About Firebox WatchGuard Cloud Licenses
To add a Firebox to WatchGuard Cloud, the Firebox must have an active Total Security Suite or Basic Security Suite license, or a Standard Support license that includes access to WatchGuard Cloud. To connect to WatchGuard Cloud, Fireboxes with a Standard Support license must have Fireware v12.9 or higher and a feature key with a valid CLOUD_CONNECT entry.
The Firebox Cloud Hourly license does not include support for WatchGuard Cloud. For more information, go to Firebox Cloud License Options.
Most devices with a Standard Support license (Fireware v12.9 or higher) can be added to WatchGuard Cloud for centralized management. They do not send log messages to WatchGuard Cloud and there is no reporting or data retention. These Fireboxes with Standard Support cannot connect to WatchGuard Cloud:
- T15
- T35
- T55
- T70
Devices with a Total Security Suite or Basic Security Suite license send log messages to WatchGuard Cloud. The license includes a default retention period for Firebox data in WatchGuard Cloud:
- For a Firebox with the Total Security Suite:
- Reports — The data retention period for reports is 30 days plus the number of days associated with the Data Retention license assigned to the Firebox if a Data Retention license is purchased.
- Log Manager and Log Search — The data retention period for log data for Log Manager and Log Search is 365 days. 10 days of log data (plus the number of days associated with the Data Retention license assigned to the Firebox) is available for fast searches.
- For a Firebox with the Basic Security Suite:
- Reports — The data retention period for reports is 1 day plus the number of days associated with the Data Retention license assigned to the Firebox if a Data Retention license is purchased.
- Log Manager and Log Search — The data retention period for Log Manager and Log Search is 90 days. Fast search is not available with Basic Security Suite unless you purchase a Data Retention License.
License and Trial Activation
There is no separate activation required to enable WatchGuard Cloud. To increase the data retention period for a Firebox in WatchGuard Cloud, you can activate a Data Retention license and assign it to the Firebox in your WatchGuard Cloud account. For more information, go to About Data Retention Licenses.
If you activate trials for security services on your Standard Support Firebox during the activation process, and then add the Firebox to WatchGuard Cloud as a cloud-managed device, you cannot configure these services in WatchGuard Cloud:
- Application Control
- APT Blocker
- Gateway AntiVirus
- Intrusion Prevention Service
- Reputation Enabled Defense
- spamBlocker
- WebBlocker
To configure a 30-day trial of these security services on a device with Standard Support, the device must be locally-managed.
WatchGuard Cloud in the Feature Key
The Firebox feature key determines whether you can enable WatchGuard Cloud on the Firebox. With the release of Fireware v12.9, when you activate one of these devices, the feature key includes CLOUD_VISIBILITY and CLOUD_CONNECT:
- NV5
- T20/T20-W, T25/T25-W, T40/T40-W, T45, T45-PoE, T45-W-PoE, T45-CW, T80, T85-PoE
- M270, M290, M370, M390, M470, M570, M590, M670, M690, M4600, M4800, M5600, M5800
- FireboxV, Firebox Cloud (BYOL only)
Feature keys with CLOUD_CONNECT allow Fireboxes that run Fireware v12.9 to connect to WatchGuard Cloud. Older feature keys could include LIVE_SECURITY or SUPPORT, and CLOUD_VISIBILITY or DIMENSION_BASIC. The feature key should synchronize automatically with the update to Fireware v12.9. If you do not have the Enable automatic feature key synchronization option enabled, then we recommend that you manually synchronize the feature key from Fireware Web UI or WSM. For more information, go to Get a Firebox Feature Key.
When you add a Firebox to WatchGuard Cloud, you must use Fireware Web UI or Policy Manager to enable the feature in the Firebox configuration. For information about how to see the feature key on your Firebox, go to About Feature Keys.
If you activated your Basic Security Suite or Total Security Suite license before the release of Device Visibility support in WatchGuard Cloud, you might need to synchronize the feature key on the Firebox to add DIMENSION_BASIC. For more information, go to Get a Firebox Feature Key.
Renewals and Expiration
To avoid loss of data, we recommend that you renew the Total Security Suite or Basic Security Suite license before the license expires.
The expiration date of the CLOUD VISIBILITY feature controls whether the Firebox sends log messages to WatchGuard Cloud and whether WatchGuard Cloud continues to store data for the Firebox. To renew WatchGuard Cloud data retention, you must renew your Total Security Suite or Basic Security Suite license. Standard Support licenses do not send log messages to WatchGuard Cloud.
For information about what happens when a WatchGuard Cloud license with a Data Retention license expires, go to WatchGuard Cloud and Data Retention License Expiration.
If the Total Security Suite or Basic Security Suite license for a cloud-managed Firebox expires, a seven-day grace period starts. During the grace period, the Firebox continues to send log messages to WatchGuard Cloud. Log and report data remains in WatchGuard Cloud for the default data retention period associated with the license. For information about the default data retention period, go to License and Trial Activation.
After the grace period and default data retention period:
- The Firebox no longer communicates with WatchGuard Cloud.
- The Firebox connection status in WatchGuard Cloud is Not Connected.
- You can use Fireware Web UI to modify the Firebox configuration locally.
We recommend that you assign a Data Retention license to a Firebox to extend the data retention period. If the Firebox has a Data Retention license, historical log and report data remain in WatchGuard Cloud for the number of days provided by the Data Retention license. For more information, go to Manage Data Retention Licenses.
After the license for a cloud-managed Firebox expires, to continue to manage your Firebox in WatchGuard Cloud, you must renew your license or purchase a Standard Support license. When you do this, supported Fireboxes automatically reconnect to WatchGuard Cloud.
If you choose not to renew your Total Security Suite or Basic Security Suite license or purchase a Standard Support license, you can manage the Firebox locally. We recommend that you remove the Firebox from WatchGuard Cloud. When you manage your Firebox locally with an expired feature key:
- The Firebox retains its configuration.
- Web traffic fails if WebBlocker is enabled with the default setting to deny outbound web traffic.
- Subscription security services no longer work.
FireCluster License Requirements
FireCluster license requirements for WatchGuard Cloud are the same as for other subscription services. To enable WatchGuard Cloud on a FireCluster, the FireCluster must have a Total Security Suite or Basic Security Suite license.
- A locally-managed or cloud-managed active/passive FireCluster requires a license for only one member.
- A locally-managed active/active FireCluster requires a license for both members.
For information about how to see the licensed features on your FireCluster, go to About Feature Keys and FireCluster.