Prisma Access Agent Administration
  • Prisma Access Agent Administration
  • Prisma Access Agent Documentation
  • All Documentation
>
Create and Manage HIP Profiles for the Prisma Access Agent
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access Agent
  3. Configure the Prisma Access Agent
  4. Configure HIP Notifications for the Prisma Access Agent
  5. Create and Manage HIP Profiles for the Prisma Access Agent
Download PDF
Prisma Access Agent

Create and Manage HIP Profiles for the Prisma Access Agent

Table of Contents
Learn how to create a collection of HIP objects that are evaluated together, either for monitoring or for security policy enforcement.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access 5.1 Preferred or Innovation
  • Prisma Access license with the Mobile User subscription
  • Prisma Access Agent version: 25.1.0.14
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
  1. You can configure HIP Profiles from ManageConfigurationNGFW and Prisma AccessObjectsHIPHIP Profiles.
  2. Click Add HIP Profile.
  3. Enter a Name and Description to identify the profile.
  4. Click within the Match field to open the HIP Profile builder.
    1. Select the HIP object or profile that you want to use as match criteria from the list.
    2. Select a Boolean operator (And, And). If you want the HIP Profile to evaluate the object as a match only when the criteria in the object are not true for a flow, select the Not check box before adding the object.
    3. Select another HIP object or profile to evaluate against the first HIP object.
  5. Continue adding match criteria for the profile that you're building, making sure to select the appropriate Boolean operator radio button (And or Or) between each addition, and using the Not check box when appropriate. The HIP Profile can contain up to 2,048 characters in length.
  6. When creating a complex Boolean expression, you must manually add the parenthesis in the proper places in the Match text box to ensure that the HIP Profile is evaluated using the logic you intend.
  7. Save and Add your HIP Profile.
  8. To manage your HIP Profiles, you can select an existing profile from the HIP Notifications table or click Add in the Edit Global Agent Settings page to open the HIP Notifications window.
    From there, click Manage HIP Profile to view the list of HIP Profiles that you have configured. You can select a HIP Profile and Delete, Clone, or Move it. You can also Add a HIP Profile from here.

Create HIP-Enabled Security Rules on Your Gateways

As a best practice, you should create your security rules and test that they match the expected flows (based on the source and destination criteria) before adding your HIP profiles. By doing this, you can better determine the proper placement of the HIP-enabled rules within the policy.
  1. On the firewall that's hosting your gateway, select PoliciesSecurity, and then select the rule to which you want to add a HIP profile.
  2. On the Source tab, make sure the Source Zone is a zone for which you enabled User-ID.
  3. On the Source tab under Source Device, Add the HIP Profiles used to identify devices (you can add up to 63 HIP profiles to a rule).
  4. Click OK to save the rule.
  5. Commit the changes.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.