GlobalProtect Licensing Overview

1. Introduction

GlobalProtect is Palo Alto Networks' comprehensive solution for secure remote access. It extends the protection of the corporate firewall to remote users by establishing a secure connection between the user's device and the enterprise network. Understanding the licensing options is crucial for deploying the appropriate features to meet organizational needs.

This article provides a detailed explanation of GlobalProtect licensing, including the different tiers, features associated with each, and visual aids to clarify complex concepts. Additionally, we will explore common App-ID concepts relevant to PCNSE certification and offer an interactive quiz to test your knowledge.

Key Takeaway: Choosing the right GlobalProtect license depends on your organization's specific remote access security requirements, including device types, security features like HIP checks, and integration needs.

2. Licensing Options

2.1 Basic Access (No License Required)

For organizations seeking fundamental VPN capabilities, GlobalProtect provides basic access without the need for additional licenses. This foundational tier allows you to establish secure remote connectivity for certain endpoints.

Features included in Basic Access:

Deployment of GlobalProtect portals and gateways.
Support for Windows and macOS endpoints using the GlobalProtect agent.
Configuration of single or multiple internal/external gateways for flexible deployment scenarios.
Basic VPN tunneling to secure traffic between the remote user and the corporate network.

Note: Advanced features such as Host Information Profile (HIP) checks, mobile device support, and Clientless VPN are not available in this tier. If these capabilities are required, a GlobalProtect Gateway License is necessary.

Basic access is suitable for organizations with simple remote access needs, primarily focused on providing VPN connectivity to Windows and macOS users without requiring advanced security posture checks or support for a wider range of devices.

2. Licensing Options (Continued)

2.2 GlobalProtect Gateway License

The GlobalProtect Gateway License unlocks a suite of advanced functionalities and is required for each Palo Alto Networks firewall that will host a GlobalProtect gateway and utilize these enhanced features. This license significantly expands the capabilities beyond basic VPN access.

Key features enabled by the Gateway License include:

Host Information Profile (HIP) checks and associated content updates: Allows the firewall to collect information about the security posture of connecting endpoints (e.g., OS patch level, AV status, disk encryption) and enforce policies based on this information. Content updates provide the latest HIP checks.
Support for the GlobalProtect mobile app: Extends secure access to mobile users on iOS, Android, Chrome OS, and Windows 10 UWP devices.
Support for Linux and IoT endpoints: Broadens device compatibility for secure remote access.
IPv6 support for external gateways: Enables GlobalProtect gateways to operate in IPv6 environments.
Clientless VPN access: Provides browser-based access to specific web applications without requiring the GlobalProtect agent, ideal for unmanaged devices or quick access scenarios.
Split tunneling based on destination domain, application process name, or video streaming application: Offers granular control over which traffic is sent through the VPN tunnel and which goes directly to the internet. This can optimize bandwidth and user experience.
Adding compromised devices to quarantine: Based on HIP check results, devices failing compliance can be automatically quarantined or placed in a restricted access group.

Remember that the Gateway License is applied per firewall acting as a GlobalProtect gateway. If you have multiple firewalls serving as gateways and requiring these advanced features, each will need its own Gateway License.

2. Licensing Options (Continued)

2.3 GlobalProtect Subscription License

The GlobalProtect Subscription License (often referred to simply as the "GlobalProtect subscription" in newer contexts, and sometimes tied to Prisma Access or advanced endpoint features) typically builds upon the Gateway License. It's geared towards organizations needing the most advanced security features and integrations, particularly for endpoint protection and cloud-delivered security.

The term "GlobalProtect Subscription License" can sometimes be confusing as its specific feature set and naming has evolved. It's crucial to refer to the latest Palo Alto Networks datasheets and documentation for the most current information. Historically, this license was distinct. Now, many advanced features are bundled with Cortex XDR/Pro or Prisma Access subscriptions which inherently use GlobalProtect technology.

For the purpose of this article, based on common understanding and the provided text, features associated with this higher-tier subscription include:

Advanced endpoint protection with integration to Palo Alto Networks' security services: This often implies tighter coupling with services like WildFire, DNS Security, and Threat Prevention for endpoints connecting via GlobalProtect.
Integration with Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) solutions: Facilitates a more comprehensive security posture by allowing GlobalProtect to leverage data from or interact with third-party or Palo Alto Networks' own EDR/EPP solutions (like Cortex XDR).
Support for Prisma Access for remote users: Prisma Access is Palo Alto Networks' SASE (Secure Access Service Edge) solution, which uses GlobalProtect for endpoint connectivity. Licensing for Prisma Access inherently covers the necessary GlobalProtect client usage for connecting to the Prisma Access cloud.

