Prisma Access Audit — Prisma Access SASE 安全审计

Name: Prisma Access Audit — Prisma Access SASE 安全审计
Author: Vahagn Madatyan

Vahagn Madatyan

☁️ Prisma Access Audit — Prisma Access SASE 安全审计

v1.0.0

Palo Alto Prisma Access SASE 安全审计技能，对移动用户和远程网络的安全策略进行评估，审查 GlobalProtect Cloud Service 配置，验证服务连接健康状态，评估威胁防护配置文件，并跨 Prisma Access 租户进行 Strata Cloud Manager 姿态分析。

0· 61·0 当前·0 累计

by @vahagn-madatyan (Vahagn Madatyan)·MIT-0

生产力工具

下载技能包

License

MIT-0

最后更新

2026/4/1

安全扫描

VirusTotal

Pending

查看报告

OpenClaw

可疑

medium confidence

技能的行为（Prisma Access API 调用和遥测查询）与其声明的审计目的相匹配，但存在打包和凭证声明的不一致性，以及对所需凭证和遥测端点缺乏明确说明。

评估建议

该技能似乎能实现其声称的功能（针对 Prisma Access 的只读审计），但在安装或提供凭证之前，应解决打包不一致的问题。要求发布者：(1) 明确列出所需凭证和环境变量（OAuth client_id/client_secret vs. Panorama API key vs. Cortex Data Lake token）并提供准确的环境变量名称；(2) 确认最小所需角色（优先选择只读审计员或绑定到 TSG 的服务账户，而非管理员凭证）；(3) 说明如何处理/存储任何检索到的用户/遥测数据（用户名、IP、客户端版本）；(4) 提供针对非生产租户的测试模式或只读验证运行。在这些问题得到解答之前，应避免提供高权限凭证，并优先选择短期、最低权限的服务账户。...

详细分析 ▾

ℹ 用途与能力

名称、描述和 SKILL.md 都描述了 Prisma Access SASE 审计，运行时指令仅调用 Prisma/SCM/Insights API——这与声明的目的相符。然而，提交文件顶部的注册元数据未列出所需的环境变量，而 SKILL.md 元数据声明了必需的 PRISMA_ACCESS_API_KEY，流程文档中描述了 OAuth 客户端凭证或 Panorama API 密钥；这种不匹配（以及前置条件中额外提及的 Cortex Data Lake 访问）不一致，应予以澄清。

✓ 指令范围

指令专注于查询 Strata Cloud Manager、Prisma Access Insights 和（旧版）Panorama Cloud Services 端点，以枚举租户、策略、隧道和遥测数据。这些步骤不指示读取无关的本地文件或向 Palo Alto 域之外的外部端点发送数据。它们将检索潜在的敏感租户/配置和已连接用户遥测数据（用户名、客户端 IP、GP 客户端版本），这对于审计是预期的，但却是必须保护的敏感数据。

✓ 安装机制

这是一个纯指令技能，没有安装规范和代码文件——它不会写入磁盘或下载外部工件。这降低了文件系统/执行风险。

⚠ 凭证需求

SKILL.md 元数据和流程文档引用了 OAuth client_id/client_secret、Panorama 用户名/密码（API 密钥）以及 Cortex Data Lake 访问，但注册级需求未列出任何环境变量。该技能似乎至少需要一个 Prisma 凭证，可能还需要额外的遥测凭证，但这些凭证并未一致地声明。在没有清晰、一致声明的情况下要求多个高权限密钥（client_secret、绑定到 TSG 的服务账户或 Panorama 管理员凭证）是一个比例性和透明度问题。

✓ 持久化与权限

该技能不是始终启用的，仅可由用户调用。它不请求持久安装，不修改其他技能，除了调用文档化的 Palo Alto API 外不声明任何平台权限。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.02026/4/1

Palo Alto Prisma Access SASE 审计技能的首次发布。提供 Prisma Access 跨移动用户和远程网络的安全态势全面审计。评估 GlobalProtect Cloud Service 配置、安全策略、威胁防护配置文件和服务连接健康状态。支持 Strata Cloud Manager 和 Panorama Cloud Services 插件管理的部署。提供策略缺口、配置文件覆盖、隧道状态和配置漂移检查。需要 Prisma Access API 凭证才能使用。

● Pending

安装命令点击复制

官方npx clawhub@latest install prisma-access-audit

镜像加速npx clawhub@latest install prisma-access-audit --registry https://cn.clawhub-mirror.com

技能文档

针对 Palo Alto Prisma Access 租户的安全态势云端审计。与检查单个设备的本地 PAN-OS 防火墙审计不同，此技能评估分布式 SASE 结构：管理移动用户和远程网络站点的安全策略、GlobalProtect Cloud Service 客户端配置、跨计算位置的威胁防护配置文件、到本地数据中心的服务连接健康状态，以及所有流量流中的解密覆盖范围。

涵盖通过 Strata Cloud Manager (SCM) 和传统 Panorama Cloud Services 插件部署管理的 Prisma Access。

有关此审计中使用的 Strata Cloud Manager API 端点、身份验证流程和响应结构，请参阅 references/api-reference.md。

使用场景

从本地防火墙迁移到 Prisma Access 后的安全策略审查
移动用户策略缺口分析——验证 GlobalProtect 用户获得与本地同等或更强的保护
远程网络分支安全验证——确保 IKE/IPSec 隧道在所有站点强制执行一致的策略
威胁防护配置文件覆盖审计——确认防病毒、反间谍软件、漏洞保护和 WildFire 绑定到所有允许规则
服务连接健康评估——验证 Prisma Access 与本地数据中心之间的连接和路由
GlobalProtect 客户端合规性审查——检查客户端版本、HIP 强制和始终在线 VPN 配置
Strata Cloud Manager 配置漂移检测——将运行状态与预期基线进行比较
Prisma Access 基础设施更新或 GlobalProtect 客户端推广前的预升级基线捕获

前置条件

Prisma Access API 凭证——Strata Cloud Manager OAuth 2.0 客户端凭证（带 TSG ID 的服务账户）或传统 Panorama Cloud Services 插件 API 密钥
了解移动用户区域部署——哪些计算位置服务哪些用户群体以及预期的地理覆盖范围
了解远程网络拓扑——站点名称、IKE 对等地址、预期隧道数量以及每个分支的带宽分配
记录的安全策略意图——要检查哪些流量类别、允许/拒绝哪些应用程序，以及每个策略规则预期的 Security Profile Group 分配
GlobalProtect 客户端版本要求——组织可接受的最低客户端版本和 HIP 检查阈值
访问 Cortex Data Lake 进行日志关联——验证策略执行与流量和威胁日志中的预期行为匹配

流程

按顺序遵循此审计流程。每个步骤都建立在前一个发现的基础上。流程从租户级基础设施清单开始，然后按流量类型进行策略分析，最后是日志和可见性验证。

步骤 1：租户和基础设施清单

使用 OAuth 2.0 客户端凭证流程向 Strata Cloud Manager API 进行身份验证。请参阅 references/api-reference.md 了解令牌端点和所需参数。

检索租户信息和计算位置状态：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/prisma-access-config
Authorization: Bearer

记录以下内容：

租户 ID 和 TSG ID——确认您正在审计正确的租户
计算位置——列出移动用户和远程网络的所有活动区域
许可层级——Prisma Access 版本（Business、Business Premium 或 Enterprise）决定可用功能
带宽分配——分配的總带宽和每个区域的分布

