An issue exists where the Prisma Access Agent on macOS and Windows forwarding profile domain/FQDN list is case-sensitive, leading to inconsistent forwarding rule evaluation. When users perform DNS queries for domains configured in Forwarding profile rules, the agent matches the rule correctly only when the query uses the exact same case as configured. For example, querying a domain in lowercase (such as "example.com") matches the configured rule as expected, but querying the same domain in uppercase (such as "EXAMPLE.COM") fails to match the same rule and instead falls through to the default rule, even though DNS resolution succeeds in both cases. This issue affects both Windows and macOS workstations. The expected behavior is that FQDN matching should be case-insensitive, as DNS itself is case-insensitive by standard.

An issue exists in the Prisma Access Agent for macOS where the Use Single Sign-on (Mac) agent setting does not work as expected. When Use Single Sign-on (Mac) is enabled for macOS devices that support with Platform SSO, the Prisma Access Agent embedded browser briefly appears before disappearing during authentication. The expected behavior is that when Use Single Sign-on (Mac) is enabled, the embedded browser should not appear at all and authentication should proceed directly using Platform SSO. This issue also occurs when the setting is disable.

An issue exists in Prisma Access Agent where OPSWAT's missing-patch lookup fails when an allowlist security policy is enforced that blocks all traffic through the tunnel without explicitly allowing traffic to OS update servers. This occurs because OPSWAT uses the system's native update service to perform patch lookups—Software Update on macOS (communicating with swdist.apple.com and swscan.apple.com) and Windows Update on Windows (communicating with slscr.update.microsoft.com)—and Prisma Access Agent does not provide an implicit rule to exempt this traffic from the tunnel. As a result, HIP missing patch collection does not function when the security policy drops traffic to these endpoints.

Recommended Solution: Configure the firewall to allow traffic to OS update endpoints (*.apple.com for macOS or *.update.microsoft.com for Windows).

Alternative Workaround: Configure a forwarding profile that excludes DNS and network traffic to *.apple.com and *.update.microsoft.com traffic from the tunnel (by setting Connectivity to Direct in the forwarding rule).