Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft, WatchGuard Total MDR, WatchGuard Open MDR
WatchGuard MDR is a managed detection and response service that keeps your licensed endpoints safe with security monitoring, threat hunting, attack detection, investigation, and containment.
There are four MDR licenses that provide managed services:
| WatchGuard MDR License | Monitored Environments | Additional Requirements |
|---|---|---|
| WatchGuard Core MDR | WatchGuard Endpoint Security | WatchGuard Advanced EPDR, EDPR, EDR, Panda Adaptive Defense, or Panda Adaptive Defense 360 license |
| Microsoft 365 |
Access to your Microsoft 365 environment For more information, go to Connect WatchGuard MDR with Microsoft 365. |
|
| WatchGuard Core MDR for Microsoft | Microsoft Defender for Endpoints |
Bring Your Own License (BYOL) — Each endpoint that you want WatchGuard MDR to monitor must have a Defender for Endpoint P1 or Defender for Endpoint P2 license. For more information about recommended Microsoft subscriptions, go to Connect WatchGuard MDR with Microsoft Defender. |
| Microsoft 365 |
Access to your Microsoft 365 environment For more information, go to Connect WatchGuard MDR with Microsoft 365. |
|
| WatchGuard Total MDR | WatchGuard Endpoint Security | WatchGuard Advanced EPDR, EDPR, or EDR license |
| WatchGuard Fireboxes | Total Security Suite (TSS) license | |
| AuthPoint | AuthPoint Multi-Factor Authentication or AuthPoint Total Identity Security license | |
| NDR | ThreatSync+ NDR license | |
| AWS CloudTrail |
Access to your AWS environment For more information, go to Connect WatchGuard MDR with AWS CloudTrail. |
|
| Google Workspace |
Access to your Google Workspace environment For more information, go to Connect WatchGuard with Google Workspace. |
|
| Microsoft 365 |
Access to your Microsoft 365 environment For more information, go to Connect WatchGuard MDR with Microsoft 365. |
|
| Azure Cloud Security Posture Management (CSPM) |
Access to your Microsoft Azure environment For more information, go to Microsoft Azure Cloud Security Posture Management (CSPM) with WatchGuard MDR. |
|
| AWS Cloud Security Posture Management (CSPM) |
Access to your AWS environment For more information, go to AWS Cloud Security Posture Management (CSPM) with WatchGuard MDR. |
|
| WatchGuard Open MDR | WatchGuard Endpoint Security |
WatchGuard Advanced EPDR, EDPR, or EDR license |
| WatchGuard Fireboxes |
Total Security Suite (TSS) license |
|
| AuthPoint | AuthPoint Multi-Factor Authentication or AuthPoint Total Identity Security license | |
| NDR | ThreatSync+ NDR license | |
| Microsoft Defender for Endpoints |
Bring Your Own License (BYOL) — Each endpoint that you want WatchGuard MDR to monitor must have a Defender for Endpoint P1 or Defender for Endpoint P2 license. For more information about recommended Microsoft subscriptions, go to Connect WatchGuard MDR with Microsoft Defender. |
|
| AWS CloudTrail |
Access to your AWS environment For more information, go to Connect WatchGuard MDR with AWS CloudTrail. |
|
| Google Workspace |
Access to your Google Workspace environment For more information, go to Connect WatchGuard with Google Workspace. |
|
| Microsoft 365 |
Access to your Microsoft 365 environment For more information, go to Connect WatchGuard MDR with Microsoft 365. |
|
| Azure Cloud Security Posture Management (CSPM) |
Access to your Microsoft Azure environment For more information, go to Microsoft Azure Cloud Security Posture Management (CSPM) with WatchGuard MDR. |
|
| AWS Cloud Security Posture Management (CSPM) |
Access to your AWS environment For more information, go to AWS Cloud Security Posture Management (CSPM) with WatchGuard MDR. |
|
| CrowdStrike EDR |
Bring Your Own License (BYOL) — Falcon Insight™ license from CrowdStrike For more information, go to CrowdStrike EDR Integration with WatchGuard Open MDR. |
|
| Okta |
Access to your Okta environment For more information, go to Okta Integration with WatchGuard Open MDR. |
|
| Supported Third-party Firewalls | You must have the required license and permissions for your third-party firewall to configure syslog forwarding. For more information and a list of supported firewalls, go to WatchGuard MDR Integration Guides. |
License Combinations and Restrictions
For environments with both WatchGuard Endpoint Security and Microsoft Defender, you can allocate WatchGuard Core MDR and WatchGuard Core MDR for Microsoft.
You cannot combine any other WatchGuard MDR licenses in the same Subscriber account.
