Configure the Prisma Access Agent (Coexistence Tenant)
To manage both the Prisma Access Agent and GlobalProtect app on the same Prisma Access tenant (instance), you can onboard the Prisma Access Agent using a
tenant that is configured for GlobalProtect.
Where Can I Use This?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
NGFW (Managed by Panorama)
What Do I Need?
Check the prerequisites for the deployment you're using
Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
The settings for both the GlobalProtect app and Prisma Access Agent can coexist on
the same Prisma Access or NGFW tenant (instance).
After you have configured the GlobalProtect app on a tenant and want to deploy the Prisma Access Agent to your mobile users, you can onboard the Prisma Access Agent on the same tenant.
By onboarding the Prisma Access Agent on an existing GlobalProtect-enabled tenant,
you can reduce the operational overhead for managing separate tenants and
configurations, such as creating backend resources like service connections and remote
networks on each tenant.
Because the Prisma Access Agent and GlobalProtect app can be installed on the same endpoint, you can deploy both apps from the same tenant, reducing the effort of maintaining two separate tenants. If needed, your end users can switch between the Prisma Access Agent and GlobalProtect app. This enables a seamless migration from the GlobalProtect app to the Prisma Access Agent.
Before you begin, ensure that you:
Contact your Palo Alto Networks account representative to activate the feature for the Prisma Access Agent and GlobalProtect coexistence-enabled tenant.
Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature.
Obtain the required licenses (Prisma Access license for mobile users and a Strata Logging Service license with proper firewall storage space). If mobile users will be connecting to other connected networks, you will need either the Zero Trust Network Access or Enterprise Edition Prisma Access license that will provide the corporate access node (CAN) necessary to connect.
Prisma Access Agent and GlobalProtect Coexistence Considerations
Review the following considerations for the coexistence of the Prisma Access Agent and GlobalProtect on the same Prisma Access tenant:
Coexistence is supported on both new Prisma Access deployments and existing deployments, as long as you upgrade the tenant to the required Prisma Access dataplane version.
Support for the Prisma Access Agent on Prisma Access Insights is not yet available.
The agent infrastructure settings include the configurations for both the Prisma Access Agent domain name and the GlobalProtect portal name.
For user authentication, the Prisma Access Agent supports SAML authentication with Cloud Identity Engine and can coexist with GlobalProtect running with any of the existing authentication methods for GlobalProtect.
The allowlist (Users Allowed to Authenticate) in the Prisma Access authentication profile for the Prisma Access Agent (Identity Services > Authentication > Authentication Profile) must match the allowlist for GlobalProtect.
Gateway selection:
Both Prisma Access Agent and GlobalProtect can connect to on-premises and Prisma Access Mobile User (MU) gateways.
For a deployment that uses the authentication override certificate, Prisma Access Agent users can connect to on-premises NGFW gateways, as long as you export the authentication override certificate.
Endpoint considerations:
To have the GlobalProtect app automatically disabled when installing Prisma Access Agent, you can configure the agent deployment by using the unload_gp option.