Skip to main content

Palo Alto Prisma SASE Integration Guide

Overview

The Palo Alto Prisma SASE integration connects NINA workflows to the platform-management services of Palo Alto Networks' Prisma SASE platform — everything on the unified SASE API except the Prisma Access security configuration (which has its own dedicated integration). It covers 10 resources and 199 operations, generated directly from Palo Alto's official OpenAPI specifications, allowing your workflows to manage identity and access, tenancy, subscriptions, SaaS security posture, aggregate monitoring, service-provider interconnects, notifications, and the Prisma Browser for MSP.

Prisma SASE is Palo Alto's umbrella cloud platform. Prisma Access (the cloud-delivered firewall/ZTNA security product) is one product within it and is handled by the separate Palo Alto Prisma Access integration. This integration covers the surrounding platform services — the "plumbing" that administers the tenant rather than enforcing network security.

Status

The integration covers the shared-host Prisma SASE platform services on api.sase.paloaltonetworks.com:

Supported Resource Categories

  • Identity & Access Management (iam, 23 operations): access policies, custom roles, roles, permissions, permission sets, service accounts (incl. secret reset), and SSO users
  • Tenancy (tenancy, 7 operations): tenant service groups and their ancestor/child hierarchy
  • Subscription (subscription, 3 operations): tenant instances and licenses
  • SaaS Security Posture Management (sspm, 18 operations, read-only): registered apps, catalog, controls, plugins, plugin users, and ticketing-integration lookups
  • Identity Security Posture Management (identitySspm, 21 operations): identity providers, SaaS instances/accounts, MFA activity, CSV reports, and tickets
  • Aggregate Monitoring (aggregateMonitoring, 36 operations): multi-tenant monitoring of alerts, applications, incidents, threats, URLs, service connectivity, locations, and custom dashboards
  • SP Interconnect (spInterconnect, 30 operations): service-provider interconnects, physical connections, IP pools, VLAN attachments, regions, settings, and interconnect monitoring
  • Multi-Tenant Notifications (notifications, 12 operations): notification lists and notification profiles
  • Prisma Browser for MSP (prismaBrowserMsp, 17 operations): browser usage/security reports, summaries, and tenant management
  • Configuration Orchestration (configOrchestration, 32 operations): remote networks, IKE/IPSec crypto profiles, IKE gateways, bandwidth allocations (v1 + v2), and location information

Key Capabilities

  • Schema-driven dispatch: every operation is declaratively described — adding a new operation is a schema-only change as Palo Alto evolves the API
  • Authoritative field documentation: parameter descriptions, enums, and constraints are pulled directly from Palo Alto's OpenAPI specs and surface in the workflow editor as tooltips
  • OAuth2 client-credentials authentication: identical to Prisma Access — stateless, token-cached, mutex-protected for concurrent workers, and refreshed automatically before expiry
  • Query-style monitoring: the monitoring and report surfaces (aggregateMonitoring, prismaBrowserMsp) accept rich filter objects in the request body for time-ranged, multi-tenant queries
  • Action endpoints: non-CRUD verbs such as resetServiceAccount, listAncestorsTenantServiceGroup, and acceptInterconnectsVlanAttachment are first-class operations

Important Notes

  • Distinct from the Prisma Access integration: this integration targets platform/management services, not the Prisma Access security configuration. There is no overlap in operations — use Palo Alto Prisma Access for security rules, objects, and profiles.
  • Shares the same authentication as Prisma Access: the OAuth2 service-account flow and credential fields are identical. A single service account with the right roles can power both integrations, but you configure a separate credential per integration.
  • No folder/container model: unlike Prisma Access (which scopes nearly everything to a folder), these services are not container-scoped. Parameters are passed directly per the API path.
  • TSG-ID scope: every API call is scoped to a single Tenant Service Group (TSG). If your organisation has multiple TSGs, configure separate credentials.
  • Read-heavy surfaces: sspm is entirely read-only, and aggregateMonitoring / prismaBrowserMsp are predominantly reporting queries.

Not Currently Supported

The following Palo Alto SASE surfaces are not part of this integration:

  • Prisma Access configuration (/sse/config/v1/...): handled by the dedicated Palo Alto Prisma Access integration
  • Prisma SaaS (CASB): SaaS application security and DLP — separate product on a separate host (api.aperture.paloaltonetworks.com) with no published OpenAPI
  • Prisma SD-WAN (CloudGenix): software-defined WAN — separate product, separate SDK
  • 5G security services (manage-services-5g, monitor-services-5g): mobile-network security — hosted on a different base URL (stratacloudmanager.paloaltonetworks.com); excluded from v1 and could be added later as a second base URL
  • On-premises PAN-OS / Panorama: handled by the separate Palo Alto integration

For comprehensive information about the Prisma SASE platform APIs, refer to the developer docs at https://pan.dev/sase/docs/.


