Prisma Access Agent
Configure General Global Settings for the Prisma Access Agent
Configure general global agent settings such as the anti-tamper unlock password,
authentication override settings, and the inactivity timeout settings.
You can customize the global agent settings that apply to Prisma
Access Agents across all endpoints.
General global agent settings include setting up the anti-tamper
feature that prevents users from tampering with the Prisma Access Agent, such as
uninstalling it from an end user's device. In addition, you can configure the
authentication override settings, the inactivity timeout setting, and block the
login of quarantined devices.
- Navigate to the Prisma Access Agent setup.
  - From Strata Cloud Manager:
    - Log in to Strata Cloud Manager as the administrator.
    - Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
  - From Panorama:
    - From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent > Configure Prisma Access Agent.
    - Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
- Edit the Global Agent Settings.
- (Strata Cloud Manager only) Select General.
- Configure an anti-tamper unlock password. You can safeguard the Prisma Access Agent by enabling the anti-tamper feature, which prevents any unauthorized user from tampering with the Prisma Access Agent. The anti-tamper feature can protect the following Prisma Access Agent resources on your endpoints:
  - Prisma Access Agent folders and files—Unauthorized users cannot delete or rename any Prisma Access Agent-related files and folders.
  - Prisma Access Agent services and host information profile (HIP) processes—Unauthorized users cannot stop any Prisma Access Agent-related services and HIP processes. The HIP processes collect information about the host that the Prisma Access Agent is running on and submit the host information to Prisma Access for inspection. If a user tries to stop a process, they must supply the anti-tamper unlock password.
  - Prisma Access Agent Registry keys (on Windows) or .plist file (on macOS)—Unauthorized users cannot delete or update the Windows Registry keys or .plist file for the Prisma Access Agent.
  - The PACli command-line interface—Unauthorized users cannot disable the Prisma Access Agent or the anti-tamper feature using the PACli command-line interface. Administrators and authorized users who need to perform certain actions for troubleshooting at the command line must provide the anti-tamper unlock (supervisor) password when prompted.

  To unlock the anti-tamper feature to troubleshoot the Prisma Access Agent, you need to set up an anti-tamper unlock password (also known as the supervisor password).
  - Enable the anti-tamper unlock password. If you don't enable the anti-tamper password, no password is assigned, and a user can enter any password (including an empty password) when prompted at the Prisma Access Agent command line. If you disable the anti-tamper password after enabling it, users can run certain PACli commands on the agent, such as the pacli disable, pacli hip status, pacli protect disable, and pacli switchto GlobalProtect commands, without providing the supervisor password. They only need to press Enter when prompted for the password.
  - Enter the Password, and then Confirm Password by reentering the password. The password must have a minimum of eight alphanumeric characters.
  - For Strata Cloud Manager Managed Prisma Access: If you do not provide a password, the default password will be used. By default, the anti-tamper password is set to the first three characters of the Prisma Access tenant name in uppercase, plus the Prisma Access Data Region in lowercase, plus the last five digits of the Prisma Access Instance ID, for example: PANamericas56789. You can obtain the Prisma Access Instance ID and Data Region by selecting Settings > Tenants > <your_tenant> and selecting the View Support Info tool tip next to the serial number for Prisma Access. To provide a higher level of security for your agents, override the default anti-tamper unlock password by setting up a new secure password.
  - For Panorama Managed Prisma Access or Panorama managed NGFW deployments: Enter a password. There is no default anti-tamper unlock password. The password must have a minimum of eight alphanumeric characters.
- Configure Authentication Override settings to allow Prisma Access to generate and accept secure, encrypted cookies for user authentication. Authentication override allows the user to provide login credentials only once during the specified Cookie Lifetime.
  - Generate cookie for authentication override—Enables Prisma Access to generate encrypted endpoint-specific cookies and issue authentication cookies to the endpoint. Default: Enabled.
  - Accept cookie for authentication override—Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user. Default: Enabled.
  - Certificate to Encrypt/Decrypt Cookie—Select a certificate to use to encrypt and decrypt the cookie. For NGFW deployments, this certificate is the same one that you imported in the Infrastructure settings.
  - Cookie Lifetime—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1-72; the range for days is 1-365; and the range for weeks is 1-52. After the cookie expires, the user must reenter their login credentials. Prisma Access then encrypts a new cookie to send to the agent. This value can be the same as or different from the cookie lifetime that you configure.
- (Strata Cloud Manager) Configure Timeout settings for the Prisma Access Agent. The Inactivity Logout setting applies to both Prisma Access Agent and GlobalProtect. Any changes you make will be reflected and used for GlobalProtect, and vice versa.
  - Inactivity Logout—Specify the amount of time after which idle users are logged out of the Prisma Access Agent. You can use the inactivity logout period to enforce a security policy to monitor traffic from endpoints while connected to Prisma Access and to quickly log out inactive Prisma Access Agent sessions. You can enforce a shorter inactivity logout period. Users are logged out if the Prisma Access Agent has not routed traffic through the tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
- (Strata Cloud Manager) Block Login for Quarantined Devices to prevent Prisma Access Agent users from logging in from quarantined devices. If a user attempts to log in from a quarantined device when this setting is enabled, the Prisma Access Agent notifies the user that the device is quarantined and the user cannot log in from that device. If this setting is not enabled, the user receives the notification but is able to log in from that device. The Block Login for Quarantined Devices setting applies to both Prisma Access Agent and GlobalProtect. Any changes you make will be reflected and used for GlobalProtect, and vice versa.
- Save your settings.
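As an added illustration (not Palo Alto Networks code), the following Python check encodes the anti-tamper password rules and the Cookie Lifetime ranges from the steps above so that a settings record can be audited before it is pushed: it flags an anti-tamper password that is disabled, missing, too short, or still equal to the documented default, and a Cookie Lifetime outside the documented range for its unit. The tenant values and the settings dictionary are constructed, hypothetical inputs, and the field names are assumptions rather than the product's own schema.

```python
from typing import Dict, List, Optional

# Cookie Lifetime ranges stated in the procedure, per unit.
COOKIE_LIFETIME_RANGES = {"hours": (1, 72), "days": (1, 365), "weeks": (1, 52)}


def default_anti_tamper_password(tenant_name: str, data_region: str, instance_id: str) -> str:
    """Documented default for SCM-managed tenants: first three characters of the tenant
    name in uppercase + Data Region in lowercase + last five digits of the Instance ID."""
    return tenant_name[:3].upper() + data_region.lower() + instance_id[-5:]


def check_anti_tamper_password(enabled: bool, password: Optional[str], tenant: Dict[str, str]) -> List[str]:
    """Return findings for the anti-tamper (supervisor) password configuration."""
    if not enabled:
        return ["anti-tamper password disabled: PACli accepts any password, including an empty one"]
    if not password:
        return ["no password set: the predictable default derived from tenant metadata is in use"]
    findings = []
    # Our reading of 'minimum of eight alphanumeric characters': at least eight alnum characters.
    if sum(c.isalnum() for c in password) < 8:
        findings.append("password must contain at least eight alphanumeric characters")
    if password == default_anti_tamper_password(**tenant):
        findings.append("password equals the documented default; override it with a new secure password")
    return findings


def check_cookie_lifetime(value: int, unit: str) -> List[str]:
    """Return findings if the Cookie Lifetime falls outside the documented range for its unit."""
    if unit not in COOKIE_LIFETIME_RANGES:
        return [f"unknown Cookie Lifetime unit {unit!r}"]
    lo, hi = COOKIE_LIFETIME_RANGES[unit]
    if not lo <= value <= hi:
        return [f"Cookie Lifetime {value} {unit} is outside the allowed range {lo}-{hi}"]
    return []


def validate_general_settings(settings: Dict, tenant: Dict[str, str]) -> List[str]:
    """Audit one General global settings record (field names are assumed, not the product schema)."""
    findings = check_anti_tamper_password(
        settings["anti_tamper_enabled"], settings.get("anti_tamper_password"), tenant)
    findings += check_cookie_lifetime(settings["cookie_lifetime"], settings["cookie_lifetime_unit"])
    return findings


# Constructed sample tenant; the values are hypothetical and do not identify a real tenant.
SAMPLE_TENANT = {"tenant_name": "PANW Example", "data_region": "Americas", "instance_id": "1234556789"}

if __name__ == "__main__":
    weak = {"anti_tamper_enabled": True, "anti_tamper_password": "PANamericas56789", "cookie_lifetime": 96, "cookie_lifetime_unit": "hours"}
    print(validate_general_settings(weak, SAMPLE_TENANT))
```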