Configure General Global Settings for Prisma Access Agents
Configure general global agent settings such as the antitamper password and authentication override.
Where Can I Use This? / What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access 5.1 Innovation
  • Prisma Access license with the Mobile User subscription
  • macOS 12 or later desktop devices or Windows 10 version 2024 or later or Windows 11 desktop devices
  • Role: Superuser
You can customize the global agent settings that apply to Prisma Access Agents across all endpoints.
General global agent settings include setting up the anti-tamper feature that prevents users from tampering with the Prisma Access Agent, such as uninstalling it from an end user's device. In addition, you can configure the authentication override settings, the inactivity timeout setting, and block the login of quarantined devices.
  1. From Strata Cloud Manager, select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
  2. Edit the Global Agent Settings.
  3. Select General.
  4. Configure an anti-tamper unlock password.
    You can safeguard the Prisma Access Agent by enabling the anti-tamper feature, which prevents any unauthorized user from tampering with the Prisma Access Agent. The anti-tamper feature can protect the following Prisma Access Agent resources on your endpoints:
    • Prisma Access Agent folders and files—Unauthorized users cannot delete or rename any Prisma Access Agent-related files and folders.
    • Prisma Access Agent services and host information profile (HIP) processes—Unauthorized users cannot stop any Prisma Access Agent-related services or HIP processes. The HIP processes collect information about the host that the Prisma Access Agent is running on and submit that host information to Prisma Access for inspection. If a user tries to stop a process, they must supply the anti-tamper unlock password.
    • Prisma Access Agent Registry keys (on Windows) or .plist file (on macOS)—Unauthorized users cannot delete or update the Windows Registry keys or .plist file for the Prisma Access Agent.
    • The PACli command-line interface—Unauthorized users cannot disable the Prisma Access Agent or the anti-tamper feature using the PACli command-line interface. Administrators and authorized users who need to perform certain actions for troubleshooting at the command line must provide the anti-tamper unlock (supervisor) password when prompted.
    To unlock the anti-tamper feature to troubleshoot the Prisma Access Agent, you need to set up an anti-tamper unlock password (also known as the supervisor password).
    1. Enable the anti-tamper password.
      If you don't enable the anti-tamper password, no password is assigned, and a user can enter any password (including an empty password) when prompted at the Prisma Access Agent command line.
      If you disable the anti-tamper password after enabling it, users can run certain PACli commands on the agent, such as the pacli disable, pacli hip status, pacli protect disable, and pacli switchto GlobalProtect commands, without providing the supervisor password. They only need to press Enter when prompted for the password.
    2. Enter the Password, and then Confirm Password by reentering the password. The password must have a minimum of eight alphanumeric characters.
      If you do not provide a password, the default password will be used. By default, the anti-tamper password is set to the first three characters of the Prisma Access tenant name in uppercase, plus the Prisma Access Data Region in lowercase, plus the last five digits of the Prisma Access Instance ID, for example: PANamericas56789.
      You can obtain the Prisma Access Instance ID and Data Region by selecting Settings > Tenants > <your_tenant> and selecting the View Support Info tool tip next to the serial number for Prisma Access.
      To provide a higher level of security for your agents, set up a new anti-tamper unlock password to override the default password, as the default password might not be the most secure.
  5. Configure Authentication Override settings to allow Prisma Access to generate and accept secure, encrypted cookies for user authentication. Authentication override allows the user to provide login credentials only once during the specified Cookie Lifetime.
    • Generate cookie for authentication override—Enables Prisma Access to generate encrypted endpoint-specific cookies and issue authentication cookies to the endpoint.
    • Accept cookie for authentication override—Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user.
    • Certificate to Encrypt/Decrypt Cookie—Select an RSA certificate to use to encrypt and decrypt the cookie.
    • Cookie Lifetime—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1-72; the range for weeks is 1-52; and the range for days is 1-365. After the cookie expires, the user must reenter their login credentials. Prisma Access then encrypts a new cookie to send to the agent. This value can be the same as or different from the cookie lifetime that you configure.
  6. Enter the number of minutes for the Inactivity Logout to specify the amount of time after which idle users are logged out of the Prisma Access Agent.
    You can use the inactivity logout period to enforce a security policy that monitors traffic from endpoints while they are connected to Prisma Access and quickly logs out inactive Prisma Access Agent sessions; a shorter period logs out idle sessions sooner. Users are logged out if the Prisma Access Agent has not routed traffic through the tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
  7. Block Login for Quarantined Devices to prevent Prisma Access Agent users from logging in from quarantined devices.
    If a user attempts to log in from a quarantined device when this setting is enabled, the Prisma Access Agent notifies the user that the device is quarantined and the user cannot log in from that device. If this setting is not enabled, the user receives the notification but is able to log in from that device.
  8. Save your settings.
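Two of the settings in this procedure follow rules that are easy to check offline before you commit them: the anti-tamper default password derived in step 4, and the Cookie Lifetime ranges and cookie behaviour described in step 5. The following script is an added example for this page and is not Palo Alto Networks code or any part of the Prisma Access Agent. Part 1 derives the documented default supervisor password and audits a candidate against it so an administrator can confirm the default has actually been overridden. Part 2 normalises a Cookie Lifetime value to seconds within the stated ranges and models the authentication-override cookie as an endpoint-bound token with an expiry. The tenant values, endpoint IDs and key are constructed, and a keyed HMAC stands in for the RSA-certificate encryption the product uses; the interpretation of "minimum of eight alphanumeric characters" as letters and digits only is an assumption.

```python
import base64
import hashlib
import hmac
import json
import re

# --- Part 1: anti-tamper (supervisor) password ------------------------------

def default_antitamper_password(tenant_name: str, data_region: str,
                                instance_id: str) -> str:
    """Documented default: first three characters of the tenant name in
    uppercase + data region in lowercase + last five digits of the instance ID."""
    return tenant_name[:3].upper() + data_region.lower() + instance_id[-5:]


def audit_antitamper_password(candidate: str, tenant_name: str,
                              data_region: str, instance_id: str) -> list:
    """Return a list of findings; an empty list means the candidate passes.
    Assumption: 'minimum of eight alphanumeric characters' means letters and
    digits only, at least eight of them."""
    findings = []
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", candidate):
        findings.append("must be at least eight alphanumeric characters")
    default = default_antitamper_password(tenant_name, data_region, instance_id)
    if candidate.casefold() == default.casefold():
        findings.append("matches the derived default; override it")
    return findings


# --- Part 2: authentication-override cookie ---------------------------------

# Ranges stated on the page: hours 1-72, days 1-365, weeks 1-52 (default 24 hours).
LIFETIME_RANGES = {"hours": (1, 72), "days": (1, 365), "weeks": (1, 52)}
SECONDS_PER_UNIT = {"hours": 3600, "days": 86400, "weeks": 7 * 86400}


def cookie_lifetime_seconds(value: int, unit: str):
    """Convert a configured lifetime to seconds, or return None when the unit is
    unknown or the value falls outside the permitted range for that unit."""
    if unit not in LIFETIME_RANGES:
        return None
    low, high = LIFETIME_RANGES[unit]
    if not low <= value <= high:
        return None
    return value * SECONDS_PER_UNIT[unit]


# Constructed key for this model only; the product uses the certificate you select.
COOKIE_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size


def issue_cookie(endpoint_id: str, username: str, lifetime_s: int, now: int,
                 key: bytes = COOKIE_KEY) -> str:
    """'Generate cookie': bind the user and endpoint to an expiry and
    authenticate the whole payload so a forged or altered cookie is rejected."""
    claims = {"ep": endpoint_id, "user": username, "iat": now,
              "exp": now + lifetime_s}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def accept_cookie(cookie: str, endpoint_id: str, now: int,
                  key: bytes = COOKIE_KEY):
    """'Accept cookie': return the username when the cookie is authentic, is
    presented by the endpoint it was issued to and is still within its lifetime;
    otherwise None, meaning the user must re-enter credentials."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:               # binascii.Error is a ValueError
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                  # not issued by us, or modified
    claims = json.loads(payload)
    if claims.get("ep") != endpoint_id:
        return None                  # cookies are endpoint-specific
    if now >= claims["exp"]:
        return None                  # lifetime elapsed
    return claims["user"]


if __name__ == "__main__":
    # Constructed tenant values chosen so the default matches the page's example.
    tenant, region, inst = "Panw Example", "Americas", "1234556789"
    print(default_antitamper_password(tenant, region, inst))      # PANamericas56789
    print(audit_antitamper_password("PANamericas56789", tenant, region, inst))
    t0 = 1_700_000_000
    c = issue_cookie("ep-01", "alice", cookie_lifetime_seconds(24, "hours"), t0)
    print(accept_cookie(c, "ep-01", t0 + 3600), accept_cookie(c, "ep-01", t0 + 86400))
```

Run it as a script to see the default password for the constructed tenant, the audit finding that flags it, and a cookie that is accepted an hour after issue but rejected once the 24-hour lifetime has elapsed. Feeding your own tenant name, data region and instance ID into `audit_antitamper_password` is a quick way to confirm the password you are about to save is not the default the page describes.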