Changes to Default Behavior in Prisma Access Agent

Review the changes to default behavior in Prisma Access Agent.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
The following sections describe the changes to default behavior in Prisma Access Agent.

Changes to Default Behavior in Prisma Access Agent 25.4

Review the changes to default behavior in Prisma Access Agent 25.4.

Changes in Default Behavior for Enhanced Anti-Tamper Protection

The enhanced anti-tamper protection introduces several changes to default behavior that affect how administrators configure and users interact with protected Prisma Access Agents. These changes apply only to Strata Cloud Manager Managed Prisma Access. Panorama Managed Prisma Access and NGFW still use the previous anti-tamper implementation.
  • The system now provides several types of passwords users can enter depending on their intended action—the Privileged Access Token serves as the emergency password, the Privileged Access one-time password (OTP) for executing privileged operations, and operation-specific OTPs for targeted operations like disabling or uninstalling the agent. This hierarchy of passwords replaces the previous single-password validation where a correctly entered password granted universal access.
  • The system automatically provides and refreshes unique OTPs per user or user group and operation type, replacing the manual password management where administrators set a single static password across all devices. The system invalidates OTPs immediately after each use, eliminating the previous behavior where passwords remained valid indefinitely until manually changed.
  • Successful authentication with the Privileged Access Token or Privileged Access OTP now starts a configurable time window during which additional privileged operations don’t require reauthentication. The default tamper protection autoenable duration is 30 minutes. After this duration has elapsed, the anti-tamper protection will automatically reenable. The previous behavior required password entry for every privileged operation regardless of timing or previous authentication status.

Changes in Default Behavior for Administrator-Initiated Collection of Diagnostics

  • You can now trigger diagnostic collection for specific endpoints directly from Configuration > Endpoint Management. This replaces event-triggered diagnostic collection in the previous implementation.
  • The default diagnostic data retention period is 45 days and is configurable for up to two years. This replaces the previous fixed data retention period of 45 days.
  • The system provides delta log collection capturing incremental logs from the past 10 minutes to reduce data volume and improve collection performance. This replaces the full log collection from endpoints in the previous implementation.
  • Endpoint insights commands are no longer available in Prisma Access Agent 25.4. Use the Prisma Access Agent setup page to enable or disable endpoint insights. Use the Actions > Collect Diagnostics menu in Configuration > Endpoint Management to trigger the collection of diagnostics on-demand.

Changes in Default Behavior for ICMP Traffic Handling in Prisma Access Agent

Starting with Prisma Access Agent version 25.4, the default behavior for ICMP traffic has changed, and you should be aware of this change when planning your upgrade strategy.
In previous versions of Prisma Access Agent (< 25.4), ICMP traffic was blocked by default. However, with Prisma Access Agent version 25.4, ICMP traffic is now allowed direct by default.
With Strata Cloud Manager R4, you gain granular control over this behavior through new configuration options. You can use the "Block Non-TCP and Non-UDP based traffic when connected to tunnel" option to block all non-TCP and non-UDP traffic. When you select this option, an additional setting, "Allow ICMP for troubleshooting", becomes available, giving you control over ICMP traffic specifically while other non-TCP or non-UDP traffic remains blocked.
To maintain control over ICMP traffic behavior, you should follow a specific upgrade sequence:
  1. Upgrade Strata Cloud Manager to R4.
  2. Configure the "Block Non-TCP and Non-UDP based traffic when connected to tunnel" and "Allow ICMP for troubleshooting" options in the Forwarding Profiles Setup in Strata Cloud Manager to match the desired behavior.
  3. Upgrade Prisma Access Agent to version 25.4.
This sequence ensures you have the configuration options available before the agent behavior changes, enabling you to block ICMP traffic if your security policies require it.
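An added example, not Palo Alto Networks code: a pre-upgrade gate that applies the sequence above to a constructed inventory and flags profiles whose agents already run 25.4 with ICMP allowed against policy. The `Row` field names, the inventory values, the version strings and the simplified ICMP model are assumptions made for illustration.

```python
from collections import namedtuple

# Field names are hypothetical; block_non_tcp_udp and allow_icmp mirror the two
# Forwarding Profiles Setup options named on the page.
Row = namedtuple(
    "Row", "profile agent scm_r4 block_non_tcp_udp allow_icmp policy_blocks_icmp")

INVENTORY = [  # constructed sample data, not real tenant output
    Row("hq",    "25.3.1", False, False, False, True),
    Row("lab",   "25.3.1", True,  True,  False, True),
    Row("field", "25.4.0", False, False, False, True),   # agent upgraded first
    Row("noc",   "25.4.0", True,  True,  True,  False),
]

def parse_version(text):
    """'25.3.1' -> (25, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def icmp_allowed(agent, scm_r4, block_non_tcp_udp, allow_icmp):
    """Simplified model of the page's description of ICMP handling."""
    if parse_version(agent) < (25, 4):
        return False                  # before 25.4: blocked by default
    if scm_r4 and block_non_tcp_udp:
        return allow_icmp             # R4 options decide
    return True                       # 25.4 default: allowed direct

def remaining_steps(row):
    """Steps from the page's sequence still needed before agents on this
    profile can run 25.4 with ICMP blocked; [] means nothing is outstanding."""
    if not row.policy_blocks_icmp:
        return []
    steps = []
    if not row.scm_r4:
        steps.append("upgrade Strata Cloud Manager to R4")
    # Evaluate the profile as it will behave once SCM is R4 and the agent is 25.4.
    if icmp_allowed("25.4", True, row.block_non_tcp_udp, row.allow_icmp):
        steps.append("enable the block option and leave Allow ICMP off")
    return steps

def exposed(row):
    """True when ICMP is already allowed direct although policy blocks it."""
    return row.policy_blocks_icmp and icmp_allowed(
        row.agent, row.scm_r4, row.block_non_tcp_udp, row.allow_icmp)

def report(inventory):
    return {r.profile: (exposed(r), remaining_steps(r)) for r in inventory}

if __name__ == "__main__":
    for name, (bad, steps) in report(INVENTORY).items():
        print(name, "EXPOSED" if bad else "ok", steps)
```

A profile reported as exposed is the out-of-order case: its agents reached 25.4 before the blocking options were available or configured.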
This change provides you with broader flexibility and control over all non-TCP and non-UDP traffic. Once you have fully upgraded to both Strata Cloud Manager R4 and Prisma Access Agent 25.4, you can block non-TCP and non-UDP traffic and independently control ICMP traffic based on your operational needs. When you choose to block non-TCP and non-UDP traffic, you still have the option to selectively allow ICMP for troubleshooting purposes.
Review your current security policies regarding ICMP traffic and plan your upgrade strategy to ensure continuity with your organization's requirements.