枚举移动用户区域和远程网络站点：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-users/regions
GET https://api.sase.paloaltonetworks.com/sse/config/v1/remote-networks

[移动用户] 统计活动计算位置并验证地理覆盖范围是否与组织的用户分布匹配。

[远程网络] 列出所有配置的远程网络站点、其 IKE 网关地址和隧道状态。标记任何显示隧道关闭状态的站点。

步骤 2：安全策略审计（移动用户）

检索应用于 GlobalProtect 移动用户的安全策略：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
?folder=Mobile Users

[移动用户] 根据以下标准评估每个规则：

过度宽松的应用程序： 结合 application: any 和 action: allow 的规则完全绕过 App-ID 识别。标记为严重。
缺少 Security Profile Group： 没有绑定 Security Profile Group 或单独配置文件的允许规则允许流量不受威胁检查。在每个规则上检查 profile_setting。
源/目标范围： 对源和目标地址都使用 any 的规则——评估是否可以使用地址对象或地址组缩小范围。
服务端口使用： 使用 service: any 而非 service: application-default 的规则——当应用程序限制为标准端口时，App-ID 强制执行最强。
规则顺序： 验证已知恶意类别的拒绝/丢弃规则是否在宽松允许规则之前。顺序错误的规则可能在拒绝规则评估之前就允许了流量。

计算 App-ID 采用率：统计使用特定 App-ID 的规则与使用 application: any 的规则的数量。成熟部署的目标是 >80% 的命名 App-ID 使用率。

步骤 3：安全策略审计（远程网络）

检索应用于远程网络站点的安全策略：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
?folder=Remote Networks

[远程网络] 除了步骤 2 中的规则级检查外，还要评估：

IKE/IPSec 隧道配置： 验证加密算法是否符合组织标准（首选 AES-256-GCM，最低 AES-256-CBC）。检查 IKE 版本（需要 IKEv2）、DH 组（最低 Group 14）和 SA 生命周期设置。

GET https://api.sase.paloaltonetworks.com/sse/config/v1/ike-gateways
GET https://api.sase.paloaltonetworks.com/sse/config/v1/ipsec-tunnels

路由验证： 检查每个站点的 BGP 或静态路由配置。对于 BGP，验证对等 ASN、播发的前缀和路由过滤器。对于静态路由，确认下一跳可达性和子网准确性。

GET https://api.sase.paloaltonetworks.com/sse/config/v1/bgp-routing

拆分隧道与完全隧道态势： 确定分支流量是通过 Prisma Access 完全隧道化（推荐用于一致检查）还是拆分隧道化并直接访问互联网。拆分隧道配置必须确保本地 breakout 流量仍然通过安全策略。

带宽分配： 验证每个站点的带宽分配与实际使用情况是否匹配。持续超出分配的站点会出现数据包丢失或性能下降。

步骤 4：威胁防护配置文件评估

检索所有 Security Profile Groups 和单独配置文件：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-profile-groups
GET https://api.sase.paloaltonetworks.com/sse/config/v1/anti-spyware-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/vulnerability-protection-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/wildfire-anti-virus-profiles

评估每种配置文件类型：

防病毒配置文件： 验证所有解码器（HTTP、SMTP、IMAP、POP3、FTP、SMB）的操作设置为 reset-both 或 drop。仅使用 alert 的默认配置文件不足——标记为高风险发现。
反间谍软件配置文件： 检查是否启用了 DNS sinkhole、是否阻止了僵尸网络域，以及间谍软件严重级别 critical/high/medium 是否设置为 reset-both 或 drop。
漏洞保护配置文件： 验证严重和高严重性签名使用 reset-both 操作。默认配置文件对信息性内容使用 alert——可以接受。检查是否存在削弱保护的定制例外。
WildFire 配置文件： 确认所有文件类型（PE、APK、Mac OS X、ELF、PDF、MS Office、JAR、Flash、Linux pkg）都转发到 WildFire 进行分析。验证 WildFire verdict 操作阻止恶意软件和灰色软件。
文件阻止配置文件： 验证高风险文件类型（EXE、DLL、BAT、SCR、MSI）在相关协议上被阻止。

[移动用户] [远程网络] 验证两个文件夹中的所有允许规则都引用包含上述配置文件的 Security Profile Group。没有配置文件绑定的规则将使流量未经检查。

步骤 5：URL 过滤和 DNS 安全审查

URL 过滤和 DNS 安全配置：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/url-filtering-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/dns-security-profiles

URL 过滤类别： 验证高风险类别（恶意软件、网络钓鱼、命令和控制、灰色软件、新注册域名）设置为 block。检查 Advanced URL Filtering 许可证是否处于活动状态，以对未知 URL 进行基于 ML 的内联分析。
自定义 URL 类别： 审查任何自定义 URL 类别的适当性——过于宽松的允许列表类别可能会绕过安全。
DNS 安全： 确认应用了 DNS 安全策略，并且 DNS 层威胁类别（DGA、DNS 隧道化、新发现的域）设置为 sinkhole 或 block。
CASB / SaaS 安全： 如果获得许可，验证 SaaS 应用程序可见性和内联控件是否已配置。检查批准与未批准的 SaaS 应用程序策略。

步骤 6：GlobalProtect 客户端配置

[移动用户] 审查 GlobalProtect Cloud Service 配置：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/global-settings
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-objects

评估以下内容：

客户端版本时效性： 检查跨用户群体部署的当前版本，支持的最低客户端版本。落后于当前主要版本一个以上版本的客户端存在合规风险。从 Prisma Access Insights 查询版本分布。
拆分隧道配置： 验证 GlobalProtect 门户配置是使用完全隧道（所有流量通过 Prisma Access）还是拆分隧道（指定的应用/域绕过隧道）。推荐使用完全隧道以确保一致的安全检查。
HIP（主机信息配置文件）检查： 验证 HIP 对象检查最低 OS 补丁级别、磁盘加密状态、防病毒存在性和时效性、主机防火墙状态以及证书有效性。HIP 配置文件应强制执行合规门控——不合规的设备将获得受限访问。
预登录隧道： 检查是否为机器级身份验证（在用户登录之前）配置了预登录隧道。需要基于机器证书访问的环境需要此配置。
始终在线 VPN 强制： 验证 GlobalProtect 配置强制始终在线 VPN 且没有用户禁用选项。检查禁用覆盖密码保护。
身份验证方法： 审查 SAML、证书或 LDAP/Kerberos 身份验证。建议对移动用户使用带 MFA 的 SAML。

步骤 7：服务连接验证

[服务连接] 验证 Prisma Access 与本地数据中心之间的连接：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/service-connections

评估每个服务连接：

隧道状态： 验证 IKE/IPSec 隧道已建立且稳定（最近没有波动）。检查隧道正常运行时间和最后状态更改。
路由播发： 确认本地路由正确播发到 Prisma Access。验证 Prisma Access 是否将预期的移动用户和远程网络子网播发回本地。
带宽分配： 检查分配的带宽与利用率。接近容量的服务连接会导致移动用户访问本地资源时流量丢失。
QoS 配置： 如果配置了 QoS，验证流量分类和带宽保证是否与业务应用程序优先级一致。
冗余： 验证每个数据中心都存在主用和备用服务连接。单一服务连接是单点故障。检查故障切换行为——主备或双活。

