Multitenancy Configuration Overview

Use the following workflow to enable and configure the ability to manage multiple tenants in a single Panorama appliance.
  1. Enable multitenancy. If you have an existing GlobalProtect cloud service instance, enabling multitenancy automatically migrates your existing GlobalProtect cloud service configuration to the first tenant.
    Device group configuration automatically changes when you upgrade the Cloud Services plugin and requires additional configuration changes. See Enable Multitenancy and Migrate the First Tenant for details.
  2. Then, Add Tenants to GlobalProtect Cloud Service. After you migrate your initial configuration, the administrative user in Panorama becomes a superuser with the ability to create and manage all GlobalProtect cloud service tenants.
    If you deploy GlobalProtect cloud service for remote networks in multi-tenant mode, you must have a minimum of 500 Mbps available in your license for each tenant. If you deploy GlobalProtect cloud service for mobile users in multi-tenant mode, you must have a minimum of 500 mobile users available in your license for each tenant. In both types of GlobalProtect cloud service configurations, you can add additional licensing (above these minimums) of either type on a per-tenant basis. You can increase or decrease the bandwidth or mobile user allocation for any tenants after onboarding, as long as you keep the minimum required allocation per tenant, and the overall licensed capacity is not exceeded.
    You must create templates and template stacks, device groups, and access domains for each tenant. Creating a separate environment for each tenant allows you to create a tenant-level administrative user by creating an administrative role based on the tenant’s device groups and templates, then creating an administrative user based on that role. In this way, you create an administrative user that has access to a single tenant without allowing that user access to the other tenants that are managed by the Panorama appliance.
    You allocate remote network and mobile user license resources for each tenant based on the license that is associated with the Cloud Services plugin in Panorama.
    The following figure shows a GlobalProtect cloud service license with a 20,000 Mbps remote network bandwidth pool and 20,000 mobile users. The administrator allocated 5,000 Mbps in remote network bandwidth and 5,000 mobile users for the existing configuration. After the administrator enabled multitenancy, the license allocation migrated along with all other configuration to the first tenant. The administrator then created additional tenants, each with a 5,000 Mbps bandwidth pool for remote networks and 5,000 mobile users. The GlobalProtect cloud service allocates the license resources from the overall license allocation. After you complete this configuration, 5,000 Mbps of remote network bandwidth and 5,000 mobile users remain available in the license.
    Each tenant can use up to 3 service connections with no cost to the license. You can add more than 3 service connections to each tenant; however, each additional service connection takes 300 Mbps from your remote network license.
    [Figure: license allocation across tenants (multi-tenant-licenses.png)]
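The allocation rules in step 2 can be checked before onboarding tenants. The following is an added example, not Palo Alto Networks code: `Tenant` and `check_plan` are hypothetical names, an allocation of 0 is assumed to mean that deployment type is not used for the tenant, and the 300 Mbps per additional service connection is assumed to come out of the overall remote network pool.

```python
from dataclasses import dataclass

# Limits stated on this page
MIN_MBPS = 500          # minimum remote network bandwidth per tenant
MIN_USERS = 500         # minimum mobile users per tenant
FREE_SERVICE_CONNS = 3  # service connections per tenant at no license cost
EXTRA_CONN_MBPS = 300   # bandwidth taken by each additional service connection


@dataclass
class Tenant:
    name: str               # hypothetical tenant label
    mbps: int = 0           # remote network allocation (assumption: 0 = not deployed)
    users: int = 0          # mobile user allocation (assumption: 0 = not deployed)
    service_conns: int = 0  # number of service connections planned


def check_plan(pool_mbps, pool_users, tenants):
    """Return (errors, remaining_mbps, remaining_users) for a planned allocation."""
    errors = []
    used_mbps = used_users = 0
    for t in tenants:
        if 0 < t.mbps < MIN_MBPS:
            errors.append(f"{t.name}: {t.mbps} Mbps is below the {MIN_MBPS} Mbps minimum")
        if 0 < t.users < MIN_USERS:
            errors.append(f"{t.name}: {t.users} users is below the {MIN_USERS} user minimum")
        # Assumption: extra service connections are charged to the overall pool.
        extra = max(0, t.service_conns - FREE_SERVICE_CONNS)
        used_mbps += t.mbps + extra * EXTRA_CONN_MBPS
        used_users += t.users
    if used_mbps > pool_mbps:
        errors.append(f"remote network pool exceeded by {used_mbps - pool_mbps} Mbps")
    if used_users > pool_users:
        errors.append(f"mobile user pool exceeded by {used_users - pool_users} users")
    return errors, pool_mbps - used_mbps, pool_users - used_users


if __name__ == "__main__":
    # Constructed plan matching the figures above: 20,000 / 20,000 license,
    # three tenants at 5,000 Mbps and 5,000 users each (tenant names are made up).
    plan = [Tenant(f"tenant-{i}", 5000, 5000, 3) for i in (1, 2, 3)]
    print(check_plan(20000, 20000, plan))
    # A fourth tenant with 5 service connections costs 5,000 + 2 * 300 Mbps.
    plan.append(Tenant("tenant-4", 5000, 5000, 5))
    print(check_plan(20000, 20000, plan))
```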
