Prisma Access Administration
  • Prisma Access Administration
  • Prisma Access Documentation
  • All Documentation
>
Switch Between the Prisma Access Agent and GlobalProtect App
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Prisma Access Administration
  4. Configure Dynamic Privilege Access Settings
  5. Use the Prisma Access Agent to Access Your Projects
  6. Switch Between the Prisma Access Agent and GlobalProtect App
Download PDF
Prisma Access

Switch Between the Prisma Access Agent and GlobalProtect App

Table of Contents

Switch Between the Prisma Access Agent and GlobalProtect App

You can switch between the Prisma Access Agent and GlobalProtect using either the Prisma Access Agent app or the Prisma Access command-line tool.
Where Can I Use This?What Do I Need?
  • Prisma Access Agent
  • macOS 12 or later desktop devices or Windows 10 version 2024 or later or Windows 11 desktop devices
  • Internet access
In some organizations, the Prisma Access Agent is installed on user devices that already have the GlobalProtect app installed. After installing the Prisma Access Agent, you can switch between the Prisma Access Agent and the GlobalProtect app as needed.
After switching to the GlobalProtect app, the Prisma Access Agent is in the disabled state. In the disabled state:
  • All traffic to Prisma Access locations are disabled, and multi-factor authentication (MFA) is disabled.
    Both Prisma Access Agent and GlobalProtect use the same GlobalProtect port to listen to MFA requests (for additional authentication for certain applications), but only one agent can use the port at a time. When you disable the Prisma Access Agent, the port will be released for use by GlobalProtect.
  • Communication with the server persists so the agent can continue to receive staged rollout upgrades, ADEM notifications, remote shell requests from the administrator, and perform HIP checks.
  • If configured by the administrator, the anti-tamper feature will continue to function to protect the agent from unauthorized tampering.
  • On macOS devices, the system and network extensions for Prisma Access Agent will continue to be active, and the content filter will also continue to be active.
  • If you switch to another server, the Prisma Access Agent will be re-enabled automatically. If the you try to connect to a Prisma Access location while the agent is disabled, the agent will connect to the best location.
You can use either the Prisma Access Agent app or the Prisma Access command-line tool (PACli) to switch between the two apps.

Switch Between the Prisma Access Agent and GlobalProtect App (Using the Prisma Access Agent App)

Learn how to switch between the Prisma Access Agent and GlobalProtect app using the agent apps.
Before switching to the GlobalProtect™ app, you need to disable the Prisma Access Agent. If your administrator configured the feature to allow users to disable the Prisma Access Agent, you can use the app to disable the Prisma Access Agent. After you disable the Prisma Access Agent, you can start the GlobalProtect app.
Your administrator must contact the Palo Alto Networks team to enable this tenant-level feature. It's not available as an agent setting on Strata Cloud Manager.
  • To switch from the Prisma Access Agent to the GlobalProtect app:
    1. Open the Prisma Access Agent.
      If you're disabling the agent for the first time, open the Prisma Access Agent app and sign out of the Prisma Access Agent.
      1. Select the hamburger menu and select Sign Out.
      2. Log in to the Prisma Access Agent app again to make the Disable link appear in the preferences window.
    2. Click the hamburger menu to open the preferences window.
    3. Disable the Prisma Access Agent.
    4. Close the preferences window by clicking the X.
      The Prisma Access Agent is disabled.
    5. Start the GlobalProtect app and Connect to GlobalProtect.
  • To switch from the GlobalProtect app back to the Prisma Access Agent:
    1. Open the GlobalProtect app.
    2. Click the options menu and select Disconnect.
    3. Launch the Prisma Access Agent app.
    4. Click the hamburger menu to open the preferences window.
    5. Enable the Prisma Access Agent.
    6. Close the preferences window by clicking the X.
    7. If the agent is in Always On mode, the agent is enabled and will connect to the best location.
      If the agent is in On-Demand mode, the Prisma Access Agent is enabled but remains disconnected. Click the lock icon to connect to the Prisma Access location.

