ADEM Data Collection and Agent Processes
Focus
Focus
Autonomous DEM

ADEM Data Collection and Agent Processes

Table of Contents

ADEM Data Collection and Agent Processes

Learn about the metrics that the ADEM agent collects from the user's workstation in order to provide actionable insights into the workstation, network, path and application performance
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Strata Cloud Manager
  • Prisma Access license
  • Autonomous DEM license
The Autonomous Digital Experience Management capability is built into the GlobalProtect Client. It is enabled/disabled by the policy in the Prisma Access administration portal (Both Panorama and Cloud Managed).

Data Collection

The ADEM agent collects metrics from the user's workstation in order to provide actionable insights into the workstation, network, path and application performance. The metrics collected are:
User sessions
  • GlobalProtect username
  • GlobalProtect Login / Logout time
  • GlobalProtect status
  • Prisma Access location
  • User geographical local
  • Service provider name
BIOS
  • Serial number
Computer
  • Hostname
  • Model
  • Manufacturer
  • Battery
Network
  • Hostname
  • Network interfaces
  • IPv4 and IPv6 address
  • Public IP Address
  • MAC address
  • Default gateway
  • WiFi Signal Quality
  • WiFi Tx Speed
  • WiFi Rx Speed
  • WiFi Channel
  • WiFi Network SSID
  • WiFi Network BSSID
VPN Network
  • VPN Interface
  • VPN Gateway ID/Hostname
  • Network interfaces
Operating System
  • OS type
  • Version
  • OS architecture
Logical Devices
  • Device ID
  • Device type
  • Media type
  • Size
  • Name
  • Volume name
  • Volume serial number
  • Filesystem count
  • Filesystem storage size
  • Filesystem usage
CPU
  • Architecture
  • Core count
  • Logical processor count
  • Manufacturer
  • Max clock speed (Except on Apple Silicon)
  • Name
RAM
  • Memory module capacity (Windows only)
  • Total Capacity
Synthetic Test Results
  • Network Latency
  • Network Jitter
  • Network Loss
  • DNS resolution times
  • TCP Latency
  • SSL Latency
  • HTTP Latency
Real User Monitoring (RUM) Metrics
  • Page Load Time
  • Time To First Byte (TTTB)
  • Largest Contentful Paint (LCP)
  • Cumulative Layout Shift (CLS)
  • First Input Delay (FID)
  • Interaction to Next Paint (INP)

FQDNs Used by ADEM

The ADEM Client sends the data collected to the ADEM Portal. As such the following FQDN’s may need to be whitelisted and/or excluded from SSL decryption:
  • agents.dem.prismaaccess.com
  • updates.dem.prismaaccess.com
  • features.dem.prismaaccess.com
  • agents-prod1-us-west2.dem.prismaaccess.com
  • agents-sg1-asia-southeast1.dem.prismaaccess.com
  • agents-au1-australia-southeast1.dem.prismaaccess.com
  • agents-jp1-asia-northeast1.dem.prismaaccess.com
  • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
  • agents-eu1-europe-west4.dem.prismaaccess.com
  • agents-uk1-europe-west2.dem.prismaaccess.com
  • agents-in1-asia-south1.dem.prismaaccess.com
  • agents-de1-europe-west3.dem.prismaaccess.com
  • agents-ch1-europe-west6.dem.prismaaccess.com
  • agents-fr1-europe-west9.dem.prismaaccess.com

