Prisma Access Known Issues

Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version 6.0 Preferred or Innovation
Prisma Access has the following known issues.
AIOPS-11286
When you have Colo-Connect enabled, cross-connects and connections-related information may not be up to date on subtenants in a multitenant environment.
CYR-56688
If you delete Internal Host Detection in the Default agent settings (Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Internal), the Internal Host Detection settings are not removed from the configuration in the Cloud Services plugin (Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect > Onboarding > General > Internal Host Detection), causing the Internal Host Detection settings to reappear in the Default agent settings.
Workaround: Either remove the Internal host detection from the Cloud Services plugin configuration, or rename the Default agent settings.
CYR-54556
When using explicit proxy nodes, you must configure at least one domain under Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Authentication settings > Domains Used in Authentication Flow in Strata Cloud Manager. Failing to do so results in a commit failure.
CYR-54543
This issue is now resolved in Prisma Access 6.0.0-h17. See Prisma Access 6.0.0-h22 Addressed Issues.
Panorama Plugin-based GlobalProtect logout fails when there is a special character in username or computer name.
CYR-54002
Geo-location is not functional for IPv6 only deployments.
Workaround: Implement a dual stack deployment. IPv6 native deployments determine their location by latency probes, which may result in incorrect portal selection and incorrect language selection.
CYR-53726
For tenants using site-based licensing for branch sites, the site license type may display as Unknown for certain branch sites within SCM > Monitor > Branch Sites.
CYR-54342
In Insights > Data Centers > ZTNA Connectors > FQDNs > Bandwidth, the time stamp for Bandwidth is incorrect.
CYR-52409
When you have an existing deployment and upgrade to IP Optimization, and if you have configured an Automatic Restoration of VPN Connection Timeout value in the GlobalProtect portal for greater than 30 minutes, a commit validation is seen after the upgrade to Prisma Access 6.0.
Workaround: Revert your commit, change Automatic Restoration of VPN Connection Timeout to a value lower than 30 minutes, and redo the Commit and Push operation.
CYR-52287
Panorama incorrectly allows users to configure QoS profiles with Egress Guaranteed values exceeding Egress Max values. This is an invalid configuration.
Workaround: Configure an Egress Guaranteed value that is not greater than the Egress Max value.
CYR-52286
When onboarding a remote network using a site-based license, Panorama incorrectly allows you to create Remote Networks without attaching a QoS Profile. However, when you perform a commit operation, the commit fails with the error Failed to process Remote Network configuration (NETP_ERROR-200, details:). Please try again.
Workaround: When configuring a site-based remote network, attach a QoS profile to the remote network.
CYR-52233
When you set up secure inbound access for remote networks, a Bandwidth field displays with fields for site-based licenses, even though your deployment uses aggregate bandwidth.
Workaround: Select the bandwidth for the compute location to which the location corresponds.
CYR-51257
Strata Logging Service logs related to ZTNA Connector might not be seen in the Strata Cloud Manager log viewer for FedRAMP deployments.
CYR-51157
Secure Inbound Access is not supported with Remote Networks—High Performance deployments.
CYR-51156
BGP MRAI values are not applied to Remote Networks—High Performance deployments.
CYR-51029
IPv6 information is absent in the Panorama (Panorama > Cloud Services > Status > Monitor page) and Strata Cloud Manager pages if the config service is enabled on the tenant.
CYR-50900
If you select a Mobile Users configuration item and you don't have a Mobile Users license, you might receive an error upon commit.
Workaround: Do not select a Mobile Users configuration item if you don't have a Mobile Users license.
CYR-50870
When attempting to onboard a large number of ZTNA connector applications (more than 500), the application might not be onboarded and a 502 Server Error: Bad Gateway for url error might be encountered.
Workaround: Attempt to re-onboard the application that failed.
