Activate a License for Prisma Access (Managed by Panorama) China Through Common Services
Focus
Focus
Prisma Access

Activate a License for Prisma Access (Managed by Panorama) China Through Common Services

Table of Contents

Activate a License for Prisma Access (Managed by Panorama) China Through Common Services

Learn how to activate your single tenant Prisma Access (Managed by Panorama) China license.
Where Can I Use This?What Do I Need?
  • Panorama located in mainland China
  • Commercial deployments
  • Prisma Access license with optional add-ons
  • Activation link
  • Strata Logging Service
  • Role: Multitenant Superuser
This process applies to only single tenant Prisma Access (Managed by Panorama) China license activation. The Panorama you use to manage Prisma Access China must be installed and located in mainland China. If it is a hardware appliance, it must be based in mainland China; if it is a VM-series Panorama, the processing location must be in mainland China. These license activation instructions assume that you already have deployed your VM-Series or hardware Panorama with the China-specific Panorama image.
Make sure that you have reviewed the requirements and prerequisites for configuring a Prisma Access China deployment. Be aware that the CLI commands must be completed prior to generating your one-time password (OTP).
  1. After you receive an email from Palo Alto Networks identifying the license you are activating, including all your add-ons and capacities, select Get Started with Prisma Access in your email to begin the activation process.
  2. Log in with your email address.
    • If you have a Palo Alto Networks Customer Support account, then enter the email address you used when you registered for that account and select Next.
    • If you do not have a Palo Alto Networks Customer Support account, then Create a New AccountPasswordNext.
    The service uses this email address for the user account assigned to the tenant that you use for this license. This tenant, and any others created by this email address, will have the Multitenant Superuser role.
  3. Choose the Customer Support Account number that you want to use to claim the license.
  4. Choose Panorama management for your setup and management method.
  5. Select the activation flow for Panorama Managed / Single Tenant Cloud Management.
  6. You are automatically directed to Common ServicesSubscriptions & Add-ons, where you manage your license.
  7. Select your products to highlight them for activation, then Activate.
  8. Select Create New Tenant from the tenant drop-down to create the tenant that you want to use for this license.
  9. Choose the Customer Support Portal account number that you want to use to claim the license. This is limited to CSPs that are associated with Prisma Access China.
  10. Select Create New Instance to create the Cortex Data Lake that you want to use for this license.
  11. China is selected by default to create the SASE Region for the logs.
  12. Toggle off Cloud-Managed to select Panorama and follow the web interface instructions.
  13. Select Create New from the Panorama drop-down and copy the Panorama serial number for use in step 16.
  14. Add-ons are enabled by default based on your contract.
    • Level 1 support includes the following add-ons:
      • Additional SC for Private App Access
      • Site-to-Site and User-to-Site Access
    • Level 2 support includes the following add-ons:
      • Additional SC for Private App Access
      • Site-to-Site and User-to-Site Access
      • CASB Bundle for PA China
      • DLP (individual)
      • Internet of Things (IoT) security for PA China
      • SaaS Inline (individual)
  15. Select Cloud Identity Engine regardless if you intend to use it now or if you might use it in the future.
  16. Agree to the Terms and Conditions.
  17. Activate Now. The products and add-ons that you are activating (such as Prisma Access China or Strata Logging Service) are now provisioned. As the subscriptions are activating, the progress status will display. You now have a tenant provisioned with instances of the products that you purchased. The tenant has one user — the Customer Support account that you used when you began this process.
  18. After the provisioning is complete, you receive an email confirmation.
  19. In the Serial Number field of the Panorama web interface, enter the serial number that you copied from the license activation page, and then select OK.
    Panorama will become unresponsive after you select OK. If it does not return after a few minutes, refresh your browser.
  20. Change the Panorama update server location to the update server in China.
    1. In Panorama, go to PanoramaSetupServices and click the gear to edit the Settings.
    2. Change the update server to updates.paloaltonetworks.cn.
    3. Update the DNS servers and NTP servers to the servers of your choice.
  21. Perform a local commit to Panorama from CommitCommit to Panorama.
  22. Upgrade the Cloud Services plugin to the minimum required version.
    1. From the Panorama that manages Prisma Access, select PanoramaPlugins and click Check Now to display the latest Cloud Services plugin updates.
    2. Download the plugin version you want to install.
    3. After downloading the plugin, Install it.
  23. Open a CLI session with the Panorama appliance and enter the following commands to make sure that the Panorama appliance points to the Customer Support Portal that contains Prisma Access China and Panorama Assets to retrieve its one-time password (OTP):
    debug plugins cloud_services set-csp-endpoint api.sb.prismaaccess.com
    debug plugins cloud_services set-csp-trusted-endpoint api-trusted.sb.prismaaccess.com
    request certificate secure-bridge enable
    If you do not enter these commands, the Panorama appliance will not be able to retrieve the OTP or certificate.
  24. Generate your one-time password (OTP) from Common ServicesTenant ManagementTenant nameGenerate OTP for setting up Panorama.
  25. After you validate your OTP, the Cloud Services page will become available. However, it might take up to 2 hours for the China region of Strata Logging Service to show up under Settings; until it does, you can't save your configuration.
  26. Complete the product setup: