GlobalProtect Cloud Service Licensing
Learn what type of licenses you need to use the GlobalProtect cloud service for mobile users and remote networks.
The following sections describe the licensing options for the GlobalProtect cloud service, as well as components that are required to use the service.
GlobalProtect Cloud Service Licenses
The licenses you need for GlobalProtect cloud service depend on whether you want to use the service to secure your remote networks, your mobile users, or both:
- Remote Networks—To license the GlobalProtect cloud service for remote networks, you purchase a bandwidth pool, which you can divide among the remote network locations that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps. A remote network's bandwidth speed is enforced equally in both directions. To allow for traffic peaks, the service lets you go 10% over the allocated bandwidth for each site; traffic above this peak limit is dropped. See How To Calculate Remote Network Bandwidth for more details about the correct bandwidth to specify for your remote network.
- Mobile Users—You license GlobalProtect cloud service for mobile users based on the number of users, with tiers from 200 users to more than 50,000 users. GlobalProtect cloud service for mobile users requires the GlobalProtect app on each supported endpoint. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
- Service Connections—The GlobalProtect cloud service license includes the option to establish service connections. The number of service connections you can add depends on your license:
  - If you purchase a license for remote networks, or if you purchase licenses for both remote networks and mobile users, you can add up to 100 service connections to enable access to services and applications. You can add up to three service connections with no license cost; each connection after the third uses 300 Mbps from your licensed remote network bandwidth pool. GlobalProtect cloud service does not limit the bandwidth over these connections.
  - If you purchase a license for mobile users only, the GlobalProtect cloud service license includes the option to establish service connections to up to three of your headquarters or data center sites.

  The first three service connections do not count towards your licensed bandwidth pool, regardless of the type of license you purchase. If you configure GlobalProtect cloud service to manage multiple tenants, the maximum number of licensed service connections does not increase; you can still configure a maximum of three service connections per license, and each additional service connection uses 300 Mbps from your licensed bandwidth pool.
Other Required Licenses
In addition to the GlobalProtect cloud service licenses, in order to run the service you must also have the following licensed components:
- Panorama—You deploy and manage the GlobalProtect cloud service using the Cloud Services plugin for Panorama. To use this plugin, you must have Panorama version 8.0.5 or later, 8.1.0 or later except 8.1.2, or 9.0.0 or later with a valid support license. When you license the GlobalProtect cloud service components, you must tie the auth code to a licensed Panorama serial number. Although Panorama 9.0 is supported with GlobalProtect cloud service, upgrading to Panorama 9.0 does not give you access to 9.0 features in GlobalProtect cloud service. The GlobalProtect cloud service infrastructure supports PAN-OS features up to release 8.1. See What Features Does GlobalProtect Cloud Service Support? for a list of supported features.
- Cortex Data Lake—The cloud firewalls, gateways, and portals deployed as part of the GlobalProtect cloud service infrastructure must forward all logs to Cortex Data Lake. You can view the GlobalProtect cloud service logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for GlobalProtect cloud service, you must purchase a Cortex Data Lake license.