npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
When to Use
- When implementing enterprise-grade SASE with integrated ZTNA, SWG, CASB, and FWaaS
- When replacing both VPN and branch office firewalls with cloud-delivered security
- When needing advanced threat prevention (WildFire, DNS Security) for remote access traffic
- When deploying zero trust for both mobile users and remote network (branch) connections
- When integrating ZTNA with existing Palo Alto NGFW infrastructure via Strata Cloud Manager
Do not use for small organizations (< 200 users) where simpler ZTNA solutions suffice, for environments requiring only web application access without full network security, or when budget constraints preclude enterprise SASE licensing.
Prerequisites
- Prisma Access license (Business Premium or equivalent)
- Strata Cloud Manager (SCM) tenant configured
- GlobalProtect agent for endpoint deployment
- ZTNA Connector VM: 4 vCPU, 8GB RAM, 128GB disk (VMware, AWS, Azure, or GCP)
- Identity provider: Okta, Entra ID, Ping Identity (SAML 2.0)
- Palo Alto Cortex Data Lake for log storage
Workflow
Step 1: Configure Prisma Access Infrastructure in Strata Cloud Manager
Set up the cloud infrastructure for mobile user and remote network connections.
Strata Cloud Manager > Prisma Access > Infrastructure Settings:
Mobile Users Configuration:
- Service Connection: Auto-selected based on user location
- DNS Servers: 10.1.1.10, 10.1.1.11 (corporate DNS)
- IP Pool for Mobile Users: 10.100.0.0/16
- Authentication: SAML with Okta (Primary), Entra ID (Secondary)
- GlobalProtect Portal: portal.company.com
- GlobalProtect Gateway: Auto (nearest Prisma Access location)
Infrastructure Subnet:
- Range: 172.16.0.0/16
- Allocation: /24 per Prisma Access locationStep 2: Deploy ZTNA Connectors for Private Application Access
Install ZTNA Connectors to provide secure access to internal applications.
# Deploy ZTNA Connector on VMware (OVA)
# Download OVA from Strata Cloud Manager > Prisma Access > ZTNA Connectors
# AWS deployment via CloudFormation
aws cloudformation create-stack \
--stack-name prisma-ztna-connector \
--template-url https://prisma-access-connector-templates.s3.amazonaws.com/ztna-connector-aws.yaml \
--parameters \
ParameterKey=VpcId,ParameterValue=vpc-PROD \
ParameterKey=SubnetId,ParameterValue=subnet-PRIVATE \
ParameterKey=InstanceType,ParameterValue=m5.xlarge \
ParameterKey=TenantServiceGroup,ParameterValue=TSG_ID \
ParameterKey=ConnectorName,ParameterValue=dc-east-connector-01
# Verify connector registration
# Strata Cloud Manager > Prisma Access > ZTNA Connectors
# Status should show "Connected" with nearest Prisma Access location
# Deploy second connector for HA
# ZTNA Connector auto-discovers nearest Prisma Access location
# IPSec tunnel uses: ecp384/aes256/sha512 for IKE and ESP
# Bandwidth: up to 2 Gbps per connectorStep 3: Define Application Definitions and Access Policies
Create application definitions pointing to internal applications via ZTNA Connectors.
Strata Cloud Manager > Prisma Access > Applications:
Application 1: Internal Wiki
- FQDN: wiki.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- Health Check: Enabled (HTTP GET /health)
Application 2: Source Code Repository
- FQDN: git.internal.corp
- Ports: TCP 22, 443
- ZTNA Connector: dc-east-connector-01, dc-east-connector-02
- Protocol: HTTPS, SSH
Application 3: Finance ERP
- FQDN: erp.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- User Authentication: Required (re-auth every 2h)
Strata Cloud Manager > Policies > Security Policy:
Rule 1: Engineering Access to Dev Tools
Source: User Group "Engineering" (from Okta SAML)
Destination: Application "Source Code Repository", "Internal Wiki"
HIP Profile: "Managed Device with CrowdStrike"
Action: Allow
Logging: Enabled
Threat Prevention: Best Practice profile
Rule 2: Finance Access to ERP
Source: User Group "Finance"
Destination: Application "Finance ERP"
HIP Profile: "Compliant Device - High Security"
Action: Allow
SSL Decryption: Forward Proxy
DLP Profile: "Financial Data Protection"
Rule 3: Default Deny Private Apps
Source: Any
Destination: Any Private App
Action: Deny
Logging: EnabledStep 4: Configure Host Information Profile (HIP) for Device Posture
Define device posture requirements using HIP checks.
