Addressed Issues

Review the addressed issues in Prisma AIRS.
| ISSUE ID | DESCRIPTION |
|---|---|
| PAN-318125 | On newly bootstrapped 12.1.6 AI-Runtime Firewalls using an AIRS authcode, the AI Profile fails to be applied on the firewall. Workaround: Reboot the VM. |
| PAN-265124 | K8s Pod Outbound Traffic Blocked by DNS-Security. When an "allow-all" rule is configured in Strata Cloud Manager (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy) with the default "best-practice" Profile Group, outbound traffic from a K8s pod to the internet may be blocked due to DNS-Security restrictions. Workaround: To ensure outbound traffic functions correctly on Azure/AWS, set the security Profile Group to "None" instead of "best-practice." |
| ADI-34257 | Cloning a security policy rule (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy) in Strata Cloud Manager that uses an AI profile group does not update the AI profile usage in the cloned rule. |
| ADI-34273 | When moving an AI Security profile (Manage → Configuration → NGFW and Prisma Access → Security Services → AI Security) in Strata Cloud Manager from one device scope to another, deleting the security profile in the new device scope fails. |
| PAN-264445 (Fixed in 11.2.3-h1) | SSL traffic failed between secure pods with decryption enabled, leading to SSL handshake problems as packets were routed to the incorrect endpoint. |
| PAN-268187 (Fixed in 11.2.3-h1) | Traffic log incorrectly showed non-AI HTTP/2 traffic as AI traffic. Logs are now accurate, reflecting only actual AI traffic. |
| PAN-266218 (Fixed in 11.2.3-h1) | Kubernetes cluster ID from the CNI was not detected, resulting in missing AWS traffic object IDs in east-west and outbound traffic session information. |
| PAN-266219 (Fixed in 11.2.3-h1) | Kubernetes cluster ID was missing in the HTTP/2 traffic logs under Incidents and Alerts → Log Viewer → Firewall/AI Security on the Strata Cloud Manager. |

PAN-CNI 4.0.x

Refer to the following table to see what has changed with each Prisma AIRS CNI release.
| ISSUE ID | DESCRIPTION |
|---|---|
| CN-304 | Incorrect file permissions within the PAN-CNI container image affected logrotate configuration files, stopping the log rotation process and causing pan-cni.log to grow until disk space was fully depleted. This issue is now resolved. |
| CN-305 | In Azure AKS environments, the one-hour rotation of service account tokens caused PAN-CNI to become inoperable after one hour of operation. This issue is now resolved. |
| CN-306 | When workloads lacked labels, PAN-CNI could not start the associated pod successfully. This issue is now resolved. |
| CN-307 | When annotations existed at both the namespace and pod levels, PAN-CNI repeatedly attempted to register the same routes during CIDR steering. This issue is now resolved; namespace-level annotations take precedence over pod-level annotations. |