Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiondeploying-palo-alto-prisma-access-zero-trustExecute the skills CLI command in your project's root directory to begin installation:
Fetches deploying-palo-alto-prisma-access-zero-trust from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate deploying-palo-alto-prisma-access-zero-trust. Access via /deploying-palo-alto-prisma-access-zero-trust in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | deploying-palo-alto-prisma-access-zero-trust |
| description | 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management. ' |
| domain | cybersecurity |
| subdomain | zero-trust-architecture |
| tags | - prisma-access - palo-alto - ztna - sase - globalprotect - strata-cloud-manager - zero-trust |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - GOVERN-1.1 - MEASURE-2.7 - MANAGE-3.1 |
| nist_csf | - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 |
Do not use for small organizations (< 200 users) where simpler ZTNA solutions suffice, for environments requiring only web application access without full network security, or when budget constraints preclude enterprise SASE licensing.
Set up the cloud infrastructure for mobile user and remote network connections.
Strata Cloud Manager > Prisma Access > Infrastructure Settings:
Mobile Users Configuration:
- Service Connection: Auto-selected based on user location
- DNS Servers: 10.1.1.10, 10.1.1.11 (corporate DNS)
- IP Pool for Mobile Users: 10.100.0.0/16
- Authentication: SAML with Okta (Primary), Entra ID (Secondary)
- GlobalProtect Portal: portal.company.com
- GlobalProtect Gateway: Auto (nearest Prisma Access location)
Infrastructure Subnet:
- Range: 172.16.0.0/16
- Allocation: /24 per Prisma Access location
Install ZTNA Connectors to provide secure access to internal applications.
# Deploy ZTNA Connector on VMware (OVA)
# Download OVA from Strata Cloud Manager > Prisma Access > ZTNA Connectors
# AWS deployment via CloudFormation
aws cloudformation create-stack \
--stack-name prisma-ztna-connector \
--template-url https://prisma-access-connector-templates.s3.amazonaws.com/ztna-connector-aws.yaml \
--parameters \
ParameterKey=VpcId,ParameterValue=vpc-PROD \
ParameterKey=SubnetId,ParameterValue=subnet-PRIVATE \
ParameterKey=InstanceType,ParameterValue=m5.xlarge \
ParameterKey=TenantServiceGroup,ParameterValue=TSG_ID \
ParameterKey=ConnectorName,ParameterValue=dc-east-connector-01
# Verify connector registration
# Strata Cloud Manager > Prisma Access > ZTNA Connectors
# Status should show "Connected" with nearest Prisma Access location
# Deploy second connector for HA
# ZTNA Connector auto-discovers nearest Prisma Access location
# IPSec tunnel uses: ecp384/aes256/sha512 for IKE and ESP
# Bandwidth: up to 2 Gbps per connector
Create application definitions pointing to internal applications via ZTNA Connectors.
Strata Cloud Manager > Prisma Access > Applications:
Application 1: Internal Wiki
- FQDN: wiki.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- Health Check: Enabled (HTTP GET /health)
Application 2: Source Code Repository
- FQDN: git.internal.corp
- Ports: TCP 22, 443
- ZTNA Connector: dc-east-connector-01, dc-east-connector-02
- Protocol: HTTPS, SSH
Application 3: Finance ERP
- FQDN: erp.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- User Authentication: Required (re-auth every 2h)
Strata Cloud Manager > Policies > Security Policy:
Rule 1: Engineering Access to Dev Tools
Source: User Group "Engineering" (from Okta SAML)
Destination: Application "Source Code Repository", "Internal Wiki"
HIP Profile: "Managed Device with CrowdStrike"
Action: Allow
Logging: Enabled
Threat Prevention: Best Practice profile
Rule 2: Finance Access to ERP
Source: User Group "Finance"
Destination: Application "Finance ERP"
HIP Profile: "Compliant Device - High Security"
Action: Allow
SSL Decryption: Forward Proxy
DLP Profile: "Financial Data Protection"
Rule 3: Default Deny Private Apps
Source: Any
Destination: Any Private App
Action: Deny
Logging: Enabled
Define device posture requirements using HIP checks.
Strata Cloud Manager > Objects > GlobalProtect > HIP Objects:
HIP Object: "CrowdStrike Running"
- Vendor: CrowdStrike
- Product: Falcon Sensor
- Is Running: Yes
- Minimum Version: 7.10
HIP Object: "Disk Encryption Enabled"
- Windows: BitLocker = Encrypted
- macOS: FileVault = Encrypted
HIP Object: "OS Patch Level"
- Windows: >= 10.0.22631
- macOS: >= 14.0
HIP Profile: "Managed Device with CrowdStrike"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled"
HIP Profile: "Compliant Device - High Security"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled" AND "OS Patch Level"
Roll out the GlobalProtect agent for secure connectivity.
