Find out what happens when one of your Palo Alto Networks
firewall subscriptions expires.
Palo Alto Networks subscriptions provide
the firewall with added functionality and/or access to a Palo Alto
Networks cloud-delivered service. When a license is within 30 days
of expiration, a warning message displays in the system log daily
until the subscription is renewed or expires. Upon license expiration,
some subscriptions continue to function in a limited capacity, and
others stop operating completely. Here you can find out what happens
when each subscription expires.
The precise moment of license expiry is at the beginning
of the following day at 12:00 AM (GMT). For example, if your license
is scheduled to end on 1/20 you will have functionality for the remainder
of that day. At the start of the new day on 1/21 at 12:00 AM (GMT),
the license will expire. All license-related functions operate on
Greenwich Mean Time (GMT), regardless of the configured time zone on
the firewall.
(
Panorama license
) If the support license expires, Panorama can still manage
firewalls and collect logs, but software and content updates will be unavailable.
The software and content versions on Panorama must be the same as or later than the
versions on the managed firewalls, or else errors will occur. For details, see Panorama, Log Collector, Firewall, and WildFire
Version Compatibility.
Subscription
Expiry Behavior
Advanced Threat Prevention / Threat Prevention
Alerts appear in the System
Log indicating that the license has expired.
You can still:
Use signatures that were installed at the time the license expired,
unless you install a new Applications-only content update either
manually or as part of an automatic schedule. If you do, the update
will delete your existing threat signatures and you will no longer
receive protection against them.
Use and modify Custom App-ID™ and threat signatures.
You
can no longer:
Install new signatures.
Roll signatures back to previous versions.
Detect and prevent unknown threats using real-time, ML-based
detection engines provided by Advanced Threat Prevention.
DNS Security
You can still:
Use
local DNS signatures if you have an active Threat Prevention license.
You
can no longer:
Get new DNS signatures.
Advanced URL Filtering / URL Filtering
You can still:
Enforce
policy using custom URL categories.
You can no longer:
Get updates to cached PAN-DB categories.
Connect to the PAN-DB URL filtering database.
Get PAN-DB URL categories.
Analyze URL requests in real-time using advanced URL filtering.
WildFire
You can still:
Forward
PEs for analysis.
Get signature updates every 24-48 hours if you have an active
Threat Prevention subscription.
You can no longer:
Get five-minute updates through the WildFire public and private
clouds.
Forward advanced file types such as APKs, Flash files, PDFs,
Microsoft Office files, Java Applets, Java files (.jar and .class),
and HTTP/HTTPS email links contained in SMTP and POP3 email messages.