Known Issues

Prisma AIRS

A list of known issues in Prisma AIRS.
Review the known issues in the latest Prisma AIRS release:
Issue ID
Description
AIFW-3035
During a scale-in event, terminating an instance may take approximately 15 minutes to perform the delicensing workflow and effectively release CSP credits.
AIFW-1555
Helm Installation Fails Due to Incorrect Endpoints in YAML
When you download a deployment Terraform with traffic steering inspection enabled, the `pan-cni-svc-eps.yaml` file may incorrectly contain multiple endpoints, even if you selected only one zone in the deployment workflow. This can cause the Helm installation to fail.
Workaround: Manually modify the `pan-cni-svc-eps.yaml` file to remove the extra endpoint information, and ensure it reflects only the zones you selected during configuration.
AIFW-790
Pod Traffic Discovery Limitation in AWS Kubernetes Clusters
Prisma AIRS: Network intercept may not fully discover unprotected pod traffic in Kubernetes clusters running on AWS. This impacts the visibility of such traffic in the Strata Cloud Manager discovery command center despite enabling AWS VPC flow logs.
Workaround: To discover the pod’s traffic, add the AmazonEKSAdminViewPolicy to the K8s cluster for the role you created when applying the onboarding Terraform.
AIFW-717
Model Traffic Display Delay in AWS Environments
Prisma AIRS: Network intercept may not immediately display unprotected model traffic on the Models page for AWS environments. This occurs because the system cannot properly match instance identifiers between flow logs and model invocation logs, particularly when instance profiles and IAM roles use different naming conventions. As a result, AI traffic from applications to Bedrock models may not appear in the Models page despite being actively used.
AIFW-750
When you destroy the `security_project` Terraform, the Terraform deployment screen (Insights → AI Runtime Security) still shows the firewall with a Deployed status. You can manually delete the Terraform item for the firewall from the deployment screen.
AIFW-720
The onboarding workflow in Strata Cloud Manager fails if your Strata Logging Service has expired.
Workaround: Verify your Strata Logging Service license status when creating a deployment profile in the Customer Support Portal. If the Strata Logging Service has expired, renew it before onboarding a cloud account to ensure successful onboarding Terraform generation.
AIFW-506
The Application breakdown section on the Applications page (Strata Cloud Manager → Insights → Prisma AIRS → AI Runtime - Network Intercept) may show a discrepancy in the total number of applications. The breakdown of VM and Pod applications may not sum up to the total number of applications displayed at the top of the page. This is because some applications are categorized as both VM and Pod types, leading to their inclusion in both counts within the breakdown. However, the total application count remains accurate, representing the unique number of applications across all types.
PAN-280130
GKE Autopilot clusters do not support Helm deployments due to restrictions on modifying the kube-system namespace.
AIFW-690
GCP account onboarding requires a 10-second wait after a successful Terraform application before clicking "Done" to complete the process.
PAN-256741
Traffic Routing Blocked Between `fw-trust-vpc` and `app-vpc`
Traffic routing between fw-trust-vpc and app-vpc via VPC peering is currently blocked because the route export from fw-trust-vpc to app-vpc for 0.0.0.0/0 to ILB is hindered by an existing default gateway route in the app-vpc.
Workaround: Create a default route in the app-vpc which uses the Prisma AIRS ILB as the next hop. This ensures traffic routes correctly through the Prisma AIRS: Network intercept (AI firewall), enforcing security policies.
PLUG-16395
IPv6 tag harvesting is not supported.
AIFW-421
Missing CIDR retrieval during AI Runtime Security deployment
While deploying a Prisma AIRS: Network intercept in Strata Cloud Manager, selecting the application namespace does not retrieve the cluster pod and service CIDR.
Workaround: After generating the Terraform configuration, allow these CIDR values in the Firewall Trust VPC firewall rule.
PAN-266547
Tag Collector in TC Mode enters Maintenance Mode after upgrade to `v11.2.3`
When you upgrade the AI Runtime Security tag collector from `v11.2.2-h1` to `v11.2.3`, the tag collector enters a reboot loop and eventually goes into maintenance mode.
Workaround: Don’t upgrade to `v11.2.3`, as the auto-commit feature is not triggered in `v11.2.3`.
PAN-266547
Tag Collector running `v11.2.2-h1` enters Maintenance Mode with instance types other than `n2-standard-4` and `Standard_DS3_v2` post bootstrap. This is due to incorrect capacity file computation and excessive memory usage.
Workaround: Use `n2-standard-4` or `Standard_DS3_v2` instance sizes for running `v11.2.2-h1` to avoid this issue.