TDR FAQs/Common Issues and Resolutions

John_Norton WatchGuard Representative

No "Manage TDR" option under the "My WatchGuard" menu in the Support Portal.

Verify there is a device with a valid TDR subscription on the account.

Ensure that the TDR region has been selected as described in:
http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA22A000000HPxBSAW&lang=en_US

User receives a "Threat Detection and Response does not have your account information" error message after browsing to the TDR portal.

Verify there is a device with a valid TDR subscription on the account.

Ensure that the TDR region has been selected as described in:
http://watchguardsupport.force.com/publicKB?type=KBArticle&SFDCID=kA22A000000HPxBSAW&lang=en_US

Ensure that the user is going to the TDR portal via the My WatchGuard > Manage TDR menu item in the Support Portal.

Firebox does not show up in the TDR portal.

Verify that the TDR line item in the feature key on the device includes the region code.

For the America region, the line item should look like:
Feature: TDR@Nov-11-2018;AMER

For the Europe region, the line item should look like:
Feature: TDR@Nov-11-2018;EUR

Devices with a TDR line item in the feature key like the following need the feature key updated:
Feature: TDR@Nov-11-2018

Ensure that the Firebox is able to resolve the FQDN for the TDR log aggregator:
NA Region: tdr-fbla-na.watchguard.com
EU Region: tdr-fbla-eu.watchguard.com

Ensure that nothing upstream of the Firebox is blocking or dropping traffic going over TCP port 4115.

Host PC does not show up in the TDR portal.

Verify whether there is any HTTPS content inspection occurring between the client PCs and the TDR cloud (including content inspection on an HTTPS proxy on the Firebox). HTTPS content inspection will break the communication between the host sensor and the cloud as the host sensor uses certificates for authentication. On a Firebox, create an HTTPS packet filter with the appropriate FQDN from below in the To field of the policy:
tdr-hsc-na.watchguard.com
tdr-hsc-eu.watchguard.com

Ensure clients are able to resolve the FQDNs listed above.

Verify whether the :443 portion was included in the Controller Address field during the host sensor installation. Excluding this will allow the host sensor installation to complete but will prevent it from connecting to the cloud. Uninstalling and re-installing the host sensor is currently the only way to correct this.

Verify that the correct Account UUID was entered in the Account ID field during the host sensor installation. An incorrect account UUID will allow installation to continue but will prevent the host sensor from reporting to the customer's instance. Uninstalling and re-installing the host sensor is currently the only way to correct this.

Ensure there are no other software or hardware firewalls preventing outbound connections to the TDR cloud.

TDR portal shows wrong TDR expiration date or a licensed Firebox is missing from the Licenses section.

Verify that the TDR license for the device is valid in Salesforce.

If the TDR license is valid in Salesforce, create a Customer Care case with the serial number of the missing or incorrect device requesting the device be synchronized to the TDR cloud.

If the issue affects multiple devices on the account, create a Customer Care case under the affected account and request that the entire account be synchronized to the TDR cloud.

Host sensor/PC/application crashes/locks up OR PC has high CPU/memory usage when host sensor is installed.

Ensure the following articles have been followed:
http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/services/tdr/tdr_and_desktop_av_c.html
http://watchguardsupport.force.com/publicKB?type=KBKnownIssues&SFDCID=kA42A000000HAZ7SAO

Ensure that the PC is running the most current version of the host sensor.

If no settings under Host Sensor Driver Configuration Setting in the Settings > Host Sensor section (or under any configured groups under Configuration > Groups) in the TDR cloud are enabled:
Turn "Enable Kernel Process Events" on
Turn "Enable Kernel File Events" on

AD helper is unable to connect to the cloud.

Ensure the AD helper host is able to resolve the FQDN for the appropriate region.
NA Region: tdr-adhh-na.watchguard.com
EU Region: tdr-adhh-eu.watchguard.com

Verify whether there is any HTTPS content inspection occurring between the AD helper host and the TDR cloud (including content inspection on an HTTPS proxy on the Firebox). HTTPS content inspection will break the communication between the AD helper and the cloud.

AD helper returns a "Communication error connecting to server" message.

Ensure that the domain controller configuration in the AD helper settings uses the IP addresses of the domain controllers instead of the hostname or FQDN of the servers.

Ensure that the port specified in domain controller configuration is either 389 or 636. If port 636 is specified, verify that the domain controller is configured to accept LDAPS connections.
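Several of the checks above concern values that install without complaint and only fail afterwards (a feature key line without a region code, a Controller Address without :443, a domain controller entered by name). The following pre-flight checker is an added example, not WatchGuard code. It assumes the Controller Address is entered as `<FQDN>:443` and that the feature key is available as plain text; the function names are hypothetical.

```python
import ipaddress
import re
import socket

# Region codes, FQDNs and ports are the ones listed in the FAQ above.
REGIONS = {"AMER", "EUR"}
HOST_SENSOR_FQDNS = {"tdr-hsc-na.watchguard.com", "tdr-hsc-eu.watchguard.com"}
LDAP_PORTS = {389, 636}
# Line layout as shown in the FAQ: "Feature: TDR@<expiry>[;<region>]"
FEATURE_RE = re.compile(r"^Feature:\s*TDR@(?P<expiry>[^;\s]+)(?:;(?P<region>\S+))?\s*$")

def check_feature_key(text):
    """Return (ok, message) for the TDR line item in feature key text."""
    for line in text.splitlines():
        m = FEATURE_RE.match(line.strip())
        if not m:
            continue
        if m.group("region") is None:
            return False, "TDR line has no region code; update the feature key"
        if m.group("region") not in REGIONS:
            return False, f"unexpected region code {m.group('region')!r}"
        return True, f"TDR expires {m.group('expiry')}, region {m.group('region')}"
    return False, "no TDR line item found"

def check_controller_address(value):
    """Assumed format: <host sensor FQDN>:443 (the :443 part is mandatory)."""
    host, sep, port = value.strip().rpartition(":")
    if not sep or port != "443":
        return False, "missing :443; fixing it requires a reinstall"
    if host.lower() not in HOST_SENSOR_FQDNS:
        return False, f"unknown controller host {host!r}"
    return True, "ok"

def check_domain_controller(address, port):
    """AD helper DC entries must be IP addresses on port 389 or 636."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return False, "use the domain controller's IP address, not a name"
    if port not in LDAP_PORTS:
        return False, "port must be 389 or 636"
    return True, "ok; LDAPS must be enabled on the DC" if port == 636 else "ok"

def tcp_reachable(host, port, timeout=5.0):
    """Resolve host and attempt a TCP connect, e.g. a host sensor FQDN on 443."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal and timeout
        return False
```

`tcp_reachable` only proves name resolution and a TCP handshake from the machine it runs on; it does not detect HTTPS content inspection on the path.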

Comments

  • edited June 2020

    Any update on this?
    "Host sensor/PC/application crashes/locks up OR PC has high CPU/memory usage when host sensor is installed" steps don't seem to resolve any issues.

  • John_Norton WatchGuard Representative

    Kalos-- that isn't a common problem, but is typically seen when there is another AV/anti-malware application installed like McAfee or Symantec. Be sure to add exclusions in TDR for any AV software and exclude TDR in your AV. If the problem persists, support can help you pull detailed triage logs to identify the conflict.
