About Endpoint Security Licenses

The WatchGuard Endpoint Security portfolio includes these products and modules:

  • WatchGuard Endpoint Protection Platform (EPP)
  • WatchGuard Endpoint Detection and Response (EDR)
  • WatchGuard Endpoint Protection Detection and Response (EPDR)
  • WatchGuard Advanced EPDR
  • WatchGuard Full Encryption
  • WatchGuard Patch Management
  • WatchGuard Advanced Reporting Tool
  • WatchGuard Data Control
  • WatchGuard SIEMFeeder
  • WatchGuard MDR

WatchGuard EDR Core is included in the Firebox Total Security Suite. It is available for a limited number of endpoints, based on the Firebox model. With a Total Security Suite subscription license, you will see an EDR Core license in WatchGuard Cloud. You can use WatchGuard Cloud to manage EDR Core endpoint allocation and to access the Endpoint Security management UI. For information on EDR Core features, go to WatchGuard EDR Core Features.

License Types

WatchGuard Endpoint Security products and modules are licensed for each endpoint (for example, computers, laptops, servers, mobile devices, etc.). There are four types of licenses:

Term Licenses

A term license has a set number of endpoints and a set duration, or term. For example, you might purchase a WatchGuard EPDR license for 100 endpoints that expires after three years. The license expires the day after the expiration date at 00 UTC.

Subscription Licenses

A subscription license enables you and your managed accounts to add endpoints with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of endpoints you have allocated. For more information, go to About Endpoint Security Subscription Licenses.

Trial Licenses

Trial licenses of WatchGuard Advanced EPDR, EPDR, EDR, EPP, and all modules are available to Service Provider and Subscriber accounts in WatchGuard Cloud. Trial licenses expire after 30 days but you can renew them one time for another 30 days. For information, go to Extend a Trial – Service Providers.

NFR Licenses (Service Providers only)

A Not for Resale license includes a set number of endpoints and typically has a three-year term. NFR licenses are available to Service Providers only.

Allocation Types

When Service Providers allocate endpoints from a license to their managed accounts, they select an allocation type which specifies how the managed account can use the endpoints.

Term Allocation

When you allocate endpoints as a term allocation, the managed account can allocate a specific number of endpoints to an account for a set duration or term from a term license or MSSP points.

Subscription Allocation

When you allocate endpoints as a subscription allocation, the managed account can allocate a specific number of endpoints or an unlimited number of endpoints. WatchGuard bills the account monthly based on the number of active endpoints.

Term License Activation

You can activate licenses on the Activate Licenses page on the WatchGuard website. For more information, go to Activate an Endpoint Security License.

After you activate an endpoint security product or module license, from Support Center, on the Endpoint Security page, you can review the activated licenses for your account. Select WatchGuard EPP, EDR, EPDR, or Advanced EPDR, and then click the name of a license to view the details and history of that license.

Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.

Subscribers

Subscriber accounts can have only one endpoint security product license. When a Subscriber account activates a new license key for an endpoint security product, it modifies the current active endpoint security product license. You can use a new license to add additional endpoints to, or extend the expiration date of, your existing license.

Service Providers

Service Providers can have many endpoint security product licenses. When a Service Provider activates a new license key, they can modify an active license or add a new, separate license. After activation, the endpoint license appears in the Service Provider inventory in WatchGuard Cloud.

Activate Endpoint Security Modules

To activate endpoint security modules, you must have an existing license for an endpoint security product (for example, WatchGuard EPP, EDR, EPDR, or Advanced EPDR). Available endpoint security modules depend on your endpoint security product:

  • WatchGuard Full Encryption — Available for use with WatchGuard EPP, WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR.
  • WatchGuard Patch Management — Available for use with WatchGuard EPP, WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR.
  • WatchGuard Advanced Reporting Tool — Available for use with WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR.
  • WatchGuard Data Control — Available for use with WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR. Only available in select European countries.
  • WatchGuard SIEMFeeder — Available for use with WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR.
  • WatchGuard MDR — For approved Partners, available for use with WatchGuard EDR, WatchGuard EPDR, and Advanced EPDR.

Modules are not available with WatchGuard EDR Core. We recommend you upgrade to WatchGuard EPDR. If you upgrade to WatchGuard EPDR, your EDR Core license becomes inactive.

You cannot allocate more modules than the number of endpoints in the endpoint security product license. The required number of endpoints in the module license also varies by module:

  • WatchGuard Full Encryption — Module license must include the same number of endpoints as Windows and Mac devices deployed. If Full Encryption is only used in some specific endpoints, you can set the number of endpoints where the module will be used. For more information, go to WatchGuard Full Encryption Requirements.
  • WatchGuard Patch Management — Module license must include the same number of endpoints as endpoint devices deployed (Windows, Linux, and Mac). For more information, go to Patch Management Requirements.
  • WatchGuard Advanced Reporting Tool (ART) — Module license must include the same number of endpoints as workstations and servers protected (Windows, Linux, and Mac). For more information, go to Advanced Visualization Tool Requirements.
  • WatchGuard Data Control — Module license must include the same number of endpoints as Windows devices deployed. For more information, go to Advanced Visualization Tool Requirements.
  • WatchGuard SIEMFeeder — Module license must include the same number of endpoints for the SIEMFeeder service as you have for WatchGuard EDR, WatchGuard EPDR, or Advanced EPDR. For more information, go to SIEMFeeder Requirements.
  • WatchGuard MDR — Module license must include the same number of endpoints for WatchGuard MDR as you have for WatchGuard EDR, WatchGuard EPDR, or Advanced EPDR. For more information, go to About WatchGuard MDR.

