About Endpoint Security Licenses

The WatchGuard Endpoint Security portfolio includes these products and modules:

  • WatchGuard Endpoint Protection Platform (EPP)
  • WatchGuard Endpoint Detection and Response (EDR)
  • WatchGuard Endpoint Protection Detection and Response (EPDR)
  • WatchGuard Full Encryption
  • WatchGuard Patch Management
  • WatchGuard Advanced Reporting Tool
  • WatchGuard Data Control
  • WatchGuard SIEMFeeder

WatchGuard EDR Core is included in the Firebox Total Security Suite. It is available for a limited number of endpoints, based on the Firebox model. With a Total Security Suite subscription license, you will see an EDR Core license in WatchGuard Cloud. You can use WatchGuard Cloud to manage EDR Core endpoint allocation and to access the Endpoint Security management UI. For more information on EDR Core, go to WatchGuard EDR Core Features.

License Types

WatchGuard Endpoint Security products and modules are licensed for each endpoint (for example, computers, laptops, servers, mobile devices, etc.). There are four types of licenses:

Term Licenses

A term license has a set number of endpoints and a set duration, or term. For example, you might purchase a WatchGuard EPDR license for 100 endpoints that expires after three years.

Subscription Licenses

A subscription license enables you and your managed accounts to add endpoints with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of endpoints you have allocated. For more information, see About Endpoint Security Subscription Licenses.

Trial Licenses

Trial licenses of WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, and all modules are available to Service Provider and Subscriber accounts in WatchGuard Cloud. Trial licenses expire after 30 days but you can renew them one time for another 30 days. For information, see Extend a Trial.

NFR Licenses (Service Providers only)

A Not for Resale license includes a set number of endpoints and typically has a three-year term. NFR licenses are available to Service Providers only.

Allocation Types

When Service Providers allocate endpoints from a license to their managed accounts, they select an allocation type which specifies how the managed account can use the endpoints.

Term Allocation

When you allocate endpoints as a term allocation, the managed account can allocate a specific number of endpoints to an account for a set duration or term from a term or MSSP license.

Subscription Allocation

When you allocate endpoints as a subscription allocation, the managed account can allocate a specific number of endpoints or an unlimited number of endpoints. WatchGuard bills the account monthly based on the number of active endpoints.

Mixed Allocation

Partner accounts or Tier-1 Service Provider accounts can allocate endpoints to a Tier-2 Service Provider or Subscriber account as a mixed allocation. When you allocate endpoints as mixed, the endpoints show as subscription endpoints in the managed account. With the mixed allocation type, endpoints from the term license are used first, then when no endpoints remain in the term license, endpoints from the subscription license are used.

Term License Activation

You can activate licenses on the Activate Licenses page on the WatchGuard portal. For more information, see Activate an Endpoint Security License.

After you activate an endpoint security product or module license, from Support Center, on the Endpoint Security page, you can see the activated licenses for your account. Select WatchGuard EPP, WatchGuard EDR, or WatchGuard EPDR, and then click the name of a license to see the details and history of that license.

Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.


Subscriber accounts can have only one endpoint security product license. When a Subscriber account activates a new license key for an endpoint security product, it modifies the current active endpoint security product license. You can use a new license to add additional endpoints to, or extend the expiration date of, your existing license.

Service Providers

Service Providers can have many endpoint security product licenses. When a Service Provider activates a new license key, they can modify an active license or add a new, separate license. After activation, the endpoint license appears in the Service Provider inventory in WatchGuard Cloud.

Activate Endpoint Security Modules

To activate endpoint security modules, you must have an existing license for an endpoint security product (e.g., WatchGuard EPP, EDR, or EPDR). Available endpoint security modules depend on your endpoint security product:

  • WatchGuard Full Encryption — Available for use with WatchGuard EPP, WatchGuard EDR, and WatchGuard EPDR
  • WatchGuard Patch Management — Available for use with WatchGuard EPP, WatchGuard EDR, and WatchGuard EPDR
  • WatchGuard Advanced Reporting Tool — Available for use with WatchGuard EDR and WatchGuard EPDR.
  • WatchGuard Data Control — Available for use with WatchGuard EDR and WatchGuard EPDR. Only available in select European countries.
  • WatchGuard SIEMFeeder — Available for use with WatchGuard EDR and WatchGuard EPDR.

Modules are not available with WatchGuard EDR Core. We recommend you upgrade to WatchGuard EPDR.

