GlobalProtect
Your GlobalProtect License (NGFW)
Table of Contents
Your GlobalProtect License (NGFW)
If you want to use GlobalProtect to provide a secure remote access or VPN solution via
single or multiple internal/external gateways, you don't need any GlobalProtect
licenses. However, to use some of the more advanced features (such as HIP checks and
associated content updates, support for the GlobalProtect mobile app, or IPv6 support)
you must purchase an annual GlobalProtect Gateway license. This license must be
installed on each firewall running a gateway that:
- Performs HIP checks
- Supports the GlobalProtect app for mobile endpoints
- Supports the GlobalProtect app for Linux endpoints
- Supports the GlobalProtect app for IoT endpoints
- Provides IPv6 connections
- Split tunnels traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
- Supports adding a compromised device to the quarantine list.
- Supports identification of managed devices using the endpoint's serial number on gateways
- Enforces GlobalProtect connections with FQDN exclusions
For GlobalProtect Clientless VPN, you must also install a GlobalProtect gateway license
on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also
need the GlobalProtect Clientless VPN dynamic updates to use this
feature.
Similarly, for any firewall or GlobalProtect gateway which is acting as HIP redistribution agent or client and
collector requires a GlobalProtect Gateway license. The only exception is Panorama.
|
Feature
|
Gateway License Required?
|
|---|---|
|
Single external gateway (Windows and macOS)
|
—
|
|
Single or multiple internal gateways
|
—
|
|
Multiple external gateways
|
—
|
|
Internet of things (IoT) devices
|
|
|
HIP Checks
|
|
|
Identification of managed devices using the endpoint serial number on
gateways
|
|
|
HIP-based policy enforcement based on the endpoint status
|
|
|
App for endpoints running Windows and macOS
|
—
|
|
Mobile app for endpoints running iOS, Android, Chrome OS, and Windows
10 UWP
|
|
|
App for endpoints running Linux
|
|
|
App for endpoints running IoT
|
|
|
IPv6 for external gateways
|
|
|
IPv6 for internal gateways
(change to default behavior—starting with GlobalProtect app 4.1.3, a
GlobalProtect subscription isn't required for this use case)
|
—
|
|
Clientless VPN
(Not supported on multi-VSYS firewalls if the traffic must traverse
multiple virtual systems)
|
|
|
Split tunneling based on destination domain, client process, and
video streaming application
|
|
|
Split DNS
|
|
|
Adding a compromised device to the quarantine list
|
|
|
GlobalProtect App Log Collection for Troubleshooting
(Panorama appliance running 9.0 or later and PAN-OS 8.1 or later)
|
|
|
Enforces GlobalProtect connections with FQDN exclusions
|
|
|
Redistribute HIP Reports
|
|
|
DHCP Based IP Address Assignment and Management for GlobalProtect
|
|
See Activate Licenses for information on
installing licenses on the firewall.