Prisma Access offers a licensing model that allows you
to implement and use the capabilities of Prisma Access aligned to
your business needs in a way that delivers the fastest return on
investment. Whether your applications are migrating to the cloud,
your users are working from anywhere, or if you are looking to gain
operational efficiencies, Prisma Access offers the relevant type
of license for your deployment.
Zero Trust Network Access (ZTNA) Secure Internet Gateway
Your Prisma Access license edition determines the security
capabilities that are available to you. If you use any capability
in security rules or profiles that is unsupported based on your
license type, Prisma Access removes those configurations and those
capabilities are not enforced in your Prisma Access tenants until
you update Prisma Access with a license edition that supports those
capabilities. To find the capabilities included with your license,
see the Prisma Access Licensing Guide.
All license editions are available for Local and Worldwide Prisma
Access locations. When you purchase a license with Worldwide locations,
you can deploy Prisma Access in all Prisma Access locations. When
you purchase a license with Local locations, you can select up to
five Prisma Access locations.
Prisma Access uses
in licenses, and uses the following
definitions for a unit:
For mobile user deployments, a
as one mobile user. When you assign units in Prisma Access from
your Mobile users license, each unit allows a mobile user to utilize
Prisma Access—GlobalProtect, Prisma Access—Explicit Proxy, or both
GlobalProtect and Explicit Proxy.
For remote network and Clean Pipe deployments, a
defined as 1 Mbps of bandwidth.
When a Prisma Access license expires, you can still use
the service and collect logs for 15 days after license expiration.
You cannot make changes to configuration. Prisma Access shuts down
its instances 15 days after license expiration and completely deletes
the instances and tenants 30 days after license expiration.
License Enforcement for Prisma Access Mobile User Deployments
Learn how mobile user (GlobalProtect) licenses are counted
in Prisma Access.
Prisma Access uses these enforcement policies for mobile
Though there is no strict policing of the mobile user
count, the service does track the number of unique users over the
last 90 days to ensure that you have purchased the proper license
tier for your user base, and stricter policing of user count may
be enforced if continued overages occur.
In addition, if you use Prisma Access for users—GlobalProtect,
the GlobalProtect app is required on each supported endpoint. The
GlobalProtect app is not required for Mobile Users—Explicit Proxy
Other Required Prisma Access Licenses
See the other licenses that are required for Prisma Access.
In addition to the Prisma Access licenses, in order
to run the service you must also have the following licensed components:
—You deploy and manage Prisma Access using
the Cloud Services plugin for Panorama. In order to use this plugin,
you must have Panorama with a valid support license. See the Palo Alto Networks Compatibility
Matrix for the Panorama versions that are supported with
the Cloud Services plugin. When you license the Prisma Access components,
you must tie the auth code to a licensed Panorama serial number.
Cortex Data Lake
—The Prisma Access infrastructure
forwards all logs to Cortex Data Lake. You can view the Prisma
Access logs, ACC, and reports directly from Panorama for an aggregated
view into your remote network and mobile user traffic. To enable logging
for Prisma Access, you must purchase a Cortex Data Lake license.
Prisma Access Add-On Licenses
Learn about the add-on licenses that are provided by
You can add the following capabilities to use with Prisma
Access as an add-on license: