Cloud Edge WFBSS Endpoint Protection integrates with WFBSS to provide a means for enforcing compliance. During the compliance check for endpoints, Cloud Edge determines if an endpoint has an out-of-date WFBSS Security Agent pattern or if it has no WFBSS Security Agent installed.
Additionally, Cloud Edge can provide network access control for out-of-compliance endpoints.
Enabling the WFBSS Endpoint Protection
- Access the Cloud Edge Cloud Console and go to Gateways.
- Select a Gateway and click WFBSS Endpoint Protection.
- Turn On the feature, which is disabled by default.
- Specify the preferred action (either Block or Detect) for the following conditions:
  - Endpoint does not have the WFBSS Security Agent installed
  - Endpoint has WFBSS Security Agent installed but pattern is out-of-date
- Click Apply to save the changes.
- Specify which endpoints to include in the Protection and Exception Lists. Note that endpoints are not automatically checked for compliance.
There are three (3) lists under the WFBSS Endpoint Protection feature:
- Client List shows all endpoints detected by the Cloud Edge appliance over the last 24 hours.
- Protection List shows the endpoints under compliance protection.
- Exception List shows the endpoints on which the compliance action is not enforced.
Sample Scenario
You can set this feature to block all traffic from endpoints without agents. Add the entire IP pool of your network to the Protection List (e.g. 10.0.0.0/24), and then manually add to the Exception List the IP/MAC addresses of the devices on which you cannot install the Worry-Free Services Agent (e.g. printers, Linux machines, IoT devices).
This way, traffic from unknown devices on your network will be blocked by the Cloud Edge box, since they do not have a Security Agent installed.
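Before switching the action to Block, it helps to preview which devices in the pool would be affected. The following is an added example, not Trend Micro code: it models the list behaviour described above over a constructed inventory, and it assumes (inferred from this scenario) that an Exception List entry takes precedence over a Protection List range. The function names, result labels and inventory format are hypothetical.

```python
import ipaddress

def matches(ip, mac, entries):
    """True if the endpoint's IP or MAC is covered by any list entry."""
    for entry in entries:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an IP or CIDR, so compare it as a MAC address
            if entry.lower() == mac:
                return True
    return False

def evaluate(endpoint, protection, exceptions, actions):
    """Return 'exempt', 'unchecked', 'compliant', 'block' or 'detect'."""
    ip = ipaddress.ip_address(endpoint["ip"])
    mac = endpoint["mac"].lower()
    if matches(ip, mac, exceptions):      # assumption: exceptions win
        return "exempt"
    if not matches(ip, mac, protection):  # not listed, so never checked
        return "unchecked"
    if endpoint["agent"] == "current":
        return "compliant"
    condition = "no_agent" if endpoint["agent"] is None else "outdated_pattern"
    return actions[condition]

def plan(inventory, protection, exceptions, actions):
    """Map each endpoint name to the outcome it would get."""
    return {e["name"]: evaluate(e, protection, exceptions, actions)
            for e in inventory}

# Constructed sample data. "agent" is None (no agent), "current" or "outdated".
INVENTORY = [
    {"name": "ws-01", "ip": "10.0.0.10", "mac": "00:11:22:33:44:01", "agent": "current"},
    {"name": "ws-02", "ip": "10.0.0.11", "mac": "00:11:22:33:44:02", "agent": "outdated"},
    {"name": "printer-1", "ip": "10.0.0.50", "mac": "00:11:22:33:44:50", "agent": None},
    {"name": "cam-1", "ip": "10.0.0.60", "mac": "00:11:22:33:44:60", "agent": None},
    {"name": "unknown-1", "ip": "10.0.0.99", "mac": "00:11:22:33:44:99", "agent": None},
    {"name": "guest-1", "ip": "10.0.1.5", "mac": "00:11:22:33:44:a5", "agent": None},
]
PROTECTION = ["10.0.0.0/24"]
EXCEPTIONS = ["10.0.0.50", "00:11:22:33:44:60"]  # one by IP, one by MAC
ACTIONS = {"no_agent": "block", "outdated_pattern": "detect"}

if __name__ == "__main__":
    for name, result in plan(INVENTORY, PROTECTION, EXCEPTIONS, ACTIONS).items():
        print(f"{name:10} {result}")
```

Any device reported as "block" that is not expected to run an agent belongs on the Exception List, and any device reported as "unchecked" falls outside the Protection List and is not being evaluated at all.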
Verification
To verify the settings, access the Internet from a machine that meets one of the conditions listed above. The possible results, depending on the action selected, are:
- Block. If an endpoint is blocked by the WFBSS Endpoint Protection function, the client browser should be redirected to the WFBSS Endpoint Protection Violation notification page.
- Detect. This action allows access to the Internet, but the access is logged on the WFBSS Endpoint Protection Troubleshooting page along with the reason the endpoint is out-of-compliance.