# Palo Alto Networks SASE/Prisma Access

### Overview

The Veza integration for Palo Alto Networks enables the discovery of applications, users, roles, and permissions from the Palo Alto Networks SASE platform. Veza uses Palo Alto Networks APIs to populate the Access Graph with entities and metadata.

This document explains how to enable and create a Palo Alto Networks integration. See [notes and supported entities](#notes-and-supported-entities) for more details.

### Configuring Palo Alto Networks SASE / Prisma Access

Before adding the integration to Veza, create a service account for the connection and record your tenant ID.

To create a service user on the Palo Alto Networks platform, follow these steps:

1. Browse to your Strata Cloud Manager instance as an administrator.
2. In the left navigation pane, click the **Settings** gear. Click **Identity & Access**.
3. In the **Identity & Access** pane that appears, record and store the tenant ID (TSG ID) displayed at the top of the pane, then click the **Add Identity** button.
4. In the modal that appears, provide the following information:
   * **Identity Type**: `Service Account`
   * **Service Account Name**: Enter a unique name for the service account (ex: `svc-veza-integration`)
   * **Service Account Contact**: Enter an optional email for the owner of the service account
   * **Description**: Enter an optional description for the service account's purpose
5. Click **Next**.
6. On the **Client Credentials** screen that appears, copy and save the **Client ID** and **Client Secret**. Click **Next**.
7. On the **Assign Roles** screen, click the dropdown menu under **Apps & Services** and enable `All Apps & Services`. Click the **Role** box and pick `View Only Administrator`.

### Configuring Palo Alto Networks on the Veza Platform

To enable Veza to gather data from the Palo Alto Networks platform, follow these steps:

1. In Veza, open the **Integrations** page.
2. Click **Add New** and pick Palo Alto Networks as the type of integration to add. Click **Next**.
3. Enter the required information (below) and Save the configuration.

| Field         | Notes                                                                                                                                            |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| Name          | A unique display name for the Palo Alto Networks connection                                                                                      |
| Client ID     | The Client ID recorded earlier                                                                                                                   |
| Client Secret | The Client Secret recorded earlier                                                                                                               |
| Tenant ID     | The Tenant ID recorded earlier                                                                                                                   |
| Region        | The `x-panw-region` for the tenant. See [Palo Alto Documentation](https://pan.dev/sase/docs/api-call/#x-panw-region-values) for available values |
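Before saving the integration, it is worth confirming that the four values above actually yield a token for the intended tenant. The script below is an added example (not Veza's or Palo Alto Networks' own tooling) that performs that pre-flight check. It assumes the Prisma SASE OAuth2 token endpoint at `https://auth.apps.paloaltonetworks.com/am/oauth2/access_token`, the `client_credentials` grant with HTTP Basic client authentication, and a scope of the form `tsg_id:<TENANT_ID>`; confirm these against the pan.dev documentation linked above before relying on them. The `x-panw-region` header is only attached to subsequent API calls, as the table describes.

```python
"""Pre-flight check for the Palo Alto Networks service-account credentials.

Added example, not part of Veza or Palo Alto Networks. Assumptions:
  * token endpoint: https://auth.apps.paloaltonetworks.com/am/oauth2/access_token
  * OAuth2 client_credentials grant, HTTP Basic client auth
  * scope string "tsg_id:<TENANT_ID>"
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.apps.paloaltonetworks.com/am/oauth2/access_token"  # assumed endpoint


def build_token_request(client_id: str, client_secret: str, tsg_id: str) -> urllib.request.Request:
    """Build the token request from the Client ID, Client Secret and Tenant ID (TSG ID)."""
    if not (client_id and client_secret and tsg_id):
        raise ValueError("client_id, client_secret and tsg_id are all required")
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}
    ).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(raw, tsg_id: str) -> dict:
    """Validate the token endpoint's JSON reply and confirm it is scoped to our tenant."""
    data = json.loads(raw)
    if "access_token" not in data:
        detail = data.get("error_description") or data.get("error") or data
        raise ValueError(f"token endpoint returned no access_token: {detail}")
    # Some OAuth servers echo the granted scope; if present, it must name our tenant.
    scope = data.get("scope", "")
    if scope and f"tsg_id:{tsg_id}" not in scope.split():
        raise ValueError(f"token is scoped to {scope!r}, not tenant {tsg_id}")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scope": scope,
    }


def api_headers(access_token: str, region: str) -> dict:
    """Headers for later Prisma SASE API calls: bearer token plus the tenant's region."""
    if not region:
        raise ValueError("region (x-panw-region) is required")
    return {"Authorization": f"Bearer {access_token}", "x-panw-region": region}


def check_credentials(client_id, client_secret, tsg_id, region, timeout=15) -> dict:
    """Perform the live check (network access required)."""
    req = build_token_request(client_id, client_secret, tsg_id)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = parse_token_response(resp.read(), tsg_id)
    token["headers"] = api_headers(token["access_token"], region)
    return token


if __name__ == "__main__":
    # Secrets are read from the environment so they never land in shell history.
    result = check_credentials(
        os.environ["PANW_CLIENT_ID"],
        os.environ["PANW_CLIENT_SECRET"],
        os.environ["PANW_TSG_ID"],
        os.environ["PANW_REGION"],
    )
    print(f"token obtained for tenant scope {result['scope'] or '(not echoed)'}; "
          f"expires in {result['expires_in']}s")
```

Run it with `PANW_CLIENT_ID`, `PANW_CLIENT_SECRET`, `PANW_TSG_ID` and `PANW_REGION` exported; a `ValueError` naming the server's `error_description` means the values recorded earlier do not match, and a scope mismatch means the credentials belong to a different tenant than the TSG ID you recorded.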

### Notes and Supported Entities

The connector discovers the following entities and attributes:

#### Palo Alto Applications

The connector discovers the following applications on the Palo Alto Networks platform:

| Application           |
| --------------------- |
| AIOps for NGFW        |
| AIOps for NGFW Free   |
| Cloud Identity Engine |
| Cortex Data Lake      |
| Enterprise DLP        |
| IoT Security          |
| Next-Generation CASB  |
| Prisma Access +NGFW   |
| Prisma SD-WAN         |

#### Palo Alto Networks User

The connector discovers human users and service account users.

| Attribute        | Notes                                                             |
| ---------------- | ----------------------------------------------------------------- |
| `description`    | The optional description of the user (service account only)       |
| `email`          | The user's email address                                          |
| `inherited_from` | The Tenant ID from which the user account is inherited            |
| `tsg_id`         | The Tenant ID on which the user is defined (service account only) |
| `type`           | The type of user (`human` or `service account`)                   |

#### Palo Alto Networks Role

The connector discovers both built-in and custom roles and their permissions.

| Attribute | Notes                                                                  |
| --------- | ---------------------------------------------------------------------- |
| `id`      | The ID of the role on the Palo Alto Networks platform                  |
| `name`    | The human-readable name of the role on the Palo Alto Networks platform |