Credential Configuration

Before using the Palo Alto Prisma SASE integration, configure OAuth2 client-credentials authentication. The flow and fields are identical to the Palo Alto Prisma Access integration.

Authentication Method

Prisma SASE uses OAuth2 client credentials flow scoped to your Tenant Service Group (TSG):

FieldDescriptionExample / Default
Client IDOAuth2 client ID provisioned in the Palo Alto Networks Identity Providerabc12345
Client SecretOAuth2 client secret paired with the Client IDxxxxxxxx... (treat as a password)
TSG IDTenant Service Group ID — the OAuth2 scope (tsg_id:<TSG_ID>)1234567890
Base URLStrata Cloud Manager / SASE API base URLhttps://api.sase.paloaltonetworks.com
Auth Base URLIdentity Provider URL for token requestshttps://auth.apps.paloaltonetworks.com

The integration handles token acquisition, caching (5-minute refresh buffer), and concurrent-worker safety automatically. You never need to manage tokens directly.

Generating Client Credentials

Client credentials are provisioned through the Strata Cloud Manager UI:

  1. Sign in to the Strata Cloud Manager.
  2. Navigate to SettingsIdentity & AccessService Accounts.
  3. Click Add Service Account.
  4. Provide a descriptive name (e.g. "NINA Platform Automation").
  5. Assign roles appropriate to the services your workflows touch (see Required Permissions below).
  6. Click Save. The Client ID and Client Secret are displayed once — copy and store them securely.

Where to find your TSG ID:

  • The TSG ID appears in the SCM URL when you're signed in: https://stratacloudmanager.paloaltonetworks.com/.../tsg/<TSG_ID>/...
  • Alternatively, navigate to SettingsTenant Information

Important Security Notes:

  • Client Secrets are credentials — never commit them to version control or share them in workflow configuration
  • Use dedicated service accounts with the minimum required role assignments
  • Tokens issued by this flow are short-lived (15 minutes) — the integration refreshes them automatically
  • Rotate Client Secrets periodically per your organisation's security policy

Required Permissions

The minimum permissions depend on which services your workflows use:

  • IAM / tenancy / subscription (create, update, delete): tenant-administrator-level roles. Read operations need a read role.
  • SSPM / identity-SSPM: SaaS Security Posture Management access (read; CSV-report and ticket operations require the relevant SSPM role).
  • Aggregate monitoring / notifications / Prisma Browser for MSP: multi-tenant (MSP) monitoring roles — typically only available on partner/multi-tenant tenants.
  • SP interconnect: service-provider interconnect roles — available on service-provider tenants.

If a service is not enabled or licensed on your tenant, calls to its resources return 403/404. This is expected — the integration exposes the full platform surface; your tenant's licensing determines which parts respond.

Creating a Palo Alto Prisma SASE Credential in NINA

  1. Navigate to the Credentials section in NINA
  2. Click Add New Credential
  3. Fill in the credential details:
    • Name: A descriptive name (e.g. "Prisma SASE Platform")
    • Description: Optional details about the credential's purpose
    • Integration Service: Select "Palo Alto Prisma SASE"
    • Auth Type: "Service Account (OAuth2)" (only option available)
    • Client ID: Paste your Client ID
    • Client Secret: Paste your Client Secret
    • TSG ID: Paste your Tenant Service Group ID
    • Base URL and Auth Base URL: leave as default unless your tenant runs in a regional cloud
  4. Click Test Connection to verify credentials (this performs a token exchange)
  5. Click Save to store the credential

Supported Resources and Operations

The full operation matrix is generated from the Palo Alto OpenAPI specs and includes 10 resources × 199 operations. Operation keys are camelCase; CRUD resources follow a list/create/get/update/delete shape, while monitoring and report surfaces use descriptive query keys.

