What Happens When Licenses Expire on the Palo Alto Networks Firewall?


Question:

What Happens When Licenses Expire on the Palo Alto Networks Firewall?

 

Answer:

The following will occur when a license expires on the firewall.

  • Support - Online software updates will no longer be allowed.
  • Threat Prevention - Threat and Antivirus updates will no longer occur. The current database will continue to be utilized.
  • GlobalProtect Subscription - iOS and Android devices will no longer be able to establish a VPN.
  • WildFire - You fall back to the 'free' version of WildFire, meaning:
    • WildFire supports only uploading of Portable Executable, or PE, files. The PE filetype is a container that includes .exe, .dll, .scr, and other extensions that match the PE header magic number.
    • Signatures aren't available through the licensed WildFire signature feed (= every 5 minutes) but rather through licensed Threat Prevention updates.
  • URL Filtering
    • BrightCloud - BrightCloud database updates will no longer occur.
      • To see the overall URL filtering action applied when the URL Filtering license expires, in the WebGUI go to Objects > Security Profiles > URL Filtering, then click on a profile name to see the window shown in the screenshot below. You will have 2 options: either allow or block URL filtering traffic when the URL license expires.
        The action selected for Action On License Expiration will be applied to all web traffic handled by the rule that uses the security profile. If the action selected is block, then no web traffic would be allowed by this rule. Likewise, if the action is allow, then the traffic would be allowed.
        [Screenshot: URL Filtering profile showing Action On License Expiration (BrightCloud)]
    • PAN-DB - The PAN-DB cloud will be blocked for lookups and updates.
      • The current database will continue to be utilized for URL categorization. The current URL Filtering security profiles will be used to apply the selected action for each category.
      • If a URL entry exists in the cache, a lookup will return whatever category is in the cache.
      • If the entry has expired or does not exist, the device cannot query the cloud for the latest information.
      • An uncategorized URL will be allowed.
      • URLs in custom categories will still be matched against the custom category.
      • The URL Filtering security profile does not have an Action On License Expiration option.
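
One way to track the expirations listed above before they take effect (an added example, not from the original article or from Palo Alto Networks): the script parses a license listing and pairs each expired or soon-to-expire feature with the impact the article describes. The sample XML is constructed, and its element names (`feature`, `expires`, `expired`) and date format are assumptions about what the firewall's license query returns.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample; element names and date format are assumptions about the reply layout.
SAMPLE_XML = """<response status="success"><result><licenses>
  <entry><feature>Threat Prevention</feature><expires>March 01, 2030</expires><expired>no</expired></entry>
  <entry><feature>PAN-DB URL Filtering</feature><expires>January 20, 2024</expires><expired>yes</expired></entry>
  <entry><feature>GlobalProtect Gateway</feature><expires>February 10, 2024</expires><expired>no</expired></entry>
  <entry><feature>PA-VM</feature><expires>Never</expires><expired>no</expired></entry>
</licenses></result></response>"""

# Impact per license, paraphrased from the article's list; matched by substring.
IMPACT = [
    ("pan-db", "cloud lookups blocked; uncategorized URLs are allowed"),
    ("brightcloud", "profile's Action On License Expiration (allow or block) applies"),
    ("threat prevention", "no Threat/Antivirus updates; current database still used"),
    ("globalprotect", "iOS and Android clients cannot establish a VPN"),
    ("wildfire", "falls back to free WildFire: PE uploads only"),
    ("support", "online software updates no longer allowed"),
]

def license_report(xml_text, today, warn_days=30):
    """Return (feature, status, days_left, impact) tuples, most urgent first."""
    rows = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        feature = entry.findtext("feature", "").strip()
        expires = entry.findtext("expires", "").strip()
        if not expires or expires.lower() == "never":
            continue  # perpetual license: nothing to track
        days_left = (datetime.strptime(expires, "%B %d, %Y").date() - today).days
        if entry.findtext("expired", "no").strip().lower() == "yes" or days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        impact = next((text for key, text in IMPACT if key in feature.lower()),
                      "not covered by the article")
        rows.append((feature, status, days_left, impact))
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    for row in license_report(SAMPLE_XML, date(2024, 2, 1)):
        print("%-24s %-8s %5d days  %s" % row)
```

Licenses whose expiry means traffic is allowed rather than blocked (PAN-DB here) are the ones to alert on first, since nothing on the firewall stops working visibly when they lapse.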

 

When you get a New License

When a new license is obtained by the firewall (under Device > Licenses), it will immediately resume normal operations associated with that license.

Note: It is not necessary to perform a commit or reboot the firewall to start working again.

 

owner: jjosephs

Comments

Just to double check, I assume when referring to "Software updates" this means the PA firmware?

Can someone please explain what happens if my GlobalProtect Subscription License expires?

You'll not be able to connect from iOS or Android with the GP client.

Is this still accurate since it was written 5 years ago? Are there any updates that cover SSL decryption or changes for 6.x+?

For the expired GlobalProtect Gateway subscription use-case, what happens with HIP checks?

After the licenses expire on firewalls, will the grace period of 30 days apply to all license types? How does that grace period work?

@jvalentine

Since the GlobalProtect license is for extended GP functions, if the license expires, then the HIP Checks will stop working.

 

@rk20ta

As far as Grace Periods are concerned, those are in reference to when the device is first registered, not when the license expires.

Please see the following page for more information about Grace Periods:
https://www.paloaltonetworks.com/services/support/support-policies/grace-period

 

@FrankScholl

As of Dec 2016, this article is up to date. Since there is no license for SSL Decryption, this functionality should work fine even without a support license.
If there is anything more specific you have questions for, please ask.

My PAN-DB URL filtering license has just expired, but none of my URL filtering policies can block access to the news URL category.

I tested with "test url-info-host"; the URL is still there in the cache. The log only shows the URL category as expired license. What is wrong?

My license expired just over a year ago. If I renew, do I need to buy a license to cover the period that it was not active? In other words, if I want another year of support, will I need to pay for two?

Hi @The_Huth: It's best to reach out to your sales contact to discuss re-licensing

Hi @The_Huth: yes, your new license must cover the period that it was not active.

For example, my license expired on 26th of April, then on 20th of June I reactivated the license feature, so my next expiration day is 25th of April 2018.

@reaper: My question hasn't been answered, so I had to reactivate, because none of my URL filtering policies work once the license features have expired.

 

Best regards,

Tried to set the 'Action on license expiration' ahead of time but the option is not there, apparently because my license has not yet expired. Title of this article states it addresses what happens 'when the licenses expire'. Would be useful to be able to set this action ahead of time.

@dlogan_fnsb, I would suggest that you contact your local SE, and ask for a Feature Request for this feature to be added. This way it is added to a list of requested features that is delivered directly to our programmers.

Hi @dlogan_fnsb: are you using PAN-DB? This feature is not available for PAN-DB as it does not use a downloadable seed file but relies on cache. Once the cache is depleted all URL lookups will revert to 'uncategorized' and be allowed by default.

 

 

For GlobalProtect Subscription, if expired, HIP does not work. The PA firewall can't detect anything. Thus, it does not reply 'matched' nor 'not matched' when the GP connection is established. Correct?

If I'm correct, could you update the article?

I verified about license expiration of PAN-DB, and found the difference between "PAN-OS 7.1 or earlier" and "PAN-OS 8.0 or later".

"PAN-OS 7.1 or earlier"

Local cache works after the license expiration.

URL Filtering log is logged and a URL is categorized.

 

"PAN-OS 8.0 or later"

Local cache doesn't work after the license expiration.

URL Filtering log isn't logged.

The URL category is treated as "license expired" and the action is fixed to "Allow".
I will ask the engineer about this behavior and the admin guide will be fixed as well.

 

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/url-filtering/enable-a-url-filtering...

"If the license expires, the firewall ceases to perform PAN-DB URL Filtering; URL category enforcement, URL cloud lookups, and other cloud based updates will not function until you install a valid license."

The behavior of URL Filtering - PAN-DB changed, and each admin guide was updated as follows.

 

Enable PAN-DB URL Filtering
(PAN-OS 8.0.x) : https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/url-filtering/enable-a-url-filtering...

If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud‑based updates will not function until you install a valid license.

 

(PAN-OS 8.1.x) :  https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/url-filtering/enable-a-url-filtering...

If the license expires, the firewall ceases to perform PAN-DB URL Filtering; URL category enforcement, URL cloud lookups, and other cloud based updates will not function until you install a valid license.

@kkondo what is the fallback? Allow everything or block?