About Subscription Services Expiration and Renewal

Fireware subscription services need regular updates to operate effectively. The subscription services are:

  • Gateway AntiVirus
  • IntelligentAV
  • Intrusion Prevention Service
  • WebBlocker
  • spamBlocker
  • Reputation Enabled Defense
  • Application Control
  • Data Loss Prevention
  • APT Blocker
  • Botnet Detection
  • Tor Exit Node Detection
  • Network Discovery
  • WatchGuard EDR Core
  • DNSWatch
  • Geolocation

In addition, an initial subscription to support services is activated when you register your product. The support service subscription is identified in the feature key by the old name for WatchGuard support, LiveSecurity Service. Your support subscription gives you access to technical support, software updates, and feature enhancements. It also extends the hardware warranty of your WatchGuard device and provides advance hardware replacement.

We recommend that you renew your subscription services before they expire. After a subscription expires, that service does not operate, and you might not be able to disable the service. For more information on what happens when specific services expire, go to Security Service Expiration Behavior.

A subscription expires at 12:00 AM on the day after the specified expiration date. For example, if your expiration date is 04/07/2020, the feature expires and stops working at 12:00 AM on 04/08/2020.

Subscription Renewal Reminders

The Firebox sends you reminders to renew your subscriptions. When you save a configuration to your Firebox, Policy Manager warns you if a subscription will expire. These warnings appear 90 days before, 60 days before, 30 days before, 15 days before, and one day before the expiration date.

You can also use Firebox System Manager to monitor your subscription services. If a subscription service is about to expire or is expired, a warning appears on the front panel of Firebox System Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the WatchGuard website to renew the subscription.

In Fireware Web UI, you can review the subscription service expiration dates in the License Information section of the System page.

You can also configure the Firebox to send you an alert when a subscription is about to expire. For more information, go to Enable Feature Key Synchronization and Alarm Notification.

To learn more about how to renew security service subscriptions, go to Renew Subscription Services.

For information about what happens when a WatchGuard Cloud license with a Data Retention license expires, go to WatchGuard Cloud and Data Retention License Expiration.

Feature Key Compliance

When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy Manager checks if any configured services are expired. You cannot save any configuration changes from Policy Manager to the Firebox when a configured subscription service is expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box appears, with a list of all configured services that are expired. You must either add a feature key with a later expiration date for the expired services, or you must select each service and click Disable to disable the service. After you disable the expired services, Policy Manager saves the updated configuration to the device.

If the Support subscription on your device is expired, you can save configuration changes to the device, but you cannot upgrade or reinstall any version of Fireware OS on the device.

For subscription Fireboxes that have a three year or one month service suite subscription, WatchGuard automatically extends the expiration date of the feature key and associated services on the 1st or 15th day of the month, based on your invoice cycle. If there are issues with the subscription contract, such as non-payment, the feature key does not renew automatically and expires at the end of the current invoice cycle.

Security Service Expiration Behavior

When a subscription service expires, that service does not operate, and the configuration options are disabled. The specific expiration behaviors for each subscription service are described below.

For information on how expiration of security services affects a cloud-managed Firebox, go to About Firebox WatchGuard Cloud Licenses.

Gateway AntiVirus

When the Gateway AntiVirus subscription expires:

  • Gateway AntiVirus signature updates stop immediately.
  • Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a Gateway AntiVirus scan when Gateway AntiVirus is enabled but expired, the device takes the same action as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error is also sent to the log file.
  • Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to disable Gateway AntiVirus for a policy that has it enabled.
  • Gateway AntiVirus configuration options are disabled in Fireware Web UI.
  • IntelligentAV stops scanning files, even if IntelligentAV is enabled and has a valid feature key.

IntelligentAV

When the IntelligentAV subscription expires:

  • IntelligentAV updates stop immediately.
  • IntelligentAV stops scanning files immediately.
  • IntelligentAV configuration options are disabled in Policy Manager.
  • IntelligentAV configuration options are disabled in Fireware Web UI.

