Prisma Access Agent 25.4 Known Issues

Review the known issues in Prisma Access Agent 25.4.
Prisma Access Agent version 25.4 has the following known issues:
Issue ID / Description
PANG-8945
When you upgrade to the latest Prisma Access Agent Manager (EPM), the default for "Block Non-TCP and Non-UDP based traffic when connected to tunnel" is disabled. An issue exists where the "pacli traffic show" command output incorrectly shows "Allow non-tunnel outbound ICMP when connected to tunnel" as true.
When the "Block Non-TCP and Non-UDP based traffic when connected to tunnel" option is disabled, the "Allow ICMP for troubleshooting" value should be passed as true. Currently, the "Allow ICMP for troubleshooting" value is incorrectly being passed as false (disabled), which should block ICMP traffic that goes out of the tunnel. However, ICMP traffic is actually being allowed through the physical adapter, creating a discrepancy between the configuration and actual traffic behavior.
This results in inconsistent ICMP traffic handling where the configuration indicates ICMP should be blocked, but the traffic is actually permitted.
PANG-8864
An issue exists where the Prisma Access Agent might incorrectly remain bound to port 0 when switching between Prisma Access Agent Manager (EPM) configurations with different proxy settings, causing endpoint traffic to Explicit Proxy (EP) to fail.
When the Prisma Access Agent initially connects to an EPM without agent proxy configured, it binds to port 0 after a system restart on the endpoint. If the system subsequently switches to a different EPM that has a proxy port configured, the agent might fail to update its port binding and incorrectly remain bound to port 0. This results in endpoint traffic destined for the Explicit Proxy failing to function properly.
Workaround: To resolve this issue, restart the endpoint, and then run the "pacli proxy disable" command, followed by the "pacli proxy enable" command. This forces the agent to properly initialize with the correct proxy port configuration from the new EPM.
PANG-8863
An issue exists where the embedded browser intermittently displays as blank or empty after installing Prisma Access Agent version 25.4 on Windows 11 systems. The embedded browser window appears but shows no content, preventing users from completing authentication or accessing websites through the agent's built-in browser component.
Workaround: Restart the endpoint.
PANG-8646
An issue exists where the reasoning for blocked non-TCP, non-UDP, and ICMP traffic is not logged in the PACli logs or network manager logs. When Prisma Access Agent forwarding profiles block this type of traffic, administrators cannot view the verdict reasoning or decision details through either the PACli command-line interface or network manager logs, making it difficult to audit and troubleshoot blocked traffic for these protocol types.