Palo Alto Prisma SASE Integration Guide
Overview
The Palo Alto Prisma SASE integration connects NINA workflows to the platform-management services of Palo Alto Networks' Prisma SASE platform — everything on the unified SASE API except the Prisma Access security configuration (which has its own dedicated integration). It covers 10 resources and 199 operations, generated directly from Palo Alto's official OpenAPI specifications, allowing your workflows to manage identity and access, tenancy, subscriptions, SaaS security posture, aggregate monitoring, service-provider interconnects, notifications, and the Prisma Browser for MSP.
Prisma SASE is Palo Alto's umbrella cloud platform. Prisma Access (the cloud-delivered firewall/ZTNA security product) is one product within it and is handled by the separate Palo Alto Prisma Access integration. This integration covers the surrounding platform services — the "plumbing" that administers the tenant rather than enforcing network security.
Status
The integration covers the shared-host Prisma SASE platform services on api.sase.paloaltonetworks.com:
Supported Resource Categories
- Identity & Access Management (
iam, 23 operations): access policies, custom roles, roles, permissions, permission sets, service accounts (incl. secret reset), and SSO users - Tenancy (
tenancy, 7 operations): tenant service groups and their ancestor/child hierarchy - Subscription (
subscription, 3 operations): tenant instances and licenses - SaaS Security Posture Management (
sspm, 18 operations, read-only): registered apps, catalog, controls, plugins, plugin users, and ticketing-integration lookups - Identity Security Posture Management (
identitySspm, 21 operations): identity providers, SaaS instances/accounts, MFA activity, CSV reports, and tickets - Aggregate Monitoring (
aggregateMonitoring, 36 operations): multi-tenant monitoring of alerts, applications, incidents, threats, URLs, service connectivity, locations, and custom dashboards - SP Interconnect (
spInterconnect, 30 operations): service-provider interconnects, physical connections, IP pools, VLAN attachments, regions, settings, and interconnect monitoring - Multi-Tenant Notifications (
notifications, 12 operations): notification lists and notification profiles - Prisma Browser for MSP (
prismaBrowserMsp, 17 operations): browser usage/security reports, summaries, and tenant management - Configuration Orchestration (
configOrchestration, 32 operations): remote networks, IKE/IPSec crypto profiles, IKE gateways, bandwidth allocations (v1 + v2), and location information
Key Capabilities
- Schema-driven dispatch: every operation is declaratively described — adding a new operation is a schema-only change as Palo Alto evolves the API
- Authoritative field documentation: parameter descriptions, enums, and constraints are pulled directly from Palo Alto's OpenAPI specs and surface in the workflow editor as tooltips
- OAuth2 client-credentials authentication: identical to Prisma Access — stateless, token-cached, mutex-protected for concurrent workers, and refreshed automatically before expiry
- Query-style monitoring: the monitoring and report surfaces (
aggregateMonitoring,prismaBrowserMsp) accept rich filter objects in the request body for time-ranged, multi-tenant queries - Action endpoints: non-CRUD verbs such as
resetServiceAccount,listAncestorsTenantServiceGroup, andacceptInterconnectsVlanAttachmentare first-class operations
Important Notes
- Distinct from the Prisma Access integration: this integration targets platform/management services, not the Prisma Access security configuration. There is no overlap in operations — use Palo Alto Prisma Access for security rules, objects, and profiles.
- Shares the same authentication as Prisma Access: the OAuth2 service-account flow and credential fields are identical. A single service account with the right roles can power both integrations, but you configure a separate credential per integration.
- No folder/container model: unlike Prisma Access (which scopes nearly everything to a
folder), these services are not container-scoped. Parameters are passed directly per the API path. - TSG-ID scope: every API call is scoped to a single Tenant Service Group (TSG). If your organisation has multiple TSGs, configure separate credentials.
- Read-heavy surfaces:
sspmis entirely read-only, andaggregateMonitoring/prismaBrowserMspare predominantly reporting queries.
