To add a Firebox to WatchGuard Cloud, the Firebox must have an active Total Security Suite or Basic Security Suite subscription, or a Standard Support license that includes WatchGuard Cloud. To connect to WatchGuard Cloud, Fireboxes with a Standard Support license must have Fireware v12.9 or higher and a feature key with a valid CLOUD_CONNECT entry.
The Firebox Cloud Hourly license does not include support for WatchGuard Cloud. For more information, see Firebox Cloud License Options.
Devices with a Standard Support license, the Total Security Suite, or the Basic Security Suite include a subscription for WatchGuard Cloud. Devices with a Standard Support license can be added to WatchGuard Cloud for centralized management, but they do not send log messages to WatchGuard Cloud, so there is no reporting or data retention for these devices. Devices with the Total Security Suite or Basic Security Suite send log messages to WatchGuard Cloud. The subscription includes a default retention period for Firebox data in WatchGuard Cloud:
- Total Security Suite includes WatchGuard Cloud with 30 days of data retention
- Basic Security Suite includes WatchGuard Cloud with 1 day of data retention
There is no separate activation required to enable WatchGuard Cloud. To increase the data retention period for a Firebox in WatchGuard Cloud, you can activate a Data Retention license and assign it to the Firebox in your WatchGuard Cloud account. For more information, see About Data Retention Licenses.
If you activate trials for security services on your Standard Support Firebox during the activation process, and then add the Firebox to WatchGuard Cloud as a cloud-managed device, you cannot configure these services in WatchGuard Cloud:
- Application Control
- APT Blocker
- Gateway AntiVirus
- Intrusion Prevention Service
- Reputation Enabled Defense
To configure a 30-day trial of these security services on a device with Standard Support, the device must be locally managed.
WatchGuard Cloud in the Feature Key
The Firebox feature key determines whether you can enable WatchGuard Cloud on the Firebox.
With the release of Fireware v12.9, when you activate one of these devices, the feature key includes CLOUD_VISIBILITY and CLOUD_CONNECT:
- T20/T20-W, T40/T40-W, T80
- M270, M290, M370, M390, M470, M570, M590, M670, M690, M4600, M4800, M5600, M5800
- FireboxV, Firebox Cloud (BYOL only)
Feature keys with CLOUD_CONNECT allow Fireboxes that run Fireware v12.9 to connect to WatchGuard Cloud. Older feature keys could include LIVE_SECURITY or SUPPORT, and CLOUD_VISIBILITY or DIMENSION_BASIC. The feature key should synchronize automatically with the update to Fireware v12.9. If you do not have the Enable automatic feature key synchronization option enabled, then we recommend that you manually synchronize the feature key from Fireware Web UI or WSM. For more information, see Get a Firebox Feature Key.
When you add a Firebox to WatchGuard Cloud, you must use Fireware Web UI or Policy Manager to enable the feature in the Firebox configuration. For information about how to see the feature key on your Firebox, see About Feature Keys.
If you activated your Basic Security Suite or Total Security Suite subscription before the release of Device Visibility support in WatchGuard Cloud, you might need to synchronize the feature key on the Firebox to add DIMENSION_BASIC. For more information, see Get a Firebox Feature Key.
Renewals and Expiration
To avoid loss of data, we recommend that you renew the Total Security Suite or Basic Security Suite subscription before the subscription expires.
The expiration date of the Dimension Basic feature controls whether the Firebox sends log messages to WatchGuard Cloud and whether WatchGuard Cloud continues to store data for the Firebox. To renew WatchGuard Cloud data retention, you must renew your Total Security Suite or Basic Security Suite license. Standard Support licenses do not send log messages to WatchGuard Cloud.
For information about what happens when a WatchGuard Cloud license with a Data Retention license expires, see WatchGuard Cloud and Data Retention License Expiration.
If the Total Security Suite or Basic Security Suite license for a cloud-managed Firebox expires, a seven-day grace period starts. During the grace period, the Firebox continues to send log messages to WatchGuard Cloud. Log and report data remains in WatchGuard Cloud for the default data retention period associated with the subscription (30 days for TSS or 1 day for BSS).
After the grace period and the default data retention period have both elapsed (37 days for Total Security Suite or 8 days for Basic Security Suite):
- The Firebox no longer communicates with WatchGuard Cloud.
- The Firebox connection status in WatchGuard Cloud is Not Connected.
- You can use Fireware Web UI to modify the Firebox configuration locally.
We recommend that you assign a Data Retention license to a Firebox to extend the data retention period. If the Firebox has a Data Retention license, historical log and report data remain in WatchGuard Cloud for the number of days provided by the Data Retention license. For more information, see Manage Data Retention Licenses.
After the license for a cloud-managed Firebox expires, to continue to manage your Firebox in WatchGuard Cloud, you must renew your license or purchase a Standard Support license. When you do this, the Firebox automatically reconnects to WatchGuard Cloud.
If you choose not to renew your Total Security Suite or Basic Security Suite license or purchase a Standard Support license, you can manage the Firebox locally. We recommend that you remove the Firebox from WatchGuard Cloud. When you manage your Firebox locally with an expired feature key:
- The Firebox retains its configuration.
- Web traffic fails if web blockers are enabled with the default setting to deny outbound web traffic.
- Subscription security services no longer work.
FireCluster License Requirements
FireCluster license requirements for WatchGuard Cloud are the same as for other subscription services. To enable WatchGuard Cloud on a FireCluster, the FireCluster must have a Total Security Suite or Basic Security Suite subscription.
- A locally-managed or cloud-managed active/passive FireCluster requires a subscription for only one member.
- A locally-managed active/active FireCluster requires a subscription for both members.
For information about how to see the licensed features on your FireCluster, see About Feature Keys and FireCluster.