CYR-49865
In Mobile Users—GlobalProtect setup with IPv6 enabled, when a GlobalProtect client with only an IPv4 address connects to an IPv6-enabled gateway, edge localization is not working when users try to connect to an edge location. This behavior affects both existing deployments that have IP Optimization enabled and deployments that don't have IP Optimization enabled.
CYR-49816
The username in XAU within the Connect request won't be normalized to reflect the primary attribute in the directory setting. Instead, it will be the base64 encoded username carried in the authentication JWT token within the request.
CYR-49758
If the request includes a valid JWT token, the parsed username in the JWT will be used instead of the special authentication bypass username inserted by explicit proxy.
CYR-49265
When using Traffic replication, statistics do not display for deployments in the France North region.
Workaround: To enable traffic replication for the France North region deployment, select the check box "Europe Northwest (Paris)" under the traffic replication tab and not France North.
CYR-48823
Double decryption isn't supported. Therefore, when sending a CONNECT request over an SSL tunnel, inserting headers in the underlying actual request isn't supported.
CYR-48331
Mobile Users—GlobalProtect users cannot perform an Auto or Transparent upgrade because a security policy is blocking the upgrade.
Workaround: Create a Custom URL category for the URL pan-gp-client.s3.dualstack.us-west-2.amazonaws.com and allow traffic from the URL in the rule. You can also allow only the download for *.pkg and *.msi files for greater granularity in the rule.
CYR-47807
After creating filter rules, if you try to assign them to a filter group without selecting OK on the main BGP Filtering widget, the filter rules will not appear in the dropdown selection.
Workaround:
  1. Create one or more BGP Filters.
  2. Click OK on the BGP Filtering widget.
  3. Reopen the BGP Filtering widget using the gear icon.
Then the BGP Filters display during BGP Filter Group creation.
CYR-47616
Increasing the subnet mask on an existing mobile user IP address pool (for example, if you change 10.6.0.0/18 to 10.6.0.0/17), or changing the region of an existing IP address pool, can cause issues for existing connected users.
Workaround: Perform one or more of the following actions:
  • Have the GlobalProtect mobile user refresh their connection.
    Any changes to the GlobalProtect IP address pool scope (increasing the existing pool or using a completely different pool) would cause issues to the existing connected users, which can only be resolved after a successful GlobalProtect refresh where the app acquires the IP address from the newly allocated pool.
  • Add another address block to the mobile users IP address pool instead of changing the subnet in the existing pool.
    For example, instead of changing a subnet in the pool from /18 to /17, consider adding another /18 address to the existing pool and leave the existing pool intact.
CYR-47139
ZTNA Connectors are disabled in a ZTNA Connector - Explicit Proxy integration if ZTNA Connector application blocks or connector blocks are configured with RFC6598 addresses that conflict with Explicit Proxy addresses.
Workaround: If you have integrated ZTNA Connector with Explicit Proxy, do not use the "100.64.0.0/15", "100.72.0.0/15", or "100.88.0.0/15" subnets for:
  • ZTNA Connector Application Blocks
  • ZTNA Connector Connector Blocks
  • IP subnets configured in ZTNA Connector that you have associated with applications
CYR-47038
HTTP header insertion on Remote Networks is not supported when using Proxy Mode on Remote Networks and Source IP based visibility and enforcement is enabled.
Workaround: Use HTTP header insertion on explicit proxy nodes.
CYR-46759
UDP Settings for DNS Queries are not honored in Explicit Proxy.
CYR-46627
Explicit Proxy is not supported if Accept Default Route over Service Connection is enabled.
CYR-46445
A transient error related to port 6081 that was processed on a NAT device caused the ZTNA Connector to go down.
Workaround: When ZTNA Connector traffic is passing through a NAT device, make sure the NAT session is not mapped to port 6081.
CYR-46349
When using Remote Networks with Explicit Proxy with Traffic Steering in China, do not configure traffic steering rules with URL Category.
CYR-46191
If the Explicit Proxy is configured with Private Application Access enabled and ZTNA Connector is added to the configuration, another commit from Panorama or Strata Cloud Manager might be required.