Identity & Access Management (iam)

OperationMethodPath stem
listAccessPolicies, createAccessPolicy, getAccessPolicy, deleteAccessPolicyGET/POST/GET/DELETE/iam/v1/access_policies
listCustomRoles, createCustomRole, getCustomRole, updateCustomRole, deleteCustomRoleCRUD/iam/v1/custom_roles
listRoles, getRoleGET/iam/v1/roles
listPermissions, getPermissionGET/iam/v1/permissions
listPermissionSets, getPermissionSetGET/iam/v1/permission_sets
listServiceAccounts, createServiceAccount, getServiceAccount, updateServiceAccount, deleteServiceAccount, resetServiceAccountCRUD + action/iam/v1/service_accounts
listSsoUsers, createSsoUserGET/POST/iam/v1/sso_users

Tenancy (tenancy)

OperationMethodPath stem
listTenantServiceGroups, createTenantServiceGroup, getTenantServiceGroup, updateTenantServiceGroup, deleteTenantServiceGroupCRUD/tenancy/v1/tenant_service_groups
listAncestorsTenantServiceGroup, listChildrenTenantServiceGroupPOST/tenancy/v1/tenant_service_groups/{tsg_id}/operations/...

Subscription (subscription)

OperationMethodPath stem
listInstances, createInstanceGET/POST/subscription/v1/instances
listLicensesGET/subscription/v1/licenses

SaaS Security Posture Management (sspm, read-only)

OperationPath stem
listApps, getApp, configsApp, settingsApp/sspm/api/v1/apps
listCatalogApps, getCatalogApp, configsCatalogApp, scopesCatalogApp, getCatalogControl/sspm/api/v1/catalog/...
listPlugins, getPlugin, listPluginsClassificationAggregates/sspm/api/v1/plugins
listPluginUsers, pluginsPluginUser/sspm/api/v1/plugin-users
getIntegrationIntegrationsIssue, getIntegrationIntegrationsProject, projectsIntegrationIntegration, infoAuth/sspm/api/v1/integration/..., /sspm/api/v1/auth/...

Identity Security Posture Management (identitySspm)

OperationPath stem
listIdps, createIdp, featureStateIdp, getAccountsLogoutIdp, createAccountsLogoutIdp/sspm/identity/v1/idps
idpAccountsCountIdp, idpAccountsCsvReportIdp/sspm/identity/v1/idps/{idpId}/idp_accounts
mfaActivityIdp, mfaActivityCountIdp, mfaActivityCountByAppTypeIdp, mfaActivityCsvReportIdp/sspm/identity/v1/idps/{idpId}/mfa_activity
listSaasInstances, saasAccountsSaasInstance, saasAccountsCountSaasInstance, saasAccountsCsvReportSaasInstance, saasActivitySaasInstance/sspm/identity/v1/saas_instances
getTickets, createTickets, deleteTickets, issuesTicket/sspm/identity/v1/{saasInstanceId}/tickets
getCatalog/sspm/identity/v1/catalog/{appType}

Aggregate Monitoring (aggregateMonitoring, query-style)

Multi-tenant monitoring. Most operations are POST with a filter object in the body (time range, tenant scope, paging).

Operation groupExamplesPath stem
Alertsalerts, alertsList/mt/monitor/v1/agg/alerts
Applicationsapplications, applicationsList, applicationsSource, applicationsSummary, applicationUsage/mt/monitor/v1/agg/applications
IncidentsincidentsCount, incidentsList, incidentsImpactedList, incidentsTenants, incidentsTrends/mt/monitor/v1/agg/incidents
Threatsthreats, threatsList, threatsSource, threatsSummary/mt/monitor/v1/agg/threats
URLsurlSummary, urlLogs/mt/monitor/v1/agg/url
Service connectivityserviceConnectivity, serviceConnectivityCdlStatus, serviceConnectivityGatewayStatus, serviceConnectivityTopOutliers, serviceConnectivityUniqueUsers, serviceConnectivityLicenseAllocated/mt/monitor/v1/agg/serviceConnectivity
Locations / tenantslocationList, locationsTenants, locationsUsers/mt/monitor/v1/agg/location*
Custom dashboardscustomAppMonitorApplications, customLicenseUtilization, customTenantHierarchy, …/mt/monitor/v1/agg/custom/...

