>
    Strata Copilot
    Staged Rollouts of Prisma Access Agents
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Configure the Prisma Access Agent
    5. Staged Rollouts of Prisma Access Agents
    Download PDF
    Prisma Access Agent

    Staged Rollouts of Prisma Access Agents

    Table of Contents

    Staged Rollouts of Prisma Access Agents

    Use staged rollouts to upgrade Prisma Access Agents after the initial deployment of the agents.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Panorama)
    • Check the prerequisites for the deployment you're using
    • macOS 14 and later or Windows 10 version 2024 and later desktop devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    You can stagger the upgrade of Prisma Access Agents using a maintenance routine called a staged rollout. Staged rollouts enable you to upgrade Prisma Access Agents sequentially on your end users' devices. Using staged rollouts, you can plan the Prisma Access Agent upgrades based on users, user groups, or operating systems.
    Staged rollouts can occur only after the initial deployment initial deployment or installation of the Prisma Access Agent on your end users' devices.
    You can stage the rollout of Prisma Access Agent upgrades by configuring upgrade rings, which consist of batches of end users' devices that you want to upgrade in a specific order.
    You can define up to five upgrade rings containing devices that match the criteria that you set up. For each ring, you can define up to three matching criteria using these attributes: username, user group, or operating system. The devices that meet the ring criteria will be upgraded according to the order of the rings.
    As a best practice, set up Ring 0 to limit the upgrade to a small group of users to ensure that no issues exist before rolling out the agent upgrades to the rest of your organization.
    For example, you can define:
    • Ring 0 to include a group of admin users
    • Ring 1 to include all macOS users in North America
    • Ring 2 to include all Windows users in North America
    • Ring 3 to include all macOS users in Europe
    • Ring 4 to include all Windows users in Europe
    A default ring is available for those devices that missed their assigned rings. The default ring is not configurable. If you modify the criteria for the other rings after the staged rollout has begun, the changes will take effect in subsequent upgrade rollouts.

    What Happens During an Upgrade Rollout

    You can start the Prisma Access Agent upgrade process by clicking Start from ConfigurationEndpoint Management in Strata Cloud Manager. When the upgrade rollout begins, the end users' devices will be upgraded according to the order of the rings they belong to. Any devices that are offline or not reachable during the staged rollout are placed in the default ring. Likewise, any new devices that connect to Prisma Access after the stage rollout has completed, are placed in the default ring. After Rings 0 to 4 have been upgraded, the devices in the default ring will get upgraded in the order of their assigned rings.
    When a ring is active, the agent is upgraded on any device that belongs to the ring, provided that the device has basic local network connectivity, can connect to the service that manages the agents, and can authenticate with the Endpoint Manager. Each ring will be active for 72 hours, after which the next ring will begin.
    Devices that are in a disconnected state (with no tunnel connection established) can be upgraded. Devices that are offline (not connected to the service that manages agents) cannot be upgraded. When a device comes back online and if the rollout is still active for the ring that the device belongs to, that device will be upgraded as part of the ring. If the ring is no longer active, the device will be upgraded as part of the default ring. This upgrade behavior applies to quarantined devices as well.
    The following table shows the duration for each stage of the ring upgrade cycle:
    StageDuration
    Agent rollout notification period
    You are notified of the upcoming upgrade after clicking Start. The upgrade begins automatically at the end of the notification period.
    		5 minutes
    Active period for each ring
    The runtime for each upgrade ring (Rings 0 to 4 and default ring). Devices that missed the stage rollout are upgraded as part of the default ring.
    		72 hours per ring
    If a failure occurs during a ring upgrade, you can stop the staged rollout to troubleshoot and resolve any issues before starting the rollout again.

    © 2026 Palo Alto Networks, Inc. All rights reserved.