About GlobalProtect Licenses

If you want to use GlobalProtect for secure remote access or VPN, no license is needed. However, advanced features like HIP checks, mobile app support, IPv6, split tunneling, and Clientless VPN require a GlobalProtect gateway license.
If you want to use GlobalProtect to provide a secure remote access or VPN solution via single or multiple internal/external gateways, you don't need any GlobalProtect licenses. However, to use some of the more advanced features (such as HIP checks and associated content updates, support for the GlobalProtect mobile app, or IPv6 support) you must purchase an annual GlobalProtect Gateway license. This license must be installed on each firewall running a gateway that:
  • Performs HIP checks
  • Supports the GlobalProtect app for mobile endpoints
  • Supports the GlobalProtect app for Linux endpoints
  • Supports the GlobalProtect app for IoT endpoints
  • Provides IPv6 connections
  • Split tunnels traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
  • Supports adding a compromised device to the quarantine list
  • Supports identification of managed devices using the endpoint's serial number on gateways
  • Enforces GlobalProtect connections with FQDN exclusions
For GlobalProtect Clientless VPN, you must also install a GlobalProtect gateway license on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.
Similarly, any firewall or GlobalProtect gateway that acts as a HIP redistribution agent or as a client and collector requires a GlobalProtect Gateway license. The only exception is Panorama.
Feature
Gateway License Required?
Single external gateway (Windows and macOS)
Single or multiple internal gateways
Multiple external gateways
HIP Checks
Identification of managed devices using the endpoint serial number on gateways
HIP-based policy enforcement based on the endpoint status
App for endpoints running Windows and macOS
Mobile app for endpoints running iOS, Android, Chrome OS, and Windows 10 UWP
App for endpoints running Linux
App for endpoints running IoT
IPv6 for external gateways
IPv6 for internal gateways (change to default behavior: starting with GlobalProtect app 4.1.3, a GlobalProtect subscription isn't required for this use case)
Clientless VPN (Not supported on multi-VSYS firewalls if the traffic must traverse multiple virtual systems)
Split tunneling based on destination domain, client process, and video streaming application
Split DNS
Adding a compromised device to the quarantine list (Panorama appliance running 9.0 or later and PAN-OS 8.1 or later)
See Activate Licenses for information on installing licenses on the firewall.