>
    Configure Enhanced Anti-Tamper Protection for Prisma Access Agents
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Configure the Prisma Access Agent
    5. Anti-Tamper Protection for Prisma Access Agents
    6. Configure Enhanced Anti-Tamper Protection for Prisma Access Agents
    Download PDF
    Prisma Access Agent

    Configure Enhanced Anti-Tamper Protection for Prisma Access Agents

    Table of Contents

    Configure Enhanced Anti-Tamper Protection for Prisma Access Agents

    Configure the Prisma Access Agent's anti-tamper protection features to protect agent processes, files, and registries from unauthorized tampering.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Check the prerequisites for the deployment you're using
    • Prisma Access Agent 25.4
    • macOS 14 and later or Windows 10 version 2024 and later desktop devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    Prisma Access Agent's anti-tamper feature protects the agent's services, processes, files, and registries from tampering by users. When configured, users require specific one-time passwords (OTPs) or a Privileged Access Token to perform privileged actions such as restarting agent services or uninstalling the agent.
    The enhanced anti-tamper functionality addresses several security concerns:
    • Provides unique per-device OTPs for specific privileged operations
    • Enforces role-based access controls (RBAC) for viewing or generating anti-tamper credentials
    • Maintains comprehensive audit trails for anti-tamper usage
    • Offers a "break glass in case of emergency" Privileged Access Token for use in case of the loss of network connectivity
    The anti-tamper protection system supports several types of passwords for different purposes:
    Password TypeExpires After First UseSystem GeneratedPurpose
    Disable Agent OTPYesYesSingle-use token for temporarily disabling the agent
    Uninstall Agent OTPYesYesSingle-use token for uninstalling the agent
    Privileged Access OTPYesYesUsed for any privileged operation including restarting agent services
    Privileged Access TokenNoNoAdministrator-defined emergency token for critical access scenarios
    All OTPs will refresh after one-time use and are never stored on the endpoint. The Privilege Access Token is static and does not expire after each use.
    This procedure does not apply to Prisma Access Agents deployed from Prisma Access (Managed by Panorama) or NGFW (Managed by Panorama). Prisma Access Agents from these deployments can continue to use the anti-tamper settings in the Global Agent Settings.
    To configure anti-tamper protection:
    1. Navigate to the Prisma Access Agent agent app settings page.
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select WorkflowsPrisma Access SetupAccess AgentPrisma Access Agent.
    2. Add an agent setting or edit an existing agent setting.
      1. (Optional) Set up the Match Criteria such as OS and User Entities to deploy the agent settings to specific users or user groups.
      2. Configure the anti-tamper protection settings:
        1. In the App Configuration section, select Show Advanced OptionsAnti-Tamper.
        2. Configure the following anti-tamper options:
          • Privileged Access Protection—Select this option to enable anti-tamper protection on the endpoints that meet the Match Criteria. Enabling this option reveals the anti-tamper configuration options. (Default: Disabled)
          • Tamper Protection Auto Enable Duration (min)—Specify the duration (30-480 minutes) for which the end-user gains privileged access by providing the Privileged Access OTP or Privileged Access Token. (Default: 30 minutes)
          • Privileged Access Token—Enter and confirm an emergency access password for use in critical access scenarios. The token must have 8-16 alphanumeric characters with at least one uppercase letter, lowercase letter, number, and optionally one special character from the following set: @$!%*?&
            The Privileged Access Token and Tamper Protection Auto Enable Duration are required when you enable Privileged Access Protection.
          These settings are only visible to administrators with superuser privileges through RBAC controls.
        3. Save the agent configuration.
    3. (Optional): Set up the disable agent configuration.
      Configure the Disable Agent option:
      • Allow—Any user can disable the Prisma Access Agent without requiring a password.
      • Disallow—Does not allow users to disable the agent. The Disable option is not available in the Prisma Access Agent app.
      • Allow with OTP—Users can disable the agent only with a valid OTP or token.
    4. Push the Prisma Access Agent Configuration.
    5. View and access device-specific OTPs in the Inventory page in case you need to share the OTPs with your users.
      1. Select ManagePrisma Access Agent.
      2. Select a Hostname in the Devices table.
      3. In the window that slides open, view the Anti-Tamper section. Depending on the configuration, you will see the following combinations of fields:
        ConfigurationAnti-Tamper Fields
        • Privileged Access ProtectionDisabled
        • Disable Agent with OTPDisallow
        • Privileged Access ProtectionEnabled
        • Disable Agent with OTPDisallow
        • Privileged Access ProtectionEnabled
        • Disable Agent with OTPAllow
        • Privileged Access ProtectionDisabled
        • Disable Agent with OTPAllowed
      4. From this page, you can view and copy device-specific OTPs for:
        • Disabling the agent
        • Using privileged access (for any privileged command)
        • Uninstalling the agent
    6. Use the Privileged Access Token for emergency access.
      In case of emergency scenarios where normal access methods are unavailable:
      1. Use the Privileged Access Token (emergency access password) that you configured.
      2. This token works for all privileged operations on all agents.
      3. The token does not refresh after each use, unlike the OTPs.
      As a best practice, rotate the Privileged Access Token every three months for enhanced security.
    7. Verify that anti-tamper protection is enabled for the Prisma Access Agent on an endpoint by using the Prisma Access Agent command-line tool (PACli).
      1. Check the status of the anti-tamper protection by running the following command on an endpoint:
        • On macOS agents:
          /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli protect status
        • On Windows agents:
          "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" protect status
        If you successfully enabled anti-tamper protection, the following output should appear:
        Protection      State      
--------------- ---------- 
File            Enabled
Process         Enabled
Registry        Enabled
Service         Enabled
      2. Try to disable the anti-tamper protection by running the following command:
        pacli protect disable
        If you successfully enabled anti-tamper protection, the agent will prompt you to Enter password.
    8. Audit and monitor anti-tamper activities and OTP usage in the Log Viewer or Strata Logging Service.
      The system maintains comprehensive audit trails for anti-tamper activities:
      • OTP generation events
      • Successful and failed OTP validation attempts
      • Tamper-protection disablement events
      • Privileged command execution during tamper protection disabled periods
      These audit logs are available in the Event Log Viewer and are subject to RBAC permissions. For security, raw OTPs and tokens are never logged in the audit trails.

    © 2025 Palo Alto Networks, Inc. All rights reserved.