What Happens When Licenses Expire?

Find out what happens when one of your Palo Alto Networks firewall licenses expires.
Palo Alto Networks VM-Series firewall licenses and subscriptions provide the firewall with added functionality and/or access to a Palo Alto Networks cloud-delivered service. When a license is within 30 days of expiration, a warning message displays in the system log daily until the subscription is renewed or expires. Upon license expiration, some subscriptions continue to function in a limited capacity, and others stop operating completely. Here you can find out what happens when each subscription expires.
The precise moment of license expiry is at the beginning of the following day at 12:00 AM (GMT). For example, if your license is scheduled to end on 1/20 you will have functionality for the remainder of that day. At the start of the new day on 1/21 at 12:00 AM (GMT), the license will expire. All license-related functions operate on Greenwich Mean Time (GMT), regardless of the configured time zone on the firewall.
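The timing rule above, worked through as an added example (not Palo Alto Networks code): it converts a license end date into the actual GMT cutoff and shows the wall-clock time at which that cutoff lands on firewalls in other time zones. The firewall names, the year, the fixed UTC offsets and the reading of "within 30 days" as measured back from the expiry instant are assumptions made for the illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

WARNING_WINDOW = timedelta(days=30)  # daily system-log warnings start here

def expiry_instant(end_date: date) -> datetime:
    """A license scheduled to end on end_date stops at 12:00 AM GMT the next day."""
    return datetime.combine(end_date + timedelta(days=1), time(0, 0), tzinfo=timezone.utc)

def license_status(end_date: date, now: datetime, utc_offset_hours: float) -> dict:
    """Evaluate one license at 'now' (timezone-aware) for a firewall at the given offset."""
    expires = expiry_instant(end_date)
    remaining = expires - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= WARNING_WINDOW:
        state = "warning"   # assumption: window measured back from the expiry instant
    else:
        state = "ok"
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    return {"state": state, "expires_gmt": expires,
            "expires_local": expires.astimezone(local_tz),
            "remaining": max(remaining, timedelta(0))}

# Constructed inventory: (firewall, subscription, end date, firewall UTC offset in hours)
INVENTORY = [
    ("fw-sjc-01", "Threat Prevention", date(2025, 1, 20), -8),
    ("fw-tyo-01", "DNS Security", date(2025, 1, 20), 9),
    ("fw-lon-01", "Advanced URL Filtering", date(2025, 6, 30), 0),
]

def report(now: datetime) -> list:
    """Return (firewall, subscription, state, local expiry time) for each inventory row."""
    rows = []
    for name, sub, end, off in INVENTORY:
        s = license_status(end, now, off)
        rows.append((name, sub, s["state"], s["expires_local"].strftime("%Y-%m-%d %H:%M")))
    return rows

if __name__ == "__main__":
    for row in report(datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)):
        print(*row, sep=" | ")
```

A firewall at UTC-8 loses the license at 4:00 PM local time on the end date itself, while one at UTC+9 keeps it until 9:00 AM the following morning, so renewal and change windows should be planned against GMT rather than the local clock.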
Expiry Behavior
You can still:
  • Continue to configure and use the firewall(s) you deployed prior to the license expiring with no change in session capacity. The firewall(s) will not reboot automatically and cause a disruption in traffic.
    However, if the firewall reboots for any reason, the firewall enters an unlicensed state. While unlicensed, the number of supported sessions is limited to 1200. No other management plane features or configuration options are restricted.
Threat Prevention
Alerts appear in the System Log indicating that the license has expired.
You can still:
  • Use signatures that were installed at the time the license expired, unless you install a new Applications-only content update either manually or as part of an automatic schedule. If you do, the update will delete your existing threat signatures and you will no longer receive protection against them.
  • Use and modify Custom App-ID™ and threat signatures.
You can no longer:
  • Install new signatures.
  • Roll signatures back to previous versions.
DNS Security
You can still:
  • Use local DNS signatures if you have an active Threat Prevention license.
You can no longer:
  • Get new DNS signatures.
Advanced URL Filtering / URL Filtering
You can still:
  • Enforce policy using custom URL categories.
  • Enforce policy using PAN-DB categories that were in your local cache when the license expired.
You can no longer:
  • Get updates to cached PAN-DB categories.
  • Connect to the PAN-DB URL filtering database.
  • Get PAN-DB categories of uncached URLs.
  • Analyze URL requests in real-time using advanced URL filtering.
You can still:
  • Forward PEs for analysis.
  • Get signature updates every 24-48 hours if you have an active Threat Prevention subscription.
You can no longer:
  • Get five-minute updates through the WildFire public and private clouds.
  • Forward advanced file types such as APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages.
  • Use the WildFire API.
  • Use the WildFire appliance to host a WildFire private cloud or a WildFire hybrid cloud.
You can still:
  • Use an external dynamic list with AutoFocus data for a grace period of three months.
You can no longer:
Cortex Data Lake
You can still:
  • Store log data for a 30-day grace period, after which it is deleted.
  • Forward logs to Cortex Data Lake until the end of the 30-day grace period.
You can still:
  • Use the app for endpoints running Windows and macOS.
  • Configure single or multiple internal/external gateways.
You can no longer:
  • Access the Linux OS app and mobile app for iOS, Android, Chrome OS, and Windows 10 UWP.
  • Use IPv6 for external gateways.
  • Run HIP checks.
  • Enforce split tunneling based on destination domain, client process, and video streaming application.
You can no longer:
  • Receive software updates.
  • Download VM images.
  • Benefit from technical support.
