>
    Licenses and Activation for Device Security
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Licenses and Activation for Device Security
    Download PDF
    Device Security

    Licenses and Activation for Device Security

    Table of Contents

    Licenses and Activation for Device Security

    Extend, renew, and convert Device Security licenses.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    To use the Palo Alto Networks Device Security solution, you need to:
    1. Determine the best Device Security subscription license for your use case, based on the licenses outlined below.
    2. Meet all of the Device Security Prerequisites.
    3. Ensure that you have Firewall and PAN-OS Support of Device Security.
    4. Activate Device Security.
    5. Onboard Device Security.
    6. Manage Device Security Users.

    Types of Device Security Licenses

    Depending on your needs or where you plan to deploy Device Security, you can choose from several types of Device Security licensing subscriptions:
    • Enterprise Device Security, Medical, or OT Subscription License - supported with next-generation firewalls, VM-Series, CN-Series, and Prisma® Access. These subscription licenses apply on a per-firewall basis, meaning you need one license per firewall that streams logs to Device Security.
    • Device Security X Subscription License - supported with next-generation firewalls, VM-Series, and CN-Series, as well as VM-Series bootstrapped in virtual metadata collector mode (VMC). This subscription license provides individual licenses for each device learned by Device Security, regardless of how many firewalls or VM-Series VMCs stream logs to Device Security.
    You can choose from different license types to fit your requirements.
    • Enterprise, Medical, or OT Device Security Doesn't Require Data Lake (DRDL) - when you don't need to store streaming logs in a data lake
    • Enterprise, Medical, or OT Device Security (with Data Lake) - when you have Strata Logging Service and want to store the streaming logs
    To determine the best subscription and license type for your requirements, reach out to your Palo Alto Networks sales representative. You can obtain a trial or eval (evaluation) license to try out Device Security. The initial term of a trial or eval (evaluation) license is 60 days and can be extended in 30-day increments. To extend the trial or eval term, request a 30-day extension through your Palo Alto Networks sales representative or sales engineer. Not all subscriptions offer a trial or eval license.

    Manage an Expiring License

    You have several options when a license for an Device Security subscription or a third-party integration add-on expires. If you no longer want a firewall to subscribe to Device Security services or integrate with third-party systems, you can let the license expire. If you do want to continue using these services or integrations, you can renew paid licenses or convert licenses from one type to another.

    License Renewals

    As a paid license approaches its expiration date, you can renew it so that there is no break in service, the next license beginning immediately after the current license ends. You can renew the following licenses:
    • Device Security Subscription lab license
    • Device Security Subscription prod (production) license
    • Device Security X Subscription license
    To renew any of these licenses, contact your Palo Alto Networks sales representative.

    License Conversions

    A license conversion is the change of one license type to another. The license can be for an Device Security subscription or a third-party integration add-on.
    You can't convert between a Device Security X per-device license and a per-firewall Device Security license of any kind.
    Palo Alto Networks supports the following conversions:
    Device Security license conversions
    • Trial > Prod
      You can convert an Device Security license on a firewall from trial to prod, but not from eval to prod. An eval license is for an eval firewall, which is Palo Alto Networks property and loaned out for temporary use. However, if you create an Device Security tenant URL for eval licenses on eval firewalls and then replace them with prod licenses on prod firewalls, you can continue using the same Device Security tenant URL.
    All conversions can be done after the current license expires at the end of its term, but only conversions considered to be upgrades are allowed midterm. Midterm conversions take place immediately, replacing the previous term with the new term. The following conversions are considered to be upgrades:
    Device Security license upgrades
    • Trial version of any type of license > Prod version of any type of license
    • Device Security Subscription > Device Security, DRDL Subscription
    Converting Device Security licenses from trial to prod generates a new purchase order with a link to a new onboarding workflow. During the onboarding process, you can select the existing Device Security tenant you were previously using for trial purposes. The rest of the onboarding workflow follows the same mechanism for activating prod licenses on firewalls as it did for activating trial licenses.
    To convert any licenses, contact your Palo Alto Networks sales representative.

    © 2025 Palo Alto Networks, Inc. All rights reserved.