Cloud-delivered security posture audit for Palo Alto Prisma Access tenants.
Unlike on-premises PAN-OS firewall audits that inspect a single device, this
skill evaluates the distributed SASE fabric: security policies governing
mobile users and remote network sites, GlobalProtect Cloud Service client
configuration, threat prevention profiles applied across compute locations,
service connection health to on-premises data centers, and decryption
coverage across all traffic flows.
Covers Prisma Access managed through Strata Cloud Manager (SCM) and legacy
Panorama Cloud Services plugin deployments. Reference
references/api-reference.md for Strata Cloud Manager API endpoints,
authentication flows, and response structures used throughout this audit.
Follow this audit flow sequentially. Each step builds on prior findings.
The procedure moves from tenant-level infrastructure inventory through
policy analysis per traffic type to logging and visibility validation.
Authenticate to the Strata Cloud Manager API using OAuth 2.0 client
credentials flow. See references/api-reference.md for the token endpoint
and required parameters.
Retrieve tenant information and compute location status:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/prisma-access-config
Authorization: Bearer <access_token>
Record the tenant name, tenant ID, TSG ID, Prisma Access edition, and the
status of each compute location; these populate the report header.
Enumerate mobile user regions and remote network sites:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-users/regions
GET https://api.sase.paloaltonetworks.com/sse/config/v1/remote-networks
[Mobile Users] Count active compute locations and verify geographic coverage
matches the organization's user distribution.
[Remote Networks] List all configured remote network sites, their IKE
gateway addresses, and tunnel status. Flag any site showing tunnel-down state.
Retrieve security policies applied to GlobalProtect mobile users (the folder
name must be URL-encoded):
GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
?folder=Mobile%20Users
[Mobile Users] Evaluate each rule against these criteria:
- Overly permissive rules: application: any combined with action: allow
  removes all App-ID restriction from the rule, so any identified
  application matches. Flag as Critical.
- Missing threat inspection: rules with no Security Profile Group or
  individual profiles permit traffic without threat inspection. Check
  profile_setting on each rule.
- Address scope: any for both source and destination address. Evaluate
  whether address objects or address groups can narrow the scope.
- Service scope: service: any instead of service: application-default.
  App-ID enforcement is strongest when applications are restricted to
  their standard ports.
- Rule ordering: explicit deny rules must precede broad allow rules.
  Misordered rules may permit traffic before a deny can be evaluated.
Calculate the App-ID adoption ratio: count enabled allow rules using
specific App-IDs versus those with application: any. Mature deployments
target >80% named App-ID usage.
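The rule criteria above can be scripted against the security-rules response. The block below is an added example, not code from this skill or from Palo Alto Networks. It assumes the response is a JSON object whose data array holds rules with name, action, application, service, source, destination, profile_setting and disabled fields (an assumption standing in for the documented schema, see references/api-reference.md), and it runs on constructed sample rules rather than a live tenant. It also adds a coarse shadowed-deny check, which the ordering criterion implies but does not spell out.

```python
"""Added example, not code from the skill or from Palo Alto Networks: apply the
Step 2 rule criteria to one folder's security-rules response and compute the
App-ID adoption and Security Profile Group binding ratios. The response shape
(a "data" array of rules with name, action, application, service, source,
destination, profile_setting and disabled) is an assumption standing in for
the Strata Cloud Manager schema. The rules below are constructed."""
import json

# Constructed stand-in for GET .../security-rules?folder=Mobile%20Users
SAMPLE_RESPONSE = json.dumps({"data": [
    {"name": "allow-web", "action": "allow", "application": ["web-browsing", "ssl"],
     "service": ["application-default"], "source": ["any"], "destination": ["any"],
     "profile_setting": {"group": ["best-practice"]}, "disabled": False},
    {"name": "allow-all-legacy", "action": "allow", "application": ["any"],
     "service": ["any"], "source": ["any"], "destination": ["any"],
     "profile_setting": {}, "disabled": False},
    {"name": "allow-8443", "action": "allow", "application": ["any"],
     "service": ["tcp-8443"], "source": ["gp-users"], "destination": ["dc-apps"],
     "profile_setting": {"group": ["standard"]}, "disabled": False},
    {"name": "old-ftp", "action": "allow", "application": ["ftp"],
     "service": ["application-default"], "source": ["any"], "destination": ["any"],
     "profile_setting": {"group": ["best-practice"]}, "disabled": True},
    {"name": "deny-tor", "action": "deny", "application": ["tor"],
     "service": ["any"], "source": ["any"], "destination": ["any"],
     "profile_setting": {}, "disabled": False},
]})


def _is_any(values):
    return [str(v).lower() for v in values or []] == ["any"]


def _has_spg(rule):
    return bool((rule.get("profile_setting") or {}).get("group"))


def check_rule(rule):
    """Step 2 criteria for one enabled allow rule, as (severity, issue) pairs."""
    if rule.get("disabled") or rule.get("action") != "allow":
        return []
    findings = []
    app_any = _is_any(rule.get("application"))
    svc = [str(s).lower() for s in rule.get("service") or []]
    if app_any and svc == ["any"]:
        findings.append(("Critical", "application any + service any: fully open rule"))
    elif app_any:
        findings.append(("High", "application any on explicit ports: any app allowed on that port"))
    elif svc != ["application-default"]:
        findings.append(("Medium", "service is not application-default"))
    if not _has_spg(rule):
        findings.append(("High", "no Security Profile Group: traffic passes uninspected"))
    if _is_any(rule.get("source")) and _is_any(rule.get("destination")):
        findings.append(("Low", "source and destination are both any"))
    return findings


def shadowed_denies(rules):
    """Deny/drop rules placed after an enabled allow rule that matches everything.
    Coarse check: a full shadow analysis also compares zones and address sets."""
    open_allow_seen, shadowed = False, []
    for r in rules:
        if r.get("disabled"):
            continue
        if r.get("action") == "allow" and all(
                _is_any(r.get(k)) for k in ("application", "service", "source", "destination")):
            open_allow_seen = True
        elif r.get("action") in ("deny", "drop") and open_allow_seen:
            shadowed.append(r["name"])
    return shadowed


def score_folder(response_text):
    """Ratios for the scoring table plus per-rule findings for one folder."""
    rules = json.loads(response_text)["data"]
    active_allow = [r for r in rules if r.get("action") == "allow" and not r.get("disabled")]

    def pct(part, whole):
        return round(100.0 * len(part) / len(whole), 1) if whole else 0.0

    findings = {r["name"]: check_rule(r) for r in rules}
    return {
        "rule_count": len(rules),
        "allow_rules": len(active_allow),
        "disabled_pct": pct([r for r in rules if r.get("disabled")], rules),
        "app_id_adoption_pct": pct([r for r in active_allow if not _is_any(r.get("application"))], active_allow),
        "spg_binding_pct": pct([r for r in active_allow if _has_spg(r)], active_allow),
        "shadowed_denies": shadowed_denies(rules),
        "findings": {k: v for k, v in findings.items() if v},
    }


def rate(value_pct, normal_above, warning_from):
    """Map a higher-is-better percentage onto the Normal / Warning / Critical bands."""
    if value_pct > normal_above:
        return "Normal"
    return "Warning" if value_pct >= warning_from else "Critical"


if __name__ == "__main__":
    result = score_folder(SAMPLE_RESPONSE)
    print(json.dumps(result, indent=2))
    print("App-ID adoption:", rate(result["app_id_adoption_pct"], 80, 50))
    print("SPG binding:", rate(result["spg_binding_pct"], 95, 80))
```

Run it per folder (Mobile Users, then Remote Networks) and feed the two percentages into the scoring table; the per-rule findings map directly onto the Findings entries of the report template. Disabled rules are excluded from the ratios but counted for the disabled-rule metric, because a disabled rule neither protects nor exposes anything.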
Retrieve security policies applied to remote network sites:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
?folder=Remote%20Networks
[Remote Networks] In addition to the rule-level checks in Step 2, evaluate:
- IPsec/IKE crypto: proposals on each site tunnel meet organizational
  standards (AES-256-GCM preferred, minimum AES-256-CBC; a CBC cipher needs
  SHA-256 or stronger as its separate integrity algorithm, whereas GCM
  authenticates on its own). Check IKE version (IKEv2 required), DH group
  (minimum Group 14), and SA lifetime settings.
GET https://api.sase.paloaltonetworks.com/sse/config/v1/ike-gateways
GET https://api.sase.paloaltonetworks.com/sse/config/v1/ipsec-tunnels
- Routing: for BGP, verify peer ASN, advertised prefixes, and route
  filters. For static routes, confirm next-hop reachability and subnet
  accuracy.
GET https://api.sase.paloaltonetworks.com/sse/config/v1/bgp-routing
- Tunnel posture: determine whether each site's internet-bound traffic is
  fully tunneled through Prisma Access (recommended for consistent
  inspection) or split-tunneled with direct internet breakout. Split-tunnel
  configurations must ensure local breakout traffic still traverses a
  security policy.
- Bandwidth: compare each site's licensed bandwidth allocation against
  actual usage. Sites consistently exceeding allocation experience packet
  drops or degraded performance.
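An added example (not part of this skill or of any Palo Alto tooling) that grades a site's IKE and IPsec proposals against the crypto standard above. Each site dict is a constructed, flattened merge of what the ike-gateways and crypto-profile responses carry; the field names (ike_version, ike_encryption, esp_authentication, pfs_group and so on) are assumptions for illustration, not the Strata Cloud Manager schema, and the site names are invented.

```python
"""Added example, not code from the skill or from Palo Alto Networks: grade a
remote network site's IKE and IPsec proposals against the Step 3 standard
(IKEv2 required, DH Group 14 minimum with 19/20 as target, AES-256-GCM
preferred, AES-256-CBC minimum). Site dicts are constructed and their field
names are assumptions, not the Strata Cloud Manager schema."""

MIN_DH_GROUP = 14
TARGET_DH_GROUPS = {19, 20}
BROKEN_CIPHERS = {"des", "3des", "null"}
ACCEPTABLE_CIPHERS = {"aes-256-gcm", "aes-256-cbc"}
WEAK_HASHES = {"md5", "sha1", "none"}
SEVERITY_ORDER = {"OK": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample sites (not real tenant data).
SAMPLE_SITES = [
    {"name": "branch-lon-01", "ike_version": "ikev2",
     "ike_encryption": ["aes-256-gcm"], "ike_hash": ["sha256"], "ike_dh_groups": ["group20"],
     "esp_encryption": ["aes-256-gcm"], "esp_authentication": ["none"], "pfs_group": "group20"},
    {"name": "branch-legacy-07", "ike_version": "ikev1",
     "ike_encryption": ["3des", "aes-128-cbc"], "ike_hash": ["sha1"], "ike_dh_groups": ["group2"],
     "esp_encryption": ["aes-128-cbc"], "esp_authentication": ["md5"], "pfs_group": "no-pfs"},
]


def _group_number(name):
    """'group14' -> 14."""
    return int(str(name).lower().replace("group", ""))


def _check_ciphers(label, ciphers):
    ciphers = [c.lower() for c in ciphers]
    out = []
    broken = sorted(set(ciphers) & BROKEN_CIPHERS)
    if broken:
        out.append(("High", f"{label} offers broken cipher(s): {', '.join(broken)}"))
    below = sorted(c for c in set(ciphers) if c not in BROKEN_CIPHERS and c not in ACCEPTABLE_CIPHERS)
    if below:
        out.append(("Medium", f"{label} offers cipher(s) below the AES-256-CBC minimum: {', '.join(below)}"))
    if "aes-256-gcm" not in ciphers:
        out.append(("Low", f"{label} does not offer AES-256-GCM (preferred)"))
    return out


def _check_integrity(label, hashes, ciphers):
    # GCM authenticates on its own; a CBC proposal relies on the hash for integrity.
    needs_hash = any(not c.lower().endswith("gcm") for c in ciphers)
    weak = sorted({h.lower() for h in hashes} & WEAK_HASHES)
    if weak and needs_hash:
        return [("High", f"{label} integrity uses {', '.join(weak)} with a non-AEAD cipher")]
    return []


def evaluate_site_crypto(site):
    """Return (grade, findings) for one site; grade is the worst severity found."""
    findings = []
    if site["ike_version"].lower() != "ikev2":
        findings.append(("High", "IKEv1 in use; IKEv2 is required"))
    findings += _check_ciphers("IKE", site["ike_encryption"])
    findings += _check_integrity("IKE", site["ike_hash"], site["ike_encryption"])
    groups = [_group_number(g) for g in site["ike_dh_groups"]]
    if min(groups) < MIN_DH_GROUP:
        findings.append(("High", f"IKE DH group {min(groups)} is below Group {MIN_DH_GROUP}"))
    elif not TARGET_DH_GROUPS & set(groups):
        findings.append(("Low", "IKE does not offer DH Group 19/20 (target)"))
    findings += _check_ciphers("ESP", site["esp_encryption"])
    findings += _check_integrity("ESP", site["esp_authentication"], site["esp_encryption"])
    pfs = str(site.get("pfs_group", "no-pfs")).lower()
    if pfs == "no-pfs":
        findings.append(("Medium", "IPsec PFS disabled"))
    elif _group_number(pfs) < MIN_DH_GROUP:
        findings.append(("High", f"IPsec PFS group {_group_number(pfs)} is below Group {MIN_DH_GROUP}"))
    grade = max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="OK")
    return grade, findings


def audit_sites(sites):
    """Site name -> worst grade, for the Remote Network Findings section."""
    return {s["name"]: evaluate_site_crypto(s)[0] for s in sites}


if __name__ == "__main__":
    for site in SAMPLE_SITES:
        grade, findings = evaluate_site_crypto(site)
        print(site["name"], grade)
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The integrity check deliberately treats SHA-1 as acceptable only when every cipher in the proposal is an AEAD mode, because the weak hash is no longer what protects packet integrity in that case; a mixed proposal that still offers CBC is graded on its weakest combination, which is also what a downgrade-happy peer would negotiate.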
Retrieve all Security Profile Groups and individual profiles:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-profile-groups
GET https://api.sase.paloaltonetworks.com/sse/config/v1/anti-spyware-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/vulnerability-protection-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/wildfire-anti-virus-profiles
Evaluate each profile type:
- Antivirus: action is reset-both or drop for all decoders (HTTP, SMTP,
  IMAP, POP3, FTP, SMB). A profile that only alerts, including a default
  profile left at alert, is insufficient; flag as High.
- Anti-Spyware: DNS sinkhole is enabled, DNS signatures for malicious
  domains are blocked or sinkholed, and spyware severity levels
  critical/high/medium are set to reset-both or drop.
- Vulnerability Protection: critical and high severity signatures use the
  reset-both action. The default profile uses alert for informational, which
  is acceptable. Check for custom exceptions that weaken protection.
- WildFire Analysis: all supported file types (PE, PDF, MS Office, JAR,
  Flash, Linux pkg) are forwarded to WildFire for analysis. Verify WildFire
  verdict actions block malicious and grayware.
- File Blocking: high-risk file types (EXE, DLL, BAT, SCR, MSI) are blocked
  on the relevant protocols.
[Mobile Users] [Remote Networks] Verify that all allow rules in both
folders reference a Security Profile Group containing the above profiles.
Rules without profile binding pass traffic uninspected.
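An added example, not code from this skill or from Palo Alto Networks, that applies the profile criteria above to Security Profile Groups and the member profiles they reference, reporting both an incomplete group and a weak member profile. The profile dicts are a constructed, flattened view of the profile responses; their field names (decoders, severity_actions, dns_sinkhole, file_types, verdict_actions) and the profile names are assumptions for illustration, not the Strata Cloud Manager schema.

```python
"""Added example, not code from the skill or from Palo Alto Networks: apply the
Step 4 profile criteria to Security Profile Groups and the member profiles
they reference. The dicts are a constructed, flattened view of the profile
responses; field and profile names are assumptions, not the real schema."""

BLOCKING = {"reset-both", "drop", "block"}
AV_DECODERS = ("http", "smtp", "imap", "pop3", "ftp", "smb")
WILDFIRE_TYPES = {"pe", "pdf", "ms-office", "jar", "flash", "linux"}
REQUIRED_MEMBERS = ("antivirus", "anti_spyware", "vulnerability",
                    "url_filtering", "wildfire", "file_blocking")
SEVERITY_ORDER = {"OK": 0, "Low": 1, "Medium": 2, "High": 3}


def evaluate_antivirus(p):
    weak = [d for d in AV_DECODERS if p["decoders"].get(d, "alert") not in BLOCKING]
    return [("High", f"decoders not blocking: {', '.join(weak)}")] if weak else []


def evaluate_anti_spyware(p):
    out = []
    weak = [s for s in ("critical", "high", "medium") if p["severity_actions"].get(s) not in BLOCKING]
    if weak:
        out.append(("High", f"severities not blocking: {', '.join(weak)}"))
    if not p.get("dns_sinkhole"):
        out.append(("High", "DNS sinkhole disabled"))
    return out


def evaluate_vulnerability(p):
    out = []
    weak = [s for s in ("critical", "high") if p["severity_actions"].get(s) != "reset-both"]
    if weak:
        out.append(("High", f"severities not reset-both: {', '.join(weak)}"))
    if p.get("exceptions"):
        out.append(("Medium", f"{len(p['exceptions'])} custom exception(s) to review"))
    return out


def evaluate_wildfire(p):
    out = []
    missing = sorted(WILDFIRE_TYPES - {t.lower() for t in p["file_types"]})
    if missing:
        out.append(("Medium", f"file types not forwarded: {', '.join(missing)}"))
    if p["verdict_actions"].get("malicious") not in BLOCKING:
        out.append(("High", "malicious verdict not blocked"))
    if p["verdict_actions"].get("grayware") not in BLOCKING:
        out.append(("Low", "grayware verdict not blocked"))
    return out


EVALUATORS = {"antivirus": evaluate_antivirus, "anti_spyware": evaluate_anti_spyware,
              "vulnerability": evaluate_vulnerability, "wildfire": evaluate_wildfire}


def evaluate_group(group, profiles):
    """Check SPG completeness first, then the strength of each member profile."""
    findings = []
    for kind in REQUIRED_MEMBERS:
        name = group.get(kind)
        if not name:
            findings.append(("Medium", f"group lacks a {kind} profile"))
        elif kind in EVALUATORS:
            findings += [(sev, f"{name}: {msg}") for sev, msg in EVALUATORS[kind](profiles[kind][name])]
    return findings


def worst(findings):
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="OK")


# Constructed sample: one hardened group, one legacy group with gaps (invented names).
PROFILES = {
    "antivirus": {
        "bp-av": {"decoders": {d: "reset-both" for d in AV_DECODERS}},
        "legacy-av": {"decoders": {"http": "alert", "smtp": "alert", "imap": "reset-both",
                                   "pop3": "reset-both", "ftp": "reset-both", "smb": "alert"}}},
    "anti_spyware": {
        "bp-as": {"severity_actions": {"critical": "reset-both", "high": "reset-both", "medium": "reset-both"},
                  "dns_sinkhole": True},
        "legacy-as": {"severity_actions": {"critical": "drop", "high": "alert", "medium": "alert"},
                      "dns_sinkhole": False}},
    "vulnerability": {
        "bp-vp": {"severity_actions": {"critical": "reset-both", "high": "reset-both"}, "exceptions": []},
        "legacy-vp": {"severity_actions": {"critical": "reset-both", "high": "alert"},
                      "exceptions": ["example-exception"]}},
    "wildfire": {
        "bp-wf": {"file_types": sorted(WILDFIRE_TYPES),
                  "verdict_actions": {"malicious": "reset-both", "grayware": "reset-both"}},
        "legacy-wf": {"file_types": ["pe", "pdf"],
                      "verdict_actions": {"malicious": "alert", "grayware": "alert"}}},
}
GROUPS = {
    "best-practice": {"antivirus": "bp-av", "anti_spyware": "bp-as", "vulnerability": "bp-vp",
                      "url_filtering": "bp-url", "wildfire": "bp-wf", "file_blocking": "bp-fb"},
    "legacy": {"antivirus": "legacy-av", "anti_spyware": "legacy-as",
               "vulnerability": "legacy-vp", "wildfire": "legacy-wf"},
}

if __name__ == "__main__":
    for gname, group in GROUPS.items():
        findings = evaluate_group(group, PROFILES)
        print(f"{gname}: {worst(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Grading the group rather than the individual profile matters because a rule binds a group: a strong antivirus profile in a group with no WildFire member still leaves the rule's traffic without zero-day coverage, which is the Medium finding the decision tree later assigns.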
Review URL Filtering and DNS Security configurations:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/url-filtering-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/dns-security-profiles
- URL Filtering: high-risk categories (malware, phishing,
  command-and-control, grayware, newly-registered-domain) are set to block.
  Check that the Advanced URL Filtering license is active for inline
  ML-based analysis of unknown URLs.
- Custom categories and allow lists: review them for appropriateness;
  overly broad allow-list categories can bypass security.
- DNS Security: DNS-layer threat categories (DGA, DNS tunneling, newly seen
  domains) are set to sinkhole or block.
- SaaS Security: confirm that SaaS application visibility and inline
  controls are configured. Check for sanctioned vs unsanctioned SaaS
  application policies.
[Mobile Users] Review GlobalProtect Cloud Service configuration:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/global-settings
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-objects
Evaluate the following:
- Client version currency: compare the GlobalProtect client versions the
  portal offers against the versions currently deployed across the user
  population. Clients older than the current major release minus one are a
  compliance risk. Query Prisma Access Insights for version distribution.
- Tunnel mode: determine whether the agent configuration uses full-tunnel
  (all traffic through Prisma Access) or split-tunnel (specified
  apps/domains bypass the tunnel). Full-tunnel is recommended for
  consistent security inspection.
- HIP checks: HIP objects and profiles check for minimum OS patch level,
  disk encryption status, antivirus presence and currency, host firewall
  state, and certificate validity. HIP profiles should enforce compliance
  gates: non-compliant devices receive restricted access.
- Pre-logon: determine whether pre-logon establishes a tunnel with
  machine-level authentication before user login. Required for
  environments needing machine certificate-based access.
- Always-on: verify that the agent configuration enforces always-on VPN
  with no user-disable option. Where a disable option exists, check that
  it is protected by an override password.
- Authentication method: review portal and gateway authentication. SAML
  with MFA is recommended for mobile users.
[Service Connections] Verify connectivity between Prisma Access and
on-premises data centers:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/service-connections
Evaluate each service connection:
- Tunnel status: the tunnel is up and stable (no recent flaps). Check
  tunnel uptime and last state change.
- Routing: on-premises prefixes are advertised to Prisma Access via BGP.
  Verify that Prisma Access is advertising the expected mobile user and
  remote network subnets back to on-premises.
- Bandwidth: compare utilization against allocation. Service connections
  nearing capacity cause traffic drops for mobile users accessing
  on-premises resources.
- QoS: QoS profiles and bandwidth guarantees align with business
  application priority.
- Redundancy: a secondary service connection exists for each data center.
  Single service connections are a single point of failure. Check failover
  behavior: active/passive or active/active.
Evaluate SSL/TLS decryption coverage across the Prisma Access tenant:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
?folder=Mobile Users
GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
?folder=Remote Networks
[Mobile Users] [Remote Networks] Check decryption configuration:
- Coverage: identify which traffic flows are decrypted (SSL Forward Proxy)
  and which bypass decryption. Internet-bound traffic from all user and
  branch sources should be decrypted for full threat inspection.
- Exclusions: review technical exclusions (certificate pinning, client
  certificate mutual TLS) and compliance exclusions (financial, healthcare
  categories). Verify exclusion lists are minimal and documented with
  justification.
- Forward trust CA: the forward trust CA certificate is properly
  distributed to all endpoints. Mobile user devices must trust the
  decryption CA to avoid certificate errors. Check certificate expiration.
- Protocol versions: TLS 1.0 and 1.1 are blocked, or at minimum decrypted
  with alerts. Only TLS 1.2 and 1.3 should be permitted without findings.
- Performance: assess whether decryption processing introduces latency.
  Check Prisma Access Insights for decryption-related performance metrics.
Verify log forwarding and monitoring configuration:
GET https://api.sase.paloaltonetworks.com/sse/config/v1/log-forwarding-profiles
- Log types: all log types (traffic, threat, URL, data, WildFire,
  authentication, HIP match, decryption) are forwarded to Cortex Data Lake.
  Missing log types create visibility gaps.
- Retention: Cortex Data Lake retention periods meet compliance
  requirements. Check for capacity warnings.
- Autonomous DEM: Autonomous DEM is enabled for mobile users. Check that
  application performance monitoring targets are configured for critical
  SaaS applications (Microsoft 365, Salesforce, ServiceNow, etc.).
- SIEM integration: where logs are forwarded to an external SIEM, verify
  that syslog or HTTPS forwarding is functional and that log ingestion
  rates match expected volume.
- Alerting: alerts are configured for tunnel down, license expiration,
  compute location capacity, and high threat volume.
| Metric | Normal | Warning | Critical |
|---|---|---|---|
| App-ID adoption (named App-IDs / total allow rules) | >80% | 50-80% | <50% |
| Security Profile Group binding (allow rules with SPG) | >95% | 80-95% | <80% |
| Rules with application: any + service: any | 0 | 1-3 | >3 |
| Disabled rules in rulebase | <5% of total | 5-15% | >15% |
| Shadowed / unreachable rules | 0 | 1-5 | >5 |
| Profile Type | Normal | Warning | Critical |
|---|---|---|---|
| Antivirus — action on all decoders | reset-both / drop | alert on 1-2 decoders | alert-only or default unchanged |
| Anti-Spyware — crit/high severity action | reset-both / drop | drop on critical only | alert-only |
| Anti-Spyware — DNS sinkhole | Enabled | N/A | Disabled |
| Vulnerability Protection — crit/high action | reset-both | drop on critical only | alert-only |
| WildFire — file types forwarded | All file types | Missing 1-2 types | Missing >2 types or disabled |
| File Blocking — high-risk file types | Blocked (EXE/DLL/BAT/SCR) | Partial coverage | Not configured |
| URL Filtering — high-risk categories | Block (malware/phishing/C2) | Alert on some categories | Allow or not configured |
| DNS Security — threat categories | Sinkhole / block | Alert on some | Not configured |
| Metric | Normal | Warning | Critical |
|---|---|---|---|
| Client version currency (within N-1 major) | >95% compliant | 80-95% compliant | <80% compliant |
| HIP compliance rate (devices passing HIP checks) | >90% | 70-90% | <70% |
| Always-on VPN enforcement | Enabled, no override | Enabled with override password | Disabled |
| Pre-logon tunnel (if required) | Configured and active | Configured, intermittent | Not configured |
| Authentication method | SAML with MFA | SAML without MFA | LDAP/password only |
| Metric | Normal | Warning | Critical |
|---|---|---|---|
| Tunnel status | Up, stable >7d | Flapping (>2 state changes/24h) | Down |
| Bandwidth utilization | <70% allocated | 70-90% allocated | >90% allocated |
| Redundancy | Primary + secondary active | Single connection, backup configured | Single connection, no backup |
| BGP peer state | Established, routes exchanged | Established, missing routes | Down / not configured |
| Route advertisement accuracy | All expected prefixes present | Missing non-critical prefixes | Missing critical prefixes |
| Metric | Normal | Warning | Critical |
|---|---|---|---|
| Internet-bound traffic decrypted | >80% of sessions | 50-80% of sessions | <50% of sessions |
| Decryption exclusion count | <20 categories/domains | 20-50 | >50 |
| TLS 1.0/1.1 traffic | Blocked | Decrypted with alert | Permitted without inspection |
| Forward trust CA certificate validity | >90 days to expiry | 30-90 days | <30 days or expired |
Mobile User allow rule identified
├── Has Security Profile Group?
│ ├── No → HIGH: Add SPG immediately
│ │ └── Traffic type?
│ │ ├── Internet-bound → Bind full SPG (AV+AS+VP+URL+WF+FB)
│ │ ├── Access to on-prem via service connection → Standard SPG (AV+AS+VP)
│ │ └── SaaS direct access → Full SPG + URL Filtering + CASB
│ └── Yes → Check SPG completeness
│ ├── Missing WildFire → Medium: Add WF profile for zero-day coverage
│ ├── Missing URL Filtering → Medium: Add URL for web threat protection
│ └── All profiles present → OK
│
├── Application = any?
│ ├── Yes + Service = any → CRITICAL: Fully open rule
│ │ └── Review Prisma Access Insights traffic logs for actual app usage
│ │ → Replace with specific App-IDs
│ ├── Yes + Service = specific port → HIGH: any application allowed on that port
│ │ └── Identify applications on that port from traffic logs
│ │ → Replace with named App-IDs + application-default
│ └── Named App-IDs → OK
│
├── Decrypted?
│ ├── No → SPG inspection limited to metadata
│ │ └── Add decryption rule for this traffic flow
│ └── Yes → Full inspection effective
│
└── HIP-enforced?
├── No → Evaluate adding HIP profile for device compliance
└── Yes → Verify HIP checks match organizational policy
Remote network site identified
├── Tunnel status?
│ ├── Down → CRITICAL: Restore connectivity
│ │ ├── Check IKE Phase 1 (peer IP, pre-shared key, proposals)
│ │ ├── Check IKE Phase 2 (proxy IDs, encryption mismatch)
│ │ └── Verify on-prem firewall allows IKE/NAT-T (UDP 500/4500), and ESP (IP protocol 50) where NAT-T is not used
│ ├── Flapping → HIGH: Investigate stability
│ │ ├── Check DPD (Dead Peer Detection) settings
│ │ ├── Review ISP stability at branch site
│ │ └── Verify SA lifetime alignment between peers
│ └── Stable → Continue to policy audit
│
├── Encryption strength?
│ ├── Below minimum (3DES, DH Group 2/5) → HIGH: Upgrade proposals
│ │ └── Target: AES-256-GCM, IKEv2, DH Group 19/20
│ └── Meets standard → OK
│
├── Routing correct?
│ ├── BGP: Missing expected prefixes → Verify route filters and advertisements
│ ├── Static: Incorrect next-hop → Correct route configuration
│ └── Routes present and accurate → OK
│
├── Split-tunnel or full-tunnel?
│ ├── Split-tunnel without local security → HIGH: Risk of uninspected traffic
│ │ └── Migrate to full-tunnel or add local security stack
│ └── Full-tunnel or split with local inspection → OK
│
└── Bandwidth adequate?
├── >90% utilization → WARNING: Upgrade allocation
├── 70-90% utilization → Monitor trend
└── <70% → OK
Threat prevention profile audit
├── Using default (best-practice) profiles?
│ ├── Yes → Acceptable baseline
│ │ └── Review for organizational customization needs
│ └── No → Custom profiles exist
│ ├── Weaker than defaults? → FINDING: Strengthen to match or exceed
│ └── Stronger than defaults? → OK, document customizations
│
├── Antivirus profile
│ ├── Any decoder set to alert-only? → HIGH: Change to reset-both
│ └── All decoders reset-both/drop → OK
│
├── Anti-Spyware profile
│ ├── DNS sinkhole disabled? → HIGH: Enable immediately
│ ├── Critical/high severity = alert? → HIGH: Change to reset-both
│ └── Properly configured → OK
│
├── Vulnerability Protection profile
│ ├── Custom exceptions reducing coverage? → Review each exception
│ │ └── Exception still required? → Document justification
│ │ └── No longer needed → Remove exception
│ └── Standard severity actions → OK
│
└── WildFire profile
├── File types not forwarded? → Medium: Add missing file types
├── Verdict action = alert for malicious? → HIGH: Change to drop
└── Full coverage, block malicious → OK
PRISMA ACCESS SASE AUDIT REPORT
=================================
Tenant: [tenant name]
Tenant ID: [tenant ID]
TSG ID: [TSG ID]
Prisma Access Edition: [Business / Business Premium / Enterprise]
Audit Date: [timestamp]
Performed By: [operator/agent]
INFRASTRUCTURE OVERVIEW:
- Compute locations (Mobile Users): [count] — [region list]
- Remote network sites: [count] — [site list]
- Service connections: [count] — [data center list]
- Total bandwidth allocation: [Mbps]
- Strata Cloud Manager version: [version]
MOBILE USER FINDINGS:
- Total security rules (Mobile Users folder): [count]
- Allow rules: [n] | Deny rules: [n] | Drop rules: [n]
- Rules with Security Profile Groups: [n] / [allow count] ([%])
- App-ID adoption: [n]% of allow rules use named App-IDs
- GlobalProtect client compliance: [n]% on current version
- HIP compliance rate: [n]%
Findings:
1. [Severity] [Category] — [Description]
Rule: [rule name]
Folder: Mobile Users
Issue: [specific problem]
Recommendation: [specific remediation]
REMOTE NETWORK FINDINGS:
- Total remote network sites: [count]
- Sites with tunnel up: [n] / [total]
- Sites with full-tunnel posture: [n] / [total]
- Security rules (Remote Networks folder): [count]
- Rules with Security Profile Groups: [n] / [allow count] ([%])
Findings:
1. [Severity] [Category] — [Description]
Site: [site name]
Issue: [specific problem — tunnel, routing, policy, or encryption]
Recommendation: [specific remediation]
THREAT PREVENTION ASSESSMENT:
- Security Profile Groups configured: [count]
- Antivirus profiles: [count] — [strength assessment]
- Anti-Spyware profiles: [count] — DNS sinkhole: [enabled/disabled]
- Vulnerability Protection profiles: [count] — [custom exceptions count]
- WildFire profiles: [count] — file types forwarded: [list]
- URL Filtering: Advanced URL Filtering license: [active/inactive]
- DNS Security: [configured/not configured]
Findings:
1. [Severity] [Profile Type] — [Description]
Profile: [profile name]
Issue: [specific weakness]
Recommendation: [specific remediation]
DECRYPTION COVERAGE:
- Mobile User decryption rules: [count]
- Remote Network decryption rules: [count]
- Estimated sessions decrypted: [%]
- Decryption exclusions: [count categories/domains]
- Forward trust CA expiry: [date]
- TLS 1.0/1.1 handling: [blocked/allowed/decrypted]
Findings:
1. [Severity] — [Description]
Scope: [Mobile Users / Remote Networks / Both]
Issue: [specific gap]
Recommendation: [specific remediation]
SERVICE CONNECTION STATUS:
- Service connections: [count]
- All tunnels up: [yes/no]
- Redundancy: [all redundant / gaps identified]
- Bandwidth utilization: [average %]
Findings:
1. [Severity] — [Description]
Connection: [service connection name]
Issue: [tunnel, routing, bandwidth, or redundancy]
Recommendation: [specific remediation]
SEVERITY SUMMARY:
- Critical: [count]
- High: [count]
- Medium: [count]
- Low / Informational: [count]
REMEDIATION ROADMAP:
Phase 1 (Immediate — 0-7 days):
- [Critical findings requiring immediate action]
Phase 2 (Short-term — 7-30 days):
- [High findings and quick wins]
Phase 3 (Medium-term — 30-90 days):
- [Medium findings, profile hardening, App-ID migration]
Phase 4 (Ongoing):
- [Continuous monitoring, quarterly re-audit, policy lifecycle]
NEXT AUDIT: [based on findings — CRITICAL: 30d, HIGH: 90d, clean: 180d]
Strata Cloud Manager uses OAuth 2.0 client credentials flow. Authenticate
with a Service Account bound to a Tenant Service Group (TSG) ID. The token
endpoint is https://auth.apps.paloaltonetworks.com/oauth2/access_token.
Common authentication failures:
- Wrong scope: the scope parameter must be tsg_id:<TSG_ID>. Omitting it or
  using an incorrect TSG ID returns a 401 error.
- Expired client secret: service account secrets have a configurable
  expiration. Regenerate via Strata Cloud Manager > Identity & Access.
- Insufficient role: the service account needs at least the Auditor or
  View-Only Administrator role to read configuration.
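An added example, not this skill's code or a Palo Alto SDK, that performs the client credentials flow against the token endpoint above and turns the failures just listed into explicit errors an auditor can act on. The endpoint and the tsg_id:<TSG_ID> scope are taken from this section; access_token and expires_in are the standard OAuth 2.0 response fields. The HTTP transport is injectable, and the constructed fake_transport at the end exists only so the flow can be exercised offline.

```python
"""Added example, not code from the skill or a Palo Alto SDK: obtain and cache
a Strata Cloud Manager bearer token with the OAuth 2.0 client credentials
flow, and map the failure modes listed above onto explicit errors. The token
URL and the tsg_id:<TSG_ID> scope are the page's; access_token and
expires_in are the standard OAuth 2.0 response fields."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"


class AuthError(Exception):
    pass


def build_token_request(client_id, client_secret, tsg_id):
    """Client credentials grant: Basic auth with the service account, scope bound to the TSG."""
    if not str(tsg_id).strip():
        raise AuthError("TSG ID is required; scope must be tsg_id:<TSG_ID>")
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": f"tsg_id:{tsg_id}"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def parse_token_response(status, body_text, now):
    """Return (token, absolute expiry) or raise with a diagnosis the auditor can act on."""
    if status == 401:
        raise AuthError("401 from token endpoint: check client ID/secret, whether the secret "
                        "has expired, and that scope is tsg_id:<TSG_ID> for the right tenant")
    if status != 200:
        raise AuthError(f"token endpoint returned HTTP {status}: {body_text[:200]}")
    payload = json.loads(body_text)
    if "access_token" not in payload:
        raise AuthError("token response has no access_token")
    return payload["access_token"], now + int(payload.get("expires_in", 900))


def urllib_transport(url, headers, body):
    """Real transport: POST the form and return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


class ScmToken:
    """Caches the bearer token and refreshes it `skew` seconds before it expires."""

    def __init__(self, client_id, client_secret, tsg_id, transport=urllib_transport, skew=60):
        self._creds = (client_id, client_secret, tsg_id)
        self._transport, self._skew = transport, skew
        self._token, self._expires_at, self.fetches = None, 0.0, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self._skew:
            return self._token
        status, text = self._transport(*build_token_request(*self._creds))
        self._token, self._expires_at = parse_token_response(status, text, now)
        self.fetches += 1
        return self._token

    def auth_header(self, now=None):
        """Header for the GET https://api.sase.paloaltonetworks.com/sse/config/v1/... calls."""
        return {"Authorization": f"Bearer {self.get(now)}"}


def fake_transport(url, headers, body):
    """Constructed offline stand-in: one TSG is accepted, a 900 s token is returned."""
    form = urllib.parse.parse_qs(body.decode())
    if form.get("scope") != ["tsg_id:1234567890"]:
        return 401, json.dumps({"error": "invalid_scope"})
    return 200, json.dumps({"access_token": "example-token", "token_type": "Bearer", "expires_in": 900})


if __name__ == "__main__":
    tok = ScmToken("svc-audit", "not-a-real-secret", "1234567890", transport=fake_transport)
    print(tok.auth_header(now=0))
```

Refreshing a minute before expiry, rather than on the first 401, keeps a long audit run from failing midway through a paginated listing; the error text for 401 deliberately names all three causes listed above, since the endpoint's response alone does not distinguish them.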
Legacy Panorama Cloud Services plugin API uses an API key generated from
Panorama. If the organization has migrated to Strata Cloud Manager, the
legacy API may return stale configuration. Always confirm which management
plane is authoritative.
Prisma Access compute locations can reach capacity during peak usage. If
mobile user connections are refused or performance degrades:
- Review per-location utilization in Prisma Access Insights and the
  Autonomous DEM dashboard.
- Enable additional compute locations to balance load; avoid funneling all
  users through a single region.
- Check the bandwidth allocation: an undersized allocation triggers
  throttling before true capacity is reached.
GlobalProtect client compatibility issues commonly arise from:
- Portal and gateway version skew: Prisma Access infrastructure is upgraded
  independently from client software. Clients more than two major versions
  behind may fail to connect or lose feature support. Check the Prisma
  Access compatibility matrix.
- OS platform changes: macOS network extension frameworks (System
  Extension vs Kernel Extension) change across OS versions. Windows clients
  may conflict with third-party VPN or endpoint security software.
- MDM-delivered settings may override portal-delivered settings. Verify
  that MDM configuration aligns with portal/gateway settings.
BGP session instability on service connections typically results from:
- Hold time mismatch: the Prisma Access side defaults to a BGP hold time of
  90 seconds. BGP peers negotiate down to the smaller of the two configured
  hold times, so if the on-premises peer offers a shorter value both sides
  run with it, and keepalives lost to congestion drop the session. Align
  timers.
- Route flapping upstream: if the on-premises network withdraws and
  re-advertises routes rapidly, Prisma Access BGP will follow. Check
  on-premises routing stability first.
- MTU and fragmentation: fragmented BGP packets can affect session health.
  Verify MTU along the service connection path; typical IPsec overhead
  requires reducing MTU to 1400 or lower.
- Aggressive DPD: dead peer detection timers that are too short, combined
  with transient packet loss, cause unnecessary tunnel rebuilds. Use a DPD
  interval of 10 seconds with a retry of 3 as a baseline.
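An added example (not from this page or from any Palo Alto tool) working through the two numbers behind the BGP and MTU notes above: the hold time a session actually runs at when the two peers are configured differently, and how much of a 1500-byte path MTU survives ESP tunnel-mode encapsulation for common proposals. The header sizes are the protocol constants from RFC 4106 (AES-GCM), RFC 3602 (AES-CBC) and the HMAC ESP RFCs; the peer timer values are constructed.

```python
"""Added example, not code from the page or any Palo Alto tool: the two
calculations behind the BGP and MTU notes. bgp_negotiated_timers applies the
RFC 4271 rule that a session runs at the smaller of the two configured hold
times, with keepalive at one third of it; ipsec_inner_mtu works out how much
of the path MTU is left for the inner packet after ESP tunnel-mode
encapsulation. Peer values below are constructed."""

# ESP per-packet overhead (bytes) for common proposals: (IV, ICV, padding alignment).
ESP_CIPHERS = {
    "aes-256-gcm": (8, 16, 4),      # RFC 4106: 8-byte IV, 16-byte ICV, 4-byte alignment
    "aes-128-gcm": (8, 16, 4),
    "aes-256-cbc": (16, None, 16),  # RFC 3602: 16-byte IV, 16-byte blocks; ICV comes from the HMAC
    "aes-128-cbc": (16, None, 16),
}
ESP_INTEGRITY = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}  # truncated HMAC ICV sizes
OUTER_IPV4, UDP_NAT_T, ESP_HEADER, ESP_TRAILER = 20, 8, 8, 2


def bgp_negotiated_timers(local_hold, peer_hold):
    """RFC 4271 4.2: hold time is the smaller value offered (0 disables); keepalive = hold / 3."""
    hold = min(int(local_hold), int(peer_hold))
    if 0 < hold < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds")
    return {"hold": hold, "keepalive": hold // 3}


def ipsec_inner_mtu(path_mtu, cipher, integrity=None, nat_t=True):
    """Largest inner IP packet that fits in path_mtu after ESP tunnel-mode encapsulation."""
    iv, icv, align = ESP_CIPHERS[cipher]
    if icv is None:
        if integrity not in ESP_INTEGRITY:
            raise ValueError(f"{cipher} needs an integrity algorithm from {sorted(ESP_INTEGRITY)}")
        icv = ESP_INTEGRITY[integrity]
    fixed = OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HEADER + iv + icv
    # Inner packet + pad + 2-byte trailer must be a multiple of the cipher alignment.
    usable = (path_mtu - fixed) // align * align
    return usable - ESP_TRAILER


def tcp_mss_for(inner_mtu, ip_header=20, tcp_header=20):
    """MSS clamp so TCP segments never need fragmentation inside the tunnel."""
    return inner_mtu - ip_header - tcp_header


def mtu_setting_is_safe(configured_mtu, path_mtu, cipher, integrity=None, nat_t=True):
    """True when the configured tunnel MTU cannot produce fragmented ESP packets."""
    return configured_mtu <= ipsec_inner_mtu(path_mtu, cipher, integrity, nat_t)


if __name__ == "__main__":
    # Constructed peers: Prisma Access default 90 s vs an on-prem router set to 30 s.
    print(bgp_negotiated_timers(90, 30))  # the 30 s side governs both peers
    for cipher, integ in (("aes-256-gcm", None), ("aes-256-cbc", "sha256")):
        inner = ipsec_inner_mtu(1500, cipher, integ, nat_t=True)
        print(cipher, "inner MTU", inner, "TCP MSS", tcp_mss_for(inner),
              "1400 safe:", mtu_setting_is_safe(1400, 1500, cipher, integ))
```

For a 1500-byte path with NAT-T the inner MTU comes out at 1438 bytes for AES-256-GCM and 1422 for AES-256-CBC with SHA-256, so the page's 1400 figure leaves a margin of a few dozen bytes for anything else on the path; the BGP result shows why a 30-second on-premises hold time, not the 90-second default, is what a congested service connection has to survive.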
SSL Forward Proxy decryption requires endpoints to trust the Prisma Access
forward trust CA certificate. Distribution challenges include:
- Unmanaged devices: devices outside MDM do not receive the CA through
  client configuration. Verify distribution by checking the certificate
  store on sample devices.
- Remote network endpoints: devices at branch sites must also trust the
  CA. If branch users access the internet via Prisma Access, their devices
  need the certificate.
- Certificate lifetime: Prisma Access generates certificates with
  configurable lifetimes; set calendar reminders for renewal. An expired
  CA causes all decrypted sessions to fail with certificate errors.
- Pinned certificates: applications that pin certificates (banking apps,
  certain healthcare portals) will fail through SSL Forward Proxy. Add
  these to the decryption exclusion list with documented justification.