About Endpoint Security Licenses

Applies To: Endpoint Security Elite, Endpoint Security 360, Endpoint Security Prime, WatchGuard EDR, WatchGuard EDR Core, Endpoint Security Basic

The WatchGuard Endpoint Security portfolio includes these products and modules:

WatchGuard Endpoint Security Basic (evolved from WatchGuard EPP)
WatchGuard Endpoint Security Prime
WatchGuard Endpoint Security 360 (formerly WatchGuard EPDR)
WatchGuard Endpoint Security Elite (formerly Advanced EPDR)
WatchGuard Endpoint Detection and Response (EDR)
WatchGuard Full Encryption
WatchGuard Patch Management
WatchGuard Advanced Reporting Tool
WatchGuard Data Control
WatchGuard SIEMFeeder
WatchGuard Core MDR*
WatchGuard Endpoint Security 1-Year Data Retention
WatchGuard Orion

*For information about MDR licenses, go to About WatchGuard MDR Licenses.

WatchGuard EDR Core is included in the Firebox Total Security Suite. It is available for a limited number of endpoints, based on the Firebox model. With a Total Security Suite subscription license, you will see an EDR Core license in WatchGuard Cloud. You can use WatchGuard Cloud to manage EDR Core endpoint allocation and to access the Endpoint Security management UI. For information on EDR Core features, go to WatchGuard EDR Core Features.

Service Providers and partners who need to renew or upgrade a license for a Panda endpoint security product can refer to the Partner Center Help topic, License Management for more information. (external link)

License Types

Endpoint Security products and modules are licensed for each endpoint (for example, computers, laptops, servers, mobile devices, etc.).

The Endpoint Security Basic, Prime, 360, Elite, and WatchGuard EDR license agreements grant clients the right to use Endpoint Security products on endpoints, including a limited number of servers (up to 10% of those endpoints). If the number of servers you want to protect exceeds this threshold, you must acquire a WatchGuard Endpoint Security for Servers license to protect the additional servers. For more information, contact your WatchGuard Representative.

There are these types of licenses:

Term Licenses

A term license has a set number of endpoints and a set duration, or term. For example, you might purchase a license for 100 endpoints that expires after three years. The license expires the day after the expiration date at 00 UTC.

Subscription Licenses

A subscription license enables you and your managed accounts to add endpoints with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of endpoints you have allocated. For more information, go to About Subscription Licenses in WatchGuard Cloud.

Trial Licenses

Product trials are available to Service Provider and Subscriber accounts in WatchGuard Cloud. Trial licenses expire after 30 days but you can renew them one time for another 30 days. For information, go to Extend a Trial – Service Providers.

NFR Licenses (Service Providers only)

A Not for Resale license includes a set number of endpoints and typically has a three-year term. NFR licenses are available to Service Providers only. If the Endpoint Security core product license is an NFR license, you can still allocate modules.

Term License Activation

You can activate licenses on the Activate Licenses page on the WatchGuard website. For more information, go to Activate an Endpoint Security License.

After you activate an endpoint security product or module license, from Support Center, on the Endpoint Security page, you can review the activated licenses for your account. Select Endpoint Security Basic, Prime, 360, or Elite and then click the name of a license to view the details and history of that license.

Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.

Subscribers

Subscriber accounts can only have one product license. When a Subscriber account activates a new license key in the Support Center, it is used to modify the current active license. You can use a new license to add endpoints or extend the license expiration.

Service Providers

Service Providers can have many product licenses. When a Service Provider activates a new license key, they can use it to modify an active license or add a new, separate license. After activation, the license appears in the Service Provider inventory in WatchGuard Cloud, but the expiration date of the license is tracked separately.

Endpoint Security Module Activation

To activate endpoint security modules, you must have an existing license for an endpoint security product (for example, Endpoint Security Basic, Prime, 360, Elite, or WatchGuard EDR). Available endpoint security modules depend on your endpoint security product:

Full Encryption — Available for use with Endpoint Security Basic, WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
Patch Management — Available for use with Endpoint Security Basic, WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
Advanced Reporting Tool — Available for use with WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
Data Control — Available for use with WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite. Only available in select European countries.
SIEMFeeder — Available for use with WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
Core MDR — For approved Partners, available for use with WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
Endpoint Security 1-Year Data Retention — Available for use with Endpoint Security Basic, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.
WatchGuard Orion — For approved Partners, available for use with WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, and Endpoint Security Elite.

Modules are not available with WatchGuard EDR Core. We recommend you upgrade to Endpoint Security 360. If you upgrade to Endpoint Security Prime or Endpoint Security 360, your EDR Core license becomes inactive.

