Prisma Access Licensing
Learn what type of licenses you need to use Prisma Access for mobile users, remote networks, and Clean Pipe instances.
The following sections describe the licensing options for Prisma Access, as well as components that are required to use the service.
Prisma Access Licenses
The licenses you need for Prisma Access depend on whether you want to use the service to secure your remote networks, your mobile users, or both:
- Prisma Access for Networks (formerly GlobalProtect Cloud Service for Remote Networks)—To license Prisma Access for networks you purchase a bandwidth pool, which you can divide among each remote network location that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps.The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is delivered on a best-effort basis and the actual performance will vary depending upon the traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does not guarantee 500 Mbps of throughput if it is enabled.To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site; traffic overages above this peak limit is dropped. See How to Calculate Remote Network Bandwidth for more details about the correct bandwidth to specify for your remote network.A remote network’s bandwidth speed is enforced equally in both directions. If you assign a remote network with 50Mbps bandwidth, then 55 Mbps (50 Mbps plus 10% overage allocation) is enforced for both ingress and egress traffic. If you have an asymmetric internet connection (which is a common deployment), you should specify the higher of the two values to fully utilize the circuit.
- Prisma Access for Users (formerly GlobalProtect Cloud Service for Mobile Users)—You license Prisma Access for mobile users based on number of users, with tiers from 200 users to more than 50,000 users. Prisma Access for mobile users requires the GlobalProtect app on each supported endpoint. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
- Prisma Access for Clean Pipe—The Prisma Access for Clean Pipe service allows organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants.
When a Prisma Access license expires, you can still use the service and collect logs for 15 days after license expiration. You cannot make changes to configuration. Prisma Access shuts down its instances 15 days after license expiration and completely deletes the instances and tenants 30 days after license expiration.
Other Required Licenses
In addition to the Prisma Access licenses, in order to run the service you must also have the following licensed components:
- Panorama—You deploy and manage Prisma Access using the Cloud Services plugin for Panorama. In order to use this plugin, you must have Panorama with a valid support license. See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin. When you license the Prisma Access components, you must tie the auth code to a licensed Panorama serial number.
- Cortex Data Lake—The Prisma Access infrastructure forwards all logs to Cortex Data Lake. You can view the Prisma Access logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Cortex Data Lake license.
Recommended For You
Recommended videos not found.