What can I do to prevent the system extension from being blocked on macOS 10.13 (High Sierra)? (external link)
Hardware Requirements
- Processor: Intel® Core 2 Duo
- RAM: 2 GB
- Available hard disk space for installation: 400 MB
- Ports: Ports 3127, 3128, 3129, and 8310 must be accessible for the web filtering and malware detection to work.
Time Synchronization of Computers (NTP)
Although not an essential requirement, we recommend that the clocks on computers protected by WatchGuard Endpoint Security be synchronized. This synchronization is normally achieved using an NTP server.
Required Permissions
For the protection to operate correctly, you must enable:
- Network extensions
- System extensions
- Full disk access
For information on how to do this, go to this Knowledge Base article: Permissions required to enable WatchGuard Endpoint Security on macOS. (external link)
HTTPS Inspection Network Ranges
If the computer where you want to install WatchGuard Endpoint Security is monitored by a proxy or firewall with HTTPS inspection, you must add these network ranges to the HTTPS protocol:
- 17.248.128.0/18
- 17.250.64.0/18
- 17.248.192.0/19
WatchGuard Endpoint Security can be installed on Linux workstations and servers. To manage protection on computers with no graphical environment, use the /usr/ local/protection-agent/pa_cmd tool.
To complete installation of WatchGuard Endpoint Security on Linux platforms, the target computer must be connected to the Internet.
Operating System Versions
To avoid undesired issues, before you install the product on Oracle Linux, make sure you have a compatible kernel version. To go to your kernel version, in the terminal, run uname -r. For a complete list, go to this Knowledge Base article. (external link)
Supported 64-bit Distributions
- Ubuntu: 14.04 LTS, 14.10, 15.04, 15.10, 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04, 19.10, 20.04 LTS, 20.10, 21.04, 21.10, 22.04 LTS, 22.10, 23.04, 23.10, and 24.04.
- Fedora: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, and 40.
- Debian: 8, 9, 10, 11, and 12.
- Red Hat: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- CentOS: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, and 8.5.
- CentOS Stream: 8 and 9.
- Rocky Linux: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- Alma Linux: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3 and 9.4.
- Linux Mint: 18, 18.1, 18.2, 18.3, 19, 19.1, 19.2, 19.3, 20, 20.1, 20.2, 20.3, 21, 21.1, 21.2, 21.3, and 22.
- SUSE Linux Enterprise: 11 SP2, 11 SP3, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3, 12 SP4, 12 SP5, 15, 15 SP1, 15 SP2, 15 SP3, 15 SP4, 15 SP5, and 15 SP6.
- Oracle Linux: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8 , 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, and 9.4.
- openSUSE: 15.3, 15.4, 15.5, and 15.6.
- Amazon Linux: 2
Installation without dependencies is supported from RedHat/CentOS 6, 7 and 8 and from SUSE11 SP2 to SUSE15 SP6. It is available from Linux protection version 3.01.00.0001. For more information, go to Install the Client Software Locally in Help Center.
On supported Debian based systems (Linux Mint, Fedora, Ubuntu, and Debian), the server requires access to the official repositories to download the corresponding kernel headers during installation. These repositories are the responsibility of the distribution vendor who maintains at least one repository for each published version. When a version reaches end-of-life (EOL), the vendor deletes the repository which can cause the security software installation to fail. We recommend that you use a local repository and install the software without dependencies.
Supported 32-bit Distributions
- Red Hat: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10.
- CentOS: 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10.
Supported File Managers
- Nautilus
- PCManFM
- Dolphin
Hardware Requirements
- Processor: Processor: x86 or x64-compatible CPU with at least SSE2 support
- RAM: 1.5 GB
- Available hard disk space for installation: 500 MB
- Ports: Ports 3127, 3128, 3129, and 8310 must be accessible for malware detection to work.
Installation Package Dependencies
During installation, the client agent downloads all required packages required, including:
- Libcurl (For Debian-based distributions, go to Libcurl Libraries.)
- OpenSSL
- GCC and Fedora compilation utilities (for example, make and makeconfig)
The installation process on Fedora includes compilation of the modules required by the WatchGuard Client Agent to work properly. To display the agent dependencies, run these commands on a terminal based on the target distribution:
- For Debian-based distributions: dpkg --info package.deb
- For Fedora-based distributions: rpm --qRp package.rpm
Libcurl Libraries
The protection module requires the installation of the 32-bit libcurl3 or 32-bit libcurl4 library. If you already have one of these libraries installed (for 64-bit systems), make sure the package manager downloads the same library (libcurl3 or libcurl4) with the same version for 32-bit systems. Otherwise, WatchGuard Endpoint Security does not run correctly on the computer and you must manually install the appropriate library.
Supported Operating Systems
- Android Lollipop 5.0/5.1
- Android Marshmallow 6.0
- Android Nougat 7.0 - 7.1
- Android Oreo 8.0
- Android Pie 9.0
- Android 10
- Android 11
- Android 12
- Android 13
- Android 14
Hardware Requirements
A minimum of 10 MB of internal memory is required on the target device. For some Android models, more space can be required.
Network Requirements
For push notifications to work, open ports 5228, 5229, and 5230 to all IP addresses contained in the IP blocks listed in Google's ASN 15169.
In addition to an Internet connection, Google Play Services must be installed.
Permissions Required on the Device
To use all of the WatchGuard Mobile Security features, the user of the device must allow these permissions:
- Camera access
- Read phone state
- Make calls
- Get location
- Device location services
- Draw over other apps
- Act as device administrator
- Access external storage
- Background location access
On mobile devices that run Android 12, these permissions are also required:
- Disable app hibernation
- Ignore battery optimizations
Supported Operating Systems
- iOS 13 / iPadOS 13
- iOS 14 / iPadOS 14
- iOS 15 / iPadOS 15
- iOS 16 / iPadOS 16
- iOS 17/ iPadOS 17
Hardware Requirements
A minimum of 12 MB of internal memory on the target device. For some models, more space can be required.
Network Requirements
The application installed on the mobile device uses the Apple Push Notification service to communicate with the software. If the device is connected to the network by 2G, 3G, or 4G, there are no specific network requirements. If the device is connected to the network by Wi-Fi, Access Point (AP) or other method, it connects to specific servers. Make sure these ports are available:
- TCP 5223 to communicate with the Apple Push Notification service
- TCP 443 or 2197 to send notifications
Servers that make up the Apple Push Notification service use load balancing. The device will not always connect to the same IP address. We recommend that you configure your firewall to allow connections to the entire 17.0.0.0/8 range assigned to Apple.
If this is not possible, allow connections to these IP ranges, for IPv4:
- 17.249.0.0/16
- 17.252.0.0/16
- 17.57.144.0/22
- 17.188.128.0/18
- 17.188.20.0/23
Allow connections to these IP ranges, for IPv6:
- 2620:149:a44::/48
- 2403:300:a42::/48
- 2403:300:a51::/48
- 2a01:b740:a42::/48
Permissions Required on Device
To use all of the features, the user of the device must allow these permissions:
- Get location
- Device location services
- Background location access
- Filter network content
- Send notifications
- Allow background app refresh