Best Practices for Service Providers in WatchGuard Cloud

A Service Provider account is the top level account that a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) uses to manage many customers or tenants (called Subscribers in WatchGuard Cloud).

The WatchGuard Cloud platform is specifically designed to meet the needs of Service Providers. Centralized and streamlined security administration with WatchGuard Cloud provides security policy management, threat remediation, visibility, and reports from a single user interface.

As a Service Provider, WatchGuard Cloud is where you create and manage your own account and Subscriber accounts for your customers. You also use WatchGuard Cloud to configure WatchGuard products and services and allocate users and licenses to the accounts you manage.

We recommend that Service Providers follow these best practices in WatchGuard Cloud:

View Your Service Provider Account Overview

When you log in to WatchGuard Cloud with your Service Provider account, you see your own Subscriber overview account, which is where you can manage your internal network devices, products and services, and review reports.

Account Manager, located in the left pane of the WatchGuard Cloud window, provides a unified view of the Service Provider and Subscriber accounts you manage. Service Provider accounts include a icon and Subscriber accounts include a icon.

To view your own Subscriber account, from Account Manager, select My Account.

You can also select the Subscriber view of any other managed account in Account Manager.

For more information about how to use Account Manager to manage your accounts, go to About WatchGuard Cloud Account Manager (Service Providers).

Manage Your Service Provider and Subscriber Accounts

As a Service Provider in WatchGuard Cloud, you use Account Manager to navigate between your managed Service Provider and Subscriber accounts.

Account Manager enables Service Providers to make changes to devices or user-based services across multiple accounts. For example, Service Provider accounts can upgrade Fireboxes and access points across multiple accounts without the need to navigate to each account separately. Service Providers can review notifications, audit logs, and account-level settings for a managed account without the need to switch to the Subscriber view of the account.

Multi-Tier Management

WatchGuard Cloud is a multi-tenant, multi-tier system.

  • Each Service Provider account can create and manage customer accounts up to five tiers (for example, tier-1 Service Provider > tier-2 Service Provider > tier-3 Service Provider > tier-4 Service Provider > tier-5 Subscriber). For information go to Add or Delete a Managed Account.
  • After a Service Provider creates a managed customer account, you can allocate users, devices, and licenses from your inventory to the account. For more information, go to Manage Inventory.
  • Each managed customer account has its own WatchGuard Cloud account and its own operators (users who can log in to WatchGuard Cloud to view and manage account information and configure services).
  • For each account they manage, a Service Provider can use the Subscriber view, configure WatchGuard products and services, and view reports.

For more detailed information about how to manage accounts, go to Account Management.

Account Groups and Operator Permissions

Service Providers can use Account Groups to control account access in WatchGuard Cloud. To simplify account access management, set up account groups so that you can assign operator permissions to manage a group of similar accounts instead of each individual account.

For example, you might have some support staff who manage only a specific subset of all your Subscriber accounts. You want to make sure that you only enable access to the Subscribers the operators manage, and not all Subscribers in your WatchGuard Cloud Service Provider account. You can create different Account Groups and only allow access to the appropriate account group in the settings for the support staff operators.

For more detailed information, go to Manage Account Groups.

Screenshot of Account Groups in WatchGuard Cloud

Account Groups and Policies for Endpoint Configuration

Service Providers can also use account groups to assign policies for endpoint configuration across multiple accounts.

  • You can centrally manage the endpoint security of tenant Subscriber and Service Provider accounts and account groups in WatchGuard Cloud.
  • You can apply endpoint security setting profiles and tasks to computers and devices on the network in the multi-tenant endpoint security management UI.

For more detailed information, go to About Multi-Tenant Management in WatchGuard Endpoint Security.

Use Account Delegation To Help Manage Subscriber Accounts

If Subscribers need help with the management of their accounts, they can delegate their account to a Service Provider. When a Subscriber delegates their account, this enables the Service Provider to manage the account and its products and services.

Services Providers can also manage inventory allocation for delegated Subscribers with a WatchGuard account (tier-1 Subscribers).

These are the primary use cases for account delegation:

  • A Subscriber needs help to configure their products and services
  • A Subscriber needs the Service Provider to manage their account while out of the office or unavailable
  • A Subscriber purchased and activated WatchGuard products, but wants the Service Provider to configure and manage them
  • A Subscriber wants the Service Provider to fully manage their account

Account delegation can be temporary or it can be permanent (until revoked). If customers contact you to request your help with the management of their accounts and you agree to do so, then they delegate their account to you. As the Service Provider, you must initiate the account delegation process with a request for account access.

