Install, Manage, and Uninstall the Prisma Access Agent (Linux)

Learn how to manually install and uninstall the Prisma Access Agent on a Linux device.
If your administrator did not deploy the Prisma Access Agent to your Linux device, you can install it manually. The Prisma Access Agent installation package uses the portable AppImage format that eliminates dependency conflicts and works across different Linux configurations without requiring package manager modifications. The Prisma Access Agent Linux AppImage encapsulates all agent components and their dependencies as a read-only squashfs file system image that mounts upon execution, ensuring consistent deployment.
This procedure outlines how to install, verify, upgrade, and uninstall the Prisma Access Agent on a supported Linux distribution.

Install the Prisma Access Agent on Linux

Complete the following steps to manually install the Prisma Access Agent on your Linux device.
Before you begin, complete the relevant preinstall tasks for Prisma Access Agents on Linux.
  1. (All supported Linux distributions except NixOS) Download and install the Prisma Access Agent:
    1. Download the Prisma Access Agent package from your designated download location (provided by your administrator). The package name is in the following format:
      PrismaAccessAgent_<architecture>_<version>.AppImage
      Where:
      • <architecture> identifies the platform architecture (x86_64 or arm64)
      • <version> identifies the current version number of the Prisma Access Agent AppImage
    2. Set the appropriate execute permissions on the Prisma Access Agent package. For example, for Prisma Access Agent version 25.7.0.10 on x86_64, enter the following command:
      sudo chmod 755 ./PrismaAccessAgent_x86_64_25.7.0.10.AppImage
    3. When any AppImage runs, it mounts itself to a temporary directory under /tmp/<directory_name>. Therefore, ensure that:
      • The /tmp directory has executable permissions for both user and root accounts
      • Users have read and executable permissions for all files within the /opt/paloaltonetworks/prismaaccessagent directory tree
    4. Install the Prisma Access Agent from the command line.
      sudo -E ./PrismaAccessAgent_<architecture>_<version>.AppImage -i
      The following sample image shows the terminal output showing the successful completion of the agent installation on Ubuntu:
      (Prisma Access Agent 26.2) During installation, the agent detects your desktop environment and installs only the system tray dependencies your environment requires:
      • Gnome — The installer checks for the gnome-shell-extension-appindicator extension and installs it if it is not already present.
      • KDE — The agent uses the native KStatusNotifierItem protocol to render the system tray icon. No additional packages are installed.
      • Other desktop environments — The installer proceeds without installing any UI dependencies and displays the following warning:
        [WARNING] Unsupported Desktop Environment Detected: <desktop_environment_name>
        The Prisma Access Agent is optimized for Gnome and KDE.
        On your current environment, the system tray icon and UI pop-ups may not render correctly.
        The background agent services will still function as expected.
        Do you wish to proceed with the installation? [y/N]:
  2. (NixOS) (Prisma Access Agent 26.2) Download and install the Prisma Access Agent package for NixOS. In addition to the Prisma Access Agent AppImage, NixOS requires a separate installer archive (.tar.gz), which contains the NixOS-specific configuration and installer script.
    Prisma Access Agent integrates with NixOS by defining the AppImage as a custom app package. This process uses the paa_nixos_configuration.nix file and paa_nixos_installer.sh script for system management. The paa_nixos_configuration.nix file declares how NixOS imports the AppImage into its store, defines the PASrv executable as a Systemd service, and integrates the PAGui UI application.
    1. Download the Prisma Access Agent AppImage and NixOS installer archive to the same folder on your computer:
      • PrismaAccessAgent_<architecture>_<version>.AppImage
      • paa_nixos_installer_<version>.tar.gz
    2. Go to the folder containing the installer archive and AppImage and extract the installer archive:
      tar -zxvf paa_nixos_installer_<version>.tar.gz
      After extraction, your folder should contain the following files:
      • PrismaAccessAgent_<architecture>_<version>.AppImage
      • paa_nixos_installer.sh
      • paa_nixos_configuration.nix
    3. Install the Prisma Access Agent using the dedicated NixOS installer script, which integrates the agent declaratively into your system, treating it as a custom package.
      1. Run the NixOS installer script with the install option as a user.
        ./paa_nixos_installer.sh --install
        The script displays installation messages, including steps such as "creating config directories," "copying app image," and "adding PA configuration to the NixOS configuration."
        The installer script will show the following message and prompt the user to enter their sudo user password:
        PrismaAccessAgent for NixOS
        [sudo] password for <username>
        
        The following sample image shows the terminal output showing the successful completion of the NixOS installer script:
      2. Log out and log back into your desktop session. After login, the Prisma Access Agent system tray icon will be visible on your desktop.
  3. (Ubuntu 22 on ARM64) For Prisma Access Agent to function properly on a VM, complete the following steps:
    1. Edit the 50-cloud-init.yaml file:
      sudo nano /etc/netplan/50-cloud-init.yaml
    2. In the YAML file, insert the renderer: NetworkManager statement in the network field and save your changes. For example:
      network:
           ethernets:
                ens160:
                     dhcp4: true
           version: 2
           renderer: NetworkManager
    3. To have the YAML changes persist across an instance reboot, create the /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg file with the following content:
      network: {config: disabled}
    4. Apply the change:
      sudo netplan apply
    5. Restart the network manager service:
      sudo systemctl restart NetworkManager.service
  4. (Ubuntu 22.04) Perform a system reboot.
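
The package-name format, architecture and /tmp requirements from steps 1.1 through 1.3 can be checked before the installer is run with sudo. The following is an added example, not part of the vendor documentation or the agent: the function names are hypothetical, and treating a noexec mount of /tmp as a failure is an assumption layered on the execute-permission requirement above.

```shell
#!/bin/sh
# Added example (not vendor code): pre-install checks for the AppImage package.

# Print "<architecture> <version>" for a well-formed package name, else fail.
parse_pkg_name() {
    base=${1##*/}
    case $base in
        PrismaAccessAgent_x86_64_*.AppImage) arch=x86_64 ;;
        PrismaAccessAgent_arm64_*.AppImage)  arch=arm64 ;;
        *) return 1 ;;
    esac
    version=${base#PrismaAccessAgent_"$arch"_}
    version=${version%.AppImage}
    case $version in                 # dotted digits only, e.g. 25.7.0.10
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s %s\n' "$arch" "$version"
}

# Map `uname -m` output to the architecture token used in the package name.
machine_to_pkg_arch() {
    case $1 in
        x86_64)        echo x86_64 ;;
        aarch64|arm64) echo arm64 ;;
        *) return 1 ;;
    esac
}

# True when an octal mode such as 1777 grants execute (search) to "other".
mode_allows_other_exec() { case $1 in *[1357]) return 0 ;; *) return 1 ;; esac; }

# True when a comma-separated mount option list contains noexec.
has_noexec() { case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac; }

# Usage: preflight ./PrismaAccessAgent_x86_64_25.7.0.10.AppImage [tmpdir]
preflight() {
    pkg=$1; tmpdir=${2:-/tmp}
    info=$(parse_pkg_name "$pkg") || { echo "unexpected package name: $pkg" >&2; return 1; }
    host=$(machine_to_pkg_arch "$(uname -m)") || { echo "unsupported host" >&2; return 1; }
    [ "${info% *}" = "$host" ] || { echo "package is ${info% *}, host is $host" >&2; return 1; }
    mode_allows_other_exec "$(stat -c %a "$tmpdir")" ||
        { echo "$tmpdir lacks execute permission for users" >&2; return 1; }
    # Assumption: a noexec mount also counts as missing execute permission.
    if has_noexec "$(findmnt -n -o OPTIONS -T "$tmpdir" 2>/dev/null)"; then
        echo "$tmpdir is mounted noexec" >&2; return 1
    fi
    echo "ok: $info"
}
```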

Verify the Prisma Access Agent Installation and Connectivity

After installation, confirm that the agent is running, connected, and enforcing security policies as expected.
  1. Check the Prisma Access Agent user interface (UI).
    1. After logging in to your desktop session, the Prisma Access Agent UI should automatically launch.
    2. Log in to Prisma Access using your credentials within the UI.
    3. Confirm that the agent displays a Connected status.
  2. Use the command-line interface (pacli) to check the agent status.
    1. Run the following command to show the status of the agent:
      pacli status
    2. Run the following command to show the status of the tunnel:
      pacli tunnel
    3. Run the following command to view traffic logs and policy enforcement.
      pacli traffic show
    4. Check the Host Information Profile (HIP) status.
      pacli hip status
    5. View HIP notifications.
      pacli hip notification
    6. Test network connectivity and policy enforcement.
      1. Run the following command to verify direct access to a common website, such as google.com.
        curl google.com
      2. Ping a common website such as google.com to verify tunnel connectivity.
        ping google.com
      3. Attempt to access a known blocked site (for example, amazon.com) to confirm policy enforcement.

Upgrade the Prisma Access Agent on Linux

Upgrade the Prisma Access Agent to ensure you have the latest features and security updates.
  1. (All supported Linux distributions except NixOS) Upgrade the agent as follows:
    1. Download the new Prisma Access Agent package from your designated download location. The package name is in the following format:
      PrismaAccessAgent_<architecture>_<new-version>.AppImage
    2. Set the appropriate execute permissions on the Prisma Access Agent package. For example:
      sudo chmod 755 ./PrismaAccessAgent_<architecture>_<new-version>.AppImage
    3. Run the following command to upgrade the agent:
      sudo -E ./PrismaAccessAgent_<architecture>_<new-version>.AppImage -u
  2. (NixOS) Upgrade the agent as follows:
    1. Download the new Prisma Access Agent AppImage and NixOS installer archive to the same folder on your computer:
      • PrismaAccessAgent_<architecture>_<new-version>.AppImage
      • paa_nixos_installer_<new-version>.tar.gz
    2. Extract the new installer archive to the same directory as the new Prisma Access Agent AppImage.
      tar -zxvf paa_nixos_installer_<new-version>.tar.gz
    3. Run the NixOS installer script with the upgrade option as a user.
      ./paa_nixos_installer.sh --upgrade
      The script performs a version check, uninstalls the old agent (without removing your user configurations), and then installs the new agent.
    4. Log out and log back into your desktop session.
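
For the NixOS install and upgrade steps, the installer archive can be listed before extraction to confirm that it holds only the two files the procedure names and that an AppImage of the same version sits in the same folder. This is an added example, not vendor code: the function names are hypothetical, and it assumes the archive contains exactly those two files at top level and that both downloads carry the same version string.

```shell
#!/bin/sh
# Added example (not vendor code): inspect the NixOS installer archive first.

# Succeeds only if the archive lists exactly the two installer files named in
# the procedure (assumption: no other members are expected).
check_installer_archive() {
    members=$(tar -tzf "$1") || { echo "cannot list $1" >&2; return 1; }
    seen_sh=0; seen_nix=0
    while IFS= read -r m; do
        m=${m#./}                        # tar may store names as ./name
        case $m in
            '') ;;                       # root directory entry or blank line
            paa_nixos_installer.sh)      seen_sh=$((seen_sh + 1)) ;;
            paa_nixos_configuration.nix) seen_nix=$((seen_nix + 1)) ;;
            *) echo "unexpected archive member: $m" >&2; return 1 ;;
        esac
    done <<EOF
$members
EOF
    [ "$seen_sh" -eq 1 ] && [ "$seen_nix" -eq 1 ] ||
        { echo "archive is missing an expected file" >&2; return 1; }
}

# Print the version token from paa_nixos_installer_<version>.tar.gz, else fail.
archive_version() {
    v=${1##*/}
    case $v in paa_nixos_installer_*.tar.gz) ;; *) return 1 ;; esac
    v=${v#paa_nixos_installer_}; v=${v%.tar.gz}
    case $v in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# Print the path of an AppImage with the archive's version in the same folder.
appimage_beside() {
    v=$(archive_version "$1") || return 1
    dir=$(dirname "$1")
    for f in "$dir"/PrismaAccessAgent_*_"$v".AppImage; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}
```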

Uninstall the Prisma Access Agent on Linux

You can uninstall the Prisma Access Agent manually if you no longer need to use it. Keep in mind that by uninstalling the agent, you will no longer have access to your corporate network, and your endpoint won't be protected by your organization's security policies.
Complete the following steps to uninstall the agent from the Prisma Access Agent command-line interface (pacli).
  1. (All supported Linux distributions except NixOS) Uninstall Prisma Access Agent by completing the following steps.
    1. Run the following command:
      sudo -E ./PrismaAccessAgent_<architecture>_<version>.AppImage -r
    2. Enter your sudo password (user account password) when prompted.
  2. (NixOS) Complete the following steps to remove all Prisma Access Agent components and configurations from your NixOS system, reverting the changes made during installation.
    1. Execute the NixOS installer script with the remove option as a user.
      ./paa_nixos_installer.sh --remove
      The script stops the Prisma Access Agent UI and service, disables and removes the Systemd service configuration, removes soft links, and deletes the AppImage from the installation directory.
    2. Log out and log back into your desktop session.