GlobalProtect
Your GlobalProtect License
GlobalProtect licenses
GlobalProtect license behavior depends on your environment.
Your GlobalProtect License (NGFW)
If you want to use GlobalProtect to provide a secure remote access or VPN solution via
single or multiple internal/external gateways, you don't need any GlobalProtect
licenses. However, to use some of the more advanced features (such as HIP checks and
associated content updates, support for the GlobalProtect mobile app, or IPv6 support)
you must purchase an annual GlobalProtect Gateway license. This license must be
installed on each firewall running a gateway that:
- Performs HIP checks
- Supports the GlobalProtect app for mobile endpoints
- Supports the GlobalProtect app for Linux endpoints
- Supports the GlobalProtect app for IoT endpoints
- Provides IPv6 connections
- Split tunnels traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
- Supports adding a compromised device to the quarantine list
- Supports identification of managed devices using the endpoint's serial number on gateways
- Enforces GlobalProtect connections with FQDN exclusions
For GlobalProtect Clientless VPN, you must also install a GlobalProtect gateway license
on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also
need the GlobalProtect Clientless VPN dynamic updates to use this
feature.
Similarly, any firewall or GlobalProtect gateway that acts as a HIP redistribution agent or client and
collector requires a GlobalProtect Gateway license. The only exception is Panorama.
| Feature | Gateway License Required? |
|---|---|
| Single external gateway (Windows and macOS) | — |
| Single or multiple internal gateways | — |
| Multiple external gateways | — |
| Internet of things (IoT) devices | |
| HIP Checks | |
| Identification of managed devices using the endpoint serial number on gateways | |
| HIP-based policy enforcement based on the endpoint status | |
| App for endpoints running Windows and macOS | — |
| Mobile app for endpoints running iOS, Android, Chrome OS, and Windows 10 UWP | |
| App for endpoints running Linux | |
| App for endpoints running IoT | |
| IPv6 for external gateways | |
| IPv6 for internal gateways (change to default behavior—starting with GlobalProtect app 4.1.3, a GlobalProtect subscription isn't required for this use case) | — |
| Clientless VPN (Not supported on multi-VSYS firewalls if the traffic must traverse multiple virtual systems) | |
| Split tunneling based on destination domain, client process, and video streaming application | |
| Split DNS | |
| Adding a compromised device to the quarantine list | |
| GlobalProtect App Log Collection for Troubleshooting (Panorama appliance running 9.0 or later and PAN-OS 8.1 or later) | |
| Enforces GlobalProtect connections with FQDN exclusions | |
| Redistribute HIP Reports | |
| DHCP Based IP Address Assignment and Management for GlobalProtect | |
See Activate Licenses for information on
installing licenses on the firewall.
Your GlobalProtect License (Prisma Access)
To use GlobalProtect in your Prisma Access environment, you will need the Prisma Access
license for mobile users and a Strata Logging Service license with proper firewall
storage space. If mobile users will be connecting to other connected networks, you will
need either the Zero Trust Network Access (ZTNA) or Enterprise Edition Prisma Access
license that will provide the corporate access node (CAN) necessary to connect.
For more information, see Prisma Access License.