Workaround: Make a small modification to the Explicit Proxy configuration on the Panorama or Strata Cloud Manager that manages Prisma Access and Push your changes.
CYR-46145
When the Prisma Access autonomous system number or Prisma Access infra subnet is updated for an existing Prisma Access tenant where ZTNA Connector and corresponding applications are onboarded, there will be an outage for around 5 minutes after the update.
CYR-46093
If your deployment has implemented the functionality to support up to 25,000 remote networks and 50,000 IKE gateways, aggregate bandwidth usage statistics display No data for the specified time period instead of the usage statistics.
CYR-45855
You cannot change the Infrastructure Subnet or the BGP AS number for Remote Networks—High Performance deployments.
CYR-45415
Administrators with read-only or disabled access to the Cloud Services plugin can modify configuration outside of the Cloud Services plugin that affects cloud services behavior, such as templates, device groups, removing the Cloud Services configuration, uninstalling the Cloud Services plugin, and loading configuration files.
CYR-44202
Administrative users with read-only access to the Cloud Services plugin are able to modify the RBI tab.
CYR-43425
You cannot specify Outbound Routes for the Service for service connections if those service connections use RFC 6598 addresses.
CYR-43147
For autoscaled ZTNA connectors, during scale-in, existing long-lived sessions handled by the ZTNA connector that is marked for scale-in may be dropped prematurely. New traffic sessions after scale-in should not be affected.
CYR-43132
During sub-tenant creation on Panorama, you cannot configure units for Remote Networks if the Mobile Users configuration is left blank, and vice versa.
CYR-42312
User-ID Across NAT is not supported with Colo-Connect.
CYR-42259
Explicit Proxy Private App Access does not work when RFC6598 is enabled.
CYR-42244
If you are requesting a Prisma Access gateway name change as part of the Business Continuity for Mergers and Acquisitions feature, the updated FQDN does not display in Strata Cloud Manager or Panorama.
Workaround: Reach out to your Palo Alto Networks account team, who will open an SRE case to update the FQDN for the gateway.
CYR-42188
When using Explicit Proxy Private App Access, DNS over TCP does not function; however, DNS over UDP functions correctly.
CYR-42130
Colo-Connect routing information does not display in the Serviceability Commands area.
CYR-42018
If you have IP Optimization enabled, TLS 1.3 is not supported for GlobalProtect.
Workaround: Use a maximum TLS version of 1.2.
CYR-41990
IPv6-to-IPv6 or IPv6-to-IPv4 source or destination traffic does not support the URL filtering actions Continue and Override.
CYR-41228
If you have IP Optimization enabled, you cannot use the SP interconnect feature.
CYR-41067
An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version.
CYR-40404
An FQDN target matching a wildcard might not be discovered for a connector group if the application is not accessible from some of the ZTNA connectors in the connector group.
All connectors in a given group should be able to use DNS to resolve the application and access the application for the application to be auto-discovered in the group.
Workaround: Associate the application object to the required connector group from Strata Cloud Manager.
CYR-39795
After installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) is installed by the __cloud_services user, even though Explicit Proxy is not enabled.
Workaround: Ignore the changes.
CYR-39551
If you set up Prisma Access Dynamic DNS with an authentication type of TSIG, you should upload a .key file for the TSIG key file. The key file is considered not valid if it has non-ASCII characters in the content. If you provide a .key file for TSIG authentication with non-ASCII characters and you click OK, an error Please upload a file with the .key extension displays.
Workaround: Provide a valid TSIG key file.
CYR-39153
When performing an upgrade to a ZTNA Connector Group, there can be failures intermittently during the upgrade operation. For example, the upgrade status displays as partial_success or failed, even though some of the affected connectors are later upgraded successfully.
Workaround: Retry the Connector Group upgrade at a later time. ZTNA Connector rechecks and provides you with the appropriate status of the Connector Groups.
