Enable ADEM in Panorama Managed Prisma Access for Mobile Users
Learn how to enable Autonomous DEM for your Panorama Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. Generate the certificate the agent will use to authenticate to the Autonomous DEM service.
    1. From Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
    2. In the GlobalProtect App Log Collection section under Service Operators, click Generate Certificate for GlobalProtect App Collection and Autonomous DEM.
      A confirmation message indicates that the certificate was successfully generated in the Mobile_User_Template Shared location.
  2. Configure the portal to push the DEM settings to the GlobalProtect agent.
    1. Select Network > GlobalProtect > Portals > GlobalProtect Portal.
    2. To create an agent configuration to push to your DEM users only, in the Mobile_User_Template, select the GlobalProtect Portal Configuration.
    3. On the Agent tab, select the DEFAULT agent configuration, Clone it, and give it a new Name.
    4. To enable the portal to push the DEM authentication certificate you just generated to the end user systems, on the Authentication tab set Client Certificate to Local and then select the globalprotect_app_log_cert.
      After you push globalprotect_app_log_cert to the client machine, one root CA, two intermediate CAs, and one client certificate, all issued by Palo Alto Networks, are installed in the user's Personal store.
      Because Palo Alto Networks automatically generates the Strata Logging Service certificate, the root CA certificate and intermediate CA certificates must be owned by Palo Alto Networks. Palo Alto Networks can add the root certificate to the portal configuration so that the GlobalProtect app installs it on the machine as a trusted root CA, if desired.
    5. To ensure that this agent configuration is only pushed to agents running on supported operating systems, on the Config Selection Criteria > User/User Group tab, click Add in the OS column and select Mac and/or Windows only.
    6. If you only want to deploy the DEM configuration to a subset of your Mac and/or Windows users, in the User/User Group column Add the specific users or user groups to push this configuration to.
    7. To enable Autonomous DEM functionality for the selected users, on the App tab, enable Autonomous DEM endpoint agent for Prisma Access (Windows & Mac Only) by selecting one of the following options:
      • Install and user can enable/disable agent from GlobalProtect: ADEM is enabled by default, but users are allowed to disable it. End users can use this GlobalProtect configuration to pause and resume monitoring. If users disable the ADEM agent, they remain online, but the agent pauses monitoring and no synthetic tests are conducted.
      • Install and user cannot enable/disable agent from GlobalProtect: ADEM is enabled by default and stays enabled; users cannot disable ADEM.
    8. Also on the App tab, set Enable Autonomous DEM and GlobalProtect App Log Collection for Troubleshooting to Yes to enable the GlobalProtect app to use the certificate you just created to authenticate to the DEM service.
    9. Starting in GlobalProtect version 5.2.8, you have the option to suppress all Autonomous DEM update notifications (pertaining to installing, uninstalling, and upgrading an agent) on the endpoints. To suppress the notifications, set Display Autonomous DEM Update Notifications to No. By default, Display Autonomous DEM Update Notifications is set to Yes.
    10. Click OK to save the new app configuration settings and click OK again to save the portal configuration.
  3. Make sure you have the security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    1. In Panorama, go to Objects > Addresses. Click Add and add the following ADEM Service Destination FQDNs.
      Do not decrypt traffic to the following servers, and make sure the decryption profile allows untrusted issuers.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
      • agents-stg1-us-west2.dem.prismaaccess.com
      • agents-stg2-us-west2.dem.prismaaccess.com
    2. Create an address group to contain the addresses above by going to Objects > Address Groups, clicking Add, and providing a name for the address group.
    3. Add the address group you just created to the security policy. Go to Policies > Security > Pre Rules. Click Add and add the address group to the policy.
    4. To enable the GlobalProtect users to connect to and register with the ADEM service and to run the synthetic application tests, make sure there is a security policy rule that allows traffic to HTTPS-based applications.
    5. To enable the app to run network monitoring tests, you must have a security policy rule that allows ICMP and TCP traffic.
    6. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule that allows the GlobalProtect users to access applications over HTTP.
  4. Commit all your changes to Panorama and push the configuration changes to Prisma Access.
    1. Click Commit > Commit to Panorama.
    2. Click Commit > Push to Devices and click Edit Selections.
    3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
    4. Click Push.
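As an added example (not from the Palo Alto Networks documentation), the Python script below turns the ADEM Service Destination FQDN list from step 3 into Panorama configure-mode set commands for the address objects, the static address group, a security pre-rule for the HTTPS and optional HTTP traffic, and a no-decrypt pre-rule matching the "do not decrypt" note. The device-group name Mobile_User_Device_Group, the object and rule names, and the choice of the ssl and web-browsing App-IDs are assumptions made here; the set-command syntax follows the PAN-OS CLI and should be confirmed against the CLI reference for the deployed Panorama version before use.

```python
"""Constructed example: build the Panorama objects and pre-rules for step 3
as PAN-OS "set" commands. Not Palo Alto Networks code; the device-group,
object and rule names are placeholders chosen for this example."""
from typing import Dict, List

# ADEM service destination FQDNs exactly as listed on the page (step 3.1).
ADEM_FQDNS: List[str] = [
    "agents.dem.prismaaccess.com",
    "updates.dem.prismaaccess.com",
    "agents-prod1-us-west2.dem.prismaaccess.com",
    "agents-sg1-asia-southeast1.dem.prismaaccess.com",
    "agents-au1-australia-southeast1.dem.prismaaccess.com",
    "agents-jp1-asia-northeast1.dem.prismaaccess.com",
    "agents-ca1-northamerica-northeast1.dem.prismaaccess.com",
    "agents-eu1-europe-west4.dem.prismaaccess.com",
    "agents-uk1-europe-west2.dem.prismaaccess.com",
    "agents-in1-asia-south1.dem.prismaaccess.com",
    "agents-de1-europe-west3.dem.prismaaccess.com",
    "agents-ch1-europe-west6.dem.prismaaccess.com",
    "agents-fr1-europe-west9.dem.prismaaccess.com",
    "agents-stg1-us-west2.dem.prismaaccess.com",
    "agents-stg2-us-west2.dem.prismaaccess.com",
]

ADEM_DOMAIN = "dem.prismaaccess.com"


def validate_fqdn(fqdn: str) -> bool:
    """Accept only an exact host under dem.prismaaccess.com.

    The allow list is a set of literal FQDNs, so wildcards, schemes, ports,
    paths and look-alike suffixes (e.g. ...prismaaccess.com.example) are
    rejected instead of silently becoming broad address objects.
    """
    host = fqdn.strip().lower()
    if not host or any(ch in host for ch in "*/:@ "):
        return False
    labels = host.split(".")
    if not all(labels):  # rejects leading, trailing or doubled dots
        return False
    return len(labels) >= 4 and host.endswith("." + ADEM_DOMAIN)


def object_name(fqdn: str) -> str:
    """Derive a readable address-object name from the host's first label,
    e.g. agents-prod1-us-west2.dem.prismaaccess.com -> ADEM-agents-prod1-us-west2."""
    return "ADEM-" + fqdn.strip().lower().split(".")[0]


def build_set_commands(
    fqdns: List[str],
    device_group: str = "Mobile_User_Device_Group",  # placeholder device group
    group_name: str = "ADEM-Service",                 # placeholder address group
    rule_name: str = "Allow-ADEM-Service",            # placeholder rule name
) -> List[str]:
    """Return the Panorama configure-mode commands for step 3.

    Raises ValueError on any host outside the ADEM service domain and on an
    object-name collision, so a typo cannot quietly widen the policy.
    """
    bad = [f for f in fqdns if not validate_fqdn(f)]
    if bad:
        raise ValueError(f"not ADEM service hosts: {bad}")

    names: Dict[str, str] = {}
    cmds: List[str] = []
    for fqdn in fqdns:
        name = object_name(fqdn)
        if name in names:
            raise ValueError(f"object name {name} reused for {fqdn} and {names[name]}")
        names[name] = fqdn
        cmds.append(f"set device-group {device_group} address {name} fqdn {fqdn.strip().lower()}")

    members = " ".join(names)
    cmds.append(f"set device-group {device_group} address-group {group_name} static [ {members} ]")

    # Security pre-rule: ssl for registration and HTTPS app tests (step 3.4),
    # web-browsing for the optional HTTP-based synthetic tests (step 3.6).
    cmds.append(
        f"set device-group {device_group} pre-rulebase security rules {rule_name} "
        f"from any to any source any source-user any destination {group_name} "
        f"application [ ssl web-browsing ] service application-default action allow"
    )
    # Decryption pre-rule: the page says not to decrypt these servers; the agent
    # authenticates with the pushed client certificate, which forward-proxy
    # decryption would break.
    cmds.append(
        f"set device-group {device_group} pre-rulebase decryption rules No-Decrypt-{group_name} "
        f"from any to any source any destination {group_name} service any action no-decrypt"
    )
    return cmds


if __name__ == "__main__":
    print("\n".join(build_set_commands(ADEM_FQDNS)))
```

Running the script prints the commands for pasting into Panorama configure mode. The ICMP and TCP rule for network monitoring tests (step 3.5) applies to the applications you test rather than to these FQDNs, so it is left to your existing policy.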