步骤 8：解密策略审查

评估跨 Prisma Access 租户的 SSL/TLS 解密覆盖范围：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
?folder=Mobile Users
GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
?folder=Remote Networks

[移动用户] [远程网络] 检查解密配置：

解密规则覆盖范围： 识别哪些流量流被解密（SSL 转发代理），哪些绕过解密。来自所有用户和分支源的互联网流量应该被解密以进行完整威胁检查。
解密排除： 审查技术排除（证书固定、客户端证书相互 TLS）和平规排除（金融、医疗类别）。验证排除列表最少并有正当理由记录。
证书链： 验证转发信任 CA 证书已正确分发到所有端点。移动用户设备必须信任解密 CA 以避免证书错误。检查证书过期时间。
TLS 版本强制： 验证 TLS 1.0 和 1.1 被阻止或带警报解密。只应允许 TLS 1.2 和 1.3 且无发现。
性能影响： 对于带宽有限的远程网络站点，评估解密处理是否引入延迟。从 Prisma Access Insights 检查与解密相关的性能指标。

步骤 9：日志和可见性

验证日志转发和监控配置：

GET https://api.sase.paloaltonetworks.com/sse/config/v1/log-forwarding-profiles

Cortex Data Lake 转发： 确认所有日志类型（流量、威胁、URL、数据、WildFire、身份验证、HIP 匹配、解密）都转发到 Cortex Data Lake。缺失的日志类型会造成可见性缺口。
日志保留： 验证 Cortex Data Lake 存储分配和保留期限是否符合合规要求。检查容量警告。
自主 DEM（数字体验监控）： 如果获得许可，验证移动用户是否启用了自主 DEM。检查是否为关键 SaaS 应用程序（Microsoft 365、Salesforce、ServiceNow 等）配置了应用程序性能监控目标。
外部 SIEM 转发： 如果日志转发到外部 SIEM，验证 syslog 或 HTTPS 转发是否正常运行，日志摄取速率是否与预期量匹配。
警报配置： 检查关键事件配置警报——隧道关闭、许可证过期、计算位置容量、高威胁量。

阈值表

安全策略覆盖

指标	正常	警告	严重
App-ID 采用（命名 App-ID / 总允许规则）	>80%	50-80%	<50%
Security Profile Group 绑定（带 SPG 的允许规则）	>95%	80-95%	<80%
带 `application: any` + `service: any` 的规则	0	1-3	>3
规则库中的禁用规则	<5% 总数	5-15%	>15%
隐藏/不可达规则	0	1-5	>5

威胁防护配置文件强度

配置文件类型	正常	警告	严重
防病毒——所有解码器的操作	reset-both / drop	1-2 个解码器警报	仅警报或默认未更改
反间谍软件——严重/高严重性操作	reset-both / drop	仅严重时丢弃	仅警报
反间谍软件——DNS sinkhole	启用	不适用	禁用
漏洞保护——严重/高操作	reset-both	仅严重时丢弃	仅警报
WildFire——转发的文件类型	所有文件类型	缺少 1-2 种类型	缺少 >2 种类型或禁用
文件阻止——高风险文件类型	阻止（EXE/DLL/BAT/SCR）	部分覆盖	未配置
URL 过滤——高风险类别	阻止（恶意软件/网络钓鱼/C2）	部分类别警报	允许或未配置
DNS 安全——威胁类别	Sinkhole / 阻止	部分警报	未配置

GlobalProtect 客户端合规性

指标	正常	警告	严重
客户端版本时效性（N-1 主要版本内）	>95% 合规	80-95% 合规	<80% 合规
HIP 合规率（通过 HIP 检查的设备）	>90%	70-90%	<70%
始终在线 VPN 强制	启用，无覆盖	启用，覆盖需密码	禁用
预登录隧道（如需要）	配置并活跃	配置，间歇性	未配置
身份验证方法	带 MFA 的 SAML	无 MFA 的 SAML	LDAP/仅密码

服务连接健康

指标	正常	警告	严重
隧道状态	开启，稳定 >7 天	波动（24 小时内 >2 次状态更改）	关闭
带宽利用率	<70% 已分配	70-90% 已分配	>90% 已分配
冗余	主用 + 备用活跃	单一连接，已配置备份	单一连接，无备份
BGP 对等状态	已建立，交换路由	已建立，缺少路由	关闭/未配置
路由播发准确性	所有预期前缀存在	缺少非关键前缀	缺少关键前缀

解密覆盖

指标	正常	警告	严重
解密的互联网流量	>80% 会话	50-80% 会话	<50% 会话
解密排除数量	<20 类别/域	20-50	>50
TLS 1.0/1.1 流量	阻止	带警报解密	允许不检查
转发信任 CA 证书有效性	>90 天到期	30-90 天	<30 天或已过期

决策树

移动用户策略缺口优先级

移动用户允许规则已识别
├── 是否有 Security Profile Group？
│   ├── 否 → 高：立即添加 SPG
│   │   └── 流量类型？
│   │       ├── 互联网绑定 → 绑定完整 SPG（AV+AS+VP+URL+WF+FB）
│   │       ├── 通过服务连接访问本地 → 标准 SPG（AV+AS+VP）
│   │       └── SaaS 直接访问 → 完整 SPG + URL 过滤 + CASB
│   └── 是 → 检查 SPG 完整性
│       ├── 缺少 WildFire → 中：添加 WF 配置文件以实现零日覆盖
│       ├── 缺少 URL 过滤 → 中：添加 URL 以实现 Web 威胁保护
│       └── 所有配置文件存在 → 正常
│           ├── 应用程序 = any？
│           ├── 是 + 服务 = any → 严重：完全开放规则
│           │   └── 审查 Prisma Access Insights 流量日志以了解实际应用使用情况
│           │   → 用特定 App-ID 替换
│           ├── 是 + 服务 = 特定端口 → 高：端口上的 App-ID 绕过
│           │   └── 从流量日志识别该端口上的应用程序
│           │   → 用命名 App-ID + application-default 替换
│           └── 命名 App-ID → 正常
│               ├── 是否解密？
│               ├── 否 → SPG 检查仅限于元数据
│               │   └── 为此流量流添加解密规则
│               └── 是 → 完整检查有效
│                   └── 是否强制 HIP？
│                       ├── 否 → 评估添加 HIP 配置文件以实现设备合规
│                       └── 是 → 验证 HIP 检查是否符合组织策略

远程网络安全态势修复

远程网络站点已识别
├── 隧道状态？
│   ├── 关闭 → 严重：恢复连接
│   │   ├── 检查 IKE 阶段 1（对等 IP、预共享密钥、提案）
│   │   ├── 检查 IKE 阶段 2（代理 ID、加密不匹配）
│   │   └── 验证本地防火墙允许 IKE/NAT-T（UDP 500/4500）
│   ├── 波动 → 高：调查稳定性
│   │   ├── 检查 DPD（对等死检测）设置
│   │   ├── 审查分支站点的 ISP 稳定性
│   │   └── 验证对等方之间的 SA 生命周期对齐
│   └── 稳定 → 继续策略审计
│       ├── 加密强度？
│       ├── 低于最低标准（3DES、DH Group 2/5）→ 高：升级提案
│       │   └── 目标：AES-256-GCM、IKEv2、DH Group 19/20
│       └── 符合标准 → 正常
│           ├── 路由正确？
│           ├── BGP：缺少预期前缀 → 验证路由过滤和播发
│           ├── 静态：下一跳不正确 → 修正路由配置
│           └── 路由存在且准确 → 正常
│               ├── 拆分隧道还是完全隧道？
│               ├── 拆分隧道无本地安全 → 高：未检查流量风险
│               │   └── 迁移到完全隧道或添加本地安全堆栈
│               └── 完全隧道或带本地检查的拆分隧道 → 正常
│                   └── 带宽是否足够？
│                       ├── >90% 利用率 → 警告：升级分配
│                       ├── 70-90% 利用率 → 监控趋势
│                       └── <70% → 正常

