Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
  • Threat Prevention —Provides antivirus, anti-spyware, and vulnerability protection.
  • Decryption Mirroring —Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures—such as NetWitness or Solera—for archiving and analysis.
  • URL Filtering —Provides the ability to create security policy that allows or blocks access to the web based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content .
  • Virtual Systems —This license is required to enable support for multiple virtual systems on PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-800 Series, PA-500, PA-200, PA-220, and VM-Series firewalls do not support virtual systems.
  • WildFire —Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to an on-premise WF-500 appliance.
  • GlobalProtect —Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect license (subscription) for each gateway.
  • AutoFocus —Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.
  1. Locate the activation codes for the licenses you purchased.
    When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.
  2. Activate your Support license.
    You will not be able to update your PAN-OS software if you do not have a valid Support license.
    1. Log in to the web interface and then select DeviceSupport.
    2. Click Activate support using authorization code.
    3. Enter your Authorization Code and then click OK.
  3. Activate each license you purchased.
    Select DeviceLicenses and then activate your licenses and subscriptions in one of the following ways:
    • Retrieve license keys from license server—Use this option if you activated your license on the Customer Support portal.
    • Activate feature using authorization code—Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
    • Manually upload license key—Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support Portal . In this case, you must download a license key file from the support site on an Internet connected computer and then upload to the firewall.
  4. Verify that the license was successfully activated
    On the DeviceLicenses page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid:
    activate_license1.png
  5. (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
    After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
    • Commit any pending changes.
    • Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.

Related Documentation