About WatchGuard MDR Licenses
Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft, WatchGuard Total MDR
WatchGuard MDR is a managed detection and response service that keeps your licensed endpoints safe with security monitoring, threat hunting, attack detection, investigation, and containment.
There are three MDR licenses that provide managed services:
WatchGuard Core MDR
For environments that use one of the Endpoint Security products (WatchGuard Advanced EPDR, EPDR, EDR, Panda Adaptive Defense, or Panda Adaptive Defense 360), WatchGuard Core MDR enables the WatchGuard MDR team to monitor licensed endpoints and your cloud-based Microsoft 365 environment.
WatchGuard Core MDR is licensed as an Endpoint Security module. For more information on WatchGuard Core MDR, go to WatchGuard Endpoint Security Modules. For information on Endpoint Security product licenses, go to About Endpoint Security Licenses.
WatchGuard Core MDR for Microsoft
For environments that use Microsoft Defender for Endpoint, WatchGuard Core MDR for Microsoft enables the WatchGuard MDR team to monitor endpoints in your Microsoft Defender environment and your cloud-based Microsoft 365 environment. You must have your own Microsoft Defender for Endpoint license.
WatchGuard Total MDR
For environments that use one of the Advanced EPDR, EPDR, or EDR Endpoint Security products, WatchGuard MDR can monitor your licensed endpoints. WatchGuard Total MDR can monitor third-party cloud integrations that include Microsoft 365, AWS CloudTrail, and Google Workspace. With ThreatSync, WatchGuard MDR can also monitor data from these products and features:
- Fireboxes with Total Security Suite (TSS)
- AuthPoint Multi-Factor Authentication
- AuthPoint Total Identity Security
- ThreatSync+ NDR
License Combinations and Restrictions
For environments with both WatchGuard Endpoint Security and Microsoft Defender, you can allocate WatchGuard Core MDR and WatchGuard Core MDR for Microsoft.
These license combinations are not permitted in the same Subscriber account:
- WatchGuard Total MDR and WatchGuard Core MDR for Microsoft
- WatchGuard Core MDR and WatchGuard Total MDR
License Types
WatchGuard Core MDR for Microsoft and WatchGuard Total MDR monitor one endpoint device for each licensed user.
These license types are available:
Term Licenses
A term license has a set number of users and a set duration, or term. For example, you might purchase a license for 100 users that expires after three years. The license expires the day after the expiration date at 00:00 UTC.
Subscription Licenses
A subscription license enables you and your managed accounts to add users with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of users you have allocated. For more information, go to About Subscription Licenses in WatchGuard Cloud.
NFR Licenses (Service Providers only)
A Not for Resale license includes a set number of users and typically has a three-year term. NFR licenses are available to Service Providers only.
Allocation Types
When Service Providers allocate users from a license to their managed accounts, they select an allocation type that specifies how the managed account can use the users.
Term Allocation
When you allocate users as a term allocation, the managed account can allocate a specific number of users to an account for a set duration or term from a term license or MSSP points.
Subscription Allocation
When you allocate users as a subscription allocation, the managed account can allocate a specific number of users or an unlimited number of users. WatchGuard bills the account monthly based on the number of active users.
Linked to License
When you allocate users as Linked to License, the quantity and expiration date of the allocated users are linked to the quantity and expiration date of your term license.
Term License Activation
You can activate licenses on the Activate Licenses page on the WatchGuard website. For more information, go to Activate a WatchGuard MDR License.
After you activate a WatchGuard Core MDR for Microsoft or WatchGuard Total MDR license, you can review the activated licenses for your account in Support Center on the Managed Services page. Click the name of a license to view the details and history of that license.
Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.
Subscribers
Subscriber accounts can only have one product license. When a Subscriber account activates a new license key in the Support Center, it is used to modify the current active license. You can use a new license to add users or extend the license expiration.
Service Providers
Service Providers can have many product licenses. When a Service Provider activates a new license key, they can use it to modify an active license or add a new, separate license. After activation, the license appears in the Service Provider inventory in WatchGuard Cloud, but the expiration date of the license is tracked separately.
License Renewals
To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you select whether to add users or extend your current license. When you add users to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.
Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated user count and the term length of the license you activated. If you add users, the number of users you purchased is added to your current inventory. For example, if you have 50 users and purchase a term license for 100 users, your final count after you activate your new license is 150 users.
If you have an active subscription license, when you renew a term license, your subscription usage count reduces automatically so that only the users in excess of your termed license are billed as subscription users.
When you extend your license, if you purchased the same number of users that you currently have, your license is extended for another period (one or three years). If you purchased more users than are in your current inventory, your inventory immediately updates to match the number of users you purchased the license for.
To renew with fewer users, purchase a license for the desired number of users and choose Extend License when you activate your license key.
When you renew the license for fewer users, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of users available for your managed accounts and your account could become overallocated.
If you have an active subscription license, when you renew or upgrade a term license your subscription usage is automatically updated so that only the users in excess of your termed licenses are billed as subscription users.
License Expiration
WatchGuard Core MDR for Microsoft and WatchGuard Total MDR licenses expire on the expiration date at 00:00 UTC. After a license expires, there is a seven-day grace period. If you renew your license before the grace period ends, no further action is required. If you do not renew your license before the grace period ends:
- For WatchGuard Core MDR for Microsoft, the WatchGuard MDR team no longer monitors Microsoft Defender.
- For WatchGuard Total MDR, the MDR team no longer monitors your licensed endpoints, Fireboxes, AuthPoint, ThreatSync, and ThreatSync+ NDR, or your cloud-based Microsoft 365, AWS CloudTrail, and Google Workspace environments.
- Access to the Managed Services portal is disabled.
- WatchGuard Core MDR for Microsoft data is deleted.
If you are a Service Provider with different WatchGuard MDR licenses and one license expires, the managed services continue. After you renew your license, the MDR team monitoring and access to the portal return for all of the affected endpoints.
Overallocation
Service Provider accounts could become overallocated when an account they manage allocates more users than there are available in the license. When a Service Provider account becomes overallocated, access to the Managed Services portal is no longer available.
To identify accounts that are over their limit, review Subscriber dashboards and audit logs. When an account is overallocated, we recommend that you reduce the number of allocated users (deallocate), or increase the number of users in the license. For more information on overallocation, go to Inventory Overallocation in WatchGuard Cloud.