Resolve Prisma Access Agent Problems by Running Commands in a Remote Shell
Learn how to troubleshoot Prisma Access Agent problems by running commands in a remote shell.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
To investigate and resolve Prisma Access Agent issues effectively, such as an end user's inability to access corporate resources, you’ll likely need to physically access the end user's device to collect relevant data, diagnose the issue, and fix the issue. However, in today's remote-first work environment, it’s becoming more difficult to gain physical access to an end user's device for troubleshooting.
Using the Inventory page (Manage > Prisma Access Agent), you can:
  • Conveniently access any end user's device that is running the Prisma Access Agent remotely by starting a terminal session (remote shell) on the device, provided that you have permission from the end user.
  • Initiate a remote shell from the device details page.
    When the remote shell is initiated, the user is prompted to accept the request to allow the administrator to open a remote shell. When the user accepts the request, a live terminal window appears for you to enter shell commands to diagnose an issue.
Because any command that you enter and any output in the remote shell session will be logged, ensure that you do not enter any input or produce output that contains sensitive information.
  1. Select Manage > Prisma Access Agent.
  2. (Optional) Set the Time Range for which you want to view the data. You can select a preset time range or customize the time range.
  3. In the Devices table, scroll through the list to find the device or search for a device.
  4. Select the hostname of the device for which you want to open a remote shell.
  5. In the device details page, click Remote Shell.
    The Remote Shell is not available to administrators with the View Only Administrator role.
  6. Wait for the end user to confirm the remote access.
  7. On the endpoint, the user is prompted to accept the remote shell request.
  8. If the user accepts the remote shell request, a live terminal window appears.
    If the user denies the request or does not respond within 2 minutes, you are notified that the terminal session cannot be established due to the lack of permission.
  9. Run any shell commands that are needed to diagnose or resolve an issue.
    For example, you can run Prisma Access Agent Commands in the remote shell.
  10. When you have finished with your remote session, Disconnect the remote shell, which terminates the session.
  11. You can choose to save the remote session activity to a log file by clicking Yes.
    This action exports all the terminal session activity to a log file, including any commands that were run and the command output. Any action, from the initiation of the shell to the types of commands, is logged in the appropriate Prisma Access Agent log or management log, along with the timestamp and administrator identity.
    The log file in .txt format is saved to the download location specified by your web browser.