What Happens When Licenses Expire on the Palo Alto Networks Firewall?
Answer:
The following will occur when a license expires on the firewall.
Support - Online software updates will no longer be allowed.
Threat Prevention - Threat and Antivirus updates will no longer occur. The current database will continue to be utilized.
GlobalProtect Subscription - iOS and Android devices will no longer be able to establish a VPN.
WildFire - You fall back to the 'free' version of WildFire, meaning:
WildFire supports only uploading of Portable Executable, or PE, files. The PE filetype is a container that includes .exe, .dll, .scr, and other extensions that match the PE header magic number.
Signatures are not delivered through the licensed WildFire signature feed (every 5 minutes) but rather through licensed Threat Prevention updates.
URL Filtering
PRE-PAN-OS VERSION 8.0
PAN-DB - The PAN-DB cloud will be blocked for lookups and updates.
The current database will continue to be utilized for URL categorization. The current URL Filtering security profiles will be used to apply the selected action for each category.
If a URL entry exists in the cache, a lookup will return whatever category is in the cache.
If the entry has expired or does not exist, the device cannot query the cloud for the latest information.
An uncategorized URL will be allowed.
URLs in custom categories will still be matched against the custom category.
The URL Filtering security profile does not have an Action On License Expiration option.
AFTER PAN-OS VERSION 8.0
PAN-DB - The PAN-DB Cloud will be blocked for lookups and updates.
The PAN-DB Cloud will return “license-expired” for URL Categorization.
If the requested URL exists in the local cache or a custom category, it will continue to function as intended.
All other URLs that are not in the local cache or a custom category will be allowed.
When you get a New License
When the firewall obtains a new license (under Device > Licenses), it immediately resumes the normal operations associated with that license.
Note: It is not necessary to perform a commit or reboot the firewall for it to start working again.
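Because several of the behaviors above fail open (uncategorized URLs are allowed, signature updates stop without notice), it is worth checking expiry dates ahead of time. The following is an added example, not code from the original article or from Palo Alto Networks: it parses a license listing and maps each expired or soon-to-expire license to the impact described on this page. It assumes XML shaped like the reply to the PAN-OS `request license info` operational command; the sample reply, its feature names, and the `license_report` and `parse_expiry` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Impact per license as listed on this page, keyed by a keyword in the feature name.
IMPACT = {
    "support": "online software updates are no longer allowed",
    "threat prevention": "Threat and Antivirus updates stop; current database stays in use",
    "globalprotect": "iOS and Android devices can no longer establish a VPN",
    "wildfire": "free WildFire only: PE uploads, no 5-minute signature feed",
    "url filtering": "PAN-DB cloud blocked; URLs outside cache/custom categories are allowed",
}

# Constructed sample reply; element names and the date format are assumptions.
SAMPLE = """<response status="success"><result><licenses>
<entry><feature>PAN-DB URL Filtering</feature><expires>March 10, 2024</expires><expired>no</expired></entry>
<entry><feature>Threat Prevention</feature><expires>February 20, 2024</expires><expired>yes</expired></entry>
<entry><feature>GlobalProtect Gateway</feature><expires>December 31, 2024</expires><expired>no</expired></entry>
<entry><feature>Example Perpetual Feature</feature><expires>Never</expires><expired>no</expired></entry>
</licenses></result></response>"""

def parse_expiry(text):
    """Return a date, or None for a perpetual ("Never") license."""
    text = text.strip()
    return None if text.lower() == "never" else datetime.strptime(text, "%B %d, %Y").date()

def license_report(xml_text, today, warn_days=30):
    """List (feature, state, days_left, impact) for expired or soon-to-expire licenses."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        feature = entry.findtext("feature", default="").strip()
        expires = parse_expiry(entry.findtext("expires", default="Never"))
        if expires is None:
            continue  # perpetual license, nothing to report
        days_left = (expires - today).days
        expired = days_left < 0 or entry.findtext("expired", default="no").strip().lower() == "yes"
        if not expired and days_left > warn_days:
            continue  # comfortably inside the validity window
        impact = next((v for k, v in IMPACT.items() if k in feature.lower()),
                      "impact not listed on this page")
        findings.append((feature, "EXPIRED" if expired else "EXPIRING", days_left, impact))
    return sorted(findings, key=lambda f: f[2])  # most overdue first

if __name__ == "__main__":
    for row in license_report(SAMPLE, today=date(2024, 3, 1)):
        print("%-22s %-8s %4d days  %s" % row)
```

Run on a schedule against each firewall's license listing, the report gives time to renew before the fail-open URL Filtering behavior or the loss of signature updates takes effect.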