CYR-39148
This issue is now resolved in Prisma Access 6.0.0. See Prisma Access 6.0.0 Addressed Issues.
When configuring Colo-Connect, Commit and Push operations to Colo Connect Device Groups may intermittently fail.
Workaround: Retry the Commit and Push operation to the Colo-Connect Device Group.
CYR-39028
If you are upgrading your ZTNA Connector from 4.1 to a later Prisma Access version and the ZTNA connector application pools are configured within the RFC6598 address space (100.64.0.0/16 and 100.65.0.0/16), ZTNA connector traffic may be blocked on the MU-SPN.
Workaround: Contact your Prisma Access team to update the SaaS Agent version of all your Prisma Access tenants.
CYR-38619
Tenants that are onboarded in Switzerland and France cannot use ZTNA Connector.
CYR-38120
All available locations do not show up in the list view in the Mobile Users—Explicit Proxy setup page.
Workaround: Use the map view to select the missing locations.
CYR-37983
If you have IPv6 enabled for a Mobile Users—GlobalProtect user, retrieving the HIP report causes a crash.
Workaround: If the GlobalProtect client is IPv6 enabled, run the HIP report using the client's IPv6 address. If the GlobalProtect client is IPv4 only, run the HIP report using the client's IPv4 address.
CYR-37923
After creating a new URL category or security rule or an EDL, a local Panorama commit is required before using that object in RBI security rule associations.
CYR-37906
If, when updating the ports for an existing wildcard object, you put spaces between the ports, a 500 internal server error is displayed.
Workaround: Do not put spaces between the ports. For example, instead of 1-2, 80, 100-300, put 1-2,80,100-300.
CYR-37887
If you are using ZTNA Connector as part of the 30-day trial and have not purchased a license, onboarding might fail with a message that Something went wrong when you click the Enable ZTNA Connector button.
Workaround: Refresh the UI to complete the onboarding of the ZTNA Connector feature.
CYR-37826
If two or more ZTNA connector applications have the same FQDN, an Application Custom rule conflict message could display in the SD-WAN portal.
Workaround: This message is spurious and can be ignored.
CYR-37797
The status page asks you for a one-time password (OTP) after a plugin upgrade.
Workaround: Delete the expired license keys, delete the Panorama certificate, and retrieve the licenses and verify if the license keys are valid after you retrieve them; then, generate the OTP to verify.
CYR-37755
If you configure a Wildcard Target in ZTNA Connector, and if you try to change the port of an application that was discovered as a result of that target and was added to the FQDN Target, you receive an error that the name is too long.
Workaround: While application names can be a maximum of 32 characters long, changing the port number makes the name too long in the ZTNA Connector infrastructure. If you encounter this error, try to give the application a shorter name.
CYR-37706
When using Explicit Proxy, an excessive amount of threat logs display.
Workaround: Ignore the threat logs. These logs have no impact on Explicit Proxy functionality.
CYR-37673
Clicking the Panorama > Cloud Services > Status > Status > Remote Browser Isolation > Active Isolated Session link does not open the Monitor > Subscription Usage page in Prisma Access Cloud Management or Strata Cloud Manager.
CYR-37466
If you enable Colo-Connect, do not enable Bidirectional Forwarding Detection (BFD) on your VLAN.
CYR-37356
If you renew the App Acceleration license after it has expired (including the grace period for the license), the renewal does not take effect immediately.
Workaround: Wait approximately one hour after license renewal before using App Acceleration.
CYR-37290
When onboarding a ZTNA Connector, you receive a declaim requested by root error.
Workaround: Delete the connector that had the error and create a new one.
CYR-37227
The creation of the IP subnet-based Connector Group sometimes fails with a group already exists message, even though the group does not exist.
Workaround: Use another name for the IP subnet-based Connector Group.
CYR-37208
When using Prisma Access Clean Pipe, the Network Details page (Panorama > Cloud Services > Status > Status > Network Details) does not show Clean Pipe entries.
