Offboard IoT Security Subscriptions

Transfer IoT Security subscriptions or let them expire.
There are three ways to offboard IoT Security services from a firewall:
  • Transfer the IoT Security subscription to another firewall
  • Transfer a firewall from one customer support portal (CSP) account to another
  • Let the subscription expire
Transfer IoT Security Subscriptions
If you activate an IoT Security license on one firewall and later decide you want to use it on a different one, it’s possible to transfer it from the first firewall to the second, as long as the two firewalls are the same model (for production licenses only; trial and eval licenses are valid on any model); for example, both are PAN-PA-3020 firewalls. To do this, note the serial numbers of the two firewalls, and either call customer support or log in to your customer support portal (CSP) account and select
Support Cases
Create a Case
. Open a case, explain that you want to transfer the IoT Security license from one firewall to the other, and supply the serial numbers of the two firewalls you noted earlier.
Transfer Firewalls between CSP Accounts
If you have two CSP accounts or are an MSSP managing multiple accounts, you can transfer a firewall from one account to another, perhaps because you’re moving it to a different location managed by a different team with their own account. When you transfer the firewall, all its licenses are transferred along with it. To do this, log in to the CSP and click
. Find the device you want to transfer, click its serial number to open a device details pane for it, and then click
Transfer Ownership
. In the Device Transfer dialog box that appears, enter the destination email address of the owner of the account to which you’re transferring the firewall.
Let the IoT Security Subscription Expire
When a firewall no longer has an IoT Security subscription because it expired (and there is no pending license renewal), IoT Security services for that firewall stop and the connection between IoT Security and the firewall is terminated. IoT Security unsubscribes from the firewall log feed. As a result, it stops receiving and processing logs from that firewall. The firewall stops receiving new policy recommendations and IP address-to-device mappings, and it clears its cached mappings after 200 minutes (about three hours). At that point, none of the device-based policy rules using Device-ID will work and should be removed from your policy set. An efficient way to remove them is to check the Source Device and Destination Device columns on the
page and remove all rules that have entries in either of these two columns.

Recommended For You