Prisma Access Agent
Prisma Access Agent Commands
Table of Contents
Expand All
|
Collapse All
Prisma Access Agent Docs
-
-
- Configure the Prisma Access Agent (Coexistence Tenant)
- Set Up the Infrastructure for Prisma Access Agents
- Configure General Global Settings for the Prisma Access Agent
- Configure a Certificate to Decrypt the Authentication Override Cookie (Panorama Managed NGFW)
- Export the Authentication Override Cookie for Connecting to an On-Premises NGFW Gateway (Coexistence Tenant)
- Push the Prisma Access Agent Configuration
-
- Prisma Access Agent Overview
-
- Install the Prisma Access Agent
- Log in to the Prisma Access Agent
- Change Prisma Access Agent App Settings
- Connect the Prisma Access Agent to a Different Location
- Connect the Prisma Access Agent to a Different Server
- View Prisma Access Agent Notifications
- Disconnect the Prisma Access Agent from a Location
- Disable the Prisma Access Agent
- Log out of the Prisma Access Agent
- Get Help for Prisma Access Agent Issues
- Switch Between the Prisma Access Agent and GlobalProtect App
- Prisma Access Agent Commands
Prisma Access Agent Commands
Learn about the Prisma Access Agent commands that you can run on the Prisma Access command-line tool.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
You can run Prisma Access Agent commands using the Prisma Access command line (PACli)
tool to gain visibility into your Prisma Access Agent deployment. You can run the
Prisma Access Agent commands in a terminal session on the endpoint itself or in a
remote shell.
Usage
To issue Prisma Access Agent commands on the Prisma Access command-line
tool, use the following syntax:
- For macOS
agents:
/Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli /? | [command] [/? | help | options]]
- For Windows
agents:
"C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" /? | [command] [/? | help | options]]
If you enter the pacli command without arguments or with the
/? option, the list of available Prisma Access Agent commands is
displayed.
If you set up an environment variable for the PACli tool
(pacli), you can just enter pacli
<command> without the folder path.
The following tables contain descriptions of the Prisma Access Agent commands and
associated options that you can run on the Prisma Access command line. In the
command input and output, the terms "EPM" and "epm" refer to the agent management
plane or Prisma Access Agent Manger (also known to end users as the server). The
management plane communicates with the agent, such as sending commands and
configurations to the agent, routing authentication requests to the Cloud Identity
Engine, and once authenticated, providing the agent with a token for the
gateways.
| Command | Description |
|---|---|
| version | Shows the version of the Prisma Access Agent that’s running on the endpoint |
| connect | Creates a tunnel connection for Prisma Access Agent traffic by
connecting to a gateway. To connect to a location, enter
pacli connect <gateway
name> To get a list of the Prisma Access
locations where your users can connect to, enter
pacli gateway To connect to the
best available location, enter pacli connect
--best |
| disconnect | Stops the tunnel connection by disconnecting from the gateway |
| status | Shows the current Prisma Access Agent status. You can view
the following status:
|
| protect | Enables or disables the feature that protects the Prisma Access Agent from being tampered with on the endpoint,
such as the unauthorized uninstallation of the agent. You can
specify the following options:
|
| epm | Performs agent management actions using the following options:
If you enter pacli epm incorrectly or
without any arguments, the list of available options is
displayed. |
| config | Manages the local configuration of the Prisma Access Agent.
You can use the following options:
|
| loglevel | Manipulates the logging level of Prisma Access Agent logs
using the following options:
|
| event | Shows a list of Prisma Access Agent events |
| command | Triggers a command that is sent from the server (EPM) to the client (Prisma Access Agent). |
| gateway | Gets a list of the Prisma Access locations where your users can connect to |
| enable | Enables the Prisma Access Agent |
| disable | Disables the Prisma Access Agent. Requires the anti-tamper unlock password. |
| hip | Runs host information profile actions:
|
| tunnel | Shows the status of the tunnel, including the name and IP address of the Prisma Access location, and the type of tunnel that has been established. Also shows the MTU size and the volume of data that the agent transmitted and received. |
| getlogs | Creates a zip package of all local Prisma Access Agent logs. |
| adem | Shows the current status of the Autonomous DEM agent (if it is installed on the endpoint). |
| project | Allows you to
connect to a different project for Dynamic Privilege Access
enabled agents. You can enter one of the following options:
For example, to log in or to switch to a project, enter
pacli login my_project. |
| traffic | Shows the agent's traffic forwarding rules and the traffic
routing logs respectively, such as how traffic is routed for each
connection and whether it is through the tunnel or directly to the
internet. This command will print the active rules in a tabular
format on the command line. You can use the following options:
|
| switchto | Switches between the Prisma Access Agent and the
GlobalProtect app, if both apps are installed on an endpoint. You
can enter one of the following options:
Switching to an app will automatically disable the
previously active app. |
| wpp | Enables Prisma Access Agent driver logging using the Windows software trace preprocessor (WPP) (Windows-only). You can start, stop, or reset the software trace preprocessor. |
| dlp status | Shows the status for the Endpoint Data Loss Prevention feature. |