To use ZTNA Connector on a Panorama Managed Prisma Access tenant you must file a support ticket to get the feature enabled. The feature is enabled by default on Prisma Access (Managed by Strata Cloud Manager) tenants that have been upgraded to Prisma Access 4.0.

If you use RFC 6598 addresses in your environment and want to set up ZTNA Connector on a Prisma Access (Managed by Strata Cloud Manager) tenant, you must file a ticket to enable the functionality to define IP pools to reserve for Prisma Access to enable connectivity to your connector VMs and your apps.

In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature you must onboard at least one mobile user gateway.

On macOS endpoints running Safari and connected to Prisma Access in Tunnel and Proxy mode or proxy mode, browsing through explicit proxy is slow.

Workaround: Remove any references to isResolvable() in your PAC file.

ZTNA Connector can fail to retrieve the correct DNS configuration, which causes ZTNA connector traffic to fail, when the following conditions apply:

• When the first application is onboarded in ZTNA connector
• When all applications are removed (deboarded) from ZTNA Connector

Workaround: Refresh the GlobalProtect connection to get correct DNS server configuration. In the case of all applications going down for a tenant, refresh the GlobalProtect again when some or all applications in ZTNA connector are back up.

ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.

Workaround: Perform one or more of the following steps as required:

If you deploy a mobile users location that already has a location deployed in the same compute location, you might receive only one public IP address for the newly-deployed location instead of two.

Workaround: Enable the IP Allow Listing feature to receive more than one IP address.

ZTNA Connector is not supported in multitenant environments.

In Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector will not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) has been up without interruption for the last 24 hours. The Connector Availability graph shows up only if the tunnel has gone down at least once within the last 24 hours.

When using Dynamic DNS (DDNS) registration using the Cloud Services plugin 3.2, nsupdate commands are not working as expected, which causes issues with DDNS update queries.

Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.

ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.

In mobile user deployments for GlobalProtect in Tunnel and Proxy mode or proxy mode,commit will fail if you don't attach either a SAML or Kerberos authentication profile in your explicit proxy configuration even if you enable Use GlobalProtect Agent to Authenticate.

In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.

Workaround: Make sure you Commit and Push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.

Workaround: Delete empty groups from Firewall configurations.

Attempts to reuse a certificate signing request (CSR) to generate a certificate results in a "Requested entity already exists" error.

Workaround: Do no reuse CSRs.

Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests" error.

Workaround: Do not use this API call more than one time per hour.