Plan Your Multitenant Deployment
Focus
Focus

Plan Your Multitenant Deployment

Table of Contents

Plan Your Multitenant Deployment

Before you enable multitenancy, migrate the first tenant, and create additional tenants, make sure that you have all required information and resources to do so by completing the following tasks:
  • If you are migrating an existing single-tenant deployment to a multitenant deployment, make a note of the following Prisma Access features that are not supported. See the Palo Alto Networks Compatibility Matrix for the list of unsupported features.
  • If don’t have an existing Prisma Access configuration, you Enable Multitenancy and add your tenants; then, then configure the tenants after you create them. See Create an All-New Multitenant Deployment for more information.
  • Make a note of your license allocation for remote networks and mobile users.
    Open your license (PanoramaLicenses) and find the Prisma Access Total Mbps (remote networks bandwidth pool) for remote networks and User Limit (total number of licensed users) for mobile users.
    When you create tenants, you assign resources for remote networks and mobile users from this license allocation. If you run out of the minimum required licensed Mbps for remote networks or mobile users, you cannot create additional tenants.
    You should also make a note of the bandwidth and mobile users allocation for your existing configuration. After you migrate your configuration to the first tenant, check these values to verify that the first tenant migrated correctly.
  • Make a list of the names you will use to identify each tenant.
    When you create tenant names, avoid using names like Tenant-1, Tenant-2, Tenant-3, and so on. The system logs reserve a small number of characters for the tenant name in the log output and, if tenants have similar names, it can be difficult to associate the tenant with the logs. We recommend using a unique and short name for tenants (for example, Acme or Hooli).
  • Make a list of the administrative users you will create and assign for each tenant, and note the maximum number of administrative users that can be logged in concurrently.
    When administrative users are performing normal multitenant operations such as configuration changes and commit operations, we recommend having a maximum of 12 administrative users logged in to Panorama concurrently.
    An administrative user who can manage multiple tenants can provision up to 200 tenants at the same time with a single commit operation.
  • Be sure that you have sufficient license resources to enable multiple tenants.
    The minimum license allocation for each tenant is 200 Mbps for each remote network or 200 mobile users. You can also create a tenant with only remote networks or mobile users, and can configure tenants in differing configurations on the same Panorama. For example, you could create a tenant with remote networks only, a tenant with mobile users only, or a tenant with both mobile users and remote networks, as long as each tenant meets the minimum license allocation and the relevant licenses are activated and associated with the Panorama where you configure the tenants.
  • When configuring a tenant in multitenancy mode, create a unique name for each IPSec tunnel and IKE gateway for service connections and remote network connections, and try to use a name that will not be duplicated by another tenant. While there is no effect to functionality, you cannot delete an IPSec tunnel or IKE gateway if another tenant is using a tunnel or gateway with the same name.
  • Single-tenant users cannot view system logs; only superusers can. You can, however, sort logs by tenant.
  • When using the multitenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
  • Some Prisma Access features are not supported for use with multitenancy. See Multitenant Unsupported Features in the Palo Alto Networks Compatibility Matrix for details.