Firewall Subscriptions
Unlock the additional features of Next Generation Firewall and improve your security posture
The frequency and sophistication of cyber attacks are increasing every day. To address this growing threat, many organizations have incorporated proxies, intrusion prevention systems (IPSs), sandboxing, and other security point products alongside their traditional firewalls.
However, this fragmented approach only adds complexity and increases the risk of breaches.
Palo Alto Networks technology is not fragmented, but naturally integrates Next-Generation Firewalls with endpoint and cloud security solutions.
The following Palo Alto Networks subscriptions unlock certain firewall features or enable the firewall to utilize Palo Alto Networks cloud services.

Here you can read more about each service or feature (for version 11 of PAN-OS) that requires a subscription to run on the firewall.

Subscriptions you can use with a firewall

Advanced Threat Prevention
In addition to all the features included in Threat Prevention, the Advanced Threat Prevention subscription provides a built-in cloud-based threat detection and prevention engine, using deep learning models. Advanced Threat Prevention protects your network from unknown and hard-to-detect threats by scanning all network traffic.
GlobalProtect Gateway
It offers mobility solutions and/or great VPN capabilities. By default you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use GlobalProtect's advanced features (HIP checks and related content updates, GlobalProtect Mobile App, IPv6 connections or GlobalProtect Clientless VPN) you will need a GlobalProtect Gateway license for each gateway.
While basic support for WildFire® is included as part of the Threat Prevention license, the WildFire subscription service enables enhanced services for organizations that need immediate threat coverage, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office and Java Applet), as well as the ability to upload files using the WildFire API.
Advanced WildFire
The Advanced WildFire subscription enables zero-day malware detection and prevention. Using a combination of dynamic and static analysis and "Intelligent Run-time Memory" analysis, it detects hidden threats and creates malware blocking protection.

When the Palo Alto Networks firewall detects an unknown pattern, it automatically forwards all supported file types from any application to the WildFire service for advanced WildFire analysis. Based on the properties, behavior, and activity a sample exhibits when analyzed and executed in a protected environment, Advanced WildFire determines whether a sample is benign, grayware, phishing, or malicious, then generates signatures to recognize newly discovered malware and in real-time creates the latest signature that is available for download globally.
Threat Prevention
Threat Prevention defends your network against both widespread but unsophisticated threats and targeted, advanced threats carried out by organized groups of cyber attackers. Threat Prevention includes comprehensive protection against exploits, malware and command-and-control attacks. Palo Alto Networks frequently publishes updates that equip firewalls with the latest threat intelligence.
Threat Prevention provides:
  • Antivirus, anti-spyware (command-and-control) and vulnerability protection.
  • Built-in external dynamic lists you can use to protect your network against malicious hosts.
  • Ability to identify infected hosts trying to connect to malicious domains.
Software-defined wide area network (SD-WAN) is a technology that allows you to use multiple Internet and private services to create an intelligent and dynamic WAN, which helps reduce costs and maximize application quality and usability. Instead of using expensive and time-consuming MPLS with components such as routers, firewalls, WAN path controllers and WAN optimizers to connect your WAN to the Internet, SD-WAN on the Palo Alto Networks firewall allows you to use less expensive Internet services and less equipment. You don't need to buy and maintain other WAN components. The implementation of PAN-OS SD-WAN includes:
  • Centralized configuration management
  • Automatic VPN Topology Creation
  • Traffic distribution
  • Monitoring and troubleshooting
DNS Security
The DNS Security service is designed to protect your organization against advanced DNS-based threats. Applying advanced machine learning and predictive analytics, DNS Security quickly generates enhanced DNS signatures to defend against known malicious DNS categories, as well as real-time DNS request analysis to defend your network against newly generated and unknown malicious domains. DNS Security can detect a variety of C2 threats, including DNS tunneling, domains created using auto-generation, malware hosts, and more. DNS Security requires and works with your subscription to Advanced Threat Prevention or Threat Prevention for complete coverage of DNS threats.
Advanced URL Filtering
It provides the ability to not only control Internet access, but also the way users interact with online content based on dynamic URL categories. You can also prevent credential theft by controlling the sites where users can leave their corporate credentials.
Advanced URL Filtering uses an ML-based security engine to perform real-time Internet traffic inspection. This reduces reliance on URL databases and out-of-band Internet indexing to detect and prevent advanced fileless attacks, including targeted phishing, malware and exploits, social engineering, and other types of web attacks.
IoT Security
IoT Security for next-generation firewalls is designed to dynamically discover and maintain an inventory of IoT devices on your network in real time. Using AI and machine learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying types of IoT devices encountered for the first time. Being dynamic, your IoT device inventory is always up to date. IoT Security also provides automatic generation of policy recommendations for controlling IoT device traffic, as well as automatic creation of IoT device attributes for use in firewall policies.
Enterprise Data Loss Prevention (DLP)
It provides cloud-based protection against unauthorized access, misuse, extraction and sharing of sensitive information. Enterprise DLP provides a single engine for accurate discovery and consistent policy enforcement for sensitive data at rest and in motion using machine learning-based data classification, hundreds of data patterns using regular expressions or keywords, and data profiles that use Boolean logic to scan collective data types.
Virtual Systems
This is a perpetual license and is required to enable support for multiple virtual systems on the PA-3200 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default for the PA-400 series, PA-3400 series, PA-5200 series, PA-5400 series, and PA-7000 (base number varies by platform). PA-220, PA-800 series firewalls and VM firewalls do not support virtual systems
Provides graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on the logs recorded on the firewall.
Cortex Data Lake
It enables centralized log storage and cloud aggregation. Cortex Data Lake is required or highly recommended to support several other cloud-delivered services, including Cortex XDR, IoT Security, and Prisma Access and Traps management services.
SaaS Security Inline
SaaS Security in cooperation with the Cortex Data Lake solution discovers all the SaaS applications used in your network. SaaS Security Inline can discover thousands of Shadow IT applications, who is using them and the details of usage. SaaS Security Inline also applies SaaS policy rules to all existing Palo Alto Networks firewalls.

Reduce complexity with integrated innovation

Request a quote today and discover the power of Palo Alto Networks security services.