Not Currently Supported
The following Palo Alto SASE surfaces are not part of this integration:
- Prisma Access configuration (
/sse/config/v1/...): handled by the dedicated Palo Alto Prisma Access integration - Prisma SaaS (CASB): SaaS application security and DLP — separate product on a separate host (
api.aperture.paloaltonetworks.com) with no published OpenAPI - Prisma SD-WAN (CloudGenix): software-defined WAN — separate product, separate SDK
- 5G security services (
manage-services-5g,monitor-services-5g): mobile-network security — hosted on a different base URL (stratacloudmanager.paloaltonetworks.com); excluded from v1 and could be added later as a second base URL - On-premises PAN-OS / Panorama: handled by the separate Palo Alto integration
For comprehensive information about the Prisma SASE platform APIs, refer to the developer docs at https://pan.dev/sase/docs/.
Credential Configuration
Before using the Palo Alto Prisma SASE integration, configure OAuth2 client-credentials authentication. The flow and fields are identical to the Palo Alto Prisma Access integration.
Authentication Method
Prisma SASE uses OAuth2 client credentials flow scoped to your Tenant Service Group (TSG):
| Field | Description | Example / Default |
|---|---|---|
| Client ID | OAuth2 client ID provisioned in the Palo Alto Networks Identity Provider | abc12345 |
| Client Secret | OAuth2 client secret paired with the Client ID | xxxxxxxx... (treat as a password) |
| TSG ID | Tenant Service Group ID — the OAuth2 scope (tsg_id:<TSG_ID>) | 1234567890 |
| Base URL | Strata Cloud Manager / SASE API base URL | https://api.sase.paloaltonetworks.com |
| Auth Base URL | Identity Provider URL for token requests | https://auth.apps.paloaltonetworks.com |
The integration handles token acquisition, caching (5-minute refresh buffer), and concurrent-worker safety automatically. You never need to manage tokens directly.
Generating Client Credentials
Client credentials are provisioned through the Strata Cloud Manager UI:
- Sign in to the Strata Cloud Manager.
- Navigate to Settings → Identity & Access → Service Accounts.
- Click Add Service Account.
- Provide a descriptive name (e.g. "NINA Platform Automation").
- Assign roles appropriate to the services your workflows touch (see Required Permissions below).
- Click Save. The Client ID and Client Secret are displayed once — copy and store them securely.
Where to find your TSG ID:
- The TSG ID appears in the SCM URL when you're signed in:
https://stratacloudmanager.paloaltonetworks.com/.../tsg/<TSG_ID>/... - Alternatively, navigate to Settings → Tenant Information
Important Security Notes:
- Client Secrets are credentials — never commit them to version control or share them in workflow configuration
- Use dedicated service accounts with the minimum required role assignments
- Tokens issued by this flow are short-lived (15 minutes) — the integration refreshes them automatically
- Rotate Client Secrets periodically per your organisation's security policy
Required Permissions
The minimum permissions depend on which services your workflows use:
- IAM / tenancy / subscription (create, update, delete): tenant-administrator-level roles. Read operations need a read role.
- SSPM / identity-SSPM: SaaS Security Posture Management access (read; CSV-report and ticket operations require the relevant SSPM role).
- Aggregate monitoring / notifications / Prisma Browser for MSP: multi-tenant (MSP) monitoring roles — typically only available on partner/multi-tenant tenants.
- SP interconnect: service-provider interconnect roles — available on service-provider tenants.
If a service is not enabled or licensed on your tenant, calls to its resources return
403/404. This is expected — the integration exposes the full platform surface; your tenant's licensing determines which parts respond.