CYR-36749
ZTNA connector flow logs related to netflow may not be visible in the Strata Cloud Manager Log Viewer.
CYR-34999
For Panorama Prisma Access tenants, if ZTNA Connectors are onboarded, the Provision Progress for service connections (Panorama > Cloud Services > Status > Status > Service Connections > Provision Progress) shows provisioning progress for both ZTNA Connectors and Service Connections.
CYR-34720
GlobalProtect DDNS functionality does not work when using a Panorama running 10.1.x to manage Prisma Access with the Cloud Services plugin.
CYR-33877
If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
CYR-33471
If you enable multi-tenancy, create a new sub tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, and then configure Colo-Connect subnets and VLANs, a partial commit fails with an Unable to retrieve last in-sync configuration for the device error.
Workaround: Perform a Commit and Push operation when configuring Colo-Connect for the first time instead of a partial commit.
CYR-33454
If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, and then configure Colo-Connect, the option to Commit and Push your changes is grayed out.
Workaround: Click Commit > Commit to Panorama, then Commit > Push to Devices, click Edit Selections and make sure that Colo-Connect is selected in the Push Scope; then, retry the Commit and Push operation.
CYR-33199
Current user counts and 90 day user counts are not correct for Kerberos authenticated users.
CYR-33145
When a Prisma Access license for any service type expires, any Commit All operation fails with a generic Commit Failed error message.
Workaround: Make sure that all your Prisma Access licenses have not expired before performing commits.
CYR-32687
EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work on decryption policies when Agent or Kerberos authentication is used with Explicit Proxy.
Workaround: Use Address objects of IP Netmask, IP Range, or Address groups in the decryption policies.
CYR-32666
When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting from a previously-saved configuration, you receive errors if the following conditions are present:
  • You are loading a Configuration that has Colo-Connect service connections configured.
  • You are loading an empty Prisma Access configuration.
  • You revert from a previously-saved configuration, and the following conditions are present:
    • A Colo-Connect configuration (with service connections) exists on the current configuration and a Colo-Connect configuration does not exist on the configuration to which you want to revert.
    • A Colo-Connect configuration does not exist on the current configuration and a Colo-Connect configuration (with service connections) exists on the configuration to which you want to revert.
    • A Colo-Connect configuration (with service connections) exists on the current configuration and also exists on the configuration to which you want to revert.
Workaround: Colo-Connect service connections cannot be onboarded unless their corresponding VLANs are in an Active state. Delete any Colo-Connect service connections before exporting or reverting a Panorama image; then, re-create the Colo-Connect service connections after importing the new image.
CYR-32661
When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy.
CYR-32564
ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
  1. Create a custom URL category and add application FQDNs for the onboarded applications for ZTNA connector.
  2. If you are using a default profile group, clone a new group and attach the custom URL category you created in Step 1. If you are using a custom profile group, attach the custom URL category you created in step 1.
  3. Make sure that you attach either the cloned profile group or the custom profile group (from step 2) to the security policy you created to allow traffic destined to ZTNA connector applications.
CYR-32511
You can configure IPv6 DNS addresses even if IPv6 is disabled.
CYR-32431
When configuring Explicit Proxy, when you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access, then return to the Authentication Settings tab to see the addresses.
CYR-31603
ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.
CYR-31187
When you use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you Commit and Push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: When you Commit and Push, make sure that you choose both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push Scope when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.
CYR-30966
When all users are removed from a group, CIE does not sync the empty group to the firewalls. This is expected behavior.
Workaround: Delete empty groups from Firewall configurations.
CYR-30414
If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you are able to see both portals on the UI.
Workaround: Open a CLI session on the Panorama that manages Prisma Access and enter the following commands, then perform a local commit on the Panorama:
set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no
request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off
CYR-30044
This issue is now resolved in Prisma Access 6.0.0. See Prisma Access 6.0.0 Addressed Issues.
Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, perform a Commit and Push operation, and then go back and update the EDL in your block Settings.