For more detailed information on how to manage Subscriber account delegation, go to Manage a Delegated Account.

Simplify Configuration with Firebox Templates

Firebox templates provide a way to manage shared configuration settings for multiple cloud-managed Fireboxes.

  • In a Firebox template, you can configure firewall policies and services just as you would for an individual Firebox, and then apply that template to multiple cloud-managed Fireboxes. For more information, go to About Firebox Templates.
  • As a Service Provider, you can create Firebox templates that are available to devices in all your managed accounts.
  • When you create a Firebox template in a Service Provider account, all Subscriber accounts inherit that template as a read-only template. For more information about template inheritance, go to Firebox Template Inheritance.
  • Devices from multiple managed accounts can subscribe to the same template to provide a standard, consistent, and secure configuration.
  • As a Service Provider, you can subscribe devices in any account you manage to the inherited template, or copy that template to create a new editable template.
  • When you deploy a change to a Service Provider template, the template changes automatically deploy to all subscribed devices.

To plan your templates, identify common Firebox policies and services that you can group together. Instead of just one template, consider the use of multiple templates based on specific groups of policies and services. You can create a base template for standard settings that you apply to all Subscriber account devices, and then apply other templates as needed to enable different policies and services, based on the requirements of a specific Subscriber or group of Subscriber accounts.

These general examples show how as a Service Provider, you can use templates to configure and update cloud-managed devices in your Subscriber accounts.

Global Configuration Template

In this simplest configuration, you create a global template in your Service Provider account to use for devices in all Subscriber accounts.

Diagram of the global configuration use case

In this example: 

  • In the Service Provider account, create and deploy a template with global base settings that are applicable to all devices.
  • In each Subscriber account, an operator subscribes all devices to the template.

Benefits:

  • Service Provider creates and deploys the global template once.
  • When the Service Provider updates and deploys the template, any changes deploy to all subscribed devices automatically.

Multiple Templates

In the Service Provider account, configure multiple templates that all Subscriber accounts inherit. With multiple templates, you can create a single base template that contains common settings that you can apply to multiple devices.

Then, you can create additional templates that enable and configure different policies, services, and features, and apply them as required for Subscriber accounts.

Diagram of the multiple template use case

In this example:

  • In the Service Provider account, you create and deploy multiple templates. For example:
    • Base — template with settings appropriate for most devices
    • Services — One or more templates that enable specific policies and services
  • In Subscriber accounts, an operator subscribes specific devices to one or more templates as required for the deployment.

Benefits:

  • The Service Provider creates each template once.
  • When the Service Provider deploys an update to a template, any changes deploy to all subscribed devices automatically.
  • You can use multiple templates to apply different policies and services as required, based on Subscriber account requirements.

Keep your Device Firmware Up to Date

As a Service Provider, you can upgrade the firmware for devices in any Subscriber account you manage. WatchGuard Cloud helps you keep the cloud-managed Fireboxes and access points of your Subscribers up to date with the latest firmware release.

  • Keep your device firmware current to make sure that you always have the latest security and product updates for the device. This includes updates to resolve emerging security vulnerabilities and to fix known product issues.
  • You can view which devices have firmware upgrades available from the Device Firmware widget on your Dashboard.

Screen shot of the Device Upgrades widget on the WatchGuard Cloud dashboard

  • Click the widget to go to the Firmware Upgrades overview page where you can immediately upgrade one or more devices, or schedule firmware upgrades.

Screenshot of the Firmware Upgrades Overview page in WatchGuard Cloud

Use firmware update schedules to update your Subscriber devices. This enables you to automate the process for each Subscriber account and customize a schedule with appropriate times for each Subscriber to avoid network disruption. For more information on how to configure and schedule firmware upgrades, go to Upgrade Firmware in WatchGuard Cloud.

  • Make sure you subscribe to the WatchGuard Product and Support News blog for product updates, new firmware announcements, and support alerts.
  • Read the What's New information and Release Notes to review the new features and resolved issues in a product release.
  • To view the Release Notes of any product release, go to Release Notes.
  • To view all product documentation, including the What's New information and Help for each release, go to watchguard.com/help.

Keep Firebox Certificates Up to Date

As a Service Provider, it is important that you track the expiration of any device certificates installed on cloud-managed Fireboxes in your Subscriber accounts.

WatchGuard Cloud stores custom certificates that makes it easy to upload the same certificate across multiple Fireboxes. However, after you install the certificates, you must manage the certificates of each account and Firebox individually.

