Prisma Access Agent Administration
  • Prisma Access Agent Administration
  • Prisma Access Agent Documentation
  • All Documentation
>
Set Up the Infrastructure for Prisma Access Agents
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access Agent
  3. Configure the Prisma Access Agent
  4. Set Up the Infrastructure for Prisma Access Agents
Download PDF
Prisma Access Agent

Set Up the Infrastructure for Prisma Access Agents

Table of Contents
Set up the infrastructure to provision the Prisma Access Agent environment on a Prisma Access tenant.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Start onboarding your mobile users to by setting up the infrastructure and selecting Prisma Access locations. You can onboard mobile users on Prisma Access and NGFW deployments.
Set up the infrastructure to provision the Prisma Access Agent environment on a tenant that already has the GlobalProtect app configured.
Onboard your mobile users to Prisma Access by setting up the infrastructure and selecting Prisma Access locations using Strata Cloud Manager or Panorama.
Then, you can configure the Prisma Access agent settings, set up staged rollouts of the agent, configure general global settings for the agent, and configure HIP notifications.
On a Prisma Access Agent and GlobalProtect coexistence tenant, you will need to manually configure the infrastructure settings for the Prisma Access Agent. There is no mechanism to migrate the GlobalProtect app settings to the Prisma Access Agent.
Onboard your users by configuring the infrastructure and selecting Prisma Access locations in Strata Cloud Manager.
On a Strata Cloud Manager Managed Prisma Access tenant, configure the infrastructure settings that are specific to the Prisma Access Agent so that Prisma Access can provision your mobile user environment.
On an existing tenant where GlobalProtect is already configured, some infrastructure settings are shared between the Prisma Access Agent and the GlobalProtect app. The shared settings include Client DNS and Client IP Pool. To use the Client DNS and Client IP Pool settings that have been set up for the GlobalProtect app, you can skip the steps for configuring those settings.
  1. In Strata Cloud Manager, select WorkflowsPrisma Access SetupAccess AgentInfrastructure.
  2. Edit the infrastructure settings for the Prisma Access Agent.
  3. Because the Infrastructure Settings page is shared between the Prisma Access Agent and the GlobalProtect app, select Filter ByPrisma Access Agent to show only the settings that are related to the Prisma Access Agent.
  4. Add a hostname to the Domain Name for the service that Prisma Access Agents connect to.
    By default, users can access the service using an FQDN based on your hostname and the .epm.gpcloudservice.com domain.
  5. Enter Client DNS resolution settings for your Prisma Access Agent deployment.
    By default, each region uses worldwide DNS settings. You can customize DNS settings based on region if needed.
    1. Select a region for the DNS Servers (Add Region).
      Select Worldwide or a theater. If you specify multiple proxy settings with a mix of Worldwide and theater settings, Prisma Access uses the settings for the location group (a group of locations that is smaller than the theater), then theater, then Worldwide. Prisma Access evaluates the rules from top to bottom in the list.
    2. Edit or add the region settings.
      • If you are adding a region, enter a name in Dns Servers.
      • Choose whether or not you want Prisma Access to Resolve internal domains; if you do, Add one or more Internal Domain Resolve Rules.
        • Enter a unique Name for the rule.
        • Select Prisma Access Default to use the default Prisma Access DNS server to resolve internal domains.
        • If you have a Custom DNS server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses.
        • If you want your internal DNS server to only resolve the domains you specify, click + and enter the domains to resolve in the Domain Lists. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
        • Save your changes when finished.
    3. Specify the DNS settings for Primary DNS for public domains and Secondary DNS for public domains.
      • Prisma Access Default—Use the default Prisma Access DNS server to resolve requests for public domains.
      • Internal DNS—Use the same server that you use to resolve internal domains.
      • Custom—If you have a DNS server that can access your public (external) domains, enter the primary DNS server address in that field.
      • (Optional) You can add a Client DNS Suffix List to specify the suffix that the client should use locally when an unqualified hostname is entered that it can't resolve, for example, acme.local. Don't enter a wildcard (*) character before the domain suffix (for example, acme.com). You can add multiple suffixes.
    4. Configure the Advanced Settings.
      • If you want Prisma Access to proxy DNS requests, configure the values for UDP Queries Retries. Specify the Interval (Sec) to retry the query in seconds and the number of retry Attempts to perform.
      • Select Advanced RCODE Support to allow the primary DNS server to fail over to the secondary DNS server if an RCODE 2 (SERVFAIL) and RCODE 5 (REFUSED) DNS return code is received.
        A DNS response code of SERVFAIL refers to a communication error with the primary DNS server, and a DNS response code of REFUSED means that the primary DNS server refused to provide the requested information. In both cases, the service fails over to the secondary DNS server.