Creating a Palo Alto Prisma SASE Credential in NINA
- Navigate to the Credentials section in NINA
- Click Add New Credential
- Fill in the credential details:
- Name: A descriptive name (e.g. "Prisma SASE Platform")
- Description: Optional details about the credential's purpose
- Integration Service: Select "Palo Alto Prisma SASE"
- Auth Type: "Service Account (OAuth2)" (only option available)
- Client ID: Paste your Client ID
- Client Secret: Paste your Client Secret
- TSG ID: Paste your Tenant Service Group ID
- Base URL and Auth Base URL: leave as default unless your tenant runs in a regional cloud
- Click Test Connection to verify credentials (this performs a token exchange)
- Click Save to store the credential
Supported Resources and Operations
The full operation matrix is generated from the Palo Alto OpenAPI specs and includes 10 resources × 199 operations. Operation keys are camelCase; CRUD resources follow a list/create/get/update/delete shape, while monitoring and report surfaces use descriptive query keys.
Identity & Access Management (iam)
| Operation | Method | Path stem |
|---|---|---|
listAccessPolicies, createAccessPolicy, getAccessPolicy, deleteAccessPolicy | GET/POST/GET/DELETE | /iam/v1/access_policies |
listCustomRoles, createCustomRole, getCustomRole, updateCustomRole, deleteCustomRole | CRUD | /iam/v1/custom_roles |
listRoles, getRole | GET | /iam/v1/roles |
listPermissions, getPermission | GET | /iam/v1/permissions |
listPermissionSets, getPermissionSet | GET | /iam/v1/permission_sets |
listServiceAccounts, createServiceAccount, getServiceAccount, updateServiceAccount, deleteServiceAccount, resetServiceAccount | CRUD + action | /iam/v1/service_accounts |
listSsoUsers, createSsoUser | GET/POST | /iam/v1/sso_users |
Tenancy (tenancy)
| Operation | Method | Path stem |
|---|---|---|
listTenantServiceGroups, createTenantServiceGroup, getTenantServiceGroup, updateTenantServiceGroup, deleteTenantServiceGroup | CRUD | /tenancy/v1/tenant_service_groups |
listAncestorsTenantServiceGroup, listChildrenTenantServiceGroup | POST | /tenancy/v1/tenant_service_groups/{tsg_id}/operations/... |
Subscription (subscription)
| Operation | Method | Path stem |
|---|---|---|
listInstances, createInstance | GET/POST | /subscription/v1/instances |
listLicenses | GET | /subscription/v1/licenses |
SaaS Security Posture Management (sspm, read-only)
| Operation | Path stem |
|---|---|
listApps, getApp, configsApp, settingsApp | /sspm/api/v1/apps |
listCatalogApps, getCatalogApp, configsCatalogApp, scopesCatalogApp, getCatalogControl | /sspm/api/v1/catalog/... |
listPlugins, getPlugin, listPluginsClassificationAggregates | /sspm/api/v1/plugins |
listPluginUsers, pluginsPluginUser | /sspm/api/v1/plugin-users |
getIntegrationIntegrationsIssue, getIntegrationIntegrationsProject, projectsIntegrationIntegration, infoAuth | /sspm/api/v1/integration/..., /sspm/api/v1/auth/... |
Identity Security Posture Management (identitySspm)
| Operation | Path stem |
|---|---|
listIdps, createIdp, featureStateIdp, getAccountsLogoutIdp, createAccountsLogoutIdp | /sspm/identity/v1/idps |
idpAccountsCountIdp, idpAccountsCsvReportIdp | /sspm/identity/v1/idps/{idpId}/idp_accounts |
mfaActivityIdp, mfaActivityCountIdp, mfaActivityCountByAppTypeIdp, mfaActivityCsvReportIdp | /sspm/identity/v1/idps/{idpId}/mfa_activity |
listSaasInstances, saasAccountsSaasInstance, saasAccountsCountSaasInstance, saasAccountsCsvReportSaasInstance, saasActivitySaasInstance | /sspm/identity/v1/saas_instances |
getTickets, createTickets, deleteTickets, issuesTicket | /sspm/identity/v1/{saasInstanceId}/tickets |
getCatalog | /sspm/identity/v1/catalog/{appType} |
Aggregate Monitoring (aggregateMonitoring, query-style)
Multi-tenant monitoring. Most operations are POST with a filter object in the body (time range, tenant scope, paging).