威胁防护配置文件强化路径

威胁防护配置文件审计
├── 使用默认（最佳实践）配置文件？
│   ├── 是 → 可接受的基线
│   │   └── 审查组织定制需求
│   └── 否 → 存在定制配置文件
│       ├── 比默认弱？→ 发现：强化至匹配或超过
│       └── 比默认强？→ 正常，记录定制
│           ├── 防病毒配置文件
│           ├── 任何解码器设置为仅警报？→ 高：更改为 reset-both
│           └── 所有解码器 reset-both/drop → 正常
│           ├── 反间谍软件配置文件
│           ├── DNS sinkhole 禁用？→ 高：立即启用
│           ├── 严重/高严重性 = 警报？→ 高：更改为 reset-both
│           └── 正确配置 → 正常
│           ├── 漏洞保护配置文件
│           ├── 减少覆盖的定制例外？→ 审查每个例外
│           │   └── 仍需要例外？→ 记录正当理由
│           │   └── 不再需要 → 移除例外
│           └── 标准严重性操作 → 正常
│               └── WildFire 配置文件
│                   ├── 未转发文件类型？→ 中：添加缺失的文件类型
│                   ├── verdict 操作 = 警报对于恶意软件？→ 高：更改为丢弃
│                   └── 完整覆盖，阻止恶意软件 → 正常

报告模板

PRISMA ACCESS SASE 审计报告
================================
租户：[租户名称]
租户 ID：[租户 ID]
TSG ID：[TSG ID]
Prisma Access 版本：[Business / Business Premium / Enterprise]
审计日期：[时间戳]
执行者：[操作员/代理]
基础设施概览：
计算位置（移动用户）：[数量] — [区域列表]
远程网络站点：[数量] — [站点列表]
服务连接：[数量] — [数据中心列表]
总带宽分配：[Mbps]
Strata Cloud Manager 版本：[版本]
移动用户发现：
安全规则总数（移动用户文件夹）：[数量]
允许规则：[n] | 拒绝规则：[n] | 丢弃规则：[n]
带 Security Profile Group 的规则：[n] / [允许数量] ([%])
App-ID 采用：[n]% 的允许规则使用命名 App-ID
GlobalProtect 客户端合规性：[n]% 使用当前版本
HIP 合规率：[n]%
发现：
[严重性] [类别] — [描述]
   规则：[规则名称]
   文件夹：移动用户
   问题：[具体问题]
   建议：[具体修复]
远程网络发现：
远程网络站点总数：[数量]
隧道开启的站点：[n] / [总数]
完全隧道态势的站点：[n] / [总数]
安全规则（远程网络文件夹）：[数量]
带 Security Profile Group 的规则：[n] / [允许数量] ([%])
发现：
[严重性] [类别] — [描述]
   站点：[站点名称]
   问题：[具体问题——隧道、路由、策略或加密]
   建议：[具体修复]
威胁防护评估：
配置的 Security Profile Groups：[数量]
防病毒配置文件：[数量] — [强度评估]
反间谍软件配置文件：[数量] — DNS sinkhole：[启用/禁用]
漏洞保护配置文件：[数量] — [定制例外数量]
WildFire 配置文件：[数量] — 转发的文件类型：[列表]
URL 过滤：Advanced URL Filtering 许可证：[活动/非活动]
DNS 安全：[已配置/未配置]
发现：
[严重性] [配置文件类型] — [描述]
   配置文件：[配置文件名称]
   问题：[具体弱点]
   建议：[具体修复]
解密覆盖：
移动用户解密规则：[数量]
远程网络解密规则：[数量]
估计解密的会话：[%]
解密排除：[类别/域数量]
转发信任 CA 过期：[日期]
TLS 1.0/1.1 处理：[阻止/允许/解密]
发现：
[严重性] — [描述]
   范围：[移动用户 / 远程网络 / 两者]
   问题：[具体缺口]
   建议：[具体修复]
服务连接状态：
服务连接：[数量]
所有隧道开启：[是/否]
冗余：[全部冗余 / 发现缺口]
带宽利用率：[平均 %]
发现：
[严重性] — [描述]
   连接：[服务连接名称]
   问题：[隧道、路由、带宽或冗余]
   建议：[具体修复]
严重性摘要：
严重：[数量]
高：[数量]
中：[数量]
低/信息：[数量]
修复路线图：
阶段 1（立即 — 0-7 天）：
[需要立即采取行动的关键发现]
阶段 2（短期 — 7-30 天）：
[高发现和快速修复]
阶段 3（中期 — 30-90 天）：
[中发现、配置文件强化、App-ID 迁移]
阶段 4（持续）：
[持续监控、季度重新审计、策略生命周期]下次审计：[基于发现 — 严重：30 天，高：90 天，清洁：180 天]

故障排除

API 身份验证 — Strata Cloud Manager 与传统方式

Strata Cloud Manager 使用 OAuth 2.0 客户端凭证流程。使用绑定到租户服务组 (TSG) ID 的服务账户进行身份验证。令牌端点是 https://auth.apps.paloaltonetworks.com/oauth2/access_token。

常见身份验证失败：

TSG ID 无效： scope 参数必须包含 tsg_id:。省略此参数或使用错误的 TSG ID 会返回 401 错误。
客户端密钥过期： 服务账户密钥具有可配置的过期时间。通过 Strata Cloud Manager > Identity & Access 重新生成。
角色不足： 服务账户至少需要 Auditor 或 View-Only Administrator 角色才能读取配置。

传统 Panorama Cloud Services 插件 API 使用从 Panorama 生成的 API 密钥。如果组织已迁移到 Strata Cloud Manager，传统 API 可能返回过时的配置。始终确认哪个管理平面是权威的。

计算位置容量

Prisma Access 计算位置在峰值使用期间可能达到容量。如果移动用户连接被拒绝或性能下降：

通过 Prisma Access Insights 或自主 DEM 仪表板检查计算位置利用率。
验证移动用户区域在地理上分布以平衡负载——避免将所有用户集中在一个区域。
审查每个计算位置的带宽分配。分配不足会在真正达到容量之前触发节流。

GlobalProtect 客户端兼容性

GlobalProtect 客户端兼容性问题通常由以下原因引起：

版本不匹配： 云端交付的 GlobalProtect 基础设施独立于客户端软件进行更新。落后两个以上主要版本的客户端可能无法连接或失去功能支持。检查 Prisma Access 兼容性矩阵。
特定于 OS 的问题： macOS 系统扩展要求（Network Extension vs Kernel Extension）在不同 OS 版本之间变化。Windows 客户端可能与第三方 VPN 或端点安全软件冲突。
MDM 部署的配置： 移动设备管理推送的配置文件可能会覆盖门户交付的设置。验证 MDM 配置与门户/网关设置一致。