This subscription is aimed at organizations looking to implement a Zero Trust network access (ZTNA) strategy and require deep endpoint visibility and control, along with seamless integration into a broader security ecosystem, including cloud-based security services.

3. Licensing Summary

The following table summarizes the features and their corresponding GlobalProtect license requirements:

Feature	License Required
Basic VPN access (Windows/macOS)	No License Required
HIP checks and content updates	GlobalProtect Gateway License
Mobile app support (iOS, Android, etc.)	GlobalProtect Gateway License
Linux and IoT endpoint support	GlobalProtect Gateway License
IPv6 support for external gateways	GlobalProtect Gateway License
Clientless VPN access	GlobalProtect Gateway License
Split tunneling (destination domain, application process name, or video streaming application)	GlobalProtect Gateway License
Adding compromised devices to quarantine	GlobalProtect Gateway License
Advanced endpoint protection with integration to Palo Alto Networks' security services	GlobalProtect Subscription License (or equivalent like Prisma Access / Cortex XDR Pro)
Integration with Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) solutions	GlobalProtect Subscription License (or equivalent)
Support for Prisma Access for remote users	GlobalProtect Subscription License (typically bundled with Prisma Access subscription)

Important Note: Licensing models can evolve. Always consult the official Palo Alto Networks documentation, datasheets, or your Palo Alto Networks account team for the most up-to-date and specific licensing information relevant to your deployment scenario and software version.

Visualizations: GlobalProtect License Decision Flowchart

This flowchart helps visualize the decision-making process for selecting the appropriate GlobalProtect licensing based on feature requirements.

Flowchart illustrating GlobalProtect licensing decision points.

Visualizations: GlobalProtect License Feature Mapping

This diagram provides a simplified visual mapping of features to GlobalProtect license tiers.

Simplified feature mapping across GlobalProtect license tiers.

Visualizations: Basic GlobalProtect Connection Sequence

This sequence diagram illustrates the high-level steps involved when a GlobalProtect client connects to the corporate network.

Sequence diagram of a typical GlobalProtect connection flow.

Visualizations: Simplified HIP Check State Machine

This state diagram shows a simplified view of the states an endpoint might go through during a HIP check process when connecting via GlobalProtect.

State machine illustrating a simplified HIP check process and outcomes.

App-ID PCNSE Interactive Quiz

Test your understanding of Palo Alto Networks App-ID with these 20 questions. These questions are designed to reflect common topics and scenarios you might encounter in PCNSE preparation.

1. Which of the following is NOT a primary identification technique used by App-ID?

Application Signatures Protocol Decoders Port-based Classification Heuristics

2. What is the primary purpose of an Application Override policy?

To block specific applications globally. To re-classify traffic matching specific criteria to a different App-ID, often for custom or internal applications. To update App-ID signatures manually. To prioritize bandwidth for certain applications.

3. If App-ID cannot identify an application using signatures or decoders, but the traffic is over TCP port 80, how might it initially be classified before further analysis?

unknown-application generic-tcp web-browsing service-http (if identified as HTTP by decoder, otherwise unknown-tcp if still unidentified)

Correct Answer: d) service-http (if identified as HTTP by decoder, otherwise unknown-tcp if still unidentified)
If traffic on TCP port 80 is identified by the HTTP protocol decoder as valid HTTP, it will be classified as


        service-http

. If it's not valid HTTP or if the decoder cannot determine the specific application using HTTP, and no other signature matches, it might eventually be classified as


        unknown-tcp

if it remains truly unidentifiable after all App-ID techniques. However,


        web-browsing

is a standard application, not an initial service classification.

4. How does App-ID handle applications that switch ports mid-session?

It can often identify the application correctly as App-ID is not solely reliant on port numbers. It will classify the new traffic as 'unknown-tcp' or 'unknown-udp'. The session will be dropped due to a port mismatch. It requires a custom App-ID to track port changes.

5. Which of the following statements about App-ID and SSL/TLS encrypted traffic is TRUE?

App-ID cannot identify any application within an SSL/TLS encrypted session without decryption. App-ID always decrypts SSL/TLS traffic to identify applications. App-ID can identify some applications (e.g., based on SNI in TLS or certificate information) even without full decryption, but decryption provides more granular visibility. SSL/TLS traffic is always classified as 'ssl' by App-ID and cannot be further specified.

