Activate a License for

Prisma Access

Multitenant FedRAMP High "In Process" Through

Common Services

Select
Get Started with
Prisma Access
in your email.
Select the activation flow for
MSP and Distributed Enterprise
.
Use
MSP and Distributed Enterprise on Cloud Management
for first-time multitenant activation:

Use
Cloud Management
for return visits to multitenant license activation:

Provide your work email address
,
Create your password
, and
Continue
.
The service uses this email address for the user account assigned to the tenant that you use for this license. This tenant, and any others created by this email address, will have the
Multitenant Superuser
role.
If you have a Palo Alto Networks Customer Support FedRAMP account, then enter the email address you used when you registered for that account.
If you do not have a Palo Alto Networks Customer Support FedRAMP account, then
Create a New Account
.
Select your products to highlight them for activation, then
Activate
.
You are automatically directed to
Common Services
Subscription & Add-ons
, where you
Claim
the subscription for your product.

Choose the
FedRAMP Customer Support account
number that you want to use to claim the license.
Make sure that you intend to set up a multitenant hierarchy. This is typically for Managed Security Service Providers (MSSPs) or distributed enterprises. If you only want a single tenant, activate a license for single tenant cloud-managed
Prisma Access
FedRAMP instead.
Create New
tenant that you want to use for this license. This is not necessarily the actual tenant you will use when allocating this license but is, instead, the top-most, root-level name of the parent tenant service group under which you will create the child tenants and activate the licenses.

Claim and continue
.
You are automatically directed to
Tenant Management
to the parent tenant where the license was claimed.
Edit Tenant
to give the tenant a name of your choice, such as ParentTenant in the examples that follow. You can also add a business vertical and a support contact.

Add a
New Tenant
to create a multitenant hierarchy, such as ChildTenantEast and ChildTenantWest in the examples that follow. You can also add a business vertical and a support contact.

Select a tenant where you want to add your licensed product.
Prisma Access
can be activated against any tenant in the hierarchy — there is no requirement for the parent tenant to have
Prisma Access
activated.
The requirements are different if you add
Prisma SD-WAN
to an existing
Prisma Access
tenant.

Select the
Contract
for the product in the
Gov Region
where you want to deploy your product.

There is no cross-region aggregation. Make sure that all your tenants are in the same region for monitoring purposes.
Toggle
Activate
Prisma Access
to view your activation choices.
Choose how to allocate the
Prisma Access
License:

Allocate part of the license to this tenant if you want to conserve part of the license for another tenant.
Allocate the entire license to this tenant if you do not have other tenants or if you have other licenses available to allocate to your other tenants.
Share a
Prisma Access
license
Allocate licenses per number of mobile users (MU).

The maximum number of users available for your first tenant is based on your
Prisma Access
license quantity.
The number of users available for other tenants is based on the remainder after allocation.
Based on your license, you need a minimum capacity to share with another tenant. For example,
Prisma Access
local edition requires a minimum of 200 licenses that need to be allocated whether it's a root tenant or a child tenant, but
Prisma Access
global or worldwide edition requires a minimum of 1000 licenses that need to be allocated whether it's a root tenant or a child tenant.
If you have a license that is a combination of MU+RN together, you can’t split it into different tenants. For example, a 200 MU+RN local edition license still needs to be split as minimum 200 MU+RN in each tenant. You can’t have 200 MU in one tenant and 200 RN in another tenant.
Secure mobile users with
Prisma Access
.
Allocate licenses per bandwidth of remote networks (RN).

The maximum amount of bandwidth available for your first tenant is based on your
Prisma Access
license quantity.
The amount of bandwidth available for other tenants is based on the remainder after allocation.
Based on your license, you need a minimum capacity to share with another tenant. For example,
Prisma Access
local edition requires 200 Mbps that need to be allocated whether it's a root tenant or a child tenant, but a Prisma Access global or worldwide requires min of 1000 Mbps that need to be allocated whether it's a root tenant or a child tenant.
If you have a license that is a combination of MU+RN together, you can’t split it into different tenants. For example, a 200 MU+RN local edition license still needs to be split as minimum 200 MU+RN in each tenant. You can’t have 200 MU in one tenant and 200 RN in another tenant.
Secure remote networks with
Prisma Access
.
Choose how many locations to allocate to your tenant.

If you have a local edition license, the default number of locations is 5, and the number available for allocating to your tenants is based on the Additional Locations add-on. If you have a global or worldwide license, the number of locations is unlimited, so you do not have the option to add the quantity.
The select/deselect checkbox is available for toggle if you have chosen to allocate part of the license to this tenant for
Prisma Access
license sharing.
The number available for other tenants is based on the remainder after allocation.
Set up your data lake.

Allocate part of the part of the available storage to this tenant if you want to conserve part of the storage for another tenant.
Allocate the entire available storage to this tenant if you do not have other tenants or if you will purchase additional capacity to allocate to your other tenants.
Based on your license, you need a minimum capacity to share with another tenant. For example, a
Prisma Access
local and business licenses require 1 TB.
See
Cortex Data Lake
Getting Started Guide.
Products
or
Add-ons
are enabled by default based on your contract.
Disable (deselect) add-ons you don’t want to activate now, such as Autonomous DEM and Service Connection.



Use the following settings for the CASB Bundle:
URL Subnet
is the URL to launch the corresponding service UI.
Agree to the Terms and Conditions
.
Activate Now
. The products and add-ons that you are activating (such as
Prisma Access
or
Cortex Data Lake
) are now provisioned. As the subscriptions are activating, the progress status will display. When the process is complete, the tenant status displays as
Up
. You now have a tenant provisioned with instances of the products that you purchased. The tenant has one user — the Customer Support account that you used when you began this process.
To complete the product setup, you must access the products you purchased and perform any required post-installation configuration. For information about your products, see:
Open APIs
Cortex Data Lake
Getting Started Guide
Prisma Access
Cloud Managed Administrators Guide
Prisma Access
Insights Administrators Guide
Next-Generation CASB
Enterprise DLP
Autonomous DEM in
Prisma Access
(
Optional
) In a multitenant hierarchy, monitor your tenants with the
Prisma Access
Summary Dashboard.
(
Optional
) add user access and assign roles.