| Operation group | Examples | Path stem |
|---|---|---|
| Alerts | alerts, alertsList | /mt/monitor/v1/agg/alerts |
| Applications | applications, applicationsList, applicationsSource, applicationsSummary, applicationUsage | /mt/monitor/v1/agg/applications |
| Incidents | incidentsCount, incidentsList, incidentsImpactedList, incidentsTenants, incidentsTrends | /mt/monitor/v1/agg/incidents |
| Threats | threats, threatsList, threatsSource, threatsSummary | /mt/monitor/v1/agg/threats |
| URLs | urlSummary, urlLogs | /mt/monitor/v1/agg/url |
| Service connectivity | serviceConnectivity, serviceConnectivityCdlStatus, serviceConnectivityGatewayStatus, serviceConnectivityTopOutliers, serviceConnectivityUniqueUsers, serviceConnectivityLicenseAllocated | /mt/monitor/v1/agg/serviceConnectivity |
| Locations / tenants | locationList, locationsTenants, locationsUsers | /mt/monitor/v1/agg/location* |
| Custom dashboards | customAppMonitorApplications, customLicenseUtilization, customTenantHierarchy, … | /mt/monitor/v1/agg/custom/... |
SP Interconnect (spInterconnect)
| Operation group | Examples | Path stem |
|---|---|---|
| Interconnects | listInterconnects, createInterconnect, getInterconnect, deleteInterconnect | /mt/sp-interconnect/interconnects |
| Physical connections | listInterconnectsPhysicalConnections, createInterconnectsPhysicalConnection, getInterconnectsPhysicalConnection, deleteInterconnectsPhysicalConnection | /mt/sp-interconnect/interconnects/physical-connections |
| IP pools | getIpPoolInterconnect, createIpPoolInterconnect, updateIpPoolInterconnect, deleteIpPoolInterconnect | /mt/sp-interconnect/interconnects/{id}/ip-pool |
| VLAN attachments | getVlanAttachmentsInterconnect, createVlanAttachmentsInterconnect, getInterconnectsVlanAttachment, deleteInterconnectsVlanAttachment, acceptInterconnectsVlanAttachment, logsInterconnectsVlanAttachment | /mt/sp-interconnect/interconnects/{id}/vlan-attachments |
| Regions / settings | listRegions, listRegionsPhysicalConnections, listSettings, createSetting | /mt/sp-interconnect/regions, /mt/sp-interconnect/settings |
| Monitoring | createInterconnectsThroughput, createInterconnectsTraffic, createVlanAttachmentsLatency, createVlanAttachmentsStat, listIpPoolUsage | /mt/sp-interconnect/monitor/... |
Multi-Tenant Notifications (notifications)
| Operation | Path stem |
|---|---|
createList, createListCount, createListState, getListState | /api/cloud/2.0/agg/notifications/list |
listProfiles, createProfile, getProfile, deleteProfile, updateProfilesOpstate, createProfilesRetryOp, createProfilesWebhookTest, listProfilesTypes | /api/cloud/2.0/agg/notifications/profiles |
Prisma Browser for MSP (prismaBrowserMsp, query-style)
| Operation group | Examples | Path stem |
|---|---|---|
| Reports | reportCount, reportMalwareBlocked, reportMaliciousWebsite, reportWebsiteBlocked, reportWebsiteCategory, reportExtensionBlocked, reportExtensionCategory, reportMalwareWebsite | /mt/pab/report/... |
| Summaries | summary, summaryCie, summaryTenants | /mt/pab/summary |
| Tenant | tenant, tenantAuthProfile, tenantDirectories, tenantLicenses, tenantRegion, tenantUserGroup | /mt/pab/tenant/... |
Configuration Orchestration (configOrchestration)
| Operation group | Examples | Path stem |
|---|---|---|
| Remote networks | listRemoteNetworks, createRemoteNetwork, updateRemoteNetwork, deleteRemoteNetworks, listRemoteNetworksRead | /v1/remote-networks |
| Bandwidth allocations | listBandwidthAllocations, createBandwidthAllocation, listBandwidthAllocationsV2, createBandwidthAllocationV2 | /v1/bandwidth-allocations, /v2/bandwidth-allocations |
| IKE/IPSec crypto | listIkeCryptoProfiles, createIkeCryptoProfile, listIpsecCryptoProfiles, createIpsecCryptoProfile | /v1/ike-crypto-profiles, /v1/ipsec-crypto-profiles |
| Read variants | listIkeGatewaysRead, createIkeGatewaysRead, createRemoteNetworksRead | /v1/*-read |
| Location info | listLocationInformations, createLocationInformation | /v1/location-informations |
The
*-readoperations are read-oriented endpoints exposed by the Configuration Orchestration API (they accept query parameters viaPOST). Prefer them for retrieval-only flows where the API documents a-readcompanion.
