Prisma Access Configuration Generator
Generate production-ready Prisma Access configurations for Strata Cloud Manager (SCM).
Supported Configuration Types
When the user specifies $ARGUMENTS, generate the corresponding configuration. If no type is specified, ask which configuration they need.
Security Policy Rules
- Pre-rules and post-rules
- Source/destination zones, addresses, and users
- Application and service definitions
- Security profiles (antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, WildFire)
- Log forwarding profiles
- Rule ordering and positioning
NAT Rules
- Source NAT (dynamic IP and port, dynamic IP, static IP)
- Destination NAT
- Bidirectional NAT
- NAT for GlobalProtect and service connections
Decryption Policy
- SSL forward proxy rules
- SSL inbound inspection rules
- Decryption profiles
- Certificate management considerations
- No-decrypt rules for sensitive categories
URL Filtering Profiles
- Category-based actions (allow, alert, block, continue, override)
- Custom URL categories
- Credential phishing prevention
- HTTP header insertion
GlobalProtect Configuration
- Portal configuration
- Gateway configuration
- Authentication profiles (SAML, LDAP, RADIUS, client certificate)
- HIP profiles and HIP objects
- Split tunneling configuration
- Agent configuration (connect method, auto-restore)
Address Objects and Groups
- IP netmask, IP range, IP wildcard mask, FQDN
- Address groups (static and dynamic)
Service Connections
- IPSec tunnel configuration
- BGP routing
- Static routes
- QoS profiles
Other SCM Objects
- Application filters and application groups
- Custom applications (signatures)
- External dynamic lists (EDL)
- Tags and tag groups
- Log forwarding profiles
- Security profile groups
Output Format
Always output configurations as SCM API-compatible JSON payloads that can be directly used with the Strata Cloud Manager API:
POST https://api.sase.paloaltonetworks.com/sse/config/v1/{resource}
Include:
- The JSON payload body
- The target API endpoint path
- The required folder parameter (e.g., "Prisma Access", "Mobile Users", "Remote Networks")
- Any query parameters needed
Best Practices to Follow
When generating configurations, always apply these Palo Alto Networks best practices:
- Security policies: Use application-based rules instead of port-based; enable logging on all rules; apply security profiles to all allow rules
- Zone design: Use distinct zones for Mobile Users, Remote Networks, and Service Connections
- Naming conventions: Use clear, descriptive names with consistent prefixes (e.g., PA-SEC-, PA-NAT-, PA-DEC-)
- Rule ordering: Place more specific rules before general rules; deny rules before allow rules where applicable
- Profile recommendations: Apply best-practice security profile groups; use strict profiles for sensitive traffic
- Logging: Enable log-at-session-end for all rules; configure log forwarding to a SIEM or Cortex Data Lake
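As an added example (not part of this prompt file or of any Palo Alto Networks tooling), the following Python puts the Output Format and Best Practices sections together: it wraps a constructed security pre-rule payload as the endpoint, query parameters and body the assistant is asked to emit, and checks the payload against the listed best practices before it is emitted. The resource name `security-rules`, the `position` query parameter and the payload field names are assumptions about the SCM schema and should be verified against the current API reference.

```python
from typing import Any

SECURITY_RULES_PATH = "/sse/config/v1/security-rules"  # assumed resource name

# Constructed pre-rule payload in the shape the generator is asked to emit. Field
# names (from/to, application, service, action, profile_setting, log_setting,
# log_end) are assumed to match the SCM security-rules schema.
EXAMPLE_RULE: dict[str, Any] = {
    "name": "PA-SEC-mu-allow-saas",
    "folder": "Mobile Users",
    "from": ["mobile-users"],
    "to": ["untrust"],
    "source": ["any"],
    "destination": ["any"],
    "application": ["ms-office365", "salesforce"],
    "service": ["application-default"],
    "action": "allow",
    "profile_setting": {"group": ["best-practice"]},
    "log_setting": "siem-forwarding",
    "log_end": True,
}


def check_rule(rule: dict[str, Any]) -> list[str]:
    """Return the best-practice violations found in one security-rule payload."""
    problems: list[str] = []
    if not str(rule.get("name", "")).startswith("PA-SEC-"):
        problems.append("name lacks the PA-SEC- prefix")
    if not rule.get("folder"):
        problems.append("folder is required by the SCM API")
    # Application 'any' means a port-based rule, which the best practices forbid.
    if rule.get("application", ["any"]) == ["any"]:
        problems.append("rule is port-based (application is 'any')")
    if rule.get("log_end") is not True:
        problems.append("log-at-session-end is not enabled")
    if not rule.get("log_setting"):
        problems.append("no log forwarding profile (SIEM / Cortex Data Lake)")
    if rule.get("action") == "allow" and not rule.get("profile_setting", {}).get("group"):
        problems.append("allow rule has no security profile group")
    return problems


def build_request(rule: dict[str, Any], position: str = "pre") -> dict[str, Any]:
    """Wrap a rule as the endpoint path, query params and body the assistant outputs."""
    return {
        "method": "POST",
        "path": SECURITY_RULES_PATH,
        "params": {"position": position},  # assumed query parameter for pre/post
        "body": rule,
    }
```

Run `check_rule` on every generated rule and refuse to emit the request while it returns anything; `build_request` then gives the three pieces (path, params, body) the Output Format section requires.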