Strata Cloud Manager > Objects > GlobalProtect > HIP Objects:
HIP Object: "CrowdStrike Running"
- Vendor: CrowdStrike
- Product: Falcon Sensor
- Is Running: Yes
- Minimum Version: 7.10
HIP Object: "Disk Encryption Enabled"
- Windows: BitLocker = Encrypted
- macOS: FileVault = Encrypted
HIP Object: "OS Patch Level"
- Windows: >= 10.0.22631
- macOS: >= 14.0
HIP Profile: "Managed Device with CrowdStrike"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled"
HIP Profile: "Compliant Device - High Security"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled" AND "OS Patch Level"Step 5: Deploy GlobalProtect Agent to Endpoints
Roll out the GlobalProtect agent for secure connectivity.
# Deploy GlobalProtect via Intune (Windows)
# MSI download from Strata Cloud Manager > GlobalProtect > Agent Downloads
# GlobalProtect pre-deployment configuration
# pre-deploy.xml for automated portal connection:
cat > pre-deploy.xml << 'EOF'
<GlobalProtect>
<Settings>
<portal>portal.company.com</portal>
<connect-method>pre-logon</connect-method>
<authentication-override>
<generate-cookie>yes</generate-cookie>
<cookie-lifetime>24</cookie-lifetime>
</authentication-override>
</Settings>
</GlobalProtect>
EOF
# Verify GlobalProtect connection status
# GlobalProtect system tray > Settings > Connection Details
# Should show: Connected to nearest Prisma Access gateway
# IPSec tunnel established with full threat preventionStep 6: Configure Logging and Monitoring
Set up Cortex Data Lake integration and monitoring dashboards.
Strata Cloud Manager > Prisma Access > Monitoring:
Log Forwarding:
- Cortex Data Lake: Enabled (all log types)
- SIEM Forwarding: Splunk HEC (https://splunk-hec.company.com:8088)
- Log Types: Traffic, Threat, URL, WildFire, GlobalProtect, HIP Match
Dashboard Monitoring:
- Mobile Users: Active connections, locations, bandwidth
- ZTNA Connectors: Health, latency, tunnel status
- Security Events: Threats blocked, DLP violations, HIP failures
- Application Usage: Top apps, top users, denied access attempts
Alerting:
- ZTNA Connector down: Email + PagerDuty
- HIP failure rate > 10%: Email to IT
- Threat detected on mobile user: SOC alertKey Concepts
| Term | Definition |
|---|---|
| Prisma Access | Palo Alto's cloud-delivered SASE platform providing FWaaS, SWG, CASB, DLP, and ZTNA from a single architecture |
| ZTNA Connector | VM-based connector establishing IPSec tunnels from internal networks to Prisma Access for private application access |
| GlobalProtect | Endpoint agent providing secure connectivity to Prisma Access with HIP checks and always-on VPN |
| Host Information Profile (HIP) | Device posture checks evaluating endpoint security state (EDR, encryption, patches) before granting access |
| Strata Cloud Manager | Unified management console for Prisma Access, NGFW, and Prisma Cloud security policy |
| Cortex Data Lake | Cloud-based log storage and analytics platform for Palo Alto security telemetry |
Tools & Systems
- Prisma Access: Cloud-delivered SASE with integrated ZTNA, SWG, CASB, DLP, FWaaS
- Strata Cloud Manager (SCM): Unified policy management across Palo Alto security products
- GlobalProtect Agent: Endpoint connectivity agent with HIP data collection
- ZTNA Connector: Outbound-only tunnel connector for internal application access
- Cortex Data Lake: Centralized log storage with analytics and threat detection
- WildFire: Cloud-based malware analysis and prevention integrated with Prisma Access
Common Scenarios
Scenario: Enterprise SASE Migration for 5,000-User Organization
Context: A manufacturing company with 5,000 users across 15 offices is consolidating VPN, SWG, and branch firewalls into Prisma Access SASE. Users access 50+ internal applications and need consistent security regardless of location.