Examples
Example: List IAM Service Accounts
{
"resource": "iam",
"operation": "listServiceAccounts",
"parameters": {}
}
Example: Reset a Service Account's Secret
{
"resource": "iam",
"operation": "resetServiceAccount",
"parameters": {
"id": "svc-acct-12345"
}
}
Example: Get a Tenant Service Group
{
"resource": "tenancy",
"operation": "getTenantServiceGroup",
"parameters": {
"tsg_id": "1234567890"
}
}
Example: List Tenant Licenses
{
"resource": "subscription",
"operation": "listLicenses",
"parameters": {}
}
Example: Query Aggregate Threats (multi-tenant)
{
"resource": "aggregateMonitoring",
"operation": "threatsList",
"parameters": {
"start_time": "2026-06-01T00:00:00Z",
"end_time": "2026-06-18T00:00:00Z",
"tenants": ["tenant-a", "tenant-b"],
"limit": 100
}
}
Example: List SSPM Registered Apps
{
"resource": "sspm",
"operation": "listApps",
"parameters": {}
}
Example: Create a Notification Profile
{
"resource": "notifications",
"operation": "createProfile",
"parameters": {
"name": "SOC Webhook",
"type": "webhook",
"webhook_url": "https://soc.example.com/hooks/prisma"
}
}
Integration in Workflow Context
Prisma SASE platform services are most useful for governance, reporting, and tenant lifecycle automation.
Common Workflow Patterns
- Access review automation: Schedule Node → Prisma SASE (
iam.listServiceAccounts,iam.listAccessPolicies) → Script Node (format) → SharePoint Node (upload review) - Compromised service-account response: Alert → Prisma SASE (
iam.resetServiceAccount) → Ticket Node → Slack notify - Multi-tenant threat reporting (MSP): Schedule Node → Prisma SASE (
aggregateMonitoring.threatsList,aggregateMonitoring.incidentsTrends) → Script Node → Email Node - SaaS posture monitoring: Schedule Node → Prisma SASE (
sspm.listApps,identitySspm.mfaActivityIdp) → Script Node (flag risky apps) → Ticket Node - Tenant onboarding: Provisioning Trigger → Prisma SASE (
tenancy.createTenantServiceGroup) → Prisma SASE (subscription.createInstance) → Document Node (record) - Notification fan-out: Incident → Prisma SASE (
notifications.createProfile/notifications.createList) → downstream notify
Best Practices
- Use a dedicated service account with the minimum roles for the services your workflows touch — easier to revoke and audit.
- Rotate Client Secrets periodically. The integration's token cache means rotation is safe at any time — workflows pick up the new secret on next token refresh.
- Expect licensing-gated 403/404s: the integration exposes the full platform surface. If a service isn't licensed on your tenant, its operations return errors — that's expected, not a bug.
