How is TDR handled when replacing a Firebox?
I have a client with a T50 with TDR all set up and running for 15 agents. It was cheaper to buy a new T35 than to renew the T50 (and the T35 is faster in all but total throughput, and it's barely slower there).
I know how to export/import config from the T50 to T35, but I am wondering what happens with the installed TDR agents. Do the agents need to be removed, then reinstalled under the T35? Or, will they just keep working happily behind the new T35?
I am thinking that I may only have to add the new Firebox to the TDR console and everything will be fine. Can anyone confirm if that's true?
Thank you!
Gregg Hill
0
Sign In to comment.
Comments
Hi @GreggHill
As long as they're both on the same account, and the new firewall has the TDR UUID put into it (Subscription Services -> Threat Detection) then you shouldn't have to do anything else. Everything should continue to run as normal.
If the firewalls ended up on different accounts you'll need to put the new UUID on the firewall, and uninstall/reinstall the clients so they're pointing at the right UUID.
Thank you,
-James Carson
WatchGuard Customer Support
Hi Gregg,
The Firebox provides for two things in TDR: first, event correlation with network activity, and second, the TDR licenses.
The sensors are tied to the account, so you can remove the T50 and add the T35 without any interruption if they are registered to the same partner/customer.
This second point is one area that you’ll want to be aware of, since each model comes with a set number of included host sensor licenses. Luckily, they are additive—you’ll have the licenses from the T50 and additional licenses for the T35, so don’t “retire” the T50 from your activated devices list in My WatchGuard.
You can replace the Firebox without any worries, you won’t need to reinstall any host sensors in this case.
If you changed the account ID or retired the T50 before adding the T35 within 14 days, you would have to reinstall the sensors.
Thank you both!
The T50 and the replacement for the failed new T35 will be registered to the same partner/customer.
Regarding retiring the T50, no I am not going to do so, but the TDR licenses are tied to its Total Security, so they would not be additive, would they? Anyway, they are not needed as there are only 15 agents in use and a T35 with Total Security includes 20 TDR licenses.
Gregg Hill
@GreggHill they'll be additive until those expire. If you're near the expiration of that box they should drop off.
Checking with customer care, the TDR client licensing should remain even if it's retired. However, T35 will have less client licenses than the T50, so double check that your new license has what you need before that one runs out.
-James Carson
WatchGuard Customer Support
The T50 expires 8/27 with a temp key to get me past original 8/12/19 expiration, due to the bad T35 I got. I should be fine, as long as the replacement T35 doesn't have a power issue, too!
Gregg Hill
Well, I just checked the client's TDR and it shows "This account has 15 expired host sensors. Please contact WatchGuard to purchase additional licenses."
The T35 is running 12.5 U1 with Total Security and it's the only Firebox listed, and it has enough licenses. I am just looking into why it shows them as expired hosts.
EDIT: EGAD! I waited too long to check the TDR agents, and they all show uninstalled, with no choice to install them from the console. I don't think the TDR web console knows that the T35 has its licenses.
Gregg Hill
OK, I found the issue. Replacing one Firebox with another and using the same TDR account does NOT automatically work. I had to log into my partner account for TDR, go to Licenses in the left-hand menu, then assign the license for the new T-35. Now the hosts show up with the Installation checkbox available. Installing now!
Gregg Hill