  • Make sure that Firebox certificates are not expired or do not expire soon.
  • To view the current list of certificates for a Subscriber account, select the Subscriber account, then select Administration > Certificates.
  • To view specific device certificates, go to Configure > Devices > Device Configuration > Device Certificates.

From the Service Provider view, you can manage certificates on the Device Configuration page only. From the Subscriber view, you can manage certificates for your account or managed accounts in the Administration menu, or for your cloud-managed devices on the Device Configuration page.

For more detailed information, go to Manage Certificates.

Review the Service Provider Dashboard

For Service Providers, the Dashboard page shows you a quick overview of your Service Provider account and your managed Service Provider and Subscriber accounts.

You can view information such as devices that have firmware upgrades available, the next license expiration, allocations for different products and services, and a ThreatSync incidents summary.

  • On the Dashboard page, several widgets show important information and provide useful links.
  • Different widgets appear when you select Overview, a Service Provider account, or a Subscriber account in Account Manager.
  • The content of the widgets on the Overview page reflects aggregated data for all the accounts (Service Provider and Subscriber) you manage.
  • To open the Overview page, in Account Manager, select Overview.

Screenshot of WatchGuard Cloud Service Provider Dashboard

For more information, go to About the Configure Devices Overview Page.

Review the ThreatSync Dashboard

ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard devices and Endpoint Security products to detect and respond to threats. For more information, go to About ThreatSync.

As a Service Provider, you can view threat information for all the accounts you manage.

Monitor ThreatSync

In WatchGuard Cloud, select Monitor > Threats.

The Summary page provides a snapshot of incident activity for your Subscriber accounts. This page includes graphs and incident data and provides a snapshot of incident activity over a specified period of time.

Screen shot of the Monitor Threats summary page in WatchGuard Cloud

The Incidents page shows a list of incidents for a specified time period and enables you to perform remediation actions.

  • An incident is activity that is confirmed to be malicious.
  • An incident can be as simple as an indicator of compromise, or as complex as an indicator of attack that sequences behaviors to determine malicious intent.

Screenshot of the Threats Incidents page in WatchGuard Cloud

For more information, go to Monitor ThreatSync.

Configure ThreatSync Automation Policy Templates

You can create ThreatSync automation policy templates that include multiple automation policies and assign the template to the accounts or account groups you manage.

Each ThreatSync account also has two default automation policies. These default automation policies enable ThreatSync to take automatic action on the highest and lowest risk incidents so you can focus on the most important incidents that might require manual investigation and remediation.

Screenshot of the ThreatSync Add Automation Policy Template page for Service Providers

These automation policy templates enable you to apply automation policies consistently across managed accounts, and save time when you set up ThreatSync for new accounts or account groups.

For example, you could create a policy that automatically deletes a file when ThreatSync detects a high or critical risk, such as a malicious file detected by APT Blocker. This automates the process of detection and remediation to delete the file on the computer with the WatchGuard Endpoint Agent.

Screenshot of the ThreatSync Add Policy page in WatchGuard Cloud

For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).

Schedule Executive Summary and Policy Usage Reports

WatchGuard provides useful summary reports that provide an overview of device status, network performance and security, and policy usage. For more detailed information about reports, go to View WatchGuard Cloud Device Reports.

As a Service Provider, you can schedule WatchGuard Cloud to run these reports automatically and send the reports to your customers by email. For more information, go to Schedule WatchGuard Cloud Reports.

Executive Summary

In the WatchGuard Cloud Device Summary page, you can view a summary of status for all devices and the detailed status for each device. You can also generate an Executive Summary report for a device or devices.

The Executive Summary report is a PDF report that includes a high-level summary of the attacks and traffic blocked by the Firebox.

For more detailed information, go to Executive Summary (WatchGuard Cloud).

The Malware Attacks section of the executive summary report

Top Categories section of the executive summary report

Policy Usage Report

The Policy Usage report is another report that you can generate for your customers to show policy usage by their users.

  • The report shows a list of policies and how each policy was used, including how much traffic was handled by each policy in a selected time range.
  • The report can help the customer understand which policies are used the most and if the policies are functioning the way they expect.
  • If you plan to migrate Fireboxes from local management to cloud management, the report can help you plan and optimize your use of policies and templates.

For more information, go to Policy Usage Report.

Screenshot of the Policy Usage report in WatchGuard Cloud

Report Customization

You can change the logo and Reply-to Email Address displayed on the report from the default WatchGuard logo and email address to the logo and email address of the partner you manage. With custom branding, the logo and email address seen by the customer show that it was sent from the partner account.

