Changes to Default Behavior in Prisma Access Agent
Review the changes to default behavior in Prisma Access Agent.
Where Can I Use This?
Prisma Access (Managed by Panorama or Strata Cloud Manager)
NGFW (Managed by Panorama)
What Do I Need?
Check the prerequisites for the deployment you're using
Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Changes to default behavior in the Prisma Access Agent are provided.
Changes to Default Behavior in Prisma Access Agent 25.4
Review the changes to default behavior in Prisma Access Agent 25.4.
Default Behavior Changes for Enhanced Anti-Tamper Protection
The enhanced anti-tamper protection introduces several changes to default
behavior that affect how administrators configure and users interact with
protected Prisma Access Agents. These changes apply only to Strata Cloud Manager Managed Prisma Access.
Panorama Managed Prisma Access and NGFW still use the previous anti-tamper
implementation.
The system now provides several
types of passwords users can enter depending on their intended
action—the Privileged Access Token serves as the emergency password, the
Privileged Access one-time password (OTP) for executing privileged
operations, and operation-specific OTPs for targeted operations like
disabling or uninstalling the agent. This hierarchy of passwords
replaces the previous single-password validation where a correctly
entered password granted universal access.
The system automatically
provides and refreshes unique OTPs per user or user group and operation
type, replacing the manual password management where administrators set
a single static password across all devices. The system invalidates OTPs
immediately after each use, eliminating the previous behavior where
passwords remained valid indefinitely until manually changed.
Successful authentication with the
Privileged Access Token or Privileged Access OTP now starts a
configurable time window during which additional privileged operations
don’t require reauthentication. The default tamper protection autoenable
duration is 30 minutes. After this duration has elapsed, the anti-tamper
protection will automatically reenable. The previous behavior required
password entry for every privileged operation regardless of timing or
previous authentication status.
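The OTP rules described in this section can be read as a small state machine. The following Python model is an added illustration, not Palo Alto Networks code: the class, method names, and scope strings are hypothetical, the Privileged Access Token is left out, and OTP generation is a stand-in for whatever the service actually issues.

```python
import hmac
import secrets

WINDOW_SECONDS = 30 * 60  # default duration stated in this section


class AntiTamperModel:
    """Toy model of the documented OTP rules (hypothetical, not agent code)."""

    PRIVILEGED = "privileged"  # assumed scope name for the Privileged Access OTP

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.otps = {}           # scope -> currently valid OTP
        self.unlocked_until = 0  # end of the no-reauthentication window

    def issue_otp(self, scope):
        # One OTP per scope; issuing again refreshes (replaces) the old value.
        self.otps[scope] = secrets.token_hex(4)
        return self.otps[scope]

    def _consume(self, scope, candidate):
        expected = self.otps.get(scope)
        if expected is None or not hmac.compare_digest(expected, candidate or ""):
            return False
        del self.otps[scope]  # invalidated immediately after use
        return True

    def authorize(self, operation, candidate, now):
        # Inside the window, privileged operations need no new password.
        if now < self.unlocked_until:
            return True
        # A Privileged Access OTP opens the window for further operations.
        if self._consume(self.PRIVILEGED, candidate):
            self.unlocked_until = now + self.window
            return True
        # An operation-specific OTP authorizes only its own operation.
        return self._consume(operation, candidate)


if __name__ == "__main__":
    model = AntiTamperModel()
    otp = model.issue_otp("disable")
    print("uninstall with disable OTP:", model.authorize("uninstall", otp, now=0))
    print("disable with disable OTP:  ", model.authorize("disable", otp, now=0))
    print("same OTP replayed:         ", model.authorize("disable", otp, now=1))
```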
Default Behavior Changes for Administrator-Initiated Collection of
Diagnostics
You can now trigger
diagnostic collection for specific endpoints directly from Manage > Prisma Access Agent. This replaces event-triggered diagnostic collection in
the previous implementation.
The default
diagnostic data retention period is 45 days and is configurable for up
to two years. This replaces the previous fixed data retention period of
45 days.
The system provides delta log
collection capturing incremental logs from the past 10 minutes to reduce
data volume and improve collection performance. This replaces the full
log collection from endpoints in the previous implementation.
Endpoint insights
commands are no longer available in Prisma Access Agent 25.4. Use the
Prisma Access Agent setup page to enable or disable endpoint insights.
Use the Actions > Collect Diagnostics menu in Manage > Prisma Access Agent to trigger the collection of diagnostics on-demand.