Manage VM-Series ELA License Tokens
Table of Contents
Manage VM-Series ELA License Tokens
Learn how to activate the Enterprise Level Agreement
(ELA) authorization code and manage the license token pool.
The VM-Series Enterprise License Agreement (Multi-Model ELA) (VM-Series
ELA) gives you the flexibility of having a single contract that
you can share with other administrators in your enterprise. You
must have the super user role on the Palo Alto Networks Customer
Support Portal (CSP) to activate the ELA, and upon activating the
ELA authorization code you inherit the ELA administrator role on
the CSP.
With the ELA administrator role, you can manage the
license token pool available to deploy VM-Series firewalls and subscriptions
included in the agreement. You can invite other administrators to
share the VM-Series ELA tokens, grant which models and how many
instances of the VM-Series firewalls are available to each administrator,
as well as remove CSP accounts from your VM-Series ELA. Depending
on what you allocate for each grantee, they receive a specific number
of tokens that they can then use to deploy VM-Series firewalls.
Additional
purchases and grants do not directly add to the number of available VM-Series
firewalls in a CSP account; instead, ELA license tokens are added
to the VM-Series ELA token pool. The ELA license tokens can subsequently
be allocated by the ELA administrator to a given CSP account to
increase the number of available VM-Series firewalls.
- (Legacy VM-Series ELA Customers only) Designate
an ELA administrator to manage tokens.Existing enterprise license customers who have been migrated to the Multi-Model ELA must designate an ELA administrator to manage VM-Series ELA license tokens. Upon conversion, no other action is necessary for continued operation of your firewalls, however, you will not be able to (re)allocate tokens for deploying firewalls until an ELA administrator has been assigned. Only an administrator with a super user role on the CSP has the ability to designate an ELA administrator, who in turn, can manage tokens or grant tokens to other administrators.
- Log in to the Palo Alto Networks CSP.
- Select .
- Click on the pencil icon under Actions to edit the user to whom you want to assign the ELA administrator role.
- Select ELA Administrator and then click the check mark to add the new role to the selected user.
- Continue to step 3.
- Activate the ELA authorization code.The administrative user who activates the ELA inherits the ELA administrator and super user role on the CSP and has the ability to manage the tokens or grant the tokens to other administrators.
- Log in to the Palo Alto Networks CSP.
- Select .
- Enter the Authorization Code and Agree
and Submit the EULA.Verify the authorization code is registered to your account under Enterprise Agreements: VM-Series. The page displays the Auth Code, Account ID, Account Name, License Description, Expiration Date, the number of Licenses (used/total) you have, and how many are available to deploy within the bounded and unbounded period of the agreement.
![]()
- Select to view the authorization codes for deploying each model
of the VM-Series firewall and associated subscriptions included with the
ELA.
![]()
- Grant ELA access to other administrators in your enterprise.This capability allows you to share the VM-Series ELA with other administrators within your enterprise or department so that they can deploy VM-Series firewalls on demand. As an ELA administrator, you can grant access to other users who are registered with an email address on the CSP.
![]()
- On , select Grant ELA Access.
- Enter the Destination Email address
of the administrator whom you want to invite.The destination email address that you enter above must be a registered user on the CSP with a super user role so that they can log in and accept the grant. If the email address is not registered on the CSP, you must first create a new account for the user on .
- Select Notify User to trigger
a notification email to the email address you entered.The recipient must log in to the CSP to Accept the VM-Series ELA. After the recipient accepts the grant, the account ID is available on as shown in the following screenshot.
![]()
- Allocate tokens for deploying firewalls.
- Select .For each account ID, you can specify the number of firewalls by model that you want to allocate. Based on the quantity and firewall model, the number of tokens are automatically calculated and become available for use. In this example, you are allowing 10 instances each of the VM-50 and the VM-500.
![]()
- Verify that the accurate number of firewall instances
are deposited in the account.Select to confirm the auth codes you allotted. In this example, the account has the ability to provision 10 instances each of the VM-50 and the VM-500. As the recipients deploy firewalls, the number of tokens are deducted from the total available pool, and you can view the number of firewall instances that they have provisioned as a ratio of the total quantity you allocated for them. As your security needs evolve, you have the flexibility to allocate more quantity and allow access to a different VM-Series firewall model as long as you have tokens available.
![]()
- Select .
- Remove a CSP account from the VM-Series ELA to reclaim
tokens.You cannot reclaim a portion of the tokens allocated to a CSP account. By reclaiming tokens, you are removing the entirety of the CSP account from the VM-Series ELA and reallocating all associated tokens to the token pool.
- Verify that all tokens associated with the CSP account that you want to remove are not being utilized by the VM-Series firewalls. Deactivate the VM-Series firewalls as necessary to provision tokens for removal.
- Select .Select the account ID from whom you want to reclaim tokens from and click Reclaim Token. If tokens are available for reclamation, you will receive a confirmation of a successful removal.
![]()