You cannot allocate more modules than the number of endpoints in the endpoint security product license. The required number of endpoints in the module license also varies by module:

  • WatchGuard Full Encryption — Module license must include the same number of endpoints as Windows devices deployed. If Full Encryption is only used in some specific Windows endpoints, you can set the number of endpoints where the module will be used.
  • WatchGuard Patch Management — Module license must include the same number of endpoints as Windows devices deployed.
  • WatchGuard Advanced Reporting Tool (ART) — Module license must include the same number of endpoints as workstations and servers protected (Windows, Linux, and macOS).
  • WatchGuard Data Control — Module license must include the same number of endpoints as Windows devices deployed.
  • WatchGuard SIEMFeeder — Module license must include the same number of active licenses for the SIEMFeeder service as you have for WatchGuard EDR or WatchGuard EPDR. For more information, see SIEMFeeder Requirements.

If WatchGuard detects that any WatchGuard endpoint security module has been used on more computers than allowed, it reserves the right to disable the module on the computers the client has not purchased licenses for.

License Renewals

To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you choose whether you want to add endpoints or extend your current license. When you add to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.

Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated user count and the term length of the license you activated. If you add endpoints, the number of endpoints you purchased is added to your current inventory. So, if you have 50 endpoints and purchase a term license for 100 endpoints, your final count after you activate your new license is 150 endpoints.

When you extend your license, if you purchased the same number of endpoints that you currently have, your license is extended for another period (one or three years). If you purchased more endpoints than are in your current inventory, your inventory immediately updates to match the number of endpoints you purchased the license for.

To renew with fewer endpoints, purchase a license for the desired number of endpoints and choose Extend License when you activate your license key.

When you renew the license for fewer endpoints, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of endpoints available for your managed accounts and your account could become overallocated.

If your account becomes overallocated, you cannot access the management UI and no new installations are permitted. Tier-1 Service Provider accounts can become overallocated when an account they manage allocates more endpoints than there are available in the license. Access to all accounts in the management UI is disabled.

If you have an active subscription license, when you renew or upgrade a term license, your subscription usage count reduces automatically so that only the endpoints in excess of your termed license are billed as subscription endpoints.

License Upgrades

Service Provider accounts can have multiple WatchGuard Endpoint Security licenses on their account. In WatchGuard Cloud, Service Providers can change product allocation to a different product (for example, change WatchGuard EDR to WatchGuard EPDR). For more information, see Allocate Endpoints.

Tier-1 Service Providers can only upgrade a WatchGuard Endpoint Security license during activation. You cannot downgrade a license during activation. For more information, see Activate an Endpoint Security License

Current Product Upgrade Available
WatchGuard EDR Core (available with the Firebox Total Security Suite subscription) WatchGuard EDR, WatchGuard EPDR
WatchGuard EPP WatchGuard EDR, WatchGuard EPDR
WatchGuard EDR WatchGuard EPDR
WatchGuard EPDR None

License Expiration

If you cancel a license or a license expires, your account becomes overallocated. There is a seven-day grace period during which time devices remain protected. After the grace period, devices with an expired license:

  • Are unprotected, with no antivirus, advanced protection, firewall, device control, and URL filtering.
  • Cannot access the management UI.
  • Do not receive signature file updates.
  • Do not have scheduled tasks. All scheduled scans and patch tasks are disabled.

If the license expires for some devices but not others, computers and devices that have been offline for the longest time lose their license and are unprotected.

To choose which computers will lose protection, before the license expires:

  • Remove computers that you do not need to protect from the management UI. These computers might not be currently in use. When you remove them from the management UI, make sure that you uninstall the client software. For more information, see Uninstall the Endpoint Software.
  • Disable computers you do not want to protect but still want to manage from the management UI. On the Computers page, select the computer you want to disable. To remove assigned licenses, on the Details tab, click the × next to the Licenses you want to remove.

If the license is renewed within 90 days after you cancel it or it expires, device protection is automatically re-enabled and updated on devices connected to the Internet (usually within 4 hours). After 90 days, if you renew the license, you must reinstall the endpoint agent and then create and assign all settings.

Related Topics

Activate an Endpoint Security License

Manage Trials – Service Providers

Manage Trials - Subscribers

Allocate Endpoints

About Endpoint Security Subscription Licenses

WatchGuard EDR Core Features

WatchGuard Endpoint Security Modules