>
    Strata Copilot
    Prisma Access Agent Commands (PACli)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Troubleshoot Prisma Access Agents
    5. Prisma Access Agent Commands (PACli)
    Download PDF
    Prisma Access Agent

    Prisma Access Agent Commands (PACli)

    Table of Contents

    Prisma Access Agent Commands (PACli)

    Learn about the Prisma Access Agent commands that you can run on the Prisma Access command-line tool.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Panorama)
    • Check the prerequisites for the deployment you're using
    • macOS, Windows, or Linux devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    You can run Prisma Access Agent commands using the Prisma Access command line (PACli) tool to gain visibility into your Prisma Access Agent deployment. You can run the Prisma Access Agent commands on behalf of a user in a terminal session on the endpoint itself or in a remote shell.

    Usage

    To issue Prisma Access Agent commands on the Prisma Access command-line tool, use the following syntax:
    • For macOS agents:
      /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli /? | [command] [/? | help | options]]
    • For Windows agents:
      "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" /? | [command] [/? | help | options]]
    • For Linux agents:
      pacli /? | [command] [/? | help | options]]
    If you enter the pacli command without arguments or with the /? option, the list of available Prisma Access Agent commands is displayed.
    If you set up an environment variable for the PACli tool (pacli), you can just enter pacli <command> without the folder path.
    The following tables contain descriptions of the Prisma Access Agent commands and associated options that you can run on the Prisma Access command line. In the command input and output, the terms "EPM" and "epm" refer to the Endpoint Manager or Prisma Access Agent Manager (also known to end users as the server). The Endpoint Manager communicates with the agent, such as sending commands and configurations to the agent, routing authentication requests to the Cloud Identity Engine, and once authenticated, providing the agent with a token for the gateways.
    (macOS and Windows agents only) Some commands also support integration with third-party applications, such as a unified login portal, that need to programmatically control Prisma Access Agent authentication and connectivity without user interaction with the agent. These commands and their expected JSON response fields are listed in order of use in Commands for Third-Party Integration below.
    CommandDescription
    versionShows the version of the Prisma Access Agent that’s running on the endpoint
    captive-portal(Not supported on Prisma Access Agent Linux) Shows the presence of a captive portal with the pacli captive-portal status command
    connectCreates a tunnel connection for Prisma Access Agent traffic by connecting to a gateway.
    • To connect to a location, enter pacli connect <gateway name>
    • To get a list of the Prisma Access locations where your users can connect to, enter pacli gateway
      To connect to the best available location, enter pacli connect --best
    disconnectStops the tunnel connection by disconnecting from the gateway
    statusShows the current Prisma Access Agent status. You can view the following status:
    • State—Shows the state of the Prisma Access Agent
    • Mode—Shows the mode the Prisma Access Agent is running in (Always On or On Demand)
    • Tunnel—Shows the state of the Prisma Access Agent connection
    • HIP Status—Shows whether your device is compliant
    • EPM Status—Shows the status of the endpoint manager
    • EPM Last Seen—Shows the last time your device connected to the to the endpoint manager
    • Local Hostname—Shows the hostname of the end-user device
    protect(Not supported on Prisma Access Agent Linux) Enables or disables the feature that protects the Prisma Access Agent from being tampered with on the endpoint, such as the unauthorized uninstallation of the agent. You can specify the following options:
    • status—Displays the protection status of the Prisma Access Agent files and folders, Prisma Access Agent processes, Prisma Access Agent registry keys (Windows-only), and Prisma Access Agent services and HIP processes.
    • enable—Enables the anti-tamper feature.
    • disable—Disables the anti-tamper feature. Requires the anti-tamper unlock password.
    epmPerforms endpoint management actions using the following options:
    • status—Shows the current status of the service that manages Prisma Access Agents.
    • address—Sets the URL for the endpoint manager. You can add, delete, list, or set (connect) to a specified server URL.
    • signout—Disconnects the Prisma Access Agent from the endpoint manager and discards the token that the agent management authentication service generated. The token enables the agent to communicate with any endpoint manager component.
      If you enter pacli epm signout --keep, the command will disconnect the agent from the endpoint manager without discarding the token.
    • fetch—Retrieves the Prisma Access Agent configuration immediately.
