Activate and Install Prisma Access (Panorama Managed)
Table of Contents
Activate and Install Prisma Access (Panorama Managed)
Use the following workflow to activate your
Prisma Access (Panorama Managed) licenses and download and install
the Cloud Services plugin. If you are upgrading an existing Prisma
Access deployment to a new version, use the workflow in the Prisma Access Release Notes (Panorama
Managed) to upgrade the Cloud Services plugin.
- Installation Prerequisites
- Hub Roles and Prisma Access Installation
- Activate and Install Prisma Access
Prisma
Access does not support FIPS-CC mode.
Installation Prerequisites
Before you begin your installation and activation,
make sure that you have the following information and resources:
- Be sure that you have the order fulfillment email that contains the activation links that are required to activate Prisma Access.
- Be sure that you have configured a DNS server and NTP server on . If you do not configure a DNS and NTP server, you cannot verify your account and will have to reinstall the plugin.
- If you will use an existing Panorama to manage Prisma Access, be sure you that the Panorama on which you will install the Cloud Services plugin (which activates Prisma Access) is running the minimum Panorama version.During product activation, you can select an existing Panorama to manage Prisma Access, if you have registered Panorama, installed the licenses, and activated the support license on the Customer Support Portal (CSP). If you have added the Panorama serial number to the same CSP account on which you want to deploy Prisma Access, you can select the serial number of this Panorama appliance during installation.Alternatively, if you have a licensed Panorama that you have not yet installed, you can select that Panorama during product activation; the installation process provides you with links to register and install Panorama. In either case, the activation process allows the Panorama appliance you select to manage Prisma Access, and you must make sure that the Panorama appliance is running the minimum software version.For a list of the Panorama software versions that are supported with Prisma Access, see Minimum Required Panorama Software Versions in the Palo Alto Networks Compatibility Matrix.Make a note of the serial number of the Panorama appliance; you use that serial number in a later step.
Hub Roles and Prisma Access Installation
During Prisma Access installation, Palo Alto
Networks provides you the required roles on the Hub to activate Prisma Access,
if those Hub roles are not already present. After you complete installation,
you are assigned a role of Instance Admin.
If you need additional roles on the Hub to perform system tasks,
log in to the Hub, select , find the Account
Administrator for your organization, and contact them
to be assigned additional roles.
Activate and Install Prisma Access
If you purchased Prisma Access (Panorama Managed)
on or after November 17, 2020, complete the following steps to activate your
Prisma Access licenses and download and install the Cloud Services
plugin.
- When you receive the activation email from Palo Alto Networks, click Activate to activate your products.Select any of the links in the email to activate all of your licensed Prisma Access and Strata Logging Service products. You will be prompted to sign in to the Hub if you are not signed in already.
- Select the products you want to activate; then, click Start Activation.In most cases, activate all products that display; however, if you want to associate Prisma Access with a Strata Logging Service you have already activated, deselect Strata Logging Service.If you have purchased the add-ons such as IoT or DLP, these products appear in the Add-on area.
- Assign the products you selected with a Customer Support Account; then, click Next.If you have multiple support accounts associated with your email, select the account to which you want to assign the products.
- Choose the Panorama appliance by selecting Setup new Panorama.
- Follow the provided steps to register the new Panorama.
- Choose the Strata Logging Service options; then, click Confirm Selections.
- In the Strata Logging Service Selection area, choose whether to activate a new Strata Logging Service instance (Activate New), or select an existing Strata Logging Service instance.
- In the Region Selection area, select a region for Strata Logging Service.
The progress bar can appear to pause during product activation. Wait until the progress bar reaches 100%. The activation process takes approximately 20 minutes. - When setup is complete, copy the one-time password (OTP). You use this when you verify your account on Panorama.
- Download and install the Cloud Services plugin.See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin.You can either download the plugin from the Customer Support Portal, or you can check for plugin updates directly from Panorama.
- To download and install the Cloud Services plugin by downloading it from the Customer Support Portal, complete the following steps.
- Log in to the Customer Support Portal and select .
- Find the Cloud Services plugin in the Panorama Integration Plug In section and download it.Do not rename the plugin file or you will not be able to install it on Panorama.
- Log in to the Panorama Web Interface of the Panorama you licensed for use with the Prisma Access, select and Browse for the plugin File that you downloaded from the CSP.
- Install the plugin.
- To download and install the Cloud Services plugin directly from Panorama, complete the following steps:
- Select and click Check Now to display the latest Cloud Services plugin updates.
- Download the plugin version you want to install.
- After downloading the plugin, Install it.
Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the Cloud Services menu displays on the Panorama tab.
- Retrieve the Prisma Access license(s).
- Select and click Retrieve license keys from license server.
- Verify that you have the licenses for the Prisma Access components you plan to use.
- Verify your account.When you try to use the Cloud Services plugin for the first time after installing it, you will be prompted to verify your account. This step ensures that the Panorama serial number is registered to use Prisma Access and enables a secure communication path between the Prisma Access components and Panorama.
- In Panorama, select and click Verify.If Verify is disabled, check that you have configured a DNS server and NTP server on .
- Paste the One-time Password you copied and click OK.
You have ten minutes to enter the OTP before it expires.
You also have to re-verify your account every 3 months, which requires a new OTP. To generate a new OTP for the re-verification process, complete these steps.You must have superuser administrative rights to retrieve the OTP.- From the Palo Alto Networks hub, select Panorama, find the serial number of your Panorama appliance, select Generate OTP, and copy the OTP that is generated.
- From the CSP, select , select Generate OTP; then select the serial number of your Panorama appliance, generate the OTP, and copy the OTP that is generated.
- Apply device group changes in the Prisma Access infrastructure.Prisma Access moves all device groups under the Shared hierarchy. This step applies the device group changes to your configuration.
- Select .
- Click the gear icon to edit the Settings.
- Make sure that Service_Conn_Device_Group is selected as the Device Group Name and Shared is selected as the Parent Device Group.
- Click OK.Do not click Cancel, even if you did not make any changes to this page.
- Continue to configure your Prisma Access deployment by Enabling the Service Infrastructure.
