Prisma Access Agent
Prisma Access Agent Deployment Configuration
Learn how to modify the configuration of the Prisma Access Agent
before deploying the agent to your endpoints.
After you finish onboarding your mobile users, your Prisma Access Agent
configurations, along with the Prisma Access tenant ID and Prisma Access server URL,
are saved to the Prisma Access Agent configuration file. You can download this
configuration file when you download the Prisma Access Agent package from the Endpoint Management
page (Configuration > Endpoint Management). The configuration file is read during the installation of the Prisma Access
Agent on your end users' devices.
Before you deploy the Prisma Access Agent to your end users' devices, you can
optionally edit the configuration file to modify the following options:
- Set the server URL (the Prisma Access Agent domain)
- Permanently enable or disable the feature to access Prisma Access Agents using a remote shell from the Endpoint Management page in Strata Cloud Manager
- If the GlobalProtect app is running on your end users' devices, choose whether to enable or disable the GlobalProtect app during the installation of the Prisma Access Agent
- Enable pre-logon for Prisma Access Agent
- Use the default system browser for SAML authentication on the endpoint
Updating this file is optional, as the configuration already contains default
settings or settings that you configured during the Prisma Access Agent onboarding
process.
The "enable_dlp": true setting is no
longer required to enable Endpoint DLP during the installation of
Prisma Access Agent. If you set it previously (before Prisma Access Agent version
25.3.1.14), remove it from the config.json file.
Prisma Access Agent Configuration File
To install the Prisma Access Agent with your configuration, you must put the
configuration file with a predefined name (such as config.json)
in the same folder as the Prisma Access Agent installation package. The Prisma
Access Agent installer will look for this file during the agent startup, read all
the supported values in the file, and configure the agent accordingly.
The following example shows the typical contents that you can have in a configuration
file:
{
  "server_url": "xxx.epm.gpcloudservice.com",
  "tenant_id": "xxxxxxxxxx",
  "disable_remote_shell": false,
  "unload_gp": true,
  "pre_logon_supported": true
}
You can modify the following fields and values in JSON format:
Field | Value |
---|---|
disable_remote_shell | false or true (boolean). Specifies whether to remove the feature to access a Prisma Access Agent for troubleshooting using a remote shell. Default: false. If you set the value to true, the remote shell capabilities are disabled at deployment and cannot be re-enabled until you remove the Prisma Access Agent and reinstall it. |
pre_logon_supported | false or true (boolean). When set to true, enables the pre-logon feature on endpoints. Pre-logon support for Prisma Access Agent establishes a secure tunnel before a user logs in to their device, which can provide essential network access for managing and updating remote devices without requiring a user to log in to their device. Default: false. |
server_url | The FQDN for the Prisma Access Agent domain without the https:// protocol (string). The server URL has this format: xxx.epm.gpcloudservice.com |
tenant_id | The ID for your Prisma Access tenant (string containing a numerical value). The tenant ID corresponds to the Strata Logging Service Instance (Tenant) ID. This field will be removed after the endpoint is able to resolve the tenant ID from the FQDN. |
unload_gp | false or true (boolean). If the GlobalProtect app is installed on the end user's device, specifies whether to disable the GlobalProtect app during the installation of the Prisma Access Agent. Default: false. If you set the value to true, the GlobalProtect app is disabled upon the installation of the Prisma Access Agent. After the installation, users can switch between the Prisma Access Agent and the GlobalProtect app. |
use_external_browser_for_auth | false or true (boolean). When set to true, uses the default system browser instead of the embedded browser for SAML authentication. Default: false. |
For Windows MSI packages, the following table shows the MSI properties and the
corresponding Prisma Access Agent configuration file settings:
MSI Property Name | Configuration Setting | Notes |
---|---|---|
CONFIG | — | The full path to the Prisma Access Agent configuration file. Default: config.json |
DISABLE_REMOTE_SHELL | disable_remote_shell | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
PRE_LOGON_SUPPORTED | pre_logon_supported | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
SERVER_URL | server_url | — |
TENANT_ID | tenant_id | — |
UNLOAD_GP | unload_gp | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
USE_EXTERNAL_BROWSER_FOR_AUTH | use_external_browser_for_auth | For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value. |
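Because the installer silently ignores values it cannot use, a malformed config.json (a quoted "true", a server_url carrying https://, a leftover enable_dlp) is easy to ship by mistake. The following script is an added example, not code from Palo Alto Networks or from this page: it checks a config.json against the field names, types and defaults in the table above and, for Windows rollouts, derives the equivalent MSI property string using the mapping from the MSI table (1 for true, an empty value for false). The sample tenant ID, the FQDN pattern check and the msiexec command form are this example's own assumptions.

```python
"""Validate a Prisma Access Agent config.json and derive the matching MSI
properties. Added example; field names and the MSI mapping follow the page's
tables, everything else (sample values, FQDN pattern, msiexec form) is assumed."""
import json
import re

# Fields documented on the page, grouped by the JSON type they must carry.
BOOLEAN_FIELDS = {
    "disable_remote_shell",
    "pre_logon_supported",
    "unload_gp",
    "use_external_browser_for_auth",
}
STRING_FIELDS = {"server_url", "tenant_id"}
# Settings the page says must be removed (enable_dlp, obsolete since 25.3.1.14).
OBSOLETE_FIELDS = {"enable_dlp"}

# Assumed shape of the agent domain: one or more labels, then .epm.gpcloudservice.com.
SERVER_URL_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.epm\.gpcloudservice\.com$", re.I)

# Constructed sample matching the page's example; the tenant ID is made up.
SAMPLE_CONFIG = """{
  "server_url": "xxx.epm.gpcloudservice.com",
  "tenant_id": "1234567890",
  "disable_remote_shell": false,
  "unload_gp": true,
  "pre_logon_supported": true
}"""

# Constructed sample with the mistakes the page warns about.
BAD_CONFIG = ('{"server_url": "https://xxx.epm.gpcloudservice.com", '
              '"tenant_id": 1234567890, "enable_dlp": true, "unload_gp": "true"}')


def validate_config(text: str) -> list[str]:
    """Return a list of problems found in the config text; an empty list means OK."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    for key, value in cfg.items():
        if key in OBSOLETE_FIELDS:
            problems.append(f"{key}: obsolete, remove it from config.json")
        elif key in BOOLEAN_FIELDS:
            if not isinstance(value, bool):   # rejects the string "true" as well
                problems.append(f"{key}: must be a JSON boolean, got {value!r}")
        elif key in STRING_FIELDS:
            if not isinstance(value, str):
                problems.append(f"{key}: must be a JSON string, got {value!r}")
        else:
            problems.append(f"{key}: unknown field")
    url = cfg.get("server_url")
    if isinstance(url, str):
        if url.lower().startswith("https://") or "/" in url:
            problems.append("server_url: FQDN only, without https:// or a path")
        elif not SERVER_URL_RE.match(url):
            problems.append("server_url: expected the form xxx.epm.gpcloudservice.com")
    tenant = cfg.get("tenant_id")
    if isinstance(tenant, str) and not tenant.isdigit():
        problems.append("tenant_id: must be a string holding a numerical value")
    return problems


def msi_properties(text: str) -> str:
    """Translate a valid config.json into PROPERTY=value pairs for msiexec.
    Booleans become 1 (true) or an empty value (false), per the MSI table."""
    problems = validate_config(text)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = json.loads(text)
    parts = []
    for key in sorted(cfg):
        value = cfg[key]
        if isinstance(value, bool):
            parts.append(f"{key.upper()}={'1' if value else ''}")
        else:
            parts.append(f'{key.upper()}="{value}"')
    return " ".join(parts)


def msiexec_command(text: str, msi_path: str) -> str:
    """Assumed silent-install command line carrying the derived properties."""
    return f'msiexec /i "{msi_path}" /qn {msi_properties(text)}'


if __name__ == "__main__":
    print("sample problems:", validate_config(SAMPLE_CONFIG))
    print("bad problems:", validate_config(BAD_CONFIG))
    print(msiexec_command(SAMPLE_CONFIG, r"C:\Temp\PrismaAccessAgent.msi"))
```

Run it against the config.json you downloaded before packaging; a non-empty problem list is a reason to stop the rollout, and the msiexec line is what a software-distribution job would execute when you prefer MSI properties over shipping config.json beside the package.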
Change the Prisma Access Agent Server Address
If a Prisma Access Agent is not connected to Prisma Access and the agent cannot be
found in the inventory, an incorrect server address might have been configured. You can
change the address by using the PACLI tool.
- Issue the following command in a terminal window or command prompt:
  - On macOS agents:
    /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
  - On Windows agents:
    "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
  where <xxx>.epm.gpcloudservice.com is the FQDN for the Prisma Access Agent domain without the https:// protocol, <tenant-id> is the Prisma Access tenant ID, and 443 is the port number for the server address.
- When prompted, enter the supervisor password (also known as the anti-tamper unlock password). If no supervisor password is assigned, you can enter any password or a blank password. You can enable or change the anti-tamper unlock password in Strata Cloud Manager. When the address is successfully changed, the following message is displayed:
  Successfully set EPM address
- To verify the server address setting, issue the following command:
  - On macOS agents:
    /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm status
  - On Windows agents:
    "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" epm status
  The following example output is shown:
  EPM Status: Up
  EPM Communication: WebSocket
  Current time: 2024-05-13 13:46:22, Pacific Daylight Time
  Last EPM Keepalive: 2024-05-13 13:46:22
  Last Successful Login: Never
  EPM Token Expiry: Never
  User Refresh Token Expiry: 2024-05-17 09:32:35
  Agent Refresh Token Expiry: 2024-11-09 11:34:03
  EPM Address: xxx.epm.gpcloudservice.com
  Machine ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  The following fields are for Dynamic Privilege Access enabled agents only:
  PBA Status: Enabled
  Project Name: Example-Project
  The Last Successful Login and EPM Token Expiry fields are shown as Never because the Prisma Access Agent still needs to authenticate to the server. To authenticate to the server, log in to the Prisma Access Agent.
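When you run pacli epm status across a fleet, the useful signal is not the raw text but whether EPM Address matches the domain you intended, whether the keepalive is current, and whether a token has already expired. The following script is an added example, not code from Palo Alto Networks or from this page: it parses the status output shown above and reports those conditions. The field names are those in the sample output; the keepalive tolerance, the second "unhealthy" sample and the checks themselves are this example's own assumptions.

```python
"""Parse `pacli epm status` output and flag the conditions that indicate the
agent cannot reach (or has never authenticated to) its Prisma Access server.
Added example; field names come from the page's sample output, the thresholds
and the unhealthy sample are assumed."""
from datetime import datetime, timedelta

TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed tolerance: flag the agent if the last keepalive is older than this.
KEEPALIVE_MAX_AGE = timedelta(minutes=10)

# Constructed sample modelled on the healthy output shown above.
SAMPLE_STATUS = """EPM Status: Up
EPM Communication: WebSocket
Current time: 2024-05-13 13:46:22, Pacific Daylight Time
Last EPM Keepalive: 2024-05-13 13:46:22
Last Successful Login: Never
EPM Token Expiry: Never
User Refresh Token Expiry: 2024-05-17 09:32:35
Agent Refresh Token Expiry: 2024-11-09 11:34:03
EPM Address: xxx.epm.gpcloudservice.com
Machine ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
"""

# Constructed sample of an agent pointed at the wrong domain with a stale
# keepalive and an expired agent refresh token (all values made up).
STALE_STATUS = """EPM Status: Down
EPM Communication: WebSocket
Current time: 2024-05-13 13:46:22, Pacific Daylight Time
Last EPM Keepalive: 2024-05-13 11:02:10
Last Successful Login: 2024-05-12 08:15:00
EPM Token Expiry: 2024-05-13 20:15:00
User Refresh Token Expiry: 2024-05-17 09:32:35
Agent Refresh Token Expiry: 2024-05-01 00:00:00
EPM Address: old.epm.gpcloudservice.com
Machine ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
"""


def parse_status(text: str) -> dict:
    """Turn 'Key: value' lines into a dict. Splits on the first colon only,
    so timestamp values keep their own colons intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _parse_time(value: str):
    """Parse 'YYYY-MM-DD HH:MM:SS[, zone name]'; return None for 'Never' or blanks."""
    stamp = value.split(",")[0].strip()
    try:
        return datetime.strptime(stamp, TIMESTAMP_FMT)
    except ValueError:
        return None


def check_status(text: str, expected_address: str) -> list[str]:
    """Return findings for one agent's status output; empty means it looks healthy
    apart from nothing to report."""
    f = parse_status(text)
    findings = []
    status = f.get("EPM Status", "missing")
    if status != "Up":
        findings.append(f"EPM Status is {status}, expected Up")
    addr = f.get("EPM Address", "")
    if addr.lower() != expected_address.lower():
        findings.append(f"EPM Address {addr!r} differs from expected "
                        f"{expected_address!r}; reset it with 'pacli epm address'")
    if f.get("Last Successful Login", "Never") == "Never":
        findings.append("Last Successful Login is Never: the agent has not "
                        "authenticated yet; log in to the Prisma Access Agent")
    now = _parse_time(f.get("Current time", ""))
    keepalive = _parse_time(f.get("Last EPM Keepalive", ""))
    if now and keepalive and now - keepalive > KEEPALIVE_MAX_AGE:
        findings.append(f"Last EPM Keepalive is {now - keepalive} old")
    for name in ("Agent Refresh Token Expiry", "User Refresh Token Expiry"):
        expiry = _parse_time(f.get(name, ""))
        if now and expiry and expiry < now:
            findings.append(f"{name} ({expiry:{TIMESTAMP_FMT}}) is in the past")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_STATUS), ("stale", STALE_STATUS)):
        print(label, check_status(sample, "xxx.epm.gpcloudservice.com") or ["ok"])
```

Feed it the captured stdout of the pacli epm status command on each endpoint; an address finding is the case this section addresses, and an expired agent refresh token or stale keepalive tells you the problem is not the address but connectivity or authentication.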