| CYR-56688 |
If you delete Internal Host Detection in the Default agent settings (), the Internal Host Detection settings are not
removed from the configuration in the Cloud Services plugin (), causing the Internal Host Detection settings to
reappear in the Default agent settings.
Workaround: Either remove the Internal host detection from the
Cloud Services plugin configuration, or rename the Default agent
settings.
|
| CYR-55402 | The Global Portal Config for Internal Host Detection will
overwrite the Internal Host Detection in the Portal Agent Config. But,
if there are multiple agent configs, it will overwrite the very first
config in the list, not DEFAULT. It depends on which config is at the
top of the list. |
| CYR-54543 | Panorama Plugin-based GlobalProtect logout fails when
there is a special character in username or computer name. |
| CYR-46170 |
If you have enabled DDNS and you later push a service subnet change
to your mobile users, you must also restart the DDNS plugin on your
Mobile User gateway for DDNS to pick up the change.
Workaround: Enter the following command:
debug software restart process pl-ddns
|
| CYR-45112 | The external gateway configuration is grayed out when
upgrading the Cloud Services plugin to versions 5.1.0 or later. |
| CYR-43425 | You cannot specify Outbound Routes for the
Service for service connections if those service
connections use RFC 6598 addresses. |
| CYR-43401 | For connectors onboarded in ZTNA connector groups with
Preserve User ID checked, from the internal interface to the data center apps does
not work. |
| CYR-43400 | For connectors onboarded in ZTNA connector groups with
Preserve User ID checked, from the internal interface to the data center apps does
not work. |
| CYR-43262 | Remote network API requests for Remote Network onboarding
returns a commit validation error on the Cloud Services plugin if BGP
configuration is included in the payload. |
| CYR-43222 | Application targets assigned to User ID-based ZTNA
Connector groups do not support a Probing Type of
icmp ping. Workaround: Use a
Probing Type of
none or tcp ping
for the application. |
| CYR-43147 | For autoscaled ZTNA connectors, during scale in, existing
long lived sessions may be dropped prematurely that are handled by the
ZTNA connector that is marked for scale in. There should be no impact
for new traffic sessions post scale in. |
| CYR-42919 |
When attempting to modify or delete Connector IP Blocks in ZTNA
Connector, the changes are not applied after a Commit and Push.
Workaround: Perform two more Commit and Push operations to
apply the changes.
|
| CYR-42742 | When a ZTNA Connector application IP pool is a subset of
the subnet being advertised from the data center to Prisma Access
through a service connection, traffic destined to ZTNA Connector FQDNs
are incorrectly routed to the service connection. Workaround:
Configure ZTNA connector application IP pools that do not overlap
with the subnets advertised by the service connection. |
| CYR-42312 | User-ID Across NAT is not supported with
Colo-Connect. |
| CYR-42259 | Explicit Proxy Private App Access does not work when
RFC6598 is enabled. |
| CYR-42244 | If you are requesting a Prisma Access gateway name change
as part of the Business Continuity for Mergers and Acquisitions feature,
the updated FQDN does not display in Strata Cloud Manager or
Panorama. Workaround: Reach out to your Palo Alto
Networks account team, who will open an SRE case to update the FQDN
for the gateway. |
| CYR-42191 | When using Dynamic DNS, the authentication type can be
TSIG or Kerberos. - If you choose a TSIG authentication type, upload a .key file
where the contents of the file can be retrieved from the DNS
server itself in the following format:
"
key "ddns-gp" {
algorithm hmac-sha256;
secret "aBCDeFGhIjKlmnO58SGeW+8odCZHT+SNSabcdZmKP5M=";
};
- If you choose a Kerberos authentication type, upload an auth key
through a .key file that has the base64 encoded string of the
Kerberos key retrieved from the DNS server, for
example:
"
ABCDEFGHIJKLMNOPQRSTUV5WXYZOUy5DT00ADUFabcDluaXN0cmF0b3IAAAABAAAAAAEAEgAg3aBcdE3Fg4IAaQOWMUpzN4hCtNnVcrjbFndYPQVvYVg=
"
|
| CYR-42188 | When using Explicit Proxy Private App Access, DNS over
TCP does not function; however DNS over UDP functions correctly. |
| CYR-42146 |
IP Optimization has the following caveats for IPv6:
- If you have IP Optimization enabled, you cannot configure
IPv6.
- If you have IPv6 enabled, you cannot enable IP Optimization.
