Prisma Access
Panorama
Table of Contents
Panorama
- Create and configure a hypervisor resource profile to use with your SASE Private location.You use this profile with the ESXi instance you created to create an environment for SASE Private Location.Optionally, you can create this profile during SASE Private Location setup instead of creating it now.From Panorama, go to and click the gear to edit the settings.
![]()
From the Private Locations tab, Add a new private location.![]()
Enter the location details.- Enter a unique Name for the private location.
Don’t use spaces or dashes. Make sure that each SASE Private Location has a unique name, even across multiple tenants. You can’t change the name after you perform a Commit and Push operation.
- (Optional) Enter a Description for this location.
- Enter the Country, State, and City, and, optionally, the Zip/Postal Code closest to the area where this location will be deployed.
Prisma Access populates the Latitude and Longitude based on the city or other geographic information you enter.When complete, go to the Next section.![]()
Enable service capabilities for your SASE Private Location by entering the estimated number of users to secure with SASE Private Location.The number depends on the number of mobile users in your Prisma Access license. For example, if you have a mobile user license of 2,000 units, enter a maximum of 2,000 estimated users. If you have already set up multiple SASE Private Locations, the total number of mobile users must be distributed across the regions and you cannot allocate the maximum number of mobile users in each region.When complete, go to the Next section.![]()
Configure settings for mobile users.- Specify the Hypervisor Resource Profile to use, or Create Profile and create a hypervisor resource profile based on your VMware ESXi environment.
![]()
Specify the DNS Server assignment (either DHCP or Static).If you want to use a static DNS server, enter the primary Server and the secondary server.Enter the Load Balancer Configuration.Use the same IP addresses that you configured for the ESXi environment.- Enter the two IP addresses used for the Virtual Public IP Address.
- Enter the Management IP Assignment (either
DHCP or
Static). If you use a static Management IP address, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP address configuration.Use the same IP addresses that you configured for the ESXi environment.
- Enter the Load Balancer Data Plane & Management IP Address,
including the Primary IP,
Secondary IP,
Netmask, and
Gateway.
![]()
Enter the VM instance data plane settings.The number of instances depend on the number of mobile users you estimate to use. For deployments of fewer then 4,000 mobile users, Prisma Access allocates two VM instances; for deployments of 4,000 or more, Prisma Access allocates an additional VM for a total of three.- Enter the Management IP Assignment (either
DHCP or
Static). SASE Private Location uses these IP addresses for management only. If you use a static Management IP address, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP configuration.
- Enter the Data Plane IP address information, including the
Primary IP, Secondary
IP, Netmask, and
Gateway.
![]()
Go to the Next step when complete.Set up a Bastion Agent by specifying a Hypervisor Resource Profile.Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.Palo Alto Networks recommends that you specify the same VM instance that you specified for the hypervisor resource profile.![]()
Go to the Next step when complete.Review your configuration.If you need to make any changes to your configuration, go to the Previous selection screens and edit your choices; otherwise, Save and Next to save your changes and go to the next screen.![]()
Perform a Commit and Push operation in Panorama.You must exit from the wizard to perform the commit and push operation.- Cancel the configuration process to exit and wizard.Canceling the wizard does not lose your configuration changes.
![]()
Select .![]()
Commit and Push your configuration changes.![]()
Wait for the commit and push operation to complete.Set up your mobile users deployment in Prisma Access.- Select .In the Onboarding section, select the Hostname in the hostname area if you've already configured Prisma Access mobile users, or select Configure in the hostname area to configure it for the first time.
![]()
In the Locations tab, select a Prisma Access region.Select the region where you deployed the SASE Private Location.![]()
Select the SASE Private Location you created and Save your changes.Switch from the Map view to a List view to find the location you created; then select the location.![]()
![]()
Click Yes if prompted to add the location.Perform another Commit and Push operation by selecting and Commit and Push your changes.(Optional) Check the status of your SASE Private Location deployment by checking your deployment in the Private Locations tag under .The newly-deployed region should show a Prisma Access Onboarding Status of Complete and an On-Prem Deployment Status of Pending. The Pending state indicates that you have not yet deployed the SASE Private Location to your on-premises environment.![]()
Deploy the SASE Private Location to your on-premises environment.- Return to , select the location you were configuring, go to the Onboarding to Prisma Access step, and click Save and Next.
![]()
In the Deploy to your On-Prem Environment step, Generate Authentication Key and copy its contents.You use this key in the Terraform template. This authentication key is valid for one hour.![]()
Download Terraform Template and save it to your local device.The Terraform .tf template downloads to your local system. You fill out the template with information about your system.![]()
Open the Terraform file in a text editing program and edit the following parameters:- Replace <vcenter_hostname> with your ESXi hostname.
- Replace <vcenter_username> with the ESXi username.
- Replace <vcenter_password> with the ESXi password.
- Replace <prismasase_deployment_token> with the authentication key you just downloaded.
Edit the template for your environment.- Replace <vcenter_hostname> with the ESXi vCenter hostname.
- Replace <vcenter_usernasme> with the ESXi vCenter username.
- Replace <vcenter_password> with the ESXi vCenter password.
- Replace <prismasase_deployment_token> with the authentication key you generated and copied in an earlier step.
Initialize the Terraform environment by entering the terraform-init command to initialize Terraform and download the required provider:Generate a plan to review the resources that will be created by entering the terraform plan command.Apply the configuration to deploy the SASE Private Location components by entering the terraform apply command.Confirm the deployment when prompted.After successful deployment, the SASE Private Location components are provisioned in your VMware ESXi environment. The components will register with the Prisma Access cloud service and become available for configuration through the Prisma Access management interface.You can verify the deployment status in the Prisma Access management interface, where the newly deployed SASE Private Location will appear as an available region for your tenant.Verify that the SASE Private Location deployment was successfully completed.- Go to , select the Prisma Access configuration scope, and then selectCheck the
- On-Prem Onboarding Status—Shows the progress of the SASE Private Location onboarding. Onboarding is complete when this field displays Complete.
- On-Prem Deployment Status—Shows the progress of the SASE Private Location deployment. Deployment is complete when this field displays Complete.
![]()
Configure security policy rules specific to your SASE Private Location using tags.
