Enable ADEM in Panorama Managed Prisma Access for Mobile Users
Learn how to enable Autonomous DEM for your Panorama Managed Prisma Access users.

Autonomous DEM is supported only on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later, running on Windows or macOS endpoints. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for whom you want to enable ADEM.

After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with it. After the agent registers, you can assign app tests to the user.

To enable Autonomous DEM for your GlobalProtect users:
- Generate the certificate the agent will use to authenticate to the Autonomous DEM service.
  - From Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
  - In the GlobalProtect App Log Collection section under Service Operators, click Generate Certificate for GlobalProtect App Collection and Autonomous DEM. A confirmation message indicates that the certificate was successfully generated in the Mobile_User_Template Shared location.
- Configure the portal to push the DEM settings to the GlobalProtect agent.
  - Select Network > GlobalProtect > Portals > GlobalProtect Portal.
  - To create an agent configuration to push to your DEM users only, in the Mobile_User_Template, select the GlobalProtect Portal Configuration.
  - On the Agent tab, select the DEFAULT agent configuration, Clone it, and give it a new Name.
  - To enable the portal to push the DEM authentication certificate you just generated to the end user systems, on the Authentication tab set Client Certificate to Local and then select globalprotect_app_log_cert. After you push globalprotect_app_log_cert to the client machine, one root CA, two intermediate CAs, and one client certificate, all issued by Palo Alto Networks, are installed in the user's Personal store. Palo Alto Networks automatically generates the Strata Logging Service certificate, so the root CA certificate and intermediate CA certificate must be owned by Palo Alto Networks. Palo Alto Networks can add the root certificate to the portal configuration so that the GlobalProtect client can install it as a trusted root CA on the machine, if desired.
  - To ensure that this agent configuration is only pushed to agents running on supported operating systems, on the Config Selection Criteria > User/User Group tab, click Add in the OS column and select Mac and/or Windows only.
  - If you only want to deploy the DEM configuration to a subset of your Mac and/or Windows users, in the User/User Group column, Add the specific users or user groups to push this configuration to.
  - Enable Autonomous DEM functionality on the App tab. The setting depends on the GlobalProtect version:
    - For users on GlobalProtect version 6.2 and below, enable Autonomous DEM endpoint agent for Prisma Access for GP version 6.2 and below (Windows & Mac Only). ADEM is enabled by default; however, you can allow users to disable ADEM by selecting Install and user can enable/disable agent from GlobalProtect. End users can use this GlobalProtect configuration to pause/resume monitoring. If users disable the ADEM agent, they will continue to be online, but the agent will pause the monitoring and no synthetic tests will be conducted. To keep ADEM enabled so that users cannot disable it, select Install and user cannot enable/disable agent from GlobalProtect.
    - For users on GlobalProtect version 6.3 and above, enable Access Experience (ADEM, App Acceleration, end user coaching) for GP 6.3 and above (Windows & Mac Only). ADEM is enabled by default. If you want to keep it enabled, select the No Action (The agent state remains the same) option. To install or uninstall the agent, select Install the Agent or Uninstall the Agent.
  - Also on the App tab, set Enable Autonomous DEM and GlobalProtect App Log Collection for Troubleshooting to Yes to enable the GlobalProtect app to use the certificate you just created to authenticate to the DEM service.
  - Starting in GlobalProtect version 5.2.8, you have the option to suppress all Autonomous DEM update notifications (pertaining to installing, uninstalling, and upgrading an agent) on the endpoints. To suppress the notifications, set Display Autonomous DEM Update Notifications to No. By default, Display Autonomous DEM Update Notifications is set to Yes.
  - Click OK to save the new app configuration settings, and click OK again to save the portal configuration.
- Make sure you have the security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
  - In Panorama, go to Objects > Addresses. Click Add and add the following ADEM Service Destination FQDNs. Do not decrypt the following servers. Also, make sure the profile allows untrusted issuers.
    - agents.dem.prismaaccess.com
    - updates.dem.prismaaccess.com
    - features.dem.prismaaccess.com
    - agents-prod1-us-west2.dem.prismaaccess.com
    - agents-sg1-asia-southeast1.dem.prismaaccess.com
    - agents-au1-australia-southeast1.dem.prismaaccess.com
    - agents-jp1-asia-northeast1.dem.prismaaccess.com
    - agents-ca1-northamerica-northeast1.dem.prismaaccess.com
    - agents-eu1-europe-west4.dem.prismaaccess.com
    - agents-uk1-europe-west2.dem.prismaaccess.com
    - agents-in1-asia-south1.dem.prismaaccess.com
    - agents-de1-europe-west3.dem.prismaaccess.com
    - agents-ch1-europe-west6.dem.prismaaccess.com
    - agents-fr1-europe-west9.dem.prismaaccess.com
  - Create an address group to contain the addresses above by going to Objects > Address Groups, clicking Add, and providing a name for the address group.
  - Add the address group you just created to the security policy. Go to Policies > Security > PreRules, click Add, and add the address group to the policy.
  - To enable the GlobalProtect users to connect to and register with the ADEM service and to run the synthetic application tests, make sure there is a security policy rule that allows traffic to HTTPS-based applications.
  - To enable the app to run network monitoring tests, you must have a security policy rule that allows ICMP and TCP traffic.
  - (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule that allows the GlobalProtect users to access applications over HTTP.
- Commit all your changes to Panorama and push the configuration changes to Prisma Access.
  - Click Commit > Commit to Panorama.
  - Click Commit > Push to Devices and click Edit Selections.
  - On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
  - Click Push.
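A mistyped or missing FQDN in the address group silently breaks agent registration or a regional endpoint, and the GUI gives no cross-check against the required list. The following Python script is an added example, not part of the Palo Alto Networks documentation: it parses "set"-format configuration lines exported from Panorama, resolves the members of the ADEM address group to their FQDN address objects, and reports required FQDNs that are missing, members that are not FQDN objects, and unexpected FQDNs (with a closest-match hint for likely typos). The group name ADEM-Service-FQDNs, the "shared"/"device-group" location prefixes in the patterns, and the sample configuration are all assumptions constructed for the example.

```python
import difflib
import re

# The ADEM Service Destination FQDNs listed in the documentation above.
REQUIRED_ADEM_FQDNS = frozenset({
    "agents.dem.prismaaccess.com",
    "updates.dem.prismaaccess.com",
    "features.dem.prismaaccess.com",
    "agents-prod1-us-west2.dem.prismaaccess.com",
    "agents-sg1-asia-southeast1.dem.prismaaccess.com",
    "agents-au1-australia-southeast1.dem.prismaaccess.com",
    "agents-jp1-asia-northeast1.dem.prismaaccess.com",
    "agents-ca1-northamerica-northeast1.dem.prismaaccess.com",
    "agents-eu1-europe-west4.dem.prismaaccess.com",
    "agents-uk1-europe-west2.dem.prismaaccess.com",
    "agents-in1-asia-south1.dem.prismaaccess.com",
    "agents-de1-europe-west3.dem.prismaaccess.com",
    "agents-ch1-europe-west6.dem.prismaaccess.com",
    "agents-fr1-europe-west9.dem.prismaaccess.com",
})

# Hypothetical name of the address group created in the procedure.
ADEM_GROUP_NAME = "ADEM-Service-FQDNs"

# Constructed sample export: one typo (prismaacess), one non-ADEM object,
# one member with no address object, and most regional FQDNs absent.
SAMPLE_CONFIG = """\
set shared address adem-agents fqdn agents.dem.prismaaccess.com
set shared address adem-updates fqdn updates.dem.prismaaccess.com
set shared address adem-features fqdn features.dem.prismaacess.com
set shared address adem-us-west2 fqdn agents-prod1-us-west2.dem.prismaaccess.com
set shared address corp-intranet fqdn intranet.example.com
set shared address-group ADEM-Service-FQDNs static [ adem-agents adem-updates adem-features adem-us-west2 adem-eu1 corp-intranet ]
"""

# Assumed "set"-format shapes for FQDN address objects and static groups;
# the location prefix (shared or device-group <name>) is an assumption.
_ADDR_RE = re.compile(
    r"^set (?:shared|device-group \S+) address (\S+) fqdn (\S+)\s*$")
_GROUP_RE = re.compile(
    r"^set (?:shared|device-group \S+) address-group (\S+) static "
    r"(?:\[\s*(.*?)\s*\]|(\S+))\s*$")


def parse_set_config(text):
    """Return ({object_name: fqdn}, {group_name: [member names]})."""
    fqdn_objects, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ADDR_RE.match(line)
        if m:
            fqdn_objects[m.group(1)] = m.group(2).lower()
            continue
        m = _GROUP_RE.match(line)
        if m:
            # Bracketed list of members, or a single bare member name.
            members = m.group(2).split() if m.group(2) is not None else [m.group(3)]
            groups.setdefault(m.group(1), []).extend(members)
    return fqdn_objects, groups


def check_adem_group(text, group_name, required=REQUIRED_ADEM_FQDNS):
    """Compare the FQDNs reachable through one address group with the required list.

    Returns a dict with:
      missing    - required FQDNs that no member of the group provides
      unexpected - FQDNs in the group that are not required, mapped to the
                   closest required FQDN (likely typo) or None
      unresolved - member names that are not FQDN address objects
    """
    fqdn_objects, groups = parse_set_config(text)
    present, unresolved = set(), []
    for name in groups.get(group_name, []):
        if name in fqdn_objects:
            present.add(fqdn_objects[name])
        else:
            unresolved.append(name)
    unexpected = {}
    for fqdn in sorted(present - required):
        hint = difflib.get_close_matches(fqdn, sorted(required), n=1, cutoff=0.9)
        unexpected[fqdn] = hint[0] if hint else None
    return {
        "missing": sorted(required - present),
        "unexpected": unexpected,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = check_adem_group(SAMPLE_CONFIG, ADEM_GROUP_NAME)
    for key in ("missing", "unexpected", "unresolved"):
        print(f"{key}: {report[key]}")
```

Replace SAMPLE_CONFIG with your own export and ADEM_GROUP_NAME with the group you created; a clean result is an empty list for every key. Because the check works on exported text, it can be run before the commit-and-push step, and rerun after any content or regional FQDN change to the list.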