You should not allocate more endpoints from a module license than the number of endpoints allocated from the endpoint security product license. The required number of endpoints varies by product:

Full Encryption — Module license should include the same number of endpoints as Windows and Mac devices deployed. If Full Encryption is only used in some specific endpoints, you can set the number of endpoints where the module will be used. For more information, go to WatchGuard Full Encryption Requirements.
Patch Management — Module license should include the same number of endpoints as endpoint devices deployed (Windows, Linux, and Mac). For more information, go to Patch Management Requirements.
Advanced Reporting Tool (ART) — Module license should include the same number of endpoints as workstations and servers protected (Windows, Linux, and Mac). For more information, go to Advanced Visualization Tool Requirements.
Data Control — Module license should include the same number of endpoints as Windows devices deployed. For more information, go to Advanced Visualization Tool Requirements.
SIEMFeeder — Module license should include the same number of endpoints for the SIEMFeeder service as you have for WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, or Endpoint Security Elite. For more information, go to SIEMFeeder Requirements.
Core MDR — Module license must include the same number of endpoints for WatchGuard Core MDR as you have for WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, or Endpoint Security Elite. For more information, go to About Managed Services with WatchGuard MDR. For information on Core MDR for Microsoft, go to About Managed Services with WatchGuard MDR.
Endpoint Security 1-Year Data Retention — Module license must include the same number of endpoints for data retention that you have for the Endpoint Security product. For more information, go to About WatchGuard Endpoint Security 1-Year Data Retention Module.
WatchGuard Orion — Module license must include the same number of endpoints for WatchGuard Orion as you have for WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, or Endpoint Security Elite. For information on Orion, go to About WatchGuard Orion.

Caution: If WatchGuard detects that any endpoint security module has been used on more endpoints than allowed, we reserve the right to disable the module on the endpoints you do not have licenses for.

License Renewals and Upgrades

To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you select whether to add endpoints or extend your current license. When you add endpoints to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.

Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated endpoints count and the term length of the license you activated. If you add endpoints, the number of endpoints you purchased is added to your current inventory. For example, if you have 50 endpoints and purchase a term license for 100 endpoints, your final count after you activate your new license is 150 endpoints.

If you have an active subscription license, when you renew a term license, your subscription usage count reduces automatically so that only the endpoints in excess of your termed license are billed as subscription endpoints.

When you extend your license, if you purchased the same number of endpoints that you currently have, your license is extended for another period (one or three years). If you purchased more endpoints than are in your current inventory, your inventory immediately updates to match the number of endpoints you purchased the license for.

To renew with fewer endpoints, purchase a license for the desired number of endpoints and choose Extend License when you activate your license key.

When you renew the license for fewer endpoints, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of endpoints available for your managed accounts and your account could become overallocated.

If you have an active subscription license, when you renew or upgrade a term license your subscription usage is automatically updated so that only the endpoints in excess of your termed licenses are billed as subscription endpoints.

Service Provider accounts can have multiple WatchGuard Endpoint Security licenses on their account. In WatchGuard Cloud, Service Providers can change product allocation to a different product (for example, change WatchGuard EDR to Endpoint Security 360). For more information, go to Allocate Endpoints.

Tier-1 Service Providers can only upgrade a WatchGuard Endpoint Security license during activation. You cannot downgrade a license during activation. For more information, go to Activate an Endpoint Security License.

Current Product	Upgrade Available
WatchGuard EDR Core (available with the Firebox Total Security Suite subscription)	WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, Endpoint Security Elite**
Endpoint Security Basic	WatchGuard EDR, Endpoint Security Prime, Endpoint Security 360, Endpoint Security Elite
WatchGuard EDR	Endpoint Security Prime, Endpoint Security 360, Endpoint Security Elite
Endpoint Security Prime	Endpoint Security 360, Endpoint Security Elite
Endpoint Security 360	Endpoint Security Elite
WatchGuard Endpoint Security Elite	None

** When you upgrade EDR Core to WatchGuard EDR, Endpoint Security Prime, 360, or Elite, the EDR Core license becomes inactive. If the upgraded license expires, the WatchGuard EDR Core license becomes active.

Caution: If you have a Total Security Suite license with EDR Core and then activate Passport or another Endpoint Security product such as Endpoint Security 360, the EDR Core license becomes inactive in WatchGuard Cloud. Make sure that the new license has the same number or more endpoints available to avoid overallocation in the account. The affected endpoints show in the Endpoint Security management UI without a license. You must assign the new license to the affected endpoints from the Licenses list.

License Expiration

If you remove a license or a license expires, there is a seven-day grace period during which time devices remain protected. (The license expires the day after the expiration date at 00:00 UTC.) After the grace period, devices with an expired license:

Are unprotected, with no antivirus, advanced protection, firewall, device control, and URL filtering.
Cannot access the management UI.
Do not receive signature file updates.
Do not have scheduled tasks. All scheduled scans and patch tasks are disabled.

If the license expires for some devices but not others, computers and devices that have been offline for the longest time lose their license and are unprotected.

To select which computers would lose protection, before the license expires:

Remove computers that you do not need to protect from the management UI. These computers might not be currently in use. When you remove them from the management UI, make sure that you uninstall the client software. For more information, go to Uninstall the Endpoint Software.
Disable computers you do not want to protect but still want to manage from the management UI. On the Computers page, select the computer you want to disable. To remove assigned licenses, on the Details tab, click the × next to the Licenses you want to remove.

If the license is renewed within 90 days after you cancel it or it expires, device protection is automatically re-enabled and updated on devices connected to the Internet (usually within 4 hours). After 90 days, if you renew the license, you must reinstall the endpoint agent and then create and assign all settings.

Service Provider accounts could become overallocated when a license expires. If your account becomes overallocated, you cannot manage configurations in the multi-tenant endpoint security management UI and no new installations are permitted. For more information on overallocation, go to Inventory Overallocation in WatchGuard Cloud.