Licensing

Question 1

What does the licensing process for the VM-Series firewall use to generate a unique serial number for each VM-Series firewall?

Answer 1

UUID and the CPU ID

Question 2

What is UUID (Universally Unique Identifier)?

Answer 2

• a 128-bit number used to uniquely identify information in computer systems
• UUIDs are used in many applications and protocols, including as part of the licensing process for Palo Alto VM-Series firewalls

Question 3

Which licensing models does Palo Alto support?

Answer 3

1. Bring Your Own License (BYOL)
2. PAYG (Pay-As-You-Go, PayGo) - only in public cloud

Question 4

What is the name of the licensing model that provides VM-50, VM-100, VM-200, VM-300, VM-500, etc.?

Answer 4

capacity licenses

no longer available for purchase

Question 5

What are the two licensing systems based on VCPUs that Palo Alto uses, where one is being deprecated?

Answer 5

1. FLEXIBLE VCPUS
2. FIXED VCPUS - being deprecated

Question 6

The flexible license cost is based on what?

Answer 6

1. number of vCPUs
2. security services enabled
3. whether Panorama is used to manage the firewall or act as a log collector

Question 7

Since when is the Flexible vCPUs model available?

Answer 7

PAN-OS 10.0.4 and later

Question 8

What is the capacity license cost is based on?

Answer 8

1. device memory
2. storage costs
3. support entitlement

Security services and a Panorama deployment to manage your firewalls are additional costs

Question 9

What exactly are the PayGo licenses? Where are they obtained from?

Answer 9

purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP)

Question 10

What are the capacity license types?

Answer 10

• VM-Series Enterprise License Agreement (Multi-Model ELA)
• Multi-Model ELA
• Perpetual VM-Series model capacity license
• Term firewall capacity license

Question 11

Describe VM-Series Enterprise License Agreement (Multi-Model ELA). Which licenses does it include?

Answer 11

• one- or three-year comprehensive licensing agreement that enables you to purchase VM-Series firewalls, along with the GlobalProtect, PAN-DB URL Filtering, Threat Prevention, WildFire, and DNS Security subscriptions
• also includes a support entitlement and a device management license for Panorama

Question 12

Describe Multi-Model ELA

Answer 12

features a token pool from which you allocate tokens to license VM-Series firewalls. (It is unique to the ELA, and is not the same as the Software NGFW Credits pool.)

Question 13

Describe Perpetual VM-Series license

Answer 13

capacity license with a support entitlement and/or security services bundle 1 or bundle 2

Question 14

Describe Term license

Answer 14

firewall capacity license with a support entitlement and your choice of security services

Question 15

What does Bundle 1 include?

Answer 15

Threat Prevention and premium support entitlement.

Question 16

What does Bundle 2 include?

Answer 16

Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement

Question 17

What is the Capacity License?

Answer 17

the VM-Series firewall requires a base license, also called a capacity license, to enable the model number (VM-50, VM-100, VM-200, VM300, VM-500, VM-700, or VM-1000-HV) and the associated capacities on the firewall

Question 18

Capacity licenses are included in a bundle and can be licensed as…?

Answer 18

1. Perpetual License
2. Term-Based License

Question 19

What is the Perpetual License?

Answer 19

• license with no expiration date
• allows to use the VM-Series firewall at the licensed capacity, indefinitely

Question 20

What are Perpetual Licenses available for?

Answer 20

the VM-Series capacity license only

Question 21

What is the Term-Based License?

Answer 21

• license that allows to use VM-Series firewall for a specified period of time
• it has an expiration date and you will be prompted to renew the license before it expires

Question 22

What are Term-based licenses available for?

Answer 22

capacity licenses, support entitlements, and subscriptions

Question 23

How does the multi-model VM-Series ELA work?

Answer 23

1. forecast the number of firewalls that needed over the term of subscription
2. based on the forecast and an additional allotment that accommodates for future growth, your account on the CSP is credited with a license token pool that allows to deploy any model of the VM-Series firewall
3. depending on the firewall model and the number of firewalls deployed, a specified number of tokens are deducted from available license token pool
4. tokens drawn from the account are calculated based on the value of each firewall model

Question 24

How many tokes are deducted for VM-50?

Answer 24

10 tokens

Question 25

How many tokes are deducted for VM-100?

Answer 25

25 tokens

Question 26

How many tokes are deducted for VM-300?

Answer 26

50 tokens

Question 27

How many tokes are deducted for VM-500?