CYR-29964
Attempts to reuse a certificate signing request (CSR) to generate a certificate results in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs.
CYR-29933
Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests" error.
Workaround: Do not use this API call more than one time per hour.
CYR-29700
If you configure multiple GlobalProtect portals in a Panorama Managed Prisma Access multitenant deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error.
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis.
CYR-26112
If you do not have a Net Interconnect license, all Remote Networks in a theater are fully meshed, but if you haven't onboarded a Service Connection in a theater, the Remote Networks cannot be reached from Remote Networks in other theaters.
Workaround: Either purchase a Net Interconnect license or onboard a service connection in a theater to have the Remote Networks communicate with other theaters.

Known Issues for Dynamic Privilege Access

PANG-4870
On macOS devices that have the Prisma Access Agent installed, if you remove the full disk access for the security extension for the Prisma Access Agent (after granting full disk access previously), the Prisma Access Agent will get stuck in the disabled mode.
Workaround: Grant access to the security extension by selecting System Settings > Privacy & Security > Full Disk Access and enabling the securityExtension from the list of apps.
PANG-4825
When configuring forwarding profiles, an issue exists where configuring large numbers of forwarding rules for source applications, destination domains, and IP addresses (routes) can cause high CPU utilization.
Workaround: Do not configure more than 100 forwarding rules for source applications, destination domains, and IP addresses.
NETVIS-1363
In Insights on Strata Cloud Manager, the Project Connectivity History view in the user details page shows only the project name and no other detail when the Prisma Access Agent user is connected. The Project Connectivity History is blank when the user is not connected.
NETVIS-1263
In Insights, the number of connected users listed in the Projects tab might not be accurate. In some cases, the number of connected users in the Project tab does not match the number of users in the Users tab. For example, when the same user is connected to two projects on different devices, the number of connected users in the Projects tab does not match the number of users in the Users tab.
NETVIS-1207
In Insights, the Projects tab does not show all the IP pools that are configured for a project. Only the IP pools that are in use are shown.
EPM-2954
User groups that have more than 50000 users are not supported in the project configuration of Dynamic Privilege Access. Make sure that the user group associated with a project has less than 50000 users.
EPM-1589
When configuring forwarding profiles, even though Strata Cloud Manager allows you to configure IP addresses with wildcards, using wildcard characters in destination IP addresses, such as 10.*.*.*, is not supported as it will cause inconsistent behavior in forwarding profiles.
EPM-1399
Changing a project name in the Projects tab of the Dynamic Privilege Access page in Strata Cloud Manager is not supported at this time.
Workaround: To rename a project, delete the existing project and perform an Access Agent push configuration, then create the project with the new name and perform an Access Agent push configuration.
EPM-646
On a Prisma Access tenant where Dynamic Privilege Access is enabled, a configuration push will fail if you try to push the Prisma Access Agent infrastructure configuration without first configuring any projects.
Workaround: Configure at least one project before you do a push config.
DRS-4907
Updates made in the Identity Provider (IdP) are not immediately reflected in the Cloud Identity Engine and Prisma Access Agent management plane. This delay occurs because the Cloud Identity Engine needs to sync with the IdP to capture the changes. The Cloud Identity Engine runs sync jobs every 5 minutes, but only when no other sync is in progress. The duration of the sync process is affected by the magnitude of changes in the Cloud Identity Engine directory, meaning larger or more numerous changes will result in a longer sync time. After the sync is complete, it can take up to 15 minutes for the changes to appear in the Prisma Access Agent management plane.
DRS-4691
When searching for a user group in Cloud Identity Engine or Strata Cloud Manager using the Text Search option, surround the user group name with double quotes. For example, when searching for a user group named EXAMPLE.User_Group, enter "EXAMPLE.User_Group".
DRS-4406
When configuring a project in Strata Cloud Manager, you cannot search for a User group by providing a partial user group name.
Workaround: To search for a user group, enter the complete User group name.