服务连接 BGP 波动

服务连接上的 BGP 会话不稳定通常由以下原因导致：

保持计时器不匹配： Prisma Access 默认 BGP 保持时间为 90 秒。如果本地对等方使用更短的保持时间，并且由于拥塞而丢失保活，会话将下降。对齐计时器。
路由振荡： 如果本地路由器快速播发和撤回路由，Prisma Access BGP 将跟随。首先检查本地路由稳定性。
MTU 问题： 路径 MTU 不匹配导致 TCP 会话失败，可能影响 BGP。验证服务连接路径上的 MTU——典型的 IPSec 开销需要将 MTU 降低到 1400 或更低。
IKE DPD 敏感性： 激进的死对等检测设置结合瞬态数据包丢失会导致不必要的隧道重建。使用 10 秒的 DPD 间隔和 3 次重试作为基线。

解密证书分发

SSL 转发代理解密需要端点信任 Prisma Access 转发信任 CA 证书。分发挑战包括：

移动用户： 通过 MDM、GPO 或 GlobalProtect 客户端配置推送 CA 证书。通过检查样本设备上的证书存储来验证分发。
远程网络端点： 位于远程网络隧道后面的分支设备也必须信任 CA。如果分支用户通过 Prisma Access 访问互联网，他们的设备需要该证书。
证书过期： 监控转发信任 CA 证书过期。Prisma Access 生成具有可配置生命周期的证书——设置日历提醒以便续订。过期的 CA 会导致所有解密会话因证书错误而失败。
证书固定应用程序： 固定其服务器证书的应用程序（银行应用程序、某些医疗保健门户）将通过 SSL 转发代理失败。将这些添加到解密排除列表并记录正当理由。

Cloud-delivered security posture audit for Palo Alto Prisma Access tenants. Unlike on-premises PAN-OS firewall audits that inspect a single device, this skill evaluates the distributed SASE fabric: security policies governing mobile users and remote network sites, GlobalProtect Cloud Service client configuration, threat prevention profiles applied across compute locations, service connection health to on-premises data centers, and decryption coverage across all traffic flows.

Covers Prisma Access managed through Strata Cloud Manager (SCM) and legacy Panorama Cloud Services plugin deployments. Reference references/api-reference.md for Strata Cloud Manager API endpoints, authentication flows, and response structures used throughout this audit.

When to Use

Security policy review after SASE migration from on-premises firewalls to Prisma Access
Mobile user policy gap analysis — verifying GlobalProtect users receive equivalent or stronger protection than on-premises
Remote network branch security validation — ensuring IKE/IPSec tunnels enforce consistent policy across all sites
Threat prevention profile coverage audit — confirming antivirus, anti-spyware, vulnerability protection, and WildFire are bound to all allow rules
Service connection health assessment — validating connectivity and routing between Prisma Access and on-premises data centers
GlobalProtect client compliance review — checking client versions, HIP enforcement, and always-on VPN configuration
Strata Cloud Manager configuration drift detection — comparing running state against intended baseline
Pre-upgrade baseline capture before Prisma Access infrastructure updates or GlobalProtect client rollouts

Prerequisites

Prisma Access API credentials — either Strata Cloud Manager OAuth 2.0 client credentials (Service Account with TSG ID) or legacy Panorama Cloud Services plugin API key
Understanding of mobile user region deployment — which compute locations serve which user populations and the expected geographic coverage
Knowledge of remote network topology — site names, IKE peer addresses, expected tunnel counts, and bandwidth allocations per branch
Documented security policy intent — which traffic categories to inspect, which applications to allow/deny, and expected Security Profile Group assignments per policy rule
GlobalProtect client version requirements — minimum acceptable client version and HIP check thresholds for the organization
Access to Cortex Data Lake for log correlation — verifying that policy enforcement matches expected behavior in traffic and threat logs

Procedure

Follow this audit flow sequentially. Each step builds on prior findings. The procedure moves from tenant-level infrastructure inventory through policy analysis per traffic type to logging and visibility validation.

Step 1: Tenant and Infrastructure Inventory

Authenticate to the Strata Cloud Manager API using OAuth 2.0 client credentials flow. See references/api-reference.md for the token endpoint and required parameters.

Retrieve tenant information and compute location status:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/prisma-access-config
Authorization: Bearer

Record the following:

Tenant ID and TSG ID — confirm you are auditing the correct tenant
Compute locations — list all active regions for mobile users and remote networks
License tier — Prisma Access edition (Business, Business Premium, or Enterprise) determines available features
Bandwidth allocation — total allocated bandwidth and per-region distribution

Enumerate mobile user regions and remote network sites:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-users/regions
GET https://api.sase.paloaltonetworks.com/sse/config/v1/remote-networks

[Mobile Users] Count active compute locations and verify geographic coverage matches the organization's user distribution.

[Remote Networks] List all configured remote network sites, their IKE gateway addresses, and tunnel status. Flag any site showing tunnel-down state.

Step 2: Security Policy Audit (Mobile Users)

Retrieve security policies applied to GlobalProtect mobile users:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
  ?folder=Mobile Users

[Mobile Users] Evaluate each rule against these criteria:

Overly permissive application: Rules with application: any combined

with action: allow bypass App-ID identification entirely. Flag as Critical.

Missing Security Profile Group: Allow rules without a bound Security

Profile Group or individual profiles permit traffic without threat inspection. Check profile_setting on each rule.

Source/destination scope: Rules using any for both source and

destination address — evaluate whether address objects or address groups can narrow the scope.

Service port usage: Rules using service: any instead of

service: application-default — App-ID enforcement is strongest when applications are restricted to their standard ports.

Rule ordering: Verify that deny/drop rules for known-bad categories

precede broad allow rules. Misordered rules may permit traffic before a deny can evaluate.

Calculate the App-ID adoption ratio: count rules using specific App-IDs versus rules with application: any. Mature deployments target >80% named App-ID usage.

Step 3: Security Policy Audit (Remote Networks)

Retrieve security policies applied to remote network sites:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules
  ?folder=Remote Networks

[Remote Networks] In addition to the rule-level checks in Step 2, evaluate:

IKE/IPSec tunnel configuration: Verify encryption algorithms meet

organizational standards (AES-256-GCM preferred, minimum AES-256-CBC). Check IKE version (IKEv2 required), DH group (minimum Group 14), and SA lifetime settings.

GET https://api.sase.paloaltonetworks.com/sse/config/v1/ike-gateways
GET https://api.sase.paloaltonetworks.com/sse/config/v1/ipsec-tunnels

Routing validation: Check BGP or static route configuration per site.

For BGP, verify peer ASN, advertised prefixes, and route filters. For static routes, confirm next-hop reachability and subnet accuracy.

GET https://api.sase.paloaltonetworks.com/sse/config/v1/bgp-routing

Split-tunnel vs full-tunnel posture: Determine whether branch traffic

is fully tunneled through Prisma Access (recommended for consistent inspection) or split-tunneled with direct internet breakout. Split-tunnel configurations must ensure local breakout traffic still traverses a security policy.

Bandwidth allocation: Verify per-site bandwidth allocation matches

actual usage. Sites consistently exceeding allocation experience packet drops or degraded performance.

