Académique Documents
Professionnel Documents
Culture Documents
| Main
created by Joby Menon on May 25, 2012 3:53 PM, last modified by Wesley Robertson on Aug 5, 2014 6:24 AM
Here are the General Rules for GlobalProtect Licensing and Pricing
1. A GlobalProtect portal license is required for host checking (HIP) and/or multiple gateways. You
typically need 2 portal licenses per deployment (for HA) or 1 if HA isn't used.
2. A GlobalProtect gateway subscriptions is required for host checking (in addition to the portal license)
for all gateways that will be part of the GlobalProtect network.
3. A GlobalProtect gateway subscriptions is required for Mobile apps (iOS and Android GP app) on all
gateways that will be part of the GlobalProtect network
4. GlobalProtect Mobile Security Manager runs on GP‐100 appliance and comes with support for managing
500 mobile devices. Requires capacity license to support additional devices.
5. Large Scale VPN (LSVPN) introduced in 5.0. does not require GlobalProtect Portal or Gateway License.
LSVPN simplify the traditional Hub and Spoke Site‐to‐Site VPN deployments. LSVPN piggybacks on
GlobalProtect Portal and Gateway concept for simplifying configuration. Nick Campagna is the Product
Manager for LSVPN.
Reference Table
Android)
Here are some examples to help simplify GlobalProtect Licensing (Does not effect LSVPN):
https://intranet.paloaltonetworks.com/docs/DOC-4398 1/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main
Mobile Apps , Great. My customer wants to use iOS and Android Mobile App (Internal or External
Gateway)
My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and will NOT use
iOS and Android mobile app.
It's free; Customer does not require a portal license or a gateway subscription
My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and will use
third party IPsec clients for iOS, Android and Linux.
It's free; Customer does not require a portal license or a gateway subscription
My customer wants to deploy only 1 external gateway (like traditional basic SSL VPN) and also use iOS
and Android mobile app.
My customer wants to deploy multiple gateways, but does not care about host information profiles
and does not care about iOS and Android app.
Customer will need to buy a Portal License. It does not matter if multiple gateways are on the same
appliance or different appliance. It aslo does not matter if the connect method is always‐on or on‐
demand , manual gateway or not , automatic gateway discovery or not. ; Technically each client
config shall list more than 1 gateway, Portal License is required.Gateway subscription is not required.
My Customer want to deploy 1 external gateway, but a different one to different user groups. Every
user will only get 1 external gateway to connect to ; Technically each client config shall list only 1
External gateway and does not care about iOS and Android app.
It's free; Customer does not require a portal license or a gateway subscription. This is one of corner
cases, don't expect many customer to deploy as such.
My customer wants to deploy multiple gateways, and also want to use iOS and Android app to be able
to connect to these gateways.
Customer will need to buy a Portal License. Customer will need to buy gateway subscriptions as well.
https://intranet.paloaltonetworks.com/docs/DOC-4398 2/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main
My Customer wants to deploy an internal gateway or gateways and does not care about iOS and
Android app
Customer will need to buy a Portal License. Gateway subscription is not required
My customer wants to deploy 1 external gateway (like traditional basic SSL VPN) and 1 internal
gateway on the same Appliance and does not care about iOS and Android app
Customer will need to buy a Portal License. Gateway subscription is not required
Customer will need to buy gateway subscriptions in addition to the Portal License(s)
If Portal will be deployed on these HA Pair, and from the above rules its been determined that a Portal
License is required
1. Purchase 2 portal licenses, one for each member of the HA pair (Highly recommended). This will
be for Portal Redundancy.
If from the above rules its been determined that a Gateway Subscription is required, i.e. use HIP
1. Purchase HA SKU for Gateway Subscription. Both devices are required to have the the gateway
subscription
My Customer will deploy GlobalProtect on HA Pair , but need only 1 external gateway and no HIP and
no internal gateway.
No License is required , neither Portal nor Gateway. A/A mode will be deployed using floating IP
My customer will deploy multiple gateways , will they need Portal License on all devices
NO. Portal Licenses are required only on the devices that would run Portal. You will need 1 Portal
License and 2 if you are deploying Portal on a HA Pair.
(2 ratings)
6 Comments
Hello Joby,
In the PPT file we can see the Case of 'Multiplegateways with HIP and HA Portal'.
This case we should order 3Gateways? or 4Gateways?
Regards,
Youngpyo Kim
Actions Like
(0)
In that example you will order 2 single and 1 HA SKU ; i.e in total all 4 gateways would need
the subscription
Actions Like
(0)
Thanks Joby ~
Actions Like
(0)
Hey Joby,
3020 A/P with multiple ISPs, Windows, Android and iOS support
=> 2x GP gateway lics and 2x GP portal lics
https://intranet.paloaltonetworks.com/docs/DOC-4398 4/5
9/10/2014 GlobalProtect License & Subscription Pricing Cl... | Main
Actions Like
(0)
Joby Menon Apr 15, 2014 12:30 PM (in response to Nils Ullmann)
Not sure i understand what you are asking. But from what i gather ...
If its just one pair of 3020 in HA , then yes you will need an HA SKU 2x GP gateway subscription
, but you will need 2x GP portal license only if you use HIP.
Actions Like
(0)
Joby,
Actions Like
(0)
https://intranet.paloaltonetworks.com/docs/DOC-4398 5/5