: Enterprise License Agreement Add-on Activation
Focus
Focus

Enterprise License Agreement Add-on Activation

Table of Contents

Enterprise License Agreement Add-on Activation

Learn about Enterprise License Agreement Add-on activation.
Where Can I Use This?What Do I Need?
  • hub
  • Commercial deployments
  • AIOps for NGFW
  • IoT Security
  • Customer Support Portal (CSP) account with Enterprise License Agreement (ELA) enabled
  • Strata Logging Service
  • Role: Multitenant Superuser, Superuser, or Business Administrator
The add-on for ELA is a consumption model for large enterprises to assign subscriptions in bulk to assets purchased from Palo Alto Networks.
ELA offers the flexibility to enable any of the following licenses that are supported for a tenant or TSG:
You can start the ELA activation process in either the hub or Customer Support Portal as described in the following sections.

Activate ELA AIOps for NGFW Premium Through Common Services

Learn how to activate a premium add-on Enterprise License Agreement (ELA) of AIOps for NGFW Premium on a tenant through Common Services.
This task shows how to activate Enterprise License Agreement (ELA) for AIOps for NGFW Premium license.
Strata Cloud Manager is now available, featuring two licensing tiers: Strata Cloud Manager Essentials and Strata Cloud Manager Pro. This unified structure streamlines the deployment of network security offerings, including AIOps for NGFW, Autonomous Digital Experience Management (ADEM), cloud management functionality, and Strata Logging Service. See Strata Cloud Manager License.
  1. Use one of the following activation methods.
    • Log into the hub and activate from tenant view of the hubELA ActivationAIOps for NGFW:
    • Log into the Customer Support Portal and activate from Customer Support PortalDevicesELA AIOps Activation:
  2. You are automatically directed to Common ServicesSubscription & Add-ons, where you activate the subscription for your product.
  3. Select the same Tenant that you used for Strata Logging Service, so that you can associate ELA for AIOps on the same tenant where you want AIOps to be applied.
  4. The Customer Support Account is grayed out, but is auto-populated with the same CSP that you used for Strata Logging Service.
  5. The Region is grayed out, but is auto-populated with the same region that you used for Strata Logging Service.
  6. The UI shows if you have Strata Logging Service available in this tenant where you can apply ELA for AIOps.
  7. Agree to the terms and conditions, and Activate.
  8. Common ServicesTenant Management displays the status of the activation, such as initializing or complete.
  9. After the status is complete, you must go to the Common ServicesDevice Associations tab to select the devices and apply ELA for AIOps on them: Device Associations.
    If the status is not complete, you cannot apply ELA for AIOps on the devices yet.
  10. After the status is complete, you can launch AIOps from one of the following options.
    • Launch from email.
    • Launch from the hub tile.
    • Launch from Common ServicesTenant Management.
  11. Get started with AIOps for NGFW.
  12. (Optional) Manage identity and access. Assign role of Superuser or Business Administrator. The CSP-level access is not sufficient.

Activate ELA for IoT Security Through Common Services

Learn how to activate an add-on Enterprise License Agreement (ELA) for IoT Security on a tenant through Common Services.
  1. Start the ELA activation process from either the hub or Customer Support Portal.
    Hub: Log in to the hub and, from the tenant view, click ELA ActivationIoT Security at the top of the page.
    or
    Customer Support Portal: Log in to your customer support portal account, select Products Enterprise AgreementsLicenses, and then click ELA-IoT Activation.
    Whether you start in the hub or Customer Support Portal, both actions load a magic link that opens the Activate IoT Security page on the hub.
  2. Activate the IoT Security ELA for a tenant service group.
    1. Choose an existing tenant service group (TSG) tenant or create a new one. A TSG essentially associates firewalls with applications such as IoT Security.
    2. Choose the firewall deployment region.
    3. Create a new IoT Security tenant URL by entering a unique subdomain to complete <subdomain>.iot.paloaltonetworks.com.
      This is the URL where you'll log in to your IoT Security portal.
      If you want to convert an existing IoT Security tenant from using one or more IoT Security licenses to an IoT Security Enterprise License Agreement, contact your Palo Alto Networks sales representative.
    4. Agree to the terms and conditions and then Activate.
  3. Go to the Common ServicesDevice Associations tab to add firewalls to the TSG tenant, associate them with the IoT Security app, and then apply the Enterprise IoT Security ELA to them: Device Associations.
  4. In the Customer Support Portal, select ProductsDevices and view the entries in the License column for your firewalls to confirm that IoT Security is now applied to them.
  5. Continue setting up IoT Security to work with your firewalls.
    To log in to your IoT Security portal, return to Common Services on the hub and select the IoT Security link on either the Tenant Management page or the Device Associations page.
    For IoT Security (Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security), see Onboard IoT Security.
    For Enterprise IoT Security, see Onboard Enterprise IoT Security.
  6. (Optional) Manage identity and access to IoT Security.
    To create an IoT Security user with owner privileges plus the ability to generate one-time passwords (OTPs) and pre-shared keys (PSKs), add a user account in the Customer Support Portal and assign a Superuser role in the relevant tenant service group (TSG) in Identity & Access (this is described in the following steps.) To create an IoT Security user with all owner privileges except the ability to generate OTPs and PSKs, add the new user account in Identity & Access and assign a Superuser role in Identity & Access. To create an IoT Security user with read-only privileges, add a user account in Identity & Access and assign a View Only user role in Identity & Access.
    1. (Optional) Add a user account in the Customer Support Portal. New users only need to be added to the Customer Support Portal accounts if they need access to operate onboarding or offboarding tasks, such as generating OTPs and PSKs. To create a new user in the Customer Support Portal:
      1. Log in to the Customer Support Portal with superuser permissions, which allow you to create new user accounts.
      2. Select Members Create New User, enter the required information, and then Submit.
      A new user account is created and added to the account as a member. An email notification is sent to the new user with login credentials.
    2. Log in to the hub, navigate to Common ServicesIdentity & Access/Access Management.
    3. Add Identity.
      Users added in the Customer Support Portal are separate from users added in Identity & Access.
    4. To assign a role to the user you created, select the user, Assign Roles, choose IoT Security in Apps & Services, choose one of the options in Role, and then Assign Role.