Intrusion Prevention Service (IPS)

When the IPS subscription expires:

  • IPS signature updates stop immediately.
  • IPS stops detecting and blocking intrusions immediately.
  • For Fireware v11.0–v11.3.x, if the device attempts an IPS scan when IPS is enabled but expired, the device allows the content and sends a scan error to the log file.
  • For Fireware v11.4 and higher, IPS configuration options are disabled in Policy Manager.
  • For Fireware v11.0–v11.3.x, IPS configuration options are disabled in Policy Manager, except for the ability to disable IPS for a policy that has it enabled.
  • IPS configuration options are disabled in Fireware Web UI.

WebBlocker

When the WebBlocker subscription expires:

  • Updates to the WebBlocker Server stop immediately.
  • WebBlocker stops scanning web content immediately.
  • The License Bypass setting in the WebBlocker configuration controls whether policies that have WebBlocker enabled allow or deny access to all websites when WebBlocker is expired. By default, policies that have WebBlocker enabled deny access to all websites when the WebBlocker service is expired.

If your WebBlocker subscription expires, and you did not change the default License Bypass setting before the service expired, WebBlocker denies access to all websites. You cannot change the License Bypass setting after the service has expired. If your service is expired and WebBlocker denies access to all websites, you must either disable WebBlocker for each policy that had it enabled, or renew the WebBlocker service and import an updated feature key.

  • WebBlocker configuration options are disabled in Policy Manager, except for the ability to disable WebBlocker for a policy that has it enabled.
  • WebBlocker configuration options are disabled in Fireware Web UI.

spamBlocker

When the spamBlocker subscription expires:

  • spamBlocker stops blocking spam immediately.
  • spamBlocker configuration options are disabled in Policy Manager, except for the ability to disable spamBlocker for a policy that has it enabled.
  • spamBlocker configuration options are disabled in Fireware Web UI.

Reputation Enabled Defense

When the Reputation Enabled Defense subscription expires:

  • Reputation Enabled Defense stops checking reputation immediately.
  • Reputation Enabled Defense configuration options are disabled in Policy Manager, except for the ability to disable Reputation Enabled Defense for a policy that has it enabled.
  • Reputation Enabled Defense configuration options are disabled in Fireware Web UI.

Application Control

When the Application Control subscription expires:

  • Application Control signature updates stop immediately.
  • Application Control stops identifying and blocking applications immediately.
  • Application Control configuration options are disabled in Policy Manager.
  • Application Control configuration options are disabled in Fireware Web UI.

Data Loss Prevention (DLP)

When the DLP subscription expires:

  • DLP signature updates stop immediately.
  • DLP stops identifying DLP violations immediately.
  • DLP configuration options are disabled in Policy Manager.
  • DLP configuration options are disabled in Fireware Web UI.

APT Blocker

When the APT Blocker subscription expires:

  • APT Blocker stops detecting and blocking APT malware immediately.
  • APT Blocker configuration options are disabled in Policy Manager.
  • APT Blocker configuration options are disabled in Fireware Web UI.

Botnet Detection

Botnet Detection is part of the Reputation Enabled Defense (RED) subscription. When the RED subscription expires:

  • Botnet Detection no longer receives Botnet Detection site list updates from RED.
  • Botnet Detection configuration options are disabled in Policy Manager.
  • Botnet Detection configuration options are disabled in Fireware Web UI.

Tor Exit Node Blocking

Tor Exit Node Blocking is part of the Reputation Enabled Defense (RED) subscription. When the RED subscription expires:

  • Tor Exit Node Blocking no longer receives known Tor exit node IP address updates from RED.
  • Tor Exit Node Blocking configuration options are disabled in Policy Manager.
  • Tor Exit Node Blocking configuration options are disabled in Fireware Web UI.

Network Discovery

When the Network Discovery subscription expires:

  • Network Discovery features are removed from Fireware Web UI.

WatchGuard EDR Core

WatchGuard EDR Core is included in the Total Security Suite subscription. You can install EDR Core on a limited number of endpoints in your network. The number of included endpoints depends on the Firebox model.

