Configure SASE Private Location
Configure SASE Private Location in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
  • Minimum version of Prisma Access 6.1 Innovation
  • Minimum dataplane version of PAN-OS 12.1.1
  • (Prisma Access (Managed by Panorama) Deployments only) Minimum Cloud Services Plugin version of 6.1
To activate SASE Private Location, reach out to your Palo Alto Networks account representative, who will contact the Site Reliability Engineering (SRE) team and submit a request.
To create a SASE Private Location, set up a VMware ESXi environment and complete the following steps.

Strata Cloud Manager

To create and configure a SASE Private Location in Prisma Access (Managed by Strata Cloud Manager), complete the following workflow.
  1. Create a hypervisor resource profile.
    You use this profile together with the ESXi instance you created to build the environment for SASE Private Location.
    Optionally, you can create this profile during SASE Private Location setup instead of creating it now.
  2. From Strata Cloud Manager, go to Configuration > NGFW and Prisma Access and select the Prisma Access configuration scope.
  3. Configure the Prisma Access Infrastructure.
  4. Click the gear to configure the Prisma Access Private Locations settings and Add Private Location.
  5. Enter the location details.
    • Enter a unique Name for the private location.
      Don’t use spaces or dashes. Make sure that each SASE Private Location has a unique name, even across multiple tenants. You can’t change the name after you perform a Config Push.
    • (Optional) Enter a Description for this location.
    • Enter the Country, State, and City, and, optionally, the Zip/Postal Code closest to the area where this location will be deployed.
    Prisma Access populates the Latitude and Longitude based on the geographic information you enter.
    Save and Next to save your changes and go to the next section.
  6. Enable service capabilities for your SASE Private Location by entering the estimated number of Mobile Users to secure with SASE Private Location.
    The number depends on the number of mobile users in your Prisma Access license. For example, if you have a mobile user license of 2,000 units, enter a maximum of 2,000 estimated users.
    Save your changes when complete and go to the next section.
  7. Configure settings for mobile users.
    1. Specify the Hypervisor Resource Profile to use, or Create New and create a hypervisor resource profile based on your VMware ESXi environment.
    2. Specify the DNS Server IP address assignment (either DHCP or Static).
      If you want to use a static DNS server, enter the primary server and the secondary server.
    3. Enter the Load Balancer Configuration.
      Use the same IP addresses that you configured for the ESXi environment.
      • Enter the two IP addresses used for the Virtual Public IP Address.
      • Enter the load balancer data plane and management IP settings.
        The wizard populates the IP assignment type (either DHCP or Static) from the IP Assignment you specified under DNS Server settings.
        • If you specified DHCP for IP assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP address configuration.
        • If you specified Static for IP assignment, enter the Data Plane IP and Management IP addresses, including the Primary IP, Secondary IP, Netmask, and Gateway.
    4. Configure your VM instances.
      • Enter the Number of instances you have in your VM.
        You can have from two to four VM instances.
      • If you specified a Static IP address assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP configuration.
      • If you specified a DHCP IP address assignment enter the Data Plane IP address information, including the Primary IP, Secondary IP, Netmask, and Gateway.
    5. Go to the Next step when complete.
  8. Set up a Bastion Agent.
    Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.
    1. Specify a Hypervisor Resource Profile.
      Palo Alto Networks recommends that you use the same VM instance that you specified for the hypervisor resource profile.
      Go to the Next step when complete.
    2. Specify DNS Server settings.
      If you specified Static for IP assignment, enter the Primary Server and Secondary Server IP addresses and the Management IP settings, including the Primary IP, Secondary IP, Netmask, and Gateway.
  9. Review your configuration.
    If you need to make any changes to your configuration, Edit your choices; otherwise, Save & Next to save your changes and go to the next screen.
    Prisma Access populated the Load Balancer Instance Name and the VM Instance Name during onboarding.
  10. Onboard your private location to Prisma Access.
    1. Perform a Config Push to push your configuration.
    2. Confirm the Config Push operation.
      The Push Status window displays. Wait for the job to complete successfully before moving to the next step.
    3. (Optional) To check the status of your pending job, click Job Status.
      To get more details about the status of your job, click the down arrow on the left side of the screen to see the status of the job types.
    4. Wait for the Config Push to display with a green check mark.
  11. Set up your mobile users deployment in Prisma Access.
    1. Select Mobile Users Configuration.
    2. Select a Prisma Access region.
      Select the region where you deployed the SASE Private Location.
    3. Select the SASE Private Location you created and Save your changes.
      Switch from the Map view to a List view to find the location you created; then select the location.
    4. Click the arrow to the left of Prisma Access Locations.
    5. Select the GlobalProtect App tab and select the gear to edit the GlobalProtect settings.
    6. Select Manual Gateway Selection, select the SASE Private Location you created, and Save your changes.
      This step enables your mobile users to manually select this gateway from the GlobalProtect app.
    7. Push Config to save your GlobalProtect configuration changes.
      Make sure that GlobalProtect is in the push scope.
    8. Wait for the second push to complete; then, go to the Next step.
      When a green check mark displays next to Configure Mobile Users, the second push is complete.
  12. Deploy the SASE Private Location to your on-premises environment.
    1. From the onboarding workflow, Generate Authentication Key and copy its contents.
      You use this key in the Terraform template. This authentication key is valid for one hour.
    2. Download Terraform Template and save it to your local device.
      The Terraform template provides you with access to upgrade your Prisma Access dataplane.
    3. Open the Terraform file in a text editing program and edit the following parameters:
      • Replace <vcenter_hostname> with your ESXi hostname.
      • Replace <vcenter_username> with the ESXi username.
      • Replace <vcenter_password> with the ESXi password.
      • Replace <prismasase_deployment_token> with the authentication key you generated and copied in the previous step.
    4. Initialize the Terraform environment by entering the terraform init command, which downloads the required provider.
    5. Generate a plan to review the resources that will be created by entering the terraform plan command.
    6. Apply the configuration to deploy the SASE Private Location components by entering the terraform apply command.
    7. Confirm the deployment when prompted.
      After successful deployment, the SASE Private Location components are provisioned in your VMware ESXi environment. The components will register with the Prisma Access cloud service and become available for configuration through the Prisma Access management interface.
      You can verify the deployment status in the Prisma Access management interface, where the newly deployed SASE Private Location will appear as an available region for your tenant.
  13. Verify that the SASE Private Location deployment was successfully completed.
    1. Go to Configuration > NGFW and Prisma Access, select the Prisma Access configuration scope, and then select Prisma Access Setup.
    2. Check the Prisma Access Private Locations.
      • On-Prem Onboarding Status—Shows the progress of the SASE Private Location onboarding. Onboarding is complete when this field displays Complete.
      • On-Prem Deployment Status—Shows the progress of the SASE Private Location deployment. Deployment is complete when this field displays Complete.
  14. Configure security policy rules specific to your SASE Private Location using tags.

Panorama

To create and configure a SASE Private Location in Prisma Access (Managed by Panorama), complete the following workflow.
  1. Create and configure a hypervisor resource profile to use with your SASE Private location.
    You use this profile together with the ESXi instance you created to build the environment for SASE Private Location.
    Optionally, you can create this profile during SASE Private Location setup instead of creating it now.
  2. From Panorama, go to Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Private Locations and click the gear to edit the settings.
  3. From the Private Locations tab, Add a new private location.
  4. Enter the location details.
    • Enter a unique Name for the private location.
      Don’t use spaces or dashes. Make sure that each SASE Private Location has a unique name, even across multiple tenants. You can’t change the name after you perform a Commit and Push operation.
    • (Optional) Enter a Description for this location.
    • Enter the Country, State, and City, and, optionally, the Zip/Postal Code closest to the area where this location will be deployed.
    Prisma Access populates the Latitude and Longitude based on the city or other geographic information you enter.
    When complete, go to the Next section.
  5. Enable service capabilities for your SASE Private Location by entering the estimated number of users to secure with SASE Private Location.
    The number depends on the number of mobile users in your Prisma Access license. For example, if you have a mobile user license of 2,000 units, enter a maximum of 2,000 estimated users. If you have already set up multiple SASE Private Locations, the total number of mobile users must be distributed across the regions and you cannot allocate the maximum number of mobile users in each region.
    When complete, go to the Next section.
  6. Configure settings for mobile users.
    1. Specify the Hypervisor Resource Profile to use, or Create Profile and create a hypervisor resource profile based on your VMware ESXi environment.
    2. Specify the DNS Server assignment (either DHCP or Static).
      If you want to use a static DNS server, enter the primary Server and the secondary server.
    3. Enter the Load Balancer Configuration.
      Use the same IP addresses that you configured for the ESXi environment.
      • Enter the two IP addresses used for the Virtual Public IP Address.
      • Enter the Management IP Assignment (either DHCP or Static).
        If you use a static Management IP address, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP address configuration.
        Use the same IP addresses that you configured for the ESXi environment.
      • Enter the Load Balancer Data Plane & Management IP Address, including the Primary IP, Secondary IP, Netmask, and Gateway.
    4. Enter the VM instance data plane settings.
      The number of instances depends on the number of mobile users you estimate. For deployments of fewer than 4,000 mobile users, Prisma Access allocates two VM instances; for deployments of 4,000 or more, Prisma Access allocates an additional VM for a total of three.
      • Enter the Management IP Assignment (either DHCP or Static).
        SASE Private Location uses these IP addresses for management only. If you use a static Management IP address, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP configuration.
      • Enter the Data Plane IP address information, including the Primary IP, Secondary IP, Netmask, and Gateway.
    5. Go to the Next step when complete.
  7. Set up a Bastion Agent by specifying a Hypervisor Resource Profile.
    Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.
    Palo Alto Networks recommends that you specify the same VM instance that you specified for the hypervisor resource profile.
    Go to the Next step when complete.
  8. Review your configuration.
    If you need to make any changes to your configuration, go to the Previous selection screens and edit your choices; otherwise, Save and Next to save your changes and go to the next screen.
  9. Perform a Commit and Push operation in Panorama.
    You must exit from the wizard to perform the commit and push operation.
    1. Cancel the configuration process to exit the wizard.
      Canceling the wizard does not lose your configuration changes.
    2. Select Commit > Commit and Push.
    3. Commit and Push your configuration changes.
    4. Wait for the commit and push operation to complete.
  10. Set up your mobile users deployment in Prisma Access.
    1. Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
    2. In the Onboarding section, select the Hostname in the hostname area if you've already configured Prisma Access mobile users, or select Configure in the hostname area to configure it for the first time.
    3. In the Locations tab, select a Prisma Access region.
      Select the region where you deployed the SASE Private Location.
    4. Select the SASE Private Location you created and Save your changes.
      Switch from the Map view to a List view to find the location you created; then select the location.
      Click Yes if prompted to add the location.
  11. Perform another Commit and Push operation by selecting Commit > Commit and Push and Commit and Push your changes.
  12. (Optional) Check the status of your SASE Private Location deployment in the Private Locations tab under Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Private Locations.
    The newly deployed region should show a Prisma Access Onboarding Status of Complete and an On-Prem Deployment Status of Pending. The Pending state indicates that you have not yet deployed the SASE Private Location to your on-premises environment.
  13. Deploy the SASE Private Location to your on-premises environment.
    1. Return to Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Private Locations, select the location you were configuring, go to the Onboarding to Prisma Access step, and click Save and Next.
    2. In the Deploy to your On-Prem Environment step, Generate Authentication Key and copy its contents.
      You use this key in the Terraform template. This authentication key is valid for one hour.
    3. Download Terraform Template and save it to your local device.
      The Terraform .tf template downloads to your local system. You fill out the template with information about your system.
    4. Open the Terraform file in a text editing program and edit the following parameters:
      • Replace <vcenter_hostname> with the ESXi vCenter hostname.
      • Replace <vcenter_username> with the ESXi vCenter username.
      • Replace <vcenter_password> with the ESXi vCenter password.
      • Replace <prismasase_deployment_token> with the authentication key you generated and copied in an earlier step.
    5. Initialize the Terraform environment by entering the terraform init command, which downloads the required provider.
    6. Generate a plan to review the resources that will be created by entering the terraform plan command.
    7. Apply the configuration to deploy the SASE Private Location components by entering the terraform apply command.
    8. Confirm the deployment when prompted.
      After successful deployment, the SASE Private Location components are provisioned in your VMware ESXi environment. The components will register with the Prisma Access cloud service and become available for configuration through the Prisma Access management interface.
      You can verify the deployment status in the Prisma Access management interface, where the newly deployed SASE Private Location will appear as an available region for your tenant.
  14. Verify that the SASE Private Location deployment was successfully completed.
    1. Go to Configuration > NGFW and Prisma Access, select the Prisma Access configuration scope, and then select Prisma Access Setup.
    2. Check the Prisma Access Private Locations.
      • On-Prem Onboarding Status—Shows the progress of the SASE Private Location onboarding. Onboarding is complete when this field displays Complete.
      • On-Prem Deployment Status—Shows the progress of the SASE Private Location deployment. Deployment is complete when this field displays Complete.
  15. Configure security policy rules specific to your SASE Private Location using tags.
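The following shell script is an added example, not code from this page or from Palo Alto Networks, covering the "edit the Terraform template, then terraform init / plan / apply" steps that appear in both the Strata Cloud Manager and Panorama workflows above. Rather than pasting the vCenter password and the one-hour authentication key into the .tf file by hand, it fills the four placeholders the page lists from environment variables, creates the filled file owner-readable only, and refuses to continue if any placeholder survives. The environment variable names, the function names, and the contents of the sample template are assumptions; the page does not show the real template, so the sample only carries the four placeholder names.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks page.
# Assumptions: the template contains exactly the four placeholders the page
# lists; the environment variable and function names are invented here.

# Escape a value for the replacement side of a sed "s|...|...|" command;
# backslash, '&' and the '|' delimiter would otherwise be interpreted.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# fill_template <downloaded.tf> <output.tf>
# Reads VCENTER_HOSTNAME, VCENTER_USERNAME, VCENTER_PASSWORD and
# PRISMASASE_DEPLOYMENT_TOKEN from the environment (assumed names).
# Returns 0 on success, 1 if a variable is unset or empty, 2 if the
# output still contains a <placeholder>.
fill_template() {
    src="$1"
    dst="$2"
    for v in VCENTER_HOSTNAME VCENTER_USERNAME VCENTER_PASSWORD PRISMASASE_DEPLOYMENT_TOKEN; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "fill_template: $v is not set" >&2
            return 1
        fi
    done
    # Create the filled file owner-readable only. The umask change is kept
    # in a subshell so the caller's umask is untouched; the file carries the
    # vCenter password and the one-hour deployment token.
    (
        umask 077
        sed -e "s|<vcenter_hostname>|$(sed_escape "$VCENTER_HOSTNAME")|g" \
            -e "s|<vcenter_username>|$(sed_escape "$VCENTER_USERNAME")|g" \
            -e "s|<vcenter_password>|$(sed_escape "$VCENTER_PASSWORD")|g" \
            -e "s|<prismasase_deployment_token>|$(sed_escape "$PRISMASASE_DEPLOYMENT_TOKEN")|g" \
            "$src" > "$dst"
    ) || return 1
    # A surviving <name> means the template has a placeholder this script
    # does not know about; terraform would otherwise use the literal text.
    if grep -q '<[a-z_]*>' "$dst"; then
        echo "fill_template: unreplaced placeholder(s) in $dst:" >&2
        grep -o '<[a-z_]*>' "$dst" | sort -u >&2
        return 2
    fi
    return 0
}

# deploy_private_location <dir>
# Runs the three commands the page lists from the directory holding the
# filled template. terraform apply prompts for confirmation, as the page
# describes; the prompt is kept (no -auto-approve) so the plan is reviewed
# before anything is created in ESXi.
deploy_private_location() {
    (cd "$1" && terraform init && terraform plan && terraform apply)
}

# write_sample_template <path>
# Constructed stand-in for the downloaded template, used only to exercise
# fill_template offline; it is not the vendor's template.
write_sample_template() {
    cat > "$1" <<'EOF'
# constructed sample, not the vendor template
provider "vsphere" {
  vsphere_server = "<vcenter_hostname>"
  user           = "<vcenter_username>"
  password       = "<vcenter_password>"
}
variable "prismasase_deployment_token" {
  default = "<prismasase_deployment_token>"
}
EOF
}
```

Typical use: export the four variables in the shell session (the token straight from Generate Authentication Key, since it expires after one hour), run `fill_template downloaded.tf deploy/main.tf`, then `deploy_private_location deploy`. Delete the filled file once `terraform apply` has completed so the vCenter password does not linger on disk; the template itself stays free of secrets and can be kept.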