Prisma Access Configuration Auditor
Audit and validate Prisma Access (SCM) configurations for security, compliance, and operational best practices.
How to Use
Provide configuration to audit via $ARGUMENTS:
- A file path containing SCM configuration JSON
- A description of the scope to audit (e.g., "security policies", "all NAT rules")
- Paste configuration JSON directly
Audit Categories
1. Security Policy Audit
Check for:
- Shadow rules: rules that are never matched because a broader rule precedes them
- Overly permissive rules: any/any/any/allow patterns without a documented justification
- Missing security profiles: allow rules without Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, or WildFire Analysis profiles (directly or via a profile group)
- Missing logging: rules without log-at-session-end enabled
- Disabled rules: identify and flag disabled rules that may be forgotten
- Unused rules: rules with zero hit counts (if hit count data is available)
- Port-based rules: rules using service ports instead of App-ID
- Rule naming: inconsistent or missing rule names/descriptions
- Implicit deny: verify an explicit clean-up rule (any/any deny with logging) sits at the end of the policy; the built-in interzone-default rule denies without logging, so denied traffic is otherwise invisible
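The category 1 checks above as a runnable script. This is an added example, not code from this page or from Palo Alto Networks: the field names (from, to, source, destination, application, service, action, profile_setting, log_end, disabled) follow the SCM security-rule JSON export but the exact schema is an assumption, the sample rulebase is constructed, and address/service groups are deliberately not expanded, so the shadow check is conservative and reports only literal supersets.

```python
"""Category 1 checks over an SCM security rulebase (added example, not the
page's or Palo Alto Networks' code). Field names follow the SCM security-rule
JSON export; treat that schema as an assumption. Address and service groups
are not expanded, so shadow detection reports literal supersets only."""
import json
from collections import Counter

ANY = {"any"}
MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")
FULL_SCOPE = ("source", "destination", "application", "service")

def covers(outer, inner):
    """True when every flow matched by `inner` is also matched by `outer`."""
    outer, inner = set(outer), set(inner)
    return bool(outer & ANY) or inner <= outer

def is_any(rule, field):
    return bool(set(rule.get(field, ["any"])) & ANY)

def finding(sev, title, location, desc, risk, fix):
    return {"severity": sev, "category": "Security Policy", "title": title,
            "location": location, "description": desc, "risk": risk, "recommendation": fix}

def audit_security_rules(rules):
    """Return finding dicts in rulebase order."""
    out, enabled_above = [], []
    for pos, r in enumerate(rules, start=1):
        loc = f"{r['name']} (position {pos})"
        if r.get("disabled"):
            out.append(finding("LOW", "Disabled rule", loc, "Rule is disabled.",
                               "Forgotten rules get re-enabled by accident.", "Delete or document it."))
            continue  # matches no traffic, so the other checks do not apply
        for above in enabled_above:  # shadow: an earlier enabled rule covers all six match fields
            if all(covers(above.get(f, ["any"]), r.get(f, ["any"])) for f in MATCH_FIELDS):
                out.append(finding("HIGH", "Shadowed rule", loc,
                                   f"Every flow it matches is matched first by '{above['name']}'.",
                                   "The rule and its action never take effect.", "Reorder or remove it."))
                break
        enabled_above.append(r)
        allow = r.get("action") == "allow"
        if allow and all(is_any(r, f) for f in FULL_SCOPE):
            out.append(finding("CRITICAL", "Overly permissive rule", loc,
                               "any source, any destination, any application, any service.",
                               "Disables the policy for the zones it spans.", "Scope by App-ID and address."))
        if allow and not r.get("profile_setting", {}).get("group"):
            out.append(finding("HIGH", "Allow rule without security profiles", loc, "No profile group attached.",
                               "Permitted traffic is not inspected.", "Attach a best-practice profile group."))
        if r.get("log_end", True) is False:  # Log at Session End defaults to on
            out.append(finding("MEDIUM", "Logging disabled", loc, "log_end is false.",
                               "Matched sessions leave no record.", "Enable Log at Session End."))
        svc = set(r.get("service", ["any"]))
        if is_any(r, "application") and not svc & (ANY | {"application-default"}):
            out.append(finding("MEDIUM", "Port-based rule", loc, f"Application any; matched by service {sorted(svc)}.",
                               "Any application on that port passes; App-ID is bypassed.", "Match the intended App-IDs."))
    last = enabled_above[-1] if enabled_above else None
    if not (last and last.get("action") in ("deny", "drop") and last.get("log_end", True)
            and all(is_any(last, f) for f in MATCH_FIELDS)):
        out.append(finding("MEDIUM", "No logged clean-up rule", "end of rulebase",
                           "Last enabled rule is not a logged any/any deny.",
                           "interzone-default denies without logging, so denied traffic is invisible.",
                           "Add a final any/any deny rule with Log at Session End."))
    return out

def format_finding(f):
    return (f"[{f['severity']}] {f['category']} - {f['title']}\n"
            f"Description: {f['description']}\nLocation: {f['location']}\n"
            f"Risk: {f['risk']}\nRecommendation: {f['recommendation']}")

def severity_counts(findings):
    return Counter(f["severity"] for f in findings)

# Constructed sample rulebase, not a real export.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-web-out", "from": ["trust"], "to": ["untrust"], "source": ["any"],
  "destination": ["any"], "application": ["web-browsing", "ssl"], "service": ["application-default"],
  "action": "allow", "profile_setting": {"group": ["best-practice"]}, "log_end": true},
 {"name": "allow-ssl-only", "from": ["trust"], "to": ["untrust"], "source": ["any"],
  "destination": ["any"], "application": ["ssl"], "service": ["application-default"],
  "action": "allow", "profile_setting": {"group": ["best-practice"]}, "log_end": true},
 {"name": "legacy-tcp-8443", "from": ["trust"], "to": ["dmz"], "source": ["corp-nets"],
  "destination": ["app-servers"], "application": ["any"], "service": ["tcp-8443"],
  "action": "allow", "profile_setting": {"group": ["best-practice"]}, "log_end": true},
 {"name": "old-vendor-access", "disabled": true, "from": ["untrust"], "to": ["dmz"],
  "source": ["vendor-vpn"], "destination": ["app-servers"], "application": ["ssh"],
  "service": ["application-default"], "action": "allow", "log_end": true},
 {"name": "allow-all-temp", "from": ["any"], "to": ["any"], "source": ["any"], "destination": ["any"],
  "application": ["any"], "service": ["any"], "action": "allow", "profile_setting": {}, "log_end": false}
]""")

if __name__ == "__main__":
    fs = audit_security_rules(SAMPLE_RULES)
    print("\n\n".join(format_finding(f) for f in fs), dict(severity_counts(fs)), sep="\n\n")
```

On the sample, allow-ssl-only is shadowed by allow-web-out (ssl is a subset of the earlier rule's applications with identical zones and addresses), legacy-tcp-8443 is port-based, the disabled vendor rule is flagged and skipped, allow-all-temp produces the CRITICAL, missing-profile and no-logging findings, and because the last enabled rule is an allow the rulebase also gets a missing clean-up finding. Swap the JSON for a real export and extend `covers` with group expansion before trusting the shadow results.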
2. NAT Policy Audit
Check for:
- NAT rules without a corresponding security policy rule (security policy is evaluated on pre-NAT addresses and post-NAT zones, so a rule written against the translated address or the pre-NAT zone does not cover the NAT rule)
- Overlapping NAT translations
- Missing bidirectional NAT where expected
- Source NAT exhaustion risks (dynamic IP-and-port pool too small for the expected concurrent session count)
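The first NAT check, correlating destination-NAT rules with security policy, as an added example (not code from this page or from Palo Alto Networks). The NAT-rule shape with destination_translation.translated_address, the security-rule shape, and the ZONE_OF map from address-object names to zones are all assumptions for the example; a real run would derive zones from routing and interface configuration. The sample rules are constructed and deliberately include the classic mistake of writing the inbound rule against the post-NAT address and pre-NAT zone.

```python
"""Destination-NAT to security-policy correlation (added example, not project
code). Assumed shapes: NAT rule with from/to/source/destination and
destination_translation.translated_address; security rule with from/to/source/
destination/action/disabled. zone_of maps address-object names to zones."""
ANY = {"any"}

def covers(outer, inner):
    """'any' is a wildcard; otherwise `outer` must contain every value of `inner`."""
    outer, inner = set(outer), set(inner)
    return bool(outer & ANY) or inner <= outer

def nat_without_security_policy(nat_rules, sec_rules, zone_of):
    """For each destination-NAT rule, look for an enabled allow rule that matches
    the PRE-NAT destination address and the POST-NAT destination zone, which is
    how PAN-OS evaluates security policy. Returns (nat rule name, reason) pairs."""
    missing = []
    for n in nat_rules:
        dt = n.get("destination_translation")
        if not dt:
            continue  # source-NAT only; the pre-NAT zones/addresses are unchanged
        post_zone = zone_of.get(dt["translated_address"])
        if post_zone is None:
            missing.append((n["name"], "translated address is not mapped to a zone"))
            continue
        covered = any(
            s.get("action") == "allow" and not s.get("disabled")
            and covers(s["from"], n["from"]) and covers(s["to"], [post_zone])
            and covers(s["source"], n["source"]) and covers(s["destination"], n["destination"])
            for s in sec_rules)
        if not covered:
            missing.append((n["name"], f"no allow rule from {n['from']} to zone {post_zone} "
                                       f"for pre-NAT destination {n['destination']}"))
    return missing

# Constructed sample data, not a real export.
ZONE_OF = {"dmz-web": "dmz", "dmz-mail": "dmz"}
SAMPLE_NAT = [
    {"name": "dnat-web", "from": ["untrust"], "to": ["untrust"], "source": ["any"],
     "destination": ["public-web-vip"], "destination_translation": {"translated_address": "dmz-web"}},
    {"name": "dnat-mail", "from": ["untrust"], "to": ["untrust"], "source": ["any"],
     "destination": ["public-mail-vip"], "destination_translation": {"translated_address": "dmz-mail"}},
    {"name": "snat-outbound", "from": ["trust"], "to": ["untrust"], "source": ["corp-net"],
     "destination": ["any"], "source_translation": {"dynamic_ip_and_port": {"interface_address": {}}}},
]
SAMPLE_SEC = [
    # correct: pre-NAT destination address, post-NAT zone
    {"name": "allow-inbound-web", "from": ["untrust"], "to": ["dmz"], "source": ["any"],
     "destination": ["public-web-vip"], "action": "allow"},
    # wrong: post-NAT address and pre-NAT zone, so it never matches the NATed session
    {"name": "allow-inbound-mail-wrong", "from": ["untrust"], "to": ["untrust"], "source": ["any"],
     "destination": ["dmz-mail"], "action": "allow"},
]

if __name__ == "__main__":
    for name, why in nat_without_security_policy(SAMPLE_NAT, SAMPLE_SEC, ZONE_OF):
        print(f"[HIGH] NAT Policy - NAT rule without security policy: {name}: {why}")
```

Only dnat-mail is reported: the web rule is written correctly, and the outbound source-NAT rule is skipped because source translation does not change the fields security policy matches on.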
3. Decryption Policy Audit
Check for:
- Traffic bypassing SSL decryption without justification
- Missing decryption profiles on rules
- Expired or soon-to-expire certificates
- No-decrypt rules that are too broad
- Missing forward trust and forward untrust CA certificates
4. GlobalProtect Audit
Check for:
- Weak authentication methods (single-factor password logins, local user database, no MFA or SAML/IdP integration)
- Missing HIP checks (disk encryption, host firewall, patch level)
- Overly permissive split tunnel configuration
- Missing client certificate requirements for high-security environments
- Inactive or unused portals/gateways
5. Object Hygiene
Check for:
- Unused address objects and groups
- Overlapping address definitions
- FQDN objects that fail to resolve
- Empty address groups or service groups
- Duplicate objects with different names
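The object hygiene checks that can be done offline (unused objects and groups, empty groups, duplicates under different names, overlapping definitions) as an added example; it is not code from this page or from Palo Alto Networks. Assumed shapes: an address object carries one of ip_netmask, ip_range or fqdn; a static address group carries a "static" member list. FQDN resolution is left out because it needs network access, and the sample objects are constructed.

```python
"""Address-object hygiene checks (added example, not project code). Assumed
SCM shapes: address object with one of ip_netmask / ip_range / fqdn; static
address group with "static": [member names]. FQDN resolution is not attempted."""
import ipaddress
from collections import defaultdict
from itertools import combinations

def audit_address_objects(addresses, groups, rules):
    """Return (severity, title, location) tuples."""
    findings = []
    # Collect every reference: rule source/destination plus static group membership.
    referenced = {"any"}
    for r in rules:
        for f in ("source", "destination"):
            referenced.update(r.get(f, []))
    for g in groups:
        referenced.update(g.get("static", []))
    defined = {a["name"] for a in addresses} | {g["name"] for g in groups}
    for n in sorted(defined - referenced):
        findings.append(("LOW", "Unused address object or group", n))
    for g in groups:
        if not g.get("static") and not g.get("dynamic"):
            findings.append(("MEDIUM", "Empty address group", g["name"]))
    # Duplicates: identical value under different names. Overlaps: prefix containment.
    by_value, nets = defaultdict(list), []
    for a in addresses:
        for k in ("ip_netmask", "ip_range", "fqdn"):
            if k in a:
                by_value[(k, a[k])].append(a["name"])
        if "ip_netmask" in a:
            nets.append((a["name"], ipaddress.ip_network(a["ip_netmask"], strict=False)))
    for (k, v), names in sorted(by_value.items()):
        if len(names) > 1:
            findings.append(("LOW", "Duplicate objects with different names",
                             f"{', '.join(sorted(names))} ({k} {v})"))
    for (n1, net1), (n2, net2) in combinations(nets, 2):
        if net1 != net2 and net1.overlaps(net2):  # exact duplicates are reported above
            findings.append(("INFO", "Overlapping address definitions", f"{n1} ({net1}) and {n2} ({net2})"))
    return findings

# Constructed sample objects, not a real export.
SAMPLE_ADDRESSES = [
    {"name": "corp-net", "ip_netmask": "10.0.0.0/8"},
    {"name": "corp-hq", "ip_netmask": "10.1.0.0/16"},
    {"name": "dmz-web", "ip_netmask": "192.0.2.10/32"},
    {"name": "dmz-web-old", "ip_netmask": "192.0.2.10/32"},
    {"name": "stale-host", "ip_netmask": "198.51.100.7/32"},
    {"name": "portal-fqdn", "fqdn": "portal.example.com"},
]
SAMPLE_GROUPS = [
    {"name": "app-servers", "static": ["dmz-web", "dmz-web-old"]},
    {"name": "empty-group", "static": []},
]
HYGIENE_RULES = [
    {"name": "allow-corp-to-apps", "source": ["corp-net"], "destination": ["app-servers"]},
    {"name": "allow-portal", "source": ["any"], "destination": ["portal-fqdn"]},
]

if __name__ == "__main__":
    for sev, title, where in audit_address_objects(SAMPLE_ADDRESSES, SAMPLE_GROUPS, HYGIENE_RULES):
        print(f"[{sev}] Object Hygiene - {title}: {where}")
```

Overlap is reported as INFO because nesting a /16 inside a /8 is often intentional; it becomes a problem only when the two objects are used with different actions, which is what the security policy audit's shadow check surfaces.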
6. Compliance Checks
Validate against:
- PAN-OS Best Practice Assessment (BPA): alignment with Palo Alto Networks recommendations
- CIS Palo Alto Benchmark: Center for Internet Security controls
- Zero Trust principles: least-privilege access, micro-segmentation, identity-based policies
Output Format
For each finding, report:
[SEVERITY] Category - Finding Title
Description: What was found
Location: Rule/object name and position
Risk: Why this is a problem
Recommendation: How to fix it
Reference: Link to PAN-OS documentation or best practice guide
Severity levels:
- CRITICAL: Immediate security risk, must fix
- HIGH: Significant security or operational risk
- MEDIUM: Best practice violation, should fix
- LOW: Cosmetic or minor improvement
- INFO: Informational finding, no action required
Summary Report
At the end, provide:
- Score: Overall configuration health score (0-100)
- Finding counts: by severity level
- Top 5 priorities: the most impactful fixes to address first
- Quick wins: low-effort changes with high security impact