Prisma Access Licensing

Learn what type of licenses you need to use Prisma Access for mobile users, remote networks, and Clean Pipe instances.
The following sections describe the licensing options for Prisma Access, as well as components that are required to use the service.

Prisma Access Licenses

Prisma Access offers a licensing model that allows you to implement and use the capabilities of Prisma Access aligned to your business needs in a way that delivers the fastest return on investment. Whether your applications are migrating to the cloud, your users are working from anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant type of license for your deployment.
This section describes the licenses that are available beginning November 17, 2020; for a description of the licenses used before that date, see the licensing section of the Prisma Access 1.7 Administration Guide.
You must use the Cloud Services 1.8 when you activate and install Prisma Access with the licenses that are available after November 17, 2020; using the Cloud Services plugin 1.7 is not supported.
You can choose from the following license editions:
  • Business
  • Business Premium
  • Zero Trust Network Access (ZTNA) Secure Internet Gateway (SIG)
  • Enterprise
ZTNA SIG is available for Prisma Access for Mobile Users only; you can use all other editions with Mobile Users, Remote Networks, or both mobile users and remote networks. For more details about what is available with the new licenses, see the Prisma Access Licensing Guide.
All license editions are available for Local and Worldwide Prisma Access locations. When you purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access locations. When you purchase a license with Local locations, you can select up to 5 Prisma Access locations.
When a Prisma Access license expires, you can still use the service and collect logs for 15 days after license expiration. You cannot make changes to configuration. Prisma Access shuts down its instances 15 days after license expiration and completely deletes the instances and tenants 30 days after license expiration.

License Enforcement for Mobile User and Remote Network Deployments

Prisma Access uses the following enforcement policies for mobile user and remote network licenses:
  • Mobile User Deployments
    —Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
    In addition, if you use Prisma Access for users—GlobalProtect, the GlobalProtect app is required on each supported endpoint. The GlobalProtect app is not required for Mobile Users—Explicit Proxy deployments.
  • Remote Network Deployments
    —To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site; traffic overages above this peak limit is dropped.
    A remote network’s bandwidth speed is enforced equally in both directions. If you assign a remote network with 50Mbps bandwidth, then 55 Mbps (50 Mbps plus 10% overage allocation) is enforced for both ingress and egress traffic. If you have an asymmetric internet connection (which is a common deployment), you should specify the higher of the two values to fully utilize the circuit.

Other Required Licenses

In addition to the Prisma Access licenses, in order to run the service you must also have the following licensed components:
  • Panorama
    —You deploy and manage Prisma Access using the Cloud Services plugin for Panorama. In order to use this plugin, you must have Panorama with a valid support license. See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin. When you license the Prisma Access components, you must tie the auth code to a licensed Panorama serial number.
  • Cortex Data Lake
    —The Prisma Access infrastructure forwards all logs to Cortex Data Lake. You can view the Prisma Access logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Cortex Data Lake license.

Add-On Licenses

If you have a Prisma Access Local or Worldwide Edition license, you can add the following capabilities to use with Prisma Access as an add-on license:

Determine Your License Type from Panorama

Some license requirements, such as the requirements you need to enable tenants in a multi-tenant configuration, are dependent on the type of Prisma Access license you have. To determine your license type, select
and find the information in the
Prisma Access
Licenses available after November 17, 2020 include the license
and provide you with the type of
Prisma Access Locations
you can deploy (either
Licenses available before November 17, 2020, contain the words
GlobalProtect Cloud Service
in the license areas and are divided by remote networks, mobile users, or Clean Pipe.

Recommended For You