>
    Offboard IoT Security Subscriptions
    Focus
    Download PDF
    Focus
    1. Home
    2. IoT Security
    3. Offboard IoT Security Subscriptions
    Download PDF
    IoT Security

    Offboard IoT Security Subscriptions

    Table of Contents

    Offboard IoT Security Subscriptions

    Deactivate IoT Security licenses, transfer IoT Security subscriptions, or let them expire.
    Where Can I Use This?What Do I Need?
    • Palo Alto Networks Customer Support Portal
    • IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical) OR an IoT Security subscription for Enterprise IoT Security
    There are three ways to offboard IoT Security services from a firewall:
    • Deactivate the IoT Security license on a firewall and optionally transfer it to another firewall
    • Transfer a firewall from one customer support portal (CSP) account to another
    • Let the subscription expire

    Deactivate Firewalls and Transfer Licenses

    If you want to remove an IoT Security license from a firewall—and perhaps then use the license on another firewall—you can do so on the Customer Support Portal.
    1. Log in to your Customer Support Portal account.
    2. Disassociate IoT Security licenses from one or more firewalls.
      1. Select License ManagementActivated Licenses, select the license-to-firewall associations that you want to sever based on firewall serial numbers, and then Deactivate Licenses.
      2. Confirm the deactivation.
        If you want to apply the deactivated licenses to other firewalls and you have multiple IoT Security license purchase orders, note the number of available licenses in the orders on the Activate Products page before confirming the deactivation. Then when you return to this page after deactivating licenses, you can tell which order they were returned to because the license number will have increased.
        This dissociates the selected IoT Security licenses from the firewall serial numbers and returns them to the pool of available licenses in the original order on the Activate Products page.
    3. Verify that the Hub also shows that the IoT Security licenses disassociated from the firewalls.
      Both the IoT Security license and the firewall need to be disassociated on the Hub. If the IoT Security license and the firewalls still show as associated on the Hub, reach out to Palo Alto Networks support.
    4. Associate licenses with other firewalls or reassociate them with the same firewalls.
      1. Select Activate ProductsReady for Activation and then click Activate Now for the order with licenses to activate.
      2. Follow the workflow described in Onboard IoT Security.
        When you reach the point in the onboarding workflow when you select firewalls to subscribe to IoT Security, you can see the length of time remaining for each license in the Purchased Term drop-down list. If you want to apply the same license that you just deactivated to another firewall, you’ll notice that its remaining length of unused time will be shorter than other licenses that haven’t yet been put in service. For example, if the original order contains licenses valid for three years and you used a license for one year before deactivating it, you can easily spot it because its remaining validity period will be the only one listed as just two years.

    Transfer Firewalls between CSP Accounts

    If you have two CSP accounts or are an MSSP managing multiple accounts, you can transfer a firewall from one account to another, perhaps because you’re moving it to a different location managed by a different team with their own account. When you transfer the firewall, all its licenses are transferred along with it. To do this, log in to the CSP and click Devices. Find the device you want to transfer, click its serial number to open a device details pane for it, and then click Transfer Ownership. In the Device Transfer dialog box that appears, enter the destination email address of the owner of the account to which you’re transferring the firewall.

    Let the IoT Security Subscription Expire

    When a firewall no longer has an IoT Security subscription because it expired (and there is no pending license renewal), IoT Security services for that firewall stop and the connection between IoT Security and the firewall is terminated. IoT Security unsubscribes from the firewall log feed. As a result, it stops receiving and processing logs from that firewall. The firewall stops receiving new policy recommendations and IP address-to-device mappings, and it clears its cached mappings after 200 minutes (about three hours). At that point, none of the device-based policy rules using Device-ID will work and should be removed from your policy set. An efficient way to remove them is to check the Source Device and Destination Device columns on the PoliciesSecurity page and remove all rules that have entries in either of these two columns.

    © 2025 Palo Alto Networks, Inc. All rights reserved.