Prisma AIRS
Known Issues
A list of known issues in Prisma AIRS.
Review the known issues for the latest Prisma AIRS release:
| Issue ID | Description |
|---|---|
| PAN-314483 | In a Panorama HA configuration, if the primary Panorama is not active when a new HSF cluster node is created, the node might remain in the init state because synchronization of the IPsec keys fails. Workaround: Make sure the primary Panorama is active before bringing up a new cluster node. |
| PAN-3144171 | After a Panorama HA upgrade, a configuration incompatibility is detected on the nodes of a Prisma AIRS HSF cluster and the nodes transition to a failed state. Workaround: After upgrading an HA Panorama, manually perform a full configuration push to all cluster nodes. |
| PAN-312912 | Occasionally, after a new Prisma AIRS HSF cluster is deployed or a critical service restarts on a node, some nodes may fail to process traffic because of a CVM and SMT mismatch. Workaround: Reboot all nodes in the cluster at the same time. |
| PAN-311219 | In Prisma AIRS HSF clusters, leader re-election issues are observed after cluster control link or traffic link failures. Workaround: |
| PAN-311601 | Occasionally, when a node transitions to the failed state because of a fault, it may become stuck in the session-clearing fault state. Workaround: Remove all fault conditions, then reboot the node. |
| PAN-310328 | A cluster node may occasionally become stuck in the init state during a state transition, usually with the reason "Session table sharding not complete". Workaround: Remove all fault conditions, then reboot the node. |
| AIFW-3506 | KVM Prisma AIRS HSF cluster VMs that use the virtio interface type default to a single queue. Workaround: To increase the number of queues, shut down the VM and modify the interface XML in the domain configuration. |
| SLR-2531 | In deployments with no Security Lifecycle Review (SLR) firewall but a regular Prisma AIRS inline firewall, the Overview section of the SLR report fails to display some information, for example the Application Inventory Overview on the Traffic Flow Overview page. This occurs only when the firewall sends logs to the Strata Logging Service (SLS) in large volumes. |
| AIFW-3035 | During a scale-in event, terminating an instance may take approximately 15 minutes to run the delicensing workflow and release the CSP credits. |
| AIFW-1555 | Helm installation fails because of incorrect endpoints in YAML. When you download a deployment Terraform with traffic steering inspection enabled, the `pan-cni-svc-eps.yaml` file may incorrectly contain multiple endpoints even if you selected only one zone in the deployment workflow, which can cause the Helm installation to fail. Workaround: Manually edit `pan-cni-svc-eps.yaml` to remove the extra endpoint entries so that it lists only the zones you selected during configuration. |
| AIFW-790 | Pod traffic discovery limitation in AWS Kubernetes clusters. Prisma AIRS: Network intercept may not fully discover unprotected pod traffic in Kubernetes clusters running on AWS, so that traffic is not visible in the Strata Cloud Manager discovery command center even with AWS VPC flow logs enabled. Workaround: To discover pod traffic, add the AmazonEKSAdminViewPolicy to the K8s cluster for the role you created when applying the onboarding Terraform. |
| AIFW-717 | Model traffic display delay in AWS environments. Prisma AIRS: Network intercept may not immediately display unprotected model traffic on the Models page for AWS environments because the system cannot match instance identifiers between flow logs and model invocation logs, particularly when instance profiles and IAM roles use different naming conventions. As a result, AI traffic from applications to Bedrock models may not appear on the Models page even though the models are actively used. |
| AIFW-750 | When you destroy the `security_project` Terraform, the Terraform deployment screen (Insights → AI Runtime Security) still shows the firewall with a Deployed status. You can manually delete the Terraform item for the firewall from the deployment screen. |
| AIFW-720 | The onboarding workflow in Strata Cloud Manager fails if your Strata Logging Service license has expired. Verify the Strata Logging Service license status when creating a deployment profile in the Customer Support Portal; if it has expired, renew it before onboarding a cloud account so that the onboarding Terraform is generated successfully. |
| AIFW-506 | The Application breakdown section on the Applications page (Strata Cloud Manager → Insights → Prisma AIRS → Prisma AIRS AI Runtime - Network Intercept) may show a discrepancy in the total number of applications: the VM and Pod application counts in the breakdown may not add up to the total shown at the top of the page. This is because some applications are categorized as both VM and Pod types and are therefore included in both counts. The total application count remains accurate and represents the number of unique applications across all types. |
| PAN-280130 | GKE Autopilot clusters do not support Helm deployments due to restrictions on modifying the kube-system namespace. |
| AIFW-690 | GCP account onboarding requires a 10-second wait after a successful Terraform application before clicking "Done" to complete the process. |
| PAN-256741 | Traffic routing blocked between `fw-trust-vpc` and `app-vpc`. Traffic routing between fw-trust-vpc and app-vpc over VPC peering is currently blocked because the export of the 0.0.0.0/0 route to the ILB from fw-trust-vpc to app-vpc is hindered by the existing default gateway route in app-vpc. Workaround: Create a default route in app-vpc that uses the Prisma AIRS ILB as the next hop, so that traffic is routed through the Prisma AIRS: Network intercept (AI firewall) and security policies are enforced. |
| PLUG-16395 | IPv6 Tags harvesting is not supported. |
| AIFW-421 | Missing CIDR retrieval during AI Runtime Security deployment. While deploying a Prisma AIRS: Network intercept in Strata Cloud Manager, selecting the application namespace does not retrieve the cluster pod and service CIDRs. Workaround: After generating the Terraform configuration, add these CIDR ranges to the allow list of the Firewall Trust VPC firewall rule. |
| PAN-266547 | Tag Collector in TC mode enters maintenance mode after upgrade to `v11.2.3`. When you upgrade the AI Runtime Security tag collector from `v11.2.2-h1` to `v11.2.3`, the tag collector enters a reboot loop and eventually goes into maintenance mode. Workaround: Do not upgrade to `v11.2.3`, because the auto-commit feature is not triggered in `v11.2.3`. |
| PAN-266547 | Tag Collector running `v11.2.2-h1` enters maintenance mode after bootstrap on instance types other than `n2-standard-4` and `Standard_DS3_v2`, because of incorrect capacity file computation and excessive memory usage. Workaround: Use the `n2-standard-4` or `Standard_DS3_v2` instance size when running `v11.2.2-h1`. |