Prisma Access Known Issues

Known Issues

Prisma Access has the following known issues.
To use ZTNA Connector on a Panorama Managed Prisma Access tenant you must file a support ticket to get the feature enabled. The feature is enabled by default on Cloud Managed Prisma Access tenants that have been upgraded to Prisma Access 4.0.
If you use RFC 6598 (shared address space, 100.64.0.0/10) addresses in your environment and want to set up ZTNA Connector on a Cloud Managed Prisma Access tenant, you must file a support ticket to enable the functionality that lets you define the IP pools reserved for Prisma Access; those pools are required for connectivity to your connector VMs and your apps.
Current user counts and 90-day user counts are incorrect for Kerberos-authenticated users.
To use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature, you must onboard at least one mobile user gateway.
On macOS endpoints running Safari and connected to Prisma Access in Tunnel and Proxy mode or proxy mode, browsing through explicit proxy is slow.
Remove any references to
in your PAC file.
ZTNA Connector can fail to retrieve the correct DNS configuration, which causes ZTNA Connector traffic to fail, under the following conditions:
  • When the first application is onboarded in ZTNA Connector
  • When all applications are removed (deboarded) from ZTNA Connector
Workaround: Refresh the GlobalProtect connection to get the correct DNS server configuration. If all applications for a tenant go down, refresh the GlobalProtect connection again once some or all of the ZTNA Connector applications are back up.
ZTNA Connector app traffic is detected as a threat and dropped in Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
  1. Create a custom URL category and add the application FQDNs of the applications onboarded in ZTNA Connector.
  2. If you are using a default profile group, clone a new group and attach the custom URL category you created in Step 1. If you are using a custom profile group, attach the custom URL category you created in Step 1 to it.
  3. Make sure that you attach either the cloned profile group or the custom profile group (from Step 2) to the security policy you created to allow traffic destined for ZTNA Connector applications.
If you deploy a mobile users location in a compute location that already has a location deployed, you might receive only one public IP address for the newly deployed location instead of two.
Workaround: Enable the IP Allow Listing feature to receive more than one IP address.
You can configure IPv6 DNS addresses even if IPv6 is disabled.
ZTNA Connector is not supported in multitenant environments.
In Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector will not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) has been up without interruption for the last 24 hours. The Connector Availability graph shows up only if the tunnel has gone down at least once within the last 24 hours.
When using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI
icon are not functional.
When using Dynamic DNS (DDNS) registration with Cloud Services plugin 3.2, nsupdate commands do not work as expected, which causes issues with DDNS update queries.
Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.
Only one Panorama HA pair can be associated with a CDL instance.
ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.
In mobile user deployments for GlobalProtect in Tunnel and Proxy mode or Proxy mode, the commit fails if you don't attach either a SAML or Kerberos authentication profile in your Explicit Proxy configuration, even if you enable Use GlobalProtect Agent to Authenticate.
When you configure Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security, the default PAC file URL does not populate correctly unless you commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: Make sure you Commit and Push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.
In some cases, attempts to retrieve aggregate bandwidth statistics time out.
Workaround: Try again, or go to Prisma Access Insights to view the aggregate bandwidth statistics.
Renaming an authentication profile immediately after creating it creates a second authentication profile instead of renaming the first.
Workaround: Do not make changes to a profile immediately after creating it.
Predefined EDLs are not populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, do a Commit and Push, and then go back and update the EDL in your Block Settings.
Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs. Generate a new key pair and a new CSR for every certificate request.
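As an added example (not part of the original page or of any Palo Alto Networks tooling), the following Python helper generates a fresh private key and CSR for each request by calling the `openssl` CLI, and keeps a client-side ledger of CSR fingerprints so that an accidental resubmission of the same CSR is caught before it reaches the service. The common name `gp.example.com`, the file naming, and the ledger itself are assumptions for illustration; a fresh key per CSR also avoids sharing one private key across certificates.

```python
import hashlib
import subprocess
import tempfile
import uuid
from pathlib import Path


def new_csr(common_name: str, out_dir: Path, key_bits: int = 2048) -> tuple[Path, Path]:
    """Generate a fresh RSA private key and a CSR for it; returns (key_path, csr_path).

    Every call produces a new key, so no two CSRs are identical even for the same
    subject. Reusing a CSR would also mean reusing its private key.
    """
    out_dir = Path(out_dir)
    tag = uuid.uuid4().hex[:8]  # assumed naming scheme, only to keep files distinct
    key_path = out_dir / f"{common_name}-{tag}.key"
    csr_path = out_dir / f"{common_name}-{tag}.csr"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
         "-keyout", str(key_path), "-out", str(csr_path),
         "-subj", f"/CN={common_name}"],
        check=True, capture_output=True,
    )
    key_path.chmod(0o600)  # the key never leaves this host; keep it owner-readable only
    return key_path, csr_path


def csr_fingerprint(csr_path: Path) -> str:
    """SHA-256 over the DER encoding of the request: a stable identity for the CSR."""
    der = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-outform", "DER"],
        check=True, capture_output=True,
    ).stdout
    return hashlib.sha256(der).hexdigest()


class CsrLedger:
    """Remembers which CSRs were already submitted so a reuse is refused locally."""

    def __init__(self):
        self._submitted: set[str] = set()

    def register(self, csr_path: Path) -> str:
        fp = csr_fingerprint(csr_path)
        if fp in self._submitted:
            raise ValueError(
                f"{csr_path.name} was already submitted (fingerprint {fp[:16]}...); "
                "generate a new key and CSR instead of reusing this one"
            )
        self._submitted.add(fp)
        return fp


def demo() -> dict:
    """Two CSRs for the same CN are distinct; resubmitting the first one is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        ledger = CsrLedger()
        _, first = new_csr("gp.example.com", Path(tmp))   # constructed sample CN
        _, second = new_csr("gp.example.com", Path(tmp))
        fp_first = ledger.register(first)
        try:
            ledger.register(first)
            reuse_rejected = False
        except ValueError:
            reuse_rejected = True
        fp_second = ledger.register(second)
        return {"distinct": fp_first != fp_second, "reuse_rejected": reuse_rejected}


if __name__ == "__main__":
    print(demo())
```

The ledger only has to live as long as your certificate-request automation; its purpose is to turn the service's "Requested entity already exists" response into a local error with a clear message before the request is sent.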
Attempts to use the verdicts:all -X "DELETE" API call more than once per hour result in the error {"code": 8, "message": "Too many requests"}.
Workaround: Do not use this API call more than once per hour.
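As an added example (not code from the original page or from Palo Alto Networks), the Python client below wraps the DELETE so it is never sent more than once per hour from this client, and treats a code 8 response from the service as the start of a full new hour so the next attempt is not wasted. The endpoint URL and the bearer-token header in `make_http_sender` are assumptions; take the real endpoint and authentication scheme from your Prisma Access API documentation. `FakeVerdictsApi` is a constructed stand-in for the service used to exercise the throttle offline.

```python
import json
import time
import urllib.error
import urllib.request

# From the known issue above: the call is accepted at most once per hour, and a
# second call inside that window is answered with code 8 "Too many requests".
MIN_INTERVAL_S = 3600
TOO_MANY_REQUESTS_CODE = 8


class TooManyRequests(Exception):
    """Raised when a reset would be refused, locally or by the service."""

    def __init__(self, message: str, retry_after_s: float):
        super().__init__(f"{message} (retry in {retry_after_s:.0f}s)")
        self.retry_after_s = retry_after_s


class VerdictsResetClient:
    """Sends the verdicts:all DELETE at most once per MIN_INTERVAL_S.

    `send` performs the HTTP call and returns the parsed JSON body; `clock` is
    injectable so the throttle can be tested without waiting an hour.
    """

    def __init__(self, send, clock=time.monotonic):
        self._send = send
        self._clock = clock
        self._window_start = None  # clock value when the current hourly window began

    def seconds_until_allowed(self) -> float:
        if self._window_start is None:
            return 0.0
        return max(0.0, MIN_INTERVAL_S - (self._clock() - self._window_start))

    def delete_all_verdicts(self) -> dict:
        wait = self.seconds_until_allowed()
        if wait > 0:
            # Refuse locally instead of sending a call the service will reject anyway.
            raise TooManyRequests("local throttle", wait)
        body = self._send()
        if body.get("code") == TOO_MANY_REQUESTS_CODE:
            # Another client used the quota; we do not know when the service's hour
            # started, so conservatively start a full window from now.
            self._window_start = self._clock()
            raise TooManyRequests(body.get("message", "Too many requests"), MIN_INTERVAL_S)
        self._window_start = self._clock()
        return body


def make_http_sender(url: str, api_key: str):
    """Build a `send` callable with urllib. URL and auth header are assumptions."""

    def send() -> dict:
        req = urllib.request.Request(
            url, method="DELETE",
            headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            # A rate-limit refusal may arrive as an HTTP error; return its JSON body.
            return json.loads(err.read() or b"{}")

    return send


class FakeVerdictsApi:
    """Constructed stand-in for the service, enforcing the once-per-hour rule."""

    def __init__(self, clock):
        self._clock = clock
        self._last_accepted = None
        self.accepted_calls = 0

    def send(self) -> dict:
        now = self._clock()
        if self._last_accepted is not None and now - self._last_accepted < MIN_INTERVAL_S:
            return {"code": TOO_MANY_REQUESTS_CODE, "message": "Too many requests"}
        self._last_accepted = now
        self.accepted_calls += 1
        return {"code": 0, "message": "ok"}


def attempt(client: VerdictsResetClient) -> str:
    """One reset attempt, summarised as 'sent' or 'throttled:<seconds>'."""
    try:
        client.delete_all_verdicts()
        return "sent"
    except TooManyRequests as err:
        return f"throttled:{err.retry_after_s:.0f}"


def demo() -> list:
    """Attempts at t=0, 600, 3600 and 3601 seconds against the fake service."""
    fake_now = [0.0]
    clock = lambda: fake_now[0]
    api = FakeVerdictsApi(clock)
    client = VerdictsResetClient(api.send, clock)
    outcomes = []
    for advance in (0, 600, 3000, 1):
        fake_now[0] += advance
        outcomes.append(attempt(client))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

With a real deployment, construct the client as `VerdictsResetClient(make_http_sender(url, api_key))` and keep one instance per process; the local window only protects against this client's own repeats, which is why the code 8 branch still exists.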
If you configure multiple GlobalProtect portals in a Panorama Managed Prisma Access multitenant deployment, committing changes on a per-username basis fails with the error "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]".
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multitenant deployment, perform Commit All operations instead of committing on a per-user basis.