    • set-token—Resets the token that the agent management authentication service generated. The Prisma Access Agent uses the token to communicate with any agent management component.
    If you enter pacli epm incorrectly or without any arguments, the list of available options is displayed.
    configManages the local configuration of the Prisma Access Agent. You can use the following options:
    • import—Imports the configuration from a configuration file
    • export—Exports the configuration to a file
    loglevelManipulates the logging level of Prisma Access Agent logs using the following options:
    • status—Shows the current verbosity level of the logs
    • set—Sets the verbosity level of the logs
    eventShows a list of Prisma Access Agent events
    commandTriggers a command that is sent from the server (endpoint manager) to the client (Prisma Access Agent).
    gatewayGets a list of the Prisma Access locations where your users can connect to
    enableEnables the Prisma Access Agent
    disableDisables the Prisma Access Agent. Requires the anti-tamper unlock password.
    hipRuns host information profile actions:
    • status—Shows the current HIP status
    • version—Shows the version of the HIP library
    • resend—Sends a HIP report to the current Prisma Access location and endpoint manager
    • update—Updates the HIP library (if an update is available)
    • notification—Shows the HIP notifications that the agent received
    tunnelShows the status of the tunnel, including the name and IP address of the Prisma Access location, and the type of tunnel that has been established. Also shows the MTU size and the volume of data that the agent transmitted and received.
    getlogsCreates a zip package of all local Prisma Access Agent logs.
    adem(Not supported on Prisma Access Agent Linux) Shows the current status of the Autonomous DEM agent (if it is installed on the endpoint).
    project(Not supported on Prisma Access Agent Linux) Allows you to connect to a different project for Dynamic Privilege Access enabled agents. You can enter one of the following options:
    • logout—Log out of the current project.
    • login <project_name>—Log in to a project by specifying the project name. The maximum length for the project name is 32 characters.
    • list—Show the list of projects that the user has access to.
    For example, to log in or to switch to a project, enter pacli login my_project.
    trafficShows the agent's traffic forwarding rules and the traffic routing logs respectively, such as how traffic is routed for each connection and whether it is through the tunnel or directly to the internet. This command will print the active rules in a tabular format on the command line. You can use the following options:
    • show—Show the traffic forwarding rules in a forwarding profile
    • show <n>—Show a specific traffic forwarding rule by specifying the row number
    • log—Show the entries in the network connection (traffic routing) log
    • log <n>—Show a specific row in the network connection log by specifying the row number
    • export <filename>—Export the traffic forwarding rules to a file
    • import <filename>—Import the traffic forwarding rules from a file
    • user-location—Shows the user's currently detected locations, including the detection method (reverse DNS or private IP address match) and which forwarding profile rules apply
    switchtoSwitches between the Prisma Access Agent and the GlobalProtect app, if both apps are installed on an endpoint. You can enter one of the following options:
    • GlobalProtect—Switches to the GlobalProtect app. Requires the anti-tamper unlock password.
    • PrismaAccessAgent—Switches to the Prisma Access Agent.
    Switching to an app will automatically disable the previously active app.
    wpp(Windows agents) Enables Prisma Access Agent driver logging using the Windows software trace preprocessor (WPP) (Windows-only). You can start, stop, or reset the software trace preprocessor.
    dlp status(Not supported on Prisma Access Agent Linux) Shows the status for the Endpoint Data Loss Prevention feature.
    proxy(Not supported on Prisma Access Agent Linux) Manages the local proxy functionality. You can use the following options with the command:
    • status—Show the local proxy status
    • enable—Enable the local proxy
    • disable—Disable the local proxy
    browser(Not supported on Prisma Access Agent Linux) Manages the Prisma Access Agent embedded browser. You can use the following options with the command:
    • status—Show the current browser setting
    • internal—Set the embedded browser for Prisma Access Agent authentication.
    • system—Set the default system browser for Prisma Access Agent authentication.
    eie(Not supported on Prisma Access Agent Linux) Manages Prisma Access Agent endpoint insights. You can use the following options with the command:
    • status—Show the endpoint insights status
    • enable—Enable endpoint insights
    • disable—Disable endpoint insights
    • trigger -d "<description>"—User issue reporting with description to trigger the collection of diagnostics
    (macOS and Windows agents only) You can also use Prisma Access Agent commands to integrate with a third-party app to programmatically control authentication and connectivity.

    © 2026 Palo Alto Networks, Inc. All rights reserved.