- Prefer read/
-readoperations for reporting flows to avoid accidental state changes. - Page through large monitoring queries using the API's
limit/offset(or cursor) fields in the request body. - Scope monitoring queries with time ranges: aggregate-monitoring queries over wide windows are expensive; constrain
start_time/end_time. - Handle 4xx errors gracefully: the SASE APIs return detailed error messages in the response body. Capture and log them.
- Share one service account across Access + SASE where appropriate, but keep separate NINA credentials per integration for clarity and least privilege.
Troubleshooting
| Issue | Resolution |
|---|---|
token fetch failed: status=401 | Client ID or Client Secret is incorrect, or the secret has been rotated. Regenerate the credential in SCM and update the NINA credential. |
token fetch failed: status=403 | The service account lacks an active role assignment on the TSG. Check Settings → Identity & Access in SCM. |
API error [403] on a resource | The service account is authenticated but lacks the role for that service, or the service isn't licensed on the tenant. |
API error [404] | The object doesn't exist, or the service/endpoint isn't available on your tenant (e.g. MSP/interconnect surfaces on a non-partner tenant). |
unsupported resource: <name> | The resource key doesn't match a registered resource. Valid keys: iam, tenancy, subscription, sspm, identitySspm, aggregateMonitoring, spInterconnect, notifications, prismaBrowserMsp, configOrchestration. |
unsupported operation: <res>.<op> | The operation key isn't defined for that resource. Check the operation tables in this guide. |
<param> is required | A required path placeholder (e.g. tsg_id, id, idpId, saasInstanceId) was not provided. |
received empty response from API | A non-DELETE call returned 200 with no body — usually a transient service issue; retry. |
Common Error Messages
| Error Message | Meaning | Solution |
|---|---|---|
clientId is required | Validation failed before any HTTP call | Provide all three required credential fields (clientId, clientSecret, tsgId) |
token fetch failed: status=401 body=invalid_client | Client ID/Secret pair is rejected by the IdP | Verify the credentials in SCM, regenerate the secret if unsure |
failed to obtain access token | Token endpoint not reachable | Check connectivity to auth.apps.paloaltonetworks.com and any corporate proxy settings |
Authentication & Token Lifecycle
The integration handles the OAuth2 client-credentials lifecycle transparently (identical to Prisma Access):
- On the first API call, the integration calls
POST {authBaseUrl}/oauth2/access_tokenwith HTTP Basic auth (clientId:clientSecret) and form bodygrant_type=client_credentials&scope=tsg_id:<TSG>. - The IdP returns an
access_token(JWT, ~15-minute lifetime) andexpires_in. - The token is cached on the integration instance, protected by a mutex for concurrent worker safety.
- Subsequent API calls reuse the cached token until 5 minutes before expiry, at which point it's automatically refreshed.
- The token is sent as
Authorization: Bearer <token>on every SASE API request.
Test Connection performs only the token exchange, so it validates credentials without depending on any particular service being licensed.
Additional Resources
- Prisma SASE platform API docs: https://pan.dev/sase/docs/
- OAuth2 Access Tokens: https://pan.dev/sase/docs/access-tokens/
- Strata Cloud Manager UI: https://stratacloudmanager.paloaltonetworks.com/
- OpenAPI specs (source of this integration's schema): https://github.com/PaloAltoNetworks/pan.dev/tree/master/openapi-specs/sase
- Companion integration: Palo Alto Prisma Access — for the Prisma Access security configuration surface
Support
If you encounter issues with the Palo Alto Prisma SASE integration, please contact our support team with:
- The operation you were attempting (resource and operation key)
- Any error messages received from the API (full response body)
- The TSG ID (do not share Client ID or Client Secret)
- Whether the issue reproduces on every call or intermittently
- The workflow context where the issue occurred
This information will help us provide faster and more accurate assistance.
Updated: 2026-06-18