If you cancel the Total Security Suite subscription or it expires, protection is disabled on the affected devices. There is a seven-day grace period during which the devices remain protected. After the grace period, computers and devices with an expired license:

  • Are unprotected, with no antivirus, advanced protection, firewall, device control, and URL filtering.
  • Cannot access the management UI.
  • Do not receive signature file updates.
  • Do not have scheduled tasks. All scheduled scans and patch tasks are disabled.

If the subscription expires for some devices but not others, computers and devices that have been offline for the longest time lose their license and are unprotected.

To specify which computers lose protection, before the subscription expires:

  • Remove computers that you do not need to protect from the management UI. These computers might not be currently in use. When you remove them from the management UI, make sure that you uninstall the client software. For more information, go to Uninstall the Endpoint Software.
  • Disable computers you do not want to protect but still want to manage from the management UI. In the Endpoint Security management UI, , on the Computers page, select the computer you want to disable. To remove the devices, on the Details tab, click the x next to the Licenses you want to remove.

If you renew the subscription within 90 days after you cancel it or it expires, device protection is automatically re-enabled and updated on devices connected to the Internet (usually within 4 hours). After 90 days, if you renew the subscription, you must reinstall the endpoint agent and then create and assign all settings.

DNSWatch

When the DNSWatch subscription expires:

  • The Firebox uses the existing DNS settings in the Firebox network configuration
  • If DNSWatch is expired and no DNS servers are configured on the Firebox:
  • To avoid a DNS outage, the Firebox continues to use DNSWatch for DNS queries only.
  • No alerts or configuration options are applied
  • The Firebox generates a log message to alert you that no DNS servers are configured

Subscription Expiration and FireCluster

These requirements and behaviors are the same for an active/active or an active/passive FireCluster.

  • A Support Service subscription applies to a single device, even when that device is configured as a member of a cluster. You must have an active Support subscription for each device in the cluster. If the Support subscription expires for a cluster member, you cannot upgrade the Fireware OS on that device.
  • If a subscription service is active (not expired) on at least one member of a FireCluster, you can configure the feature in Policy Manager and you can save configuration changes to the FireCluster.
  • If a subscription service is expired on one member of a cluster, the combined feature key, on the Cluster Features tab (in Policy Manager > Setup > Feature Key), shows the service is expired.

The requirements for subscription service licensing and the service expiration behavior are different for an active/passive cluster than they are for an active/active cluster. These differences apply to all subscription services except Support.

Active/Passive Cluster

  • The active cluster member uses the configured subscription services that are active in the feature key of either cluster member.
  • If a subscription service does not exist or is expired for both cluster members, the service is not active for the active cluster member. The service expiration behavior is the same as when the subscription service is expired for a single device.

Active/Active Cluster

  • You must enable the same service subscriptions in the feature key for both devices. Each cluster member uses the configured subscription service only if the subscription is active (not expired) in its own feature key.
  • If a subscription service expires on one member of an active/active cluster, the service does not function for that member only. For example, if a WebBlocker subscription expires on one member of an active/active cluster, both devices continue to handle web traffic, but the web requests handled by the cluster member that has an expired WebBlocker service are not filtered by WebBlocker.

For an active/active cluster it is very important to renew subscription services for both cluster members for your subscription services to remain effective.

Support

When the Support subscription expires:

  • You cannot upgrade or reinstall Fireware OS on your device, even if it is a Fireware OS version that was released before the Support expiration date.
  • WatchGuard does not provide telephone and web-based support, software updates and enhancements, or hardware replacement (RMA).
  • Dimension will not accept log messages for the device
  • All other functionality, including VPN features, Traffic Monitor and Log Server logging, and management functions, continue to operate.
  • You can manage your device and save configuration changes to your device from Policy Manager or the Web UI.
  • You can save a backup image of your configuration from Policy Manager or the Web UI.

Synchronize Subscription Renewals

If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact WatchGuard or your WatchGuard reseller for details.

Non-Subscription Services

Firebox continues to retrieve updates for all non-services such as HTTPS Exception List, Microsoft365 alias, Trusted CA Certificate List, and other non-subscription services, even after the feature license or support subscription expires.

Related Topics

Renew Subscription Services

About Feature Keys