Focus

Next-Generation Firewall

NGFW Compatible Subscriptions

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Update NGFWs Managed by Strata Cloud Manager

Activate Subscription Licenses

NGFW Compatible Subscriptions

Learn about the subscriptions and licenses compatible with your NGFWs.

Where Can I Use This?	What Do I Need?
NGFW

The following Palo Alto Networks subscriptions unlock certain NGFW features or enable the NGFW to leverage a Palo Alto Networks cloud-delivered service (or both). Here you can read more about each service or feature that requires a subscription to work with the NGFW. To enable a subscription, you must first activate subscription licenses; once active, most subscription services can use Dynamic Content Updates to provide new and updated functionality to the NGFW.

Subscriptions You Can Use With the Firewall
Strata Cloud Manager	Manage your Palo Alto Networks Next-Generation Firewalls (NGFW) from Strata Cloud Manager. This cloud-delivered, AI-powered security solution allows seamless management of your advanced ML-powered NGFWs, alongside Prisma Access deployments, through a single, streamlined user interface. Strata Cloud Manager has two licensing tiers: Strata Cloud Manager Essentials and Strata Cloud Manager Pro. This unified structure streamlines the deployment of network security offerings, including AIOps for NGFW, Autonomous Digital Experience Management (ADEM), cloud management functionality, and Strata Logging Service. Get Started with Strata Cloud Manager Strata Cloud Manager License
IoT Security	The IoT Security solution works with next-generation NGFWs to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device types encountered for the first time. And because it’s dynamic, your IoT device inventory is always up to date. IoT Security also provides the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in NGFW policies. Get Started with IoT Security.
SD-WAN	Provides intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Managed by Panorama, the SD-WAN implementation includes: Centralized configuration management Automatic VPN topology creation Traffic distribution Monitoring and troubleshooting Get Started with SD-WAN
Threat Prevention	Threat Prevention provides: Antivirus, anti-spyware (command-and-control), and vulnerability protection. Built-in external dynamic lists that you can use to secure your network against malicious hosts. Ability to identify infected hosts that try to connect to malicious domains. Get Started with Threat Prevention
Advanced Threat Prevention	In addition to all of the features included with Threat Prevention, the Advanced Threat Prevention subscription provides an inline cloud-based threat detection and prevention engine, leveraging deep learning models trained on high fidelity threat intelligence gathered by Palo Alto Networks, to defend your network from evasive and unknown command-and-control (C2) threats by inspecting all network traffic. Get Started with Advanced Threat Prevention
DNS Security	Provides enhanced DNS sinkholing capabilities by querying DNS Security, an extensible cloud-based service capable of generating DNS signatures using advanced predictive analytics and machine learning. This service provides full access to the continuously expanding DNS-based threat intelligence produced by Palo Alto Networks. To set up DNS Security, you must first purchase and install a Threat Prevention license. Get Started with DNS Security
Advanced DNS Security	In addition to all of the features included with DNS Security, the Advanced DNS Security subscription provides access to the Advanced DNS Security cloud, which operates cloud-based domain detection engines that inspect changes to DNS responses. This enables NGFWs to detect and categorize hijacked and misconfigured domains in real-time to block malicious activity. Get Started with Advanced DNS Security
URL Filtering	Provides the ability to not only control web-access, but how users interact with online content based on dynamic URL categories. You can also prevent credential theft by controlling the sites to which users can submit their corporate credentials. To set up URL Filtering, you must purchase and install a subscription for the supported URL filtering database, PAN-DB. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. URL Filtering is no longer available as a standalone subscription. All URL Filtering features are included with the Advanced URL Filtering subscription. Get Started with URL Filtering
Advanced URL Filtering	Advanced URL Filtering uses a cloud-based ML-powered web security engine to perform ML-based inspection of web traffic in real-time. This reduces reliance on URL databases and out-of-band web crawling to detect and prevent advanced, file-less web-based attacks including targeted phishing, web-delivered malware and exploits, command-and-control, social engineering, and other types of web attacks. Get Started with Advanced URL Filtering
WildFire	Although basic WildFire® support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your NGFWs will be forwarding files to an on-premise WF-500 appliance. Get Started with WildFire
Advanced WildFire	Advanced WildFire is a subscription offering that provides access to Intelligent Run-time Memory Analysis: a cloud-based advanced analysis engine that complements static and dynamic analysis, to detect and prevent evasive malware threats. By leveraging a cloud-based detection infrastructure, Intelligent Run-time Memory Analysis detection engines operate a wide array of detection mechanisms to target these highly-evasive malware. Get Started with Advanced WildFire
AutoFocus	Provides a graphical analysis of NGFW traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the NGFW. Get Started with AutoFocus
`Strata Logging Service`	Provides cloud-based, centralized log storage and aggregation. The Strata Logging Service is required or highly-recommended to support several other cloud-delivered services, including Cortex XDR, IoT Security, and Prisma Access, and Traps management service. Get Started with Strata Logging Service
GlobalProtect Gateway	Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect Gateway license for each gateway. Get Started with GlobalProtect
Virtual Systems	This is a perpetual license, and is required to enable support for multiple virtual systems on PA-3200 Series NGFWs. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-400 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, and PA-7000 Series NGFWs (the base number varies by platform). The PA-220 and PA-800 Series NGFWs do not support virtual systems. `(PAN-OS 11.1.2 and earlier releases)`The multiple virtual systems are not supported on VM- Series NGFWs. `(PAN-OS 11.1.3 and later releases)`The multiple virtual systems are supported on VM-Series NGFWs. Get Started with Virtual Systems
Enterprise Data Loss Prevention (DLP)	Provides cloud-based protection against unauthorized access, misuse, extraction, and sharing of sensitive information. Enterprise DLP provides a single engine for accurate detection and consistent policy enforcement for sensitive data at rest and in motion using machine learning-based data classification, hundreds of data patterns using regular expressions or keywords, and data profiles using Boolean logic to scan for collective types of data. Get Started with Enterprise DLP
SaaS Security Inline	The SaaS Security solution works with Strata Logging Service to discover all of the SaaS applications in use on your network. SaaS Security Inline can discover thousands of Shadow IT applications and their users and usage details. SaaS Security Inline also enforces SaaS policy rule recommendations seamlessly across your existing Palo Alto Networks NGFWs. App-ID Cloud Engine (ACE) also requires SaaS Security Inline. Get Started with SaaS Security Inline

Update NGFWs Managed by Strata Cloud Manager

Activate Subscription Licenses

Next-Generation Firewall Docs

NGFW Compatible Subscriptions

Next-Generation Firewall Docs

NGFW Compatible Subscriptions

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner