: Get Started with Common Services: License Activation, Subscription, Tenant Management, & Product Management
Focus
Focus

Get Started with Common Services: License Activation, Subscription, Tenant Management, & Product Management

Table of Contents

Get Started with Common Services: License Activation, Subscription, Tenant Management, & Product Management

Get Started with Common Services: License Activation, Subscription, Tenant Management, & Product Management.
Welcome to License Activation, Subscription, Tenant Management, and Product Management. Activate and manage all your available licenses from one location. In multitenant deployments, you can create multiple tenants, build a hierarchy, and share and allocate license subscriptions for the desired tenants.
Strata Cloud Manager is for commercial deployments only and not yet available for Prisma SASE FedRAMP Moderate or High "In Process." For the Prisma SASE FedRAMP Moderate or High "In Process" deployments see the Prisma SASE Platform.

Activate a Free Product

Products offered for free, such as AIOps Free and CIE, don't need an activation link or auth code for activation. The hub serves as the entry point for you to activate such products. If you have a Customer Support Portal account with access to authenticate on the tenant view of the hub, you can see all the products available to you for activation.
Activating a product from the tenant view of the hub creates a single tenant where the product is deployed.
After you activate a product, you have access to Common Services to manage your product from the hub or Strata Cloud Manager. You get assigned the Superuser role to manage your product.

Activate a License or Subscription for Paid Products

First-time license activation for paid products is through an email that you receive from Palo Alto Networks regarding. The email contains an activation link. Activating a product from the activation link creates a single tenant where the product is deployed.
After you activate a product, you have access to Common Services to manage your product from the hub or Strata Cloud Manager. You get assigned the Superuser role to manage your product.

Single Customer Support Portal Activation Behavior

See the license activation topics in this guide for details about activating specific products. In general, for a single Customer Support Portal account, certain fields in the activation form are prepopulated for you. Depending on your product, you might be asked to select a region where you want to deploy the product, to select or create Strata Logging Service to store your logs, to select or create a Cloud Identity Engine instance to identify and verify all users across your infrastructure, or to associate devices or appliances.
  • In the activation workflow, the Customer Support Portal account associated with the user is prepopulated if there is only one Customer Support Portal account associated with the user.
  • For the selected Customer Support Portal account, if there is no prior tenant associated, the tenant field is autopopulated with the same name as the Customer Support Portal account.
  • After completing the activation, the user who is activating the first product is added as a superuser on the selected tenant, and can also add other users.
  • The default tenant can't be deleted as long as there are products activated in the tenant.
  • If the user's selected Customer Support Portal account has a previously mapped tenant, and the user activating a license does not have access to that tenant, the user is informed to contact the tenant account admin to request access.

Multiple Customer Support Portal Activation Behavior

See the license activation topics in this guide for details about activating specific products. In general, if you have multiple Customer Support Portal accounts, you will select the Customer Support Portal account that you want to use for managing your product. Depending on your product, you might be asked to select a region where you want to deploy the product, to select or create Strata Logging Service to store your logs, to select or create a Cloud Identity Engine instance to identify and verify all users across your infrastructure, or to associate devices or appliances.
  • If there are multiple Customer Support Portal accounts associated with the user activating a license, the user can select a specific Customer Support Portal account.
  • For the selected Customer Support Portal account, if there is no prior tenant associated, the tenant field is autopopulated with a default tenant that has the same name as the Customer Support Portal account name.
  • After completing the activation, the user who is activating the first product is added as a superuser on the selected tenant, and they should be able to add other users.
  • If the selected Customer Support Portal account has a previously mapped tenant, and the user does not have access to that tenant, the user is informed to contact the account admin to request access.
  • If users require a multitenant setup, they are provided with an option to create a new tenant or a child tenant. They can create the hierarchy with the first child in the tenant management page. They can select the child tenant or create a new child tenant from the activation workflow.
  • If multiple tenants exist where products have been previously activated for the Customer Support Portal account, but the user does not have access to those tenants, the user is warned that the product will be activated in a different tenant from where the other services are currently active. The user gets the option to proceed anyway, but is warned that dependent products need to be activated in the same tenant.

Managed Security Service Provider (MSSP) Activation Behavior

See the license activation topics in this guide for details about activating specific products. In general, for a Managed Security Service Provider (MSSP), you will select the Customer Support Portal account that you want to use for managing your customers' products. You will create a tenant hierarchy to manage them. Depending on the product, you might be asked to select a region where you want to deploy the product, to select or create Strata Logging Service to store the logs, to select or create a Cloud Identity Engine instance to identify and verify all users across the infrastructure, or to associate devices or appliances.
After you activate a tenant heirarchy, you have access to Common Services to manage your tenants from the hub or Strata Cloud Manager. You can also use Strata Multitenant Cloud Manager aggregated views for monitoring information across all of your tenants.
  • In the case of managed security service providers (MSSP), the end customers are managed by the MSSP that owns the Customer Support Portal account.
  • The default tenant is associated with the MSSP Customer Support Portal account. The user activating the product must be granted access to that tenant, and then user can create child tenants and activate products in the child tenant.

How to Access Subscription Management, Tenant Management, and Product Management

After you activate a license for your product, there are a few ways to access Subscription Management, Tenant Management, and Product Management.
Prisma SASE Multitenant Portal and FedRAMP
Single Tenant View of the hubMultienant View of the hub Single Tenant AIOps for NGFW and Strata Cloud ManagerMultitenant AIOps for NGFW and Strata Cloud Manager
If you're a FedRAMP Moderate customer as of January 2024 or Prisma SASE FedRAMP High "In Process" customer as of December 2023, the following also applies to you.
If you have received information about the transition of your tenant to the Prisma SASE Multitenant Portal, you can access through the original support account view of the hubPrisma SASE Platform button Tenants and ServicesCommon ServicesSubscription or Tenant Management.
From the tenant view of the hubCommon Services button, you will see Subscriptions & Add-ons Products in a single tenant environment.
From the tenant view of the hubCommon Services button, you will see Subscriptions & Add-ons Tenant Management in a multitenant environment
If you have a single tenant, you can access through SettingsSubscriptions or Products .
If you have a multitenant environment, you can access through SettingsSubscriptions or Tenants .
Regardless of how you access Subscriptions or Tenants, you’ll use approximately the following flow to manage your deployment.
  1. Activate licenses for your deployment type.
  2. Manage your product or tenants.
  3. Manage users, roles, and service accounts with identity and access.
  4. (Optional) Manage devices in your deployment with Device Associations.
  5. (Optional) View health, security, and telemetry metrics with AIOps for NGFW.
  6. (Optional) Monitor and manage items such as multitenant status, alerts, alarms, virtual ION devices through the Strata Multitenant Cloud Manager.
See the Common Services FAQ for further information about tenants, the tenant transition, or the tenant view of the hub.