About Feature Keys and FireCluster

Each device in a cluster has its own feature key. When you configure a FireCluster, you import feature keys for each cluster member. For more information about how to get a feature key for a device, go to Get a Firebox Feature Key.

This topic explains the following:

How Cluster Licensing Works

When you enable a FireCluster, the subscription services and upgrades activated for cluster members operate as follows:

Support subscription

A support subscription applies to a single device, even when that device is configured as a member of a cluster. Each device in the cluster must have an active support subscription at the same support level. If the support subscription expires for one or both cluster members, the cluster still functions as usual, and role changes, configuration changes, and failovers can still occur. However, you cannot upgrade Fireware on that device, or replace it with an RMA unit. In the feature key, the support subscription is identified by the old name for WatchGuard support, LiveSecurity Service. In the Feature Key Details, the feature key line item for the support subscription appears in this format: Feature: LIVESECURITY@MMM-DD-YYYY.

The support level for each cluster Firebox is not visible in the feature key. To see the support level and subscription expiration dates for each member, go to the Manage Products page in your account on the WatchGuard website. Each FireCluster member is entitled to the level of support purchased for that Firebox. For example, if only one member of a FireCluster has a Gold Support upgrade, the other cluster member receives the level of support associated with its own support subscription.

For information about support levels, go to https://www.watchguard.com/wgrd-support/support-levels.

Dimension Command

To manage a FireCluster with Dimension, the feature key must have both the LiveSecurity Service and Dimension Command feature enabled. The requirements for the Dimension Command feature key are different for an active/active cluster and an active/passive cluster.

  • Active/Active — Dimension Command must be enabled in the feature keys for both cluster members.
  • Active/Passive — Dimension Command must be enabled in the feature key for only one cluster member. The active cluster member uses the Dimension Command license that is active in the feature key of either cluster member.

For more information about how to use Dimension for management, go to Add a Firebox to Dimension for Management.

BOVPN and Mobile VPN upgrades

Branch Office VPN (BOVPN) and Mobile VPN licenses operate differently for an active/active cluster and an active/passive cluster.

  • Active/Active — Licenses for Branch Office VPN and Mobile VPN are aggregated for devices configured as a FireCluster. If you purchase additional BOVPN or Mobile VPN licenses for each device in a cluster, that additional capacity is shared between the devices in the cluster. For example, if you have two devices in a cluster and each device feature key has a capacity for 2000 Mobile VPN users, the effective license for the FireCluster is 4000 Mobile VPN users.
  • Active/Passive — Licenses for Branch Office and Mobile VPN are not aggregated for devices configured as a FireCluster. The active device uses the highest capacity Branch Office and Mobile VPN activated for either device. If you purchase additional BOVPN or Mobile VPN licenses for either device in a cluster, the additional capacity is used by the active device.

Subscription Services

Subscription services such as WebBlocker, spamBlocker, and Gateway AntiVirus operate differently for an active/active cluster and an active/passive cluster.

  • Active/Active — You must have the same subscription services enabled in the feature keys for both cluster members. Each cluster member applies the services from its own feature key.
  • Active/Passive — You must enable the subscription services in the feature key for only one cluster member. The active cluster member uses the subscription services that are active in the feature key of either cluster member.

In an active/active cluster, it is very important to renew subscription services for both cluster members. If a subscription service expires on one member of an active/active cluster, the service does not function for that member. The member with the expired license continues to pass traffic, but does not apply the service to that traffic.

Mobile Security

The Mobile Security license specifies the capacity for the number of mobile security users and also has an expiration date. Mobile Security licenses operate different for an active/active cluster and an active/passive cluster.

  • Active/Active — You must have Mobile Security enabled in the feature keys for both cluster members. Licenses for Mobile Security are aggregated for devices configured as a FireCluster. If you purchase additional Mobile Security licenses for each device in a cluster, that additional capacity is shared between the devices in the cluster. For example, if you have two devices in a cluster and each device feature key has a capacity for 100 Mobile Security users, the effective license for the FireCluster is 200 Mobile Security users.
  • Active/Passive — You must enable Mobile Security in the feature key for only one cluster member. Licenses for Mobile Security are not aggregated for devices configured as a FireCluster. The active device uses the highest capacity Mobile Security license activated for either device. If you purchase additional Mobile Security licenses for either device in a cluster, the additional capacity is used by the active device.

See the Feature Keys and Cluster Features for a Cluster

  1. Open Policy Manager for the cluster master.
  2. Select FireCluster > Configure.
  3. Select the Members tab.

Screenshot of the FireCluster Configuration dialog box, Members tab

  1. Select the FireCluster folder.
    Tabs with the cluster features, and features for each cluster member, appear at the bottom of the dialog box.
  2. To see the licensed features for the cluster, select the Cluster Features tab.
    • The Expiration and Status columns show the latest expiration date and days remaining for that service among the cluster members.
    • The Value column shows the status or capacity of the feature for the cluster as a whole.
  3. Select the Member tabs to see the individual licenses for each cluster member.
    Make sure to check the expiration date on any services for each cluster member.

See or Update the Feature Key for a Cluster Member in Policy Manager

You can use Policy Manager to see or update the feature key for each cluster member.

  1. Select FireCluster > Configure.
  2. Select the Members tab.
  3. In the FireCluster tree, select the member name. Click Edit.
    The FireCluster Member Configuration dialog box appears.

Screenshot of the FireCluster Member Configuration dialog box, Feature Key tab

  1. Select the Feature Key tab.
    The features that are available from this feature key appear.
    This tab also includes:
    • Whether each feature is enabled or disabled
    • A value assigned to the feature, such as the number of allowed VLAN interfaces
    • The expiration date of the feature
    • The amount of time that remains before the feature expires
  2. To update the feature key, click Remove. You must remove the feature key before you import the new feature key.
  3. Click Import.
    The Import Firebox Feature Key dialog box appears.

Screenshot of the Import Firebox Feature Key dialog box.

  1. To find the feature key file, click Browse.
    Or, copy the text of the feature key file and click Paste to insert it in the dialog box. Click OK.
  2. Save the Configuration File.
    The feature key is not copied to the device until you save the configuration file to the cluster master.

In Policy Manager, you can also select Setup > Feature Keys to see the feature key information for the cluster, and to enable automatic feature key synchronization for the cluster.

For more information, go to Enable Feature Key Synchronization and Alarm Notification.

See the Feature Key in Firebox System Manager

You can also see the feature key, from Firebox System Manager:

  1. Select View > Feature Keys.
    The Firebox Feature Key dialog appears with a summary of all devices in the cluster. The Licensed Features section includes the features licensed for the entire cluster.

Screenshot of the Firebox Feature Key dialog box for a FireCluster.

  1. Click Details to see the details about the feature key for each device in the cluster.

Screenshot of the Feature Key Details dialog box for a FireCluster.

  1. Scroll down to see the feature key for the second device.

See the Feature Key in Fireware Web UI

If you use the management IP address of a cluster member to connect to a cluster member, you can select System > Feature Key to see the feature key for that member. You cannot use Fireware Web UI to remove or manage feature keys for cluster members.

RMA Subscription

To upgrade both FireCluster members to a Premium 4-Hour RMA subscription, you must purchase this subscription for each cluster member regardless of the cluster type (active/active or active/passive). For more information about Premium 4-Hour RMA subscriptions, go to the RMA Service FAQ on the WatchGuard website.

Related Topics

Configure FireCluster Manually

About Feature Keys