GlobalProtect Cloud Service Licensing

Learn what type of licenses you need to use the GlobalProtect cloud service for mobile users and remote networks.
The following sections describe the licensing options for the GlobalProtect cloud service, as well as components that are required to use the service.

GlobalProtect Cloud Service Licenses

The licenses you need for GlobalProtect cloud service depend on whether you want to use the service to secure your remote networks, your mobile users, or both:
  • Remote Networks—To license the GlobalProtect cloud service for remote networks you purchase a bandwidth pool, which you can divide among each remote network location that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps.
    A remote network’s bandwidth speed is enforced equally in both directions. To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site; traffic overages above this peak limit is dropped. See How To Calculate Remote Network Bandwidth for more details about the correct bandwidth to specify for your remote network.
  • Mobile Users—You license GlobalProtect cloud service for mobile users based on number of users, with tiers from 200 users to more than 50,000 users. GlobalProtect cloud service for mobile users requires the GlobalProtect app on each supported endpoint. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
  • Service Connections—The GlobalProtect cloud service license includes the option to establish service connections. The number of service connections you can add depends on your license:
    • If you purchase a license for remote networks, or if you purchase licenses for both remote networks and mobile users, you can add up to 100 service connections to enable access to services and applications. You can add up to three service connections with no license cost; each connection after the third uses 300 Mbps from your licensed remote network bandwidth pool. GlobalProtect cloud service does not limit the bandwidth over these connections.
    • If you purchase a license for mobile users only, the GlobalProtect cloud service license includes the option to establish service connections to up to three of your headquarters or data center sites.
    The first three service connections do not count towards your licensed bandwidth pool, regardless of the type of license you purchase. If you configure GlobalProtect cloud service to manage multiple tenants, the maximum number of licensed service connections does not increase; you can still configure a maximum of three service connections per license, and each additional service connection uses 300 Mbps from your licensed bandwidth pool.

Other Required Licenses

In addition to the GlobalProtect cloud service licenses, in order to run the service you must also have the following licensed components:
  • Panorama—You deploy and manage the GlobalProtect cloud service using the Cloud Services plugin for Panorama. In order to use this plugin, you must have Panorama version 8.0.5 or later, 8.1.0 or later except 8.1.2, or 9.0.0 or later with a valid support license. When you license the GlobalProtect cloud service components, you must tie the auth code to a licensed Panorama serial number.
    While using Panorama 9.0 is supported with GlobalProtect cloud service, upgrading to Panorama 9.0 does not give you access to 9.0 features in GlobalProtect cloud service. The GlobalProtect cloud service infrastructure supports PAN-OS features up to release 8.1. See What Features Does GlobalProtect Cloud Service Support? for a list of supported features.
  • Cortex Data Lake—The cloud firewalls, gateways, and portals deployed as part of the GlobalProtect cloud service infrastructure must forward all logs to Cortex Data Lake. You can view the GlobalProtect cloud service logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for GlobalProtect cloud service, you must purchase a Cortex Data Lake license.

Related Documentation