Activate and Install Prisma Access

Use the following workflow to activate your Prisma Access licenses and download and install the Cloud Services plugin. If you are upgrading an existing Prisma Access deployment to a new version, use the workflow in the Prisma Access Release Notes (Panorama Managed) to upgrade the Cloud Services plugin.
This section describes the installation procedure for licenses that were available before November 17, 2020; for an overview of the installation procedure for the licenses that are available after November 17, 2020, see the Prisma Access 1.8 Administration Guide.
Prisma Access does not support FIPS-CC mode.
  1. Before you begin, make sure that you have the following information and resources:
    • Be sure that you have the order fulfillment email that contains the activation links that are required to activate Prisma Access.
    • If you are going to set up Prisma Access in High Availability (HA) mode with a primary and secondary Panorama, Configure Panorama Appliances in High Availability for Prisma Access before you license and activate Prisma Access.
  2. (Optional) If you will use an existing Panorama to manage Prisma Access, be sure that the Panorama on which you will install the Cloud Services plugin (which activates Prisma Access) is running the minimum Panorama version.
    During product activation, you can select an existing Panorama to manage Prisma Access, if that Panorama has a valid support license. Alternatively, if you have a licensed Panorama that you have not yet installed, you can select that Panorama during product activation. In either case, the activation process allows the Panorama appliance you select to manage Prisma Access, and you must make sure that the Panorama appliance is running the minimum software version.
    You can manage Prisma Access with a Panorama appliance running one of the following versions:
    • PAN-OS 9.0.4 or a later PAN-OS 9.0 version
    • PAN-OS 9.1.1 or a later PAN-OS 9.1 version
    • PAN-OS 10.0.0 or a later PAN-OS 10.0 version
      Note the upgrade path to use if you are upgrading from PAN-OS 9.0 to 10.0.
    The Prisma Access infrastructure supports PAN-OS features up to release 9.1. You must upgrade your Panorama to a version of 9.1.1 or later to take advantage of PAN-OS 9.1 features.
    Make a note of the serial number of the Panorama appliance; you use that serial number in a later step.
  3. When you receive the activation email from Palo Alto Networks, click Activate to activate your products.
    Select any of the links in the email to activate all of your licensed Prisma Access and Cortex Data Lake products. You will be prompted to sign in to the Hub if you are not signed in already.
  4. Select the products you want to activate; then, click Start Activation.
    In most cases, activate all products that display; however, if you want to associate Prisma Access with a Cortex Data Lake you have already activated, deselect Cortex Data Lake.
  5. Assign the products you selected to a Customer Support Account; then, click Next.
    If you have multiple support accounts associated with your email, select the account to which you want to assign the products.
  6. Choose the Panorama appliance that will manage Prisma Access; then, click Next.
    • To use an existing Panorama appliance, select Use existing Panorama and select the serial number of the Panorama appliance that you want to use.
    • If you want to register a new Panorama appliance, review the steps to register either a Panorama virtual or hardware appliance.
      Enter the serial number of the Panorama appliance in the Enter Serial # area.
  7. Choose the Cortex Data Lake options; then, click Confirm Selections.
    • In the Cortex Data Lake Selection area, choose whether to activate a new Cortex Data Lake instance (Activate New), or select an existing Cortex Data Lake instance.
    • In the Region Selection area, select a region for Cortex Data Lake.
    The progress bar can appear to pause during product activation. Wait until the progress bar reaches 100%. The activation process takes approximately 20 minutes.
  8. When setup is complete, copy the one-time password (OTP). You use this in a later step to verify your account on Panorama.
  9. Download and install the Cloud Services plugin.
    See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin.
    You can either download the plugin from the Customer Support Portal, or you can check for plugin updates directly from Panorama.
    • To download and install the Cloud Services plugin by downloading it from the Customer Support Portal, complete the following steps.
      1. Log in to the Customer Support Portal and select Software Updates.
      2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download it.
        Do not rename the plugin file or you will not be able to install it on Panorama.
      3. Log in to the Panorama Web Interface of the Panorama you licensed for use with Prisma Access, select Panorama > Plugins > Upload and Browse for the plugin File that you downloaded from the CSP.
      4. Install the plugin.
    • To download and install the new version of the Cloud Services plugin directly from Panorama, complete the following steps:
      1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services plugin updates.
      2. Download the plugin version you want to install.
      3. After downloading the plugin, Install it.
    After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with a username of __cloud_services. This user account is required to enable communication between Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks recommends that you change the password for this administrative user in accordance with your organization’s password policy.
    If you delete the __cloud_services user, you must re-add the user manually. The account is used to register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data patterns and data filtering profiles referenced in security policy rules.
    Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the Cloud Services menu displays on the Panorama tab.
  10. Retrieve the Prisma Access license(s).
    1. Select Panorama > Licenses and click Retrieve license keys from license server.
    2. Verify that you have the licenses for the Prisma Access components you plan to use.
  11. Verify your account.
    When you try to use the Cloud Services plugin for the first time after installing it, you will be prompted to verify your account. This step ensures that the Panorama serial number is registered to use Prisma Access and enables a secure communication path between the Prisma Access components and Panorama.
    You also have to re-verify your account every 3 months; complete these steps to re-verify the account.
    1. In Panorama, select Panorama > Cloud Services > Configuration and click Verify.
      If Verify is disabled, check that you have configured a DNS server and NTP server on Panorama > Setup > Services.
    2. Paste the One-time Password you copied from Step 8 and click OK.
      You have ten minutes to enter the OTP before it expires.
  12. Apply device group changes in the Prisma Access infrastructure.
    Prisma Access moves all device groups under the Shared hierarchy. This step applies the device group changes to your configuration.
    1. Select Panorama > Cloud Services > Configuration > Service Setup.
    2. Click the gear icon to edit the Settings.
    3. Make sure that Service_Conn_Device_Group is selected as the Device Group Name and Shared is selected as the Parent Device Group.
    4. Click OK.
      Do not click Cancel, even if you did not make any changes to this page.
  13. Continue to configure your Prisma Access deployment by Enabling the Service Infrastructure.
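
The version and serial-number check from step 2 can be scripted before activation. The following Python is an added example, not part of the original procedure or Palo Alto Networks code; it assumes the Panorama system information has been saved as XML with `sw-version` and `serial` elements (the sample reply is constructed), and it treats any PAN-OS series not listed in step 2 as unsupported.

```python
import re
import xml.etree.ElementTree as ET

# Minimum maintenance release per supported PAN-OS series, as listed in step 2.
MINIMUMS = {(9, 0): 4, (9, 1): 1, (10, 0): 0}

# Constructed sample of a system-info XML reply; all values are placeholders.
SAMPLE_REPLY = """<response status="success"><result><system>
  <hostname>panorama-example</hostname>
  <serial>000000000000</serial>
  <sw-version>9.1.1-h2</sw-version>
</system></result></response>"""


def parse_version(text):
    """Split '9.1.1-h2' into (major, minor, maintenance); a hotfix suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())


def meets_minimum(version):
    """True only for a listed series at or above its minimum maintenance release."""
    major, minor, maint = parse_version(version)
    floor = MINIMUMS.get((major, minor))
    # Assumption: a series absent from the step 2 list is reported as unsupported.
    return floor is not None and maint >= floor


def preflight(xml_reply):
    """Return (serial, sw_version, ok) extracted from a system-info reply."""
    root = ET.fromstring(xml_reply)
    if root.get("status") != "success":
        raise ValueError("system info request did not succeed")
    serial = root.findtext(".//serial")
    version = root.findtext(".//sw-version")
    if not serial or not version:
        raise ValueError("reply is missing serial or sw-version")
    return serial, version, meets_minimum(version)


if __name__ == "__main__":
    serial, version, ok = preflight(SAMPLE_REPLY)
    print(f"serial={serial} sw-version={version} supported={ok}")
```

The serial number it returns is the value to select or enter in step 6.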