6. What is an "application dependency" in the context of App-ID?

A software bug that causes App-ID to fail. When one application requires another application to be allowed for it to function correctly (e.g., facebook-chat depends on facebook-base). The reliance of App-ID on up-to-date content versions. A situation where two applications are incorrectly identified as one.

7. How are new App-IDs for emerging applications primarily delivered to a Palo Alto Networks firewall?

Through PAN-OS software upgrades only. By manually creating custom App-IDs for all new applications. Via dynamic DNS updates. Through regular "Applications and Threats" content updates.

8. If a security policy rule explicitly allows "web-browsing" but denies "ssl", what is the likely outcome for HTTPS traffic to a standard website?

It will likely be allowed, as "web-browsing" often implicitly includes "ssl" as a dependency for HTTPS. It will be denied because "ssl" is explicitly denied. The firewall will prompt the user to choose. The session will be classified as "unknown-tcp".

9. What is the App-ID for traffic that the firewall has identified as DNS, but cannot associate with a more specific application using DNS (e.g., a specific SaaS service's DNS query)?

unknown-dns generic-dns dns udp-port-53

10. When creating a custom application, which characteristic is typically NOT part of its definition?

Signatures (pattern matches) Threat severity level Ports (TCP/UDP) Category and Subcategory

11. What does "insufficient-data" in the application field of a traffic log typically indicate?

The firewall has not yet seen enough packets in the session to definitively identify the application. The application is intentionally evasive and cannot be identified. There is a license missing for App-ID. The traffic matched an Application Override rule.

12. An administrator wants to allow general web surfing but block Facebook. Which is the most effective way to configure this using App-ID?

Deny TCP port 443 for facebook.com IP addresses. Allow "web-browsing" and "ssl", then create a URL filtering policy to block Facebook. Create a custom App-ID for web-browsing that excludes Facebook. Create a security policy rule to allow "web-browsing", and another rule above it to deny "facebook-base".

13. What is the primary function of the App-ID cache on a Palo Alto Networks firewall?

To store historical traffic logs for faster reporting. To buffer packets during high traffic loads. To speed up application identification for subsequent sessions to the same destination/port using a previously identified application. To store custom App-ID signatures.

14. If an application is identified as "unknown-tcp", what is the recommended first step for an administrator to gain more insight?

Immediately block all "unknown-tcp" traffic. Perform a packet capture (PCAP) of the traffic and submit it to Palo Alto Networks for App-ID creation if it's a legitimate application. Create an Application Override to classify it as "web-browsing". Update the firewall to the latest PAN-OS version.

15. Which component of the firewall is responsible for maintaining and updating the App-ID signature database?

The content updates (Applications and Threats) downloaded from the Palo Alto Networks update server. The PAN-OS software image. The User-ID agent. The management plane CPU.

16. What is an "Application Filter" primarily used for?

To filter out unwanted applications from log entries. To limit the number of App-IDs loaded into memory. To create a custom App-ID based on multiple existing App-IDs. To group multiple applications based on characteristics (like category, subcategory, technology, risk) for easier use in security policies.

17. Which of these App-IDs is an example of an "implicit" application that is often required for other applications to function?

ms-office365 skype ssl bittorrent

18. When App-ID identifies an application, what is the next logical step the firewall takes regarding that traffic flow in the context of a security policy?

It immediately applies Quality of Service (QoS). It matches the identified application (and other criteria like source/destination zone/IP, user) against security policy rules to determine the action (allow/deny). It sends an alert to the administrator. It performs a threat scan using WildFire.

19. If you see traffic logged as "application incomplete" in the traffic logs, what does this typically mean?

The TCP handshake did not complete, or the session ended before enough data was sent for App-ID to make a determination. The App-ID signatures are outdated. The application is using non-standard encryption. An Application Override policy is misconfigured.

20. How can User-ID information enhance App-ID based security policies?

User-ID helps App-ID identify applications more accurately. User-ID replaces the need for App-ID in policies. User-ID encrypts application traffic based on user identity. User-ID allows policies to be created based on user or group identity in addition to application identity, enabling more granular control.

4. References

For the most current and detailed information, always refer to the official Palo Alto Networks documentation:

GlobalProtect Licensing - Palo Alto Networks Documentation (Note: Specific links may change, search for "GlobalProtect Licensing" on the docs portal)
GlobalProtect Datasheet (Search for the latest version on the Palo Alto Networks website)
App-ID Overview - Palo Alto Networks Documentation

Consult your Palo Alto Networks account team or authorized reseller for specific licensing questions related to your environment and purchased products (e.g., Prisma Access, Cortex XDR).