Multitenancy Configuration Overview

1. Enable multitenancy. If you have an existing Prisma Access instance, enabling multitenancy automatically migrates your existing Prisma Access configuration to the first tenant.
   You give the first (migrated) tenant a name and specify an access domain. Prisma Access migrates the templates, template stacks, and device groups associated with the existing configuration and associates them with the access domain you create.

   After you migrate your initial configuration, the administrative user in Panorama becomes a superuser with the ability to create and manage all Prisma Access tenants.

2. Then, add tenants to Prisma Access.
   To deploy multiple tenants, make sure that you have the following license minimums:

   To determine the type of Prisma Access license you have from Panorama, select PanoramaLicenses. See Determine Your License Type from Panorama for details.

   • If you have a Business, Business Premium, Zero Trust Network Access (ZTNA) Secure Internet Gateway (SIG), or Enterprise license, use the following minimums as a guideline:
     Prisma Access for Networks and Prisma Access for Users:
     If you have a Local Edition, a minimum quantity of 200 units is required for each tenant, and all tenants will be Local.
     If you have a Worldwide Edition, a minimum quantity of 1,000 units is required to create a Worldwide tenant. If you allocate between 200 and 999 units for a tenant, Prisma Access creates a Local tenant; if you allocate 1,000 or more units for a tenant, then Prisma Access creates a Worldwide tenant.
     Units correspond to bandwidth in Mbps for Prisma Access for Remote Networks and the number of mobile users for Prisma Access for Users.
   • If your license type starts with GlobalProtect Cloud Service, use the following minimums as a guideline:
     Prisma Access for Networks—You must have a minimum of 200 Mbps available in your license for each tenant.
     Prisma Access for Users—You must have a minimum of 200 mobile users available in your license for each tenant.
     In both types of Prisma Access configurations, you can add additional licensing (above these minimums) of either type. You can increase or decrease the bandwidth or mobile user allocation for any tenants after onboarding, as long as you keep the minimum required allocation per tenant, and the overall licensed capacity is not exceeded.

   You can set up a multitenant configuration for only remote networks, only mobile users, or both. You allocate licenses accordingly to each tenant when you enable multitenancy.

   If you have a license for remote networks and mobile users, you can set up an individual tenant with only mobile users or only remote networks. For example, if your Prisma Access deployment has a Worldwide edition license for mobile users and remote networks, you could set up a tenant for mobile users only, as long as you specify a minimum of 1,000 mobile users for the tenant.

   For each tenant you create after the first, Prisma Access automatically creates templates, template stacks, and device groups for each tenant and associates them to the access domain you create. Prisma Access creates this environment to allow you to create a tenant-level administrative user using an administrative role based on the tenant’s device groups and templates, then creating an administrative user based on that role. In this way, you create an administrative user that has access to a single tenant without allowing that user access to the other tenants that are managed by the Panorama appliance.

   Prisma Access creates template stacks, templates, and device group using the following naming convention:

   • A service connection template stack with the name of sc-stk-tenant, where tenant is the tenant’s name.
   • A service connection template with the name of sc-tpl-tenant.
   • A service connection device group with the name of sc-dg-tenant.
   • A mobile user template stack with the name of mu-stk-tenant.
   • A mobile user template with the name of mu-tpl-tenant.
   • A mobile user device group with the name of mu-dg-tenant.
   • A remote network template stack with the name of rn-stk-tenant.
   • A remote network template with the name of rn-tpl-tenant.
   • A remote network device group with the name of rn-dg-tenant.
   • An Explicit Proxy template stack with the name of ep-stk-tenant.
   • An Explicit Proxy template with the name of ep-tpl-tenant.
   • An Explicit Proxy device group with the name of ep-dg-tenant.
   • A Clean Pipe template stack with the name of cp-stk-tenant.
   • A Clean Pipe template with the name of cp-tpl-tenant.
   • A Clean Pipe device group with the name of cp-dg-tenant.

   Prisma Access creates template stacks, templates, and device groups for all Prisma Access types, even those for which you might not be licensed. For example, if you purchase a license for remote networks, Prisma Access automatically creates template stacks, templates, and device groups for remote networks, mobile users, and Clean Pipe.

   If you add custom templates, they cannot take precedence over the Prisma Access-created templates.

   You allocate remote network and mobile user license resources for each tenant based on the license that is associated with the Cloud Services plugin in Panorama.

   The following figure shows a sample Prisma Access deployment using a license with a 20,000 Mbps remote network bandwidth pool and 20,000 mobile users. The administrator allocated 5,000 Mbps in remote network bandwidth and 5,000 mobile users for the existing configuration. After the administrator enabled multitenancy, the license allocation migrated along with all other configuration to the first tenant. The administrator then created additional tenants, each with a 5,000 Mbps bandwidth pool for remote networks and 5,000 mobile users for each tenant. Prisma Access allocates the license resources from the overall license allocation. After you complete this configuration, there is 5,000 Mbps of remote network bandwidth and 5,000 mobile users available in the license.