License Types
WatchGuard Core MDR for Microsoft, WatchGuard Total MDR, and WatchGuard Open MDR monitor one endpoint device for each licensed user.
There are these types of licenses:
Term Licenses
A term license has a set number of users and a set duration, or term. For example, you might purchase a license for 100 users that expires after three years. The license expires the day after the expiration date at 00 UTC.
Subscription Licenses
A subscription license enables you and your managed accounts to add users with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of users you have allocated. For more information, go to About Subscription Licenses in WatchGuard Cloud.
NFR Licenses (Service Providers only)
A Not for Resale license includes a set number of users and typically has a three-year term. NFR licenses are available to Service Providers only.
Allocation Types
When Service Providers allocate users from a license to their managed accounts, they select an allocation type which specifies how the managed account can use the users.
Term Allocation
When you allocate users as a term allocation, the managed account can allocate a specific number of users to an account for a set duration or term from a term license or MSSP points.
Subscription Allocation
When you allocate users as a subscription allocation, the managed account can allocate a specific number of users or an unlimited number of users . WatchGuard bills the account monthly based on the number of active users.
Linked to License
When you allocate users as Linked to License, the quantity and expiration date of the allocated users are linked to the quantity and expiration date of your term license.
Term License Activation
You can activate licenses on the Activate Licenses page on the WatchGuard website. For more information, go to Activate a WatchGuard MDR License.
After you activate a WatchGuard Core MDR for Microsoft, WatchGuard Total MDR, or WatchGuard Open MDR license, you can review the activated licenses for your account in Support Center on the Managed Services page. Click the name of a license to view the details and history of that license.
Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.
Subscribers
Subscriber accounts can only have one product license. When a Subscriber account activates a new license key in the Support Center, it is used to modify the current active license. You can use a new license to add users or extend the license expiration.
Service Providers
Service Providers can have many product licenses. When a Service Provider activates a new license key, they can use it to modify an active license or add a new, separate license. After activation, the license appears in the Service Provider inventory in WatchGuard Cloud, but the expiration date of the license is tracked separately.
License Renewals
To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you select whether to add users or extend your current license. When you add users to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.
Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated users count and the term length of the license you activated. If you add users, the number of users you purchased is added to your current inventory. For example, if you have 50 users and purchase a term license for 100 users, your final count after you activate your new license is 150 users.
If you have an active subscription license, when you renew a term license, your subscription usage count reduces automatically so that only the users in excess of your termed license are billed as subscription users.
When you extend your license, if you purchased the same number of users that you currently have, your license is extended for another period (one or three years). If you purchased more users than are in your current inventory, your inventory immediately updates to match the number of users you purchased the license for.
To renew with fewer users, purchase a license for the desired number of users and choose Extend License when you activate your license key.
When you renew the license for fewer users, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of users available for your managed accounts and your account could become overallocated.
If you have an active subscription license, when you renew or upgrade a term license your subscription usage is automatically updated so that only the users in excess of your termed licenses are billed as subscription users.
License Expiration
WatchGuard Core MDR for Microsoft, WatchGuard Total MDR, and WatchGuard Open MDR licenses expire the day after the expiration date at 00 UTC. After a license expires, there is a seven-day grace period. If you renew your license before the grace period ends, no further action is required. If you do not renew your license before the grace period ends:
- For WatchGuard Core MDR, the WatchGuard MDR team no longer monitors your licensed endpoints or Microsoft 365 environment.
- For WatchGuard Core MDR for Microsoft, the MDR team no longer monitors Microsoft Defender.
- For WatchGuard Total MDR and WatchGuard Open MDR, the MDR team no longer monitors your licensed endpoints, Fireboxes, AuthPoint, ThreatSync, and ThreatSync+ NDR, or your cloud-based Microsoft 365, AWS CloudTrail, and Google Workspace environments.
- For WatchGuard Open MDR, the MDR team no longer monitors your CrowdStrike EDR or Okta environments or third-party firewall logs.
- Access to the Managed Services portal is disabled.
- WatchGuard Core MDR for Microsoft data is deleted.
If you are a Service Provider with different WatchGuard MDR licenses and one license expires, the managed services continue. After you renew your license, monitoring by the MDR team and access to the portal return for all affected endpoints.
Overallocation
Service Provider accounts could become overallocated when an account they manage allocates more users than there are available in the license. When a Service Provider account becomes overallocated, access to the Managed Services portal is no longer available.
To identify accounts that are over their limit, review Subscriber dashboards and audit logs. When an account is overallocated, we recommend that you reduce the number of allocated users (deallocate), or increase the number of users in the license. For more information on overallocation, go to Inventory Overallocation in WatchGuard Cloud.