Configure General Global Settings for the Prisma Access Agent

Configure general global agent settings for Prisma Access Agent, such as the anti-tamper protection, authentication override, and inactivity timeout settings.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
You can customize the global agent settings that apply to Prisma Access Agents across all endpoints.
General global agent settings include the anti-tamper feature, which prevents users from tampering with the Prisma Access Agent, such as uninstalling it from an end user's device. In addition, you can configure the authentication override settings and the inactivity timeout setting, and block the login of quarantined devices.
  1. Navigate to the Prisma Access Agent setup.
    • From Strata Cloud Manager:
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
    • From Panorama:
      1. From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent > Launch Prisma Access Agent.
      2. Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
  2. Edit the Global Agent Settings.
  3. (Strata Cloud Manager only) Select General.
  4. (Prisma Access Agent 25.3.1 and earlier versions in Panorama Managed deployments) Enable anti-tamper protection to prevent unauthorized users from tampering with the Prisma Access Agent.
    (Prisma Access Agent version 25.4 in Strata Cloud Manager Managed deployments) The Anti-Tamper Password configuration section is no longer in the global agent settings. It now resides in the Agent Settings page to provide anti-tamper protection at a more granular level, with the ability to enable or disable protection for specific users and user groups. You can review the feature and the migration approach, and learn how to configure Anti-Tamper Protection for Prisma Access Agents.
  5. Configure Authentication Override settings to allow Prisma Access to generate and accept secure, encrypted cookies for user authentication. Authentication override allows the user to provide login credentials only once during the specified Cookie Lifetime.
    • Generate cookie for authentication override—Enables Prisma Access to generate encrypted endpoint-specific cookies and issue authentication cookies to the endpoint. Default: Enabled.
    • Accept cookie for authentication override—Enables Prisma Access to authenticate users with a valid, encrypted cookie. When the app presents a valid cookie, Prisma Access verifies that the cookie was encrypted by Prisma Access originally, decrypts the cookie, and then authenticates the user. Default: Enabled.
    • Certificate to Encrypt/Decrypt Cookie—Select a certificate to use to encrypt and decrypt the cookie. For NGFW deployments, this certificate is the same one that you imported in the Infrastructure settings.
    • Cookie Lifetime—Specifies the hours, days, or weeks for which the cookie is valid (default is 24 hours). The range for hours is 1-72; the range for weeks is 1-52; and the range for days is 1-365. After the cookie expires, the user must reenter their login credentials. Prisma Access then encrypts a new cookie to send to the agent. This value can be the same as or different from the cookie lifetime that you configure.
  6. (Strata Cloud Manager) Configure Timeout settings for the Prisma Access Agent.
    The Inactivity Logout setting applies to both Prisma Access Agent and GlobalProtect. Any changes you make will be reflected and used for GlobalProtect, and vice versa.
    • Inactivity Logout—Specify the amount of time after which idle users are logged out of the Prisma Access Agent.
      You can use the inactivity logout period to enforce a security policy to monitor traffic from endpoints while connected to Prisma Access and to quickly log out inactive Prisma Access Agent sessions. You can enforce a shorter inactivity logout period. Users are logged out if the Prisma Access Agent has not routed traffic through the tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
    • Notify Before Inactivity Logout (min)—Specify when to notify the user before a Prisma Access Agent session logs out automatically due to inactivity. This period of time must be less than the period for the Inactivity Logout.
      For example, if you set Notify Before Inactivity Logout to 20 minutes, the app will display the notification to the user 20 minutes before the inactive session expires. If you don't want the notification to be displayed, set the value to 0. You can enter a value between 0-120 minutes. The default is 0 minutes.
    • Inactivity Logout Message—Create a custom message that you want to display to users when their inactive sessions are about to end due to inactivity. The maximum length for the message is 127 characters.
  7. (Strata Cloud Manager) Block Login for Quarantined Devices to prevent Prisma Access Agent users from logging in from quarantined devices.
    If a user attempts to log in from a quarantined device when this setting is enabled, the Prisma Access Agent notifies the user that the device is quarantined and the user cannot log in from that device. If this setting is not enabled, the user receives the notification but is able to log in from that device.
    The Block Login for Quarantined Devices setting applies to both Prisma Access Agent and GlobalProtect. Any changes you make will be reflected and used for GlobalProtect, and vice versa.
  8. Save your settings.
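
A pre-change check for the values chosen in the steps above, as an added example (not Palo Alto Networks code): it validates a planned configuration against the documented ranges and flags the state in which quarantined devices can still log in. The dictionary keys, the sample plan, and the assumption that both timeout values are given in minutes are constructed for illustration.

```python
# Added example; all dict keys are hypothetical names, not a Prisma Access API.
COOKIE_RANGES = {"hours": (1, 72), "days": (1, 365), "weeks": (1, 52)}
NOTIFY_MIN, NOTIFY_MAX = 0, 120   # minutes
MESSAGE_MAX = 127                 # characters


def lint_global_settings(plan):
    """Return (severity, message) findings for a planned settings dict."""
    out = []
    unit, value = plan.get("cookie_lifetime_unit"), plan.get("cookie_lifetime_value")
    if unit not in COOKIE_RANGES:
        out.append(("error", f"cookie lifetime unit {unit!r} must be hours, days or weeks"))
    elif not isinstance(value, int) or not COOKIE_RANGES[unit][0] <= value <= COOKIE_RANGES[unit][1]:
        lo, hi = COOKIE_RANGES[unit]
        out.append(("error", f"cookie lifetime {value!r} {unit} is outside {lo}-{hi}"))

    cookies_on = plan.get("generate_cookie", True) or plan.get("accept_cookie", True)
    if cookies_on and not plan.get("cookie_certificate"):
        out.append(("error", "no certificate selected to encrypt/decrypt the cookie"))

    # Assumption: the plan expresses both timeout values in minutes.
    logout, notify = plan.get("inactivity_logout_min"), plan.get("notify_before_logout_min", 0)
    if not isinstance(notify, int) or not NOTIFY_MIN <= notify <= NOTIFY_MAX:
        out.append(("error", f"notify period {notify!r} is outside {NOTIFY_MIN}-{NOTIFY_MAX} minutes"))
    elif isinstance(logout, int) and notify >= logout:
        out.append(("error", "notify period must be less than the inactivity logout period"))

    message = plan.get("inactivity_logout_message", "")
    if len(message) > MESSAGE_MAX:
        out.append(("error", f"logout message is {len(message)} characters; maximum is {MESSAGE_MAX}"))

    # Assumption: a missing key is treated as the setting not being enabled.
    if not plan.get("block_login_quarantined", False):
        out.append(("warning", "quarantined devices are notified but can still log in"))
    return out


# Constructed sample plan with four problems, for illustration only.
SAMPLE_PLAN = {
    "generate_cookie": True, "accept_cookie": True, "cookie_certificate": "example-cert",
    "cookie_lifetime_unit": "hours", "cookie_lifetime_value": 96,   # hours allow 1-72
    "inactivity_logout_min": 30, "notify_before_logout_min": 45,    # notify >= logout
    "inactivity_logout_message": "x" * 140,                         # over 127 characters
    "block_login_quarantined": False,
}

if __name__ == "__main__":
    for severity, text in lint_global_settings(SAMPLE_PLAN):
        print(f"{severity}: {text}")
```

Because the Inactivity Logout and Block Login for Quarantined Devices settings are shared with GlobalProtect, review any finding on those fields with both products in mind.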