Control Editing of Server FQDN

Configure whether end users can add or edit the server FQDN in the Prisma Access Agent to maintain security controls and ensure compliance with Always-on deployment strategies.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Minimum Prisma Access Agent version: 25.6.1
  • macOS or Windows desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Prisma® Access Agent provides the ability to control whether end users can change or edit the server name, also known as the Prisma Access Agent Manager server FQDN, in the Prisma Access Agent app. By restricting this ability, you can enforce Always-on security postures and prevent unauthorized changes that might bypass security controls.
This feature introduces a configuration setting, Allow User to Edit/Add Server Name, that determines whether users can modify server settings in the agent. When disabled, users cannot add new FQDNs or modify existing entries, ensuring that the security configuration remains as you defined it.
You can configure this setting on a per-user or per-user-group basis for granular control across your environment.
User Experience
When users launch the Prisma Access Agent application, their ability to modify server connections depends on your configuration of the Allow User to Edit/Add Server Name setting. With restrictions enabled (the default setting), users experience a streamlined interface where the option to edit or add new server connections is hidden.
  • When signing in to the Prisma Access Agent app, the Server Name field in the login window is not editable.
  • The add and delete buttons in the Server Information section of the agent settings window (accessible from the hamburger menu), which normally enable adding new server FQDN entries, are not displayed. Users can view the current server connection information, but the fields appear gray and cannot be edited. If you configured multiple server connections, users can still select between these existing options to establish connections to different authorized servers.
When restrictions are disabled, users have full control over server connections. They can edit the server name when signing in, and they can add, edit, and remove server entries through the Prisma Access Agent settings window. This flexible mode provides convenience for trusted users or testing environments but reduces security control.
Command-Line Interface Experience
The Prisma Access Agent command-line interface (PACli) also provides commands for managing Prisma Access Agent Manager server FQDN addresses, including adding, deleting, listing, and setting the active server connection.
When you restrict FQDN editing, users will not be able to modify server connections through PACli using the following commands:
pacli epm address add
pacli epm address delete
pacli epm address set
If you enabled anti-tamper protection for the agent, users will be able to modify server connections using these commands provided that they enter the Privileged Access one-time password (OTP). Without this password, the commands fail, preventing unauthorized changes to server connections.
The pacli epm address list command remains accessible without requiring the Privileged Access OTP, enabling users to view their configured server options without modifying them. This maintains visibility while preserving security controls.
When you allow FQDN editing, pacli epm address commands function without requiring the Privileged Access OTP, maintaining backward compatibility with existing workflows. Commands execute directly, enabling users to add, delete, or switch between server connections through the command line.
To allow or disallow editing of the server FQDN:
  1. Navigate to the Prisma Access Agent Setting page.
    • From Strata Cloud Manager:
      1. Select Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Setup > Prisma Access Agent.
    • From Panorama:
      1. From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent > Launch Prisma Access Agent.
      2. Select Configuration > Prisma Access Agent > Settings > Prisma Access Agent.
  2. Add an agent setting or edit an existing agent setting.
    1. Select the match criteria (OS and User Entities) for the user or user group that will receive this configuration.
    2. In the App Configuration section, select Allow User to Edit/Add Server Name to permit your users to edit the server FQDN, or deselect the option to prevent users from editing the server FQDN.
      Default: Enabled
      As a best practice, disable this option to prevent users from adding or editing the server name and potentially bypassing the security controls that you established. When disabled (the default and recommended setting), users cannot add new server connections or modify existing ones. They can still select from pre-existing server connections if you are using multiple servers.
    3. Configure other agent settings if needed and Save the settings.
  3. Verify that the setting has been deployed to your endpoints.
    When the setting is disabled, the Server Name in the Prisma Access Agent login window is not editable. When enabled, the Server Name is editable.
    When disabled, the server name in the Prisma Access Agent settings window is static. When enabled, a plus icon appears next to the server name for users to add other server names.