: Enable ADEM in Panorama Managed Prisma Access for Mobile Users
Focus
Focus

Enable ADEM in Panorama Managed Prisma Access for Mobile Users

Table of Contents

Enable ADEM in Panorama Managed
Prisma Access
for Mobile Users

Learn how to enable
Autonomous DEM
for your Panorama Managed
Prisma Access
users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. Generate the certificate the agent will use to authenticate to the
    Autonomous DEM
    service.
    1. From Panorama, select
      Panorama
      Cloud Services
      Configuration
      Service Setup
      .
    2. In the GlobalProtect App Log Collection section under Service Operators, click
      Generate Certificate for GlobalProtect App Collection and
      Autonomous DEM
      .
      A confirmation message indicates that the certificate was successfully generated in the Mobile_User_Template Shared location.
  2. Configure the portal to push the DEM settings to the GlobalProtect agent.
    1. Select
      Network
      GlobalProtect
      Portals
      GlobalProtect Portal
      .
    2. To create an agent configuration to push to your DEM users only, in the
      Mobile_User_Template
      , select the GlobalProtect Portal Configuration.
    3. On the
      Agent
      tab, select the DEFAULT agent configuration and
      Clone
      it and give it a new
      Name
      .
    4. To enable the portal to push the DEM authentication certificate you just generated to the end user systems, on the
      Authentication
      tab set
      Client Certificate
      to
      Local
      and then select the
      globalprotect_app_log_cert
      .
      After you push
      globalprotect_app_log_cert
      to the client machine, one root CA, two intermediate CAs, and one client certificate, issued by Palo Alto Networks, are installed in the user's Personal store.
      Palo Alto Networks automatically generates the
      Strata Logging Service
      certificate, so the root CA certificate and intermediate CA certificate must be owned by Palo Alto Networks. Palo Alto Networks can add the root certificate to portal configuration so that the GlobalProtect client can install it as a trusted root CA to the machine if they want to do so.
    5. To ensure that this agent configuration is only pushed to agents running on supported operating systems, on the
      Config Selection Criteria
      User/User Group
      tab, click
      Add
      in the
      OS
      column and select
      Mac
      and/or
      Windows
      only).
    6. If you only want to deploy the DEM configuration to a subset of your Mac and/or Windows users, in the User/User Group column
      Add
      the specific users or user groups to push this configuration to.
    7. To enable
      Autonomous DEM
      functionality for users on GlobalProtect version 6.2 and below, on the
      App
      tab, enable
      Autonomous DEM
      endpoint agent for
      Prisma Access
      for GP version 6.2 and below (Windows & Mac Only)
      .
      ADEM is enabled by default; however, you can allow users to disable ADEM by selecting
      Install and user can enable/disable agent from GlobalProtect
      . End users can use this GlobalProtect configuration to pause/resume monitoring. If users disable the ADEM agent, they will continue to be online, but the agent will pause the monitoring and no synthetic tests will be conducted.
      ADEM is enabled by default. Select
      Install and user cannot enable/disable agent from GlobalProtect
      to keep ADEM enabled. Users will not be able to disable ADEM.
      To enable
      Autonomous DEM
      functionality for users on GlobalProtect version 6.3 and above, on the
      App
      tab, enable
      Access Experience (ADEM, App Acceleration, end user coaching) for GP 6.3 and above (Windows & Mac Only)
      .
      ADEM is enabled by default. If you want to keep it enabled, select the
      No Action (The agent state remains the same)
      option. To install or uninstall the agent, select
      Install the Agent
      or
      Uninstall the Agent
      .
    8. Also on the
      App
      tab, set
      Enable
      Autonomous DEM
      and GlobalProtect App Log Collection for Troubleshooting
      to
      Yes
      to enable the GlobalProtect app to use the certificate you just created to authenticate to the DEM service.
    9. Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all
      Autonomous DEM
      update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, set the
      Display
      Autonomous DEM
      Update Notifications
      to
      No
      . By default, the
      Display
      Autonomous DEM
      Update Notifications
      is set to
      Yes
      .
    10. Click
      OK
      to save the new app configuration settings, and click
      OK
      again to save the portal configuration.
  3. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    1. In Panorama, go to
      Objects
      addresses
      . Click on
      Add
      and add the following ADEM Service Destination FQDNs.
      Do not decrypt the following servers. Also, make sure the profile allows untrusted issuers.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    2. Create an address group to contain the addresses above by going to
      Objects
      Address Groups
      , clicking
      Add
      and providing a name for the address group.
    3. Add the address group you just created into the security policy. Go to
      Policies
      Security
      PreRules
      . Click
      Add
      and add the address group to the policy.
    4. To enable the GlobalProtect users to connect to and register with the ADEM service and to run the synthetic application tests, make sure there is a security policy rule that allows traffic to HTTPS-based applications.
    5. To enable the app to run network monitoring tests, you must have a security policy rule to allow ICMP and TCP traffic.
    6. (
      Optional
      ) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  4. Commit all your changes to Panorama and push the configuration changes to
    Prisma Access
    .
    1. Click
      Commit
      Commit to Panorama
      .
    2. Click
      Commit
      Push to Devices
      and click
      Edit Selections
      .
    3. On the
      Prisma Access
      tab, make sure
      Prisma Access
      for users
      is selected and then click
      OK
      .
    4. Click
      Push
      .

Recommended For You