Network Access Enforcement provides an extra layer of security when user computers connect to the corporate network either remotely using a VPN connection or locally using a Wi-Fi connection.
A user computer trying to connect to a corporate network using a VPN or a Wi-Fi connection must meet a series of requirements for the connection to be allowed. If it does not meet those requirements, the connection is rejected.
The agent installed on the computer collects and sends the information required by the device that performs the necessary checks: the Firebox for VPN connections and the Access Point for Wi-Fi connections.
The device (Firebox or Access Point) uses a UUID and an authentication key to validate VPN and Wi-Fi connections. Therefore, you must configure the same UUID and authentication key pair on the device and on the Adaptive Defense 360 console.
If you have not configured a UUID on the device, you must generate a new one. UUID is an open format, so you can use free tools such as https://www.uuidgenerator.net/ to generate one.
NOTE: Use a long authentication key (password) that includes upper case letters, numbers, and special characters.
For more information about the Firebox and its VPN connection settings, see https://www.watchguard.com/help/docs/help-center/es-xl/Content/en-US/Fireware/services/tdr/tdr_host_sensor_enforcement_configure.html
For a user computer to connect to a corporate network, it must meet these requirements:
- Have the protection installed and active.
- Have a valid account UUID and authentication key configured on the device that validates the connection and on the Adaptive Defense 360 console.
- Operating system: Windows 8.1 or higher and macOS High Sierra 10.13 or higher.
- Ports: For the security protection for VPN connections to work properly, the agent installed on the computer requires port 33000 for its communication with the Firebox.
- Activated and running advanced hardening or lock mode protection.
- Alternatively, activated and running antivirus protection is also considered valid.
Network Access Enforcement is not supported on Linux systems.
When the computer tries to connect to the corporate network, the device that validates the connection takes these actions:
- Requests information about the status of the protection installed on the computer.
- Checks that the account UUID and authentication key are valid. Both are available in the configuration of the Firebox that is used to connect to the VPN.
- Verifies the computer's operating system against the operating systems defined in the device settings.
By default, all computers are forced to comply with the security requirements for connecting to the corporate network.
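As an added illustration (not code from this page or from WatchGuard), the following Python script models the two parts of the process described above: generating a UUID and a long authentication key of the kind the note recommends, and the checks the validating device applies to the information the agent sends (protection status, UUID and key match, supported operating system, hardening/lock mode or antivirus running). The AgentReport schema, its field names, the version tuples and the reason strings are assumptions made for this example; the real agent-to-device exchange is not documented on the page.

```python
import hmac
import secrets
import uuid
from dataclasses import dataclass

# Minimum OS versions named on the page: Windows 8.1 (NT 6.3) and macOS High Sierra 10.13.
# Linux is absent on purpose: the page states it is not supported.
MIN_OS_VERSION = {"windows": (6, 3), "macos": (10, 13)}


def generate_credentials():
    """Return a fresh (UUID, authentication key) pair.

    The UUID is a random RFC 4122 version 4 value, the same format the online
    generator mentioned in the text produces. The key is 32 random bytes in
    URL-safe base64, so it is long and drawn from upper case, lower case,
    digits and the '-' / '_' special characters.
    """
    return str(uuid.uuid4()), secrets.token_urlsafe(32)


@dataclass
class AgentReport:
    """Status the agent sends about its host (constructed, hypothetical schema)."""
    account_uuid: str
    auth_key: str
    os_family: str          # "windows", "macos" or "linux"
    os_version: tuple       # e.g. (10, 0) for Windows 10, (10, 13) for High Sierra
    protection_installed: bool
    protection_active: bool
    hardening_or_lock_mode: bool
    antivirus_active: bool


def evaluate_connection(device_uuid, device_key, report):
    """Model of the checks the validating device performs (illustration only).

    Returns (allowed, reasons); reasons lists every failed requirement so an
    administrator can see why a connection was rejected, not only that it was.
    """
    reasons = []

    # 1. Protection must be installed and active.
    if not (report.protection_installed and report.protection_active):
        reasons.append("protection not installed or not active")

    # 2. UUID and key must match what the device holds. The key is compared in
    #    constant time so a mismatch does not reveal how many bytes matched.
    if report.account_uuid != device_uuid:
        reasons.append("account UUID mismatch")
    if not hmac.compare_digest(report.auth_key.encode(), device_key.encode()):
        reasons.append("authentication key mismatch")

    # 3. Operating system must be supported and at or above the minimum version.
    minimum = MIN_OS_VERSION.get(report.os_family)
    if minimum is None:
        reasons.append(f"unsupported operating system: {report.os_family}")
    elif report.os_version < minimum:
        reasons.append(f"{report.os_family} {report.os_version} is below minimum {minimum}")

    # 4. Advanced hardening / lock mode, or alternatively antivirus, must be running.
    if not (report.hardening_or_lock_mode or report.antivirus_active):
        reasons.append("neither hardening/lock mode nor antivirus protection is running")

    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    dev_uuid, dev_key = generate_credentials()
    # Constructed sample reports: a compliant Windows 10 host and a Linux host.
    win_host = AgentReport(dev_uuid, dev_key, "windows", (10, 0), True, True, True, False)
    print(evaluate_connection(dev_uuid, dev_key, win_host))
    linux_host = AgentReport(dev_uuid, dev_key, "linux", (5, 15), True, True, True, True)
    print(evaluate_connection(dev_uuid, dev_key, linux_host))
```

The same pair returned by generate_credentials would be entered on the device and on the console, as the text requires; the evaluation function shows why keeping them identical in both places matters, since either a UUID or a key mismatch is enough on its own to reject the connection.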
Accessing Network Access Enforcement settings
To turn on Network Access Enforcement, follow these steps:
- Click Network Services in the side menu.
- In the top tab menu, select the Network Access Enforcement tab.
- To enable the protection, click the toggle.
- Enter the UUID of the account and the authentication key.
- Click the Save Changes button.
Until the release of Fireware v12.9, you configure secure VPN for the Firebox with the TDR host sensor enforcement settings in Fireware Web UI or Policy Manager.
For information on how to configure host sensor enforcement on the Firebox, see Configure TDR Host Sensor Enforcement in Help Center.