Step 4: Threat Prevention Profile Assessment

Retrieve all Security Profile Groups and individual profiles:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/security-profile-groups
GET https://api.sase.paloaltonetworks.com/sse/config/v1/anti-spyware-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/vulnerability-protection-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/wildfire-anti-virus-profiles

Evaluate each profile type:

Antivirus profile: Verify action is set to reset-both or drop for

all decoders (HTTP, SMTP, IMAP, POP3, FTP, SMB). Default profiles using alert only are insufficient — flag as High finding.

Anti-Spyware profile: Check that DNS sinkhole is enabled, botnet

domains are blocked, and spyware severity levels critical/high/medium are set to reset-both or drop.

Vulnerability Protection profile: Verify that critical and high

severity signatures use reset-both action. Default profile uses alert for informational — acceptable. Check for custom exceptions that weaken protection.

WildFire profile: Confirm all file types (PE, APK, Mac OS X, ELF,

PDF, MS Office, JAR, Flash, Linux pkg) are forwarded to WildFire for analysis. Verify WildFire verdict actions block malicious and grayware.

File Blocking profile: Validate that high-risk file types (EXE, DLL,

BAT, SCR, MSI) are blocked on relevant protocols.

[Mobile Users] [Remote Networks] Verify that all allow rules in both folders reference a Security Profile Group containing the above profiles. Rules without profile binding pass traffic uninspected.

Step 5: URL Filtering and DNS Security

Review URL Filtering and DNS Security configurations:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/url-filtering-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/dns-security-profiles

URL Filtering categories: Verify that high-risk categories (malware,

phishing, command-and-control, grayware, newly-registered-domain) are set to block. Check that the Advanced URL Filtering license is active for inline ML-based analysis of unknown URLs.

Custom URL categories: Review any custom URL categories for

appropriateness — overly broad allow-list categories can bypass security.

DNS Security: Confirm DNS Security policy is applied and that

DNS-layer threat categories (DGA, DNS tunneling, newly seen domains) are set to sinkhole or block.

CASB / SaaS Security: If licensed, verify that SaaS application

visibility and inline controls are configured. Check for sanctioned vs unsanctioned SaaS application policies.

Step 6: GlobalProtect Client Configuration

[Mobile Users] Review GlobalProtect Cloud Service configuration:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/global-settings
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-profiles
GET https://api.sase.paloaltonetworks.com/sse/config/v1/hip-objects

Evaluate the following:

Client version currency: Check minimum supported client version

against the currently deployed versions across the user population. Clients older than the current major release minus one are a compliance risk. Query Prisma Access Insights for version distribution.

Split-tunnel configuration: Verify whether the GlobalProtect portal

configuration uses full-tunnel (all traffic through Prisma Access) or split-tunnel (specified apps/domains bypass the tunnel). Full-tunnel is recommended for consistent security inspection.

HIP (Host Information Profile) checks: Verify that HIP objects check

for minimum OS patch level, disk encryption status, antivirus presence and currency, host firewall state, and certificate validity. HIP profiles should enforce compliance gates — non-compliant devices receive restricted access.

Pre-logon tunnel: Check whether a pre-logon tunnel is configured for

machine-level authentication before user login. Required for environments needing machine certificate-based access.

Always-on VPN enforcement: Verify that the GlobalProtect configuration

enforces always-on VPN with no user-disable option. Check for disable- override password protection.

Authentication method: Review SAML, certificate, or LDAP/Kerberos

authentication. SAML with MFA is recommended for mobile users.

Step 7: Service Connection Validation

[Service Connections] Verify connectivity between Prisma Access and on-premises data centers:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/service-connections

Evaluate each service connection:

Tunnel status: Verify IKE/IPSec tunnel is established and has been

stable (no recent flaps). Check tunnel uptime and last state change.

Routing advertisements: Confirm that on-premises routes are correctly

advertised to Prisma Access via BGP. Verify that Prisma Access is advertising the expected mobile user and remote network subnets back to on-premises.

Bandwidth allocation: Check allocated bandwidth versus utilization.

Service connections nearing capacity cause traffic drops for mobile users accessing on-premises resources.

QoS configuration: If QoS is configured, verify traffic classification

and bandwidth guarantees align with business application priority.

Redundancy: Verify that primary and secondary service connections exist

for each data center. Single service connections are a single point of failure. Check failover behavior — active/passive or active/active.

Step 8: Decryption Policy Review

Evaluate SSL/TLS decryption coverage across the Prisma Access tenant:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
  ?folder=Mobile Users
GET https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules
  ?folder=Remote Networks

[Mobile Users] [Remote Networks] Check decryption configuration:

Decryption rule coverage: Identify which traffic flows are decrypted

(SSL Forward Proxy) and which bypass decryption. Internet-bound traffic from all user and branch sources should be decrypted for full threat inspection.

Decryption exclusions: Review technical exclusions (certificate

pinning, client certificate mutual TLS) and compliance exclusions (financial, healthcare categories). Verify exclusion lists are minimal and documented with justification.

Certificate chain: Validate that the forward trust CA certificate is

properly distributed to all endpoints. Mobile user devices must trust the decryption CA to avoid certificate errors. Check certificate expiration.

TLS version enforcement: Verify that TLS 1.0 and 1.1 are blocked or

decrypted with alerts. Only TLS 1.2 and 1.3 should be permitted without findings.

Performance impact: For remote network sites with limited bandwidth,

assess whether decryption processing introduces latency. Check Prisma Access Insights for decryption-related performance metrics.

Step 9: Logging and Visibility

Verify log forwarding and monitoring configuration:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/log-forwarding-profiles

Cortex Data Lake forwarding: Confirm that all log types (traffic,

threat, URL, data, WildFire, authentication, HIP match, decryption) are forwarded to Cortex Data Lake. Missing log types create visibility gaps.

Log retention: Verify Cortex Data Lake storage allocation and

retention periods meet compliance requirements. Check for capacity warnings.

Autonomous DEM (Digital Experience Monitoring): If licensed, verify

that Autonomous DEM is enabled for mobile users. Check that application performance monitoring targets are configured for critical SaaS applications (Microsoft 365, Salesforce, ServiceNow, etc.).

External SIEM forwarding: If logs are forwarded to an external SIEM,

verify syslog or HTTPS forwarding is functional and that log ingestion rates match expected volume.

Alert configuration: Check for configured alerts on critical events —

tunnel down, license expiration, compute location capacity, high threat volume.

Threshold Tables

Security Policy Coverage

Metric	Normal	Warning	Critical
App-ID adoption (named App-IDs / total allow rules)	>80%	50-80%	<50%
Security Profile Group binding (allow rules with SPG)	>95%	80-95%	<80%
Rules with `application: any` + `service: any`	0	1-3	>3
Disabled rules in rulebase	<5% of total	5-15%	>15%
Shadowed / unreachable rules	0	1-5	>5

Threat Prevention Profile Strength

Profile Type	Normal	Warning	Critical
Antivirus — action on all decoders	reset-both / drop	alert on 1-2 decoders	alert-only or default unchanged
Anti-Spyware — crit/high severity action	reset-both / drop	drop on critical only	alert-only
Anti-Spyware — DNS sinkhole	Enabled	N/A	Disabled
Vulnerability Protection — crit/high action	reset-both	drop on critical only	alert-only
WildFire — file types forwarded	All file types	Missing 1-2 types	Missing >2 types or disabled
File Blocking — high-risk file types	Blocked (EXE/DLL/BAT/SCR)	Partial coverage	Not configured
URL Filtering — high-risk categories	Block (malware/phishing/C2)	Alert on some categories	Allow or not configured
DNS Security — threat categories	Sinkhole / block	Alert on some	Not configured

