Configuring Network Access Control (WFBSS Endpoint Protection)

    • Updated: 13 Mar 2020
    • Product/Version: Cloud Edge 5.5
    • Platform: Macintosh (Mac), Windows

Cloud Edge WFBSS Endpoint Protection integrates with WFBSS to provide a means for enforcing compliance. During the compliance check for endpoints, Cloud Edge determines if an endpoint has an out-of-date WFBSS Security Agent pattern or if it has no WFBSS Security Agent installed.

Additionally, Cloud Edge can provide network access control for out-of-compliance endpoints.


Enabling the WFBSS Endpoint Protection

  1. Access the Cloud Edge Cloud Console and go to Gateways.
  2. Select a Gateway and click WFBSS Endpoint Protection.
  3. Turn On the feature, which is disabled by default.
  4. Specify the preferred action (either Block or Detect) for the following conditions:
    • Endpoint does not have the WFBSS Security Agent installed
    • Endpoint has WFBSS Security Agent installed but pattern is out-of-date

    Enable WFBSS Endpoint Protection

  5. Click Apply to save the changes.
  6. Specify which endpoints to include in the Protection and Exception Lists. Note that endpoints are not automatically checked for compliance; only endpoints on the Protection List are under compliance protection.

    There are three (3) lists under the WFBSS Endpoint Protection feature:

    • Client List shows all endpoints detected by Cloud Edge appliance over the last 24 hours.
    • Protection List shows the endpoints under compliance protection.
    • Exception List shows the endpoints on which the compliance action is not enforced.
    Do either of the following to configure the list:
    • Under Client List, choose the endpoint and click the Protection List or Exception List.

      Configure Client List

    • Under Protection List or Exception List, click the Add button and specify the IP address/CIDR or MAC Address (256 maximum entries).

      Protection List

Sample Scenario

You can set this feature to block all traffic from endpoints without agents. Simply add the entire IP pool of your network under the Protection List (e.g., and then manually add the IP/MAC address of the devices on which you cannot install the Worry-Free Services Agent under the Exception List (e.g., printers, Linux, IoT devices).

This way, traffic from unknown devices on your network will be blocked by the Cloud Edge box since they do not have any Security Agents installed.

Block unknown devices
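A pre-flight check for the lists in this scenario, as an added example rather than Trend Micro code: it classifies an inventory against planned Protection and Exception List entries so that uncovered devices and the 256-entry limit are caught before the entries are typed into the console. It assumes an Exception List match takes precedence over a Protection List match (as the scenario implies) and that MAC addresses are six hex pairs separated by colons or hyphens; all addresses and device names are constructed.

```python
import ipaddress
import re

MAX_ENTRIES = 256  # per-list limit stated in the article
# Assumption: MACs are six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def norm_mac(mac):
    return mac.strip().lower().replace("-", ":")

def parse_entry(text):
    """Return ('mac', str) or ('net', ip_network); ValueError if neither."""
    if MAC_RE.match(text.strip()):
        return ("mac", norm_mac(text))
    return ("net", ipaddress.ip_network(text.strip(), strict=False))

def matches(entries, ip, mac):
    addr = ipaddress.ip_address(ip)
    return any((kind == "mac" and value == norm_mac(mac)) or
               (kind == "net" and addr in value) for kind, value in entries)

def plan(protection, exception, inventory):
    """Map each device name to 'exception', 'protected' or 'unchecked'."""
    for label, lst in (("Protection", protection), ("Exception", exception)):
        if len(lst) > MAX_ENTRIES:
            raise ValueError(f"{label} List: {len(lst)} entries exceeds {MAX_ENTRIES}")
    prot = [parse_entry(e) for e in protection]
    exc = [parse_entry(e) for e in exception]
    result = {}
    for name, ip, mac in inventory:
        if matches(exc, ip, mac):        # assumed: exception wins over protection
            result[name] = "exception"
        elif matches(prot, ip, mac):
            result[name] = "protected"
        else:                            # on neither list: not compliance-checked
            result[name] = "unchecked"
    return result

# Constructed sample data (documentation address ranges, made-up MACs).
PROTECTION = ["192.0.2.0/24"]
EXCEPTION = ["02-00-00-00-00-50", "192.0.2.60"]
INVENTORY = [
    ("laptop-01", "192.0.2.10", "02:00:00:00:00:10"),
    ("printer-01", "192.0.2.50", "02:00:00:00:00:50"),
    ("iot-cam-01", "192.0.2.60", "02:00:00:00:00:60"),
    ("guest-01", "198.51.100.7", "02:00:00:00:00:77"),
]

if __name__ == "__main__":
    for device, status in plan(PROTECTION, EXCEPTION, INVENTORY).items():
        print(f"{device:12} {status}")
```

Devices reported as unchecked sit outside every Protection List range, and devices reported as exception bypass the compliance action, so both groups are worth reviewing before applying the lists.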


To verify the settings, access the Internet using a machine that satisfies one of the criteria mentioned above. Below are the possible results based on the action selected.

  • Block. If an endpoint is blocked by the WFBSS Endpoint Protection function, the client browser should be redirected to the WFBSS Endpoint Protection Violation notification page.

    WFBSS Endpoint Protection Violation

  • Detect. This action will allow access to the Internet, but the access is logged in the WFBSS Endpoint Protection Troubleshooting page along with the reason that the endpoint is out-of-compliance.

    WFBSS Endpoint Protection Troubleshooting