Workaround: If you have IP Optimization enabled, make sure
that you have not enabled IPv6 and, if it is enabled, disable it in (in Strata Cloud Manager) or (in Panorama).
|
| CYR-42130 | Colo-Connect routing information does not display in the
Serviceability Commands area. |
| CYR-42018 | If you have IP Optimization enabled, TLS 1.3 support for
GlobalProtect is not supported. Workaround: Use a maximum TLS
version of 1.2. |
| CYR-41990 | IPv6-to-IPv6 or IPv6-to-IPv4 source or destination
traffic does not support the URL filtering actions
Continue and
Override. |
| CYR-41813 | ZTNA Connector onboarding is not supported in the
Switzerland, France, Qatar or Taiwan locations. There is no
workaround. |
| CYR-41228 | If you have IP Optimization enabled, you cannot use the
SP interconnect feature. |
| CYR-41067 | An incorrect Prisma Access version displays in the Prisma
Access Version area of the UI. In Strata Cloud Manager, the version
displays in ; in Panorama Managed Prisma Access, the version displays
in . |
| CYR-40404 |
An FQDN target matching a wildcard might not be discovered for a
connector group if the application is not accessible from some of
the ZTNA connectors in the connector group.
All connectors in a given group should be able to use DNS to resolve
the application and access the application for the application to be
auto-discovered in the group.
Workaround: Associate the application object to the required
connector group from Strata Cloud Manager.
|
| CYR-39795 |
After installation of the Cloud Services plugin, an Explicit Proxy
Kerberos server profile (default_server_profile) is installed by the
__cloud_services user, even though Explicit Proxy is not enabled.
Workaround: Ignore the changes.
|
| CYR-39551 |
If you set up Prisma Access Dynamic DNS with an authentication type
of TSIG, you should upload a .key file for the TSIG key file. The
key file is considered not valid if it has non-ASCII characters in
the content. If you provide a .key file for TSIG authentication with
non-ASCII characters and you click OK, an
error Please upload a file with the .key
extension displays.
Workaround: Provide a valid tsig key file.
|
| CYR-39153 |
When performing an upgrade to a ZTNA Connector Group, there can be
failures intermittently during the upgrade operation. For example,
the upgrade status displays as
partial_success or
failed, even though some of the
affected connectors are later upgraded successfully.
Workaround: Retry the Connector Group upgrade at a later time.
ZTNA Connector rechecks and provides you with the appropriate status
of the Connector Groups.
|
| CYR-39148 | When configuring Colo-Connect, Commit and
Push operations to Colo Connect Device Groups may
intermittently fail. Workaround: Retry the Commit
and Push operation to the Colo-Connect Device
Group. |
| CYR-39028 |
If you are upgrading your ZTNA Connector from 4.1 to a later Prisma
Access version and the ZTNA connector application pools are
configured within the RFC6598 address space (100.64.0.0/16 and
100.65.0.0/16), ZTNA connector traffic may be blocked on the
MU-SPN.
Workaround: Contact your Prisma Access team to update the SaaS
Agent version of all your Prisma Access tenants.
|
| CYR-38619 | Tenants that are onboarded in Switzerland and France
cannot use ZTNA Connector. |
| CYR-38120 | All available locations do not show up in the list view
in the Mobile Users—Explicit Proxy setup page. Workaround: Use
the map view to select the missing locations. |
| CYR-37983 | If you have IPv6 enabled for a Mobile Users—GlobalProtect
user, retrieving the HIP report causes a crash. Workaround: If
the GlobalProtect client is ipv6 enabled, run the HIP report using
the client's IPv6 address. If the GlobalProtect client is IPv4 only,
run the HIP report using the client's ipv4 address. |
| CYR-37923 | After creating a new URL category or security rule or an
EDL, a local Panorama commit is required before using that object in RBI
security rule associations. |
| CYR-37906 |
If, when updating the ports for an existing wildcard object, you put
spaces between the ports, a 500 internal
server error is displayed.
Workaround: Do not put spaces between the ports. For example,
instead of 1-2, 80, 100-300, put
1-2,80,100-300.
|
| CYR-37887 |
If you are using ZTNA Connector as part of the 30-day trial and have
not purchased a license, onboarding might fail with a message that
Something went wrong when you click
the Enable ZTNA Connector button.
Workaround: Refresh the UI to complete the onboarding of the
ZTNA Connector feature.
|
| CYR-37826 |
If two or more ZTNA connector applications have the same FQDN, an
Application Custom rule conflict
message could display in the SD-WAN portal.