GlobalProtect Client Compliance

Metric	Normal	Warning	Critical
Client version currency (within N-1 major)	>95% compliant	80-95% compliant	<80% compliant
HIP compliance rate (devices passing HIP checks)	>90%	70-90%	<70%
Always-on VPN enforcement	Enabled, no override	Enabled with override password	Disabled
Pre-logon tunnel (if required)	Configured and active	Configured, intermittent	Not configured
Authentication method	SAML with MFA	SAML without MFA	LDAP/password only

Service Connection Health

Metric	Normal	Warning	Critical
Tunnel status	Up, stable >7d	Flapping (>2 state changes/24h)	Down
Bandwidth utilization	<70% allocated	70-90% allocated	>90% allocated
Redundancy	Primary + secondary active	Single connection, backup configured	Single connection, no backup
BGP peer state	Established, routes exchanged	Established, missing routes	Down / not configured
Route advertisement accuracy	All expected prefixes present	Missing non-critical prefixes	Missing critical prefixes

Decryption Coverage

Metric	Normal	Warning	Critical
Internet-bound traffic decrypted	>80% of sessions	50-80% of sessions	<50% of sessions
Decryption exclusion count	<20 categories/domains	20-50	>50
TLS 1.0/1.1 traffic	Blocked	Decrypted with alert	Permitted without inspection
Forward trust CA certificate validity	>90 days to expiry	30-90 days	<30 days or expired

Decision Trees

Mobile User Policy Gap Prioritization

Mobile User allow rule identified
├── Has Security Profile Group?
│   ├── No → HIGH: Add SPG immediately
│   │   └── Traffic type?
│   │       ├── Internet-bound → Bind full SPG (AV+AS+VP+URL+WF+FB)
│   │       ├── Access to on-prem via service connection → Standard SPG (AV+AS+VP)
│   │       └── SaaS direct access → Full SPG + URL Filtering + CASB
│   └── Yes → Check SPG completeness
│       ├── Missing WildFire → Medium: Add WF profile for zero-day coverage
│       ├── Missing URL Filtering → Medium: Add URL for web threat protection
│       └── All profiles present → OK
│
├── Application = any?
│   ├── Yes + Service = any → CRITICAL: Fully open rule
│   │   └── Review Prisma Access Insights traffic logs for actual app usage
│   │       → Replace with specific App-IDs
│   ├── Yes + Service = specific port → HIGH: App-ID bypass on port
│   │   └── Identify applications on that port from traffic logs
│   │       → Replace with named App-IDs + application-default
│   └── Named App-IDs → OK
│
├── Decrypted?
│   ├── No → SPG inspection limited to metadata
│   │   └── Add decryption rule for this traffic flow
│   └── Yes → Full inspection effective
│
└── HIP-enforced?
    ├── No → Evaluate adding HIP profile for device compliance
    └── Yes → Verify HIP checks match organizational policy

Remote Network Security Posture Remediation

Remote network site identified
├── Tunnel status?
│   ├── Down → CRITICAL: Restore connectivity
│   │   ├── Check IKE Phase 1 (peer IP, pre-shared key, proposals)
│   │   ├── Check IKE Phase 2 (proxy IDs, encryption mismatch)
│   │   └── Verify on-prem firewall allows IKE/NAT-T (UDP 500/4500)
│   ├── Flapping → HIGH: Investigate stability
│   │   ├── Check DPD (Dead Peer Detection) settings
│   │   ├── Review ISP stability at branch site
│   │   └── Verify SA lifetime alignment between peers
│   └── Stable → Continue to policy audit
│
├── Encryption strength?
│   ├── Below minimum (3DES, DH Group 2/5) → HIGH: Upgrade proposals
│   │   └── Target: AES-256-GCM, IKEv2, DH Group 19/20
│   └── Meets standard → OK
│
├── Routing correct?
│   ├── BGP: Missing expected prefixes → Verify route filters and advertisements
│   ├── Static: Incorrect next-hop → Correct route configuration
│   └── Routes present and accurate → OK
│
├── Split-tunnel or full-tunnel?
│   ├── Split-tunnel without local security → HIGH: Risk of uninspected traffic
│   │   └── Migrate to full-tunnel or add local security stack
│   └── Full-tunnel or split with local inspection → OK
│
└── Bandwidth adequate?
    ├── >90% utilization → WARNING: Upgrade allocation
    ├── 70-90% utilization → Monitor trend
    └── <70% → OK

Threat Prevention Profile Strengthening Path

Threat prevention profile audit
├── Using default (best-practice) profiles?
│   ├── Yes → Acceptable baseline
│   │   └── Review for organizational customization needs
│   └── No → Custom profiles exist
│       ├── Weaker than defaults? → FINDING: Strengthen to match or exceed
│       └── Stronger than defaults? → OK, document customizations
│
├── Antivirus profile
│   ├── Any decoder set to alert-only? → HIGH: Change to reset-both
│   └── All decoders reset-both/drop → OK
│
├── Anti-Spyware profile
│   ├── DNS sinkhole disabled? → HIGH: Enable immediately
│   ├── Critical/high severity = alert? → HIGH: Change to reset-both
│   └── Properly configured → OK
│
├── Vulnerability Protection profile
│   ├── Custom exceptions reducing coverage? → Review each exception
│   │   └── Exception still required? → Document justification
│   │       └── No longer needed → Remove exception
│   └── Standard severity actions → OK
│
└── WildFire profile
    ├── File types not forwarded? → Medium: Add missing file types
    ├── Verdict action = alert for malicious? → HIGH: Change to drop
    └── Full coverage, block malicious → OK

