Inventory Overallocation in WatchGuard Cloud

Applies To: WatchGuard Cloud

Devices, users, or endpoints purchased by a Service Provider are stored as inventory in WatchGuard Cloud. As a Service Provider, you can allocate devices, users, or endpoints from your inventory to your account or any account you manage. Inventory purchased through a single license from WatchGuard can be allocated to multiple accounts. The Linked to License allocation type allows WatchGuard Cloud to track allocation to an account from a specific license.

In our software products, overallocation occurs when more users or endpoints are allocated than there are available in the inventory. As a Service Provider, accounts you manage become overallocated when they are allocated more users or endpoints than there are available in your inventory. This could happen if a product license expires and reduces your inventory to less than what you have allocated to all of your managed accounts.

In WatchGuard Cloud, the Inventory > Allocation > Overview page shows Service Providers how many users or endpoints have been allocated from the total inventory. The number of users or endpoints allocated (the first number) must be lower than or equal to the second number (total inventory available in the license). If the first number is higher than the second number, your account is overallocated.

What Happens to an Overallocated Account?

As a Service Provider, when one of your accounts is overallocated, you lose access to the management UI of that product for all of your accounts, with the exception of accounts that have allocated users or endpoints as Linked to License. For example, when a Service Provider account overallocates ThreatSync+ NDR, access to the ThreatSync+ NDR management UI is no longer available.

For more information on Linked to License, go to About the Linked to License Allocation Type.

For FireCloud, if an account becomes overallocated, some existing users will also lose access to FireCloud.

For AuthPoint, if an account becomes overallocated, some existing users will also lose access to AuthPoint. Affected users are not be able to authenticate with AuthPoint to protected resources.

For Endpoint Security, access to the management UI is disabled. Service Providers cannot manage configurations in the multi-tenant endpoint security management UI and no new installations are permitted. If an endpoint security module is overallocated, the module is deactivated in affected endpoints, and you will not be able to see the module in the management UI.

WatchGuard Patch Management — Tasks stop, and patches are no longer applied. There is no visibility into available patches or end-of-life software as the module is not available in the management UI.
WatchGuard Data Control — Discovery, classification, and monitoring of sensitive information stops.
WatchGuard Full Encryption — Endpoints that are already encrypted remain encrypted. You cannot encrypt new endpoints or change the configuration. The module is not available in the management UI.
WatchGuard Advanced Reporting Tool — Continues to send telemetry to the cloud. The module is not available in the management UI.

When an account is overallocated, the Endpoint Security protection layers are maintained to prevent infection. Signature files are still updated.

How Can I Determine Which Product Is Overallocated?

To identify which product has allocated more users or endpoints than there are available, review Service Provider dashboards for each product or review the dashboards in the Overview > Inventory > Summary section. When a product is overallocated, it shows in the usage tile with red text.

You can also review recent actions in audit logs to see when inventory was changed, on which account, and who made the change. If a license recently expired, this can cause your account to become overallocated.

How Do I Resolve Overallocation?

When an account is overallocated, it is usually due to a Term license that has recently expired. The first step is to identify the product license that you should renew. Go to the Inventory > Licenses page for each product and review licenses that have recently expired. You can filter the list of licenses to only show expired licenses. Click the Expiration column heading to show the most recent expired licenses first. When you have identified the expired license, renew the license at WatchGuard.com.

If you have allocated Term users or endpoints to a managed account with a Never Expire expiration date and the license then expires, the account becomes overallocated. To resolve the overallocation, edit the expiration date to a date prior to the current date or reduce the number of users or endpoints allocated to the managed account to 0.

When an account is overallocated, you can also activate new license keys at WatchGuard.com and add more users or endpoints to your inventory. When an account is no longer overallocated, access to the management UI and all functionality returns to normal.

How Can I Prevent Overallocation?

Make sure to renew all licenses before they expire. We recommend you create renewal notifications in WatchGuard Cloud to receive email notifications and alerts when you must renew a license. You should activate notifications for each of your managed accounts.

You can also activate an overallocation notification to be proactively informed when overallocation occurs. To do this, create a notification in one managed account where you are using Term licenses. This notification rule will send an email notification and alert when any managed account with a Term license becomes overallocated.

For Term licenses, you can also generate alerts when a license is about to expire and when it expires. To do this, make sure to add an accurate expiration date when you allocate users or endpoints from a license.

Limit the Impact of Overallocation with the Linked to License Allocation Type

The Linked to License allocation type enables partners to allocate inventory from a separate license to each account they manage. When more inventory is required, partners can purchase more users or endpoints for the specific license at WatchGuard.com. The allocation in WatchGuard Cloud updates automatically to reflect changes to the license.

The Linked to License allocation type helps to: