Strata Cloud Manager
To create and configure a SASE Private Location in Prisma Access (Managed by Strata Cloud Manager), complete the following workflow.
  1. Create a hypervisor resource profile.
    You use this profile with the ESXi instance you created to create an environment for SASE Private Location.
    Optionally, you can create this profile during SASE Private Location setup instead of creating it now.
  2. From Strata Cloud Manager, go to Configuration > NGFW and Prisma Access and select the Prisma Access configuration scope.
  3. Configure the Prisma Access Infrastructure.
  4. Click the gear to configure the Prisma Access Private Locations settings and Add Private Location.
  5. Enter the location details.
    • Enter a unique Name for the private location.
      Don’t use spaces or dashes. Make sure that each SASE Private Location has a unique name, even across multiple tenants. You can’t change the name after you perform a Config Push.
    • (Optional) Enter a Description for this location.
    • Enter the Country, State, and City, and, optionally, the Zip/Postal Code closest to the area where this location will be deployed.
    Prisma Access populates the Latitude and Longitude based on the geographic information you enter.
    Save and Next to save your changes and go to the next section.
  6. Enable service capabilities for your SASE Private Location by entering the estimated number of Mobile Users to secure with SASE Private Location.
    The number depends on the number of mobile users in your Prisma Access license. For example, if you have a mobile user license of 2,000 units, enter a maximum of 2,000 estimated users.
    Save your changes when complete and go to the next section.
  7. Configure settings for mobile users.
    1. Specify the Hypervisor Resource Profile to use, or Create New and create a hypervisor resource profile based on your VMware ESXi environment.
    2. Specify the DNS Server IP address assignment (either DHCP or Static).
      If you want to use a static DNS server, enter the primary server and the secondary server.
    3. Enter the Load Balancer Configuration.
      Use the same IP addresses that you configured for the ESXi environment.
      • Enter the two IP addresses used for the Virtual Public IP Address.
      • Enter the load balancer data plane and management IP settings.
        The wizard populates the IP assignment type (either DHCP or Static) from the IP Assignment you specified under DNS Server settings.
        • If you specified DHCP for IP assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP address configuration.
        • If you specified Static for IP assignment, enter the Data Plane IP and Management IP addresses, including the Primary IP, Secondary IP, Netmask, and Gateway.
    4. Configure your VM instances.
      • Enter the Number of instances you have in your VM.
        You can have from two to four VM instances.
      • If you specified a Static IP address assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP configuration.
      • If you specified a DHCP IP address assignment, enter the Data Plane IP address information, including the Primary IP, Secondary IP, Netmask, and Gateway.
    5. Go to the Next step when complete.
  8. Set up a Bastion Agent.
    Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.
    1. Specify a Hypervisor Resource Profile.
      Palo Alto Networks recommends that you use the same VM instance that you specified for the hypervisor resource profile.
      Go to the Next step when complete.
    2. Specify DNS Server settings.
      If you specified Static for IP assignment, enter the Primary Server and Secondary Server IP addresses and the Management IP settings, including the Primary IP, Secondary IP, Netmask, and Gateway.
  9. Review your configuration.
    If you need to make any changes to your configuration, Edit your choices; otherwise, Save & Next to save your changes and go to the next screen.
    Prisma Access populated the Load Balancer Instance Name and the VM Instance Name during onboarding.
  10. Onboard your private location to Prisma Access.
    1. Perform a Config Push to push your configuration.
    2. Confirm the Config Push operation.
      The Push Status window displays. Wait for the job to complete successfully before moving to the next step.
    3. (Optional) To check the status of your pending job, click Job Status.
      To get more details about the status of your job, click the down arrow on the left side of the screen to see the status of the job types.
    4. Wait for the Config Push to display with a green check mark.
  11. Set up your mobile users deployment in Prisma Access.
    1. Select Mobile Users Configuration.
    2. Select a Prisma Access region.
      Select the region where you deployed the SASE Private Location.
    3. Select the SASE Private Location you created and Save your changes.
      Switch from the Map view to a List view to find the location you created; then select the location.
    4. Click the arrow to the left of Prisma Access Locations.
    5. Select the GlobalProtect App tab and select the gear to edit the GlobalProtect settings.
    6. Select Manual Gateway Selection, select the SASE Private Location you created, and Save your changes.
      This step enables your mobile users to manually select this gateway from the GlobalProtect app.
    7. Push Config to save your GlobalProtect configuration changes.
      Make sure that GlobalProtect is in the push scope.
    8. Wait for the second push to complete; then, go to the Next step.
      When a green check mark displays next to Configure Mobile Users, the second push is complete.
  12. Deploy the SASE Private Location to your on-premises environment.
    1. From the onboarding workflow, Generate Authentication Key and copy its contents.
      You use this key in the Terraform template. This authentication key is valid for one hour.
    2. Download Terraform Template and save it to your local device.
      The Terraform template provides you with access to upgrade your Prisma Access dataplane.
    3. Open the Terraform file in a text editing program and edit the following parameters:
      • Replace <vcenter_hostname> with your ESXi hostname.
      • Replace <vcenter_username> with the ESXi username.
      • Replace <vcenter_password> with the ESXi password.
      • Replace <prismasase_deployment_token> with the authentication key you just downloaded.
    4. Initialize the Terraform environment by entering the terraform init command, which initializes Terraform and downloads the required provider.
    5. Generate a plan to review the resources that will be created by entering the terraform plan command.
    6. Apply the configuration to deploy the SASE Private Location components by entering the terraform apply command.
    7. Confirm the deployment when prompted.
      After successful deployment, the SASE Private Location components are provisioned in your VMware ESXi environment. The components will register with the Prisma Access cloud service and become available for configuration through the Prisma Access management interface.
      You can verify the deployment status in the Prisma Access management interface, where the newly deployed SASE Private Location will appear as an available region for your tenant.
  13. Verify that the SASE Private Location deployment was successfully completed.
    1. Go to Configuration > NGFW and Prisma Access, select the Prisma Access configuration scope, and then select Prisma Access Setup.
    2. Check the Prisma Access Private Locations fields:
      • On-Prem Onboarding Status—Shows the progress of the SASE Private Location onboarding. Onboarding is complete when this field displays Complete.
      • On-Prem Deployment Status—Shows the progress of the SASE Private Location deployment. Deployment is complete when this field displays Complete.
  14. Configure security policy rules specific to your SASE Private Location using tags.
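The template-editing and deployment part of step 12 can be scripted so that the ESXi credentials and the one-hour authentication key are supplied from environment variables rather than typed into a file that might be kept or committed. The following POSIX shell script is an added example, not code from the Palo Alto Networks page or from the downloaded template; it assumes the template uses exactly the literal placeholders the page lists, and the SASE_* variable names are this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks page: fills the four
# placeholders of the downloaded Terraform template (step 12) from
# environment variables so the ESXi credentials and the one-hour
# deployment token never land in a kept template file or in shell history,
# then refuses to deploy while any placeholder is still unfilled.
# Assumptions: the template uses exactly the literal placeholders the page
# lists; the SASE_* variable names are this example's own convention.
set -eu

# render_sase_template TEMPLATE OUTPUT: write a filled copy of TEMPLATE.
render_sase_template() {
    template="$1"; output="$2"
    : "${SASE_VCENTER_HOSTNAME:?set SASE_VCENTER_HOSTNAME (ESXi hostname)}"
    : "${SASE_VCENTER_USERNAME:?set SASE_VCENTER_USERNAME (ESXi username)}"
    : "${SASE_VCENTER_PASSWORD:?set SASE_VCENTER_PASSWORD (ESXi password)}"
    : "${SASE_DEPLOYMENT_TOKEN:?set SASE_DEPLOYMENT_TOKEN (authentication key)}"
    # '|' delimits the sed expressions and '&' and '\' are special in the
    # replacement, so reject such values rather than corrupt the output file.
    for v in "$SASE_VCENTER_HOSTNAME" "$SASE_VCENTER_USERNAME" \
             "$SASE_VCENTER_PASSWORD" "$SASE_DEPLOYMENT_TOKEN"; do
        case "$v" in *'|'*|*'&'*|*'\'*)
            echo "value contains a |, & or backslash; not substituting" >&2
            return 1;;
        esac
    done
    sed -e "s|<vcenter_hostname>|$SASE_VCENTER_HOSTNAME|g" \
        -e "s|<vcenter_username>|$SASE_VCENTER_USERNAME|g" \
        -e "s|<vcenter_password>|$SASE_VCENTER_PASSWORD|g" \
        -e "s|<prismasase_deployment_token>|$SASE_DEPLOYMENT_TOKEN|g" \
        "$template" > "$output"
    chmod 600 "$output"   # the rendered file now contains secrets
}

# placeholders_filled FILE: succeed only if no <placeholder> token remains.
placeholders_filled() {
    if grep -q '<[a-z_]*>' "$1"; then
        echo "unfilled placeholders in $1:" >&2
        grep -o '<[a-z_]*>' "$1" | sort -u >&2
        return 1
    fi
    return 0
}

# deploy_sase DIR FILLED_TF: steps 12.4 to 12.7, run in the template directory.
# Not invoked here; needs terraform installed and a token issued within the hour.
deploy_sase() {
    placeholders_filled "$2"
    cd "$1" && terraform init && terraform plan && terraform apply
}
```

Run `render_sase_template template.tf main.tf` with the four variables exported, then `deploy_sase . main.tf`; terraform apply still asks for the confirmation described in step 12.7.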