Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits

1. Create one or more deployment profiles for VM-Series firewalls.

   Create a deployment profile for each type of VM-Series firewall model you want to deploy.

   1. Log in to the Customer Support Portal (CSP), and—if you have multiple accounts—choose the account you want to use.
   2. Select AssetsSoftware NGFW Credits to view the Software NGFW Credits Dashboard.
   3. Locate your purchased NGFW Credits pool on the dashboard and Create Deployment Profile.

   4. Select VM Series and either Fixed vCPU models (Valid for all currently supported PAN-OS releases) or Flexible vCPUs (PAN-OS 10.0.4 and above) and then click Next.
   5. Assuming you selected Fixed vCPU models (Valid for all currently supported PAN-OS releases), configure the following and then Create Deployment Profile:
      Profile Name: Enter a name for the deployment profile.
      Number of Firewalls: Enter the maximum number of firewalls that can be associated with this deployment profile.
      Fixed vCPU model: Choose a VM-Series firewall model from the list.
      Security Use Case: Choose Custom.
      Customize Subscriptions: Clear all preselected items and select SaaS Inline.
      Use Credits to Enable VM Panorama: (clear all)
      After creating the deployment profile, it appears in the Current Deployment Profiles table on the AssetsSoftware NGFW Credits page.
   6. (Optional) After you click Create Deployment Profile, you can return to the configuration and click Calculate Estimated Cost to see an estimation of how many Flex credits will be deducted from your account and your remaining balance. If you hover your cursor over the question mark next to the estimate, you can see the credit breakdown for each component.
   7. If you have other types of firewall models to deploy, create additional deployment profiles, one for each type.
2. Activate SaaS Inline subscriptions based on the deployment profile in Common Services.

   1. Log in to the hub with your Palo Alto Networks Customer Support credentials.
      The hub fetches available deployment profiles for this account from the CSP.
   2. Select Common ServicesSubscriptions & Add-ons.
      The deployment profile you created appears in the Ready for Activation section at the top of the page.

   3. Click Activate Now.
      The Activate Subscriptions based on Deployment Profile(s) page appears.
   4. Configure the following SaaS Inline subscription activation settings:
      Customer Support Account: Choose your CSP account with the deployment profile.
      Recipient: Use an existing tenant or create a new one.
      If you are a CASB-X customer, do not activate SaaS Security Inline for VM-Series in the same tenant service group (TSG) as CASB-X.
      To create a new tenant, hover your cursor over All Tenants at the top of the Select Tenant drop-down list and then click the Add icon ( + ) that appears on the right. Enter a unique name for the tenant service group (TSG) and choose a business vertical.
      Select Region: When activating a SaaS Inline subscription, you must already have an activated Strata Logging Service instance in the same tenant service group (TSG). SaaS Inline will then use this instance by default. The TSG might already have another product with an activated Strata Logging Service, or you might have migrated an activated standalone to the TSG before activating the SaaS Inline subscription. In either case, the region will be automatically populated based on the region of the existing Strata Logging Service in the TSG.
      Select Deployment Profile(s): Select the deployment profile you previously created, which has an activated Strata Logging Service instance.
      If you do not have a activated Strata Logging Service instance, the deployment profile is listed in the Unavailable section.
   5. Agree to the Terms and Conditions and then click Activate.
      The hub displays the Tenant Management page where you can see the SaaS Inline initialization status for the TSG. The initialization generally takes a few minutes to complete.
3. Associate firewalls through the deployment profile with the SaaS Inline subscription in the TSG.

   1. Return to the CSP and select AssetsSoftware NGFW Credits to view the Software NGFW Credits Dashboard again.
   2. Locate the deployment profile in the Current Deployment Profiles table, hover your cursor over the More Options icon (three vertical dots) on the far right of the row, and then click Register Firewall in the pop-up menu that appears.
      You can also use the More Options menu to edit, delete, transfer, and clone a deployment profile.
   3. Register a VM-Series firewall using one of the methods described in Register the VM-Series Firewall (Software NGFW Credits) and Submit the registration. The preferred registration method is to enter your VM-Series authorization code directly by using the VM-Series firewall web interface (DeviceLicensesActivate feature using authorization code link).
      After you submit the firewall registration, the CSP associates this firewall through the deployment profile with the TSG. It typically takes a few minutes for the registration and association to complete. When completed, you can see the firewall on the Common ServicesDevice Associations tab in the hub.
      During the firewall registration, the number of Software NGFW credits needed to fund the virtual firewall are automatically deducted from your pool of credits.
   4. Associate more firewalls to the TSG through the same deployment profile or, if they are different types of firewall models, through other deployment profiles you have created for them.