Plan Your Multitenant Deployment

Before you enable multitenancy, migrate the first tenant, and create additional tenants, make sure that you have all required information and resources to do so by completing the following tasks:
  • If you are migrating an existing single-tenant deployment to a multitenant deployment, make a note of the Prisma Access features that are not supported with multitenancy. See the Palo Alto Networks Compatibility Matrix for the list of unsupported features.
  • If you don’t have an existing Prisma Access configuration, you Enable Multitenancy and add your tenants, then configure the tenants after you create them. See Create an All-New Multitenant Deployment for more information.
  • Make a note of your license allocation for remote networks and mobile users.
    Open your license (Panorama > Licenses) and find the Prisma Access Total Mbps (remote networks bandwidth pool) for remote networks and User Limit (total number of licensed users) for mobile users.
    When you create tenants, you assign resources for remote networks and mobile users from this license allocation. If you run out of the minimum required licensed Mbps for remote networks or mobile users, you cannot create additional tenants.
    You should also make a note of the bandwidth and mobile users allocation for your existing configuration. After you migrate your configuration to the first tenant, check these values to verify that the first tenant migrated correctly.
  • Make a list of the names you will use to identify each tenant.
    When you create tenant names, avoid using names like Tenant-1, Tenant-2, Tenant-3, and so on. The system logs reserve a small number of characters for the tenant name in the log output and, if tenants have similar names, it can be difficult to associate the tenant with the logs. We recommend using a unique and short name for tenants (for example, Acme or Hooli).
  • Make a list of the administrative users you will create and assign for each tenant, and note the maximum number of administrative users that can be logged in concurrently.
    When administrative users are performing normal multitenant operations such as configuration changes and commit operations, we recommend having a maximum of 12 administrative users logged in to Panorama concurrently.
    An administrative user who can manage multiple tenants can provision up to 200 tenants at the same time with a single commit operation.
  • Be sure that you have sufficient license resources to enable multiple tenants.
    The minimum license allocation for each tenant is 200 Mbps for each remote network or 200 mobile users. You can also create a tenant with only remote networks or only mobile users, and you can configure tenants with differing configurations on the same Panorama. For example, you could create a tenant with remote networks only, a tenant with mobile users only, or a tenant with both mobile users and remote networks, as long as each tenant meets the minimum license allocation and the relevant licenses are activated and associated with the Panorama where you configure the tenants.
  • When configuring a tenant in multitenancy mode, create a unique name for each IPSec tunnel and IKE gateway for service connections and remote network connections, and try to use a name that will not be duplicated by another tenant. While a duplicate name has no effect on functionality, you cannot delete an IPSec tunnel or IKE gateway if another tenant is using a tunnel or gateway with the same name.
    This caveat applies to all objects, including QoS profiles: in a multitenant deployment you cannot delete an object with a duplicate name if one of the objects with that name is being referenced by another tenant.
  • Single-tenant users cannot view system logs; only superusers can. You can, however, sort logs by tenant.
  • When a mobile user logs in to a single Prisma Access tenant, the user consumes one license unit. If a user logs in to additional tenants under a single multitenant deployment, the user consumes one license unit for each tenant they are logged in to. For example, if a single user is logged in to five tenants, the user consumes five mobile user license units in total.
  • When using the multitenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
  • Some Prisma Access features are not supported for use with multitenancy. See Multitenancy Unsupported Features in the Palo Alto Networks Compatibility Matrix for details.
  • If you back up a Panorama configuration and later delete a tenant, Panorama cannot revert to that saved configuration. Specifically, the revert fails if you perform the following actions in this order:
    1. Back up a Panorama configuration.
    2. Delete a tenant.
    3. Restore the configuration.
    If you delete a tenant, you cannot use any of the backups you saved before you deleted the tenant. However, you can use any backups you make after you delete the tenant.
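The planning constraints above (per-tenant minimums, the shared license pool, unique tenant and object names, and per-tenant mobile user license consumption) can be checked before touching Panorama. The following is an added example, not Palo Alto Networks code; the pool sizes, tenant names and object names it uses are constructed, and the function and key names are assumptions for illustration.

```python
# Added example (not Palo Alto Networks code): pre-flight check of a planned
# multitenant layout against Panorama > Licenses figures; all values constructed.

MIN_RN_MBPS = 200    # minimum remote-network allocation per tenant
MIN_MU_USERS = 200   # minimum mobile-user allocation per tenant

def check_plan(total_mbps, user_limit, tenants):
    """Return problems found in a tenant plan; an empty list means the plan fits.
    Each tenant: dict with name, rn_mbps, mu_users, objects (tunnel/gateway names)."""
    problems = []
    names = [t["name"] for t in tenants]
    if len(set(names)) != len(names):
        problems.append("tenant names must be unique")
    for t in tenants:
        rn, mu = t.get("rn_mbps", 0), t.get("mu_users", 0)
        if rn == 0 and mu == 0:
            problems.append(f"{t['name']}: needs remote networks or mobile users")
        if 0 < rn < MIN_RN_MBPS:
            problems.append(f"{t['name']}: {rn} Mbps is below the {MIN_RN_MBPS} Mbps minimum")
        if 0 < mu < MIN_MU_USERS:
            problems.append(f"{t['name']}: {mu} users is below the {MIN_MU_USERS} user minimum")
    mbps_left, users_left = remaining(total_mbps, user_limit, tenants)
    if mbps_left < 0:
        problems.append(f"remote-network pool over-allocated by {-mbps_left} Mbps")
    if users_left < 0:
        problems.append(f"mobile-user pool over-allocated by {-users_left} users")
    # An object name reused by another tenant cannot be deleted later while that
    # other tenant still references it, so flag cross-tenant duplicates now.
    owner = {}
    for t in tenants:
        for obj in t.get("objects", []):
            if owner.setdefault(obj, t["name"]) != t["name"]:
                problems.append(f"object '{obj}' is used by both {owner[obj]} and {t['name']}")
    return problems

def remaining(total_mbps, user_limit, tenants):
    """Pool capacity left after the planned tenants are carved out."""
    mbps_left = total_mbps - sum(t.get("rn_mbps", 0) for t in tenants)
    users_left = user_limit - sum(t.get("mu_users", 0) for t in tenants)
    return mbps_left, users_left

def can_add_tenant(total_mbps, user_limit, tenants):
    """True if at least one minimum allocation (Mbps or users) is still available."""
    mbps_left, users_left = remaining(total_mbps, user_limit, tenants)
    return mbps_left >= MIN_RN_MBPS or users_left >= MIN_MU_USERS

def mobile_user_units(logins):
    """logins: user -> set of tenants logged in to; each tenant login costs one unit."""
    return sum(len(tenants) for tenants in logins.values())
```

Run `check_plan` on your own tenant list before creating tenants; anything it reports would either block tenant creation or, for duplicate object names, block deletion later.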