Switch Between the Prisma Access Agent and GlobalProtect App (Using the PACli Tool)

Learn how to switch between the Prisma Access Agent and GlobalProtect app using the command line.
To switch between the Prisma Access Agent and the GlobalProtect app, run the Prisma Access command-line tool (PACli). When switching to the GlobalProtect app, the PACli tool will prompt you for the anti-tamper unlock password if the administrator set one up during the onboarding of the Prisma Access Agent. Switching to the desired app disables the app that you're currently using.
  1. To switch from the Prisma Access Agent to the GlobalProtect app:
    1. Run the switchto command to switch agents:
      • On macOS devices, open a Terminal window and issue the following command:
        sudo /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli switchto GlobalProtect
      • On Windows devices, open a Command Prompt window and issue the following command:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" switchto GlobalProtect
    2. (macOS) Enter the admin password when prompted.
    3. If prompted, enter Y to switch to the GlobalProtect app.
    4. If prompted for a supervisor password, enter the anti-tamper unlock password.
      The following text shows an example of switching from the Prisma Access Agent to GlobalProtect on a macOS device:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % sudo ./pacli switchto GlobalProtect  
Enter supervisor password:
Disabled Prisma Access Agent.
Starting the GlobalProtect service. This can take up to 60 seconds...
Successfuly started GlobalProtect. Switch complete.
<username@hostname> Helpers %
      This action stops the Prisma Access Agent service, and starts the GlobalProtect service. An entry is written to the Prisma Access Agent logs indicating that the Prisma Access Agent has been disabled. For example, the following events are logged:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % ./pacli event
.
.
740      2024-12-11 23:20:57  Tamper Detection   Agent is disabled
741      2024-12-11 23:20:57  Agent Tunnel       Tunnel disconnected
.
.
    5. (Optional) Show the status of the switchto command by running the pacli switchto status command.
      The following text shows an example of checking the status of the switchto command on macOS:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % sudo ./pacli switchto status
Prisma Access Agent:      Disabled
GlobalProtect:            Enabled
<username@hostname> Helpers %
  2. To switch back to the Prisma Access Agent:
    1. Run the switchto command to switch agents:
      • On macOS devices, open a Terminal window and issue the following command:
        sudo /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli switchto PrismaAccessAgent
      • On Windows devices, open a Command Prompt window and issue the following command:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" switchto PrismaAccessAgent
    2. (macOS) Enter the admin password when prompted.
    3. If prompted, enter Y to switch to the Prisma Access Agent.
    4. If prompted for a supervisor password, enter the anti-tamper unlock password.
      The following text shows an example of switching from the GlobalProtect app to the Prisma Access Agent on a macOS device:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % sudo ./pacli switchto PrismaAccessAgent
Password:
Enter supervisor password:
Stopping the GlobalProtect service. This can take up to 60 seconds...
Disabled GlobalProtect.
Successfuly started Prisma Access Agent. Switch complete.
<username@hostname> Helpers %
      This action stops the GlobalProtect service and starts the Prisma Access Agent service. An entry is written to the Prisma Access Agent logs indicating that the Prisma Access Agent has been enabled. For example, the following events are logged:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % ./pacli event
.
.
742      2024-12-11 23:21:05  Tamper Detection   Agent is enabled
743      2024-12-11 23:21:21  Agent Tunnel       Tunnel connected
.
.
      After switching back to the Prisma Access Agent, if the agent is in Always On mode, the agent will be enabled and will connect to the best location. If the agent is in On-Demand mode, the agent will be enabled but disconnected.
    5. (Optional) Show the status of the switchto command by running the pacli switchto status command.
      The following text shows an example of checking the status of the switchto command on macOS:
      <username@hostname> ~ % cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
<username@hostname> Helpers % sudo ./pacli switchto status
Prisma Access Agent:      Enabled
GlobalProtect:            Disabled
<username@hostname> Helpers %

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.