Prisma Access Agent Commands

Table of Contents

Switch Between the Prisma Access Agent and GlobalProtect App

Prisma Access Agent Commands

Learn about the Prisma Access Agent commands that you can run on the Prisma Access command-line tool.

Where Can I Use This?	What Do I Need?
Prisma Access Agent	Minimum Prisma Access Agent version: 25.1.14 macOS 14 and later or Windows 10 version 2024 and later desktop devices Internet access

The administrator can run Prisma Access Agent commands using the Prisma Access command line (PACli) tool to gain visibility into the Prisma Access Agent deployment. They can run the Prisma Access Agent commands in a terminal session on your device or in a remote shell.

Usage

To issue Prisma Access Agent commands on the Prisma Access command-line tool, use the following syntax:

For macOS agents:

/Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli /? | [command] [/? | help | options]]

For Windows agents:

"C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" /? | [command] [/? | help | options]]

If you enter the pacli command without arguments or with the /? option, the list of available Prisma Access Agent commands is displayed.

If you set up an environment variable for the PACli tool (pacli), you can just enter pacli <command> without the folder path.

The following tables contain descriptions of the Prisma Access Agent commands and associated options that you can run on the Prisma Access command line. In the command input and output, the terms "EPM" and "epm" refer to the agent management plane or Prisma Access Agent Manger (also known to end users as the server). The management plane communicates with the agent, such as sending commands and configurations to the agent, routing authentication requests to the Cloud Identity Engine, and once authenticated, providing the agent with a token for the gateways.

Command	Description
version	Shows the version of the Prisma Access Agent that’s running on the endpoint
connect	Creates a tunnel connection for Prisma Access Agent traffic by connecting to a gateway. To connect to a location, enter pacli connect <gateway name> To get a list of the Prisma Access locations where your users can connect to, enter pacli gateway To connect to the best available location, enter pacli connect --best
disconnect	Stops the tunnel connection by disconnecting from the gateway
status	Shows the current Prisma Access Agent status. You can view the following status: State—Shows the state of the Prisma Access Agent Mode—Shows the mode the Prisma Access Agent is running in (Always On or On Demand) Tunnel—Shows the state of the Prisma Access Agent connection HIP Status—Shows whether your device is compliant EPM Status—Shows the status of the EPM EPM Last Seen—Shows the last time your device connected to the to the EPM Local Hostname—Shows the hostname of the end-user device
protect	Enables or disables the feature that protects the Prisma Access Agent from being tampered with on the endpoint, such as the unauthorized uninstallation of the agent. You can specify the following options: status—Displays the protection status of the Prisma Access Agent files and folders, Prisma Access Agent processes, Prisma Access Agent registry keys (Windows-only), and Prisma Access Agent services and HIP processes. enable—Enables the anti-tamper feature. disable—Disables the anti-tamper feature. Requires the anti-tamper unlock password.
epm	Performs agent management actions using the following options: status—Shows the current status of the service that manages Prisma Access Agents. address—Sets the URL for the EPM. You can add, delete, list, or set (connect) to a specified server URL. signout—Disconnects the Prisma Access Agent from the EPM and discards the token that the agent management authentication service generated. The token enables the agent to communicate with any EPM component. If you enter pacli epm signout --keep, the command will disconnect the agent from the EPM without discarding the token. fetch—Retrieves the Prisma Access Agent configuration immediately. set-token—Resets the token that the agent management authentication service generated. The Prisma Access Agent uses the token to communicate with any agent management component. If you enter pacli epm incorrectly or without any arguments, the list of available options is displayed.
config	Manages the local configuration of the Prisma Access Agent. You can use the following options: import—Imports the configuration from a configuration file export—Exports the configuration to a file
loglevel	Manipulates the logging level of Prisma Access Agent logs using the following options: status—Shows the current verbosity level of the logs set—Sets the verbosity level of the logs
event	Shows a list of Prisma Access Agent events
command	Triggers a command that is sent from the server (EPM) to the client (Prisma Access Agent).
gateway	Gets a list of the Prisma Access locations where your users can connect to
enable	Enables the Prisma Access Agent
disable	Disables the Prisma Access Agent. Requires the anti-tamper unlock password.
hip	Runs host information profile actions: status—Shows the current HIP status version—Shows the version of the HIP library resend—Sends a HIP report to the current Prisma Access location and EPM update—Updates the HIP library (if an update is available) notification—Shows the HIP notifications that the agent received
tunnel	Shows the status of the tunnel, including the name and IP address of the Prisma Access location, and the type of tunnel that has been established. Also shows the MTU size and the volume of data that the agent transmitted and received.
getlogs	Creates a zip package of all local Prisma Access Agent logs.
adem	Shows the current status of the Autonomous DEM agent (if it is installed on the endpoint).
project	Allows you to connect to a different project for Dynamic Privilege Access enabled agents. You can enter one of the following options: logout—Log out of the current project. login <project_name>—Log in to a project by specifying the project name. The maximum length for the project name is 32 characters. list—Show the list of projects that the user has access to. For example, to log in or to switch to a project, enter pacli login my_project.
traffic	Shows the agent's traffic forwarding rules and the traffic routing logs respectively, such as how traffic is routed for each connection and whether it is through the tunnel or directly to the internet. This command will print the active rules in a tabular format on the command line. You can use the following options: show—Show the traffic forwarding rules in a forwarding profile show <n>—Show a specific traffic forwarding rule by specifying the row number log—Show the entries in the network connection (traffic routing) log log <n>—Show a specific row in the network connection log by specifying the row number export <filename>—Export the traffic forwarding rules to a file import <filename>—Import the traffic forwarding rules from a file
switchto	Switches between the Prisma Access Agent and the GlobalProtect app, if both apps are installed on an endpoint. You can enter one of the following options: GlobalProtect—Switches to the GlobalProtect app. Requires the anti-tamper unlock password. PrismaAccessAgent—Switches to the Prisma Access Agent. Switching to an app will automatically disable the previously active app.
wpp	Enables Prisma Access Agent driver logging using the Windows software trace preprocessor (WPP) (Windows-only). You can start, stop, or reset the software trace preprocessor.
dlp status	Shows the status for the Endpoint Data Loss Prevention feature.

Switch Between the Prisma Access Agent and GlobalProtect App

Prisma Access Agent for iOS

Prisma Access Agent Docs

Prisma Access Agent Commands

Prisma Access Agent Docs

Prisma Access Agent Commands

Usage

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner