Prisma Access Agent 25.7 (Linux) Known Issues

Review the known issues in Prisma Access Agent Linux 25.7.
Prisma Access Agent Linux version 25.7 has the following known issues:
Issue ID
Description
PANG-10022
An issue exists with Prisma Access Agent on Arch Linux ARM where HIP reports are not sent to gateways after successful Prisma Access Agent Manager (endpoint manager) authentication and gateway connection. The agent shows empty HIP status despite active gateway and websocket connections. This occurs because outbound TCP SYN packets are blocked due to missing source application configuration in firewall rules on Arch Linux. The issue can block users if previous HIP reports don't match policy requirements.
Workaround: Add the destination domain (e.g., gpcloudservice.com) to the firewall allow list to resolve the SYN packet blockage and enable proper HIP report transmission.
PANG-10020
An issue exists with Prisma Access Agent for Linux on Arch Linux ARM where the websocket connection to the Prisma Access Agent Manager (or endpoint manager) goes down after authentication, causing HIP and keepalive failures. The agent cannot obtain source application information on this platform, resulting in endpoint manager traffic being incorrectly routed through the tunnel instead of over a direct connection.
Workaround: For single Prisma Access tenant deployments without enforcer mode, administrators must add Prisma Access Agent endpoint manager FQDN rules for both DATA and DNS traffic to go via DIRECT in the forwarding profiles. In enforcer scenarios where users switch between tenants, administrators need to configure DATA and DNS destination rules for all essential domains to go via DIRECT:
  • *.epm.gpcloudservice.com (endpoint manager domain)
  • *.gw.gpcloudservice.com (gateway domain)
PANG-9990
An issue exists with Prisma Access Agent for Linux where SSH incoming connections do not work. When attempting to SSH into an endpoint that has the Prisma Access Agent installed, the connection fails. This prevents remote SSH access to devices running the agent, blocking workflows that rely on SSH connectivity.
PANG-9870
An issue exists with Prisma Access Agent for Linux where application filtering does not work on Arch Linux ARM due to eBPF failing to load. Traffic steering according to forwarding profiles fails when the tunnel is disconnected, causing traffic to hit default rules instead of configured policies.
PANG-9351
An issue exists with Prisma Access Agent for Linux where root users can delete nftables rules, resulting in all traffic bypassing the network filtering module.
PANG-9349
PANG-9331
Prisma Access Agent for Linux does not currently support Docker traffic for system updates or package installations within containers. When you run Docker containers on a Linux device with Prisma Access Agent active, all outgoing traffic from Docker is routed through the secure tunnel by default, which causes system updates and package installations to fail within the container environment.
Workaround: For agents running in on-demand mode, temporarily disconnect the Prisma Access Agent tunnel to perform container updates or install packages, then reconnect the tunnel after completing these operations.
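
For PANG-9351, one way to detect that filtering rules have been removed is to compare the live nftables ruleset against a baseline captured while the agent was healthy. The following is an added example, not Palo Alto Networks code; the table name `example_agent_filter` and the sample rulesets are constructed placeholders, since this page does not name the agent's tables.

```python
import json
import subprocess

TABLE = "example_agent_filter"  # placeholder; the page does not name the agent's table

def _obj(kind, **fields):
    return {kind: dict(family="inet", **fields)}

# Constructed baseline in the shape of `nft -j list ruleset` output (healthy state).
BASELINE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    _obj("table", name=TABLE, handle=1),
    _obj("chain", table=TABLE, name="output", handle=1,
         type="filter", hook="output", prio=0, policy="accept"),
    _obj("rule", table=TABLE, chain="output", handle=2,
         expr=[{"counter": {"packets": 10, "bytes": 800}}, {"accept": None}]),
]})
# Constructed "after" state: the table and everything in it has been deleted.
FLUSHED = json.dumps({"nftables": [{"metainfo": {"json_schema_version": 1}}]})

def inventory(ruleset_json):
    """Return hashable keys for every table, chain and rule; index 2 is the table name."""
    keys = set()
    for obj in json.loads(ruleset_json).get("nftables", []):
        if "table" in obj:
            t = obj["table"]
            keys.add(("table", t["family"], t["name"]))
        elif "chain" in obj:
            c = obj["chain"]
            keys.add(("chain", c["family"], c["table"], c["name"],
                      c.get("hook") or "", c.get("policy") or ""))
        elif "rule" in obj:
            r = obj["rule"]
            # Ignore packet/byte counters so normal traffic is not reported as drift.
            expr = [e for e in r.get("expr", []) if "counter" not in e]
            keys.add(("rule", r["family"], r["table"], r["chain"],
                      json.dumps(expr, sort_keys=True)))
    return keys

def missing_objects(baseline_json, current_json, table_name):
    """List baseline objects belonging to table_name that are absent now."""
    gone = inventory(baseline_json) - inventory(current_json)
    return sorted(k for k in gone if k[2] == table_name)

def live_ruleset():
    """Read the running ruleset; needs root and the nft binary."""
    return subprocess.run(["nft", "-j", "list", "ruleset"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    for item in missing_objects(BASELINE, FLUSHED, TABLE):
        print("MISSING:", item[0], item[1:])
```

On an endpoint, pass `live_ruleset()` as the current ruleset and alert on any non-empty result.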