Palo Alto Networks Knowledgebase: What Happens When Licenses Expire on the Palo Alto Networks Firewall?

What Happens When Licenses Expire on the Palo Alto Networks Firewall?

Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM


What Happens When Licenses Expire on the Palo Alto Networks Firewall?



The following will occur when a license expires on the firewall.

  • Support - Online Software updates will no longer be allowed
  • Threat Prevention - Threat and Antivirus updates will no longer occur. The current database will continue to be utilized.
  • GlobalProtect Subscription - iOS and Android devices will no longer be able to establish a VPN.
  • WildFire - You fall back to the 'free' version of WildFire meaning :
    • WildFire supports only uploading of Portable Executable, or PE, files. The PE filetype is a container that includes .exe, .dll, .scr, and other extentions that match the PE header magic number.
    • Signatures aren't available through the licensed WildFire signature feed (= every 5 minutes) but rather through licensed Threat Prevention updates.
  • URL Filtering
    • BrightCloud - BrightCloud database updates will no longer occur.
      • You can see the overall URL filtering action when the URL Filtering license expires from the WebGUI go to Objects > Security Profiles > URL Filtering, then click on a profile name to see the above window. You will have 2 options, to either allow or to block URL filtering traffic when the URL License expires. 
        The action selected for Action On License Expiration will be applied for all web traffic handled by the rule that uses the security profile. If the action selected is block, then no web traffic would be allowed by this rule. Likewise, if the action is allow then the traffic would be allowedScreen Shot 2018-03-27 at 11.28.20 AM.pngURL Filtering profile showing Action On License Expiration (BrightCloud)
    • PAN-DB - The PAN-DB cloud will be blocked for lookups and updates.
      • The current database will continue to be utilized for URL categorization. The current URL Filtering security profiles will be used to apply the selected action for each category.
      • If a URL entry exists in the cache, a lookup will return whatever category is in the cache.
      • If the entry has expired or does not exist, the device cannot query the cloud for the latest information.
      • An uncategorized URL will be allowed.
      • URLs in custom categories will still be matched against the custom category/
      • The URL Filtering security profile does not have an Action On License Expiration option.


When you get a New License

When a new license is obtained by the firewall (Inside Device > Licenses) it will immediately resume normal operations associated with that license.

Note: It is not necessary to perform a commit or reboot the firewall to start working again.


owner: jjosephs

  • Print
  • Copy Link

Choose Language