Prisma Access Agent
Configure Agent Settings for the Prisma Access Agent (NGFW Deployment)
For NGFW deployments, follow the instructions to customize how your end users
interact with the Prisma Access Agent.
The Prisma Access Agent provides default agent configurations that apply to all user
groups. You can add an agent configuration to customize how your end users interact
with the Prisma Access Agent.
Use the following instructions for NGFW (Managed by Panorama) deployments.
- Log in to Strata Cloud Manager as the administrator.
- Select Workflows > Prisma Access Agent > Setup.
- Select Prisma Access Agent > Add Agent Settings.
- Create an app configuration rule. The configuration rule associates users or user groups with app settings that are specific to those users or groups.
- Enter a Name for the rule.
- Specify the Match Criteria by adding User Entities. Users and groups that match the User Entities criteria will receive the Prisma Access Agent app settings that you specify.
- To deploy the configuration to all users, select Match Any.
- To deploy the configuration to specific user groups or users, select Match Users. Then, click Select Users to select from the list of user entities. Examples of user entities include usernames and user groups, which are available in cloud directory attributes such as Common Name (CN) and Domain Component (DC).
- Configure the app settings for the Prisma Access Agent. You can configure the following app settings:
- Connect—Specify how the Prisma Access Agent connects to Prisma Access. This setting is required.
- Select Every time the user logs on to the machine (Always on) to automatically establish a connection to Prisma Access every time the user logs on to an endpoint.
- Select Only when the user clicks Connect (On demand) to connect to Prisma Access only when the user clicks Connect (the lock icon) in the Prisma Access Agent app.
- Disable Agent—Specify whether to give your users the ability to disable the Prisma Access Agent on their devices. In cases where users have the GlobalProtect™ app installed on their device along with the Prisma Access Agent, they can conveniently disable the Prisma Access Agent so that they can switch to the GlobalProtect app and avoid interference between the two apps. Select one of the following options:
- Disallow—Users can't disable the Prisma Access Agent using the Prisma Access Agent app. The Disable link isn't available in the settings page in the Prisma Access Agent app.
- Allow—Users can disable the Prisma Access Agent using the Disable link in the settings page in the Prisma Access Agent app. This is the default.
After disabling the agent, the user can switch to the GlobalProtect app. The following table shows the Prisma Access Agent behavior after disabling the agent and after switching to GlobalProtect.

| Prisma Access Agent Behavior | After Disabling Prisma Access Agent | After Switching to GlobalProtect |
| --- | --- | --- |
| Connectivity to the tunnel | No | No |
| Connectivity to the server (Prisma Access Agent management plane) | Yes | Yes |
| Prisma Access Agent notifications | No | No |
| Prisma Access Agent enforcer | No | No, but the GlobalProtect enforcer is enabled |
| ADEM Access Experience status | Yes (independent of agent status) | Yes (independent of agent status) |
| Troubleshooting by remote shell | Yes | Yes |
| Anti-tamper feature | Yes | Yes |
| PACli commands functional | Yes, but don't use pacli connect | Yes, but don't use pacli connect |

- Allow user to sign out—Enable this setting to permit your users to sign out of the Prisma Access Agent. Default: Disabled.
- Support Page—Enter the website that users can access for assistance when they click Support Resources in the Prisma Access Agent. Default: The website for the Prisma Access Agent documentation.
- Append Local Search Domains to Tunnel DNS Suffixes (Mac only)—Enable this setting to append tunnel DNS search domains to local DNS search domains on macOS endpoints. Appending tunnel search domains to an endpoint's local DNS search domains enables users to quickly access local and remote corporate websites and servers that they visit frequently without entering the complete address.
- Optimized MTU—The maximum transmission unit (MTU) is the largest packet that the Prisma Access Agent can send during a transmission. When enabled, the Prisma Access Agent automatically determines the best MTU to use for packet transmissions. Default: Enabled. You can disable this option to manually configure the MTU. The Configurable MTU (bytes) range is 576-1500 bytes. If you set a value outside this range or don't specify a value, the system defaults to 1400 bytes.
- (Optional) Configure the Proxy settings.
- Detect Proxy for each Connection (Windows Only) (Optional)—Enable this setting to automatically detect the proxy at every connection. Disable this setting if you want to automatically detect the proxy for the gateway connection and use that proxy for subsequent connections to the gateway. Default: Disabled.
- Configure MFA settings.
- Inbound Authentication Prompts from MFA Gateways—To support multi-factor authentication (MFA), a Prisma Access Agent endpoint must receive and acknowledge UDP prompts that are inbound from the gateway. Enable this setting to allow a Prisma Access Agent endpoint to receive and acknowledge the UDP prompts. This setting is enabled by default. Disable this setting to block UDP prompts from the gateway.
- Network Port for Inbound Authentication Prompts (UDP)—Specifies the port number a Prisma Access Agent endpoint uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number 1-65535.
- MFA Trusted Host list—Add the hosts for firewalls or authentication gateways that a Prisma Access Agent endpoint can trust for multi-factor authentication. When an endpoint receives a UDP message on the specified network port, the Prisma Access Agent displays an authentication message only if the UDP prompt comes from a trusted gateway.
- Inbound Authentication Messages—Customize the notification message that displays when users try to access a resource that requires additional authentication. In that case, the Prisma Access Agent receives a UDP packet containing the inbound authentication prompt and displays this message. The UDP packet also contains the URL for the Authentication Portal page that you specified when you configured multi-factor authentication. The Prisma Access Agent automatically appends the URL to the message. For example:
You have attempted to access a protected resource that requires additional authentication. Do you want to continue?
The message can have 255 or fewer characters.
- Suppress Multiple Inbound MFA Prompts (sec)—Specify the number of seconds to wait before the Prisma Access Agent can suppress multiple inbound UDP prompts. The default is 180 seconds.
- Configure ADEM settings.
- Access Experience (Optional)—Specify whether to install the ADEM Access Experience agent during the Prisma Access Agent app installation and to let end users enable or disable user experience tests from the app.
- Install
- No action (The agent state remains as is)
- Uninstall
Default: No action (The agent state remains as is)
- Display ADEM update notifications—Enable this setting to display notifications from ADEM when an update is available on the endpoint.
- Enable Internal Host Detection if you don’t require your Prisma Access Agent users to connect to the gateway when they are on the internal network. This option enables the Prisma Access Agent to determine whether it's on an internal or external network. Default: Disabled. After you enable this option, complete the following steps:
- Enter the IP Address (IPv4) of a host that Prisma Access Agent can resolve from the internal network only.
- Enter the DNS HostName that resolves to the IP address that you entered.
- Configure external and internal gateways for the Prisma Access Agent by selecting the external and internal gateways that you configured in the Infrastructure tab.
- (Optional) Select a Forwarding Profile that you configured previously to manage how traffic flows between the agent and Prisma Access. For example, you can set up split tunnels to exclude traffic from certain applications or destinations from the tunnel while routing all other traffic through the tunnel.
- When you have finished setting up the Prisma Access Agent settings, click Create.
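The MFA settings in the procedure above (inbound prompts on or off, the UDP port, the trusted host list, the 255-character message limit and the suppression window) decide whether an endpoint ever shows a user an authentication prompt. The following added example, which is not Palo Alto Networks code, models that agent-side decision for a single inbound datagram; the packet layout (portal URL on the first line of the payload) and all addresses are assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_MESSAGE = ("You have attempted to access a protected resource that "
                   "requires additional authentication. Do you want to continue?")

@dataclass
class MfaSettings:
    """The MFA agent settings described above, with the documented defaults."""
    inbound_prompts_enabled: bool = True
    port: int = 4501                        # Network Port for Inbound Authentication Prompts
    trusted_hosts: frozenset = frozenset()  # MFA Trusted Host list (gateway/firewall IPs)
    message: str = DEFAULT_MESSAGE          # Inbound Authentication Message
    suppress_sec: int = 180                 # Suppress Multiple Inbound MFA Prompts (sec)

    def __post_init__(self):
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be between 1 and 65535")
        if len(self.message) > 255:
            raise ValueError("message must be 255 characters or fewer")

@dataclass
class PromptState:
    last_shown: dict = field(default_factory=dict)  # portal URL -> time it was last displayed

def handle_inbound_prompt(settings, state, src_ip, dst_port, payload, now):
    """Decide what the endpoint does with one inbound UDP datagram.

    Returns (text_to_display, reason); text_to_display is None when the datagram
    is dropped. Assumption: the portal URL is the first line of the payload.
    """
    if not settings.inbound_prompts_enabled:
        return None, "inbound prompts disabled"
    if dst_port != settings.port:
        return None, "not the configured port"
    if src_ip not in settings.trusted_hosts:
        return None, "untrusted source"          # only a trusted gateway may raise a prompt
    url = payload.decode("utf-8", "replace").splitlines()[0].strip() if payload else ""
    if not url.startswith("https://"):
        return None, "malformed prompt"
    shown = state.last_shown.get(url)
    if shown is not None and now - shown < settings.suppress_sec:
        return None, "suppressed duplicate"      # repeat inside the suppression window
    state.last_shown[url] = now
    return f"{settings.message} {url}", "displayed"  # the agent appends the portal URL
```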
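The Internal Host Detection step above pairs an IPv4 address that resolves only from the internal network with the DNS hostname that maps to it, and the result decides whether the agent uses the internal or the external gateway. This added example, which is not Palo Alto Networks code, shows that decision with the resolver injected so it runs offline; the forward-lookup assumption and all names and addresses are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class InternalHostDetection:
    """The Internal Host Detection settings described above."""
    enabled: bool
    ip_address: str = ""     # IPv4 of a host resolvable from the internal network only
    dns_hostname: str = ""   # name that resolves to ip_address on the internal network

    def __post_init__(self):
        if self.enabled and ipaddress.ip_address(self.ip_address).version != 4:
            raise ValueError("Internal Host Detection takes an IPv4 address")

def system_resolver(hostname):
    """Forward-resolve with the OS resolver; empty set when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def is_on_internal_network(cfg, resolver=system_resolver):
    """True only when the configured name resolves to the configured internal address.

    Assumption: a forward lookup. Any other outcome (no answer, or a different
    address handed out by an outside resolver) counts as external, so the failure
    mode is to bring up the tunnel rather than skip it.
    """
    if not cfg.enabled:
        return False
    return cfg.ip_address in resolver(cfg.dns_hostname)

def choose_gateway(cfg, internal_gateway, external_gateway, resolver=system_resolver):
    """Pick the gateway (as configured in the Infrastructure tab) for the detected network."""
    if is_on_internal_network(cfg, resolver):
        return "internal", internal_gateway
    return "external", external_gateway
```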