Load results after virtual router migration displays the truncated loopback, and the firewall difference will show this difference.

When a URL filtering or tenant restriction profile is configured together with a SaaS Security profile and all are referenced in the same profile group, conflicts may occur. Merging them into a single URL filtering profile can result in a commit failure on the firewall.

Workaround: Remove the SaaS Security profile from the profile group.

In Strata Cloud Manager, the ADNS option appears under the forwarding profile settings within the connectivity object configuration, even though ADNS is not yet supported in the current Prisma Access Agent releases. The option is shown as disabled by default, but since the functionality is not implemented in the agent software, this setting should not be used.

Workaround: Administrators should ignore the ADNS option in Strata Cloud Manager until agent support becomes available in a future release.

When you create a snippet and associate it with a vsys, if the snippet contains an interface variable with a resolved value and you use that variable in a logical router, zone, or NAT policy, the push operation fails.

Workaround: Avoid configuring interface, logical router, or zone settings at the snippet level when the snippet is associated with vsys.

As part of the NGFW migration, you need to choose the Distribution Groups to migrate. However, distribution group named All or ngfw-shared cannot be selcted, as these names are reserved in Strata Cloud Manager for Global and All Firewalls, respectively.

Workaround: Perform the Push Config from Strata Cloud Manager instead of from the wizard.

Local configuration management feature is not currently supported for Device Setup widgets and several other objects. Support for these will be added in a future update.

The dampening profile configuration is not available under Device SettingsRoutingProfilesBGP in Strata Cloud Manager.

On the AI Access Security Use Case page (InsightsAI Access), changing the application tag for a container app does not automatically update the tags for its child apps.

Two discrete applications with the same App-ID are displayed in the list of Applications (ManageConfigurationNGFW & Prisma AccessObjectsApplicationApplications) and Application Filters (ManageConfigurationNGFW & Prisma AccessObjectsApplicationApplications Filters) if the application is available as part of the predefined apps provided with your currently installed dataplane version and delivered from the App-ID Cloud Engine (ACE). The two discrete App-IDs may have different attributes, such as Tags and the Risk Score.

For example, ChatGPT is available as a predefined app and is also delivered from ACE. In this case, you see two entries of ChatGPT when you view your Applications and Application Filters.

Dynamic Privilege Access: Do not use special characters in project names, otherwise Strata Cloud Manager will issue a "Malformed Request" error message when you try to save the project configuration.

On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile UserAccess Agent configuration push will fail without first configuring a project in Strata Cloud Manager.

Workaround: Configure at least one project before you do a push config.

Configure Remote Network TunnelProtocol doesn't support Any as the option for proxy-id- protocol configuration.

When configuring a Security policy rule (ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy), you're able to select address objects created outside of your scope management configuration (ManageConfigurationNGFW and Prisma AccessAccess ControlScope Management).