Processes to be Whitelisted on EDR Deployments

Here are the ADEM processes that you must whitelist on your EDR deployments in order for Autonomous DEM to run.
MacOS Process
ProcessProcess DescriptionUser/Permission level
/Applications/Access Experience.app/Contents/MacOS/crypter(This is a debugging tool as of 3.0.0) In previous versions it was used to read encrypted data from GlobalProtect: username, subtenant_id,certificate password._panwdem (sudo)
/Applications/Access Experience.app/Contents/Services/DemPathTestService.xpc/Contents/MacOS/mtrPath Trace test for showing path visualization data on ADEM portal_panwdem (sudo)
/Applications/Access Experience.app/Contents/Services/DemPathTestService.xpc/Contents/MacOS/DemPathTestServiceInvokes the mtr process for path traces._panwdem
/Applications/Access Experience.app/Contents/Services/DemWebTestService.xpc/Contents/MacOS/DemWebTestServiceRuns the curl process._panwdem
/Applications/Access Experience.app/Contents/Services/DemWebTestService.xpc/Contents/MacOS/curlApplication Performance test using Curl_panwdem
/Applications/Access Experience.app/Contents/Services/DemUpdateService.xpc/Contents/MacOS/DemUpdateServiceEndpoint DEM service software update managerroot
/Applications/Access Experience.app/Contents/Services/DemNetworkTestService.xpc/Contents/MacOS/DemNetworkTestServiceRuns ICMP/TCP ping tests._panwdem
/Applications/Access Experience.app/Contents/Services/DemCollectionService.xpc/Contents/MacOS/DemCollectionServiceCollects local system metrics such as cpu, memory, and wifi statistics._panwdem
/Applications/Access Experience.app/Contents/Services/DemPortalService.xpc/Contents/MacOS/DemPortalServiceProvides connectivity to the ADEM portal for incoming configuration and transmission of test results._panwdem
/Applications/Access Experience.app/Contents/Services/DemTransmissionService.xpc/Contents/MacOS/DemTransmissionServiceRuns periodically to collect test results from the other services and transmits them to the portal via the portal service._panwdem
/Applications/Access Experience.app/Contents/MacOS/Access Experience
/Applications/Access Experience.app/Contents/Library/Access Experience Menu.app/Contents/MacOS/Access Experience Menu
/Applications/Access Experience.app/Contents/Services/DemPathTestService.xpc/Contents/MacOS/mtr-packet
/Applications/Access Experience.app/Contents/Services/DemUserProxyService.xpc/Contents/MacOS/DemUserProxyService
/Applications/Access Experience.app/Contents/Services/DemNetworkTestService.xpc/Contents/Frameworks/SPLPing.framework/Versions/A/SPLPing
/Applications/Access Experience.app/Contents/Services/DemUpdateService.xpc/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
/Applications/Access Experience.app/Contents/Services/DemUpdateService.xpc/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
/Applications/Access Experience.app/Contents/Services/DemUpdateService.xpc/Contents/Frameworks/Sparkle.framework/Versions/A/Sparkle
/etc/sudoers.d/‘palo_alto_networks_dem.tmp’File lists processes that requires sudo access_panwdem (sudo)
/Applications/Access Experience.app/Contents/Services/DemAnalyticsService.xpc/Contents/MacOS/DemAnalyticsService
Windows Process
ProcessProcess DescriptionUser/Permission level
C:\Program Files\Palo Alto Networks\DEM\bin\curlApplication Performance test using CurlNetwork Service
C:\Program Files\Palo Alto Networks\DEM\bin\mtr-packetPath Trace test for showing path visualization data on ADEM portalNetwork Service
C:\Program Files\Palo Alto Networks\DEM\bin\mtrInvokes the mtr process for path traces.Network Service
C:\Program Files\Palo Alto Networks\DEM\bin\tcpingNetwork Performance test for Applications using TCP PingNetwork Service
C:\Program Files\Palo Alto Networks\DEM\AgentProcessThis is the main agent process that provides portal connectivity and test coordination.Local System
C:\Program Files\Palo Alto Networks\DEM\DEMAgentService
C:\Program Files\Palo Alto Networks\DEM\DEMPortalProcess
C:\Program Files\Palo Alto Networks\DEM\bin\BMTR
C:\Program Files\Palo Alto Networks\DEM\deployment\DEMUpdateService
C:\Program Files\Palo Alto Networks\DEM\Feature-Self-Service\createdump
C:\Program Files\Palo Alto Networks\DEM\Feature-Self-Service\DEMAnalyticsProcess
C:\Program Files\Palo Alto Networks\DEM\Feature-Self-Service\Access Experience
C:\Program Files\Palo Alto Networks\DEM\Feature-Self-Service\AccessExperienceUI