Licenses and Activation for Device Security
Focus
Focus
Device Security

Licenses and Activation for Device Security

Table of Contents

Licenses and Activation for Device Security

Extend, renew, and convert Device Security licenses.
Where Can I Use This?What Do I Need?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
To use the Palo Alto Networks Device Security solution, you need to:
  1. Determine the best Device Security subscription license for your use case, based on the licenses outlined below.

Types of Device Security Licenses

Depending on your needs or where you plan to deploy Device Security, you can choose from several types of Device Security licensing subscriptions:
  • Enterprise Device Security, Medical, or OT Subscription License - supported with next-generation firewalls, VM-Series, CN-Series, and Prisma® Access. These subscription licenses apply on a per-firewall basis, meaning you need one license per firewall that streams logs to Device Security.
  • Device Security X Subscription License - supported with next-generation firewalls, VM-Series, and CN-Series, as well as VM-Series bootstrapped in virtual metadata collector mode (VMC). This subscription license provides individual licenses for each device learned by Device Security, regardless of how many firewalls or VM-Series VMCs stream logs to Device Security.
You can choose from different license types to fit your requirements.
  • Enterprise, Medical, or OT Device Security Doesn't Require Data Lake (DRDL) - when you don't need to store streaming logs in a data lake
  • Enterprise, Medical, or OT Device Security (with Data Lake) - when you have Strata Logging Service and want to store the streaming logs
To determine the best subscription and license type for your requirements, reach out to your Palo Alto Networks sales representative. You can obtain a trial or eval (evaluation) license to try out Device Security. The initial term of a trial or eval (evaluation) license is 60 days and can be extended in 30-day increments. To extend the trial or eval term, request a 30-day extension through your Palo Alto Networks sales representative or sales engineer. Not all subscriptions offer a trial or eval license.

Manage an Expiring License

You have several options when a license for an Device Security subscription or a third-party integration add-on expires. If you no longer want a firewall to subscribe to Device Security services or integrate with third-party systems, you can let the license expire. If you do want to continue using these services or integrations, you can renew paid licenses or convert licenses from one type to another.

License Renewals

As a paid license approaches its expiration date, you can renew it so that there is no break in service, the next license beginning immediately after the current license ends. You can renew the following licenses:
  • Device Security Subscription lab license
  • Device Security Subscription prod (production) license
  • Device Security X Subscription license
To renew any of these licenses, contact your Palo Alto Networks sales representative.

License Conversions

A license conversion is the change of one license type to another. The license can be for an Device Security subscription or a third-party integration add-on.
You can't convert between a Device Security X per-device license and a per-firewall Device Security license of any kind.
Palo Alto Networks supports the following conversions:
Device Security license conversions
  • Trial > Prod
    You can convert an Device Security license on a firewall from trial to prod, but not from eval to prod. An eval license is for an eval firewall, which is Palo Alto Networks property and loaned out for temporary use. However, if you create an Device Security tenant URL for eval licenses on eval firewalls and then replace them with prod licenses on prod firewalls, you can continue using the same Device Security tenant URL.
All conversions can be done after the current license expires at the end of its term, but only conversions considered to be upgrades are allowed midterm. Midterm conversions take place immediately, replacing the previous term with the new term. The following conversions are considered to be upgrades:
Device Security license upgrades
  • Trial version of any type of license > Prod version of any type of license
  • Device Security Subscription > Device Security, DRDL Subscription
Converting Device Security licenses from trial to prod generates a new purchase order with a link to a new onboarding workflow. During the onboarding process, you can select the existing Device Security tenant you were previously using for trial purposes. The rest of the onboarding workflow follows the same mechanism for activating prod licenses on firewalls as it did for activating trial licenses.
To convert any licenses, contact your Palo Alto Networks sales representative.