If WatchGuard detects that any WatchGuard endpoint security module has been used on more computers than allowed, we reserve the right to disable the module on the computers you do not have licenses for.

License Renewals

To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you choose whether you want to add endpoints or extend your current license. When you add to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.

Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated user count and the term length of the license you activated. If you add endpoints, the number of endpoints you purchased is added to your current inventory. So, if you have 50 endpoints and purchase a term license for 100 endpoints, your final count after you activate your new license is 150 endpoints.

If you have an active subscription license, when you renew or upgrade a term license, your subscription usage count reduces automatically so that only the endpoints in excess of your termed license are billed as subscription endpoints.

When you extend your license, if you purchased the same number of endpoints that you currently have, your license is extended for another period (one or three years). If you purchased more endpoints than are in your current inventory, your inventory immediately updates to match the number of endpoints you purchased the license for.

To renew with fewer endpoints, purchase a license for the desired number of endpoints and choose Extend License when you activate your license key.

When you renew the license for fewer endpoints, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of endpoints available for your managed accounts and your account could become overallocated.

Overallocation

Service Provider accounts could become overallocated when an account they manage allocates more endpoints than there are available in the license. Access to all accounts in the management UI is then disabled. If your account becomes overallocated, you cannot manage configurations in the multi-tenant endpoint security management UI and no new installations are permitted.

When an account is overallocated, the product protection layers are maintained to prevent infection. Signature files are still updated.

If an endpoint security module is overallocated, the module is deactivated in affected endpoints and you will not be able to see the module in the management UI.

  • WatchGuard Patch Management — Tasks stop and patches are no longer applied. There is no visibility into available patches or end-of-life software as the module is not available in the management UI.
  • WatchGuard Data Control — Discovery, classification, and monitoring of sensitive information stops.
  • WatchGuard Full Encryption — Endpoints that are already encrypted remain encrypted. You cannot encrypt new endpoints or change the configuration. The module is not available in the management UI.
  • WatchGuard Advanced Reporting Tool — Continues to send telemetry to the cloud. The module is not available in the management UI.

License Upgrades

Service Provider accounts can have multiple WatchGuard Endpoint Security licenses on their account. In WatchGuard Cloud, Service Providers can change product allocation to a different product (for example, change WatchGuard EDR to WatchGuard EPDR). For more information, go to Allocate Endpoints.

Tier-1 Service Providers can only upgrade a WatchGuard Endpoint Security license during activation. You cannot downgrade a license during activation. For more information, go to Activate an Endpoint Security License

Current Product Upgrade Available
WatchGuard EDR Core (available with the Firebox Total Security Suite subscription) WatchGuard EDR, WatchGuard EPDR, Advanced EPDR*
WatchGuard EPP WatchGuard EDR, WatchGuard EPDR, Advanced EPDR
WatchGuard EDR WatchGuard EPDR, Advanced EPDR
WatchGuard EPDR Advanced EPDR
WatchGuard Advanced EPDR None

* When you upgrade EDR Core to WatchGuard EDR, EPDR, or Advanced EPDR, the EDR Core license becomes inactive. If the upgraded license expires, the WatchGuard EDR Core license becomes active.

If you have a Total Security Suite license with EDR Core and then activate Passport or another Endpoint Security product such as WatchGuard EPDR, the EDR Core license becomes inactive in WatchGuard Cloud. Make sure that the new license has the same number or more endpoints available to avoid overallocation in the account.

License Expiration

If you remove a license or a license expires, there is a seven-day grace period during which time devices remain protected. (The license expires the day after the expiration date at 00:00 UTC.) After the grace period, devices with an expired license:

  • Are unprotected, with no antivirus, advanced protection, firewall, device control, and URL filtering.
  • Cannot access the management UI.
  • Do not receive signature file updates.
  • Do not have scheduled tasks. All scheduled scans and patch tasks are disabled.

If the license expires for some devices but not others, computers and devices that have been offline for the longest time lose their license and are unprotected.

To select which computers would lose protection, before the license expires:

  • Remove computers that you do not need to protect from the management UI. These computers might not be currently in use. When you remove them from the management UI, make sure that you uninstall the client software. For more information, go to Uninstall the Endpoint Software.
  • Disable computers you do not want to protect but still want to manage from the management UI. On the Computers page, select the computer you want to disable. To remove assigned licenses, on the Details tab, click the × next to the Licenses you want to remove.

If the license is renewed within 90 days after you cancel it or it expires, device protection is automatically re-enabled and updated on devices connected to the Internet (usually within 4 hours). After 90 days, if you renew the license, you must reinstall the endpoint agent and then create and assign all settings.

Related Topics

Activate an Endpoint Security License

Manage Trials – Service Providers

Manage Trials – Subscribers

Allocate Endpoints

About Endpoint Security Subscription Licenses

WatchGuard EDR Core Features

WatchGuard Endpoint Security Modules