New Features - Prisma Access Agent - 25.7
Advanced DNS Security Resolver for Prisma Access Agent
Mobile Users with Prisma® Access Agents might need to disconnect the agent app due to various issues, such as connectivity or performance problems, customer site restrictions, or when accessing sanctioned applications directly. This creates security gaps due to the lack of security inspection for internet or Software as a Service (SaaS) traffic. Advanced DNS Security Resolver addresses this challenge by providing DNS security for Prisma Access Agent users whenever the user is disconnected from Prisma Access Agent, ensuring security protections remain in place at all times.
When you enable Advanced DNS Security Resolver for Prisma Access Agents, the agent routes DNS traffic to Palo Alto Networks DNS resolvers over HTTPS (DoH) whenever the primary tunnel connection is disconnected. The feature intercepts DNS queries and forwards them through encrypted connections, ensuring visibility and control over DNS requests even when users disconnect from the tunnel. The service supports user-authenticated modes, with long-lived device tokens valid for up to six months.
With this feature, forwarding of traffic to Advanced DNS Security Resolver relies on the same forwarding profiles the agent receives, giving you full control over which DNS traffic is resolved through Advanced DNS Security Resolver and which is allowed to go direct. The feature provides threat protection by blocking malicious domains using DNS Security, together with user-specific, administrator-configured DNS Security policies that you add to Advanced DNS Security Resolver. You can deploy Advanced DNS Security Resolver for Prisma Access Agent as a fallback mechanism that activates when primary tunnel connections are disrupted.
Captive Portal Support for iOS Prisma Access Agents (Per-App)
When an iOS device connects to a network with a captive portal (such as hotel or airport Wi-Fi login pages), the iOS Network Enforcer in always-on or per-app Prisma Access Agent deployments can block access to the captive portal, preventing end users from connecting to the internet. While iOS attempts to handle this natively, the operating system (OS)-level detection can be inconsistent, causing the login screen to never appear.
In per-app deployments, if the OS fails to present the login page automatically, the app now displays a local notification stating a captive portal is present. Users can tap this notification to manually open the captive portal within the Prisma® Access Agent embedded browser and complete authentication. Users can then enter required credentials, accept terms of service, and complete the authentication process successfully to access the internet.
Enhanced Anti-Tamper Protection for Prisma Access Agents on Panorama Managed Deployments
You can now use the enhanced anti-tamper protection capabilities for Prisma® Access Agent in Panorama Managed deployments, extending support beyond the existing Strata Cloud Manager managed Prisma Access environments where this feature is already generally available. This extension provides you with granular control over agent protection through unique one-time passwords and emergency access options across your Panorama Managed Prisma Access and NGFW deployments.
Enhanced anti-tamper protection supports the following use cases:
- Granular anti-tamper protection—Gives you the flexibility to configure anti-tamper settings (also called privileged access protection settings) at a per-user or per-user group level.
- Selective protection for operational teams—Temporarily disable privileged access protection for certain users or user groups who need the ability to modify files and folders, such as DevOps users, while maintaining anti-tamper protection for the rest of your users and user groups.
- Streamlined bulk operations—Allow certain users to perform batch operations such as installing Prisma Access Agent on endpoints for specific users or user groups.
- Offline access continuity—For emergency situations, such as when a device loses network connectivity, an emergency Privileged Access Token allows authorized users to perform necessary maintenance.
- User-initiated troubleshooting—Gives users time-bound access for problem resolution through time-limited Privileged Access OTPs issued for specific troubleshooting scenarios. This enables self-service problem resolution while maintaining security controls.
You can implement stronger authentication controls using Privileged Access Tokens, one-time passwords, and role-based access control that prevent unauthorized users from disabling or modifying agent configurations, ensuring your security policies remain enforced at endpoints. You should consider implementing these enhancements when your Panorama-managed deployment requires stronger endpoint security controls, particularly where agent tampering poses significant risks. This extension ensures feature parity between Strata Cloud Manager and Panorama Managed deployments, allowing you to leverage consistent anti-tamper protection regardless of your management platform.
HIP Passcode Detection for Prisma Access Agent on iOS and Android Endpoints
Mobile devices without passcode protection pose a significant security risk, as they can be easily exploited if lost or stolen, allowing unauthorized access to sensitive corporate data. Host Information Profile (HIP) data collection in Prisma Access Agent mitigates this threat by automatically detecting whether a device has a passcode configured.
This capability allows administrators to define and enforce granular security policies that restrict network access based on passcode presence. Prisma Access Agent continuously validates the passcode status against the required HIP profile. This automated enforcement ensures that only secure devices can access critical resources, reducing the attack surface associated with device theft or loss or unauthorized user access.
Internal Host Detection for Prisma Access Agent Mobile Endpoints
Creating secure tunnel connections when users are within internal corporate networks can be redundant and reduce network performance. Internal Host Detection in Prisma® Access Agent provides intelligent network awareness by automatically identifying whether a client device is connected to the corporate internal network or an external network, enabling seamless connection management and optimized security policies.
The Internal Host Detection feature of Prisma Access Agent is now supported on iOS, Android, and ChromeOS endpoints as well. The feature monitors network connectivity using a reverse DNS lookup of internal domains, and based on this real-time network assessment, Prisma Access Agent automatically determines the best way to achieve secure connectivity without user intervention.
When an endpoint is detected on the internal corporate network, the secure tunnel is automatically suppressed to prevent unnecessary connections, and the agent relies on the internal network to provide security and private app access. Conversely, when the endpoint moves to an external network, the tunnel automatically reconnects to maintain security protection. This automated behavior optimizes network performance and ensures users remain protected, without requiring manual end-user intervention.
Prisma Access Agent for Linux
Organizations need consistent zero trust network access (ZTNA) across all endpoints, but Linux desktop environments often present integration challenges. Prisma® Access Agent for Linux addresses this by extending ZTNA capabilities to Linux desktop environments, supporting Ubuntu and Fedora distributions on both x86_64 and 64-bit ARM architectures with kernel versions 5.15 and higher. You can deploy the agent using a portable installation method that eliminates dependency conflicts and works across different Linux configurations without requiring package manager modifications.
The agent provides comprehensive traffic steering to enforce split-tunnel policy rules and forwarding profiles based on applications, domains, or IP addresses. You can authenticate using Security Assertion Markup Language (SAML) through your system's default browser. The agent operates in user interface (UI) mode for desktop environments accompanied by a limited command-line interface (CLI) for automated deployments and troubleshooting.
You benefit from unified management through existing Prisma Access Agent Manager infrastructure, host information profile (HIP) reporting for endpoint compliance, and comprehensive logging capabilities. Organizations with significant Linux desktop deployments can now extend their zero trust security posture to these critical endpoints while maintaining consistent security enforcement across mixed operating system environments.
Prisma Access Agent HIP Exclusion, Patch Exception, and HIP Retry
Organizations deploying Prisma® Access Agent might face performance issues related to host information profile (HIP) data collection and reporting, such as:
- Collecting data from host information profile (HIP) compliance categories that are not required by your organization
- False HIP failures from frequent security updates with identical KB identifiers
- Unreliable report delivery due to network connectivity problems
You can now configure enhanced HIP capabilities to resolve these issues through three improvements:
- The Exclude Categories feature allows you to skip data collection for entire compliance categories like patch management or anti-malware, reducing processing overhead when certain checks are not relevant to your security requirements.
- You can configure patch exceptions to exclude specific security patches either permanently or temporarily by specifying KB article IDs, eliminating false failures from routine security updates.
- The HIP retry functionality automatically resubmits HIP reports when initial transmission fails due to network connectivity issues, performing up to three retry attempts with full logging to ensure reliable data delivery to gateways.
These enhancements reduce administrative overhead while supporting Zero Trust Network Access requirements across Windows and macOS platforms.
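The patch-exception and retry behavior described above, modeled as an added example (not Prisma Access Agent code; the KB identifiers, dates, and the `send` transport callback are constructed for illustration):

```python
import logging
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable, Optional, Set

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("hip-sim")

# Constructed sample data: patches an admin requires on Windows endpoints.
REQUIRED_KBS = {"KB5001000", "KB5002000", "KB5003000"}


@dataclass(frozen=True)
class PatchException:
    kb: str                        # KB article ID to exclude from the patch check
    expires: Optional[date] = None # None means a permanent exception


def missing_patches(installed: Set[str], required: Set[str],
                    exceptions: Iterable[PatchException], today: date) -> list:
    """Required patches not installed, minus exceptions still active on `today`."""
    active = {e.kb for e in exceptions if e.expires is None or e.expires >= today}
    return sorted((required - installed) - active)


def evaluate_hip(installed: Set[str], required: Set[str],
                 exceptions: Iterable[PatchException], today: date,
                 excluded_categories: Iterable[str] = ()) -> dict:
    """Patch-management compliance; an excluded category is skipped entirely."""
    if "patch-management" in set(excluded_categories):
        return {"compliant": True, "missing": [], "skipped": ["patch-management"]}
    missing = missing_patches(installed, required, exceptions, today)
    return {"compliant": not missing, "missing": missing, "skipped": []}


def submit_with_retry(report: dict, send: Callable[[dict], None],
                      max_attempts: int = 3) -> Optional[int]:
    """Resubmit on transport failure, up to three attempts, logging each try.

    Returns the attempt number that succeeded, or None if all attempts failed.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            send(report)
            log.info("HIP report delivered on attempt %d", attempt)
            return attempt
        except ConnectionError as exc:
            log.warning("HIP report attempt %d failed: %s", attempt, exc)
    log.error("HIP report not delivered after %d attempts", max_attempts)
    return None
```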
Prisma Access Agent Third-Party Coexistence with Bypass Rules
Organizations running multiple remote access agents on endpoints experience conflicts when agents compete for route control and DNS resolution, causing connectivity failures and inconsistent routing. These deployments are particularly common during extended Prisma® Access migrations where you might need to maintain legacy agents alongside Prisma Access for a period of time. They also occur during merger scenarios where employees access multiple company networks, or in consultant environments requiring simultaneous connections to client and corporate resources.
The third-party agent coexistence bypass feature resolves these conflicts by enabling you to configure Prisma Access Agent to ignore specific traffic through bypass rules in forwarding profiles. When you configure connections as bypass, Prisma Access Agent will not intercept or modify matching traffic, enabling third-party agents to handle those connections without interference.
You can configure bypass rules for network traffic only, DNS only, or both traffic types based on your requirements. When bypassed traffic matches third-party agent policy rules, those agents process the connections normally. If no third-party agent handles the bypassed traffic, the system sends traffic to the tunnel (if present) or directly to its destination (if the tunnel is not present). This capability enables staged migrations to Prisma Access from legacy solutions, operationally simplifies mergers and acquisitions, and enables consultants to work seamlessly.
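The bypass decision order described above (bypass match, then third-party agent, then tunnel if present, otherwise direct), as an added example rather than Prisma Access Agent code; the rule format, the `Flow` type, and the `third_party_handles` callback are constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Literal, Optional

Scope = Literal["traffic", "dns", "both"]


@dataclass(frozen=True)
class BypassRule:
    match: str     # CIDR (matches a connection's destination IP) or domain (matches a name)
    scope: Scope   # which traffic type the bypass applies to


@dataclass(frozen=True)
class Flow:
    kind: Literal["traffic", "dns"]
    name: Optional[str] = None  # DNS query name, or hostname associated with a connection
    ip: Optional[str] = None    # destination IP of a connection (traffic only)


def _matches(rule: BypassRule, flow: Flow) -> bool:
    """A rule applies only to its scope; CIDRs match IPs, domains match names/subdomains."""
    if rule.scope != "both" and rule.scope != flow.kind:
        return False
    if "/" in rule.match:
        if flow.ip is None:
            return False
        try:
            return ip_address(flow.ip) in ip_network(rule.match, strict=False)
        except ValueError:
            return False
    if flow.name is None:
        return False
    name = flow.name.lower().rstrip(".")
    suffix = rule.match.lower().lstrip(".")
    return name == suffix or name.endswith("." + suffix)


def decide(flow: Flow, rules: List[BypassRule],
           third_party_handles: Callable[[Flow], bool], tunnel_up: bool) -> str:
    """Who handles the flow: 'agent' (not bypassed), 'third-party', 'tunnel' or 'direct'."""
    if not any(_matches(r, flow) for r in rules):
        return "agent"                      # Prisma Access Agent intercepts as usual
    if third_party_handles(flow):
        return "third-party"                # another agent's policy claimed it
    return "tunnel" if tunnel_up else "direct"
```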
Prisma Access Agent User Issue Reporting and Consent
With endpoint insights enabled, Prisma® Access Agent users can now report connectivity issues directly from the Prisma Access Agent app or command-line interface when problems occur, allowing administrators to collect diagnostic logs in real-time as issues happen rather than after the fact. This immediate reporting capability ensures administrators receive accurate troubleshooting data captured during the actual problem occurrence, improving diagnostic accuracy and reducing resolution time.
When users experience connectivity problems, they can provide problem context and consent to diagnostic collection directly through the agent, eliminating delays between issue occurrence and data collection. This real-time approach addresses the common challenge where log data collected hours or days after an incident may no longer reflect the actual problem conditions.
You can also configure user consent requirements for administrator-triggered diagnostic collection, balancing privacy requirements with troubleshooting needs. When diagnostics run, the system collects comprehensive troubleshooting data including system logs. The collected diagnostic data provides administrators with the information needed for troubleshooting analysis.
Remote Log Collection for Prisma Access Agent on iOS, Android, or ChromeOS
When end users report network access issues with their iOS, Android, or ChromeOS devices, administrators typically need to instruct them to manually collect and share diagnostic logs, creating a time-consuming back-and-forth process that delays issue resolution. End users often don't know how to perform these tasks or may be unavailable. This manual process extends support ticket resolution times and can leave critical connectivity issues unresolved.
The Prisma® Access Agent remote log collection feature eliminates these challenges by enabling you to retrieve agent logs directly through the Endpoint Management page without requiring any action from end users. When you initiate log collection through the Endpoint Management page, the system automatically generates comprehensive diagnostic logs on the mobile device and transmits them to you within moments.
The collected logs include agent operational data that provides the information needed to diagnose connectivity problems, authentication failures, and other network access issues. You can download and analyze these logs following processes similar to those for Windows and macOS Prisma Access Agent deployments. The feature works when the mobile device is in a connected state, and you can download and analyze the logs at any time.