An issue exists where the Prisma Access Agent might incorrectly remain bound to port 0 when switching between Prisma Access Agent Manager (EPM) configurations with different proxy settings, causing endpoint traffic to Explicit Proxy (EP) to fail.

When the Prisma Access Agent initially connects to an EPM without agent proxy configured, it binds to port 0 after a system restart on the endpoint. If the system subsequently switches to a different EPM that has a proxy port configured, the agent might fail to update its port binding and incorrectly remain bound to port 0. This results in endpoint traffic destined for the Explicit Proxy failing to function properly.

Workaround: To resolve this issue, restart the endpoint, and then run the pacli proxy disable command, followed by the pacli proxy enable command. This forces the agent to properly initialize with the correct proxy port configuration from the new EPM.

An issue exists where the reasoning for blocked non-TCP, non-UDP, and ICMP traffic is not logged in the PACli logs or network manager logs. When Prisma Access Agent forwarding profiles block this type of traffic, administrators cannot view the verdict reasoning or decision details through either the PACli command-line interface or network manager logs, making it difficult to audit and troubleshoot blocked traffic for these protocol types.