The data retention period for a Firebox is the number of days of data retention included with the Total Security Suite or Basic Security Suite subscription on the Firebox, plus any additional days added by an assigned Data Retention license.
WatchGuard Cloud stores diagnostic log messages sent by a Firebox, but they are not visible in Log Manager or Log Search. If you need to troubleshoot an issue, you can request these diagnostic log messages from WatchGuard Technical Support.
The total data retention period for log messages and reports appears in the Device Summary for your Firebox in WatchGuard Cloud.
Data Deletion Schedule
Once a day, an automated process removes stored Firebox data that is older than the current data retention period. The process starts at 1:00 AM UTC and takes some time, so the exact time when it deletes older data can vary.
If you reduce the data retention period for a Firebox, stored data older than the data retention period remains on the server until the next time the daily process runs.
For a FireCluster, the effective data retention period depends on the data retention periods of both cluster members and on the cluster type:
- Active/passive FireCluster — WatchGuard Cloud deletes stored data older than the longest data retention period of a cluster member.
- Active/active FireCluster — WatchGuard Cloud deletes stored data that is older than the shortest data retention period of a cluster member.
Because the shortest member period applies to an active/active FireCluster, you must assign a Data Retention license to each cluster member to increase the data retention period for the cluster. For more information, see Manage Data Retention Licenses.
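For incident-response planning, the rules above can be turned into an export deadline for a given log message. The following is an added example, not WatchGuard code: the function names and the day counts are hypothetical, and it assumes a message's age is measured from its timestamp to the start of the daily 1:00 AM UTC run.

```python
from datetime import datetime, timedelta, timezone

PURGE_HOUR_UTC = 1  # the daily deletion process starts at 1:00 AM UTC


def effective_retention_days(member_days, cluster_type=None):
    """Effective retention in days for a standalone Firebox or a FireCluster.

    member_days: per-member totals (subscription days + Data Retention license days).
    cluster_type: None (standalone), "active/passive" or "active/active".
    """
    if cluster_type is None:
        if len(member_days) != 1:
            raise ValueError("a standalone Firebox has exactly one retention value")
        return member_days[0]
    if len(member_days) != 2:
        raise ValueError("a FireCluster needs a value for both members")
    if cluster_type == "active/passive":
        return max(member_days)  # longest member period applies
    if cluster_type == "active/active":
        return min(member_days)  # shortest member period applies
    raise ValueError(f"unknown cluster type: {cluster_type!r}")


def first_purge_run(event_time, retention_days):
    """Start (UTC) of the first daily run at which the message is older than retention.

    Assumption: age is measured from the message timestamp to the start of the run.
    """
    if event_time.tzinfo is None:
        raise ValueError("event_time must be timezone-aware")
    expires = event_time.astimezone(timezone.utc) + timedelta(days=retention_days)
    run = expires.replace(hour=PURGE_HOUR_UTC, minute=0, second=0, microsecond=0)
    if run <= expires:  # not yet older than the period at that day's run
        run += timedelta(days=1)
    return run


def export_window(event_time, retention_days, now):
    """Time left to export a message before it becomes eligible for deletion."""
    return max(first_purge_run(event_time, retention_days) - now, timedelta(0))


if __name__ == "__main__":
    members = [30, 90]  # constructed day counts for two cluster members
    event = datetime(2024, 3, 1, 14, 20, tzinfo=timezone.utc)  # constructed timestamp
    for ctype in ("active/passive", "active/active"):
        days = effective_retention_days(members, ctype)
        print(ctype, days, first_purge_run(event, days).isoformat())
```

Because the deletion process takes some time to complete, treat the returned run start as the latest safe export time, not as the moment the data disappears.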
License Expiration Grace Period
The data retention period becomes shorter when the Total Security Suite or Data Retention license for the device expires. After a seven-day grace period, WatchGuard removes stored data associated with the expired license from WatchGuard Cloud. For more information, see WatchGuard Cloud and Data Retention License Expiration.