Configuration Management
Prisma AIRS CLI exposes full CRUD over AIRS runtime configuration resources via airs runtime subcommand groups. All config management commands require Management API credentials (PANW_MGMT_CLIENT_ID, PANW_MGMT_CLIENT_SECRET, PANW_MGMT_TSG_ID).
Security Profiles
# CRUD
airs runtime profiles list
airs runtime profiles get <nameOrId>
airs runtime profiles get <nameOrId> --output json
airs runtime profiles create --name "My Profile" --prompt-injection block --toxic-content alert
airs runtime profiles update <nameOrId> --prompt-injection alert --malicious-code block
airs runtime profiles delete <nameOrId>
airs runtime profiles delete <nameOrId> --force --updated-by user@example.com
# Clean up old profile revisions (keeps only latest per name)
airs runtime profiles cleanup # preview only
airs runtime profiles cleanup --force # delete old revisions
create requires --name. All protection flags are optional — omitted sections get AIRS defaults.
update uses read-modify-write: fetches the current profile, merges only the flags you specify, PUTs the full payload. Existing policy sections (including topic-guardrails) are preserved.
See the CLI Reference — Profiles for the full flag table.
Custom Topics & Guardrail Optimization
# CRUD
airs runtime topics list [--limit <n>] [--offset <n>] [--output <format>]
airs runtime topics get <nameOrId> [--output pretty|json|yaml]
airs runtime topics update <topicId> --config <json-file>
airs runtime topics delete <topicId> [--force --updated-by <email>]
# Guardrail optimization (atomic commands for agent loops)
airs runtime topics create --name <name> --description <desc> --examples <ex1> <ex2> [--output json]
airs runtime topics apply --profile <name> --name <name> --intent <block|allow> [--output json]
airs runtime topics eval --profile <name> --prompts <csv> --topic <name> [--output json]
airs runtime topics revert --profile <name> --name <name> [--output json]
airs runtime topics sample [--output-file <path>]
See Guardrail Optimization for details on the optimization loop and AGENTS.md for the agent protocol.
API Keys
airs runtime api-keys list
airs runtime api-keys create --config apikey.json
airs runtime api-keys regenerate <apiKeyId> --interval 90 --unit days
airs runtime api-keys delete <apiKeyName> --updated-by user@example.com
Customer Apps
airs runtime customer-apps list
airs runtime customer-apps get <appName>
airs runtime customer-apps update <appId> --config app.json
airs runtime customer-apps delete <appName> --updated-by user@example.com
Deployment Profiles
airs runtime deployment-profiles list
airs runtime deployment-profiles list --unactivated
DLP Profiles
airs runtime dlp profiles list
Scan Logs
airs runtime scan-logs query --interval 24 --unit hours
airs runtime scan-logs query --interval 168 --unit hours --filter threat
airs runtime scan-logs query --interval 720 --unit hours --limit 100
Environment Variables
| Variable | Description |
|---|---|
PANW_AI_SEC_API_KEY | Prisma AIRS API key for scan operations |
PANW_MGMT_CLIENT_ID | Management API OAuth2 client ID (config management) |
PANW_MGMT_CLIENT_SECRET | Management API OAuth2 client secret (config management) |
PANW_MGMT_TSG_ID | Management API tenant service group ID (config management) |