Prisma Browser Guest Mode

Where Can I Use This? / What Do I Need?
  • Windows deployment
  • Prisma Browser v149 or later
This article discusses the following topics:
  • Overview - What Guest Mode is and when it applies.
  • Configuration - Enabling Guest Mode via registry keys.
  • Behavior - User experience in a Guest session.
  • Security Considerations - Risks of unauthorized activation and recommended guardrails to protect your environment.
Guest Mode bypasses all Prisma Browser security controls by design. Before enabling Guest Mode, review the Security Considerations section to understand the risks and consider deploying the recommendations.
In exclusive browser environments where Prisma Browser is the only installed browser, users who cannot log in to the managed environment are unable to access the internet. Guest Mode addresses this by providing an ephemeral solution for unmanaged web access directly from the login page.
Guest Mode bypasses all Prisma Browser security controls by design. When enabled, it opens an unmanaged browser window with no DLP, URL filtering, threat prevention, or policy enforcement.

Guest Mode Configuration

Guest Mode is only supported in Microsoft Windows.
Guest Mode is enabled via a local registry key. Administrators should deploy this key to target endpoints where emergency internet access is required.
Registry Path: HKLM\SOFTWARE\Policies\PaloAltoNetworks\PrismaAccessBrowser
Property / Value
  • Value Name: GuestModeAccessibility
  • Value Type: REG_DWORD
  • Value Data: 1 (Enabled) or 0 (Disabled)

Guest Session Behavior

When a user selects "Continue as Guest" on the login screen, the browser initiates an ephemeral session with the following characteristics:
  • An unmanaged Chromium window opens, visually distinct from managed sessions.
  • No security policies (DLP, URL filtering, threat prevention) are enforced.
  • All session data (history, cookies, cache) is discarded immediately upon closing the window.

Guest Mode Limitations

  • Private Applications: Applications accessed via Prisma Browser tunneling are unavailable.
  • IdP Enforcement: Guest Mode does not bypass identity-based access controls at the application layer; IdP-protected apps remain inaccessible.

Security Considerations

Risk: Unauthorized Guest Mode Activation

Any entity with write access to the registry can enable Guest Mode, potentially allowing local administrators or malware to bypass enterprise security policies or establish exfiltration channels.

Recommendations

1. Restrict Registry Key Write Access

Harden registry ACLs to limit write access strictly to SYSTEM and Domain Admins, explicitly removing write permissions for the local Administrators group.

2. Monitor for Unauthorized Changes

Utilize SIEM or EDR solutions to alert on modifications to the Guest Mode registry key, specifically monitoring for Event ID 4657 when the subject is not a trusted service account.

3. Use Group Policy to Enforce Key Values

Deploy the configuration as a GPO Policy rather than a Preference. This ensures the value is re-applied every 90 minutes, automatically reverting local tampering.

4. Endpoint Detection Rules

Configure Cortex XDR or similar platforms to flag any process other than approved management tools (e.g., gpupdate.exe) writing to the PaloAltoNetworks registry path.
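The registry ACL hardening from recommendation 1 and the audit prerequisite for the Event ID 4657 alert in recommendation 2, as an added PowerShell example that is not part of this article or of Prisma Browser. It uses the key path and value name given above; the group name CONTOSO\Domain Admins is a placeholder for your own domain's admin group, and the script assumes an elevated session on the endpoint.

```powershell
# Added example (not from the Palo Alto Networks documentation). Run elevated.
# 'CONTOSO\Domain Admins' is a placeholder; substitute your domain's admin group.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\PaloAltoNetworks\PrismaAccessBrowser'
$ValueName  = 'GuestModeAccessibility'
$AdminGroup = 'CONTOSO\Domain Admins'
$Rights     = [System.Security.AccessControl.RegistryRights]

# Create the key if it is absent so the ACL can be applied before any value exists.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# --- Audit 1: current value. A missing value or 0 means Guest Mode is disabled. ---
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) { Write-Warning "$ValueName = 1: Guest Mode is ENABLED on this endpoint" }
else { Write-Output "$ValueName = '$current': Guest Mode is disabled" }

# --- Audit 2: every principal that can currently write to the key. ---
$WriteMask = $Rights::SetValue -bor $Rights::CreateSubKey -bor $Rights::Delete -bor $Rights::ChangePermissions -bor $Rights::TakeOwnership
$acl = Get-Acl -Path $KeyPath
$acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $WriteMask) -ne 0) } |
    Select-Object IdentityReference, RegistryRights, IsInherited | Format-Table -AutoSize

# --- Harden: only SYSTEM (the Group Policy client) and Domain Admins may write. ---
# Inheritance must be cut first: the Administrators Full Control ACE comes from
# HKLM\SOFTWARE\Policies and cannot be removed while it is inherited.
$acl.SetAccessRuleProtection($true, $false)
$Inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Right = $Rights::FullControl },  # GPO refresh writes as SYSTEM
    @{ Id = $AdminGroup;              Right = $Rights::FullControl },
    @{ Id = 'BUILTIN\Administrators'; Right = $Rights::ReadKey },      # local admins: read only
    @{ Id = 'BUILTIN\Users';          Right = $Rights::ReadKey }       # the browser reads the policy as the user
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($r.Id, $r.Right, $Inherit, $Propagate, $Allow)))
}

# --- Make Event ID 4657 possible: 4657 is only logged when the key carries a SACL
#     AND the "Registry" object-access audit subcategory is enabled. ---
$AuditOn = [System.Security.AccessControl.AuditFlags]::Success
$acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $WriteMask, $Inherit, $Propagate, $AuditOn)))
Set-Acl -Path $KeyPath -AclObject $acl
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
Write-Output "DACL and SACL applied to $KeyPath"
```

Once applied, members of the local Administrators group (including the account that ran the script) can no longer change the value or the ACL without first taking ownership of the key, which itself produces an auditable event. The value of GuestModeAccessibility is still set by the GPO described in recommendation 3, not by this script.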

Summary - Defense in Depth Approach

Condition / Action
  • Key set to 1 by a local user account: High-priority alert
  • Key set to 1 outside approved change window: Medium-priority alert
  • Key set to 1 on endpoints not in the approved Guest Mode OU: High-priority alert

Use Group Policy to Enforce Key Value

Deploy the key as a Policy (not a Preference) via GPO. Policy-based registry values are re-applied at every Group Policy refresh interval (default: 90 minutes), automatically reverting any local tampering.
Steps:
  1. Create a policy that sets GuestModeAccessibility = 0
  2. Link it to all OUs except those where Guest Mode is explicitly needed during outages
  3. Any local modification will be overwritten at the next GP refresh cycle

Endpoint Detection Rules

Create detection rules in your EDR/XDR platform (e.g., Cortex XDR) to flag processes writing to the PaloAltoNetworks\PrismaAccessBrowser registry path that are not:
  • gpupdate.exe or svchost.exe (Group Policy client)
  • Your approved configuration management tool

Summary of Defense-in-Depth Approach

Layer / Control / Purpose
  • Preventive: Registry ACLs - Block unauthorized writes
  • Detective: SIEM/EDR alerts - Detect unauthorized activation
  • Corrective: GPO refresh cycle - Restore correct state