  6. Configure the IP address pools used to assign IP addresses to Prisma Access Agent endpoints by clicking Add IP Pool.
    By default, each region uses the Worldwide IP pool. You can opt to use a set of IP pools that are dedicated to regions or locations. For regions or locations where you don’t specify an IP pool, Prisma Access uses the Worldwide IP pool.
    1. Specify a region for the Ip Pools.
      You can use a single IP address pool for all Prisma Access Agent endpoints in the world (Worldwide), you can use separate pools for each theater where you have mobile users, or you can specify pools per location group (a group of locations that is smaller than the theater). You can also specify a combination of worldwide, per-theater, or per-location group IP pools. For example, you could add a pool for a specific location group and then add a Worldwide pool to use for all other locations.
      Use location group-specific IP address pools if you have services that depend on the source IP address of the user to identify the user’s details, such as location-based services or services based on a user group or function. This way, you can apply access control policies, or to perform routing or policy operations on different countries if the countries are in different compute regions. For example, you could use a separate IP address pool for Canada and one for Brazil, which are in different compute locations, to provide distinct access and security controls. To use location group-specific IP address pools, you must also specify a Worldwide or theater-specific pool.
      Prisma Access Agent users consume the IP addresses in the location group first, then theater-specific IP addresses, then Worldwide IP addresses. For example, if you specify a pool for a location group and Worldwide, and you then exhaust the available IP addresses in the location group pool, Prisma Access then takes IP addresses from the Worldwide pool to use in that location group.
      • To specify IP pools that can be used by all Prisma Access Agent users, select Worldwide.
      • To specify IP pools that can be used by Prisma Access Agent users in a specific theater, select the theater.
      • To specify IP pools that are specific to the location group, select it from the list.
    2. To assign to the endpoints in the region you selected, click + to enter one or more IP Pools.
      You can enter a minimum required subnet of /23 (512 IP addresses) per location. Additional locations require a minimum /23 subnet. If you specify a Worldwide subnet, the minimum required subnet is /23. However, for best results, use these IP address pools for mobile users deployment to allocate a set of IP addresses that is equal to or greater than the number of licensed mobile users so that they can log in at the same time.
      Don't specify addresses that overlap with other networks that you use internally or with the pools that you assigned when you set up the Prisma Access service infrastructure. In addition, do not use the following IP addresses and subnets, because Prisma Access reserves those IP addresses and subnets for its internal use:
      • 169.254.0.0/16
      • 100.64.0.0/10
      For best results, use an RFC 1918-compliant IP address pool. While non-RFC 1918-compliant (public) IP addresses are supported for mobile users, avoid using them due to possible conflicts with internet public IP address space.
    3. Save your IP pool settings.
      After establishing the tunnel, the Prisma Access location allocates IP addresses in this range to all endpoints that connect through that tunnel.
  7. (Optional) If needed, Reset the infrastructure to their default settings. If you do this, all your custom settings will be replaced by the default settings.
  8. Save the infrastructure settings.
Add the Prisma Access locations where you want to support Prisma Access Agent users.
Select the Prisma Access locations where you want to support Prisma Access Agent users.
  1. In Strata Cloud Manager, select WorkflowsPrisma Access SetupAccess AgentInfrastructure.
  2. If you are setting up the infrastructure for the first time, Add Locations. Otherwise, edit the Prisma Access Locations.
  3. Select the Prisma Access locations where your mobile users will connect to.
    Depending on your license agreement, you can select either Local or Worldwide locations. The map shows the regions where you can deploy Prisma Access for Users. In addition, Prisma Access provides multiple locations within each region to ensure that your users can connect to a location that provides a user experience tailored to the users’ locale. For the best performance, Select All. Alternatively, select specific locations within each selected region where your users will need access. By limiting your deployment to a single region, you can have more granular control over your deployed regions and exclude regions required by your policy or industry regulations.
    For Prisma Access Agents, you can deploy Prisma Access to the following Strata Logging Service regions:
    • US
    • India
    • Germany
    • Netherlands
    • United Kingdom
    • Japan
    • Canada
    • Singapore
    • France
    • Australia
    • Switzerland
    • Israel
    This list will be updated as more regions become available.
    For the best user experience if you are limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location isn’t available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.
    The images in this section are provided for illustrative purposes only.
    1. Select an available region on the map.
    2. Click the plus sign + on the locations that you want to add.
      You can switch between the Map and List views. You can also Select All locations.
      In the list view, you can select from the list of available locations to deploy Prisma Access. You can select All sites within a region.
    3. Save your Prisma Access location settings.
  4. (Optional) Restrict access to your SaaS applications from unauthorized users.
    You can enable the egress IP allow lists for existing mobile user deployments and during new user onboarding. If you enable egress IP allow lists for existing Prisma Access deployments, Prisma Access migrates all the egress IP addresses already allocated for your locations to the egress IP allow lists. For new Prisma Access deployments, enable the egress IP allow list while onboarding the Prisma Access Agent mobile users. Every time you add a location or have an auto scaling event, you should retrieve the new egress IP addresses that Prisma Access allocates and add them to allow lists in your SaaS applications. You can then push the configuration to your Prisma Access deployment to confirm the egress IP allow lists allocated for your locations.
