Activate and Install Panorama Managed Prisma Access
Focus
Focus

Activate and Install Panorama Managed Prisma Access

Table of Contents

Activate and Install Panorama Managed Prisma Access

If you have a new Panorama Managed Prisma Access deployment as of August 2022, use Panorama Managed Prisma Access License Activation and Subscription Management to activate licenses and manage subscriptions. Be sure to follow the planning checklist before you begin activation.
If you have already activated your deployment and you need to upgrade your Cloud Services plugin to a new version, use the workflow in the Prisma Access Release Notes (Panorama Managed).
If you have an existing Panorama Managed Prisma Access deployment, Palo Alto Networks sends you a notification about the transition of your Prisma Access license activation to the Prisma SASE Platform. After the transition, you can only use the Prisma SASE Platform for
License Activation
. You cannot use the other
Common Services
such as
Tenant Management
or
Identity & Access
. Continue to manage your tenants and user role permissions on Panorama as you have been doing.
Prisma Access does not support FIPS-CC mode.

Planning Checklist Before You Activate Panorama Managed Prisma Access

If you are deploying Prisma Access for the first time, make sure that you have the following information and resources:
  • Be sure that you have the order fulfillment email that contains the activation links that are required to activate Prisma Access.
  • If you will use an existing Panorama to manage Prisma Access, be sure you that the Panorama on which you will install the Cloud Services plugin (which activates Prisma Access) is running the minimum Panorama version.
    During product activation, you can select an existing Panorama to manage Prisma Access, if you have registered Panorama, installed the licenses, and activated the support license on the Customer Support Portal (CSP). If you have added the Panorama serial number to the same CSP account on which you want to deploy Prisma Access, you can select the serial number of this Panorama appliance during installation.
    Alternatively, if you have a licensed Panorama that you have not yet installed, you can select that Panorama during product activation; the installation process provides you with links to register and install Panorama. In either case, the activation process allows the Panorama appliance you select to manage Prisma Access, and you must make sure that the Panorama appliance is running the minimum software version.
    For a list of the Panorama software versions that are supported with Prisma Access, see Minimum Required Panorama Software Versions in the Palo Alto Networks Compatibility Matrix.
    Make a note of the serial number of the Panorama appliance; you use that serial number in a later step.
  • Be sure that you have configured a DNS server and NTP server on the Panorama that manages Prisma Access (
    Panorama
    Setup
    Services
    ). If you do not configure a DNS and NTP server, you cannot verify your account and will have to reinstall the plugin.
  • During Prisma Access installation, Palo Alto Networks provides you the required roles on the Hub to activate Prisma Access, if those Hub roles are not already present. After you complete installation, you are assigned a role of Instance Admin. If you need additional roles on the Hub to perform system tasks, log in to the Hub, select
    Settings
    Access Management
    , find the
    Account Administrator
    for your organization, and contact them to be assigned additional roles.
  • (
    Deployments Using Panorama Appliances in HA Mode Only
    ) If you plan to use two Panorama appliances in High Availability (HA) mode, to simplify the HA set up, you should configure the Panorama appliances in HA
    after
    you purchase Prisma Access and Cortex Data Lake auth codes and components and associate the serial number of the primary Panorama appliance on which you plan to install the Cloud Services plugin with the auth codes, but
    before
    you Activate and Install Panorama Managed Prisma Access. However, you can use the same configuration process for Panorama appliances that already have the plugin installed.

License Activation

Complete the following steps to activate your Prisma Access licenses and download and install the Cloud Services plugin.
  1. When you receive the activation email from Palo Alto Networks, select
    Get Started with Prisma SASE
    and begin the activation process.
  2. When setup is complete, copy the one-time password (OTP). You use this when you verify your account on Panorama.
  3. Download and install the Cloud Services plugin.
    See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin.
    You can either download the plugin from the Customer Support Portal, or you can check for plugin updates directly from Panorama.
    • To download and install the Cloud Services plugin by downloading it from the Customer Support Portal, complete the following steps.
      1. Log in to the Customer Support Portal and select
        Software Updates
        Panorama Integration Plug In
        .
      2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download it.
        Do not rename the plugin file or you will not be able to install it on Panorama.
      3. Log in to the Panorama Web Interface of the Panorama you licensed for use with the Prisma Access, select
        Panorama
        Plugins
        Upload
        and
        Browse
        for the plugin
        File
        that you downloaded from the CSP.
      4. Install
        the plugin.
    • To download and install the Cloud Services plugin directly from Panorama, complete the following steps:
      1. Select
        Panorama
        Plugins
        and click
        Check Now
        to display the latest Cloud Services plugin updates.
      2. Download
        the plugin version you want to install.
      3. After downloading the plugin,
        Install
        it.
    Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the Cloud Services menu displays on the
    Panorama
    tab.
  4. Retrieve the Prisma Access license(s).
    1. Select
      Panorama
      Licenses
      and click
      Retrieve license keys from license server
      .
    2. Verify that you have the licenses for the Prisma Access components you plan to use.
  5. When you try to use the Cloud Services plugin for the first time after installing it, you will be prompted to verify your account. This step ensures that the Panorama serial number is registered to use Prisma Access and enables a secure communication path between the Prisma Access components and Panorama.
    1. In Panorama, select
      Panorama
      Cloud Services
      Configuration
      and click
      Verify
      .
      If
      Verify
      is disabled, check that you have configured a DNS server and NTP server on
      Panorama
      Setup
      Services
      .
    2. Paste the
      One-time Password
      you copied and click
      OK
      .
      You have ten minutes to enter the OTP before it expires.
  6. Apply device group changes in the Prisma Access infrastructure.
    Prisma Access moves all device groups under the
    Shared
    hierarchy. This step applies the device group changes to your configuration.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Service Setup
      .
    2. Click the gear icon to edit the
      Settings
      .
    3. Make sure that
      Service_Conn_Device_Group
      is selected as the
      Device Group Name
      and
      Shared
      is selected as the
      Parent Device Group
      .
    4. Click
      OK
      .
      Do not click
      Cancel
      , even if you did not make any changes to this page.
  7. Continue to configure your Prisma Access deployment by Enabling the Service Infrastructure.

Recommended For You