Report Template

PRISMA ACCESS SASE AUDIT REPORT
=================================
Tenant: [tenant name]
Tenant ID: [tenant ID]
TSG ID: [TSG ID]
Prisma Access Edition: [Business / Business Premium / Enterprise]
Audit Date: [timestamp]
Performed By: [operator/agent]
INFRASTRUCTURE OVERVIEW:
Compute locations (Mobile Users): [count] — [region list]
Remote network sites: [count] — [site list]
Service connections: [count] — [data center list]
Total bandwidth allocation: [Mbps]
Strata Cloud Manager version: [version]
MOBILE USER FINDINGS:
Total security rules (Mobile Users folder): [count]
Allow rules: [n] | Deny rules: [n] | Drop rules: [n]
Rules with Security Profile Groups: [n] / [allow count] ([%])
App-ID adoption: [n]% of allow rules use named App-IDs
GlobalProtect client compliance: [n]% on current version
HIP compliance rate: [n]%
  Findings:
  1. [Severity] [Category] — [Description]
     Rule: [rule name]
     Folder: Mobile Users
     Issue: [specific problem]
     Recommendation: [specific remediation]
REMOTE NETWORK FINDINGS:
Total remote network sites: [count]
Sites with tunnel up: [n] / [total]
Sites with full-tunnel posture: [n] / [total]
Security rules (Remote Networks folder): [count]
Rules with Security Profile Groups: [n] / [allow count] ([%])
  Findings:
  1. [Severity] [Category] — [Description]
     Site: [site name]
     Issue: [specific problem — tunnel, routing, policy, or encryption]
     Recommendation: [specific remediation]
THREAT PREVENTION ASSESSMENT:
Security Profile Groups configured: [count]
Antivirus profiles: [count] — [strength assessment]
Anti-Spyware profiles: [count] — DNS sinkhole: [enabled/disabled]
Vulnerability Protection profiles: [count] — [custom exceptions count]
WildFire profiles: [count] — file types forwarded: [list]
URL Filtering: Advanced URL Filtering license: [active/inactive]
DNS Security: [configured/not configured]
  Findings:
  1. [Severity] [Profile Type] — [Description]
     Profile: [profile name]
     Issue: [specific weakness]
     Recommendation: [specific remediation]
DECRYPTION COVERAGE:
Mobile User decryption rules: [count]
Remote Network decryption rules: [count]
Estimated sessions decrypted: [%]
Decryption exclusions: [count categories/domains]
Forward trust CA expiry: [date]
TLS 1.0/1.1 handling: [blocked/allowed/decrypted]
  Findings:
  1. [Severity] — [Description]
     Scope: [Mobile Users / Remote Networks / Both]
     Issue: [specific gap]
     Recommendation: [specific remediation]
SERVICE CONNECTION STATUS:
Service connections: [count]
All tunnels up: [yes/no]
Redundancy: [all redundant / gaps identified]
Bandwidth utilization: [average %]
  Findings:
  1. [Severity] — [Description]
     Connection: [service connection name]
     Issue: [tunnel, routing, bandwidth, or redundancy]
     Recommendation: [specific remediation]
SEVERITY SUMMARY:
Critical: [count]
High: [count]
Medium: [count]
Low / Informational: [count]
REMEDIATION ROADMAP:
Phase 1 (Immediate — 0-7 days):
  - [Critical findings requiring immediate action]
Phase 2 (Short-term — 7-30 days):
  - [High findings and quick wins]
Phase 3 (Medium-term — 30-90 days):
  - [Medium findings, profile hardening, App-ID migration]
Phase 4 (Ongoing):
  - [Continuous monitoring, quarterly re-audit, policy lifecycle]NEXT AUDIT: [based on findings — CRITICAL: 30d, HIGH: 90d, clean: 180d]

Troubleshooting

API Authentication — Strata Cloud Manager vs Legacy

Strata Cloud Manager uses OAuth 2.0 client credentials flow. Authenticate with a Service Account bound to a Tenant Service Group (TSG) ID. The token endpoint is https://auth.apps.paloaltonetworks.com/oauth2/access_token. Common authentication failures:

Invalid TSG ID: The scope parameter must include tsg_id:.

Omitting this or using an incorrect TSG ID returns a 401 error.

Expired client secret: Service Account secrets have configurable

expiration. Regenerate via Strata Cloud Manager > Identity & Access.

Insufficient role: The Service Account must have at minimum the

Auditor or View-Only Administrator role to read configuration.

Legacy Panorama Cloud Services plugin API uses an API key generated from Panorama. If the organization has migrated to Strata Cloud Manager, the legacy API may return stale configuration. Always confirm which management plane is authoritative.

Compute Location Capacity

Prisma Access compute locations can reach capacity during peak usage. If mobile user connections are refused or performance degrades:

Check compute location utilization via Prisma Access Insights or the

Autonomous DEM dashboard.

Verify that mobile user regions are distributed geographically to

balance load — avoid funneling all users through a single region.

Review bandwidth allocation per compute location. Insufficient allocation

triggers throttling before true capacity is reached.

GlobalProtect Client Compatibility

GlobalProtect client compatibility issues commonly arise from:

Version mismatch: Cloud-delivered GlobalProtect infrastructure updates

independently from client software. Clients more than two major versions behind may fail to connect or lose feature support. Check the Prisma Access compatibility matrix.

OS-specific issues: macOS system extension requirements (Network

Extension vs Kernel Extension) change across OS versions. Windows clients may conflict with third-party VPN or endpoint security software.

MDM-deployed configuration: Mobile Device Management-pushed profiles

may override portal-delivered settings. Verify MDM configuration aligns with portal/gateway settings.

Service Connection BGP Flapping

BGP session instability on service connections typically results from:

Hold timer mismatch: Prisma Access uses a default BGP hold time of

90 seconds. If the on-premises peer uses a shorter hold time and keepalives are lost due to congestion, the session drops. Align timers.

Route oscillation: If the on-premises router advertises and withdraws

routes rapidly, Prisma Access BGP will follow. Check on-premises routing stability first.

MTU issues: Path MTU mismatches cause TCP session failures that can

affect BGP. Verify MTU along the service connection path — typical IPSec overhead requires reducing MTU to 1400 or lower.

IKE DPD sensitivity: Aggressive Dead Peer Detection settings combined

with transient packet loss cause unnecessary tunnel rebuilds. Use a DPD interval of 10 seconds with a retry of 3 as a baseline.

Decryption Certificate Distribution

SSL Forward Proxy decryption requires endpoints to trust the Prisma Access forward trust CA certificate. Distribution challenges include:

Mobile users: Push the CA certificate via MDM, GPO, or GlobalProtect

client configuration. Verify distribution by checking certificate store on sample devices.

Remote network endpoints: Branch devices behind remote network tunnels

must also trust the CA. If branch users access the internet via Prisma Access, their devices need the certificate.

Certificate expiration: Monitor forward trust CA certificate expiration.

Prisma Access generates certificates with configurable lifetimes — set calendar reminders for renewal. An expired CA causes all decrypted sessions to fail with certificate errors.

Certificate pinning applications: Applications that pin their server

certificates (banking apps, certain healthcare portals) will fail through SSL Forward Proxy. Add these to the decryption exclusion list with documented justification.

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

使用场景

前置条件

流程

步骤 1：租户和基础设施清单

步骤 2：安全策略审计（移动用户）

步骤 3：安全策略审计（远程网络）

步骤 4：威胁防护配置文件评估

步骤 5：URL 过滤和 DNS 安全审查

步骤 6：GlobalProtect 客户端配置

步骤 7：服务连接验证

步骤 8：解密策略审查

步骤 9：日志和可见性

阈值表

安全策略覆盖

威胁防护配置文件强度

GlobalProtect 客户端合规性

服务连接健康

解密覆盖

决策树

移动用户策略缺口优先级

远程网络安全态势修复

威胁防护配置文件强化路径

报告模板

故障排除

API 身份验证 — Strata Cloud Manager 与传统方式

计算位置容量

GlobalProtect 客户端兼容性

服务连接 BGP 波动

解密证书分发

When to Use

Prerequisites

Procedure

Step 1: Tenant and Infrastructure Inventory

Step 2: Security Policy Audit (Mobile Users)

Step 3: Security Policy Audit (Remote Networks)

Step 4: Threat Prevention Profile Assessment

Step 5: URL Filtering and DNS Security

Step 6: GlobalProtect Client Configuration

Step 7: Service Connection Validation

Step 8: Decryption Policy Review

Step 9: Logging and Visibility

Threshold Tables

Security Policy Coverage

Threat Prevention Profile Strength

GlobalProtect Client Compliance

Service Connection Health

Decryption Coverage

Decision Trees

Mobile User Policy Gap Prioritization

Remote Network Security Posture Remediation

Threat Prevention Profile Strengthening Path

Report Template

Troubleshooting

API Authentication — Strata Cloud Manager vs Legacy

Compute Location Capacity

GlobalProtect Client Compatibility

Service Connection BGP Flapping

Decryption Certificate Distribution

安装命令点击复制