Configure the Prisma AIRS MCP Server

1. Authentication Setup—Create authentication keys (API Key or OAuth 2.0 token) required for MCP server access with any one of the following methods.

   1. (Method1) Generate Prisma AIRS API key. This key is generated during the onboarding process in Strata Cloud Manager. Include the API key in MCP server configurations using the x-pan-token header. or,
   2. (Method2) Generate OAuth 2.0 token in Strata Cloud Manager. Include the OAuth 2.0 token in the MCP server configuration using the Authorization header.
2. Create an AI Security Profile. Configure one or more AI profiles for the detection features you want to use with Prisma AIRS API tools.

   There are three ways to pass profile when using Prisma AIRS MCP Server:

   • Add the profile name or id to the MCP Server configuration in the header (example: x-pan-profile: your-profile-name-or-id), or
   • Specify this profile name or the profile ID (in the profile input field) on all the MCP tool calls, or
   • Toggle Linked to enable Security Profile Linking to link to an existing Security Profile automatically (based on the AI application the Security Profile is linked with).

3. Configure the MCP client.

   You can have a unique MCP client architecture as per your requirement that varies with:

   • Application category and intended use case (such as, AI Agent, IDE, and CLI)
   • Development framework and programming language (such as, Python, Go, Java, TypeScript)
   • Deployment platform and environment (such as, desktop, browser, server-side, docker, and serverless)

   Although your MCP client implementations may vary, all MCP clients must specify the following minimum MCP server parameters:

   • (Mandatory) Authentication—Auth token or API key.
   • (Mandatory) Protocol Type—streamhttp or sse.
   • (Mandatory) HTTP API endpoint —Prisma AIRS MCP server endpoint URL:
     • streamhttp: https://service.api.aisecurity.paloaltonetworks.com/mcp, or
     • SSE: https://service.api.aisecurity.paloaltonetworks.com/mcp/sse
     Following are the MCP server API endpoints based on the regions to select while creating a Prisma AIRS AI Runtime API intercept deployment profile:

     • US: https://service.api.aisecurity.paloaltonetworks.com/mcp
     • EU: https://service-de.api.aisecurity.paloaltonetworks.com/mcp
     • IN: https://service-in.api.aisecurity.paloaltonetworks.com/mcp
     • SG: https://service-sg.api.aisecurity.paloaltonetworks.com/mcp
   • (Optional) AI Profile Name or ID—Profile name or ID (for example, x-pan-profile: your-profile-name-or-id). The Security Profile Linking (when enabled) automatically associates the default Security Profile with the AI profile and passed as a header.

   Example client configuration code:

   {
     "servers": {
       "prisma-airs": {
         "type": "http",
         "url": "https://service.api.aisecurity.paloaltonetworks.com/mcp",
         "headers": {"x-pan-token": "your-api-key", "x-pan-profile": "your-profile(optional)"}
       }
     }
   }

   The Palo Alto Networks MCP server tool descriptions don’t guarantee that your agent's LLM will invoke the server. AI agents and applications are responsible for building specific integration points to invoke Palo Alto Networks MCP tools. These integration points include system prompts, MS copilot connectors, and MS copilot topics.
4. Monitor the MCP server logs. In the log viewer, review the MCP attributes Sub Type(PANW MCP Server) and Scan Type (sync: pan_inline_tool, async: pan_batch_tool) for troubleshooting any issues.