Workaround: This message is spurious and can be ignored.
|
| CYR-37797 | The status page asks you for a one-time password (OTP)
after a plugin upgrade. Workaround: Delete the expired license
keys, delete the Panorama certificate, and retrieve the licenses and
verify if the license keys are valid after you retrieve them; then,
generate the OTP to verify. |
| CYR-37755 |
If you configure a Wildcard Target in ZTNA Connector, and if you try
to change the port of an application that was discovered as a result
of that target and was added to the FQDN Target, you receive an
error that the name is too long.
Workaround: While application names can be a maximum of 32
characters long, changing the port number makes the name too long in
the ZTNA Connector infrastructure. If you encounter this error, try
to give the application a shorter name.
|
| CYR-37706 |
When using Explicit Proxy, an excessive amount of threat logs
display.
Workaround: Ignore the threat logs. These logs have no impact
on Explicit Proxy functionality.
|
| CYR-37673 | Clicking the link does not open the page in Prisma Access Cloud Management or Strata Cloud
Manager. |
| CYR-37466 | If you enable Colo-Connect, do not enable Bidirectional
Forwarding Detection (BFD) on your VLAN. |
| CYR-37356 |
If you renew the App Acceleration license after is has expired
(including the grace period for the license), the renewal does not
take effect immediately.
Workaround: Wait approximately one hour after license renewal
before using App Acceleration.
|
| CYR-37290 | When onboarding a ZTNA Connector, you receive a
declaim requested by root error.
Workaround: Delete the connector that had the error
and create a new one. |
| CYR-37227 |
The creation of the IP subnet-based Connector Group sometimes fails
with a group already exists message,
even though the group does not exist.
Workaround: Use another name for the IP subnet-based Connector
Group.
|
| CYR-37208 | When using Prisma Access Clean Pipe, the Network
Details page () does not show Clean Pipe entries. |
| CYR-36749 | ZTNA connector flow logs related to netflow may not be
visible in the Strata Cloud Manager Log Viewer. |
| CYR-34999 | For Panorama Prisma Access tenants, if ZTNA Connectors
are onboarded, the Provision Progress for service connections () is showing provisioning progress for both ZTNA
Connectors and Service Connections. |
| CYR-34720 | GlobalProtect DDNS functionality does not work when using
a Panorama running 10.1.x to manage Prisma Access with the Cloud
Services plugin. |
| CYR-33877 | If, during Explicit Proxy setup, you select
Skip authentication to skip authentication
for an address object, and then later want to enable authentication by
deselecting Skip authentication for that address
object, it can take up to 24 hours for the change to take effect after
you make the change and Commit and Push your
changes. |
| CYR-33471 |
If you enable multi-tenancy, create a new sub tenant, configure
Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device
groups, then configure Colo-Connect subnets and VLANs, and a partial
commit fails with an Unable to retrieve last in-sync
configuration for the device error.
Workaround: Perform a Commit and Push operation when
configuring Colo-Connect for the first time instead of a partial
commit.
|
| CYR-33454 |
If you configure Prisma Access in a in a multi-tenant deployment,
perform a Commit and Push, then configure Colo-Connect, the choice
to Commit and Push your changes is grayed out.
Workaround: Click , then , click Edit Selections and
make sure that Colo-Connect is selected in
the Push Scope; then, retry the commit and
push operation.
|
| CYR-33199 | Current user counts and 90 day user counts are not
correct for Kerberos authenticated users. |
| CYR-33145 |
When a Prisma Access license for any service type expires, any Commit
All operation fails a generic Commit
Failed error message.
Workaround: Make sure that your all your Prisma Access
licenses have not expired before performing commits.
|
| CYR-32687 | EDLs, Address objects of type IP Wildcard
Mask and FQDN, and Dynamic
Address Groups do not work on decryption policies when Agent or Kerberos
authentication is used with Explicit Proxy. Workaround: Use
Address objects of IP Netmask, IP Range, or Address groups in the
decryption policies. |
| CYR-32666 | When importing a previously saved Panorama configuration
that included a Colo-Connect configuration, or reverting from a
previously-saved configuration, you receive errors if the following
conditions are present:- You are loading a Configuration that has Colo-Connect service
connections configured.
- You are loading an empty Prisma Access configuration.
- You revert from a previously-saved configuration, and the
following conditions are present:
- A Colo-Connect configuration (with service connections)
exists on the current configuration and a Colo-Connect
configuration does not exist on the configuration to
which you want to revert.
- A Colo-Connect configuration does not exist on the
current configuration and a Colo-Connect configuration
(with service connections) exists on the configuration
to which you want to revert.
- A Colo-Connect configuration (with service connections)
exists on the current configuration and also exists on
the configuration to which you want to revert.
