Enable Multitenancy and Migrate the First Tenant

Use the following workflow to enable multitenancy and migrate your existing configuration to the first tenant you create.
When you enable multitenancy, Prisma Access automatically migrates the following components of your configuration:
  • The amount of licensed bandwidth for remote networks and mobile users.
  • All service connection and remote network tunnel onboarding information, including tunnel configuration.
  • Existing mobile users onboarding information.
  • Cortex Data Lake information.
  • The templates, template stacks, and device groups for service connections, remote networks, and mobile users.
Because of these device group changes, you create an access domain and add the migrated device groups, templates, and template stacks, as shown in the following workflow.
If you don’t have an existing Prisma Access configuration, and you are creating an all-new multi-tenant deployment, do not use this workflow; instead, complete the steps in Add Tenants to Prisma Access to create the first tenant.
  1. Select
    Panorama
    Cloud Services
    Configuration
    .
  2. Select
    Enable Multitenancy
    (located on the upper right of the page).
    multi-tenant-enable-multitenancy-1-7.png
    After you enable multitenancy, Panorama displays a notification informing you that the existing Prisma Access configuration will be moved to the first tenant.
    After you enable multitenancy, we recommend not disabling it. Clearing the
    Enable Multitenancy
    option removes all the tenants that you have created except the first one, including all configuration for those tenants, and reverts the first tenant’s configuration back to a non-multitenant Prisma Access deployment.
  3. Click
    OK
    to migrate the existing configuration to the first tenant.
    The
    Tenants
    page displays. Three pie charts in the center of the window shows the available licensed bandwidth remaining for remote networks and clean pipe and the remaining licensed number of available mobile users. If you do not have a license for remote networks or mobile users, those choices are dimmed.
  4. Choose the type of deployment you want to use for the tenant.
    • For a remote network, mobile user deployment, or to configure both deployment types for a tenant, select
      Remote Networks/Mobile Users
      .
    • For a clean pipe deployment, select
      Clean Pipe
      .
      This section only describes how to configure tenants for remote network, mobile user, or both remote network and mobile user deployment types. To configure the clean pipe service, see Create and Configure Prisma Access for Clean Pipe.
    multi-tenant-tenants-window-choose-type.png
  5. Migrate the existing configuration to the first tenant.
    1. Specify a
      Name
      for the first tenant.
    2. Create a new
      Access Domain
      by clicking the down arrow selecting
      New Access Domain
      .
    3. Enter a
      Name
      for the access domain and click
      OK
      .
      Prisma Access adds the
      Mobile_User_Device_Group
      ,
      Remote_Network_Device_Group
      , and
      Service_Conn_Device_Group
      Device Groups
      to the new access domain.
      multi-tenant-access-domain-1st-tenant.png
    4. (
      Optional
      ) Click
      Templates
      to verify that Prisma Access added the following templates and template stacks:
      • Mobile_User_Template
      • Mobile_User_Template_Stack
      • Remote_Network_Template
      • Remote_Network_Template_Stack
      • Service_Conn_Template
      • Service_Conn_Template_Stack
        These are the default template stacks and templates for a standard Prisma Access deployment; if you added other templates, be sure that Prisma Access added them.
      multi-tenant-access-domain-1st-tenant-template-stack.png
    5. (
      Optional
      ) If you have other templates associated with this configuration, select them.
    6. Click
      OK
      to close the
      Access Domain
      page and return to the
      Tenants
      page.
  6. Make sure that the values in
    Bandwidth (Mbps)
    for remote networks and
    Users
    for mobile users are correct.
    These values automatically migrate from your existing configuration.
    multi-tenant-window-select-bandwidth.png
  7. Click
    OK
    .
    The
    Panorama
    Cloud Services
    Configuration
    page shows the first tenant successfully migrated, and a
    Tenants
    drop-down is added above the
    Tenants
    area.
    multi-tenant-tenant-1-onboarded.png
  8. Select the tenant you just created in the
    Tenants
    drop-down to verify that all settings were onboarded.
    multi-tenant-tenant-1-post-onboarding-settings.png
  9. Commit your changes locally to make them active in Panorama.
    You only have to perform this step if your configuration includes mobile users; skip this step if your configuration only includes Prisma Access for remote networks with no mobile user configuration.
    1. Select
      Commit
      Commit to Panorama
      .
    2. Make sure that the device groups, templates, and template stacks are part of the
      Commit Scope
      .
    3. Click
      OK
      to save your changes to the Push Scope.
    4. Commit
      your changes.
  10. Commit and push your changes to make them active in Prisma Access.
    1. Select
      Commit
      Commit and Push
      and
      Edit Selections
      in the Push Scope.
    2. Select
      Prisma Access
      , then select the tenant you created,
      Service Setup
      ,
      Remote Networks
      , and
      Mobile Users
      .
      multi-tenant-push-scope-selection.png
    3. Click
      OK
      to save your changes to the Push Scope.
    4. Commit
      and
      Push
      your changes.
  11. Select
    Panorama
    Cloud Services
    Status
    .
    The status page shows the status of all tenants. Because you have created only one tenant, that tenant is the only one that is shown. If you select that tenant from the drop-down, you show a detailed status of that tenant.
    multi-tenant-tenant-status-page.png
    Selecting a tenant from the drop-down list returns you to the Status page for that tenant.
  12. Continue to add more tenants to Prisma Access.

Recommended For You