Licensing Flashcards
What does the licensing process for the VM-Series firewall use to generate a unique serial number for each VM-Series firewall?
UUID and the CPU ID
What is UUID (Universally Unique Identifier)?
- a 128-bit number used to uniquely identify information in computer systems
- UUIDs are used in many applications and protocols, including as part of the licensing process for Palo Alto VM-Series firewalls
Which licensing models does Palo Alto support?
- Bring Your Own License (BYOL)
- PAYG (Pay-As-You-Go, PayGo) - only in public cloud
What is the name of the licensing model that provides VM-50, VM-100, VM-200, VM-300, VM-500, etc.?
capacity licenses
no longer available for purchase
What are the two licensing systems based on VCPUs that Palo Alto uses, where one is being deprecated?
- FLEXIBLE VCPUS
- FIXED VCPUS - being deprecated
The flexible license cost is based on what?
- number of vCPUs
- security services enabled
- whether Panorama is used to manage the firewall or act as a log collector
Since when is the Flexible vCPUs model available?
PAN-OS 10.0.4 and later
What is the capacity license cost based on?
- device memory
- storage costs
- support entitlement
Security services and a Panorama deployment to manage your firewalls are additional costs
What exactly are the PayGo licenses? Where are they obtained from?
purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP)
What are the capacity license types?
- VM-Series Enterprise License Agreement (Multi-Model ELA)
- Multi-Model ELA
- Perpetual VM-Series model capacity license
- Term firewall capacity license
Describe VM-Series Enterprise License Agreement (Multi-Model ELA). Which licenses does it include?
- one- or three-year comprehensive licensing agreement that enables you to purchase VM-Series firewalls, along with the GlobalProtect, PAN-DB URL Filtering, Threat Prevention, WildFire, and DNS Security subscriptions
- also includes a support entitlement and a device management license for Panorama
Describe Multi-Model ELA
features a token pool from which you allocate tokens to license VM-Series firewalls. (It is unique to the ELA, and is not the same as the Software NGFW Credits pool.)
Describe Perpetual VM-Series license
capacity license with a support entitlement and/or security services bundle 1 or bundle 2
Describe Term license
firewall capacity license with a support entitlement and your choice of security services
What does Bundle 1 include?
Threat Prevention and premium support entitlement.
What does Bundle 2 include?
Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement
What is the Capacity License?
the VM-Series firewall requires a base license, also called a capacity license, to enable the model number (VM-50, VM-100, VM-200, VM-300, VM-500, VM-700, or VM-1000-HV) and the associated capacities on the firewall
Capacity licenses are included in a bundle and can be licensed as…?
- Perpetual License
- Term-Based License
What is the Perpetual License?
- license with no expiration date
- allows you to use the VM-Series firewall at the licensed capacity, indefinitely
What are Perpetual Licenses available for?
the VM-Series capacity license only
What is the Term-Based License?
- license that allows you to use the VM-Series firewall for a specified period of time
- it has an expiration date and you will be prompted to renew the license before it expires
What are Term-based licenses available for?
capacity licenses, support entitlements, and subscriptions
How does the multi-model VM-Series ELA work?
- forecast the number of firewalls needed over the term of the subscription
- based on the forecast and an additional allotment that accommodates future growth, your account on the CSP is credited with a license token pool that allows you to deploy any model of the VM-Series firewall
- depending on the firewall model and the number of firewalls deployed, a specified number of tokens is deducted from the available license token pool
- tokens drawn from the account are calculated based on the value of each firewall model
How many tokens are deducted for VM-50?
10 tokens
How many tokens are deducted for VM-100?
25 tokens
How many tokens are deducted for VM-300?
50 tokens
How many tokens are deducted for VM-500?
140 tokens
How many tokens are deducted for VM-700?
300 tokens
How does PAYG license work?
- the firewall is prelicensed and ready for use as it is deployed; no auth code is received
- when the firewall is stopped or terminated from the cloud console, PAYG licenses are suspended or terminated
- the VM-Series capacity license is applied based on the hardware allocated to the instance
Which billing options does PAYG firewall from AWS Marketplace support?
hourly and annual
Which billing options does PAYG firewall from Azure Marketplace support?
hourly
Which billing options does PAYG firewall from GCP Marketplace support?
per-minute
What is the time period within which a warning message displays in the system log daily until you renew the subscription or it expires?
30 days
What is the precise moment of license expiry?
- 12:00 AM Greenwich Mean Time (GMT)
- all license-related functions operate on GMT, regardless of the configured time zone on the firewall
Can Panorama still manage a firewall whose support license expires? What is the catch?
yes, but content updates are not available for the firewall, which will later cause commit errors, as the packages need to be the same on firewall and Panorama
What are the limitations if the support license expires?
- can no longer:
- receive software updates
- download VM images
- benefit from technical support
What are the limitations if the VM-Series license expires?
- can continue to configure and use the firewall you deployed prior to the license expiring, with no change in session capacity; the firewall won’t reboot automatically and cause a disruption in traffic
- if the firewall reboots for any reason, it enters an unlicensed state; while unlicensed, a firewall supports a maximum of 1,200 sessions
What are the limitations if the DNS Security license expires?
cannot get new DNS signatures
What are the limitations if the Threat Prevention license expires?
- can use signatures installed at the time the license expired, unless you install a new Applications-only content update either manually or as part of an automatic schedule - if you do, the update will delete your existing threat signatures and you will no longer receive protection against them
- cannot install new signatures or roll signatures back to previous versions
What are the limitations if the Advanced URL Filtering / URL Filtering license expires?
- get updates to cached PAN-DB categories
- connect to the PAN-DB URL filtering database
- get PAN-DB categories of uncached URLs
- analyze URL requests in real-time using Advanced URL Filtering
In case of license deactivation, where does the process start?
on the firewall or Panorama (not on the Palo Alto Networks Customer Support web site)
What needs to be done to successfully deactivate a license?
install a license deactivation API key and enable verification of the update server identity (enabled by default)
When is the deactivation API key not required?
for manual license deactivation, where there is no connectivity between the firewall and the license server
What is the process of manual license key deactivation?
- from the firewall or Panorama, you generate and export a license token file that includes information on the deactivated keys
- while logged in to the CSP, upload the token file to dissociate the license keys from the firewall
What are the steps for auto mode license deactivation?
- log in to the CLI
- view the name of the license key for the feature you want to deactivate with
request license deactivate key features
- deactivate the license or subscription with
request license deactivate key features <name> mode auto
What should be done before deleting a VM firewall?
licenses should be deactivated
What are the options if the firewall is deleted before deactivating the licenses?
- if the firewall is managed from Panorama, it is possible to deactivate them from there
- if the firewall is not managed from Panorama, open a TAC case
Which billing options does PAYG firewall from OCI Marketplace support?
hourly
PAN-OS 10.0.3 or later
Can the firewall rely on Panorama for connectivity to the license server in the absence of direct connectivity to the internet from the firewall?
yes; the Licensing plugin also supports timeout-based de-licensing
What is the possible validity period that can be used for software NGFW credits?
can be defined for any amount of time between one and five years
Do unallocated credits also expire, or are they transferred to a new term?
both allocated and unallocated credits expire at the end of the agreed-upon term
Can you purchase additional credits for a credit pool?
yes, but the expiration date must be the same as the target pool