Workaround: Colo-Connect service connections cannot be
onboarded unless their corresponding VLANs are in an Active state.
Delete any Colo-Connect service connections before exporting or
reverting a Panorama image; then, re-create the Colo-Connect service
connections after importing the new image. |
| CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel
and Proxy mode, user logins will not count toward the number of current
users or the number of users logged in over the past 90 days under
Mobile Users—Explicit Proxy. |
| CYR-32564 |
ZTNA Connector app traffic is detected as a threat and dropped for
Prisma Access Cloud Management if the default URL category is
used.
Workaround: Perform one or more of the following steps as
required:
- Create a custom URL category and add application FQDNs for the
onboarded applications for ZTNA connector.
- If you are using a default profile group, clone a new group and
attach the custom URL category you created in Step 1. If you are
using a custom profile group, attach the custom URL category you
created in step 1.
- Make sure that you attach either the cloned profile group or the
custom profile group (from step 2) to the security policy you
created to allow traffic destined to ZTNA connector
applications.
|
| CYR-32511 | You can configure IPv6 DNS addresses even if IPv6 is
disabled. |
| CYR-32431 |
When configuring Explicit Proxy, when you add Trusted Source Address
values under Authentication Settings, configure other settings, and
then return to the Authentication Settings tab, the trusted source
addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access,
then return to the Authentication Settings tab to see the
addresses.
|
| CYR-32191 |
ZTNA Connector is not supported in multitenant environments.
|
| CYR-32004 |
Due to a limitation in the number of IPSec profiles currently
supported in Prisma Access, when deploying ZTNA Connector you can
onboard a maximum of 100 connector VMs per tenant.
|
| CYR-31603 | ZTNA Connectors with two interfaces are not supported
in a Connector Group enabled for AWS Auto Scale. This is due to an
AWS Auto Scale group limitation that ties both interfaces to the
same subnet. See this article for
details. |
| CYR-31187 | In order to use the Prisma Access Explicit Proxy
Connectivity in GlobalProtect for Always-On Internet Security
functionality, the default PAC file URL does not populate properly
unless you do a commit and push to both Mobile Users—GlobalProtect and
Mobile Users—Explicit Proxy. Workaround: When
you Commit and Push, make sure that you choose both Mobile
Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push
Scope when configuring Prisma Access Explicit Proxy connectivity in
GlobalProtect. |
| CYR-30966 | When all users are removed from a group, CIE does not
sync the empty group to the firewalls. This is expected
behavior. Workaround: Delete empty groups from Firewall
configurations. |
| CYR-30414 | If you have enabled multiple portals in a multitenant
deployment that has only one tenant, and you then disable the multiple
portal functionality on that single tenant, you are able to see both
portals on the UI. Workaround: Open a CLI session on the
Panorama that manages Prisma Access and enter the following
commands, then perform a local commit on the
Panorama: set plugins cloud_services multi-tenant
tenants
<tenant_name>
mobile-users multi-portal-multi-auth
no request plugins cloud_services gpcs
multi-tenant tenant-name
<tenant_name>
multi_portal_on_off |
| CYR-30044 |
Predefined EDLs aren't being populated in the Block Settings list in
a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, perform a
Commit and Push operation, and then go back and update the EDL in
your block Settings.
|
| CYR-29964 |
Attempts to reuse a certificate signing request (CSR) to generate a
certificate results in a "Requested entity already
exists" error.
Workaround: Do not reuse CSRs.
|
| CYR-29933 |
Attempts to use the verdicts:all -X
"DELETE" API call more than one time per hour result
in the {"code" :8, "message" : "Too many
requests" error.
Workaround: Do not use this API call more than one time per
hour.
|
| CYR-29700 |
If you configure multiple GlobalProtect portals in a multitenant
Prisma Access Panorama Managed multitenant deployment, committing
changes on a per-username basis fails with a
"global-protect-portal-8443 should have the value
"GlobalProtect_Portal_8443" but it is [None]"
error.
Workaround: If you have enabled multiple GlobalProtect portals
and have a Prisma Access multi-tenant deployment, perform Commit All
commit operations instead of committing on a per-user basis.
|
| CYR-26112 | If you do not have a Net Interconnect license, all Remote
Networks in a theater are fully meshed, but if you haven't onboarded a
Service Connection in a theater, the Remote Networks cannot be reached
from Remote Networks in other theaters. Workaround: Either
purchase a Net Interconnect license or onboard a service connection
in a theater to have the Remote Networks communicate with other
theaters. |