Any custom branding for your account is inherited by the Subscriber accounts you manage, and you can customize each Subscriber as required. For more information, go to Add Custom Branding.

Screenshot of the Custom Branding page in WatchGuard Cloud

Review and Customize Alert Notifications

Alerts are notifications about your managed accounts, Firebox and access point devices, or specific events that occur in WatchGuard Cloud.

Alerts make sure that you are aware of any significant changes that affect your managed accounts and devices. For example, you can receive an alert for events such as when a device feature key is about to expire.

You can view notifications from Administration > Notifications in WatchGuard Cloud.

For more information, go to Manage WatchGuard Cloud Alerts.

Screenshot of the Notifications configuration page in WatchGuard Cloud

In the Rules section, you can review several default rules. You can also add customized rules for events specific to the accounts you manage, and enable email delivery for specific alarm notifications.

A helpful rule you can add is the Device Alarms rule that generates alert notifications when a Firebox or access point generates an alarm. For example, you can configure a device to generate an alarm when a security service detects a malicious file, or when an access point detects a wireless threat. Note that if you also enable Email notifications, this increases the potential volume of email alert messages.

Screenshot of the Notifications - Rules configuration page in WatchGuard Cloud

Integrate Fireboxes and Endpoint Security with PSA Tools

You can integrate your Firebox with your existing professional service automation (PSA) tools such as ConnectWise and Autotask. These platforms enable service providers to automatically synchronize customer Firebox information for more efficient device management and monitoring.

  • Auto Synchronization of Asset Information — Automatically synchronizes your Firebox asset information and the status of your security service subscription that includes subscription start and end dates, device serial numbers, and firmware versions.
  • Closed-Loop Ticketing of System, Security, and Subscription Events — Configure event thresholds for a wide range of parameters to automatically trigger the creation and closure of tickets, such as security services, device statistics, and subscription status.

For detailed information on each WatchGuard technology integration available, go to:

Screenshot of the Technology Integrations landing page

WatchGuard Endpoint Security Integration Plug-ins

These plug-ins enable you to integrate WatchGuard Endpoint Security products with third-party RMM tools. For more information, go to WatchGuard Endpoint Security Plug-ins.

Integrate WatchGuard Devices and RMM Solutions with SNMP

You can use SNMP (Simple Network Management Protocol) to monitor WatchGuard Fireboxes and access points on your network. Your devices can accept polls from an SNMP management system and send SNMP trap messages for device events to an SNMP trap destination server.

For more information on how to configure SNMP on your WatchGuard device, go to:

When you configure SNMP on your WatchGuard devices, you can integrate with remote management and monitoring (RMM) solutions to monitor your devices.

Firebox and RMM Integrations

For detailed information on WatchGuard Firebox integrations with these popular RMM solutions, go to:

Access Points and RMM Integrations

For detailed information on WatchGuard access point integrations with these popular RMM solutions, go to:

Verify your MSSP Points Each Month

MSSPs can enroll in a flexible prepaid points program. Partners can manage and allocate these prepaid points to tenants. You can apply these points to most WatchGuard products. For more information about payment programs, go to WatchGuard Payment Programs and Product Bundling.

Products that you manage in WatchGuard Cloud and purchase with points show as a subscription. At the start of each calendar month, WatchGuard automatically deducts points from your total points available, based on the service type and monthly point allocation for each managed device and service.

From the WatchGuard Partner Portal, you can view the status of your points from MSSP Command in the Tools menu.

Screenshot of the MSSP Points in MSSP Command

If you use MSSP points, we recommend that you:

  • Manage and view your points activity and allocation.
  • You can view how you consume your points on a monthly basis and download a transaction history with an audit report for more detailed information.
  • The audit report also includes user data for full details about your points usage.
  • Make sure you have enough points for the next month.
  • An Alerts tile shows you the number of alerts related to the points for your account in the past ninety days. Click this tile to view a list with information about the alerts for your account.
  • You can receive email notifications to make sure that you always know if you are below the required points threshold for your next renewal.

For more detailed information about MSSP Command, go to Get Started with MSSP Command.

Keep Up To Date with Training and Certification

WatchGuard offers sales training and certification for our partner community, and technical training and certification for all partners and customers. When you keep current on training and certification, you demonstrate to your customers that you sell and support products with which your employees have a high level of technical competence.

You can find all WatchGuard sales and technical training in the WatchGuard Learning Center.

If you are a WatchGuard Partner, you can view the current status of your technical and sales certifications from the Partner portal. For more information about certification, go to Partner Specializations and Certification on the WatchGuard web site.