Prisma Access Skillets
A suite of deployment, configuration, and service information skillets for Prisma Access Service Setup, Mobile Users, and Remote Networks including:
* Panorama instantiation in Azure or AWS * Panorama licensing, content updates, sw updates, and basic configuration * Prisma Access service setup, mobile user, and remote network configuration/onboarding * Prisma Access API queries to view service information
The skillets are grouped into functional Collections:
* Prisma Access Deploy Panorama: initial cloud deployment and setup (licensing, updates, plugin) * Prisma Access Configure Service Setup: initial Prisma Access infrastructure configuration * Prisma Access Configure Mobile Users: mobile user configuration elements * Prisma Access Configure Remote Network: remote network configuration elements * Prisma Access Assess Tools: utilities for post-configuration information
License Activation and Customer Support Portal SuperUser Access
This is used to ensure Panorama can be dynamically licensed in Step 3. Also required is superuser access to generate the One Time Password (OTP) to authorize Panorama connectivity to the cloud instance.
See How to Activate Cortex Data Lake and Prisma Access for Evals if additional information needed for license activation.
Accept the EULA for Panorama in Azure or AWS
In the Azure Portal, open Azure Cloud Shell and run the following command (BASH ONLY!):
# Accept VM-Series EULA for desired currently-available version of Panorama (see above command for urn) $ az vm image terms accept --urn paloaltonetworks:panorama:byol:8.1.2
For AWS, visit this link to accept the EULA: https://aws.amazon.com/marketplace/pp?sku=eclz7j04vu9lf8ont8ta3n17o
Ensure you have the latest Panhandler
For GUI driven deployments using docker containers, ensure you have the latest Panhandler installed on your machine. The only requirement for Panhandler is Docker.
$ curl -s -k -L http://bit.ly/2xui5gM | bash
You can reference the panHandler Quick Start Guide for more information about using panHandler to import and run skillets.
Step 1 - Deploy Panorama
First, Choose which public cloud you will use for Panorama Deployment. Currently suppored options are:
Second, the skillet uses a set of Terraform templates to deploy a new Panorama instance.
Ensure the region selected supports the required image type
Azure Products by Region gives information about Azure VM compute resources per region.
Step 2 - Initial Panorama Setup
Initial Panorama staging is done using Ansible playbooks. Includes:
* DNS and NTP configuration * Licensing * Content and Software Updates * Prisma Access Plug-in installation * Changed Cloud Services Plugin to 1.6.0
Panorama is upgraded to version 9.0.7
Cloudservice plugin 1.5.0 is installed
Step 2.1 - Verify the Cloud Plugin using the One Time Password (OTP)
Before configuring Panorama, you must generate the OTP in the Customer Support Portal and add to Panorama
* Access the Customer Support Portal (Must be a SuperUser) and generate the OTP * Go to Panorama > Cloud Services > Configuration and Click ```Verify``` * Paste in the OTP and Submit
Serivce Setup Configuration
Step 1 - Initial Prisma Access Configuration
Prior to this step enter the Prisma Access OTP using the Panorama Web UI
Add the service infrastructure subnet and BGP AS.
Mobile User Configuration
Step 1 - Generate Config File and Import to Panorama
This skillet will capture configuration web form data and then generate a full xml config file that is then imported
to Panorama. This file will be referenced in Steps 5 and 6 using
load config partial to merge configuration elements
into the candidate configuration.
The default filename for import is
If API access is not available, use the Manual skillet option to generate a configuration file to import to Panorama
Step 2 - Initial Load Config Partial for Service Setup
After the file is imported, this skillet will configure service setup and add the mobile user template
At the completion of Step 2 a Panorama commit is required before proceeding to step 3
Step 3 - Generate Certificates and Complete Mobile User Configuration
COMMIT to Panorama before running step 3
This skillet will run through a series of load config partial commands and a certificate generation to:
* Configure Mobile User Setup and Onboarding * Generate certificates used as part of onboarding configuration
At the completion of Step 3 commit to Panorama and push the configuration to Prisma Access
GUI instructions to commit the changes and push to Prisma Access are found in the Admin Guide
Optional non-API Config File Generation
If API access to Panorama is not available, the following steps can be used as an alternative to steps 1, 2, and 3.
- Run the Optional Manual skillet to generate a config file
- Copy the xml file output to a file with name
- Import the file to Panorama (Panorama > Setup > Operations)
- Use the CLI and follow the manual steps for load config partial
Remote Network Configuration
Initial Remote Network configuration and per-site onboarding.
Step 1 - Initial Configuration
Setup the device-group, template, template-stack, and zone configuration.
Step 2 - Site Onboarding
Configure the IKE/IPSEC crypto profiles, IKE gateway, IPSEC tunnel, and plugin onboarding.
Details for each elements can be found by reviewing the Remote Network onboarding skillet content.
Retrieve Service Information
The details for using the API and information returned are found in the Admin Guide
As an alternative to the curl commands and generating and update the option.txt file, this skillet creates a simple web interface to input the API key and capture user selections for the arguments and choices.
The output of the API is shown on screen.
The code and templates in the repo are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.