Configure Gateways for the Prisma Access Agent (Prisma Access Deployment)

Configure gateways to provide security enforcement for traffic from Prisma Access Agents in Prisma Access deployments.
Complete the steps to configure gateways for Prisma Access Agents.
The following procedure applies to both Strata Cloud Manager Managed Prisma Access and Panorama Managed Prisma Access deployments.
  1. Navigate to the Prisma Access Agent setup.
    • From Strata Cloud Manager:
    • From Panorama:
  2. Select an existing agent configuration or Add Agent Settings to create a new configuration.
  3. If you need to create or update an app configuration rule, follow the instructions in Configure Agent Settings for the Prisma Access Agent. Otherwise, go to the next step.
  4. To add an External Gateway to which your users can connect:
    1. Click Add.
    2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
      For Panorama Managed Prisma Access, you can only select a gateway that's already configured in Panorama.
    3. Enter the FQDN or IP address of the interface where the gateway is configured.
      You can configure an IPv4 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
      For Panorama Managed Prisma Access, the FQDN and IP values are inherited from Panorama. You cannot update them.
    4. Click the + sign to add one or more Source Regions for the gateway, or select Any to make the gateway available to all regions. When users connect, the Prisma Access Agent recognizes the region, and only allows users to connect to gateways that are configured for that region. For gateway selection, the source region is considered first, then gateway priority.
    5. Set the Priority of the gateway by clicking the field and selecting one of the following values:
      • If you have only one external gateway, leave the value as Highest (the default).
      • If you have multiple external gateways, you can modify the priority values (ranging from Highest to Lowest) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway, you would set the priority higher than that of more geographically distant gateways. The priority value is then used to weight the agent’s gateway selection algorithm.
      • If you don't want apps to automatically establish connections with the gateway, select Manual only. This setting is useful in testing environments.
    6. Select Manual to identify the external gateway as a manual gateway.
      A manual external gateway resides outside of the corporate network and provides security enforcement, tunnel access, or both for your remote users. The difference between the autodiscovery external gateway and the manual external gateway is that the Prisma Access Agent only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways.
    7. Save your settings. For Panorama Managed Prisma Access, Update your settings.
  5. Specify the internal gateways to which users with this configuration can connect.
    1. Select Internal Gateway and click Add.
    2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
      For Panorama Managed Prisma Access, you can only select a gateway that's already configured in Panorama.
    3. Enter the FQDN or IP address of the interface where the gateway is configured.
      You can configure an IPv4 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
      For Panorama Managed Prisma Access, the FQDN and IP values are inherited from Panorama. You cannot update them.
    4. (Optional) Click the + sign to add one or more Source IP addresses to the gateway configuration. The source IP address can be an IP subnet, range, or predefined address. The Prisma Access Agent supports IPv4 addresses. When users connect, the Prisma Access Agent recognizes the source address of the endpoint, and only allows users to connect to gateways that are configured for that address.
    5. Save your settings.
      For Panorama Managed Prisma Access, Update your settings.
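
The external and internal gateway steps both require the address you enter to exactly match the Common Name (CN) in the gateway server certificate. The following is an added example, not part of the original documentation or any Palo Alto Networks tooling, that checks this with the OpenSSL command line before you save the configuration. The function names, the file names, and the throwaway self-signed certificate are constructed for illustration, and "exactly match" is assumed to mean a byte-for-byte string comparison.

```bash
#!/bin/sh
# Added example: verify that a gateway address equals the certificate subject CN.
# To check a live gateway, first save its certificate as PEM, for instance:
#   openssl s_client -connect HOST:PORT -servername HOST </dev/null | openssl x509 -out gw.pem

# Print the subject Common Name (CN) of the PEM certificate in file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# address_matches_cn ADDRESS PEM_FILE
# Returns 0 on an exact match, 1 on a mismatch, 2 if no CN could be read.
# Assumption: "exactly match" means a byte-for-byte string comparison.
address_matches_cn() {
    _cn="$(cert_cn "$2")"
    [ -n "$_cn" ] || return 2
    [ "$1" = "$_cn" ]
}

# Constructed sample input: throwaway self-signed certificate with CN=$1,
# written to $2 (the private key goes to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Command-line use: sh check_cn.sh ADDRESS PEM_FILE
if [ "$#" -eq 2 ]; then
    if address_matches_cn "$1" "$2"; then
        echo "OK: $1 matches the certificate CN"
    else
        echo "FAIL: $1 does not match CN '$(cert_cn "$2")'" >&2
        exit 1
    fi
fi
```

A return code of 1 means the value entered in the FQDN or IP address field differs from the certificate CN, for example when an IP address is configured but the certificate was issued for a host name.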