Configure Enhanced Anti-Tamper Protection for Prisma Access Agents
Configure the Prisma Access Agent's anti-tamper protection features to protect agent processes, files, and registries from unauthorized tampering.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Prisma Access Agent 25.4
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Prisma Access Agent's anti-tamper feature protects the agent's services, processes, files, and registries from tampering by users. When configured, users require specific one-time passwords (OTPs) or a Privileged Access Token to perform privileged actions such as restarting agent services or uninstalling the agent.
The enhanced anti-tamper functionality addresses several security concerns:
  • Provides unique per-device OTPs for specific privileged operations
  • Enforces role-based access controls (RBAC) for viewing or generating anti-tamper credentials
  • Maintains comprehensive audit trails for anti-tamper usage
  • Offers a "break glass in case of emergency" Privileged Access Token for use in case of the loss of network connectivity
The anti-tamper protection system supports several types of passwords for different purposes:
Password Type             Expires After First Use   System Generated   Purpose
Disable Agent OTP         Yes                       Yes                Single-use token for temporarily disabling the agent
Uninstall Agent OTP       Yes                       Yes                Single-use token for uninstalling the agent
Privileged Access OTP     Yes                       Yes                Used for any privileged operation, including restarting agent services
Privileged Access Token   No                        No                 Administrator-defined emergency token for critical access scenarios
All OTPs refresh after a single use and are never stored on the endpoint. The Privileged Access Token is static and does not expire after use.
This procedure does not apply to Prisma Access Agents deployed from Prisma Access (Managed by Panorama) or NGFW (Managed by Panorama). Prisma Access Agents from these deployments can continue to use the anti-tamper settings in the Global Agent Settings.
To configure anti-tamper protection:
  1. Navigate to the Prisma Access Agent agent app settings page.
    1. Log in to Strata Cloud Manager as the administrator.
    2. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
  2. Add an agent setting or edit an existing agent setting.
    1. (Optional) Set up the Match Criteria such as OS and User Entities to deploy the agent settings to specific users or user groups.
    2. Configure the anti-tamper protection settings:
      1. In the App Configuration section, select Show Advanced Options > Anti-Tamper.
      2. Configure the following anti-tamper options:
        • Privileged Access Protection—Select this option to enable anti-tamper protection on the endpoints that meet the Match Criteria. Enabling this option reveals the anti-tamper configuration options. (Default: Disabled)
        • Tamper Protection Auto Enable Duration (min)—Specify the duration (30-480 minutes) for which the end-user gains privileged access by providing the Privileged Access OTP or Privileged Access Token. (Default: 30 minutes)
        • Privileged Access Token—Enter and confirm an emergency access password for use in critical access scenarios. The token must have 8-16 alphanumeric characters with at least one uppercase letter, lowercase letter, number, and optionally one special character from the following set: @$!%*?&
          The Privileged Access Token and Tamper Protection Auto Enable Duration are required when you enable Privileged Access Protection.
        These settings are only visible to administrators with superuser privileges through RBAC controls.
      3. Save the agent configuration.
  3. (Optional) Set up the disable agent configuration.
    Configure the Disable Agent option:
    • Allow—Any user can disable the Prisma Access Agent without requiring a password.
    • Disallow—Does not allow users to disable the agent. The Disable option is not available in the Prisma Access Agent app.
    • Allow with OTP—Users can disable the agent only with a valid OTP or token.
  4. View and access device-specific OTPs in the Inventory page in case you need to share the OTPs with your users.
    1. Select Manage > Prisma Access Agent.
    2. Select a Hostname in the Devices table.
    3. In the window that slides open, view the Anti-Tamper section. The Anti-Tamper fields that appear depend on which of the following configurations is in effect:
      • Privileged Access Protection: Disabled, Disable Agent with OTP: Disallow
      • Privileged Access Protection: Enabled, Disable Agent with OTP: Disallow
      • Privileged Access Protection: Enabled, Disable Agent with OTP: Allow
      • Privileged Access Protection: Disabled, Disable Agent with OTP: Allow
    4. From this page, you can view and copy device-specific OTPs for:
      • Disabling the agent
      • Using privileged access (for any privileged command)
      • Uninstalling the agent
  5. Use the Privileged Access Token for emergency access.
    In case of emergency scenarios where normal access methods are unavailable:
    1. Use the Privileged Access Token (emergency access password) that you configured.
    2. This token works for all privileged operations on all agents.
    3. The token does not refresh after each use, unlike the OTPs.
    As a best practice, rotate the Privileged Access Token every three months for enhanced security.
  6. Verify that anti-tamper protection is enabled for the Prisma Access Agent on an endpoint by using the Prisma Access Agent command-line tool (PACli).
    1. Check the status of the anti-tamper protection by running the following command on an endpoint:
      • On macOS agents:
        /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli protect status
      • On Windows agents:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" protect status
      If you successfully enabled anti-tamper protection, the following output should appear:
      Protection      State      
      --------------- ---------- 
      File            Enabled
      Process         Enabled
      Registry        Enabled
      Service         Enabled
    2. Try to disable the anti-tamper protection by running the following command:
      pacli protect disable
      If anti-tamper protection is enabled, the agent prompts you to Enter password.
  7. Audit and monitor anti-tamper activities and OTP usage in the Log Viewer or Strata Logging Service.
    The system maintains comprehensive audit trails for anti-tamper activities:
    • OTP generation events
    • Successful and failed OTP validation attempts
    • Tamper-protection disablement events
    • Privileged command execution during periods when tamper protection is disabled
    These audit logs are available in the Event Log Viewer and are subject to RBAC permissions. For security, raw OTPs and tokens are never logged in the audit trails.
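As an added example (not part of the Palo Alto Networks documentation or the PACli tool), the following Python helpers cover two points of the procedure: checking a candidate Privileged Access Token against the character policy stated in step 2 before entering it in Strata Cloud Manager, and parsing the `pacli protect status` table from step 6 so a fleet-wide check fails unless every protection reports Enabled. Assumptions: the policy's "optionally one special character" is read as allowing any number of characters from the set @$!%*?& (not at most one), and the sample status output is constructed to match the table shown above rather than captured from an endpoint.

```python
import re

# Privileged Access Token policy as documented in the agent settings:
# 8-16 characters, at least one uppercase letter, one lowercase letter
# and one digit; special characters are optional and limited to @$!%*?&.
# Assumption: more than one special character is permitted.
TOKEN_PATTERN = re.compile(
    r"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9@$!%*?&]{8,16}$"
)


def token_meets_policy(token: str) -> bool:
    """Return True if the token satisfies the documented policy."""
    return TOKEN_PATTERN.fullmatch(token) is not None


def parse_protect_status(output: str) -> dict:
    """Parse the two-column table printed by 'pacli protect status' into
    {protection_name: state}. Header and separator rows are skipped."""
    states = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "Protection" or parts[0].startswith("-"):
            continue
        states[parts[0]] = parts[1]
    return states


def all_protections_enabled(
    output: str, expected=("File", "Process", "Registry", "Service")
) -> bool:
    """True only if every expected protection is present and Enabled.
    A missing row is treated as a failure, not as a pass."""
    states = parse_protect_status(output)
    return all(states.get(name) == "Enabled" for name in expected)


# Constructed sample output modelled on the table in the verification step.
SAMPLE_STATUS = """Protection      State
--------------- ----------
File            Enabled
Process         Enabled
Registry        Enabled
Service         Enabled
"""

if __name__ == "__main__":
    print(token_meets_policy("Emergency2025!"))    # True
    print(all_protections_enabled(SAMPLE_STATUS))  # True
```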