Approach:
- Deploy ZTNA Connectors at 3 data centers (2 per DC for HA) for internal application access
- Configure GlobalProtect with pre-logon connection for always-on security
- Define 50+ application definitions in SCM with FQDN and port mappings
- Create HIP profiles: Standard (encryption + AV), Enhanced (+ CrowdStrike + patches)
- Build security policies mapping user groups to applications with HIP requirements
- Enable threat prevention profiles (Anti-Spyware, Anti-Virus, WildFire, URL Filtering)
- Deploy GlobalProtect agent via SCCM to all 5,000 endpoints in phases
- Configure Cortex Data Lake forwarding to Splunk for SOC monitoring
- Decommission VPN concentrators and branch firewall appliances
Pitfalls: ZTNA Connector requires minimum 4 vCPU and 8GB RAM; under-provisioning causes latency. GlobalProtect pre-logon requires machine certificates for authentication before user login. HIP check intervals should be 60 seconds minimum to avoid performance impact. Plan for a 4-6 week pilot before full deployment.
Output Format
Prisma Access ZTNA Deployment Report
==================================================
Organization: ManufactureCorp
Deployment Date: 2026-02-23
INFRASTRUCTURE:
ZTNA Connectors: 6 (2x DC-East, 2x DC-West, 2x DC-EU)
Prisma Access Locations: 8 (auto-selected)
GlobalProtect Portal: portal.manufacturecorp.com
APPLICATION ACCESS:
Defined Applications: 52
Active ZTNA Connections: 3,247
Average Latency: 12ms
ENDPOINT DEPLOYMENT:
GlobalProtect Deployed: 4,812 / 5,000 (96.2%)
HIP Compliant: 4,567 / 4,812 (94.9%)
HIP Failures: 245 (top: missing patches 120, encryption 85)
SECURITY (last 30 days):
Threats Blocked: 1,234
DLP Violations: 89
URL Blocked: 45,678
WildFire Submissions: 2,345References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.7 KB
Palo Alto Prisma Access Zero Trust — API Reference
Authentication
| Parameter | Value |
|---|---|
| Token URL | https://auth.apps.paloaltonetworks.com/oauth2/access_token |
| Grant Type | client_credentials |
| Scope | tsg_id:<tenant_service_group_id> |
SASE Configuration API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /sse/config/v1/remote-networks |
List remote network connections |
| GET | /sse/config/v1/service-connections |
List service connections |
| GET | /sse/config/v1/ike-gateways |
List IKE gateway configurations |
| GET | /sse/config/v1/security-rules |
List security policy rules |
| GET | /sse/config/v1/hip-profiles |
List Host Information Profiles |
| GET | /sse/config/v1/mobile-agent/global-settings |
GlobalProtect mobile user config |
| POST | /sse/config/v1/security-rules |
Create security rule |
| PUT | /sse/config/v1/security-rules/{id} |
Update security rule |
Base URL
https://api.sase.paloaltonetworks.comSecurity Rule Actions
| Action | Description |
|---|---|
allow |
Permit traffic matching rule |
deny |
Block traffic matching rule |
drop |
Silently drop traffic |
reset-client |
Send TCP RST to client |
HIP Match Criteria
| Field | Description |
|---|---|
disk-encryption |
Require disk encryption enabled |
firewall |
Require host firewall active |
patch-management |
Require OS patches current |
anti-malware |
Require AV/EDR running |
External References
Scripts 1
agent.py4.8 KB
#!/usr/bin/env python3
"""Palo Alto Prisma Access zero trust deployment audit agent."""