# Deploy GlobalProtect via Intune (Windows)
# MSI download from Strata Cloud Manager > GlobalProtect > Agent Downloads
# GlobalProtect pre-deployment configuration
# pre-deploy.xml for automated portal connection:
cat > pre-deploy.xml << 'EOF'
<GlobalProtect>
<Settings>
<portal>portal.company.com</portal>
<connect-method>pre-logon</connect-method>
<authentication-override>
<generate-cookie>yes</generate-cookie>
<cookie-lifetime>24</cookie-lifetime>
</authentication-override>
</Settings>
</GlobalProtect>
EOF
# Verify GlobalProtect connection status
# GlobalProtect system tray > Settings > Connection Details
# Should show: Connected to nearest Prisma Access gateway
# IPSec tunnel established with full threat prevention
Set up Cortex Data Lake integration and monitoring dashboards.
Strata Cloud Manager > Prisma Access > Monitoring:
Log Forwarding:
- Cortex Data Lake: Enabled (all log types)
- SIEM Forwarding: Splunk HEC (https://splunk-hec.company.com:8088)
- Log Types: Traffic, Threat, URL, WildFire, GlobalProtect, HIP Match
Dashboard Monitoring:
- Mobile Users: Active connections, locations, bandwidth
- ZTNA Connectors: Health, latency, tunnel status
- Security Events: Threats blocked, DLP violations, HIP failures
- Application Usage: Top apps, top users, denied access attempts
Alerting:
- ZTNA Connector down: Email + PagerDuty
- HIP failure rate > 10%: Email to IT
- Threat detected on mobile user: SOC alert
| Term | Definition |
|---|---|
| Prisma Access | Palo Alto's cloud-delivered SASE platform providing FWaaS, SWG, CASB, DLP, and ZTNA from a single architecture |
| ZTNA Connector | VM-based connector establishing IPSec tunnels from internal networks to Prisma Access for private application access |
| GlobalProtect | Endpoint agent providing secure connectivity to Prisma Access with HIP checks and always-on VPN |
| Host Information Profile (HIP) | Device posture checks evaluating endpoint security state (EDR, encryption, patches) before granting access |
| Strata Cloud Manager | Unified management console for Prisma Access, NGFW, and Prisma Cloud security policy |
| Cortex Data Lake | Cloud-based log storage and analytics platform for Palo Alto security telemetry |
Context: A manufacturing company with 5,000 users across 15 offices is consolidating VPN, SWG, and branch firewalls into Prisma Access SASE. Users access 50+ internal applications and need consistent security regardless of location.
Approach:
Pitfalls: ZTNA Connector requires minimum 4 vCPU and 8GB RAM; under-provisioning causes latency. GlobalProtect pre-logon requires machine certificates for authentication before user login. HIP check intervals should be 60 seconds minimum to avoid performance impact. Plan for a 4-6 week pilot before full deployment.
Prisma Access ZTNA Deployment Report
==================================================
Organization: ManufactureCorp
Deployment Date: 2026-02-23
INFRASTRUCTURE:
ZTNA Connectors: 6 (2x DC-East, 2x DC-West, 2x DC-EU)
Prisma Access Locations: 8 (auto-selected)
GlobalProtect Portal: portal.manufacturecorp.com
APPLICATION ACCESS:
Defined Applications: 52
Active ZTNA Connections: 3,247
Average Latency: 12ms
ENDPOINT DEPLOYMENT:
GlobalProtect Deployed: 4,812 / 5,000 (96.2%)
HIP Compliant: 4,567 / 4,812 (94.9%)
HIP Failures: 245 (top: missing patches 120, encryption 85)
SECURITY (last 30 days):
Threats Blocked: 1,234
DLP Violations: 89
URL Blocked: 45,678
WildFire Submissions: 2,345
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
deploying-palo-alto-prisma-access-zero-trust reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: deploying-palo-alto-prisma-access-zero-trust is the kind of skill you can hand to a new teammate without a long onboarding doc.
deploying-palo-alto-prisma-access-zero-trust fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for deploying-palo-alto-prisma-access-zero-trust matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: deploying-palo-alto-prisma-access-zero-trust is the kind of skill you can hand to a new teammate without a long onboarding doc.
deploying-palo-alto-prisma-access-zero-trust fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
deploying-palo-alto-prisma-access-zero-trust is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for deploying-palo-alto-prisma-access-zero-trust matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: deploying-palo-alto-prisma-access-zero-trust is focused, and the summary matches what you get after install.
deploying-palo-alto-prisma-access-zero-trust is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 52