SP Interconnect (spInterconnect)

Operation groupExamplesPath stem
InterconnectslistInterconnects, createInterconnect, getInterconnect, deleteInterconnect/mt/sp-interconnect/interconnects
Physical connectionslistInterconnectsPhysicalConnections, createInterconnectsPhysicalConnection, getInterconnectsPhysicalConnection, deleteInterconnectsPhysicalConnection/mt/sp-interconnect/interconnects/physical-connections
IP poolsgetIpPoolInterconnect, createIpPoolInterconnect, updateIpPoolInterconnect, deleteIpPoolInterconnect/mt/sp-interconnect/interconnects/{id}/ip-pool
VLAN attachmentsgetVlanAttachmentsInterconnect, createVlanAttachmentsInterconnect, getInterconnectsVlanAttachment, deleteInterconnectsVlanAttachment, acceptInterconnectsVlanAttachment, logsInterconnectsVlanAttachment/mt/sp-interconnect/interconnects/{id}/vlan-attachments
Regions / settingslistRegions, listRegionsPhysicalConnections, listSettings, createSetting/mt/sp-interconnect/regions, /mt/sp-interconnect/settings
MonitoringcreateInterconnectsThroughput, createInterconnectsTraffic, createVlanAttachmentsLatency, createVlanAttachmentsStat, listIpPoolUsage/mt/sp-interconnect/monitor/...

Multi-Tenant Notifications (notifications)

OperationPath stem
createList, createListCount, createListState, getListState/api/cloud/2.0/agg/notifications/list
listProfiles, createProfile, getProfile, deleteProfile, updateProfilesOpstate, createProfilesRetryOp, createProfilesWebhookTest, listProfilesTypes/api/cloud/2.0/agg/notifications/profiles

Prisma Browser for MSP (prismaBrowserMsp, query-style)

Operation groupExamplesPath stem
ReportsreportCount, reportMalwareBlocked, reportMaliciousWebsite, reportWebsiteBlocked, reportWebsiteCategory, reportExtensionBlocked, reportExtensionCategory, reportMalwareWebsite/mt/pab/report/...
Summariessummary, summaryCie, summaryTenants/mt/pab/summary
Tenanttenant, tenantAuthProfile, tenantDirectories, tenantLicenses, tenantRegion, tenantUserGroup/mt/pab/tenant/...

Configuration Orchestration (configOrchestration)

Operation groupExamplesPath stem
Remote networkslistRemoteNetworks, createRemoteNetwork, updateRemoteNetwork, deleteRemoteNetworks, listRemoteNetworksRead/v1/remote-networks
Bandwidth allocationslistBandwidthAllocations, createBandwidthAllocation, listBandwidthAllocationsV2, createBandwidthAllocationV2/v1/bandwidth-allocations, /v2/bandwidth-allocations
IKE/IPSec cryptolistIkeCryptoProfiles, createIkeCryptoProfile, listIpsecCryptoProfiles, createIpsecCryptoProfile/v1/ike-crypto-profiles, /v1/ipsec-crypto-profiles
Read variantslistIkeGatewaysRead, createIkeGatewaysRead, createRemoteNetworksRead/v1/*-read
Location infolistLocationInformations, createLocationInformation/v1/location-informations

The *-read operations are read-oriented endpoints exposed by the Configuration Orchestration API (they accept query parameters via POST). Prefer them for retrieval-only flows where the API documents a -read companion.


Examples

Example: List IAM Service Accounts

{
"resource": "iam",
"operation": "listServiceAccounts",
"parameters": {}
}

Example: Reset a Service Account's Secret

{
"resource": "iam",
"operation": "resetServiceAccount",
"parameters": {
"id": "svc-acct-12345"
}
}

Example: Get a Tenant Service Group

{
"resource": "tenancy",
"operation": "getTenantServiceGroup",
"parameters": {
"tsg_id": "1234567890"
}
}

Example: List Tenant Licenses

{
"resource": "subscription",
"operation": "listLicenses",
"parameters": {}
}

Example: Query Aggregate Threats (multi-tenant)

{
"resource": "aggregateMonitoring",
"operation": "threatsList",
"parameters": {
"start_time": "2026-06-01T00:00:00Z",
"end_time": "2026-06-18T00:00:00Z",
"tenants": ["tenant-a", "tenant-b"],
"limit": 100
}
}

Example: List SSPM Registered Apps

{
"resource": "sspm",
"operation": "listApps",
"parameters": {}
}

Example: Create a Notification Profile

{
"resource": "notifications",
"operation": "createProfile",
"parameters": {
"name": "SOC Webhook",
"type": "webhook",
"webhook_url": "https://soc.example.com/hooks/prisma"
}
}

Integration in Workflow Context

Prisma SASE platform services are most useful for governance, reporting, and tenant lifecycle automation.