import json
import sys
import argparse
from datetime import datetime
try:
import requests
except ImportError:
print("Install: pip install requests")
sys.exit(1)
class PrismaAccessClient:
"""Client for Prisma Access Cloud Management API."""
def __init__(self, tsg_id, client_id, client_secret):
self.base_url = "https://api.sase.paloaltonetworks.com"
self.tsg_id = tsg_id
self.token = self._authenticate(client_id, client_secret)
def _authenticate(self, client_id, client_secret):
resp = requests.post(
"https://auth.apps.paloaltonetworks.com/oauth2/access_token",
data={
"grant_type": "client_credentials",
"scope": f"tsg_id:{self.tsg_id}",
},
auth=(client_id, client_secret),
timeout=15,
)
resp.raise_for_status()
return resp.json()["access_token"]
def _get(self, path, params=None):
headers = {"Authorization": f"Bearer {self.token}"}
resp = requests.get(f"{self.base_url}{path}", headers=headers,
params=params, timeout=15)
resp.raise_for_status()
return resp.json()
def list_remote_networks(self):
return self._get("/sse/config/v1/remote-networks").get("data", [])
def list_service_connections(self):
return self._get("/sse/config/v1/service-connections").get("data", [])
def list_ike_gateways(self):
return self._get("/sse/config/v1/ike-gateways").get("data", [])
def list_security_rules(self):
return self._get("/sse/config/v1/security-rules").get("data", [])
def list_hip_profiles(self):
return self._get("/sse/config/v1/hip-profiles").get("data", [])
def get_mobile_users_config(self):
return self._get("/sse/config/v1/mobile-agent/global-settings").get("data", {})
def audit_security_rules(rules):
"""Check for overly permissive security rules."""
findings = []
for rule in rules:
if rule.get("action") == "allow":
src = rule.get("source", [])
dst = rule.get("destination", [])
if "any" in src and "any" in dst:
findings.append({
"rule": rule.get("name", ""),
"issue": "Allow-any-to-any rule detected",
"severity": "HIGH",
})
if not rule.get("log_end", False):
findings.append({
"rule": rule.get("name", ""),
"issue": "Logging not enabled on rule",
"severity": "MEDIUM",
})
return findings
def run_audit(tsg_id, client_id, client_secret):
"""Execute Prisma Access zero trust audit."""
print(f"\n{'='*60}")
print(f" PRISMA ACCESS ZERO TRUST AUDIT")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
client = PrismaAccessClient(tsg_id, client_id, client_secret)
report = {}
networks = client.list_remote_networks()
report["remote_networks"] = len(networks)
print(f"--- REMOTE NETWORKS ({len(networks)}) ---")
for n in networks[:10]:
print(f" {n.get('name', '')}: region={n.get('region', '')}")
connections = client.list_service_connections()
report["service_connections"] = len(connections)
print(f"\n--- SERVICE CONNECTIONS ({len(connections)}) ---")
for c in connections[:10]:
print(f" {c.get('name', '')}: {c.get('ipsec_tunnel', '')}")
rules = client.list_security_rules()
findings = audit_security_rules(rules)
report["security_rules"] = len(rules)
report["findings"] = findings
print(f"\n--- SECURITY RULES ({len(rules)}) ---")
print(f" Findings: {len(findings)}")
for f in findings[:10]:
print(f" [{f['severity']}] {f['rule']}: {f['issue']}")
hip = client.list_hip_profiles()
report["hip_profiles"] = len(hip)
print(f"\n--- HIP PROFILES ({len(hip)}) ---")
for h in hip[:5]:
print(f" {h.get('name', '')}")
return report
def main():
parser = argparse.ArgumentParser(description="Prisma Access Zero Trust Audit")
parser.add_argument("--tsg-id", required=True, help="Tenant Service Group ID")
parser.add_argument("--client-id", required=True, help="OAuth client ID")
parser.add_argument("--client-secret", required=True, help="OAuth client secret")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_audit(args.tsg_id, args.client_id, args.client_secret)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()