Enhanced anti-tamper protection for Prisma Access Agent extends the current anti-tamper protection implementation by introducing a secure and flexible approach to protecting agent services, processes, files, and registries from unauthorized tampering. The enhanced anti-tamper protection provides unique one-time passwords (OTPs) and more granular configuration where you can configure privileged access tokens per user and user group, enabling more granular control over who can modify the agent and when.

Enhanced anti-tamper protection supports the following use cases:

The enhanced anti-tamper protection introduces several types of access passwords to address different scenarios. The Privileged Access Token serves as an emergency override solution for critical situations, such as when a device loses network connectivity. The Privileged Access OTP enables end users to execute any privileged command for troubleshooting. Specific operation OTPs are also available for targeted actions like disabling or uninstalling the agent. You can configure the duration for which protection remains disabled after using these tokens, with values ranging from 30-480 minutes.

Role-based access control (RBAC) ensures that only authorized administrators, such as superusers or security administrators, can access the Privileged Access Token. Any administrator who has access to the Inventory page can view and copy OTPs. All OTPs are automatically refreshed after one-time usage and are never stored on the endpoint, maintaining a secure environment even if a device is compromised.

Your organization might face challenges with agent connections traversing multiple ISPs and network hops, resulting in varying MTU values lower than the standard 1500 bytes. This situation can lead to excessive fragmentation, additional overhead, lower throughput, and dropped packets, ultimately causing poor performance and user frustration. Manual configuration of optimal MTU in such diverse environments is time-consuming, repetitive, and not scalable.

The optimized Prisma Access Agent MTU feature addresses these pain points by automatically determining and applying the optimal maximum transmission unit (MTU) size for agent connections. Optimized MTU is enabled by default in Prisma Access Agent to help improve connection stability and performance without manual intervention across various network conditions. This feature supports IPv4 tunnels and is compatible with IPSec and SSL tunnel protocols. It's valuable for organizations with remote users connecting through different ISPs or those frequently encountering MTU-related connectivity issues. By utilizing this feature, you can expect improved network throughput, reduced packet fragmentation, fewer retransmissions, enhanced end-user experience, and increased productivity. You might also experience a decrease in support escalations related to connection performance issues.

Originally available on Windows Prisma Access Agents, optimized MTU support is extended to macOS agents, providing consistent MTU optimization across both major desktop platforms.

Although optimized MTU is enabled by default for all Prisma Access Agents, you can manually configure and override the PMTU value if needed.

Prisma Access Agent extends client certificate authentication support to Panorama Managed Prisma Access and NGFW deployments, enabling you to implement certificate-based security controls through the Prisma Access Agent Manager (EPM) configuration interface. This feature provides you with three authentication options: Client Certificate through Cloud Identity Engine, Client Certificate OR SAML through Cloud Identity Engine, and Client Certificate AND SAML through Cloud Identity Engine. You can configure these options based on your organization's security requirements and compliance needs. Certificate authentication is essential when you need strong device identity verification before granting network access. This capability enables you to enforce certificate-based policies consistently across NGFW and Prisma Access gateways in hybrid deployments. The feature integrates with Cloud Identity Engine to provide centralized certificate management and validation.

Match criteria for user authentication now includes endpoint operating system (OS) type support in the Prisma Access Agent configuration interface for Panorama Managed Prisma Access and NGFW deployments, enabling you to create authentication policies based on operating system types. This feature enables you to apply different authentication requirements for the supported OS types. You can configure platform-specific authentication rules that align with your organization's security posture for different OS types. This capability is valuable when you need to implement varying security controls based on device capabilities or organizational policies. Platform-based authentication helps you balance security requirements with user experience across diverse endpoint environments.

Prisma Access Agent extends configuration validation and notification capabilities to Panorama managed deployments, providing you with real-time alerts about outdated or invalid configurations that could impact service availability. When you initially set up the agent using the Prisma Access Agent configuration interface (EPM), the agent inherits objects managed in Panorama like gateway settings and certificates. After the initial setup, any changes in Panorama are not reflected in the EPM, causing the agent configurations in the EPM to become outdated. The Prisma Access Agent configuration interface now displays notification banners when dependent objects such as gateways or certificates become stale. For example, you will receive notifications when gateways deleted on Panorama remain in use in EPM configurations, or when expired or deleted authentication override certificates on Panorama remain in use in the EPM configuration interface. You will also receive a notification when certificate profiles in the HIP section of the Prisma Access Agent Settings page become outdated. These notifications appear as banners that can’t be dismissed across all configuration pages until you resolve the underlying issues, ensuring that critical configuration problems are not overlooked or ignored.

Session timeout controls for Prisma Access Agent are extended to Panorama Managed Prisma Access and NGFW deployments, providing you with granular control over user session duration and expiration handling. You can configure session timeouts in days, minutes, or hours based on your security policies. The feature includes a notification system that warns users before their session expires, with a default value of 0 and a maximum of 120 minutes for the notification period. You can customize the session timeout expiration message to provide users with appropriate guidance when their session ends. This capability helps you enforce security policies while providing users with adequate warning to save their work and maintain productivity.

To streamline the troubleshooting process, Prisma Access Agent now directly integrates the Access Experience icon into its main application interface, giving your users a convenient way to get help for their issues. This applies if you enabled the installation of the Access Experience app along with the installation of Prisma Access Agent. With this feature, you no longer need to instruct users to find and click a separate icon in the Windows system tray or macOS menu bar when they encounter connectivity issues. Instead, users simply open the Prisma Access Agent app and access the integrated Access Experience icon, creating a more intuitive workflow for resolving problems. This integration reduces interface clutter and provides a more straightforward path to diagnostic tools.

The streamlined path to Access Experience provides your users with immediate access to troubleshooting resources for connectivity issues, device health assessments, and other common access problems. When users encounter difficulties, they can launch the Prisma Access Agent, click the Access Experience icon within the application, and immediately access diagnostic and self-help tools. To enable your users to access the Access Experience app from Prisma Access Agent, you will need to configure the agent to install Access Experience with Prisma Access Agent.

Enhance Prisma Access Agent traffic enforcement by blocking all non-TCP and non-UDP traffic when the agent is connected to the tunnel. This feature expands Prisma Access Agent protocol coverage by implementing controls to block all non-TCP and non-UDP traffic in kernel mode, providing an option to enforce security policy for these protocol types.

When you enable this feature in your Prisma Access Agent deployment, the system blocks non-TCP and non-UDP traffic while the tunnel is active. This applies to protocols like ICMP, GRE, IPSec, and other IP-based protocols, ensuring these protocols can’t bypass your security policy. You can optionally allow ICMP traffic for network troubleshooting while still blocking other non-TCP and non-UDP traffic.

This capability supports organizations that need strict traffic control for specific projects or users by ensuring that non-TCP and non-UDP traffic gets blocked when the agent is connected. The feature integrates with existing Prisma Access Agent forwarding profiles and rules, enhancing your security posture without disrupting current configurations.

You can configure the feature with two primary options: blocking all non-TCP and non-UDP traffic when connected to the tunnel, and optionally allowing ICMP traffic for troubleshooting purposes. The ICMP allowance option becomes available only when you enable the primary blocking feature, providing flexibility for network diagnostics while maintaining security controls.