Palo Alto Networks Prisma AIRS

Palo Alto Networks Prisma AIRS™ is a purpose-built, centralized security platform that protects your entire AI ecosystem. It provides comprehensive protection for AI applications, models, data, and agents through real-time threat detection and inline security enforcement across all OSI layers (1-7).

Prisma AIRS offers two protection modes:

• Network Intercept: Real-time, inline protection for cloud network architectures
• API Intercept: Security-as-Code embedded directly into your applications

To get started with Prisma AIRS, visit their documentation:

​

Using Prisma AIRS with Portkey

​

1. Set Up Prisma AIRS

Before integrating with Portkey:

• Onboard and activate Prisma AIRS in Strata Cloud Manager
• Create security profiles with your desired threat detection rules
• Note your Profile Name - you’ll need this for Portkey configuration

​

2. Add Prisma AIRS Credentials to Portkey

• Navigate to the Integrations page under Settings
• Click on the edit button for the Palo Alto Networks Prisma AIRS integration
• Add your Prisma AIRS credentials (API keys from Strata Cloud Manager)

​

3. Add Prisma AIRS Guardrail Check

• Navigate to the Guardrails page and click the Create button
• Search for “PANW Prisma AIRS Guardrail” and click Add
• Configure the guardrail parameters:
  • Profile Name (required): Enter the security profile name from your Prisma AIRS configuration
  • AI Model: Specify the AI model identifier (optional)
  • App User: Specify the application user context (optional)
• Set any actions you want on your check, and create the Guardrail!

​

4. Add Guardrail ID to a Config and Make Your Request

• When you save a Guardrail, you’ll get an associated Guardrail ID - add this ID to the input_guardrails or output_guardrails params in your Portkey Config
• Create these Configs in Portkey UI, save them, and get an associated Config ID to attach to your requests. More here.

Here’s an example config:

{
  "input_guardrails": ["guardrails-id-xxx", "guardrails-id-yyy"],
  "output_guardrails": ["guardrails-id-xxx", "guardrails-id-yyy"]
}

const portkey = new Portkey({
    apiKey: "PORTKEY_API_KEY",
    config: "pc-***" // Supports a string config id or a config object
});

const portkey = new Portkey({
    apiKey: "PORTKEY_API_KEY",
    config: "pc-***" // Supports a string config id or a config object
});

portkey = Portkey(
    api_key="PORTKEY_API_KEY",
    config="pc-***" # Supports a string config id or a config object
)

const openai = new OpenAI({
  apiKey: 'OPENAI_API_KEY',
  baseURL: PORTKEY_GATEWAY_URL,
  defaultHeaders: createHeaders({
    apiKey: "PORTKEY_API_KEY",
    config: "CONFIG_ID"
  })
});

client = OpenAI(
    api_key="OPENAI_API_KEY", # defaults to os.environ.get("OPENAI_API_KEY")
    base_url=PORTKEY_GATEWAY_URL,
    default_headers=createHeaders(
        provider="openai",
        api_key="PORTKEY_API_KEY", # defaults to os.environ.get("PORTKEY_API_KEY")
        config="CONFIG_ID"
    )
)

curl https://api.portkey.ai/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "x-portkey-api-key: $PORTKEY_API_KEY" \
  -H "x-portkey-config: $CONFIG_ID" \
  -d '{
    "model": "gpt-3.5-turbo",
    "messages": [{
        "role": "user",
        "content": "Hello!"
      }]
  }'

For more, refer to the Config documentation.

Your requests are now protected by Prisma AIRS’s comprehensive AI security capabilities, and you can see the verdict and any actions taken directly in your Portkey logs!

​

What Prisma AIRS Protects Against

Prisma AIRS provides multi-layered protection against various AI-specific threats:

​

Security Threats Detected

1. Prompt Injections: Detects and blocks attempts to manipulate AI behavior through malicious prompts
2. Sensitive Data Leakage: Prevents PII, secrets, and confidential information from being exposed
3. Insecure Outputs: Blocks responses containing malware, malicious URLs, or harmful content
4. Model DoS Attacks: Protects against attempts to overwhelm or disable AI models
5. Jailbreak Attempts: Identifies and prevents attempts to bypass AI safety mechanisms
6. Toxic Content: Filters harmful, offensive, or inappropriate content

​

Protection Layers

• Network Level (OSI Layers 1-7): Complete inline protection for all network traffic
• API Level (OSI Layers 4-7): Security-as-Code embedded directly in your applications
• Real-time Analysis: Continuous monitoring and threat detection
• Policy Enforcement: Custom security rules based on your organization’s requirements

​

Best Practices

1. Profile Configuration: Create different security profiles in Prisma AIRS for different use cases (development, staging, production)
2. Context Awareness: Use the aiModel and appUser parameters to provide context for better threat detection
3. Monitoring: Regularly review both Portkey logs and Prisma AIRS dashboard for security insights
4. Policy Updates: Keep your Prisma AIRS security policies updated based on emerging threats

​

Get Support

If you face any issues with the Prisma AIRS integration, reach out to:

• Portkey team on the community forum
• Palo Alto Networks support through your enterprise account

​

Learn More

• Palo Alto Networks Prisma AIRS Documentation
• Prisma AIRS API Reference
• AI Security Best Practices