| AIOPS-11286 |
When you have Colo-Connect enabled, cross-connects and
connections-related information may not be up to date on subtenants
in a multitenant environment.
|
| CYR-61950 | When activating the license on Panorama in a multitenant
deployment, the option to enable Autonomous DEM is not available.
|
| CYR-59509 | After upgrading the Cloud Services plugin from 5.1 to 5.2
or later, the previously configured Roles were not applied to the
configuration, even though the configuration appears in the Panorama UI.
As a result, the administrator cannot view the Cloud Services tab in
Panorama. Workaround: Go to , Disable and Enable the Plugins choice in
the Plugins tab, and Push your changes to Panorama. |
| CYR-59494 | The list of Remote Networks on the Remote Networks status
page always displays a count of 0 items. Workaround: Ignore the
total number of items that display. The Remote Network details
display correctly on the Status page, only the number of items is
incorrect. |
| CYR-56688 |
If you delete Internal Host Detection in the Default agent settings (), the Internal Host Detection settings are not
removed from the configuration in the Cloud Services plugin (), causing the Internal Host Detection settings to
reappear in the Default agent settings.
Workaround: Either remove the Internal host detection from the
Cloud Services plugin configuration, or rename the Default agent
settings.
|
| CYR-55477 | If you have a site-based license for remote networks, the
Status page in Panorama () incorrectly shows the allocated and available Remote
Network bandwidth as 0. |
| CYR-54556 |
When using explicit proxy nodes, you must configure at least one
domain under in Strata Cloud Manager. Failing to do so results in
a commit failure.
|
| CYR-54543 | Panorama Plugin-based GlobalProtect logout fails when
there is a special character in the username or computer name. |
| CYR-55402 | The Global Portal Config for Internal Host Detection will
overwrite the Internal Host Detection in the Portal Agent Config. But,
if there are multiple agent configs, it will overwrite the very first
config in the list, not DEFAULT. It depends on which config is at the
top of the list. |
| CYR-54002 |
Geo-location is not functional for IPv6 only deployments.
Workaround: Implement a dual stack deployment. IPv6 native
deployments determine their location by latency probes, which may
result in incorrect portal selection and incorrect language
selection.
|
| CYR-54342 | In , the time stamp for Bandwidth is
incorrect. |
| CYR-52409 |
When you have an existing deployment and upgrade to IP Optimization,
and if you have configured an Automatic Restoration of VPN
Connection Timeout value in the GlobalProtect portal of
greater than 30 minutes, a commit validation error is seen after the
upgrade to Prisma Access 6.0.
Workaround: Revert your commit, change Automatic
Restoration of VPN Connection Timeout to a value lower than
30 minutes, and redo the Commit and Push operation.
|
| CYR-52287 |
Panorama incorrectly allows users to configure QoS profiles with
Egress Guaranteed values exceeding Egress Max values. This is an
invalid configuration.
Workaround: Configure an Egress Guaranteed value that is not
greater than the Egress Max value.
|
| CYR-52286 | When onboarding a remote network using a site-based
license, Panorama incorrectly allows you to create Remote Networks
without attaching a QoS Profile. However, when you perform a commit
operation, the commit fails with the error Failed to
process Remote Network configuration (NETP_ERROR-200, details:).
Please try again.
Workaround: When configuring a site-based remote network,
attach a QoS profile to the remote network. |
| CYR-52233 |
When you set up secure inbound access for remote networks, a
Bandwidth field displays with fields for
site-based licenses, even though your deployment uses aggregate
bandwidth.
Workaround: Select the bandwidth for the compute location to
which the location corresponds.
|
| CYR-51257 | Strata Logging Service logs related to ZTNA Connector
might not be seen in the Strata Cloud Manager log viewer for FedRAMP
deployments. |
| CYR-51157 | Secure Inbound Access is not supported with Remote
Networks—High Performance deployments. |
| CYR-51156 | BGP MRAI values are not applied to Remote Networks—High
Performance deployments. |
| CYR-51029 | IPv6 information is absent in the Panorama ( page) and Strata Cloud Manager pages if the config
service is enabled on the tenant. |
| CYR-50900 |
If you select a Mobile Users configuration item and you don't have a
Mobile Users license, you might receive an error upon commit.
Workaround: Do not select a Mobile Users configuration item if
you don't have a Mobile Users license.
|
| CYR-50870 | When attempting to onboard a large number of ZTNA
connector applications (more than 500), the application might not be
onboarded and a 502 Server Error: Bad Gateway for
url error might be encountered. Workaround:
Attempt to re-onboard the application that failed. |
| CYR-49865 | In Mobile Users—GlobalProtect setup with IPv6 enabled,
when a GlobalProtect client with only an IPv4 address connects to an
IPv6-enabled gateway, edge localization is not working when users try to
connect to an edge location. This behavior affects both existing
deployments that have IP Optimization enabled and deployments that don't
have IP Optimization enabled. |
| CYR-49816 |
The username in XAU within the Connect request
won't be normalized to reflect the primary attribute in the
directory setting. Instead, it will be the base64 encoded username
carried in the authentication JWT token within the request.
|
| CYR-49758 |
If the request includes a valid JWT token, the parsed username in the
JWT will be used instead of the special authentication bypass
username inserted by explicit proxy.
|
| CYR-49265 | When using Traffic replication, statistics do not display
for deployments in the France North region. Workaround: To enable traffic
replication for the France North region deployment, select the check
box "Europe Northwest (Paris)" under the traffic replication tab and not
France North. |
| CYR-48823 |
Double decryption isn't supported. Therefore, when sending a CONNECT
request over an SSL tunnel, inserting headers in the underlying
actual request isn't supported.
|
| CYR-48331 | Mobile Users—GlobalProtect users cannot perform an Auto
or Transparent upgrade because a security policy is blocking the
upgrade. Workaround: Create a Custom URL category for
the URL pan-gp-client.s3.dualstack.us-west-2.amazonaws.com and allow
traffic from the URL in the rule. You can also allow only the
download for *.pkg and *.msi files for greater granularity in the
rule. |
| CYR-47807 |
After creating filter rules, if you try to assign them to a filter
group without selecting OK on the main BGP
Filtering widget, the filter rules will not appear in the dropdown
selection.
Workaround:
- Create one or more BGP Filters.
- Click OK on the BGP Filtering
widget.
- Reopen the BGP Filtering widget using the gear icon.
Then the BGP Filters display during BGP Filter Group creation.
|
| CYR-47616 | Increasing the subnet mask on an existing mobile user IP
address pool (for example, if you change 10.6.0.0/18 to 10.6.0.0/17), or
changing the region of an existing IP address pool, can cause issues for
existing connected users. Workaround: Perform one or more of
the following actions:
- Have the GlobalProtect mobile user refresh their connection.
Any changes to the GlobalProtect IP address pool scope
(increasing the existing pool or using a completely
different pool) would cause issues to the existing connected
users, which can only be resolved after a successful
GlobalProtect refresh where the app acquires the IP address
from the newly allocated pool.
- Add another address block to the mobile users IP address pool
instead of changing the subnet in the existing pool. For
example, instead of changing a subnet in the pool from /18
to /17, consider adding another /18 address to the existing
pool and leave the existing pool intact.
|
| CYR-47139 |
ZTNA Connectors are disabled in a ZTNA Connector - Explicit Proxy
integration if ZTNA Connector application blocks or connector blocks
are configured with RFC6598 addresses that conflict with Explicit
Proxy addresses.
Workaround: If you have integrated ZTNA Connector with
Explicit Proxy, do not use the "100.64.0.0/15", "100.72.0.0/15", or
"100.88.0.0/15" subnets for:
- ZTNA Connector Application Blocks
- ZTNA Connector Connector Blocks
- IP subnets configured in ZTNA Connector that you have associated
with applications
|
| CYR-47038 |
HTTP header insertion on Remote Networks is not supported when using
Proxy Mode on Remote Networks and Source IP based
visibility and enforcement is enabled.
Workaround: Use HTTP header insertion on explicit proxy
nodes.
|
| CYR-46759 | UDP Settings for DNS Queries are not honored in Explicit
Proxy. |
| CYR-46627 | Explicit Proxy is not supported if Accept
Default Route over Service Connection is
enabled. |
| CYR-46445 |
A transient error related to port 6081 that was processed on a NAT
device caused the ZTNA Connector to go down.
Workaround: When ZTNA Connector traffic is passing through a
NAT device, make sure the NAT session is not mapped to port
6081.
|
| CYR-46349 | When using Remote Networks with Explicit Proxy with
Traffic Steering in China, do not configure traffic steering rules with
URL Category. |
| CYR-46191 |
If the Explicit Proxy is configured with Private Application Access
enabled and ZTNA Connector is added to the configuration, another
commit from Panorama or Strata Cloud Manager might be required.
Workaround: Make a small modification to the Explicit Proxy
configuration on the Panorama or Strata Cloud Manager that manages
Prisma Access and Push your changes.
|
| CYR-46145 |
When the Prisma Access autonomous system number or Prisma Access
infra subnet is updated for an existing Prisma Access tenant, where
ZTNA Connector and corresponding applications are onboarded, there
will be an outage of around 5 minutes after the update.
|
| CYR-46093 | If your deployment has implemented the functionality to
support up to 25,000 remote networks and 50,000 IKE gateways, aggregate
bandwidth usage statistics display No data for the
specified time period instead of the usage
statistics. |
| CYR-45855 | You cannot change the Infrastructure Subnet or the BGP AS
number for Remote Networks—High Performance deployments. |
| CYR-45415 | Administrators with read-only or disabled access to the
Cloud Services plugin can modify the configuration outside of the cloud
services plugin that affects cloud-services behavior, such as templates,
device-groups, removing Cloud Services configuration, uninstalling the
cloud-services plugin, and loading configuration files. |
| CYR-44202 | Administrative users with read-only access to the Cloud
Services plugin are able to modify the RBI tab. |
| CYR-43425 | You cannot specify Outbound Routes for the
Service for service connections if those service
connections use RFC 6598 addresses. |
| CYR-43147 | For autoscaled ZTNA connectors, during scale-in, existing
long-lived sessions handled by the ZTNA connector that is marked for
scale-in may be dropped prematurely. New traffic sessions after
scale-in should not be affected. |
| CYR-43132 | During sub-tenant creation on Panorama, you cannot
configure units for Remote Networks if the Mobile Users configuration is
left blank, and vice versa. |
| CYR-42312 | User-ID Across NAT is not supported with
Colo-Connect. |
| CYR-42259 | Explicit Proxy Private App Access does not work when
RFC6598 is enabled. |
| CYR-42244 | If you are requesting a Prisma Access gateway name change
as part of the Business Continuity for Mergers and Acquisitions feature,
the updated FQDN does not display in Strata Cloud Manager or
Panorama. Workaround: Reach out to your Palo Alto
Networks account team, who will open an SRE case to update the FQDN
for the gateway. |
| CYR-42188 | When using Explicit Proxy Private App Access, DNS over
TCP does not function; however DNS over UDP functions correctly. |
| CYR-42130 | Colo-Connect routing information does not display in the
Serviceability Commands area. |
| CYR-42018 | If you have IP Optimization enabled, TLS 1.3 support for
GlobalProtect is not supported. Workaround: Use a maximum TLS
version of 1.2. |
| CYR-41990 | IPv6-to-IPv6 or IPv6-to-IPv4 source or destination
traffic does not support the URL filtering actions
Continue and
Override. |
| CYR-41228 | If you have IP Optimization enabled, you cannot use the
SP interconnect feature. |
| CYR-41067 | An incorrect Prisma Access version displays in the Prisma
Access Version area of the UI. In Strata Cloud Manager, the version
displays in ; in Panorama Managed Prisma Access, the version displays
in . |
| CYR-40404 |
An FQDN target matching a wildcard might not be discovered for a
connector group if the application is not accessible from some of
the ZTNA connectors in the connector group.
All connectors in a given group should be able to use DNS to resolve
the application and access the application for the application to be
auto-discovered in the group.
Workaround: Associate the application object to the required
connector group from Strata Cloud Manager.
|
| CYR-39795 |
After installation of the Cloud Services plugin, an Explicit Proxy
Kerberos server profile (default_server_profile) is installed by the
__cloud_services user, even though Explicit Proxy is not enabled.
Workaround: Ignore the changes.
|
| CYR-39551 |
If you set up Prisma Access Dynamic DNS with an authentication type
of TSIG, you should upload a .key file for the TSIG key file. The
key file is considered not valid if it has non-ASCII characters in
the content. If you provide a .key file for TSIG authentication with
non-ASCII characters and you click OK, an
error Please upload a file with the .key
extension displays.
Workaround: Provide a valid tsig key file.
|
| CYR-39153 |
When performing an upgrade to a ZTNA Connector Group, there can be
failures intermittently during the upgrade operation. For example,
the upgrade status displays as
partial_success or
failed, even though some of the
affected connectors are later upgraded successfully.
Workaround: Retry the Connector Group upgrade at a later time.
ZTNA Connector rechecks and provides you with the appropriate status
of the Connector Groups.
|
| CYR-39148 | When configuring Colo-Connect, Commit and
Push operations to Colo Connect Device Groups may
intermittently fail. Workaround: Retry the Commit
and Push operation to the Colo-Connect Device
Group. |
| CYR-39028 |
If you are upgrading your ZTNA Connector from 4.1 to a later Prisma
Access version and the ZTNA connector application pools are
configured within the RFC6598 address space (100.64.0.0/16 and
100.65.0.0/16), ZTNA connector traffic may be blocked on the
MU-SPN.
Workaround: Contact your Prisma Access team to update the SaaS
Agent version of all your Prisma Access tenants.
|
| CYR-38619 | Tenants that are onboarded in Switzerland and France
cannot use ZTNA Connector. |
| CYR-38120 | All available locations do not show up in the list view
in the Mobile Users—Explicit Proxy setup page. Workaround: Use
the map view to select the missing locations. |
| CYR-37983 | If you have IPv6 enabled for a Mobile Users—GlobalProtect
user, retrieving the HIP report causes a crash. Workaround: If
the GlobalProtect client is IPv6 enabled, run the HIP report using
the client's IPv6 address. If the GlobalProtect client is IPv4 only,
run the HIP report using the client's IPv4 address. |
| CYR-37923 | After creating a new URL category or security rule or an
EDL, a local Panorama commit is required before using that object in RBI
security rule associations. |
| CYR-37906 |
If, when updating the ports for an existing wildcard object, you put
spaces between the ports, a 500 internal
server error is displayed.
Workaround: Do not put spaces between the ports. For example,
instead of 1-2, 80, 100-300, put
1-2,80,100-300.
|
| CYR-37887 |
If you are using ZTNA Connector as part of the 30-day trial and have
not purchased a license, onboarding might fail with a message that
Something went wrong when you click
the Enable ZTNA Connector button.
Workaround: Refresh the UI to complete the onboarding of the
ZTNA Connector feature.
|
| CYR-37826 |
If two or more ZTNA connector applications have the same FQDN, an
Application Custom rule conflict
message could display in the SD-WAN portal.
Workaround: This message is spurious and can be ignored.
|
| CYR-37797 | The status page asks you for a one-time password (OTP)
after a plugin upgrade. Workaround: Delete the expired license
keys, delete the Panorama certificate, and retrieve the licenses and
verify if the license keys are valid after you retrieve them; then,
generate the OTP to verify. |
| CYR-37755 |
If you configure a Wildcard Target in ZTNA Connector, and if you try
to change the port of an application that was discovered as a result
of that target and was added to the FQDN Target, you receive an
error that the name is too long.
Workaround: While application names can be a maximum of 32
characters long, changing the port number makes the name too long in
the ZTNA Connector infrastructure. If you encounter this error, try
to give the application a shorter name.
|
| CYR-37706 |
When using Explicit Proxy, an excessive amount of threat logs
display.
Workaround: Ignore the threat logs. These logs have no impact
on Explicit Proxy functionality.
|
| CYR-37673 | Clicking the link does not open the page in Prisma Access Cloud Management or Strata Cloud
Manager. |
| CYR-37466 | If you enable Colo-Connect, do not enable Bidirectional
Forwarding Detection (BFD) on your VLAN. |
| CYR-37356 |
If you renew the App Acceleration license after it has expired
(including the grace period for the license), the renewal does not
take effect immediately.
Workaround: Wait approximately one hour after license renewal
before using App Acceleration.
|
| CYR-37290 | When onboarding a ZTNA Connector, you receive a
declaim requested by root error.
Workaround: Delete the connector that had the error
and create a new one. |
| CYR-37227 |
The creation of the IP subnet-based Connector Group sometimes fails
with a group already exists message,
even though the group does not exist.
Workaround: Use another name for the IP subnet-based Connector
Group.
|
| CYR-37208 | When using Prisma Access Clean Pipe, the Network
Details page () does not show Clean Pipe entries. |
| CYR-36749 | ZTNA connector flow logs related to netflow may not be
visible in the Strata Cloud Manager Log Viewer. |
| CYR-34999 | For Panorama Prisma Access tenants, if ZTNA Connectors
are onboarded, the Provision Progress for service connections () is showing provisioning progress for both ZTNA
Connectors and Service Connections. |
| CYR-34720 | GlobalProtect DDNS functionality does not work when using
a Panorama running 10.1.x to manage Prisma Access with the Cloud
Services plugin. |
| CYR-33877 | If, during Explicit Proxy setup, you select
Skip authentication to skip authentication
for an address object, and then later want to enable authentication by
deselecting Skip authentication for that address
object, it can take up to 24 hours for the change to take effect after
you make the change and Commit and Push your
changes. |
| CYR-33471 |
If you enable multi-tenancy, create a new sub tenant, configure
Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device
groups, and then configure Colo-Connect subnets and VLANs, a partial
commit fails with an Unable to retrieve last in-sync
configuration for the device error.
Workaround: Perform a Commit and Push operation when
configuring Colo-Connect for the first time instead of a partial
commit.
|
| CYR-33454 |
If you configure Prisma Access in a multi-tenant deployment,
perform a Commit and Push, and then configure Colo-Connect, the choice
to Commit and Push your changes is grayed out.
Workaround: Click , then , click Edit Selections and
make sure that Colo-Connect is selected in
the Push Scope; then, retry the commit and
push operation.
|
| CYR-33199 | Current user counts and 90-day user counts are not
correct for Kerberos authenticated users. |
| CYR-33145 |
When a Prisma Access license for any service type expires, any Commit
All operation fails with a generic Commit
Failed error message.
Workaround: Make sure that all your Prisma Access
licenses have not expired before performing commits.
|
| CYR-32687 | EDLs, Address objects of type IP Wildcard
Mask and FQDN, and Dynamic
Address Groups do not work on decryption policies when Agent or Kerberos
authentication is used with Explicit Proxy. Workaround: Use
Address objects of IP Netmask, IP Range, or Address groups in the
decryption policies. |
| CYR-32666 | When importing a previously saved Panorama configuration
that included a Colo-Connect configuration, or reverting from a
previously-saved configuration, you receive errors if the following
conditions are present:
- You are loading a Configuration that has Colo-Connect service
connections configured.
- You are loading an empty Prisma Access configuration.
- You revert from a previously-saved configuration, and the
following conditions are present:
- A Colo-Connect configuration (with service connections)
exists on the current configuration and a Colo-Connect
configuration does not exist on the configuration to
which you want to revert.
- A Colo-Connect configuration does not exist on the
current configuration and a Colo-Connect configuration
(with service connections) exists on the configuration
to which you want to revert.
- A Colo-Connect configuration (with service connections)
exists on the current configuration and also exists on
the configuration to which you want to revert.
Workaround: Colo-Connect service connections cannot be
onboarded unless their corresponding VLANs are in an Active state.
Delete any Colo-Connect service connections before exporting or
reverting a Panorama image; then, re-create the Colo-Connect service
connections after importing the new image. |
| CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel
and Proxy mode, user logins will not count toward the number of current
users or the number of users logged in over the past 90 days under
Mobile Users—Explicit Proxy. |
| CYR-32564 |
ZTNA Connector app traffic is detected as a threat and dropped for
Prisma Access Cloud Management if the default URL category is
used.
Workaround: Perform one or more of the following steps as
required:
- Create a custom URL category and add application FQDNs for the
onboarded applications for ZTNA connector.
- If you are using a default profile group, clone a new group and
attach the custom URL category you created in Step 1. If you are
using a custom profile group, attach the custom URL category you
created in step 1.
- Make sure that you attach either the cloned profile group or the
custom profile group (from step 2) to the security policy you
created to allow traffic destined to ZTNA connector
applications.
|
| CYR-32511 | You can configure IPv6 DNS addresses even if IPv6 is
disabled. |
| CYR-32431 |
When configuring Explicit Proxy, when you add Trusted Source Address
values under Authentication Settings, configure other settings, and
then return to the Authentication Settings tab, the trusted source
addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access,
then return to the Authentication Settings tab to see the
addresses.
|
| CYR-31603 | ZTNA Connectors with two interfaces are not supported
in a Connector Group enabled for AWS Auto Scale. This is due to an
AWS Auto Scale group limitation that ties both interfaces to the
same subnet. See this article for
details. Workaround: ZTNA Connectors with two interfaces
are supported in Connector Groups that are not enabled for AWS Auto
Scale. Ensure that all ZTNA Connectors with two interfaces are contained
in a Connector Group that is not enabled for AWS Auto Scale. |
| CYR-31187 | In order to use the Prisma Access Explicit Proxy
Connectivity in GlobalProtect for Always-On Internet Security
functionality, the default PAC file URL does not populate properly
unless you do a commit and push to both Mobile Users—GlobalProtect and
Mobile Users—Explicit Proxy. Workaround: When
you Commit and Push, make sure that you choose both Mobile
Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push
Scope when configuring Prisma Access Explicit Proxy connectivity in
GlobalProtect. |
| CYR-30966 | When all users are removed from a group, CIE does not
sync the empty group to the firewalls. This is expected
behavior. Workaround: Delete empty groups from Firewall
configurations. |
| CYR-30414 | If you have enabled multiple portals in a multitenant
deployment that has only one tenant, and you then disable the multiple
portal functionality on that single tenant, you are able to see both
portals on the UI. Workaround: Open a CLI session on the
Panorama that manages Prisma Access and enter the following
commands, then perform a local commit on the
Panorama:
set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no
request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off |
| CYR-30044 |
Predefined EDLs aren't being populated in the Block Settings list in
a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, perform a
Commit and Push operation, and then go back and update the EDL in
your block Settings.
|
| CYR-29964 |
Attempts to reuse a certificate signing request (CSR) to generate a
certificate results in a "Requested entity already
exists" error.
Workaround: Do not reuse CSRs.
|
| CYR-29933 |
Attempts to use the verdicts:all -X
"DELETE" API call more than one time per hour result
in the {"code" :8, "message" : "Too many
requests" error.
Workaround: Do not use this API call more than one time per
hour.
|
| CYR-29700 |
If you configure multiple GlobalProtect portals in a multitenant
Prisma Access Panorama Managed deployment, committing
changes on a per-username basis fails with a
"global-protect-portal-8443 should have the value
"GlobalProtect_Portal_8443" but it is [None]"
error.
Workaround: If you have enabled multiple GlobalProtect portals
and have a Prisma Access multi-tenant deployment, perform Commit All
commit operations instead of committing on a per-user basis.
|
| CYR-26112 | If you do not have a Net Interconnect license, all Remote
Networks in a theater are fully meshed, but if you haven't onboarded a
Service Connection in a theater, the Remote Networks cannot be reached
from Remote Networks in other theaters. Workaround: Either
purchase a Net Interconnect license or onboard a service connection
in a theater to have the Remote Networks communicate with other
theaters. |
|
ZY-6093
|
For specific applications involving developer code (such as code AI
or similar), the Private App Security OWASP best practices policy
might get hits that are triggered by the nature of the app (for
example, code snippets detected in the app requests could be
interpreted as injection attempts). For such scenarios, we recommend
cloning the OWASP Best Practices policy, setting the clone to Preview
mode, analyzing the alerts, and defining proper exceptions to eliminate
such false positives.
|
|
ZY-5969
|
Private App Security rules inspect HTTP request data to identify
threats. When a rule flags a hit that proves to be a false
positive (for example, when securing a coding app), it's crucial to apply
the correct exclusion to prevent further false positives. WAF rules
primarily inspect two main variables that include cookie data:
- REQUEST_HEADERS—Rules that use this variable inspect all request
headers as a whole, which inherently includes any cookie header.
- REQUEST_COOKIES—Some rules specifically inspect the Cookie
header content by itself. In this case, the WAF log
explicitly states that a REQUEST_COOKIE (or a similar cookie
variable) matched.
To help create a proper exception for a false positive, Private App
Security provides a field called "exclusionConfiguration" and
applies the exclusion to the precise variable that triggered the
match.
|
|
ZY-5589
|
Due to the nature of distributed systems, this change introduces a
small, expected delay of up to a few seconds in how rate limits are
applied across all locations.
The configured time window for global rate limits (for example, 60
requests per 60 seconds) may now have a slight differential,
typically up to a few seconds. For example, a 60-second limit might
take up to 63 seconds to reset fully. This is a result of the
necessary propagation delay, as data is aggregated from various data
centers to our central service for processing. This approach is
essential for maintaining the robustness and scalability of our
platform.
This change is part of an ongoing effort to enhance the stability and
performance of our services. The slight timing differential is an
expected trade-off for a more reliable and scalable rate-limiting
system.
|
|
ZY-2603
|
Private App Security only inspects traffic destined to the private
application accessed through GlobalProtect or Prisma Access Agent
and remote networks connected over IPsec tunnels.
|
|
ZY-2151
|
Threats—Non-SNI and mTLS traffic can be used to bypass the app
security traffic inspection flow. An attacker could leverage this to
bypass security controls by crafting requests using these protocols.
This creates a significant security gap, as malicious traffic using
these protocols would not be inspected or blocked by the WAF or
other Private App Security components.
Countermeasures—To mitigate the security risk of bypassing
Private App Security for non-SNI and mTLS traffic:
- Enforce SNI and Inspect mTLS Traffic—Configure a reverse
proxy or load balancer to enforce SNI for all incoming HTTPS
connections. For mTLS traffic, terminate the mTLS connection
at the proxy/load balancer and then re-encrypt the traffic
with a separate certificate for inspection by the Private
App Security infrastructure.
  - Deploy a reverse proxy or load balancer capable of
SNI enforcement and mTLS termination.
  - Configure the proxy/load balancer to reject
connections without SNI.
  - For mTLS, configure the proxy/load balancer to act
as the server for the initial mTLS handshake.
Validate the client certificate and then establish a
new TLS connection to the back-end server using a
certificate trusted by the Private App Security
infrastructure.
  - Integrate the proxy/load balancer with the Private
App Security components (such as WAF) to ensure all
decrypted traffic is inspected.
|
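The following nginx configuration is an added example of the countermeasures listed for ZY-2151 (reject handshakes without SNI, terminate and validate mTLS at the proxy, then re-encrypt to the back end with a separate identity); it is not configuration from the release notes or from Palo Alto Networks, and the host name, file paths and back-end address are assumed placeholders.

```nginx
# Added example, not from the release notes. Host name, paths and the
# upstream address below are assumed placeholders.

# 1. Reject any TLS handshake that carries no SNI or an unknown name.
#    ssl_reject_handshake aborts the handshake instead of serving a default
#    certificate, so a non-SNI client cannot reach any back end through
#    this listener and the inspection path is not bypassed.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# 2. Terminate mTLS for the private app, validate the client certificate,
#    then open a fresh TLS session to the back end using a certificate the
#    inspection infrastructure trusts, so the decrypted request is inspectable.
server {
    listen 443 ssl;
    server_name app.internal.example;            # assumed host name

    ssl_certificate     /etc/nginx/tls/app.crt;  # assumed server identity
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Client-certificate validation for the initial mTLS handshake.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;  # assumed CA bundle
    ssl_verify_client on;
    ssl_verify_depth  2;

    location / {
        # Re-encrypt toward the back end with a separate proxy identity.
        proxy_pass https://10.0.10.20:8443;       # assumed back-end address
        proxy_ssl_server_name on;
        proxy_ssl_name app.internal.example;
        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;
        proxy_ssl_verify on;

        # Pass the validated client identity downstream so inspection and
        # logging components can attribute the request.
        proxy_set_header Host             $host;
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Verify  $ssl_client_verify;
    }
}
```

With this layout, only connections that present a matching SNI reach the second server block, and every request that arrives at the back end has already been decrypted and re-encrypted at the proxy.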
|
ZY-1166
|
When you update the expired CA certificate in Strata Cloud Manager,
it can take up to 90 minutes for the change to fully reach the
dataplane. Make sure to plan ahead and replace certificates well
before they expire, keeping this propagation time in mind.
|