If you want to use GlobalProtect for secure remote access or VPN, no license is
needed. However, advanced features like HIP checks, mobile app support, IPv6, split
tunneling, and Clientless VPN require a GlobalProtect gateway license.
If you want to use GlobalProtect to provide a secure remote access or VPN solution via single or
multiple internal/external gateways, you don't need any GlobalProtect licenses. However,
to use some of the more advanced features (such as HIP checks and associated content
updates, support for the GlobalProtect mobile app, or IPv6 support) you must purchase an
annual GlobalProtect Gateway license. This license must be installed on each firewall
running a gateway that:
- Performs HIP checks
- Supports the GlobalProtect app for mobile endpoints
- Supports the GlobalProtect app for Linux endpoints
- Supports the GlobalProtect app for IoT endpoints
- Provides IPv6 connections
- Split tunnels traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
- Supports adding a compromised device to the quarantine list
- Supports identification of managed devices using the endpoint's serial number on gateways
- Enforces GlobalProtect connections with FQDN exclusions
For GlobalProtect Clientless VPN, you must also install a GlobalProtect gateway license on the
firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the
GlobalProtect Clientless VPN dynamic updates to use this
feature.
Similarly, any firewall or GlobalProtect gateway that acts as a HIP
redistribution agent or client and collector requires a GlobalProtect
Gateway license. The only exception is Panorama.