About ThreatSync+ NDR Licenses

Applies To: ThreatSync+ NDR

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure.

License Types

ThreatSync+ NDR is licensed for each user.

There are four types of licenses:

Term Licenses

A term license has a set number of users and a set duration, or term. For example, you might purchase a license for 100 users that expires after three years. The license expires the day after the expiration date at 00 UTC.

Subscription Licenses

A subscription license enables you and your managed accounts to add users with no allocation limits. You can set a limit on the accounts you manage. With a subscription license, WatchGuard bills you monthly based on the number of users you have allocated. For more information, go to About Subscription Licenses.

Trial Licenses

Trial licenses of ThreatSync+ NDR are available to Service Provider and Subscriber accounts in WatchGuard Cloud. Trial licenses expire after 30 days but you can renew them one time for another 30 days. For information, go to Extend a Trial – Service Providers.

NFR Licenses (Service Providers only)

A Not for Resale license includes a set number of users and typically has a three-year term. NFR licenses are available to Service Providers only.

Allocation Types

When Service Providers allocate users from a license to their managed accounts, they select an allocation type which specifies how the managed account can use the users .

Term Allocation

When you allocate users as a term allocation, the managed account can allocate a specific number of users to an account for a set duration or term from a term license or MSSP points.

Subscription Allocation

When you allocate users as a subscription allocation, the managed account can allocate a specific number of users or an unlimited number of users . WatchGuard bills the account monthly based on the number of active users .

Term License Activation

You can activate licenses on the Activate Licenses page on the WatchGuard website. For more information, go to Activate a ThreatSync+ NDR License.

After you activate a ThreatSync+ NDR license, you can review the activated licenses for your account in Support Center on the ThreatSync page. Click the name of a license to view the details and history of that license.

Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts.

Subscribers

Subscriber accounts can only have one product license. When a Subscriber account activates a new license key in the Support Center, it is used to modify the current active license. You can use a new license to add users or extend the license expiration.

Service Providers

Service Providers can have many product licenses. When a Service Provider activates a new license key, they can use it to modify an active license or add a new, separate license. After activation, the license appears in the Service Provider inventory in WatchGuard Cloud, but the expiration date of the license is tracked separately.

License Renewals

To renew a license or modify an existing license, you purchase a new license and activate it. When you activate the new license, you select whether to add users or extend your current license. When you add users to your active license or extend it, the new license merges with your active license and the two licenses are co-termed.

Co-terming consolidates or merges your term licenses to synchronize renewal dates. When you co-term licenses, a new expiration date is calculated based on the updated users count and the term length of the license you activated. If you add users, the number of users you purchased is added to your current inventory. For example, if you have 50 users and purchase a term license for 100 users, your final count after you activate your new license is 150 users.

If you have an active subscription license, when you renew a term license, your subscription usage count reduces automatically so that only the users in excess of your termed license are billed as subscription users.

When you extend your license, if you purchased the same number of users that you currently have, your license is extended for another period (one or three years). If you purchased more users than are in your current inventory, your inventory immediately updates to match the number of users you purchased the license for.

To renew with fewer users, purchase a license for the desired number of users and choose Extend License when you activate your license key. Remember that ThreatSync+ NDR will monitor active network devices up to two times the number of users in the license.

When you renew the license for fewer users, we recommend that you do so close to your expiration date. If you activate the license key before your expiration date, your license count reduces immediately. This could limit the number of users available for your managed accounts and your account could become overallocated.

If you have an active subscription license, when you renew or upgrade a term license your subscription usage is automatically updated so that only the users in excess of your termed licenses are billed as subscription users.

Overallocation

Service Provider accounts could become overallocated when an account they manage allocates more users than there are available in the license. When a Service Provider account becomes overallocated, ThreatSync+ NDR continues to monitor network traffic, but access to the ThreatSync+ NDR management UI is disabled. The current number of users allocated shows on the dashboard.

Devices Exceed License

ThreatSync+ NDR will monitor active network devices for up to two times the number of users in the license. If your license is for 250 users, then ThreatSync+ NDR monitors network data for up to 500 active network devices (for example, workstations, mobile phones, IP phones, servers, cameras, or other IOT devices).

If the number of active devices exceeds the number available for licensed users, a warning message displays in WatchGuard Cloud and ThreatSync+ NDR stops monitoring network traffic for 24 hours. After 24 hours, the number of devices is re-evaluated. If the number is within the limits of the license, then ThreatSync+ NDR starts to monitor network traffic again.

To view a graph of the number of internal devices monitored over time, review the ThreatSync+ NDR monitoring dashboard (Monitor > ThreatSync+ NDR > Network Summary > Total Devices > Devices Over Time).

For more information on ThreatSync+ NDR licensing and enforcement, go to this Knowledge Base article: FAQ on ThreatSync+ NDR Licensing. (external)

License Expiration

ThreatSync+ NDR licenses expire on the expiration date at 00:00 UTC. After a ThreatSync+ NDR termed license expires, there is a seven-day grace period.

If you renew your license before the grace period ends, no further action is required.
If you do not renew your license before the grace period ends, ThreatSync+ NDR no longer monitors network traffic and access to the ThreatSync+ NDR management UI is disabled.

If you are a Service Provider with multiple licenses, ThreatSync+ NDR continues to monitor network traffic. After you renew your license, you can access the ThreatSync+ NDR management UI.

For accounts with an active subscription license and a term license, when the termed license expires, users in excess of the termed license are billed as subscription users.