How to Transfer PA-Series Licenses Along with Cloud/Tenant-Based License(s) (DLP, SaaS Inline, Device Security, and AIOps Premium) to a Spare Device?

How to Transfer PA-Series Licenses Along with Cloud/Tenant-Based License(s) (DLP, SaaS Inline, Device Security, and AIOps Premium) to a Spare Device?

9777
Created On 11/25/24 01:55 AM - Last Modified 06/11/25 17:06 PM


Objective


There are two scenarios outlined below to accomplish the transfer of licenses along with the Cloud/Tenant-Based License(s).
Each scenario will follow a different process. Please ensure to follow the steps as outlined in the procedure below. 
Due to system design limitations, the Cloud/Tenant-Based License(s) cannot be transferred to a spare device using the process outlined in the "How to Transfer Licenses to a Spare Device" guide.
As a result, the Cloud/Tenant-Based License(s) will need to be delicensed on the defective device and reactivated on the spare device. 

  • Scenario 1
    DLP, SaaS Inline, Device Security, and AIOps Premium for NGFW without the Renewal SKU (e.g., PAN-PA-device model-DLP)

  • Scenario 2
    DLP, SaaS Inline, Device Security, and AIOps Premium for NGFW with the Renewal SKU (e.g., PAN-PA-device model-DLP-R)

Note: If your AIOps Premium has already been migrated to Strata Cloud Manager (SCM) Pro, there is no need to follow the steps outlined below.

Environment


  • CSP
  • NGFW
  • SCM
  • Device Security

 

Procedure


Note:
Cloud/Tenant-Based License(s) on a firewall is de-activated and the association is removed, the configuration will be removed.
Customer will have to start from the scratch on the new device.

Q:
It says "configuration will be removed" but what exactly is configuration? Configuration on RMAed device, or partial/whole configuration on SaaS, DLP, and AIOps?

Ans:
If only one device is RMA'ed, then is should be only Configuration on RMA'ed device because this will not delete the entire tenant but just the association of the RMA'ed device with the tenant.


Method A
This method is applicable to both Scenario 1 and Scenario 2 as outlined in the 'Objective' section above.

Before performing the RMA License Transfer, please de-license the firewall from SCM Portal.

      • Step 1
        Kindly refer to the document below for details regarding the delicensing feature in SCM Portal. 
        Remove Device Associations

      • Step 2
        Please follow the steps in the link below to transfer the non-cloud/tenant-based license(s) to the replacement device.
        How to Transfer Licenses to a Spare Device

      • Step 3
        Please associate the replacement device with the applicable tenant(s) in the SCM Portal.
        Kindly refer to the document below for details. (This is the same document referenced in Step 1.)
        *By completing Step 1 above (delicensing the device from the SCM Portal), you will only need to associate the new firewall (replacement device) with DLP, SaaS Inline, Device Security Security, and AIOps for the tenant(s).
        The license should then be available for selection at this step.
        Associate Product with Devices

Method B
This method is applicable to both Scenario 1 and Scenario 2* as outlined in the 'Objective' section above.
*Kindly note that additional steps will be required for Scenario 2 starting from Step 3 below.

            Performing the RMA License Transfer from CSP without delicensing the firewall from SCM Portal.

      • Step 1
        Please follow the instructions in the link below to perform the RMA license transfer.
        This process will release the DLP, SaaS Inline, Device Security Security, and AIOps Premium license(s), allowing you to onboard the new firewall (replacement device) under those license(s).
        How to Transfer Licenses to a Spare Device

      • Step 2
        Activation link for the license(s) will be available on the Customer Support Portal (CSP) under "Activate Products".
        To locate the activation link in the CSP, please follow the instructions provided in the link below. You can then follow the activation link to onboard the new firewall (replacement device). 
        How to Activate Products in Support Portal

        Note:
        - For activation, it is necessary that a user with the appropriate access rights to the existing TSGID performs the activation.
        If the user does not have access rights in the existing TSG, selecting the existing TSGID during activation will not be possible.

        - For Scenario 2, only the initial activation link issued prior to the renewal will be available under 'Activate Products,' as the renewal license does not come with a new activation link.

        - If you are unable to locate the relevant activation link in the CSP, please open an Admin Support case.
        In the case description, include the defective device serial number, the replacement device serial number, and the license authorization codes that need to be reactivated for the replacement device.

      •  Step 3
        This is the final step for you in Scenario 1:
        Please associate the replacement device with the applicable tenant(s) in the SCM Portal. Kindly refer to the document below for details.
        Associate Product with Devices

        For Scenario 2: 
        Once you have reactivated the license(s) using the initial activation link in Step 2, please open an admin case from the CSP.
        We will then perform a manual workaround to update the magic link so that it points to the renewal license and removes the Renewal SKU (-R) from the license.
        This will ensure the activation works just like it did with the original license.

      • Step 4
        This is the final step for you in Scenario 2:
        Please associate the replacement device with the applicable tenant(s) in the SCM Portal. Kindly refer to the document below for details.
        Associate Product with Devices

Additional Information


Q&A:

  • Is there any service impact on existing(already activated) Cloud Service Module? 
    Ans: 
    Whichever the tenant is, if you need to remove the license from one firewall, then that will not affect the entire tenant. Only the required firewall tenant association will be removed.
    Note: Only when the entire tenant is requested to be deleted, then the tenant will be de-provisioned after removing all the devices under the tenant. 

  • Let's say the Could License is SaaS Inline and 4 devices within same tenant has SaaS Inline license attached. I've received Initial activation link for SaaS Inline Activation for 4 devices.
    If one of the device needs RMA, re-activating via initial activation link won't work because SaaS Inline Module is activated with 3 other devices associated.
    Ans:
    Initial activation link will work for licenses without the Renewal SKU.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sd29CAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language