License and Activate Prisma Access

After you purchase a Prisma Access license, you can license and activate your Prisma Access instance from the hub.
Prisma Access provides a flexible licensing scheme so that you can purchase just what you need to secure your remote networks and mobile users. The instructions here are for activating Cloud Managed Prisma Access, which you’ll do using the hub. If you are planning to use Panorama to manage Prisma Access, follow the instructions for licensing Panorama Managed Prisma Access from the customer support portal instead.

Prisma Access Licenses

Prisma Access requires a Cortex Data Lake license, and one or more Prisma Access feature licenses (Remote Networks, Mobile Users, or Service Connections).
  • Cortex Data Lake
    —Prisma Access logs are stored in Cortex Data Lake, and so Prisma Access requires you to also have a Cortex Data Lake license.
    It’s a good idea to activate Cortex Data Lake before you begin activating Prisma Access. If you try to activate Prisma Access without first activating Cortex Data Lake, Prisma Access will guide you to activate Cortex Data Lake before allowing you to continue Prisma Access activation.
    Your Cortex Data Lake instance and Prisma Access instance must be deployed in the same region. Because Cloud Managed Prisma Access is currently supported only in the Americas region, you must also deploy Cortex Data Lake in the Americas.
  • Prisma Access for networks
    —To license Prisma Access for networks, you purchase a bandwidth pool, which you can divide among each network location that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps.
    A remote network’s bandwidth speed is enforced equally in both directions. To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site; traffic overages above this peak limit is dropped.
  • Prisma Access for users
    —You license Prisma Access for users based on number of users, with tiers from 200 users to more than 100,000 users. Prisma Access for Users requires the GlobalProtect app on each supported endpoint. You can also enable support for unmanaged devices through Clientless VPN. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
  • Service Connections
    —This Prisma Access license includes the option to establish service connections that enable connectivity to resources in your headquarters and/or data center locations. The number of service connections you can add depends on your license:
    • If you purchase a Prisma Access for Networks, or if you purchase licenses for both Prisma Access for networks and Prisma Access for users, you can add up to 100 service connections to enable access to services and applications at your corporate network locations. You can add up to three service connections with no license cost; each connection after the third uses 300 Mbps from your licensed remote network bandwidth pool. Prisma Access does not limit the bandwidth over these connections.
    • If you purchase a Prisma Access for users license only, you can establish service connections to up to three of your headquarters or data center sites.
After you purchase the licenses you need for Prisma Access, you’ll receive an email from Palo Alto Networks order fulfillment with the auth code(s) that you’ll use to activate your licenses.
Other products you can use with Prisma Access include:
  • Directory Sync
    Directory Sync Service gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Directory Sync is free and does not require a license to get started.
  • Prisma SaaS
    —Integrate Prisma SaaS with Prisma Access for Clientless VPN and authentication support.
Cloud services that you want to integrate with Prisma Access must be deployed in the same region as Prisma Access. Because Prisma Access is currently supported only in the Americas region, you’ll need to use Directory Sync and Prisma SaaS instances that are also deployed in Americas. You can integrate Directory Sync and Prisma SaaS with Prisma Access when you first activate Cloud Managed Prisma Access, or anytime afterward.

