Global Protect license

Hi all,

I am looking at the features that the GP (Global Protect) license brings: About GlobalProtect Licenses

I am having a hard time deciding if we need it or not. Our reseller has quoted us (we are based in the Netherlands) 200 Euros per user, per month, which is a huge amount of money, and when I look at the extra features it brings, I don’t see the point unless you really need mobile VPN for phones and IoT.

Most of our users have laptops and phones, but the phones don’t run any VPN and don’t require any.

For the enhanced split-tunneling, I don’t think we’ll need that either.

The only thing is that we currently run the Umbrella roaming client to make sure our laptops are protected even when the VPN doesn’t run. Our reseller is stating we need a GP license to get the same feature, but I can’t find proof of this anywhere in the Palo Alto docs.

I am starting to think we’d be better off with the GP app without a license and try to run the Umbrella roaming client in parallel. Cisco states only PA GP versions < 2 are not working: https://support.umbrella.com/hc/en-us/articles/230561147-Umbrella-Roaming-Client-Compatibility-Guide-for-Software-and-VPNs

Palo Alto GlobalProtect VPN ^ (version 2.x and below)(Windows, Select Modes)

VPNs running in a split-dns mode (where DNS is split between the tunnel and the local network) are not supported by the roaming client.

Split tunneling is generally supported unless noted otherwise. The roaming client effectively creates a split-dns scenario where only domains on the internal domains list configured on the dashboard reach the VPN-configured local DNS servers while all other DNS goes straight to Umbrella resolvers.

EDIT: I am sorry all, I have misread the quote, it is 200 Euros per user per year. Anyway, I really appreciate the feedback.

Palo Alto doesn’t use a per-user licence for GlobalProtect, it’s purchased per firewall and is costed based on the model. Which model are you using?

You are about to be scammed if they are quoting the license based on user.

Just to add to this, yep, Palo don’t do per-user licensing, but more importantly, 2.x is way out of date so shouldn’t even be a factor; current is 5.2.4.

Are you quite sure they were not talking about Prisma Access?

200 Euros per user per month sounds insane. Per year would make more sense if they were adding markup for Prisma Access as that is charged by user per year.

Oh, you should sign up for the Palo Alto Ignite conference which is happening later this week. It’s free and you can ask questions directly to PA reps rather than resellers.

Just to add we run Umbrella with Global Protect and haven’t had any issues.

What features do you need? You might be right that you’re alright with the standard Global Protect and don’t need the subscription for additional features.

Feature comparison: GlobalProtect

If you’re running PAN-OS 8.0 or higher (technically corrected in a later version of 7.1.x), there is no license needed for basic VPN functionality.

For Umbrella/GP, they are right that you would basically need GlobalProtect to get Palo Alto’s DNS Security feature. Palo’s DNS security feature (analysis on the firewall of bad domains/blocking domains by category) is only available when users are on the VPN and their traffic can route to the firewall gateway. This also means you would need to guarantee users are on the VPN all the time, as this feature does not work when they are not on the VPN.
You could configure the GP Gateway to use “always-on” behavior where it stays connected as much as possible, and possibly pair it with cert auth so it isn’t prompting the user to re-auth every 24 hours. This doesn’t completely fix the need to have users be on the VPN since they could just disable their VPN. You might also have some sales folks need to disable VPN while they’re on site at a customer’s office and the VPN isn’t compatible.

My team just suggested to the DNS Security team to think about integrating DNS Security into one of the existing agents like Cortex XDR so it can still work without VPN, since VPN-less users is still a problem we have to overcome. Maybe Palo will take that to heart and do something about that. Until then, no DNS Security license for us.

Umbrella and GP can co-exist, we do that in our org. So long as you have local Umbrella resolvers in your VPN network that can forward DNS lookups along with the config to point computers to their public DNS, it works just fine.

I agree with the other users that the pricing sounds obscene, please check with them to see what exactly you would be buying. The only way that pricing makes sense is if you’re buying Prisma Access, Palo’s global VPN network (you wouldn’t be tied to a single VPN gateway at your office, it would allow users around the world to connect to a nearby gateway to them). This would still require an instance of Panorama to manage your Prisma Access configuration, which is an additional cost.
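The Umbrella compatibility guide quoted in the original post and the coexistence reply above both come down to one rule: names on the dashboard's internal domains list go to the local (VPN-pushed) DNS servers, everything else goes straight to Umbrella. The following is an added illustration of that split-DNS decision, not code from the thread, Cisco or Palo Alto; the domain list and the local DNS address are constructed sample values, and the model assumes the active adapter's DNS is the VPN gateway's when the tunnel is up.

```python
# Added model of the roaming client's split-DNS behaviour (not vendor code).
# Constructed sample values: an internal-domains list as configured on the
# Umbrella dashboard, plus the DNS server a GP gateway would push (hypothetical).
INTERNAL_DOMAINS = ["corp.example.net", "10.in-addr.arpa"]
VPN_LOCAL_DNS = ["10.0.0.53"]
UMBRELLA_RESOLVERS = ["208.67.222.222", "208.67.220.220"]  # Umbrella anycast


def is_internal(qname: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when qname equals, or is a subdomain of, an internal-domains entry.

    Matching is on DNS label boundaries, so 'notcorp.example.net' does not
    match 'corp.example.net' and 'corp.example.net.attacker.example' is not
    treated as internal either.
    """
    q = qname.rstrip(".").lower()
    for entry in internal_domains:
        d = entry.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def choose_resolvers(qname: str, vpn_connected: bool):
    """Return (path, resolver_list) for a query.

    Internal names go to the local DNS servers; when GP is up those are the
    ones the gateway pushed, otherwise the query has no internal resolver
    (the case the thread raises: the feature only helps while on the VPN).
    Everything else is sent to Umbrella regardless of VPN state, which is why
    the roaming client keeps protecting laptops when the tunnel is down.
    """
    if is_internal(qname):
        if vpn_connected:
            return ("local-dns-via-vpn", VPN_LOCAL_DNS)
        return ("local-dns-unavailable", [])
    return ("umbrella", UMBRELLA_RESOLVERS)


if __name__ == "__main__":
    for name, up in [("fileserver.corp.example.net", True),
                     ("fileserver.corp.example.net", False),
                     ("www.example.org", False)]:
        print(name, "vpn" if up else "no-vpn", "->", choose_resolvers(name, up))
```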

I feel if you are not bothered about using VPN on phones, then the only advantage it brings is the host info check.
If you wish to do a host check before allowing the user to access your resources you can get it, or else you may leave it…

The ability to split tunnel on domains alone made it worth it for us. We use that for split tunneling MS update traffic.

Just for info if you are licensed for prisma would you still need a global protect license for vpn?

Tomorrow and Wednesday.

Do you have more details on how to reach out PA reps? Cheers

Thanks good to know!

I look like a fool now, because I have misinterpreted the quote; it is 200 Euros per user per year. I am checking with them whether they are talking about Prisma Access or not.

I was thinking about the always-on function as well, we do run the Umbrella Appliances on-prem and our DHCP servers are configured to lease IP addresses to clients with the appliances as local DNS resolvers.

For info, this comes as part of a project to run VeloCloud appliances; the VM-50 will run on the VeloCloud whiteboxes. For a start we’ll set up 3 VPN gateways for each region where we have staff. Now if they add Prisma to the mix to provide Umbrella-like features, I need to check how each component works together. I’ll get a FW with GP and Prisma; not sure if we are making things too complicated, but in terms of FW we still need services like VLAN segmentation and DMZ zones to publish web services running on our on-prem servers, and I am not sure that’s the type of thing Prisma will allow.

For split tunnel you don’t need a GP license, but I’m unsure if the GP license could cover split tunnel based on DNS…

GlobalProtect license is about 20% of device cost depending on discounts.

A GlobalProtect license is needed for HIP checks, Mobile, GlobalProtect web-based VPN, and possibly Linux. IDK about the Linux.

GlobalProtect on Windows does not need the license if you are not using HIP checks.

Prisma Access is a separate “firewall as a service” and does not require you to have a firewall deployed (depending on what you want to do). You (currently) purchase it as either x number of concurrent users (who connect with the GlobalProtect client) or x Mbps of bandwidth (if you are connecting remote offices over VPN). In both cases, you will not need a separate GlobalProtect subscription because the Prisma Access subscription includes all required subscriptions.

If you wanted to still connect to a firewall, you can set up basic GlobalProtect (which is all that most end users need) for PCs and Macs for free. You could purchase a subscription for the firewall if you needed the extra features for users connecting to the firewall. As you have pointed out, you possibly don’t need the enhanced features.

If you are using a VM-50, get a quote for VM-50 with “BND2” (PAN-VM-50-PERP-BND2-BKLN-1YR or PAN-VM-50-PERP-BND2-PREM-1YR). Bundle 2 licensing gives you Threat Prevention, WildFire, DNS Security, URL Filtering and GlobalProtect. (Bundle 1 just gives you Threat Prevention). BND2 is about 30% more expensive than BND1 but you get a lot more subscriptions for it.

The always-on DNS protection is an interesting one. /u/Jemikwa’s response is good.