GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
About GlobalProtect Licenses
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. GlobalProtect Overview
  4. About GlobalProtect Licenses
Download PDF
GlobalProtect

About GlobalProtect Licenses

Table of Contents
End-of-Life (EoL)

About GlobalProtect Licenses

If you want to use GlobalProtect to provide a secure remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features (such as HIP checks and associated content updates, support for the GlobalProtect mobile app, or IPv6 support) you must purchase an annual GlobalProtect Gateway license. This license must be installed on each firewall running a gateway(s) that:
  • Performs HIP checks
  • Supports the GlobalProtect app for mobile endpoints
  • Supports the GlobalProtect app for Linux endpoints
  • Provides IPv6 connections
  • Split tunnels traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application.
  • Supports identification of managed devices using the endpoint’s serial number on gateways
  • Enforces GlobalProtect connections with FQDN exclusions
For GlobalProtect Clientless VPN, you must also install a GlobalProtect Gateway license on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.
Feature
Gateway License Required?
Single external gateway (Windows and macOS)
Single or multiple internal gateways
Multiple external gateways
Internet of things (IoT) devices
HIP Checks
Identification of managed devices using the endpoint serial number on gateways
HIP-based policy enforcement based on the endpoint status
App for endpoints running Windows and macOS
Mobile app for endpoints running iOS, Android, Chrome OS, and Windows 10 UWP
App for endpoints running Linux
App for endpoints running IoT
IPv6 for external gateways
IPv6 for internal gateways
(change to default behavior—starting with GlobalProtect app 4.1.3, a GlobalProtect subscription is not required for this use case)
Clientless VPN
(Not supported on multi-VSYS firewalls if the Clientless VPN traffic must traverse multiple virtual systems)
Split tunneling based on destination domain, client process, and video streaming application
Split DNS
Enforces GlobalProtect connections with FQDN exclusions
See Activate Licenses for information on installing licenses on the firewall.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.