Answer 27

140 tokens

Question 28

How many tokes are deducted for VM-700?

Answer 28

300 tokens

Question 29

How does PAYG license work?

Answer 29

1. the firewall is prelicensed and ready for use as it is deployed; no auth code is received
2. when firewall is stopped or terminated from Cloud console, PAYG licenses are suspended or terminated
3. VM-Series capacity license is applied based on the hardware allocated to the instance

Question 30

Which billing options does PAYG firewall from AWS Marketplace support?

Answer 30

hourly and annual

Question 31

Which billing options does PAYG firewall from Azure Marketplace support?

Answer 31

hourly

Question 32

Which billing options does PAYG firewall from GCP Marketplace support?

Answer 32

per-minute

Question 33

What is the time period within which a warning message displays in the system log daily until you renew the subscription or it expires?

Answer 33

30 days

Question 34

What is the precise moment of license expiry?

Answer 34

• 12:00 AM Greenwich Mean Time (GMT)
• all license-related functions operate on GMT, regardless of the configured time zone on the firewall

Question 35

Can Panorama still manage the firewall of which the support license expires? What is the catch?

Answer 35

yes, but content updates are not available for the firewall, which will later cause commit errors, as the packages need to be the same on firewall and Panorama

Question 36

What are the limitations if the support license expires?

Answer 36

• can no longer:
  
  • receive software updates
  • download VM images
  • benefit from technical support

Question 37

What are the limitations if the VM-Series expires?

Answer 37

• can continue to configure and use the firewall you deployed prior to the license expiring with no change in session capacity and the firewall won’t reboot automatically and cause a disruption in traffic
• if the firewall reboots for any reason, the firewall enters an unlicensed state and while unlicensed, a firewall supports a maximum of 1,200 sessions

Question 38

What are the limitations if the DNS Security license expires?

Answer 38

cannot get new DNS signatures

Question 39

What are the limitations if the Threat Prevention
license
expires?

Answer 39

• can use signatures installed at the time the license expired, unless you install a new Applications-only content update either manually or as part of an automatic schedule - f you do, the update will delete your existing threat signatures and you will no longer receive protection against them
• cannot install new signatures or roll signatures back to previous versions

Question 40

What are the Advanced URL Filtering / URL Filtering
license
expires?

Answer 40

• get updates to cached PAN-DB categories
• connect to the PAN-DB URL filtering database
• get PAN-DB categories of uncached URLs
• analyze URL requests in real-time using Advanced URL Filtering

Question 41

In case of license deactivation, where does the process start?

Answer 41

on the firewall or Panorama (not on the Palo Alto Networks Customer Support web site)

Question 42

What needs to be done to successfully deactivate a license?

Answer 42

install a license deactivation API key and enable verification of the update server identity (enabled by default)

Question 43

When is the deactivation API key not required?

Answer 43

for manual license deactivation, where there is not connectivity between the firewall and license server

Question 44

What is the process of manual license key deactivation?

Answer 44

1. from the firewall or Panorama, you generate and export a license token file that includes information on the deactivated keys
2. while logged in to the CSP, upload the token file to dissociate the license keys from the firewall

Question 45

What are the steps for auto mode license deactivation?

Answer 45

1. log in to CLI
2. view the name of the license key for the feature you want to deactivate with request license deactivate key features
3. deactivate the license or subscription with request license deactivate key features <name> mode auto

Question 46

What should be done before deleting a VM firewall?

Answer 46

licenses should be deactivated

Question 47

What are the options if firewall is deleted before deactivating the licenses?

Answer 47

• if firewall is managed from Panorama, it is possible to deactivate them from there
• if the firewall is not managed from Panorama, open a TAC case

Question 48

Which billing options does PAYG firewall from OCI Marketplace support?

Answer 48

hourly

PAN-OS 10.0.3 or later

Question 49

Can firewall rely on Panorama for connectivity to license server in the absence of direct connectivity to the internet from the firewall?

Answer 49

yes; the Licensing plugin also supports timeout-based de-licensing

Question 50

What is the possible validity period that can be used for software NGFW credits?

Answer 50

can be defined for any amount of time between one and five years

Question 51

Do also unallocated credits expire or are they transferred to a new term?

Answer 51

both allocated and unallocated credits expire at the end of the agreed-upon term

Question 52

Can you purchase additional credits for a credit pool?

Answer 52

yes, but the expiration date must be the same as the target pool