Activate Prisma Access

To get started with Cloud Managed Prisma Access, you’ll first need to activate the Prisma Access app on the hub. You do not need an auth code to activate the Prisma Access app. However, have the auth codes for the licenses you’ve purchased at hand: the Mobile Users license, the Remote Networks license, and/or the Service Connections license. After you activate the Prisma Access app, you’ll use these auth codes to activate your feature licenses.
If you have not yet activated Cortex Data Lake, you’ll also need your Cortex Data Lake auth code. Cortex Data Lake is required for Prisma Access, and you can activate it as part of this workflow.
Before you activate Prisma Access:
  • Confirm that you have a Customer Support Portal account.
    If you do not already have a CSP account, go to the to
    Create my account
    . When prompted, enter
    Your Email Address
    to associate with the CSP account and
    Submit
    to create your account.
  • Make sure that you’re assigned the the roles you’ll need to activate Prisma Access:
  • If you don’t already have an instance of Cortex Data Like, you must purchase a license before you begin. Because Prisma Access logs to the Cortex Data Lake, you must have a valid license. During the Prisma Access activation, you can associate the Prisma Access instance with an existing Cortex Data Lake instance, or activate a new instance using an auth code.
  1. Sign In
    to the hub.
    You can access the hub only if you have a Palo Alto Networks CSP account and are assigned the appropriate role. To configure and manage Cloud Managed Prisma Access, you need have the App Administrator role.
  2. Activate the Prisma Access app.
    Before you can activate Prisma Access for users or Prisma Access for networks, you must activate an instance of the Prisma Access app on the hub.
    1. From the hub home page,
      Activate
      Prisma Access in the Explore Apps from Palo Alto Networks area.
      activate-after-instance-setup.png
    2. Enter an
      Instance Name
      to identify the Prisma Access app instance.
    3. (Optional)
      Enter a brief
      Description
      of the Prisma Access app instance.
    4. Select the
      Cortex Data Lake
      instance that you want to associate with your Prisma Access app instance or select
      Activate new Cortex Data Lake
      .
      prisma-access-cortex-data-lake-activation-drop-down.png
      If you are activating a new Cortex Data Lake instance, enter the auth code when prompted and then enter a
      Name
      for the instance, select the
      Region
      in which to deploy Cortex Data Lake, and then
      Agree and Activate
      .
      activate-cortex-data-lake-screen.png
      When the Cortex Data Lake activation completes successfully, click
      Continue Activating Prisma Access
      .
      cortex-data-lake-activated.png
    5. Select the
      Region
      where you want to host the Prisma Access app instance.
      Americas is currently the only region supported for the Prisma Access app instance.
    6. You must integrate Prisma Access with Directory Sync and Prisma SaaS instances that are deployed in the same region as Prisma Access. Right now, Prisma Access is supported only in the Americas region, so choose Directory Sync and Prisma SaaS instances in the Americas.
      If you’re not ready to integrate Directory Sync or Prisma SaaS with Prisma Access just yet, you can skip this step for now and do this after you’ve activated Prisma Access instead.
    7. To activate the Prisma Access cloud management app,
      Agree and Activate
      .
      agree-and-activate-prisma-access.png
    8. When the app instance successfully activates, go to
      Manage Apps
      .
      prisma-access-activation-successful.png
      It takes up to fifteen minutes to deploy the Prisma Access cloud management instance. You must wait until the Prisma Access instance is up and running before you continue to activate your Prisma Access for networks and/or Prisma Access for users licenses.
      Verify the Status of your Prisma Access app instance. While the cloud management instance is provisioning, the
      Status
      shows an hourglass icon.
      provisioning-prisma-access-management-app.png
      After provisioning finishes, the
      Status
      changes to a green check mark.
      provisioning-prisma-access-management-app-complete.png
  3. Activate your Prisma Access for users or Prisma Access for networks license.
    After the Prisma Access app instance finishes provisioning, you can activate your Prisma Access licenses.
    1. Click on the hub icon to go back to the hub and then click
      Activate App
      .
      activate-auth-code-button.png
    2. Enter the product auth code you received by email
      from Palo Alto Networks order fulfillment and then click
      OK
      .
      activate-auth-code.png
    3. Configure the following settings for your Prisma Access for users or Prisma Access for networks license:
      1. (Optional)
        Enter a brief
        Description
        of the Prisma Access license.
      2. Select the
        Region
        where you are hosting your Prisma Access app instance.
        Americas is the only supported region currently.
      3. Select the
        Prisma Access
        app instance that you want to associate with this license.
        activate-prisma-access-license.png
    4. Agree and Activate
      to complete activation.
      A green banner displays when activation completes successfully. You can either add a second license, or click
      Manage Apps
      to verify your licenses.
      prisma-access-networks-successfully-activated.png
  4. (Optional)
    Add a second license to your Prisma Access app instance.
    If you purchased both Prisma Access for networks and Prisma Access for users, repeat step 3 to activate the second license. When you finish activating the second license, click
    Manage Apps
    to verify your licenses
  5. Verify your licenses.
    1. From the manage apps page, verify that you see your licenses associated with your Prisma Access app instance:
      manage-apps-verify-licenses.png
    2. Go back to the hub home page.
      Prisma Access now shows up on the hub as one of your apps.
      prisma-access-on-hub.png
      Click on the Prisma Access icon on the hub to launch the app.
      prisma-access-app-icon.png
    3. Verify that the Remote Networks and/or Mobile Users tiles on the
      Dashboard
      show the correct amount of bandwidth and/or number of users that you licensed.
      prisma-access-dashboard-before-setup.png

Recommended For You