What Happens When Licenses Expire on the Palo Alto Networks Firewall?

Created On 09/26/18 13:47 PM - Last Modified 08/18/20 14:42 PM


Resolution

Question:

What Happens When Licenses Expire on the Palo Alto Networks Firewall?

 

Answer:

The following will occur when a license expires on the firewall.

  • Support - Online software updates will no longer be allowed.
  • Threat Prevention - Threat and Antivirus updates will no longer occur. The current database will continue to be utilized.
  • GlobalProtect Subscription - iOS and Android devices will no longer be able to establish a VPN.
  • WildFire - You fall back to the 'free' version of WildFire, meaning:
    • WildFire supports only uploading of Portable Executable, or PE, files. The PE filetype is a container that includes .exe, .dll, .scr, and other extensions that match the PE header magic number.
    • Signatures are not delivered through the licensed WildFire signature feed (every 5 minutes) but rather through licensed Threat Prevention updates.
  • URL Filtering

PRE-PAN-OS VERSION 8.0

  • PAN-DB - The PAN-DB cloud will be blocked for lookups and updates.
    • The current database will continue to be utilized for URL categorization. The current URL Filtering security profiles will be used to apply the selected action for each category.
    • If a URL entry exists in the cache, a lookup will return whatever category is in the cache.
    • If the entry has expired or does not exist, the device cannot query the cloud for the latest information.
    • An uncategorized URL will be allowed.
    • URLs in custom categories will still be matched against the custom category.
    • The URL Filtering security profile does not have an Action On License Expiration option.

AFTER PAN-OS VERSION 8.0

  • PAN-DB - The PAN-DB cloud will be blocked for lookups and updates.
  • The PAN-DB cloud will return “license-expired” for URL Categorization.
  • Unless there is a custom URL category in place, the current database will NO LONGER be utilized for URL categorization.
  • The firewall will NO LONGER enforce policy using PAN-DB categories that were in local cache.
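
The difference between the two URL Filtering lists above, as an added example: a simplified Python model written for this page, not PAN-OS code or Palo Alto Networks tooling. It reports which cached block decisions stop being enforced once the PAN-DB license has expired. The URLs, cache expiry times, profile contents and the `uncategorized` label used for an unresolvable lookup are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    after_8_0: bool                              # False models the pre-8.0 list
    custom: dict = field(default_factory=dict)   # URL -> custom category (local config)
    cache: dict = field(default_factory=dict)    # URL -> (PAN-DB category, expiry time)

def categorize(fw, url, now):
    """Category a URL resolves to while the PAN-DB license is expired."""
    if url in fw.custom:              # custom categories still match in both cases
        return fw.custom[url]
    if fw.after_8_0:                  # cached PAN-DB categories are no longer used
        return "license-expired"
    cached = fw.cache.get(url)
    if cached and cached[1] > now:    # live cache entry: the cached category is returned
        return cached[0]
    return "uncategorized"            # model label: entry aged out or absent, no cloud query

def matched_action(fw, profile, url, now):
    """Action of the profile rule that matches, or None if no category rule matches."""
    return profile.get(categorize(fw, url, now))

def lost_blocks(fw, profile, now):
    """Cached URLs whose PAN-DB category is set to block but no longer hit that rule."""
    return sorted(url for url, (category, _) in fw.cache.items()
                  if profile.get(category) == "block"
                  and matched_action(fw, profile, url, now) != "block")

# Constructed sample data (not taken from a real firewall).
PROFILE = {"malware": "block", "blocked-custom": "block", "news": "alert"}
CACHE = {"bad.example": ("malware", 200),    # still live at NOW
         "old.example": ("malware", 50),     # aged out before NOW
         "news.example": ("news", 200)}
CUSTOM = {"intranet-banned.example": "blocked-custom"}
NOW = 100

pre = Firewall(False, CUSTOM, CACHE)
post = Firewall(True, CUSTOM, CACHE)

if __name__ == "__main__":
    for name, fw in (("pre-8.0", pre), ("after 8.0", post)):
        print(name, "lost block coverage:", lost_blocks(fw, PROFILE, NOW))
```

In this model only the custom-category block survives in both cases, which is why block rules that must hold through a license lapse belong in a custom URL category.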

When you get a New License

When the firewall obtains a new license (under Device > Licenses), it will immediately resume normal operations associated with that license.

Note: It is not necessary to perform a commit or reboot the firewall for the licensed features to start working again.

 

owner: jjosephs



Additional Information
More detailed information can be found in the following Palo Alto Networks techdoc.
