Do all Advance Licenses require Temp licenses?

Do all Advance Licenses require Temp licenses?

4108
Created On 10/23/24 15:15 PM - Last Modified 12/10/25 07:20 AM


Question


Do all new Advanced licenses require a system generated legacy license of the same feature?

Environment


Advanced and legacy feature licenses

Answer


Only the Advanced TP, URL and WF feature licenses may need the legacy license of the same feature.

ADNS license will work on all the PAN-OS versions without the need of a legacy DNS license.

If the firewall runs on an OS version supported lower than OS 11.2, the firewall can only retrieve DNS license even if ADNS is activated. 

This is because  Advanced DNS Security supports a licensing model that subsumes DNS Security functionality into the Advanced DNS Security license when installed on a previously unlicensed firewall. If you upgrade from a firewall with an existing DNS Security license, entries indicating the presence of separate DNS Security and Advanced DNS Security licenses are displayed. In this instance, the DNS Security license is a passive entry and all DNS Security and Advanced DNS Security functionality is conferred through the Advanced DNS License, including the relevant expiration date. Firewalls without a previously installed DNS Security license show an Advanced DNS Security license, however, it provides both DNS Security and Advanced DNS Security functionality.

Consequently, if you downgrade from a PAN-OS release operating an Advanced DNS Security license to a release that does not support Advanced DNS Security, the firewall continues to display and confer DNS Security functionality through the Advanced DNS Security license, however, it is limited to base DNS Security features.

Therefore even if you have license bundle that includes ADNS, but your firewall runs on an OS version lower than OS 11.2, only DNS will be fetched on the device.

On the firewall you will see ADNS license but on Panorama there will not be an ADNS license entry for the respective device. 

 

Additional Information


Q: Why do TEMP-TP or TEMP-WF licenses appear on the firewall even when the Advanced license (ATP / AWF) is already activated?
A: As per system design, certain Advanced licenses such as Advanced Threat Prevention (ATP) and Advanced WildFire (AWF) require a temporary legacy license (TEMP-TP or TEMP-WF) to ensure compatibility with older PAN-OS versions.

  • These TEMP licenses do not overlap with the Advanced licenses.

  • They are automatically created based on the PAN-OS version running on the firewall.

  • On PAN-OS versions earlier than 10.0, only the legacy license type works; therefore TEMP licenses appear.

  • On PAN-OS 10.0 and above, the Advanced licenses function normally, and TEMP licenses do not interfere with functionality.

This behavior is expected and does not indicate a licensing conflict or a deployment issue. 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEKkCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language