Install On-Premises Controller using CLIs

Install the On-Premises Controller using the CLIs.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN
To install the On-Premises Controller for Prisma SD-WAN using a script:
  1. Download the qcow file. Contact your Palo Alto Networks Partner for assistance if needed.
  2. Bring up the VM using the downloaded qcow file.
  3. Log in to the VM using ubuntu/ubuntu.
    The ubuntu/ubuntu credential is the default username/password for the Palo Alto Networks–provided qcow image. You must change the password immediately after first login before proceeding further.
  4. Format the disk space by executing the following command.
    The following command repartitions /dev/vda and will destroy all existing data on that disk. Execute this command only on a freshly deployed controller VM intended for Prisma SD-WAN installation. Before running it, verify the correct device name by executing lsblk. On ESXi guests, the disk may appear as /dev/sda; substitute accordingly.
    lsblk
    printf 'd\n\nn\n\n\n\nN\nw' | sudo fdisk /dev/vda
  5. Provide the server details by executing the command:
    controller_install install -SIP <provide_your_management-IP> -TN "provide_tenant_name" -TND "provide_tenant_north_bound_domain" -TSD "provide_south_bound_domain" -NSP "" -DSP "" --template "provide_the_template_details"
  6. After completion, you will see the following output:
    Install triggered succesfully
    Check the status of the controller by executing the command controller_install status. It takes about 60 minutes for the installation to complete.
    ubuntu@ubuntu:~$ controller_install status
    Installation Status: Complete
    Completion percentage: 100.0
    Installation Details:
    Steps (5/5)
    Step: Preparation for Controller deployment
    Status: complete
    Completion percentage: 100.0
    Step: Install Controller
    Status: complete
    Completion percentage: 100.0
    Step: Setup Controller monitoring
    Status: complete
    Completion percentage: 100.0
    Step: Controller configuration and finalization
    Status: complete
    Completion percentage: 100.0
    Step: Verify installation
    Status: complete
    Completion percentage: 100.0
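
A guard for step 4, as an added example that is not part of the Palo Alto Networks documentation: it derives the repartitioning target from lsblk output instead of assuming /dev/vda. The function names and the sample lsblk output are constructed, and it assumes a freshly deployed controller VM exposes exactly one whole disk.

```sh
#!/bin/sh
# Added example, not vendor code. Function names and sample data are constructed.
# Assumption: a freshly deployed controller VM exposes exactly one whole disk.

# Constructed samples of `lsblk -P -o NAME,TYPE` output.
SAMPLE_KVM='NAME="loop0" TYPE="loop"
NAME="sr0" TYPE="rom"
NAME="vda" TYPE="disk"
NAME="vda1" TYPE="part"'
SAMPLE_ESXI='NAME="sda" TYPE="disk"
NAME="sda1" TYPE="part"'
SAMPLE_TWO_DISKS='NAME="vda" TYPE="disk"
NAME="vdb" TYPE="disk"'

# Read `lsblk -P -o NAME,TYPE` output on stdin and print the only whole disk.
# Exit status: 0 = one disk found, 1 = none, 2 = more than one (ambiguous).
pick_target_disk() {
    awk '
        /TYPE="disk"/ && match($0, /NAME="[^"]*"/) {
            count++
            # Strip the leading NAME=" (6 chars) and the closing quote.
            name = substr($0, RSTART + 6, RLENGTH - 7)
        }
        END {
            if (count == 1) { print "/dev/" name; exit 0 }
            exit (count == 0 ? 1 : 2)
        }'
}

# $1 = device the operator intends to repartition; stdin = lsblk output.
# Succeeds and prints the device only when it matches the single detected disk.
check_target() {
    detected=$(pick_target_disk) || {
        echo "refusing: expected exactly one disk in lsblk output" >&2
        return 1
    }
    if [ "$detected" != "$1" ]; then
        echo "refusing: $1 requested but the only disk is $detected" >&2
        return 1
    fi
    printf '%s\n' "$detected"
}

# On the VM: lsblk -P -o NAME,TYPE | check_target /dev/vda
# Run the fdisk command from step 4 only if this exits 0.
```

Loop and CD-ROM devices are ignored because only rows with TYPE="disk" are counted; a VM with more than one disk is rejected so the operator has to pick the device explicitly.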

Configure Certificate on the Device Using CLI Commands

Update the CA chain on ION devices running a software version older than the 6.2.3-b2 release.
  1. Set up the controller chain file in the devices.
  2. Copy the CA chain file from the controller:
    /home/ubuntu/certs/cachain.cgnx.net.pem
  3. Replace or create the following files on the device. Contact your Palo Alto Networks representative to update the CA certificate on the ION device.
    /config/certs/controller_ca_chain.pem
    /etc/certs/controller_ca_chain.pem
  4. Add the static host details to the device:
    config static host add ip <Controller_IP> name controller.local.cgnx.net
    config static host add ip <Controller_IP> names locator.cgnx.net
    config static host add ip <Controller_IP> names mfg.local.cgnx.net
    config static host add ip <Controller_IP> names vmfg.local.cgnx.net
    config static host add ip <Controller_IP> names toolkitsessions.local.cgnx.net
  5. Verify that the controller details are reflected in the device by executing the command dump overview.
  6. After verification, create the machine by accessing the controller using the device ID.