Your Prisma Access License
Learn about Prisma Access licenses.
Where Can I Use This? | What Do I Need? |
Prisma Access offers a licensing model that allows you to implement and use the
capabilities of Prisma Access aligned to your business needs in a way that delivers the
fastest return on investment. Whether your applications are migrating to the cloud, your
users are working from anywhere, or if you are looking to gain operational efficiencies,
Prisma Access offers the relevant type of license for your deployment.
You can choose from the following license editions (more details are in the
Prisma Access):
Your
Prisma Access license edition determines the security capabilities that are
available to you. If you use any capability in security rules or profiles that is
unsupported based on your license type,
Prisma Access removes those configurations
and those capabilities are not enforced in your
Prisma Access tenants until you
update
Prisma Access with a license edition that supports those capabilities. To
find the capabilities included with your license, refer to the
Prisma Access.
All license editions are available for Local and Worldwide Prisma Access locations. When
you purchase a license with Worldwide locations, you can deploy Prisma Access in all
Prisma Access locations. When you purchase a license with Local locations, you can
select up to five Prisma Access locations.
Prisma Access uses units in licenses, and uses the following definitions for a
unit:
For mobile user deployments, a unit is defined as one mobile user. When
you assign units in Prisma Access from your Mobile users license, each unit
allows a mobile user to utilize Prisma Access—GlobalProtect, Prisma
Access—Explicit Proxy, or both GlobalProtect and Explicit Proxy.
Mobile Users who access apps using
Clientless VPN are also counted as a
unit for licensing purposes.
For remote network and Clean Pipe deployments, a unit is defined as 1 Mbps
of bandwidth.
When a Prisma Access license expires, you can still use the service and collect logs
for 15 days after license expiration. You cannot make changes to configuration.
Prisma Access shuts down its instances 15 days after license expiration and
completely deletes the instances and tenants 30 days after license expiration.
License Enforcement for Prisma Access Mobile User Deployments
Learn how mobile user (GlobalProtect and Explicit Proxy) licenses are counted in
Prisma Access.
Prisma Access uses these enforcement policies for mobile user licenses:
Though there is no strict policing of the mobile user count, the service does
track the number of unique users over the last 30 days to ensure that you
have purchased the proper license tier for your user base, and stricter
policing of user count may be enforced if continued overages occur.
A Prisma Access Mobile User license allows you to use both GlobalProtect and
explicit proxy connect methods. With a single Mobile User license, the user
can connect with GlobalProtect, Explicit Proxy, or both.
If you use
Prisma Access for users—GlobalProtect, the GlobalProtect app is
required on each
supported endpoint. The
GlobalProtect app is not required for Mobile Users—Explicit Proxy
deployments.
Other Licenses to Use With Prisma Access (Managed by Panorama)
See the other licenses that are required for Prisma Access (Managed by Panorama).
In addition to the Prisma Access licenses, in order to run the service you must also
have the following licensed components:
Panorama—You deploy and manage
Prisma Access using the Cloud Services
plugin for Panorama. In order to use this plugin, you must have Panorama
with a valid support license. See the
Palo Alto Networks Compatibility
Matrix for the Panorama versions that are supported with the
Cloud Services plugin. When you license the
Prisma Access components, you
must tie the auth code to a licensed Panorama serial number.
Cloud Identity Engine (Directory Sync)—Cloud Identity Engine gives
Prisma Access
read-only access to your Active
Directory information, so that you can easily set up and manage security and
decryption policies for users and groups. Cloud Identity Engine is free and
does not require a license to get started.
Strata Logging Service—The
Prisma Access infrastructure forwards all logs to
Strata Logging Service. You can view the
Prisma Access logs, ACC, and reports directly from Panorama for an
aggregated view into your remote network and mobile user traffic. To enable
logging for
Prisma Access, you must purchase a
Strata Logging Service license.
Other Licenses to Use With Prisma Access (Managed by Strata Cloud Manager)
These licenses are required with Prisma Access (Managed by Strata Cloud Manager):
- Strata Cloud Manager
(Required)—Strata Cloud Manager supports two licensing
tiers—Essentials and Pro. Essentials is available for free with a Prisma Access and Pro is available as an add-on. Both licenses
unlock a range of network security features and management tools to optimize
NGFW and Prisma Access operations.
Strata Logging Service (Required)—Prisma Access logs are stored in Strata Logging Service, and so
Prisma Access requires you to also have a Strata Logging Service license. It’s a good idea to activate Strata Logging Service before you begin activating Prisma Access.
If you try to activate Prisma Access without first activating Strata Logging Service, Prisma Access will guide you to activate
Strata Logging Service before allowing you to continue Prisma Access activation. Your Strata Logging Service instance
and Prisma Access instance must be deployed in the same region.
Cloud Identity Engine (Directory Sync)—Cloud Identity Engine gives
Prisma Access
read-only access to your Active
Directory information, so that you can easily set up and manage security and
decryption policies for users and groups. Cloud Identity Engine is free and
does not require a license to get started.
SaaS Security API—Integrate SaaS Security API with Prisma Access for
Clientless VPN and authentication support.
Remote Browser Isolation (RBI)—Integrate
RBI with
Prisma Access to provide a browsing environment that
isolates all malware, including zero-day attacks that result from browsing
and web activity, away from your end users and your network.
Prisma Access Add-On Licenses
Learn about the add-on licenses that are provided by Prisma Access.
You can add the following capabilities to use with Prisma Access as an add-on
license: