Prisma Access Addressed Issues

Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version 5.0 Preferred or Innovation

The following topics describe issues that have been addressed in Prisma Access 5.0.

Prisma Access 5.0.1 Addressed Issues

Issue ID | Description
AIOPS-8130 | Fixed an issue where the Top 5 Prisma Access Location widget showed exorbitant and incorrect numbers for the Bandwidth in the Remote Networks and Service Connections section.
CYR-38318 | Fixed an issue where the Withdraw Static Routes if Service Connection or Remote Networks IPSec tunnel is down choice was enabled by default and not configurable.
CYR-38250 | Fixed an issue where the Mobile Users—Explicit Proxy Users (last 90 days) incorrectly displayed the same users as Mobile Users—GlobalProtect.
CYR-38191 | Fixed an issue where the Total ZTNA Access Objects widget incorrectly displayed the number of wildcards in addition to correctly displaying normal FQDN applications, subnet-based applications, and FQDN applications that were discovered as a result of creating a wildcard rule.
CYR-38034 | Fixed an issue where, if a ZTNA connector was rebooted and if the corresponding connector group contained applications with a Probing Type of icmp ping or none, there could have been an impact on the traffic traversing the rebooted ZTNA Connectors.
CYR-37171 | Fixed an issue where an evaluation license for the traffic replication feature could not be added on a production tenant.
CYR-36703 | Fixed an issue where users and user groups that were configured in Traffic Steering rules were not tracked by the Cloud Identity Engine's Directory Sync service.
CYR-33707 | Fixed an issue where, if you changed Colo-Connect service connection roles (for example, from Active/Active to Active/Backup) and changed the bandwidth on VLANs at the same time, an error displayed after a Commit and Push operation.
CYR-32713 | Fixed an issue where ZTNA Connector could fail to retrieve the correct DNS configuration, which caused ZTNA connector traffic to fail, when the following conditions apply:
  • When the first application was onboarded in ZTNA connector
  • When all applications were removed (deboarded) from ZTNA Connector

Prisma Access 5.0.0-h66 Addressed Issues

Issue ID | Description
CYR-47969 | Fixed an issue where, after an upgrade of the Cloud Services plugin, the Cloud Services plugin Status page did not load.
CYR-47510 | Fixed an issue where clicking ECMP remote network configuration after an upgrade of the Cloud Services plugin resulted in a commit failure.
CYR-45932 | Fixed an issue where one-time push (OTP) verification was failing with the following error: "[get-panorama-cert.py:288] <class 'AttributeError'> ("'Pan_Plugin_Client' object has no attribute 'whitelist_keys'".
CYR-43938 | Fixed an issue where validation for a deployment with multiple portals in a multitenant setup was missing the template stack name, which caused commit validation to fail.
CYR-37017 | Fixed an issue where a configuration passed validation checks for the following invalid configuration:
  • The multi-portal feature was configured.
  • A certificate profile was configured.
  • An authentication profile was not configured.
CYR-35243 | Fixed an issue where the Cloud Services plugin did not display or hide multi-portal enablement based on the feature flag setting.

Prisma Access 5.0.0-h61 Addressed Issues

Issue ID | Description
CYR-47032 | Fixed an issue where, after a Panorama upgrade from 11.2 to 12.1, a commit operation failed after editing the login banner.
CYR-46728 | Fixed an issue where the scheduled reports from Panorama were empty when a proxy server was configured.
CYR-46358 | Fixed an issue where a Failed Plugin validation error occurred on a non-Prisma Access Edition tenant during an upgrade to a Cloud Services plugin that had Colo-Connect changes.

Prisma Access 5.0.0-h60 Addressed Issues

Issue ID | Description
CYR-46782 | Fixed an issue where domain names that contained non-ASCII characters and were in the Panorama cache caused errors during the processing of nsupdate commands in the GlobalProtect DDNS feature.
CYR-46358 | Fixed an issue where a Failed Plugin validation error occurred on a non-Prisma Access Edition tenant during an upgrade to a Cloud Services plugin that had Colo-Connect changes.
CYR-45949 | Fixed an issue where if the UI was not able to access the Prisma Access infrastructure, the Mobile Users - Explicit Proxy onboarding location tab did not load and would keep buffering.
CYR-44969 | Fixed an issue where a user that was created using a role-based administrator was not able to see the Cloud Services configuration in the UI.
CYR-44496 | Fixed an issue where statistics were not populated in the UK region under Panorama > Cloud Services > Status > Monitor > Remote Networks Bandwidth usage.
CYR-43473 | Fixed an intermittent issue where nsupdate records were not properly deleted from the DNS server for some endpoints configured with the Pre-Logon connect method.
CYR-34759 | Fixed an issue where, in a multitenant setup, a sub-tenant with a mobile users only license + ADEM AIOPS was not allocating units properly in the Allocation tab.

Prisma Access 5.0.0-h53 Addressed Issues

Issue ID | Description
CYR-45874 | Fixed an issue where, in a Panorama managed multitenant mobile user deployment, enabling ADEM prevented local commits from being successful.
CYR-45143 | Fixed an issue where CloudBlade integrations were not working in FedRAMP high and FedRAMP moderate environments.

Prisma Access 5.0.0-h48 Addressed Issues

Issue ID | Description
CYR-44354 | Fixed an issue where a Prisma SD-WAN CloudBlade Version 4.0.0 stopped working without a proxy.

Prisma Access 5.0.0-h46 Addressed Issues

Issue ID | Description
CYR-43562 | Fixed an issue where the export of current users from the status page has:
  • Correct hostnames in the CSV.
  • Computer name in the CSV.
  • Fixed formatting errors in the CSV.
CYR-43502 | Fixed an issue where, during a Commit and Push operation, some invalid Prisma Access configurations were validated successfully in Panorama, but were not successfully pushed due to errors in the cloud-based infrastructure.
CYR-43237 | Fixed an issue where Panorama Managed Prisma Access deployments that use proxies did not work with Prisma SD-WAN deployments using Prisma Access CloudBlade Integration Release 4.0.0.
CYR-43132 | Fixed an issue where, during sub-tenant creation on Panorama, the user could not configure units for either Remote Networks or Mobile Users. You can now configure both units at the same time.
CYR-42787 | Fixed an issue where the sub-tenant summary was missing on the Panorama Status page when the response from the Prisma Access backend was not fetched successfully.
CYR-42499 | Fixed an issue where, in a new multitenant deployment that didn't have any existing configuration, administrators were not allowed to enter the sub-tenant name manually.

Prisma Access 5.0.0-h33 Addressed Issues

Issue ID | Description
CYR-41857 | Fixed an issue where if the user did not configure QoS profiles under Networks > QoS Profile, the local commit validation on Panorama plugin was getting skipped.
CYR-41569 | Fixed an issue where, when only one region was onboarded in a Mobile Users—GlobalProtect deployment, removing a location in that region resulted in a plugin validation error.
CYR-41472 | Fixed an issue in a multitenant environment where, if users did not provide units for Remote Networks or Mobile User in the sub-tenant creation tab, the error message displayed "Please specify a bandwidth for your Clean Pipe deployment" instead of "Please specify a bandwidth for your Remote Networks/Mobile Users".
CYR-39874 | Fixed an issue where an Explicit Proxy template was created without Explicit Proxy being onboarded, which caused an issue when Explicit Proxy was onboarded later.

Prisma Access 5.0.0-h31 Addressed Issues

Issue ID | Description
CYR-41084 | Fixed an issue where, after disabling the Cloud Identity Engine integration with Prisma Access, existing Group Mapping Settings caused an error upon commit.
CYR-39553 | Fixed an issue where the Autonomous DEM AIOps Allocated Total number was incorrect for multitenant setups.
CYR-38605 | Fixed an issue where the rebranded Cortex Data Lake name of Strata Logging Service was not displaying correctly.
CYR-29408 | Fixed an issue where the Cloud Services plugin did not manage SD-WAN devices that were deployed in FedRAMP environments.

Prisma Access 5.0.0-h22 Addressed Issues

Issue ID | Description
CYR-39599 | Fixed an issue where some columns that were related to IPv6 displayed in the Egress IP Allowlist table, even though the IPv6 feature had not been enabled.

Prisma Access 5.0.0-h21 Addressed Issues

Issue ID | Description
ARBI-2272 | Fixed an issue where clicking Active Isolated Sessions (Status > Remote Browser Isolation > Active Isolated Sessions) did not open the link in Strata Cloud Manager.
CYR-39908 | Fixed an issue where multi-tenant deployments could not see the IP Optimization functionality in newly-added tenants.
CYR-39795 | Fixed an issue where, after installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) was installed by the __cloud_services user, even though Explicit Proxy was not enabled.
CYR-38814 | Fixed an issue where the Wildcard Top Down Match Mode check box did not display in a Panorama that manages Prisma Access in the Device > Setup > Management area.