DOCS-7025
An issue exists in Dynamic Privilege Access where existing IP pools configured in a project cannot be modified.
Workaround: To modify an existing IP pool, delete the existing IP pool in a project and save the project. Then, edit the project again to add the new IP pool. For example, to change the IP pool address from 10.10.10.0/25 to 10.10.10.0/24, delete the existing pool in the project, save the project, and edit the project again to add the new IP pool.
DOCS-5681
Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant is not supported in Prisma Access 6.0.
Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant can cause issues in routing. Service might also be impacted because Strata Cloud Manager does not support the deletion of ZTNA Connector once it has been created.
DOCS-5611
When authorizing user group mapping in Cloud Identity Engine for Dynamic Privilege Access, when selecting the SAML attributes you want Prisma Access to use for authentication, ensure that you select a Username Attribute that contains /identity/claims/name.
If you select the wrong username attribute, your users will not be able to authenticate to their projects.
DOCS-5463
An issue exists where random tunnel disconnects can occur if the Collect HIP Data option is not enabled in the Agent Settings page. Therefore, do not disable Collect HIP Data in the Host Information Profile (HIP) section of the Access Agent Settings page.
DOCS-3650
For Cloud Identity Engine authentication to work on a Dynamic Privilege Access enabled Prisma Access tenant, ensure that a user group is not mapped to multiple SAML applications in the identity provider (IdP).
If multiple apps are mapped to a user group, Cloud Identity Engine cannot determine which SAML app to connect to during authentication because there is no unique mapping.
ADI-33262
On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile User Container > Access Agent configuration push will fail without first configuring a project in Strata Cloud Manager.
Workaround: Configure at least one project before you do a push config.
ADI-31601
On a Dynamic Privilege Access enabled tenant, Strata Cloud Manager allows you to configure more than 100 IP pools per project, even though it will cause the push config to fail with a generic error.
Workaround: Do not configure more than 100 IP pools per project.
ADI-31538
An issue exists where, when setting up a forwarding profile, the forwarding profile Type is displayed as "ZTNA Agent" instead of "Prisma Access Agent". Also, if you select Add Forwarding Profile, the drop-down shows "ZTNA Agent" instead of "Prisma Access Agent".
Workaround: None. The forwarding profile type will be changed to "Prisma Access Agent" in the future.
ADI-31523
Do not create snippets with descriptions that contain special characters. Snippet descriptions that contain special characters such as ! ~ @ # $ % ^ & * ( ) _ + are not supported.
ADI-30902
Strata Cloud Manager uses the user and user group information from a Cloud Identity Engine directory in multiple configurations, such as Dynamic Privilege Access project configurations, Prisma Access Agent settings, security policies, and staged rollout configurations. After making these configurations, if you delete the directory from Cloud Identity Engine but don't delete the Strata Cloud Manager configurations that reference those users and user groups, you might encounter unexpected errors, such as "500 Internal Server Error."
Workaround: When you remove a directory from Cloud Identity Engine, you must also delete the Strata Cloud Manager configurations that reference the users and user groups in that directory.
ADI-29665
Do not use special characters in project names, otherwise Strata Cloud Manager will issue a "Malformed Request" error message when you try to save the project configuration.
ADI-29434
In the Agent Settings page in Strata Cloud Manager, the recommended value for the Session timeout is 7 days.
ADI-29272
When creating a snippet, if you disable the Add prefix to object names option, ensure that you don't use duplicate agent settings names in two different snippets, since it can result in unexpected behavior.
ADI-26493
In Access Agent > Infrastructure Settings in Strata Cloud Manager, the OnPrem DHCP Server option in the Client IP Pool Allocation section is not selectable. This is working as intended since OnPrem DHCP Server is not supported for Dynamic Privilege Access.
This option will be renamed to OnPrem DHCP Server (Preview Only) so that existing Dynamic Privilege Access enabled Prisma Access tenants can function correctly.