An issue exists where Prisma Access Agent fails to trigger internal gateway authentication and update IP-user mapping when transitioning between networks while multiple Ethernet interfaces remain active simultaneously. This occurs specifically when a Windows 11 laptop, connected to LAN via Prisma Access Agent to an NGFW firewall, reconnects the LAN cable after switching to Wi-Fi, resulting in both network interfaces being active for several seconds during the transition.

While Prisma Access Agent successfully reauthenticates to the Prisma Access Agent Manager and updates IP-user mapping when switching from LAN to Wi-Fi with a single active interface, it fails to perform the same authentication process when reconnecting to LAN while Wi-Fi remains connected. This causes traffic impact as the source user/IP becomes unknown to the internal gateway due to the outdated IP-user mapping.

Workaround: Enable the Windows 11 Prevent Wi-Fi when on Ethernet setting, which prevents both interfaces from remaining connected simultaneously during network transitions.

An issue exists where the Prisma Access Service (PASrv) continues to attempt authentication even when Prisma Access Agent is explicitly disabled. This behavior has been observed in staging environments where users have disabled agent due to Prisma Access Agent Manager (EPM) login issues and switched to GlobalProtect as an alternative solution. Despite the agent being confirmed as disabled through the pacli switchto status command, which shows Prisma Access Agent: Disabled and GlobalProtect: Enabled, the PASrv service continues to periodically attempt login operations in the background.

An issue exists where Prisma Access Agent incorrectly reuses SAML authentication requests between different Windows user sessions on the same device. When a user logs off from Windows and a different user logs in, the SAML authentication request carries the same SAML request data from the previous session, causing the agent to maintain connectivity to the gateway using the original user's credentials rather than authenticating the new user. When the original user logs back in following an OS reboot, the agent continues to use the cached authentication from the first session.