GlobalProtect Portal and Gateway License Requirements

Printer Friendly Page

Overview

Listed below are scenarios when the GlobalProtect Portal and Gateway licenses are required.

 

Global Protect Portal License

 

Prior to PAN-OS 7.0:

The GlobalProtect Portal license is required when:

  • Using HIP
  • Configuring multiple gateways
  • Configuring internal gateway

PAN-OS 7.0 and later:

GlobalProtect Portal license is not required.

 

 

GlobalProtect Gateway License  

The GlobalProtect Gateway license is required when:

  • Using HIP
  • Using iOS or Android mobile application

The GlobalProtect Gateway License requirement remains same for PAN-OS version 7.0 and later.

 

High Availability deployment of the portal and gateway requires identical licenses to be installed on both the devices.

 

See Also

GlobalProtect Configuration Tech Note

GlobalProtect Configuration for the IPsec Client on Apple iOS Devices

GlobalProtect Configuration for the IPSec Client on Android Devices

 

owner: sdarapuneni

Comments

Please describe the licensing requirements when the same device receives connection requests from GP clients on two or more interfaces configured with different IPs: does the device require a Portal license (i. e. multiple interfaces = multiple gateways)?

Hi,

if you use 1 portal and 1 gateway no license requiered.if you use 3 portals and 3 gateways  (but only 1 gateway defined for each portal) again you don't need a license.

License requirement is about choosing the best gateway for 1 portal.So if each portal has 1 gateway, no problem.

Hello, Thank you for the promptitude of your answer and sorry for my insistence (I can't test the condition by myself). So, on the same box/unit/appliance with two or more external interfaces, configured with distinct IPs and used as VPN termination for GP clients I DO need a GP Portal license because GP clients could be dispatched to several IPs. Thank you for your time and support, andreip

How many portal licenses are needed for a HA?

In order to use:

- one portal with only one gateway

- but, using iOS and Android Apps

is it OK buying ONLY "GP Gateway license" (without GP Portal License)?

yes that is OK.GW license will be enough.You can use trial license to see how the application works.

Thank you very much <panos>: we tested it using trial license, and I confirm it worked!!

I am too interest on Hopcio question, we have 1 portal and 1 gateway and like Stefano. we don't use HIP or internal gateway, but also using iOS and Android.

How many Gateway license should I purchase for a Active-Passive HA?

Thanks

Hello,

I'd configure only an Internal Gateway and use it with IOS app. Do I buy ONLY GP Portal license or both Gateway and Portal ?

Thanks

You would need both portal and gateway licenses to use the iOS app and internal gateways.

How about if I want to set up a GP Portal & GW in 2 Vsys on the same PANW appliance?  Do I need to purchase a GP Portal license and GW subscription?

I don't believe anyone answered the question regarding "How many GP Portal Licenses are required for an HA pair of NGFWs?"  Could someone please clarify?

just one per HA pair.

Hi SJ... Thank you very much for the reply.  I just want to make sure I understand your response.  So, I only need to purchase one GP Portal License for one of the FWs in the HA pair or for both of the FWs in the HA pair?

I see that one portal license is required per HA pair.  Am I correct in assuming that the license stays with the firewall that it is applied to?

E.g., if the active firewall (licensed for GP portal) in an Active/Standby HA pair fails, the passive firewall takes over but is not licensed for GP portal.  Correct?  Or does the license move to the passive firewall?

The license is specific to the device and will not be applied to passive firewall

I believe there is an HA license for portal. Check with your PAN SE or re-seller.

I don't understand why I need a GP license to use HIP on a security rule that isn't related to any sort of VPN.  For example, I want to block any host running Windows XP on my LAN.  The only way to do this without manually setting each IP on a security rule is to use a HIP profile, yet I can't because I don't have a GP license?  This doesn't make sense to me.

HIP is a feature of GlobalProtect. The information that is used to determine if a system matches a HIP profiles is collected by the GP client and sent to the firewall. Unless you install the GP agent on all systems in your lan, the firewall has no way of knowing what OS is installed on those systems or any other information to match a HIP profile. As such, HIP profiles can't be used without the GP license since they can't be used without GP.

I see, I guess that would make sense. I didn't think that one through.  Thanks for the reply.

note that in PanOS 7.0 the GlobalPortect portal license does not exist anymore. So features like the internal gateway are now available without license

Hi,

Does it mean that the GlobalProtect Portal subscription does not exist any more? I had the Global Protect Portal license activated on a PA FW with the 8.0.6 version for running Clientless VPN. However, now when trying to renew the license we were provided with the so called GlobalProtect Gateway subscription...Does it provide the same features?

Thanks!

Hi @Gabriel_Linero

 

The portal license no longer exists

The gateway license enables HIP checks, allows mobile clients to connect and enables clientless connectivity. 

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

@reaper thanks a lot!