Prisma Access 5.0.0-h10 Addressed Issues

Issue ID | Description
CYR-38368 | Fixed an issue where, when you onboarded a Service Connection using CLI, it didn't show up in the selection dropdown for the Traffic Steering Target window.
CYR-38120 | Fixed an issue where all available locations did not display in the list view in the Mobile Users—Explicit Proxy setup page.
CYR-38103 | Fixed an issue where the Backup SC drop-down list did not have selectable options due to a lack of a transport-type configuration in Service Connection entries that were configured using CLI.
CYR-37004 | Fixed an issue where a Panorama commit was failing with a "profiles -> dlp-data-profiles unexpected here" error after upgrading the Cloud Services plugin from 3.2.1 to a 4.0.0 or later version.
CYR-34770 | Fixed an issue where, if you configured multiple portals in Prisma Access for the Mobile Users—GlobalProtect deployment, you must also configure an authentication profile under Client Authentication on all portals.

Prisma Access 5.0.0 Addressed Issues

Issue ID | Description
CYR-39553 | Fixed an issue where the Autonomous DEM AIOps Allocated total number is incorrect for multitenant setups.
CYR-38068 | Fixed an issue where an integration may not happen the first time a user tries to connect to "Managed Cloud WANs" in the integration page. If this is the case, the user may have to reenter the pairing key.
CYR-37003 | Fixed an issue where, after upgrading the Panorama that manages Prisma Access to 10.2, multitenant deployments had one or more sub-tenants deleted after a local commit was performed.
Note that, after you install the plugin that contains this hotfix and delete a tenant, the tenant is deleted locally on the Panorama but its configuration remains in the Prisma Access infrastructure. It is recommended that you back up your Panorama configuration before you delete any sub-tenants. To completely delete the tenant, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request to delete the tenant from your infrastructure.
CYR-36709 | Fixed an issue where, when allocating bandwidth in legacy mode (on a per-location basis) for Remote Networks, onboarding of more than 250 RN sites was failing due to a SaaS agent Exception.
CYR-36121 | Fixed an issue where traffic steering network traffic was being dropped due to a route asymmetry issue.
CYR-35811 | Fixed an issue where a Commit and Push operation was failing due to an empty subtenant ID for a newly added subtenant.
CYR-34173 | Fixed an issue where, when configuring multiple GlobalProtect portals with Traffic Steering, you could not configure Accept Default Routes over Service Connections (Panorama > Cloud Services > Configuration > Traffic Steering > Settings > Accept Default Route over Service Connection).
CYR-34078 | Fixed an issue where, if you configured a Colo-Connect subnet before configuring and performing a Commit and Push operation for the Infrastructure Subnet, Colo-Connect Commit and Push operations would fail.
CYR-33815 | Fixed an issue where, to enable Source IP based Visibility and Enforcement in Explicit Proxy, you also had to enable Enable Agent Proxy (for Prisma Access (Managed by Strata Cloud Manager)) or Use GlobalProtect Agent to Authenticate (for Panorama Managed Prisma Access), even if you have not enabled the Explicit Proxy-GlobalProtect agent functionality.
CYR-33695 | Fixed an issue where traffic steering rules could not be disabled or moved. In other cases, a "No object to edit in move handler" error was encountered and no changes could be applied to the traffic steering rule.
CYR-33625 | Fixed an issue where, when configuring Colo-Connect for the first time and performing a partial commit, you received a 'Colo_Connect_Device_Group' is invalid error.
CYR-33584 | Fixed an issue where, in a multi-tenant deployment, if the first tenant's license expired, all sub-tenant licenses were also marked as expired.
CYR-33553 | Fixed an issue where the Connector availability graph shown under Monitor > Data Centers > ZTNA Connectors > Connectors > <connector-name> > Device metric displayed the graph in complete red color even when the connector IPSec tunnel has been continuously up for the last 24 hours.
CYR-33539 | Fixed an issue where a new warning message displayed during a commit when Explicit Proxy is configured in a deployment with multiple tenants.
CYR-33180 | Fixed an issue where, in order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature, you had to onboard at least one mobile user gateway.
CYR-32782 | Fixed an issue where, if you deleted a Colo-Connect service connection and then Committed and Pushed your changes, it could take some time to delete Colo-Connect service connections.
CYR-32188 | Fixed an issue where, in Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector did not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) had been up without interruption for the last 24 hours.
CYR-32170 | Fixed an issue where, when using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI (Connectors > Actions > Diagnostics icon) were not functional.
CYR-32006 | Fixed an issue where, when using Dynamic DNS (DDNS) registration using the Cloud Services plugin 3.2, nsupdate commands were not working as expected, which caused issues with DDNS update queries.
CYR-31623 | Fixed an issue where only one Panorama HA pair could be associated with a CDL instance.
CYR-30610 | Fixed an issue where, in a Prisma Access multitenant deployment, Commit and Push operations were failing because subtenant IDs were not being populated correctly.