Threat Detection and Response Deployment Guide


About This Guide

The Threat Detection and Response Getting Started Guide is a guide to help you set up the Threat Detection and Response subscription service. Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 3/26/2018

Copyright, Trademark, and Patent Information

Copyright WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online.

About WatchGuard

WatchGuard Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Facebook or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them.

Address: 505 Fifth Avenue South, Suite 500, Seattle, WA
Support: U.S. and Canada; All Other Countries
Sales: U.S. and Canada; All Other Countries

Threat Detection and Response Deployment Guide ii

Contents

About Threat Detection and Response
    Components
Quick Start: Set Up Threat Detection and Response
    Step 1: Activate a TDR Subscription
    Step 2: Set up a Managed Customer Account (WatchGuard Partners Only)
    Step 3: Enable TDR on the Firebox
    Step 4: Add an HTTPS Policy on the Firebox
    Step 5: Install a Host Sensor
TDR Deployment Best Practices
    Phased Host Sensor Deployment
    Add Exclusions for Desktop AV
        Configure Desktop AV Software to Exclude TDR File Paths
        Configure TDR to Exclude Desktop AV File Paths
    Configure Host Groups
        Configure Host Sensor Settings for Host Groups
            Recommended Host Sensor Settings for Servers
            Recommended Host Sensor Settings for Windows 7
            Recommended Host Sensor Settings for Most Other Hosts
        Configure Policies for Host Groups
    Recommended TDR Policies
        Default TDR Policies
        Set the Cybercon Level
        Use Groups as Policy Targets
        Policy Tips
Next Steps
    Monitor Threat Detection and Response
    Set Up Active Directory Helper
    Configure Proxy Policies for TDR
    TDR Account Types
        TDR User Roles and Permissions
            Administrator
            Operator
        TDR Service Provider Accounts
            Multi-Tier Management
            Service Provider User Roles
                Administrator (SP)
                Operator (SP)
More Information

About Threat Detection and Response

Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats. TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and respond to security threats. ThreatSync analytics enable TDR to assign threat level scores based on heuristics, threat feeds, and a cloud-based malware verification service.

Threat Detection and Response is supported for Firebox and XTMv device models only and requires Fireware v11.12 or higher.

Components

The Threat Detection and Response subscription service has several components:

Threat Detection and Response Account
Threat Detection and Response is a cloud-based service hosted by WatchGuard. Your Threat Detection and Response account in the cloud collects and analyzes forensic data received from Fireboxes and Host Sensors on your network. You log in to your TDR account on the WatchGuard Portal to configure account settings and Host Sensor settings, and to monitor and manage security threats. Because your login credentials for TDR are your WatchGuard Portal credentials, when you log in to the WatchGuard Portal, single sign-on also logs you in to your TDR account automatically.

Firebox or XTMv Device
Threat Detection and Response is a security subscription that you activate for your Firebox. In the Firebox configuration, you enable the Firebox to send data to your TDR account, and you configure policies, services, and log settings to enable the Firebox and Host Sensors to send information to your TDR account.

Host Sensors
You install Host Sensors on the computers on your network. Each Host Sensor collects forensic data from the host and sends it to the Threat Detection and Response cloud for analysis. Forensic data includes information related to files, processes, network connections, and registry keys on the host. You can configure Host Sensors to simply report security threats or to take action to fix certain types of security threats.

AD Helper
AD Helper is an application that you can install to deploy Host Sensors on your network. AD Helper uses your existing Windows Active Directory infrastructure to assist with distributed installation of Host Sensors on your network.

For information about how to get started with TDR, see:
    Quick Start: Set Up Threat Detection and Response
    TDR Deployment Best Practices

Quick Start: Set Up Threat Detection and Response

Before you can use Threat Detection and Response (TDR), you must activate the TDR subscription for a Firebox in your WatchGuard Portal account. When you activate the first TDR subscription for a Firebox in your account, your TDR account is automatically created and Host Sensor licenses are added to your TDR account. The number of Host Sensor licenses included with your TDR subscription depends on the Firebox model. You can purchase additional Host Sensor licenses as an upgrade.

Some steps to set up TDR require that you log in with a specific user role. The first user in a new TDR account has both the Administrator and Operator user roles. All other users have the Operator user role by default. A user with Administrator credentials can change the roles assigned to any user account.

To get started with TDR, complete these steps:
    Step 1: Activate a TDR Subscription
    Step 2: Set up a Managed Customer Account (WatchGuard Partners Only)
    Step 3: Enable TDR on the Firebox
    Step 4: Add an HTTPS Policy on the Firebox
    Step 5: Install a Host Sensor

Step 1: Activate a TDR Subscription

Threat Detection and Response is included in the Total Security Suite subscription. When you activate a Total Security Suite subscription, Host Sensor licenses are added to your TDR account. After you activate your TDR subscription, you must update the feature key on your Firebox.

To update the feature key on the Firebox, from Fireware Web UI:
1. Log in to Fireware Web UI as a user with Device Administrator credentials.
2. Select System > Feature Key.
3. Click Get Feature Key. The Feature Key page appears.
4. Verify that the Threat Detection & Response feature is enabled in the feature key.

To update the feature key on the Firebox, from Firebox System Manager:
1. Start Firebox System Manager for your Firebox.
2. Select Tools > Synchronize Feature Key.
3. Type the credentials for a user with Device Administrator credentials.
4. Select View > Feature Keys. The Feature Key dialog box appears.
5. Verify that the Threat Detection & Response feature is enabled in the feature key.

Step 2: Set up a Managed Customer Account (WatchGuard Partners Only)

If you are not a WatchGuard partner, skip this step and continue to Step 3.

If you are a WatchGuard Partner, your TDR account is a Service Provider account. In your TDR Service Provider account, you must add a separate customer account for each business or organization for which you manage TDR. To configure TDR to run on your own network, you must also add a customer account for your own internal network. You configure and manage TDR separately for each managed customer account.

To create a managed customer account in your TDR Service Provider account:
1. Go to the WatchGuard Portal and log in to your WatchGuard Portal account as a user with Administrator credentials.
2. In the Partner Portal, click Support Center.
3. Select My WatchGuard > Manage TDR. The Threat Detection & Response web UI appears.
4. In the TDR web UI, click Accounts.
5. Click Add Account. The Add Account dialog box appears.
6. In the Name text box, type the business or organization name of the managed customer account.
7. Click Save & Close. The account is added to the Accounts list and is also added to the drop-down list in the top navigation bar.

You must assign Host Sensor licenses to each customer account you manage. The number of Host Sensor licenses you assign to a managed customer account controls the maximum number of Host Sensors you can install on computers for that customer.

To assign Host Sensor licenses to a managed customer account:
1. From the TDR web UI left navigation menu, select Licenses. The Licenses page appears and shows the Host Sensor licenses in your account.
2. In the Licenses list, find an unassigned license.
3. On the line of the unassigned license, click the icon at the far right side. A drop-down list with the available options appears.
4. Select Assign License. The Assign License dialog box appears.
5. In the Account text box, begin to type the name of the managed customer account. Account names that contain the letters you type appear below the text box.
6. Select the customer account name from the list.
7. In the Number of Hosts to Assign text box, type the number of Host Sensor licenses to assign to this account. By default, the Number of Hosts to Assign is set to the total number of unassigned Host Sensor licenses in the license you selected. You can change this to a lower number if you plan to install Host Sensors on fewer computers for this customer.
8. Click Assign License. The specified number of Host Sensor licenses are assigned to the managed customer account you selected.

To manage TDR for a customer, you must select the customer account to manage. The drop-down list at the top of the page has the name of your service provider account and the names of each customer account you added.

To select a customer account to manage:
1. From the drop-down list at the top of the page, select the customer account.
2. To see a summary of status for this customer, select Dashboard in the left navigation menu.

After you select a managed customer account, the options available in the left navigation menu depend on the user role assigned to you in the Service Provider account. Your user account can be assigned one or both of these roles:
    Administrator (SP): you are an Administrator of your managed customer accounts.
    Operator (SP): you are an Operator of your managed customer accounts.

The first user in a TDR Service Provider account has both the Administrator (SP) and Operator (SP) user roles. All other users have the Operator (SP) user role by default.

After you select a managed customer account, complete the procedures to set up Host Sensors and Fireboxes for each managed customer. To go back to your Service Provider account to manage accounts and licenses, select the name of your service provider account from the drop-down list at the top of the page.

Step 3: Enable TDR on the Firebox

If your Firebox does not run Fireware v11.12, upgrade the Firebox OS to v11.12 or higher. For more information, see Upgrade Fireware OS or WatchGuard System Manager.

Next, enable Threat Detection and Response on your Firebox. To enable TDR on the Firebox, you must get the UUID from your TDR account and add it to the Firebox configuration.

To find your TDR Account UUID:
1. Go to the WatchGuard Portal and log in to your WatchGuard partner or customer account as a user with Operator credentials.
2. If you are a WatchGuard partner, in the Partner Portal click Support Center.
3. Select My WatchGuard > Manage TDR.
4. (Partners only) Select the managed customer account.
5. Select Devices > Firebox. The Account UUID appears at the top of the page.
6. Copy the Account UUID.

To add the Account UUID to the Firebox:
1. Open the Firebox configuration in Policy Manager or Fireware Web UI.
2. Select Subscription Services > Threat Detection.
3. Select the Enable Threat Detection & Response check box.
4. In the Account UUID and Confirm text boxes, paste the Account UUID.
5. Save the configuration to the Firebox.

The Account UUID determines which TDR account receives the Firebox data. If you are a partner, use the UUID shown while the managed customer account is selected, not the UUID of your Service Provider account.

To verify the connection from your Firebox to your TDR account:
    In Fireware Web UI, select Dashboard > Front Panel to see the Firebox connection status to Threat Detection and Response.
    In Firebox System Manager, select the Status Report tab and search for TDR.
    In the TDR web UI, select Devices > Firebox and verify that your Firebox appears in the Fireboxes list.

Step 4: Add an HTTPS Policy on the Firebox

When you enable TDR on your Firebox, the Firebox configuration must include a policy to allow Host Sensors on your network to connect to your TDR account. If your Firebox runs Fireware v or higher, the WatchGuard Threat Detection and Response policy that allows Host Sensor connections is added to the Firebox configuration automatically when you enable TDR. If your Firebox runs Fireware v , you must manually add an HTTPS packet filter policy with these settings:
    Connections are: Allowed
    From: Any-Trusted, Any-Optional (or the locations where your Host Sensors are installed)
    To: the FQDNs tdr-hsc-na.watchguard.com and tdr-hsc-eu.watchguard.com

If your Firebox configuration includes an HTTPS proxy policy with content inspection and certificate validation enabled, add these FQDNs as destinations to the WatchGuard Threat Detection and Response policy or to the HTTPS policy you manually added:
    tdr-frontline-eu.watchguard.com
    tdr-frontline-na.watchguard.com
    tdr-adhh-na.watchguard.com
    tdr-adhh-eu.watchguard.com

These additional FQDNs allow Host Sensors to upload files for APT Blocker analysis, and allow Active Directory Helper to synchronize data with your TDR account. Listing them in the dedicated policy means connections to these destinations match that policy rather than the HTTPS proxy, so they are not subject to content inspection.
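To confirm from an endpoint that the policy above actually lets a Host Sensor reach the TDR cloud, and that no content-inspecting HTTPS proxy sits in the path, the following Python script (added here as an example; it is not WatchGuard's code and is not what the Host Sensor itself does) connects to each FQDN on TCP 443 and validates the presented certificate chain against the operating system's trust store. A chain that fails validation is the usual symptom of a proxy re-signing the server certificate. The FQDNs are the ones listed in this step; port 443 is assumed from the HTTPS policy type. The probe function is injectable so the verdict logic can be checked without network access.

```python
"""Check, from a host where a Host Sensor will run, that the TDR cloud FQDNs are
reachable on TCP 443 and that the TLS certificate presented validates (i.e. the
connection is not being content-inspected by an HTTPS proxy)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# FQDNs from the deployment guide. Host Sensors connect to the HSC endpoints; the
# others carry APT Blocker file uploads and AD Helper synchronization.
HOST_SENSOR_FQDNS = ("tdr-hsc-na.watchguard.com", "tdr-hsc-eu.watchguard.com")
PROXY_BYPASS_FQDNS = (
    "tdr-frontline-na.watchguard.com", "tdr-frontline-eu.watchguard.com",
    "tdr-adhh-na.watchguard.com", "tdr-adhh-eu.watchguard.com",
)


@dataclass
class ProbeResult:
    fqdn: str
    reachable: bool      # TCP connection to port 443 succeeded
    tls_ok: bool         # certificate chain and hostname validated against the OS trust store
    issuer_cn: str = ""  # commonName of the certificate issuer, when a certificate was seen
    error: str = ""


def tls_probe(fqdn: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Open a TCP connection and complete a verified TLS handshake (port 443 assumed)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname by default
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (key, value)
                issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
                return ProbeResult(fqdn, True, True, issuer.get("commonName", ""))
    except ssl.SSLCertVerificationError as exc:
        # A middlebox doing content inspection re-signs the server certificate with its
        # own CA; unless that CA is in the host trust store, validation fails here.
        return ProbeResult(fqdn, True, False, error=exc.verify_message)
    except ssl.SSLError as exc:
        return ProbeResult(fqdn, True, False, error=str(exc))
    except OSError as exc:  # DNS failure, refused, timeout (socket.timeout is an OSError)
        return ProbeResult(fqdn, False, False, error=str(exc))


def diagnose(result: ProbeResult) -> str:
    """Map a probe result to the deployment action it calls for."""
    if not result.reachable:
        return "BLOCKED: no TCP 443 path; check the HTTPS policy From/To for this FQDN"
    if not result.tls_ok:
        return "INTERCEPTED: certificate validation failed; exempt this FQDN from HTTPS content inspection"
    return f"OK (issuer CN: {result.issuer_cn})"


def check_endpoints(fqdns: Iterable[str],
                    probe: Callable[[str], ProbeResult] = tls_probe) -> Dict[str, str]:
    """Probe every FQDN and return a verdict per FQDN. `probe` is injectable for offline use."""
    return {fqdn: diagnose(probe(fqdn)) for fqdn in fqdns}


if __name__ == "__main__":
    for fqdn, verdict in check_endpoints(HOST_SENSOR_FQDNS + PROXY_BYPASS_FQDNS).items():
        print(f"{fqdn:36} {verdict}")
```

Run it on a pilot host in each network location where Host Sensors will be installed. Read the issuer CN in an OK result as well: if the Firebox's inspection CA has been pushed into the host trust store, validation passes but the issuer shown is the Firebox CA rather than a public CA, which still means the traffic is being inspected.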

Step 5: Install a Host Sensor

Next, install a Host Sensor on the computer to protect. The information you need to install the Host Sensor appears on the TDR web UI page where you download the software. You can manually install a Host Sensor for Windows, Mac, or Red Hat Linux. For information about TDR Host Sensor OS compatibility, see the Threat Detection & Response Release Notes on the Fireware Release Notes page.

To install a Host Sensor for Windows or Mac:
1. Go to the WatchGuard Portal and log in to your WatchGuard account as a user with Operator credentials.
2. If you are a WatchGuard partner, in the Partner Portal click Support Center.
3. Select My WatchGuard > Manage TDR.
4. (Partners only) Select the managed customer account.
5. Select Configuration > Host Sensor.
6. Click the Download button for the Microsoft Windows Host Sensor or the Mac Host Sensor.
7. On the Host Sensor page, find the Account ID and Controller Address.
8. To run the installer, double-click the downloaded MSI or PKG file. The Threat Detection and Response Setup dialog box appears.
9. Copy and paste the Account ID from the TDR Host Sensor page to the Account ID text box in the installer.
10. Copy and paste the Controller Address from the TDR Host Sensor page to the Controller Address text box in the installer.

To verify the connection from the Host Sensor to your TDR account:
1. In the TDR web UI, select Devices > Hosts.
2. Verify that the host appears in the list and that the Host Sensor status is operational.

You can also use AD Helper for automated installation of Windows Host Sensors. For more information, see Next Steps.

TDR Deployment Best Practices

A TDR Host Sensor can automatically quarantine files, stop processes, and delete registry entries if it identifies a file or process as ransomware or another type of threat. Because the Host Sensor takes actions that could affect other applications installed on your hosts, we recommend you consider these best practices for your TDR deployment.

To complete the procedures described in this topic you must log in to TDR as a user with Operator privileges.

Phased Host Sensor Deployment

If the Host Sensor identifies a file or process as a threat, and active TDR policies allow remediation action, the Host Sensor automatically takes action to disable it. To identify potential interactions with other installed software that you trust, we recommend that you first deploy and test Host Sensors on a small set of hosts that run applications commonly used on your network. A small pilot deployment can enable you to identify any interactions between the Host Sensor and other applications, so that you can add exceptions to resolve any interoperability or performance issues before wider deployment.

You must decide how many and what types of hosts to include in your pilot deployment. For each host, install the Host Sensor, and then use other software on the host. Monitor the indicators in your TDR account to see threats and actions reported by the Host Sensors. If a Host Sensor identifies a threat, you can look at the details in the indicator to see the name of the file or process and why it was considered a threat.

To see indicators for a host:
1. Select ThreatSync > Indicators. The Indicators page appears.
2. Clear all filters and then filter or search by the host name.
3. To see more information about an indicator, in the Indicator column, click Additional Information.

For more information about the Indicators page, see Manage TDR Indicators in Fireware Help.

If the Host Sensor identifies a trusted application as a threat, you can add the MD5 value to the Signature Overrides as a Whitelist item. TDR does not generate indicators for files you add to the Whitelist. Because the Whitelist matches on the MD5 of the specific file, a new build of the application has a different hash and is not covered by the earlier entry; review Whitelist entries after application updates.

To add a file to the Whitelist:
1. On the Indicators page, find the indicator for the application you want to add to the Whitelist.
2. Select the check box adjacent to the indicator.
3. From the Actions drop-down list, select Whitelist. The Confirm Action dialog box appears.
4. Click Execute Action.

If the Host Sensor causes performance issues or conflicts with other software such that the Host Sensor or the other software does not function, you can add an exclusion for the installation path of the software. An exclusion causes the Host Sensor to ignore the files in the specified path.

To add an exclusion:
1. Select Configure > Exclusion.
2. Click Add.
3. Specify the path to exclude.

For more information about how to add an exclusion, see Configure TDR Exclusions in Fireware Help.

Keep exclusions as narrow as the conflict requires. Because the Host Sensor ignores everything in an excluded path, an exclusion on a broad or user-writable directory is a blind spot in which files and processes are never reported or remediated.

If the Host Sensor quarantines a file, it encrypts the file and stores it in the quarantine directory on the host.

To remove a file from quarantine:
1. On the Indicators page, find the indicator with the successful Quarantine action.
2. Select the indicator.
3. Select the Unquarantine file or Unquarantine HRP action. The available action depends on whether the file was quarantined by Host Ransomware Prevention (HRP) or as the result of the Quarantine File action.

For more information about how to remove a file from quarantine, see Remove a File from Quarantine in Fireware Help.

Add Exclusions for Desktop AV

The TDR Host Sensor and desktop antivirus both detect and prevent threats. To prevent conflicts between the Host Sensor and desktop antivirus software, we recommend that you add exclusions in TDR and in your desktop AV software.

Configure Desktop AV Software to Exclude TDR File Paths

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or whitelist. The directories to exclude are:
    C:\Program Files (x86)\WatchGuard\Threat Detection and Response\
    C:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or whitelist.

Configure TDR to Exclude Desktop AV File Paths

In TDR, add exclusions for the locations where your antivirus software is installed. The paths to exclude are different for each desktop AV vendor and might be different for each OS or AV software version. Test the Host Sensor with your desktop AV solution to make sure you have excluded all necessary paths. For links to integration guides for TDR and popular desktop AV vendors, see Integration Guides in WatchGuard Help Center. For more information about how to add a TDR exclusion, see Host Sensors and AV Software Exclusions in Fireware Help.

Configure Host Groups

By default, the global Host Sensor settings and default TDR policies apply to all deployed Host Sensors. We recommend that you configure Host Groups so that you can easily configure different Host Sensor settings and policies for each group. You can use Host Groups to group together hosts that have a similar OS version, hardware, applications, or user type. For example, you could create groups for Servers, Windows 7 Desktops, Laptops, Sales, Finance, Support, and so on. After you configure Host Groups you can change the Host Sensor settings for each group, and you can use the group names in your TDR policies. We recommend that you test a few hosts in each group as part of your initial deployment phase.

You can manage host group membership from the Hosts page or the Groups page. From the Hosts page you can select multiple hosts from a list to add them to a new or existing Host Group.

To change the Host Group for one or more hosts:
1. Select Devices > Hosts.
2. Select the check box adjacent to one or more hosts in the list.
3. From the Actions drop-down list, select Change Host Group. The Change Host Group dialog box appears.
4. Start to type the name of the group. This can be an existing group or a new group. As you type, the names of existing groups and the option to add a new group appear below the text box.
5. Select the group, or select the option to add the new group with the name you typed. The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.

To remove one or more Host Sensors from a Host Group:
1. Select the check box adjacent to one or more hosts in the list.
2. From the Actions drop-down list, select Change Host Group. The Change Host Group dialog box appears.
3. Select No Group. Each selected host is removed from the Host Group it was previously a member of.

For more information about the Hosts page, see Manage TDR Hosts and Host Sensors in Fireware Help.

Configure Host Sensor Settings for Host Groups

For each Host Group you can configure the Host Sensor settings to use for hosts in that group. In the Host Group configuration, you can override the global Host Sensor settings and specify different Host Sensor settings for the group.

To configure Host Sensor settings for a Host Group:

1. Select Configuration > Groups.
2. Click the icon adjacent to the group name.
3. Select the Host Sensor Configuration tab.
4. Click the Override Host Sensor settings for this group switch.
5. Configure the Host Sensor settings for the group.

WatchGuard provides recommended Host Sensor configuration settings for some types of hosts as a guideline. We recommend you test these settings with a small set of hosts first, to identify any issues. The best Host Sensor settings to use for your hosts might be different based on the installed OS and applications, physical or virtual hardware, and other aspects of your host environment.

Recommended Host Sensor Settings for Servers

To avoid conflicts with server software, we recommend that you disable Host Ransomware Prevention and do not enable driver configuration settings.

Host Sensor Settings:
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode: OFF
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: OFF
Host Sensor Driver Configuration Settings:
    All driver configuration settings: OFF

Recommended Host Sensor Settings for Windows 7

On some Windows 7 computers, particularly those with older hardware, the Host Sensor performs better without Host Sensor driver configuration settings enabled.

Host Sensor Settings:
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode: PREVENT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: OFF
Host Sensor Driver Configuration Settings:
    All driver configuration settings: OFF

Recommended Host Sensor Settings for Most Other Hosts

Host Sensor driver configuration settings control whether some Host Sensor actions occur in user space or kernel space. For the best Host Sensor performance on most hosts, we recommend that you enable and test Host Sensor driver configuration settings. These settings are not enabled by default in the global Host Sensor settings, to avoid problems with Host Sensors deployed on servers.

Host Sensor Settings:
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode: PREVENT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: OFF
Host Sensor Driver Configuration Settings:
    All driver configuration settings: ON

For more information about Host Sensor Settings, see Configure TDR Host Sensor Settings in Fireware Help.

Configure Policies for Host Groups

Each TDR account has default policies enabled by default. These policies enable Host Sensors to take automated remediation actions for different levels of threats based on the Cybercon level you set in your TDR account. The default TDR policies apply to the built-in All Hosts group and define automated actions that the Host Sensor can perform for all hosts.

For more granular control over automated actions, you can add policies for specific Host Groups or even specific hosts to change the actions Host Sensors can perform. For example, if you have a Servers group, and do not want the Host Sensors on servers in that group to make changes to the registry, you can add a policy for the Servers group that specifies that Host Sensors cannot perform the Delete Registry Value action. Or, if you do not want Host Sensors for a group to take any automated remediation action, add a policy for that group which specifies Host Sensors cannot perform the Quarantine File, Kill Process, or Delete Registry Value actions.

If you add a policy for a Host Group, make sure that policy has a higher priority in the policy list than other policies that apply to All Hosts.

For more information about policy configuration, see Configure TDR Policies in Fireware Help.

Recommended TDR Policies

To enable Host Sensors to automatically take action against high severity threats, you must configure TDR policies. Recommended policies are enabled in your TDR account by default. You can modify these policies or add new ones, based on the host groups and the requirements of your network.

For TDR accounts activated prior to 7 August 2017, the default TDR policies are configured, but are not enabled by default.

Default TDR Policies

Each TDR account has three default remediation policies. If you have enabled the APT Blocker feature, a default APT Blocker Policy is also enabled by default. The three default remediation policies allow Host Sensors to take remediation actions for indicators with different threat scores at Cybercon thresholds of 4, 3, and 2. With the default policies enabled, you can change the Cybercon level (from 3 to 2, for example) to immediately allow Host Sensors to take action on threats with a lower threat score. The default APT Blocker policy allows Host Sensors to send suspicious files that do not match a known threat to the sandbox for APT Blocker analysis.

WatchGuard Default APT Blocker Policy for Cybercon 4
    Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, and 1)
    Allow: the Sandbox File action
    Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 2
    Cybercon Threshold: 2 (applies to Cybercon 2 and 1)
    Threat Score Threshold: 7 (applies to Threat Scores 7 and higher)
    Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
    Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 3
    Cybercon Threshold: 3 (applies to Cybercon 3, 2, and 1)
    Threat Score Threshold: 8 (applies to Threat Scores 8 and higher)
    Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
    Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 4
    Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, and 1)
    Threat Score Threshold: 9 (applies to Threat Scores 9 and higher)
    Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
    Target: "All Hosts"

The default APT Blocker policy is available only if you enable the APT Blocker feature on the General Settings page. When APT Blocker is enabled, the four default TDR policies look like this:

[Screenshot: the four default TDR policies in the policy list]

With these default policies, all Host Sensors take these actions:
    When the Cybercon level is 4: Host Sensors automatically take remediation actions for indicators with a Threat Score of 9 or higher, and automatically upload suspicious files for analysis in a secure sandbox environment.
    When the Cybercon level is 3: Host Sensors automatically take remediation actions for indicators with a Threat Score of 8 or higher, and automatically upload suspicious files for analysis in a secure sandbox environment.
    When the Cybercon level is 2 or 1: Host Sensors automatically take remediation actions for indicators with a Threat Score of 7 or higher, and automatically upload suspicious files for analysis in a secure sandbox environment.

Set the Cybercon Level

When you use the default TDR policies you can set the Cybercon level so that the Host Sensors can take automated action to remediate threats based on the active policies at each Cybercon threshold. Note that the scale is inverted: a lower Cybercon level activates more policies and remediates at lower threat scores.

For most deployments, we recommend you set the Cybercon level to 3. For a more conservative stance, with less automated remediation, set the Cybercon level to 4. For a more aggressive stance, with more automated remediation, set the Cybercon level to 2.

For more information about Cybercon levels, see About TDR Cybercon Levels in Fireware Help.

Use Groups as Policy Targets

The default TDR policies are a good place to start for a new TDR account. But it is likely that you will want to configure different policies for different hosts on your network. To create different policies for different groups of hosts, you can specify groups as targets in your policies. You can synchronize groups from your Active Directory server, or you can define TDR groups based on host names or IP addresses.

Tip! To add hosts to a group, on the Hosts page select the hosts, then select the Change Host Group action. For more information about how to configure groups, see Manage TDR Groups in Fireware Help.

The default group All Hosts includes all hosts that have a Host Sensor installed. We recommend that you create separate groups for clients and servers so that you can create policies specific to these groups. For example, you could add these groups:

    All Clients: Includes all client computers with a Host Sensor installed; does not include servers
    All Servers: Includes all servers with a Host Sensor installed

With these groups, you can configure remediation policies to take automated action for clients at a different threat level than for servers. At the highest threat levels (lowest Cybercon threshold) you can use the All Hosts group so that policies apply to all hosts.

Example Policy Name                | Cybercon Threshold | Threat Score Threshold | Target (Group)           | Automated Actions
-----------------------------------|--------------------|------------------------|--------------------------|------------------------------------------------------
(no policy)                        | Cybercon 5         |                        |                          | None
C4 Threat 8 - Clients Only         | Cybercon 4         | 8                      | All Clients              | Kill Process, Quarantine Files, Delete Registry Value
C4 - Sandbox All                   | Cybercon 4         | N/A                    | All Hosts                | Sandbox File
C3 Threat 8 - Servers and Clients  | Cybercon 3         | 8                      | All Servers, All Clients | Kill Process, Quarantine Files, Delete Registry Value
C2 Threat 4 - All Hosts            | Cybercon 2         | 4                      | All Hosts                | Kill Process, Quarantine Files, Delete Registry Value
C1 - Threat 2 - All Hosts          | Cybercon 1         | 2                      | All Hosts                | Kill Process, Quarantine Files, Delete Registry Value
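The selection rules from the Default TDR Policies section and the example table above (a policy is active at its Cybercon threshold and every lower level, and applies to an indicator whose Threat Score meets the policy's threshold on a host in a target group), modelled as an added Python simulation. This is illustration code written for this guide, not WatchGuard code and not the TDR API; the host names and their group membership are constructed sample data.

```python
"""Simulation of how TDR Cybercon levels, Threat Score thresholds and host-group
targets select automated Host Sensor actions.

Added illustration for this guide only: not WatchGuard code and not the TDR
API. The policy definitions mirror the default policies and the example
table described above; host names and group membership are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Automated actions named in the guide.
KILL = "Kill Process"
QUARANTINE = "Quarantine File"
DELETE_REG = "Delete Registry Value"
SANDBOX = "Sandbox File"
REMEDIATION = frozenset({KILL, QUARANTINE, DELETE_REG})


@dataclass(frozen=True)
class Policy:
    name: str
    cybercon_threshold: int         # active at this Cybercon level and every lower (more severe) one
    score_threshold: Optional[int]  # None means N/A: the policy ignores the Threat Score
    targets: frozenset              # host groups the policy applies to
    actions: frozenset              # actions the policy allows Host Sensors to take

    def is_active(self, cybercon_level: int) -> bool:
        # "Cybercon Threshold: 3 (applies to Cybercon 3, 2, 1)": a lower level
        # number is a higher alert state, so the policy stays active as the
        # level is lowered, and no policy in this guide is active at Cybercon 5.
        return cybercon_level <= self.cybercon_threshold

    def matches(self, score: int, host_groups: set) -> bool:
        score_ok = self.score_threshold is None or score >= self.score_threshold
        return score_ok and bool(self.targets & host_groups)


# The four default policies (APT Blocker is assumed to be enabled).
DEFAULT_POLICIES = [
    Policy("WatchGuard Default APT Blocker Policy for Cybercon 4", 4, None,
           frozenset({"All Hosts"}), frozenset({SANDBOX})),
    Policy("WatchGuard Default Remediation Policy for Cybercon 4", 4, 9,
           frozenset({"All Hosts"}), REMEDIATION),
    Policy("WatchGuard Default Remediation Policy for Cybercon 3", 3, 8,
           frozenset({"All Hosts"}), REMEDIATION),
    Policy("WatchGuard Default Remediation Policy for Cybercon 2", 2, 7,
           frozenset({"All Hosts"}), REMEDIATION),
]

# The group-targeted example policies from the table above.
GROUP_POLICIES = [
    Policy("C4 Threat 8 - Clients Only", 4, 8, frozenset({"All Clients"}), REMEDIATION),
    Policy("C4 - Sandbox All", 4, None, frozenset({"All Hosts"}), frozenset({SANDBOX})),
    Policy("C3 Threat 8 - Servers and Clients", 3, 8,
           frozenset({"All Servers", "All Clients"}), REMEDIATION),
    Policy("C2 Threat 4 - All Hosts", 2, 4, frozenset({"All Hosts"}), REMEDIATION),
    Policy("C1 - Threat 2 - All Hosts", 1, 2, frozenset({"All Hosts"}), REMEDIATION),
]

# Constructed sample inventory: every sensor host belongs to "All Hosts" and
# has been placed in either the client group or the server group.
HOST_GROUPS = {
    "ws-finance-07": {"All Hosts", "All Clients"},
    "srv-file-01": {"All Hosts", "All Servers"},
}


def automated_actions(policies: Iterable[Policy], cybercon_level: int,
                      host: str, score: int) -> frozenset:
    """Union of the actions every active, matching policy allows for one indicator."""
    groups = HOST_GROUPS.get(host, {"All Hosts"})
    actions = set()
    for policy in policies:
        if policy.is_active(cybercon_level) and policy.matches(score, groups):
            actions |= policy.actions
    return frozenset(actions)


def active_policy_names(policies: Iterable[Policy], cybercon_level: int) -> list:
    """Names of the policies the current Cybercon level activates."""
    return [p.name for p in policies if p.is_active(cybercon_level)]


if __name__ == "__main__":
    # Walk the Cybercon level down for the same score-8 indicator on a client:
    # nothing at 5, sandbox only at 4, sandbox plus remediation from 3 down.
    for level in (5, 4, 3, 2, 1):
        acts = automated_actions(DEFAULT_POLICIES, level, "ws-finance-07", 8)
        print(f"Cybercon {level}: {sorted(acts) or 'no automated action'}")
```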

Policy Tips

As you configure additional policies, keep these tips in mind:

Use the Cybercon Threshold to activate policies quickly:
    With the default policies active, set the Cybercon level to 3.
    Configure no policies for Cybercon 5.
    Add policies for the higher severity (lower number) Cybercon levels.
        o You set the Cybercon Threshold for your policies.
        o You decide when to change the Cybercon level, based on the current activity and risks on your network, to activate the policies for each Cybercon Threshold.

Use groups for policy targets:
    Configure groups for hosts that have similar requirements; for example, create a group for servers.
    Create policies that target each group.

Next Steps

The TDR Deployment Guide describes the steps to set up your first Firebox and Host Sensor in your Threat Detection and Response account. To complete your installation, we recommend you complete these additional steps:

    Monitor Threat Detection and Response
    Set Up Active Directory Helper
    Configure Proxy Policies for TDR

These steps are summarized in the next three sections. For a more detailed description, see Fireware Help.

Monitor Threat Detection and Response

After you configure Threat Detection and Response, to monitor and manage network threats, log in as a user with Operator credentials:

    Select Dashboard to monitor indicators and incidents for your network
    Select ThreatSync > Indicators to see reported threat indicators and take recommended actions to respond to threat indicators on hosts
    Select Configuration > Policies to configure policies to automatically take action to respond to threats on hosts
    At the top of the left navigation bar, use the arrows to change the CYBERCON level to determine which policies are active
    Select Reports > Generate to create reports of threats and remediation actions

Set Up Active Directory Helper

If your network has an Active Directory server, you can install AD Helper to enable automated installation of Host Sensors on your network. You can install AD Helper on any Windows server or computer in your network domain.

You can also use AD Group Policy Objects (GPO) to deploy Host Sensors on your network. For more information, see TDR Host Sensor CLI and GPO Installation in Fireware Help.

Prerequisites:
    You must install Java 8 on the computer where you install AD Helper
    You must run the AD Helper MSI installer as an administrator

To install AD Helper:

1. From the computer where you want to install AD Helper, log in to your TDR account as a user with Operator credentials.
2. Select Devices > AD Helper. The AD Helper Configuration page appears.
3. Click Download to download the MSI installer file.
4. Copy the Account UUID from the AD Helper Configuration page. You use the Account UUID in the next procedure to configure AD Helper.
5. Run the downloaded file as an administrator.

Next, configure AD Helper to connect to your Active Directory domain controller and your TDR account. To configure AD Helper, you connect to a local web server on port

1. On the computer where you installed AD Helper, connect to the AD Helper web UI at
   Tip! If you use Internet Explorer, you must type
   The Active Directory Helper web UI appears.
2. In AD Helper, select Configuration > Properties.
3. In the Account UUID text box, paste your Account UUID. You can copy the Account UUID from the page where you downloaded the .msi installer.
4. The Cloud URL is automatically configured with the URL for your TDR account. If WatchGuard instructs you to change the URL, type or paste the Cloud URL provided by WatchGuard.
5. Click Save. The account properties are saved and the connection to your TDR account is tested automatically.
6. To test the connection to your TDR account again, click Test URL. The test result appears in a banner at the top of the page.
7. Select Configuration > Domains. The Domains page appears.
8. Click Add Domain.
9. To add the domain controller, click Add. The Add Server dialog box appears.
10. In the Domain Controller text box, type the name of your Active Directory domain controller.
11. In the Port text box, specify the port you use for connections to the domain controller. Port 389 is specified by default.
12. From the Protocol drop-down list, select the protocol to use for the connection to the domain controller.
13. Click Save. The domain controller is added to the list of servers.
14. In the Name text box, type the name of your Active Directory domain.
15. In the Fully Qualified Name text box, type the FQDN (fully qualified domain name) of your Active Directory domain.
16. In the Logon Domain text box, type the domain name that you must specify to log in to the Active Directory domain controller.
17. In the Username and Password text boxes, type the account credentials that AD Helper must use to log in to your Active Directory domain controller.
18. Click Save. AD Helper connects to your Active Directory domain controller and sends the list of hosts and domains to your TDR account.

Active Directory synchronization does not happen instantly. It can take up to two hours for AD Helper to fully synchronize all host, group, and domain information to your TDR account.

After you set up AD Helper, you can install Host Sensors on the hosts in your Active Directory domain from your TDR account.

1. Log in to the TDR web UI as a user with Operator credentials.
2. Select Devices > Hosts. A list of hosts on your network appears. The Install State column indicates whether a Host Sensor is installed.
3. To install a Host Sensor on one host, in the Install State column for that host, click the icon. The Install State changes to Pending Install. AD Helper receives a request to install the Host Sensor.
4. To install a Host Sensor on more than one host:
   a. Select the check box for each host on which to install a Host Sensor.
   b. From the Actions drop-down list, select Install Sensor.
   The Install State for the selected hosts changes to Pending Install. AD Helper receives a request to install the Host Sensor on the selected hosts.
5. To see the installation status for each host, review the Sensor Status column.

Configure Proxy Policies for TDR

For TDR to effectively correlate network events with Host Sensor events, we recommend that you enable proxy policies and services on the Firebox. Because the Firebox sends log messages about your network events to your TDR account, it is important to configure the Firebox to send a log message when it blocks, drops, or denies a connection.

When you enable Threat Detection and Response on your Firebox, we recommend that you configure policies to:
    Inspect network traffic, and do not allow traffic that is considered a threat
    Enable Gateway AV, IPS, APT Blocker, WebBlocker, and Reputation Enabled Defense
    Generate log messages for Deny, Drop, and Block actions

For the Firebox to inspect connections and take action when a threat is identified, you must configure proxy policies and services. When you configure the proxy actions, make sure to enable logging and specify that a log message is generated for any Deny, Block, or Drop action.

For example, to examine outbound HTTP, SMTP, and DNS connections, add these policies to your Firebox configuration:

HTTP-proxy
    Proxy action: HTTP-Client.Standard or Default-HTTP-Client
    Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
    Enable logging for any Deny, Block, or Drop action in the proxy action

HTTPS-proxy
    Proxy action: HTTPS-Client.Standard or Default-HTTPS-Client
    Enable Content Inspection, with the HTTP-Client.Standard or Default-HTTP-Client proxy action
    Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
    Enable logging for any Deny, Block, or Drop action in the proxy action

SMTP-proxy
    Proxy action: SMTP-Client.Standard
    Enable Gateway AV and APT Blocker in the proxy action
    Enable logging for any Deny, Block, or Drop action in the proxy action

If your Firebox allows incoming connections to servers or other resources on your network, make sure to configure a proxy policy to inspect the incoming traffic and enable services and logging for any Deny, Block, or Drop action in the proxy action.

TDR Account Types

There are two types of Threat Detection and Response (TDR) accounts, each with different privileges. Your account type depends on whether you are a WatchGuard partner.

Customer Account

If you are a WatchGuard customer, but not a WatchGuard partner, your TDR account is a Customer account. With your TDR account, you can manage and monitor all Fireboxes and Host Sensors deployed on your network.

Customer accounts can have these user roles: Administrator, Operator, Analyst, and Observer. In a TDR Customer account, the first user account has the Administrator and Operator user roles. All other users have the Operator role.

Service Provider Account

If you are a WatchGuard partner, your TDR account is a Service Provider account. With your TDR Service Provider account, you can manage and monitor Fireboxes and Host Sensors for all customer accounts that you manage. From your account, you can allocate TDR Host Sensor licenses to managed customer accounts.

Service Provider accounts can have these user roles: Administrator (SP) and Operator (SP). In a TDR Service Provider account, the first user has the Administrator (SP) and Operator (SP) user roles. All other users have the Operator (SP) role.

TDR User Roles and Permissions

In your Threat Detection and Response account, user roles determine what information a user can see, and what actions a user can complete. If a user account has more than one user role, the user has the privileges from all of the assigned roles. All configuration tasks must be performed by a user with the Administrator or Operator user role.

Administrator

A user assigned the Administrator role can manage user accounts and global Host Sensor settings. A user with the Administrator role has limited visibility into the status of the system, and cannot see the Dashboard or information about current incidents.

Administrators can:
    Manage user accounts and user roles
    Change their own user roles
    Change Host Sensor settings
    See the CYBERCON level
    See the status of Firebox and Host Sensor licenses
    Generate and schedule reports
    See the Audit Log

Operator

A user assigned the Operator role can complete most actions, but cannot manage user accounts or change global Host Sensor settings.

Operators can:
    Change the CYBERCON level
    See the Dashboard
    Take action on incidents and indicators
    Add policies and exclusions
    Generate and schedule reports
    Set up AD Helper, Host Sensors, and Fireboxes
    See information about hosts and network events
    See domain and group information
    Add signature overrides
    See the Audit Log

TDR Service Provider Accounts

If you are a WatchGuard Partner, your Threat Detection and Response account is automatically a Service Provider account. As a Service Provider, you create and manage separate TDR accounts for multiple customers. From your Service Provider account, you manage the Threat Detection and Response subscription service for multiple managed customer accounts, and for any subordinate Service Provider accounts.

For each managed customer account, a Service Provider can:
    Activate, allocate, and renew Host Sensor licenses
    Monitor deployed Fireboxes and Host Sensors
    Configure Threat Detection and Response policies
    Take threat remediation actions

The actions available to each user in a Service Provider account are based on the user role, as described in the next section.

Multi-Tier Management

Threat Detection and Response is a multi-tenant, multi-tier system. Each Service Provider account can manage many customer accounts. Each managed customer account has a separate UUID that uniquely identifies the account. The Service Provider deploys Host Sensors and Fireboxes, and manages policies, actions, and reports separately for each managed account. Data is not shared between managed accounts.

As a Service Provider, you create accounts for each of your customers in your TDR Service Provider account. After you create a managed customer account, you can assign Host Sensors to that account.

Service Provider User Roles

Service Provider accounts have two user roles: Administrator (SP) and Operator (SP). The first user who activates TDR for a Firebox in a WatchGuard Partner Portal account is assigned both user roles. Additional users in the same partner account who log in to TDR are assigned the Operator (SP) role.

Administrator (SP)

A user assigned the Administrator (SP) user role in a Service Provider account can create managed customer accounts for the Service Provider account, and can assign Host Sensor licenses to managed customer accounts. A user with the Administrator (SP) user role can also complete the same actions for a managed account as a user with the Administrator role.

Administrators can:
    Manage user account roles of other users in the Service Provider account
    Add managed customer accounts
    Assign Host Sensor licenses to managed accounts
    Configure the global Host Sensor settings in each managed account
    Manage all customer accounts with the same privileges as a user assigned the Administrator role

Operator (SP)

A user assigned the Operator (SP) role is the Operator for all accounts managed from the Service Provider account. The Operator can manage all managed customer accounts with the same privileges as a user assigned the Operator role.

More Information

Complete documentation for Threat Detection and Response is available in Fireware Help.


More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

Stonesoft Management Center. Release Notes Revision A

Stonesoft Management Center. Release Notes Revision A Stonesoft Management Center Release Notes 5.10.2 Revision A Table of contents 1 About this release...3 System requirements... 3 Build version...4 Compatibility... 5 2 New features...6 3 Enhancements...

More information

MOVE AntiVirus page-level reference

MOVE AntiVirus page-level reference McAfee MOVE AntiVirus 4.7.0 Interface Reference Guide (McAfee epolicy Orchestrator) MOVE AntiVirus page-level reference General page (Configuration tab) Allows you to configure your McAfee epo details,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information

Quick Start Guide. WatchGuard XCS Platform Appliance Models: 170, 370, 570, 770, and 770R. Guide de démarrage rapide Kurzanleitung Guida introduttiva

Quick Start Guide. WatchGuard XCS Platform Appliance Models: 170, 370, 570, 770, and 770R. Guide de démarrage rapide Kurzanleitung Guida introduttiva WatchGuard XCS Platform Appliance Models: 170, 370, 570, 770, and 770R Quick Start Guide Guide de démarrage rapide Kurzanleitung Guida introduttiva Guía Rápida WatchGuard Technologies, Inc. XCS_170_370_570_770_770R_QSG_FINAL_0110110.indd

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Update 2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 452330 Revision Date 11 November 2014 Introduction WatchGuard is pleased to announce the release of

More information

TDR and Panda Fusion. Integration Guide

TDR and Panda Fusion. Integration Guide TDR and Panda Fusin Integratin Guide i WatchGuard Technlgies, Inc. TDR and Panda Deplyment Overview Threat Detectin and Respnse (TDR) is a cllectin f advanced malware defense tls that crrelate threat indicatrs

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.3 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.3.9 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Enhancing VMware Horizon View with F5 Solutions

Enhancing VMware Horizon View with F5 Solutions Enhancing VMware Horizon View with F5 Solutions VMware Horizon View is the leading virtualization solution for delivering desktops as a managed service to a wide range of devices. F5 BIG-IP devices optimize

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Veriato Recon / 360. Version 9.0.3

Veriato Recon / 360. Version 9.0.3 Veriato Recon / 360 Version 9.0.3 1/3/2018 Upgrade Guide January 3, 2018 Table of Contents Before You Begin... 1 What's New... 1 How the System Works... 1 Upgrade Support... 6 Update Antivirus Exclusions...

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

McAfee Cloud Workload Security Product Guide

McAfee Cloud Workload Security Product Guide Revision B McAfee Cloud Workload Security 5.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

Dell SonicWALL Capture Advanced Threat Protection Beta Feature Guide

Dell SonicWALL Capture Advanced Threat Protection Beta Feature Guide Dell SonicWALL Capture Advanced Threat Protection Beta Feature Guide June 2016 Topics: Purpose Supported platforms Overview Licensing Capture ATP Configuring Capture ATP About Dell Purpose This feature

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Tenable Network Security Support Portal. November 9, 2010 (Revision 8)

Tenable Network Security Support Portal. November 9, 2010 (Revision 8) Tenable Network Security Support Portal November 9, 2010 (Revision 8) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 OBTAINING ACCESS TO THE TENABLE SUPPORT PORTAL... 3 MANAGING YOUR NESSUS

More information

Mobile Network Access Control Extending corporate security policies to mobile devices

Mobile Network Access Control Extending corporate security policies to mobile devices Mobile Network Access Control Extending corporate security policies to mobile devices WHITE PAPER NetMotion Wireless 701 N 34th Street, Suite 250 Seattle, WA 98103 206.691.5555 www.netmotionwireless.com

More information

Comodo Dome Shield - Admin Guide

Comodo Dome Shield - Admin Guide rat Comodo Dome Shield Software Version 1.12 Administrator Guide Guide Version 1.12.111717 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome

More information

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Windows VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

App Gateway Deployment Guide

App Gateway Deployment Guide C E N T R I F Y D E P L O Y M E N T G U I D E App Gateway Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical

More information

Installation on Windows Server 2008

Installation on Windows Server 2008 USER GUIDE MADCAP PULSE 4 Installation on Windows Server 2008 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described

More information

FIREWALL BEST PRACTICES TO BLOCK

FIREWALL BEST PRACTICES TO BLOCK Brought to you by Enterprie Control Systems FIREWALL BEST PRACTICES TO BLOCK Recent ransomware attacks like Wanna and Petya have spread largely unchecked through corporate networks in recent months, extorting

More information

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5 USER GUIDE CTERA Agent for Windows June 2016 Version 5.5 Copyright 2009-2016 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

Workspace ONE UEM  Notification Service 2. VMware Workspace ONE UEM 1811 Workspace ONE UEM Email Notification Service 2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Endpoint Security Manager

Endpoint Security Manager Comodo Endpoint Security Manager Software Version 1.6 CIS Configuration Editor Version 1.6.010511 Comodo Security Solutions 1255 Broad Street STE 100 Clifton, NJ 07013 Table of Contents 1.Introduction

More information

Privileged Identity App Launcher and Session Recording

Privileged Identity App Launcher and Session Recording Privileged Identity App Launcher and Session Recording 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

VMware Content Gateway to Unified Access Gateway Migration Guide

VMware Content Gateway to Unified Access Gateway Migration Guide VMware Content Gateway to Unified Access Gateway Migration Guide Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

CounterACT Afaria MDM Plugin

CounterACT Afaria MDM Plugin Version 1.7.0 and Above Table of Contents About Afaria MDM Service Integration... 4 About This Plugin... 4 How It Works... 5 Continuous Query Refresh... 5 Offsite Device Management... 6 Supported Devices...

More information

Revised: 22 November Integration Guide

Revised: 22 November Integration Guide Revised: 22 November 2016 Integration Guide About This Guide Guide Type Documented Integration WatchGuard or a Technology Partner has provided documentation demonstrating integration Guide Details WatchGuard

More information

Comodo Endpoint Security Manager Professional Edition Software Version 3.3

Comodo Endpoint Security Manager Professional Edition Software Version 3.3 Comodo Endpoint Security Manager Professional Edition Software Version 3.3 Quick Start Guide Guide Version 3.2.022615 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo Endpoint Security

More information

EMC SourceOne Management Pack for Microsoft System Center Operations Manager

EMC SourceOne Management Pack for Microsoft System Center Operations Manager EMC SourceOne Management Pack for Microsoft System Center Operations Manager Version 7.2 Installation and User Guide 302-000-955 REV 01 Copyright 2005-2015. All rights reserved. Published in USA. Published

More information

WatchGuard Cloud Release Notes

WatchGuard Cloud Release Notes WatchGuard Cloud Release Notes Latest WatchGuard Cloud Update: 15 November 2018 Release Notes Revision Date 15 November 2018 Introduction WatchGuard Cloud allows you to see and manage all your products

More information

Integration Guide. Eduroam

Integration Guide. Eduroam Integration Guide Eduroam Revised: 16 August 2017 About This Guide Guide Type Documented Integration WatchGuard or a Technology Partner has provided documentation demonstrating integration Guide Details

More information