    1. Enable Egress IP Allowlist to display the IP addresses for onboarded Prisma Access locations.
    2. Copy and add the allocated addresses to the allow lists of your SaaS applications.
    3. Migrate to confirm the IP addresses allocated for the onboarded locations in Prisma Access.
    4. Retrieve the IP addresses for new onboarded locations or during an auto scaling event.
      1. Select the Location name to find the new egress IP addresses allocated to the location.
      2. Add these IP addresses to the allow lists for your SaaS applications before you confirm them in Prisma Access.
      3. Save the allocated egress IP addresses.
Onboard your users by configuring the infrastructure and selecting Prisma Access locations in Panorama.
On a Panorama Managed Prisma Access tenant, set up the infrastructure settings that are specific to the Prisma Access Agent so that Prisma Access can provision your mobile user environment.
You will configure the infrastructure settings using a configuration app accessible through the Strata Cloud Manager.
  1. Launch the Prisma Access Agent configuration tool.
    1. From the Cloud Services plugin in Panorama, select PanoramaCloud ServicesPrisma Access Agent.
    2. Click Configure Prisma Access Agent.
  2. Configure the infrastructure settings.
    1. Select WorkflowsPrisma Access AgentSetup.
    2. Select Infrastructure and edit the infrastructure settings.
      The Prisma Access Locations and Gateways are imported from Panorama. You can't configure them here.
    3. Add a hostname to the Domain Name for the service that the Prisma Access Agent connects to.
      By default, users can access the service using an FQDN based on your hostname and the .epm.gpcloudservice.com domain. This FQDN will be published to the public domain name servers.
    4. Save your settings.
      The Client DNS and Client IP Pool are imported from your configurations in Panorama. You can't configure them here.
Onboard your users in NGFW deployments by configuring the infrastructure and selecting Prisma Access locations in Panorama.
For Panorama managed NGFW deployments, set up the infrastructure settings that are specific to the Prisma Access Agent to provision your mobile user environment.
You will configure the infrastructure settings using a configuration app accessible through Strata Cloud Manager.
Before you begin, ensure that you have the following information:
  • Certificates that are generated and managed on the gateway on Panorama.
    Because using authentication override cookie certificate is the only method for gateway authentication, you need to use the same authentication override cookie certificate on the gateway, portal, and Prisma Access Agent management plane (EPM). Only when all the certificates match can the gateway authenticate the user using the existing cookie that the portal generated. In addition, certificates are needed for HIP checks.
  • The FQDN or IP address for internal or external gateways managed on Panorama that you want your users to access.
  1. Log in to Strata Cloud Manager as the administrator.
  2. To configure the infrastructure settings in the configuration app in Strata Cloud Manager, select WorkflowsPrisma Access AgentSetup.
  3. Select Infrastructure.
  4. Configure the Prisma Access Agent domain FQDN. This is similar to the GlobalProtect™ portal FQDN.
    1. Edit the Domain Name and IPv6 Settings settings.
    2. Add a hostname to the Domain Name for the service that the Prisma Access Agent connects to (EPM).
      By default, users can access the service using an FQDN based on your hostname and the .epm.gpcloudservice.com domain. This FQDN will be published to the public domain name servers.
    3. Save your domain name setting.
  5. Import the authentication override cookie certificates that are used for gateway authentication.
    1. Click Add Certificate.
    2. Enter the Certificate Name.
    3. Choose File to select and upload the certificate file. This certificate file was generated and managed by the gateway.
    4. Select the Format for the certificate and choose the file for the Private key.
    5. (Optional) Enter and confirm a Passphrase.
    6. Save the certificate settings.
  6. Create certificate profiles based on the certificates that you imported in the previous step. These certificate profiles will be used for the authentication override cookie settings and for HIP matches.
    1. Click Add Certificate Profile.
    2. Enter a Name for the certificate profile.
    3. Click the + sign and open the drop-down to show the list of certificates that you imported in the previous step.
    4. Select a certificate from the list. You can add one or more certificates to the profile.
    5. Create the certificate profile.
  7. Add the internal and external gateways that you want your users to access. The gateways are configured on the NGFW firewall but you need to add the same details (gateway FQDN or IP address) here.
    1. Add a gateway.
      • For internal gateways, select Add GatewayInternal Gateway.
      • For external gateways, select Add GatewayExternal Gateway.
    2. Enter the Name for the gateway.
    3. Enter the IP address or FQDN for the gateway.
      1. For IP address, select IP and enter the IPv4 or IPv6 address for the gateway.
      2. For FQDN, select FQDN and enter the FQDN for the gateway.
    4. Save your gateway settings.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.