Prisma Access Agent Deployment Configuration
Learn how to modify the configuration of the Prisma Access Agent
before deploying the agent to your endpoints.
After you finish onboarding your mobile users, your Prisma Access Agent
configurations, along with the Prisma Access tenant ID and Prisma Access server URL,
are saved to the Prisma Access Agent configuration file. You can download this
configuration file when you download the Prisma Access Agent package from Manage > Prisma Access Agent. The configuration file is used during the installation of the Prisma
Access Agent on your end users' devices.
Before you deploy the Prisma Access Agent to your end users' devices, you can
optionally edit the configuration file to modify the following options:
- Set the server URL (the Prisma Access Agent domain)
- Permanently enable or disable the feature to access Prisma Access Agents using a remote shell from Manage > Prisma Access Agent in Strata Cloud Manager
- If the GlobalProtect app is running on your end users' devices, choose whether to enable or disable the GlobalProtect app during the installation of the Prisma Access Agent
- Activate Endpoint DLP during the installation of the Prisma Access Agent
- for SAML authentication on the endpoint
Updating this file is optional, as the configuration already contains default
settings or settings that you configured during the Prisma Access Agent onboarding
process.
Prisma Access Agent Configuration File
To install the Prisma Access Agent with your configuration, you must put the
configuration file with a predefined name (such as config.json)
in the same folder as the Prisma Access Agent installation package. The Prisma
Access Agent installer will look for this file during the agent startup, read all
the supported values in the file, and configure the agent accordingly.
The following example shows the typical contents of a configuration file:
    {
      "server_url": "xxx.epm.gpcloudservice.com",
      "tenant_id": "xxxxxxxxxx",
      "disable_remote_shell": false,
      "unload_gp": false,
      "enable_dlp": false
    }
You can modify the following fields and values in JSON format:
Field | Value |
---|---|
disable_remote_shell | false or true. Specifies whether to remove the feature to access a Prisma Access Agent for troubleshooting using a remote shell. The value is of type boolean. Default: false. If you set the value to true, the remote shell capabilities are disabled at deployment and cannot be reenabled until you remove the Prisma Access Agent and reinstall it. |
enable_dlp | false or true. When set to true, activates Endpoint DLP during Prisma Access Agent installation. Endpoint DLP can prevent the exfiltration of sensitive data to peripheral devices such as USB devices, printers, and network shares, or control access to them. The value is of type boolean. Default: false |
server_url | The FQDN for the Prisma Access Agent domain without the https:// protocol. The server_url value is of type string. The server URL has this format: xxx.epm.gpcloudservice.com |
tenant_id | The ID for your Prisma Access tenant. The tenant ID corresponds to the Strata Logging Service Instance (Tenant) ID. The tenant_id value is of type string and contains a numerical value. This field will be removed after the endpoint is able to resolve the tenant ID from the FQDN. |
unload_gp | false or true. If the GlobalProtect app is installed on the end user's device, specifies whether to disable the GlobalProtect app during the installation of the Prisma Access Agent. The value is of type boolean. Default: false. If you set the value to true, the GlobalProtect app is disabled upon the installation of the Prisma Access Agent. After the installation, users can switch between the Prisma Access Agent and the GlobalProtect app. |
For Windows MSI packages, the following table shows the MSI properties and the
corresponding Prisma Access Agent configuration file settings:
MSI Property Name | Configuration Setting | Notes |
---|---|---|
CONFIG | — | The full path to the Prisma Access Agent configuration file. Default: config.json |
DISABLE_REMOTE_SHELL | disable_remote_shell | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
ENABLE_DLP | enable_dlp | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
SERVER_URL | server_url | — |
TENANT_ID | tenant_id | — |
UNLOAD_GP | unload_gp | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
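The following script is an added example, not Palo Alto Networks code, that checks a config.json against the field types described above and derives the equivalent msiexec property string using the MSI property table (booleans become "1" for true and an empty value for false). The sample configuration, the tenant ID, the hostname, and the package filename PrismaAccessAgent.msi are constructed placeholders; the assumption that undocumented fields are ignored by the installer is the author's, not the page's.

```python
"""Validate a Prisma Access Agent config.json and build the matching msiexec
property string.  Added example, not Palo Alto Networks code.  Field names and
MSI property names come from the tables above; everything else is assumed."""
import json
import re
from typing import Any, Dict, List, Tuple

# MSI property -> config.json key, as listed in the MSI property table.
MSI_MAP = {
    "SERVER_URL": "server_url",
    "TENANT_ID": "tenant_id",
    "DISABLE_REMOTE_SHELL": "disable_remote_shell",
    "ENABLE_DLP": "enable_dlp",
    "UNLOAD_GP": "unload_gp",
}
BOOL_KEYS = {"disable_remote_shell", "enable_dlp", "unload_gp"}
# Bare FQDN in the documented xxx.epm.gpcloudservice.com form: no scheme, no port.
SERVER_URL_RE = re.compile(r"^[A-Za-z0-9-]+\.epm\.gpcloudservice\.com$")

# Constructed sample; the hostname and tenant ID are placeholders.
SAMPLE_CONFIG = """{
  "server_url": "example.epm.gpcloudservice.com",
  "tenant_id": "1234567890",
  "disable_remote_shell": true,
  "unload_gp": false,
  "enable_dlp": true
}"""


def load_config(text: str) -> Dict[str, Any]:
    """Parse the JSON text of a config file."""
    return json.loads(text)


def validate_config(cfg: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).  Errors are values outside the documented
    types; warnings flag irreversible choices and fields the tables do not list."""
    errors: List[str] = []
    warnings: List[str] = []
    url = cfg.get("server_url")
    if not isinstance(url, str):
        errors.append("server_url missing or not a string")
    elif "://" in url:
        errors.append("server_url must be the FQDN without the https:// protocol")
    elif not SERVER_URL_RE.match(url):
        errors.append(f"server_url {url!r} is not of the form xxx.epm.gpcloudservice.com")
    tid = cfg.get("tenant_id")
    if not isinstance(tid, str) or not tid.isdigit():
        errors.append("tenant_id must be a string of digits (the Strata Logging Service instance ID)")
    for key in sorted(BOOL_KEYS):
        if key in cfg and not isinstance(cfg[key], bool):
            errors.append(f"{key} must be a JSON boolean, got {cfg[key]!r}")
    # Assumption: fields outside the documented set are ignored by the installer.
    for key in sorted(set(cfg) - set(MSI_MAP.values())):
        warnings.append(f"{key!r} is not a documented field and is assumed to be ignored")
    if cfg.get("disable_remote_shell") is True:
        warnings.append("disable_remote_shell=true cannot be undone without reinstalling the agent")
    return errors, warnings


def msi_properties(cfg: Dict[str, Any]) -> str:
    """Translate config keys into MSI public properties.  Booleans follow the
    documented MSI convention: "1" for true, an empty value for false."""
    parts = []
    for prop, key in MSI_MAP.items():
        if key not in cfg:
            continue
        value = cfg[key]
        if key in BOOL_KEYS:
            value = "1" if value else ""
        parts.append(f'{prop}="{value}"')
    return " ".join(parts)


def msiexec_command(cfg: Dict[str, Any], package: str = "PrismaAccessAgent.msi") -> str:
    """Build a silent install command line; the package filename is a hypothetical placeholder."""
    return f'msiexec /i "{package}" /qn {msi_properties(cfg)}'


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    errs, warns = validate_config(config)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    if not errs:
        print(msiexec_command(config))
```

Run the validator over the config.json you ship with the package before signing or distributing it; a server_url that carries a scheme or a tenant_id that is not a string of digits is caught here rather than on the endpoint, and the warning for disable_remote_shell reminds you that the only way back from that setting is a reinstall.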
Change the Prisma Access Agent Server Address
If a Prisma Access Agent is not connected to Prisma Access and the agent cannot be
found in the inventory, an incorrect server address might have been configured. You
can change the address by using the PACLI tool.
- Issue the following command in a terminal window or command prompt:
  - On macOS agents:
    /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
  - On Windows agents:
    "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
  where <xxx>.epm.gpcloudservice.com is the FQDN for the Prisma Access Agent domain without the https:// protocol, <tenant-id> is the Prisma Access tenant ID, and 443 is the port number for the server address.
- When prompted, enter the supervisor password (also known as the anti-tamper unlock password). If no supervisor password is assigned, you can enter any password or a blank password. You can enable or change the anti-tamper unlock password in Strata Cloud Manager. When the address is successfully changed, the following message is displayed:
  Successfully set EPM address
- To verify the server address setting, issue the following command:
  - On macOS agents:
    /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm status
  - On Windows agents:
    "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" epm status
  The following example output is shown:
    EPM Status: Up
    EPM Communication: WebSocket
    Current time: 2024-05-13 13:46:22, Pacific Daylight Time
    Last EPM Keepalive: 2024-05-13 13:46:22
    Last Successful Login: Never
    EPM Token Expiry: Never
    User Refresh Token Expiry: 2024-05-17 09:32:35
    Agent Refresh Token Expiry: 2024-11-09 11:34:03
    EPM Address: xxx.epm.gpcloudservice.com
    Machine ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  The following fields are shown for Dynamic Privilege Access enabled agents only:
    PBA Status: Enabled
    Project Name: Example-Project
  The Last Successful Login and EPM Token Expiry fields are shown as Never because the Prisma Access Agent has not yet authenticated to the server. To authenticate to the server, log in to the Prisma Access Agent.
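When you change the server address on more than a handful of endpoints, reading the pacli epm status output by eye does not scale. The following script is an added example, not Palo Alto Networks code: it parses the status output in the format shown above, confirms that EPM Address matches the address you set, that EPM Status is Up, that keepalives are recent, and that the refresh tokens have not expired relative to the agent's own Current time line. The sample output and the 300-second keepalive grace period are constructed for illustration; the field names are taken from the example above.

```python
"""Check `pacli epm status` output after changing the server address.
Added example, not Palo Alto Networks code; the sample below is constructed."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the format shown above; hostname and machine ID are placeholders.
SAMPLE_STATUS = """\
EPM Status: Up
EPM Communication: WebSocket
Current time: 2024-05-13 13:46:22, Pacific Daylight Time
Last EPM Keepalive: 2024-05-13 13:46:22
Last Successful Login: Never
EPM Token Expiry: Never
User Refresh Token Expiry: 2024-05-17 09:32:35
Agent Refresh Token Expiry: 2024-11-09 11:34:03
EPM Address: example.epm.gpcloudservice.com
Machine ID: 12345678-1234-1234-1234-123456789abc
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_status(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines into a dict, splitting on the first colon only
    so that timestamps (which contain colons) stay intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_time(value: str) -> Optional[datetime]:
    """Return a datetime, or None for 'Never' or an unparsable value.  The
    Current time line carries a trailing timezone name, which is dropped
    because every stamp in the output is in the agent's local time."""
    stamp = value.split(",")[0].strip()
    try:
        return datetime.strptime(stamp, TS_FORMAT)
    except ValueError:
        return None


def check_status(text: str, expected_address: str, keepalive_grace_s: int = 300) -> List[str]:
    """Return a list of findings; an empty list means the agent is healthy and
    already authenticated.  The grace period is an assumed operational threshold."""
    fields = parse_status(text)
    findings: List[str] = []
    if fields.get("EPM Status") != "Up":
        findings.append(f"EPM Status is {fields.get('EPM Status', 'missing')!r}, expected 'Up'")
    addr = fields.get("EPM Address", "")
    if addr.lower() != expected_address.lower():
        findings.append(f"EPM Address {addr!r} differs from {expected_address!r}; re-run pacli epm address")
    now = parse_time(fields.get("Current time", ""))
    keepalive = parse_time(fields.get("Last EPM Keepalive", ""))
    if now and keepalive and (now - keepalive).total_seconds() > keepalive_grace_s:
        findings.append(f"last keepalive {keepalive} is more than {keepalive_grace_s}s behind agent time {now}")
    for key in ("User Refresh Token Expiry", "Agent Refresh Token Expiry"):
        expiry = parse_time(fields.get(key, ""))
        if now and expiry and expiry <= now:
            findings.append(f"{key} ({expiry}) is in the past")
    if fields.get("Last Successful Login") == "Never":
        findings.append("no successful login yet: the user must log in to the agent to authenticate")
    return findings


if __name__ == "__main__":
    for finding in check_status(SAMPLE_STATUS, "example.epm.gpcloudservice.com"):
        print("FINDING:", finding)
```

Feed the script the captured output of pacli epm status from each endpoint (for example collected through your endpoint management tooling) together with the address you pushed; an address mismatch means the pacli epm address step did not take, while a keepalive or token finding points at a connectivity or authentication problem rather than a misconfigured address.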