Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
Threat Prevention—Provides antivirus, anti-spyware, and vulnerability protection.
Decryption Mirroring—Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures—such as NetWitness or Solera—for archiving and analysis.
URL Filtering—Allows you create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see
Control Access to Web Content.Virtual Systems
—This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.WildFire
—Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance. GlobalProtect
—Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.AutoFocus
—Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.
Activate Licenses and Subscriptions
Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support
to obtain your activation codes before you proceed.
Activate your Support license.
You will not be able to update your PAN-OS software if you do not have a valid Support license.
Log in to the web interface and then select
Device > Support.
Activate support using authorization code.
and then click
Activate each license you purchased.
Device > Licenses
and then activate your licenses and subscriptions in one of the following ways:
Retrieve license keys from license server
—Use this option if you activated your license on the Customer Support
Activate feature using authorization code
—Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the
and then click
Manually upload license key
—Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support web site. In this case, you must download a license key file from the support site on an Internet connected computer and then upload to the firewall.
Verify that the license was successfully activated
Device > Licenses
page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid:
WildFire subscriptions only
Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
Commit any pending changes.
Check that the WildFire Analysis profile rules
include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.