Set Up Anti-Tampering for Prisma Access Agent
Learn how to enable the anti-tamper feature, which prevents users from tampering with the Prisma Access Agent.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Prisma Access Agent 25.3.1 and earlier versions
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
(Prisma Access Agent version 25.4 in Strata Cloud Manager Managed deployments) The Anti-Tamper Password configuration section is no longer in the global agent settings. It now resides in the Agent Settings page to provide anti-tamper protection at a more granular level, with the ability to enable or disable protection for specific users and user groups. You can review the feature and migration approach, and learn how to configure Anti-Tamper Protection for Prisma Access Agents.
(Prisma Access Agent 25.3.1 and earlier versions in Panorama Managed deployments) Certain users, including those with administrative privileges, might attempt to bypass security controls by tampering with secure access agents, creating significant vulnerabilities in your security posture. Prisma Access Agent's anti-tamper feature addresses this challenge by preventing unauthorized modifications to your security infrastructure, ensuring that your Zero Trust security controls remain continuously operational.
The feature prevents always-on security bypass attempts by blocking actions such as stopping, killing, or uninstalling the agent, or modifying critical agent registries and plists. You're also protected against agent spoofing, where insider threats or compromised endpoints might attempt to modify agent files, folders, processes, or HIP reports to circumvent security measures. By implementing this protection, you ensure that your security controls remain intact and effective, regardless of user privilege levels or sophisticated bypass attempts.
The anti-tamper feature can protect the following Prisma Access Agent resources on your endpoints:
  • Prisma Access Agent folders and files—Users can’t modify any Prisma Access Agent-related files and folders, including rewriting, renaming, or deleting the files and folders.
  • Prisma Access Agent services and host information profile (HIP) processes—Users can’t spoof any Prisma Access Agent-related services and HIP processes. The HIP processes collect information about the host that the Prisma Access Agent is running on and submit the host information to Prisma Access for inspection. If a user tries to stop a process, they must supply the anti-tamper unlock password.
  • Prisma Access Agent Registry keys (on Windows) or .plist file (on macOS)—Users can’t modify the Windows Registry keys or .plist file for Prisma Access Agent.
  • The PACli command-line interface—Users can’t disable the Prisma Access Agent or the anti-tamper feature using the PACli command-line interface. Administrators and authorized users who need to perform certain actions for troubleshooting at the command line must provide an anti-tamper unlock password when prompted.
  1. Navigate to the Prisma Access Agent setup page.
    • For Prisma Access (Managed by Panorama) deployments:
      1. From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent.
      2. Click Launch Prisma Access Agent.
      3. Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
    • For NGFW (Managed by Panorama) deployments:
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
  2. Edit the Global Agent Settings.
  3. Configure an anti-tamper unlock password (also known as the supervisor password), which you will need to enter when performing certain actions to troubleshoot the agent, such as agent upgrades or downgrades.
    1. Enable the anti-tamper feature.
      You can set up an anti-tamper unlock password only if you enable the anti-tamper feature.
    2. Enter the anti-tamper unlock Password and Confirm Password. The password must have a minimum of eight alphanumeric characters. If you enable the anti-tamper feature but don’t provide an anti-tamper unlock password, the push configuration will fail.
  4. Save your settings and push the configuration.
  5. Verify that anti-tamper protection is enabled for the Prisma Access Agent on an endpoint by using the Prisma Access Agent command-line tool (PACli).
    1. Check the status of the anti-tamper protection by running the following command on an endpoint:
      • On macOS agents:
        /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli protect status
      • On Windows agents:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" protect status
      If you successfully enabled anti-tamper protection, the following output should appear:
      Protection      State      
      --------------- ---------- 
      File            Enabled
      Process         Enabled
      Registry        Enabled
      Service         Enabled
    2. Try to disable the Prisma Access Agent by running the following command:
      pacli disable
      If you successfully enabled anti-tamper protection, the agent will prompt you for the anti-tamper unlock password.
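
The status check in step 5 can be automated across endpoints by parsing the table that `pacli protect status` prints. The following script is an added example, not Palo Alto Networks code: it flags any of the four categories shown above that is missing from the output or in a state other than Enabled. The sample outputs are constructed, and the "Disabled" state string is an assumption (the check does not depend on it).

```shell
#!/bin/sh
# Categories expected in the status table (taken from the sample output above).
EXPECTED="File Process Registry Service"

# Reads `pacli protect status` text on stdin. Prints every category that is
# missing or not "Enabled" and returns non-zero if any is found.
check_protect_status() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, want, " ") }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        # Skip the header row, the dashed separator row and blank lines.
        $1 == "Protection" || $1 ~ /^-+$/ || NF < 2 { next }
        { state[$1] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in state)) { print c ": missing"; bad = 1 }
                else if (state[c] != "Enabled") { print c ": " state[c]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: the fully protected output shown in step 5.
sample_ok() {
cat <<'EOF'
Protection      State
--------------- ----------
File            Enabled
Process         Enabled
Registry        Enabled
Service         Enabled
EOF
}

# Constructed sample: one category not Enabled, one row absent.
sample_tampered() {
cat <<'EOF'
Protection      State
--------------- ----------
File            Enabled
Process         Disabled
Registry        Enabled
EOF
}

# On a macOS endpoint, pipe the real command instead of a sample:
# "/Applications/Prisma Access Agent.app/Contents/Helpers/pacli" protect status | check_protect_status
sample_tampered | check_protect_status || echo "anti-tamper protection is incomplete"
```

Empty input (for example, when the agent is not installed) reports all four categories as missing, so it fails the check rather than passing silently.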