Network Access Enforcement
Network Access Enforcement provides an extra layer of security when a user device (desktop, server, laptop, or mobile device) connects to your corporate network either remotely using a VPN connection or locally using a Wi-Fi connection.
The user device that tries to connect to the corporate network using a VPN or a Wi-Fi connection must meet a series of security requirements for the connection to be allowed. If it does not meet those requirements, the connection is rejected.
The Cytomic agent installed on the user device collects and sends the information that the Firebox or access point requires to verify that the device meets the necessary requirements.
Random UUID and authentication key generation
A UUID (Universal Unique Identifier) is a character string used to uniquely identify a device.
The device (Firebox or access point) uses the UUID and authentication key to validate VPN and Wi-Fi connections. Therefore, you must configure the same UUID and authentication key pair on the device and in the Advanced EDR console.
If you have not configured a UUID on the device, you must generate a new one. UUID is an open format, so you can generate one with free tools such as https://www.uuidgenerator.net/
For the authentication key, use a long password that includes uppercase, numeric, and special characters.
For more information about the Firebox and its VPN connection settings, see https://www.watchguard.com/help/docs/help-center/es-xl/Content/en-US/Fireware/services/tdr/tdr_host_sensor_enforcement_configure.html
Requirements
For a user device to connect to the corporate network, it must meet these security requirements:
- It must have the security software installed, running, and correctly configured.
- You must have a valid UUID and authentication key configured on the device that validates the connection and in the Advanced EDR console.
- Operating system installed on the user device:
  - Windows 8.1 or higher.
  - macOS High Sierra 10.13 or higher.
  - Android 6 or higher.
    With Android, unlike Windows or macOS, the Firebox console user cannot select the operating system version. On devices that run Android 6.0 or higher, Network Access Enforcement is enabled after they receive the relevant settings from the Cytomic servers.
- Open ports on the user device: The Cytomic agent requires that TCP port 33000 be open to communicate with the device that validates the connection.
- Security software settings: Advanced EDR advanced protection enabled and running in Hardening or Lock mode, or antivirus enabled and running.
Network Access Enforcement does not support Linux devices.
Requirements verification
When a user device tries to connect to the corporate network, the device that validates the connection performs these actions:
- Requests information about the status of the protection installed on the user device.
- Verifies that the account UUID and the authentication key are valid.
- Verifies the user device operating system against the operating systems defined in its settings.
If all requirements are met, the user device is allowed to access the corporate network. Otherwise, the connection is rejected.
By default, all devices are forced to comply with the security requirements for connecting to the corporate network.
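Added example (not Cytomic or WatchGuard code): a Python helper that generates a UUID and authentication key pair meeting the guidance above, validates both, and applies the checks listed under Requirements verification to a device status record. The `status` dictionary fields, the platform labels in the minimum-version table and the `evaluate_device` function are assumptions for illustration; the real agent-to-Firebox exchange over TCP port 33000 is not reproduced.

```python
import hmac
import secrets
import string
import uuid

# Minimum OS versions from the Requirements list (platform names are assumed labels).
MIN_OS_VERSION = {"windows": (8, 1), "macos": (10, 13), "android": (6,)}
ALLOWED_PROTECTION_MODES = {"Hardening", "Lock"}

def is_strong_key(key):
    """Page guidance: long, with uppercase, numeric and special characters."""
    return (len(key) >= 16 and any(c.isupper() for c in key)
            and any(c.isdigit() for c in key) and any(not c.isalnum() for c in key))

def generate_credentials(key_length=32):
    """Return a random (UUID, authentication key) pair to configure on both sides."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:  # secrets gives CSPRNG output; retry until the policy is met
        key = "".join(secrets.choice(alphabet) for _ in range(key_length))
        if is_strong_key(key):
            return str(uuid.uuid4()), key

def is_valid_uuid(value):
    """True only for the canonical hyphenated UUID form (e.g. from uuidgenerator.net)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def version_tuple(text):
    return tuple(int(part) for part in text.split("."))

def evaluate_device(status, expected_uuid, expected_key):
    """Apply the checks under Requirements verification; return (allowed, reasons)."""
    reasons = []
    # Constant-time comparison so the credential check does not leak via timing.
    if not (hmac.compare_digest(status["uuid"], expected_uuid)
            and hmac.compare_digest(status["auth_key"], expected_key)):
        reasons.append("UUID or authentication key does not match")
    minimum = MIN_OS_VERSION.get(status["os"])
    if minimum is None:
        reasons.append("unsupported operating system (e.g. Linux)")
    elif version_tuple(status["os_version"]) < minimum:
        reasons.append("operating system below the minimum version")
    mode_ok = status.get("protection_mode") in ALLOWED_PROTECTION_MODES
    if not (status.get("agent_running") and (mode_ok or status.get("antivirus_running"))):
        reasons.append("security software not installed, running or correctly configured")
    return not reasons, reasons
```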
Accessing the Network Access Enforcement settings
- From the side menu, select Network services.
- Select the Network Access Enforcement tab.
- To enable the protection, click the toggle.
- Enter the account UUID and the authentication key.
- Click Save changes.