: Manage VM-Series ELA License Tokens
Focus
Focus

Manage VM-Series ELA License Tokens

Table of Contents

Manage VM-Series ELA License Tokens

Learn how to activate the Enterprise Level Agreement (ELA) authorization code and manage the license token pool.
The VM-Series Enterprise License Agreement (Multi-Model ELA) (VM-Series ELA) gives you the flexibility of having a single contract that you can share with other administrators in your enterprise. You must have the super user role on the Palo Alto Networks Customer Support Portal (CSP) to activate the ELA, and upon activating the ELA authorization code you inherit the ELA administrator role on the CSP.
With the ELA administrator role, you can manage the license token pool available to deploy VM-Series firewalls and subscriptions included in the agreement. You can invite other administrators to share the VM-Series ELA tokens, grant which models and how many instances of the VM-Series firewalls are available to each administrator, as well as remove CSP accounts from your VM-Series ELA. Depending on what you allocate for each grantee, they receive a specific number of tokens that they can then use to deploy VM-Series firewalls.
Additional purchases and grants do not directly add to the number of available VM-Series firewalls in a CSP account; instead, ELA license tokens are added to the VM-Series ELA token pool. The ELA license tokens can subsequently be allocated by the ELA administrator to a given CSP account to increase the number of available VM-Series firewalls.
  1. (Legacy VM-Series ELA Customers only) Designate an ELA administrator to manage tokens.
    Existing enterprise license customers who have been migrated to the Multi-Model ELA must designate an ELA administrator to manage VM-Series ELA license tokens. Upon conversion, no other action is necessary for continued operation of your firewalls, however, you will not be able to (re)allocate tokens for deploying firewalls until an ELA administrator has been assigned. Only an administrator with a super user role on the CSP has the ability to designate an ELA administrator, who in turn, can manage tokens or grant tokens to other administrators.
    1. Log in to the Palo Alto Networks CSP.
    2. Select MembersManage Users.
    3. Click on the pencil icon under Actions to edit the user to whom you want to assign the ELA administrator role.
    4. Select ELA Administrator and then click the check mark to add the new role to the selected user.
    5. Continue to step 3.
  2. Activate the ELA authorization code.
    The administrative user who activates the ELA inherits the ELA administrator and super user role on the CSP and has the ability to manage the tokens or grant the tokens to other administrators.
    1. Log in to the Palo Alto Networks CSP.
    2. Select ProductsEnterprise AgreementsActivate Enterprise Agreement.
    3. Enter the Authorization Code and Agree and Submit the EULA.
      Verify the authorization code is registered to your account under Enterprise Agreements: VM-Series. The page displays the Auth Code, Account ID, Account Name, License Description, Expiration Date, the number of Licenses (used/total) you have, and how many are available to deploy within the bounded and unbounded period of the agreement.
    4. Select ProductsVM-Series Auth-Codes to view the authorization codes for deploying each model of the VM-Series firewall and associated subscriptions included with the ELA.
  3. Grant ELA access to other administrators in your enterprise.
    This capability allows you to share the VM-Series ELA with other administrators within your enterprise or department so that they can deploy VM-Series firewalls on demand. As an ELA administrator, you can grant access to other users who are registered with an email address on the CSP.
    1. On ProductsEnterprise Agreements, select Grant ELA Access.
    2. Enter the Destination Email address of the administrator whom you want to invite.
      The destination email address that you enter above must be a registered user on the CSP with a super user role so that they can log in and accept the grant. If the email address is not registered on the CSP, you must first create a new account for the user on MembersCreate New User.
    3. Select Notify User to trigger a notification email to the email address you entered.
      The recipient must log in to the CSP to Accept the VM-Series ELA. After the recipient accepts the grant, the account ID is available on ProductsEnterprise Agreements as shown in the following screenshot.
  4. Allocate tokens for deploying firewalls.
    1. Select ProductsEnterprise AgreementsManage VM-Series Tokens.
      For each account ID, you can specify the number of firewalls by model that you want to allocate. Based on the quantity and firewall model, the number of tokens are automatically calculated and become available for use. In this example, you are allowing 10 instances each of the VM-50 and the VM-500.
    2. Verify that the accurate number of firewall instances are deposited in the account.
      Select ProductsVM-Series Auth-Code to confirm the auth codes you allotted. In this example, the account has the ability to provision 10 instances each of the VM-50 and the VM-500. As the recipients deploy firewalls, the number of tokens are deducted from the total available pool, and you can view the number of firewall instances that they have provisioned as a ratio of the total quantity you allocated for them. As your security needs evolve, you have the flexibility to allocate more quantity and allow access to a different VM-Series firewall model as long as you have tokens available.
  5. Remove a CSP account from the VM-Series ELA to reclaim tokens.
    You cannot reclaim a portion of the tokens allocated to a CSP account. By reclaiming tokens, you are removing the entirety of the CSP account from the VM-Series ELA and reallocating all associated tokens to the token pool.
    1. Verify that all tokens associated with the CSP account that you want to remove are not being utilized by the VM-Series firewalls. Deactivate the VM-Series firewalls as necessary to provision tokens for removal.
    2. Select ProductsEnterprise Agreements > Manage VM-Series Token.
      Select the account ID from whom you want to reclaim tokens from and click Reclaim Token. If tokens are available for reclamation, you will receive a confirmation of a successful removal.