Prisma Access Agent Commands
Learn about the Prisma Access Agent commands that you can run on the Prisma Access command-line tool.
Administrators can run Prisma Access Agent commands using the Prisma Access
command-line (PACli) tool to gain visibility into the Prisma Access Agent
deployment. The commands can be run in a terminal session on the device or
in a remote shell.
Usage
To issue Prisma Access Agent commands on the Prisma Access command-line tool, use the
following syntax:
- For macOS agents:
  /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli [/? | [command] [/? | help | options]]
- For Windows agents:
  "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" [/? | [command] [/? | help | options]]
If you enter the pacli command without arguments or with the
/? option, the list of available Prisma Access Agent commands is
displayed.
If you set up an environment variable for the PACli tool
(pacli), you can just enter pacli
<command> without the folder path.
The following tables contain descriptions of the Prisma Access Agent commands and
associated options that you can run on the Prisma Access command line. In the
command input and output, the terms "EPM" and "epm" refer to the agent management
plane or Prisma Access Agent Manager (also known to end users as the server). The
management plane communicates with the agent, such as sending commands and
configurations to the agent, routing authentication requests to the Cloud Identity
Engine, and once authenticated, providing the agent with a token for the
gateways.
Command | Description |
---|---|
version | Shows the version of the Prisma Access Agent that’s running on the endpoint |
connect | Creates a tunnel connection for Prisma Access Agent traffic by connecting to a gateway. To connect to a location, enter pacli connect <gateway name>. To get a list of the Prisma Access locations that your users can connect to, enter pacli gateway. To connect to the best available location, enter pacli connect --best. |
disconnect | Stops the tunnel connection by disconnecting from the gateway |
status | Shows the current Prisma Access Agent status. You can view the following status: |
protect | Enables or disables the feature that protects the Prisma Access Agent from being tampered with on the endpoint, such as the unauthorized uninstallation of the agent. You can specify the following options: |
epm | Performs agent management actions using the following options: If you enter pacli epm incorrectly or without any arguments, the list of available options is displayed. |
config | Manages the local configuration of the Prisma Access Agent. You can use the following options: |
loglevel | Manipulates the logging level of Prisma Access Agent logs using the following options: |
event | Shows a list of Prisma Access Agent events |
command | Triggers a command that is sent from the server (EPM) to the client (Prisma Access Agent). |
gateway | Gets a list of the Prisma Access locations that your users can connect to |
enable | Enables the Prisma Access Agent |
disable | Disables the Prisma Access Agent. Requires the anti-tamper unlock password. |
hip | Runs host information profile actions: |
tunnel | Shows the status of the tunnel, including the name and IP address of the Prisma Access location, and the type of tunnel that has been established. Also shows the MTU size and the volume of data that the agent transmitted and received. |
getlogs | Creates a zip package of all local Prisma Access Agent logs. |
adem | Shows the current status of the Autonomous DEM agent (if it is installed on the endpoint). |
project | Allows you to connect to a different project for Dynamic Privilege Access enabled agents. You can enter one of the following options: For example, to log in or to switch to a project, enter pacli login my_project. |
traffic | Shows the agent's traffic forwarding rules and the traffic routing logs respectively, such as how traffic is routed for each connection and whether it is through the tunnel or directly to the internet. This command will print the active rules in a tabular format on the command line. You can use the following options: |
switchto | Switches between the Prisma Access Agent and the GlobalProtect app, if both apps are installed on an endpoint. You can enter one of the following options: Switching to an app will automatically disable the previously active app. |
wpp | Enables Prisma Access Agent driver logging using the Windows software trace preprocessor (WPP) (Windows-only). You can start, stop, or reset the software trace preprocessor. |
dlp status | Shows the status for the Endpoint Data Loss Prevention feature. |
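
The visibility commands from the table above can be captured in one pass for troubleshooting or incident triage. The following script is an added example, not Palo Alto Networks code: the PACLI override variable, the output file layout, and the assumption that these commands run without further arguments are its own. It targets the macOS path from the Usage section; on Windows the same sequence applies with the Windows path.

```shell
#!/bin/sh
# Added example: snapshot read-only PACli output for troubleshooting or triage.
# Assumptions (not from the page): the PACLI override variable, the output
# file layout, and that these commands run without further arguments.

# Default macOS install path, taken from the Usage section.
PACLI_DEFAULT="/Applications/Prisma Access Agent.app/Contents/Helpers/pacli"

# Print the pacli path to use: PACLI override, then PATH, then the default.
find_pacli() {
    if [ -n "${PACLI:-}" ]; then
        candidate=$PACLI
    elif command -v pacli >/dev/null 2>&1; then
        candidate=$(command -v pacli)
    else
        candidate=$PACLI_DEFAULT
    fi
    [ -x "$candidate" ] && printf '%s\n' "$candidate"
}

# Run each visibility command once and keep its output and exit code.
# Only commands the table describes as "Shows ..." or "Gets ..." are used,
# so the snapshot never connects, disconnects, or reconfigures the agent.
# Prints the number of commands that exited non-zero.
collect_snapshot() {
    outdir=$1
    pacli_bin=$(find_pacli) || { echo "pacli not found" >&2; return 2; }
    mkdir -p "$outdir" || return 3
    : >"$outdir/exit_codes.tsv"
    failed=0
    for cmd in version status tunnel gateway event adem "dlp status"; do
        name=$(printf '%s' "$cmd" | tr ' ' '_')
        # $cmd is left unquoted so "dlp status" is passed as two arguments.
        "$pacli_bin" $cmd >"$outdir/$name.txt" 2>&1 && rc=0 || rc=$?
        printf '%s\t%s\n' "$cmd" "$rc" >>"$outdir/exit_codes.tsv"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    echo "$failed"
}

# Runs only when asked: sh pacli_snapshot.sh collect [output-dir]
if [ "${1:-}" = "collect" ]; then
    collect_snapshot "${2:-pacli-snapshot-$(date +%Y%m%dT%H%M%S)}"
fi
```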