Common Workflow Patterns

  1. Access review automation: Schedule Node → Prisma SASE (iam.listServiceAccounts, iam.listAccessPolicies) → Script Node (format) → SharePoint Node (upload review)
  2. Compromised service-account response: Alert → Prisma SASE (iam.resetServiceAccount) → Ticket Node → Slack notify
  3. Multi-tenant threat reporting (MSP): Schedule Node → Prisma SASE (aggregateMonitoring.threatsList, aggregateMonitoring.incidentsTrends) → Script Node → Email Node
  4. SaaS posture monitoring: Schedule Node → Prisma SASE (sspm.listApps, identitySspm.mfaActivityIdp) → Script Node (flag risky apps) → Ticket Node
  5. Tenant onboarding: Provisioning Trigger → Prisma SASE (tenancy.createTenantServiceGroup) → Prisma SASE (subscription.createInstance) → Document Node (record)
  6. Notification fan-out: Incident → Prisma SASE (notifications.createProfile / notifications.createList) → downstream notify

Best Practices

  1. Use a dedicated service account with the minimum roles for the services your workflows touch — easier to revoke and audit.
  2. Rotate Client Secrets periodically. The integration's token cache means rotation is safe at any time — workflows pick up the new secret on next token refresh.
  3. Expect licensing-gated 403/404s: the integration exposes the full platform surface. If a service isn't licensed on your tenant, its operations return errors — that's expected, not a bug.
  4. Prefer read/-read operations for reporting flows to avoid accidental state changes.
  5. Page through large monitoring queries using the API's limit/offset (or cursor) fields in the request body.
  6. Scope monitoring queries with time ranges: aggregate-monitoring queries over wide windows are expensive; constrain start_time/end_time.
  7. Handle 4xx errors gracefully: the SASE APIs return detailed error messages in the response body. Capture and log them.
  8. Share one service account across Access + SASE where appropriate, but keep separate NINA credentials per integration for clarity and least privilege.

Troubleshooting

IssueResolution
token fetch failed: status=401Client ID or Client Secret is incorrect, or the secret has been rotated. Regenerate the credential in SCM and update the NINA credential.
token fetch failed: status=403The service account lacks an active role assignment on the TSG. Check Settings → Identity & Access in SCM.
API error [403] on a resourceThe service account is authenticated but lacks the role for that service, or the service isn't licensed on the tenant.
API error [404]The object doesn't exist, or the service/endpoint isn't available on your tenant (e.g. MSP/interconnect surfaces on a non-partner tenant).
unsupported resource: <name>The resource key doesn't match a registered resource. Valid keys: iam, tenancy, subscription, sspm, identitySspm, aggregateMonitoring, spInterconnect, notifications, prismaBrowserMsp, configOrchestration.
unsupported operation: <res>.<op>The operation key isn't defined for that resource. Check the operation tables in this guide.
<param> is requiredA required path placeholder (e.g. tsg_id, id, idpId, saasInstanceId) was not provided.
received empty response from APIA non-DELETE call returned 200 with no body — usually a transient service issue; retry.

Common Error Messages

Error MessageMeaningSolution
clientId is requiredValidation failed before any HTTP callProvide all three required credential fields (clientId, clientSecret, tsgId)
token fetch failed: status=401 body=invalid_clientClient ID/Secret pair is rejected by the IdPVerify the credentials in SCM, regenerate the secret if unsure
failed to obtain access tokenToken endpoint not reachableCheck connectivity to auth.apps.paloaltonetworks.com and any corporate proxy settings

Authentication & Token Lifecycle

The integration handles the OAuth2 client-credentials lifecycle transparently (identical to Prisma Access):

  1. On the first API call, the integration calls POST {authBaseUrl}/oauth2/access_token with HTTP Basic auth (clientId:clientSecret) and form body grant_type=client_credentials&scope=tsg_id:<TSG>.
  2. The IdP returns an access_token (JWT, ~15-minute lifetime) and expires_in.
  3. The token is cached on the integration instance, protected by a mutex for concurrent worker safety.
  4. Subsequent API calls reuse the cached token until 5 minutes before expiry, at which point it's automatically refreshed.
  5. The token is sent as Authorization: Bearer <token> on every SASE API request.

Test Connection performs only the token exchange, so it validates credentials without depending on any particular service being licensed.


Additional Resources


Support

If you encounter issues with the Palo Alto Prisma SASE integration, please contact our support team with:

  • The operation you were attempting (resource and operation key)
  • Any error messages received from the API (full response body)
  • The TSG ID (do not share Client ID or Client Secret)
  • Whether the issue reproduces on every call or intermittently
  • The workflow context where the issue occurred

This information will help us provide faster and more accurate assistance.

Updated: 2026-06-18