Prisma Access Licensing

Learn what type of licenses you need to use Prisma Access for mobile users, remote networks, and Clean Pipe instances.
The following sections describe the licensing options for Prisma Access, as well as components that are required to use the service.

Prisma Access Licenses

The licenses you need for Prisma Access depend on whether you want to use the service to secure your remote networks, your mobile users, or both:
  • Prisma Access for Networks (formerly GlobalProtect Cloud Service for Remote Networks)
    —To license Prisma Access for networks you purchase a bandwidth pool, which you can divide among each remote network location that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps.
    To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site; traffic overages above this peak limit is dropped. See How to Calculate Remote Network Bandwidth for more details about the correct bandwidth to specify for your remote network.
    A remote network’s bandwidth speed is enforced equally in both directions. If you assign a remote network with 50Mbps bandwidth, then 55 Mbps (50 Mbps plus 10% overage allocation) is enforced for both ingress and egress traffic. If you have an asymmetric internet connection (which is a common deployment), you should specify the higher of the two values to fully utilize the circuit.
  • Prisma Access for Users (formerly GlobalProtect Cloud Service for Mobile Users)
    —You license Prisma Access for mobile users based on number of users, with tiers from 200 users to more than 50,000 users. Prisma Access for mobile users requires the GlobalProtect app on each supported endpoint. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
  • Prisma Access for Clean Pipe
    —The Prisma Access for Clean Pipe service allows organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants.
    Prisma Access for Clean Pipe uses its own license and has its own requirements. However, it requires the same Panorama and Cortex Data Lake licenses as the other Prisma Access products described in this section.

Other Required Licenses

In addition to the Prisma Access licenses, in order to run the service you must also have the following licensed components:
  • Panorama
    —You deploy and manage Prisma Access using the Cloud Services plugin for Panorama. In order to use this plugin, you must have Panorama with a valid support license. See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin. When you license the Prisma Access components, you must tie the auth code to a licensed Panorama serial number.
  • Cortex Data Lake
    —The Prisma Access infrastructure forwards all logs to Cortex Data Lake. You can view the Prisma Access logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Cortex Data Lake license.

Related Documentation