Skip to main content

Configuration Management

Prisma AIRS CLI exposes full CRUD over AIRS runtime configuration resources via airs runtime subcommand groups. All config management commands require Management API credentials (PANW_MGMT_CLIENT_ID, PANW_MGMT_CLIENT_SECRET, PANW_MGMT_TSG_ID).

Security Profiles

# CRUD
airs runtime profiles list
airs runtime profiles get <nameOrId>
airs runtime profiles get <nameOrId> --output json
airs runtime profiles create --name "My Profile" --prompt-injection block --toxic-content alert
airs runtime profiles update <nameOrId> --prompt-injection alert --malicious-code block
airs runtime profiles delete <nameOrId>
airs runtime profiles delete <nameOrId> --force --updated-by user@example.com

# Clean up old profile revisions (keeps only latest per name)
airs runtime profiles cleanup # preview only
airs runtime profiles cleanup --force # delete old revisions

create requires --name. All protection flags are optional — omitted sections get AIRS defaults.

update uses read-modify-write: fetches the current profile, merges only the flags you specify, PUTs the full payload. Existing policy sections (including topic-guardrails) are preserved.

See the CLI Reference — Profiles for the full flag table.

Custom Topics & Guardrail Optimization

# CRUD
airs runtime topics list [--limit <n>] [--offset <n>] [--output <format>]
airs runtime topics get <nameOrId> [--output pretty|json|yaml]
airs runtime topics update <topicId> --config <json-file>
airs runtime topics delete <topicId> [--force --updated-by <email>]

# Guardrail optimization (atomic commands for agent loops)
airs runtime topics create --name <name> --description <desc> --examples <ex1> <ex2> [--output json]
airs runtime topics apply --profile <name> --name <name> --intent <block|allow> [--output json]
airs runtime topics eval --profile <name> --prompts <csv> --topic <name> [--output json]
airs runtime topics revert --profile <name> --name <name> [--output json]
airs runtime topics sample [--output-file <path>]

See Guardrail Optimization for details on the optimization loop and AGENTS.md for the agent protocol.

API Keys

airs runtime api-keys list
airs runtime api-keys create --config apikey.json
airs runtime api-keys regenerate <apiKeyId> --interval 90 --unit days
airs runtime api-keys delete <apiKeyName> --updated-by user@example.com

Customer Apps

airs runtime customer-apps list
airs runtime customer-apps get <appName>
airs runtime customer-apps update <appId> --config app.json
airs runtime customer-apps delete <appName> --updated-by user@example.com

Deployment Profiles

airs runtime deployment-profiles list
airs runtime deployment-profiles list --unactivated

DLP Profiles

airs runtime dlp profiles list

Scan Logs

airs runtime scan-logs query --interval 24 --unit hours
airs runtime scan-logs query --interval 168 --unit hours --filter threat
airs runtime scan-logs query --interval 720 --unit hours --limit 100

Environment Variables

VariableDescription
PANW_AI_SEC_API_KEYPrisma AIRS API key for scan operations
PANW_MGMT_CLIENT_IDManagement API OAuth2 client ID (config management)
PANW_MGMT_CLIENT_SECRETManagement API OAuth2 client secret (config management)
PANW_MGMT_TSG_IDManagement API tenant service group ID (config management)