9/10/2014 GlobalProtect License & Subscription Pricing Cl...

| Main

GlobalProtect License & Subscription

Pricing Clarification Version 28

created by Joby Menon on May 25, 2012 3:53 PM, last modified by Wesley Robertson on Aug 5, 2014 6:24 AM

Here are the General Rules for GlobalProtect Licensing and Pricing

1. A GlobalProtect portal license is required for host checking (HIP) and/or multiple gateways. You
typically need 2 portal licenses per deployment (for HA) or 1 if HA isn't used.
2. A GlobalProtect gateway subscriptions is required for host checking (in addition to the portal license)
for all gateways that will be part of the GlobalProtect network.
3. A GlobalProtect gateway subscriptions is required for Mobile apps (iOS and Android GP app) on all
gateways that will be part of the GlobalProtect network
4. GlobalProtect Mobile Security Manager runs on GP‐100 appliance and comes with support for managing
500 mobile devices. Requires capacity license to support additional devices.
5. Large Scale VPN (LSVPN) introduced in 5.0. does not require GlobalProtect Portal or Gateway License.
LSVPN simplify the traditional Hub and Spoke Site‐to‐Site VPN deployments. LSVPN piggybacks on
GlobalProtect Portal and Gateway concept for simplifying configuration. Nick Campagna is the Product
Manager for LSVPN.

Reference Table

Feature Portal Gateway Mobile Security Manager WildFire

License Subscription Capacity License Subscription
Single, external gateway (Windows
and Mac)
Single or multiple internal gateways Required
Multiple external gateways Required
HIP checks Required Required
Mobile app for iOS and/or Android Required
Mobile Security Manager (requires GP‐ Required
100 appliance and the

GlobalProtect mobile app for iOS

and/or

Android)

Mobile Security Manager Android APK Required

malware detection

Here are some examples to help simplify GlobalProtect Licensing (Does not effect LSVPN):
https://intranet.paloaltonetworks.com/docs/DOC-4398 1/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main

Mobile Apps , Great. My customer wants to use iOS and Android Mobile App (Internal or External
Gateway)

Customer will need to buy gateway subscriptions on all gateways.

My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and will NOT use
iOS and Android mobile app.

It's free; Customer does not require a portal license or a gateway subscription

My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and will use
third party IPsec clients for iOS, Android and Linux.

It's free; Customer does not require a portal license or a gateway subscription

My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and also use iOS
and Android mobile app.

Customer require a gateway subscription. Portal License is not required.

My customer wants to deploy multiple gateways, but does not care about host information profiles
and does not care about iOS and Android app.

Customer will need to buy a Portal License. It does not matter if multiple gateways are on the same
appliance or different appliance. It aslo does not matter if the connect method is always‐on or on‐
demand , manual gateway or not , automatic gateway discovery or not. ; Technically each client
config shall list more than 1 gateway, Portal License is required.Gateway subscription is not required.

My Customer want to deploy 1 external gateway, but a different one to different user groups. Every
user will only get 1 external gateway to connect to ; Technically each client config shall list only 1
External gateway and does not care about iOS and Android app.

It's free; Customer does not require a portal license or a gateway subscription. This is one of corner
cases, don't expect many customer to deploy as such.

My customer wants to deploy multiple gateways, and also want to use iOS and Android app to be able
to connect to these gateways.

Customer will need to buy a Portal License. Customer will need to buy gateway subscriptions as well.

https://intranet.paloaltonetworks.com/docs/DOC-4398 2/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main

My Customer wants to deploy an internal gateway or gateways and does not care about iOS and
Android app

Customer will need to buy a Portal License. Gateway subscription is not required

My customer wants to deploy 1 external gateway (like traditional basic SSL VPN) and 1 internal
gateway on the same Appliance and does not care about iOS and Android app

Customer will need to buy a Portal License. Gateway subscription is not required

My customer wants to use HIP profiles (Internal or External Gateway)

Customer will need to buy gateway subscriptions in addition to the Portal License(s)

My customer would deploy GlobalProtect on HA Pair

If Portal will be deployed on these HA Pair, and from the above rules its been determined that a Portal
License is required

1. Purchase 2 portal licenses, one for each member of the HA pair (Highly recommended). This will
be for Portal Redundancy.

If from the above rules its been determined that a Gateway Subscription is required, i.e. use HIP

1. Purchase HA SKU for Gateway Subscription. Both devices are required to have the the gateway
subscription

My Customer will deploy GlobalProtect on HA Pair , but need only 1 external gateway and no HIP and
no internal gateway.

No License is required , neither Portal nor Gateway. A/A mode will be deployed using floating IP

My customer will deploy multiple gateways , will they need Portal License on all devices

NO. Portal Licenses are required only on the devices that would run Portal. You will need 1 Portal
License and 2 if you are deploying Portal on a HA Pair.

Thanks to Taku Maeda , attached is a presentation with various scenarios as well.

1391 Views Categories: Pricing Info Tags : licensing, license, globalprotect

https://intranet.paloaltonetworks.com/docs/DOC-4398 3/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main

Average User Rating

My Rating:

(2 ratings)

6 Comments

Youngpyo Kim Sep 4, 2012 2:12 AM

Hello Joby,

In the PPT file we can see the Case of 'Multiplegateways with HIP and HA Portal'.
This case we should order 3Gateways? or 4Gateways?

Regards,
Youngpyo Kim

Actions Like
(0)

Joby Menon Sep 4, 2012 2:28 PM (in response to Youngpyo Kim)

In that example you will order 2 single and 1 HA SKU ; i.e in total all 4 gateways would need
the subscription

Actions Like
(0)

Youngpyo Kim Sep 4, 2012 5:17 PM (in response to Joby Menon)

Thanks Joby ~

Actions Like
(0)

Nils Ullmann Apr 15, 2014 12:07 PM

Hey Joby,

3020 A/P with multiple ISPs, Windows, Android and iOS support
=> 2x GP gateway lics and 2x GP portal lics

https://intranet.paloaltonetworks.com/docs/DOC-4398 4/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main

Is that right? Sound to expensive ;‐)

Actions Like
(0)

Joby Menon Apr 15, 2014 12:30 PM (in response to Nils Ullmann)

Not sure i understand what you are asking. But from what i gather ...
If its just one pair of 3020 in HA , then yes you will need an HA SKU 2x GP gateway subscription
, but you will need 2x GP portal license only if you use HIP.

Actions Like
(0)

Wesley Robertson Aug 5, 2014 6:22 AM

Joby,

You should update or pull the GlobalProtect_LicenseExplanation.pptx document ‐ it is not current.

Actions Like
(0)

Home | Top of page | About Jive | Help © 2007‐2014 Jive Software |

https://intranet.paloaltonetworks.com/docs/DOC-4398 5/5