Prisma Access
Prisma Access Known Issues
Prisma Access has the following known issues.
Issue ID | Description |
---|---|
AIOPS-11286 | When you have Colo-Connect enabled, cross-connect and connection-related information may not be up to date on subtenants in a multitenant environment. |
CYR-56688 | If you delete Internal Host Detection in the Default agent settings (Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Internal), the Internal Host Detection settings are not removed from the configuration in the Cloud Services plugin (Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect > Onboarding > General > Internal Host Detection), so the Internal Host Detection settings reappear in the Default agent settings. Workaround: Either remove the Internal Host Detection settings from the Cloud Services plugin configuration, or rename the Default agent settings. |
CYR-54556 | When using explicit proxy nodes, you must configure at least one domain under Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Authentication Settings > Domains Used in Authentication Flow in Strata Cloud Manager. Failing to do so results in a commit failure. |
CYR-54543 This issue is now resolved in Prisma Access 6.0.0-h17. See Prisma Access 6.0.0-h22 Addressed Issues. | Panorama Plugin-based GlobalProtect logout fails when there is a special character in username or computer name. |
CYR-54002 | Geo-location is not functional for IPv6-only deployments. IPv6-native deployments determine their location by latency probes, which may result in incorrect portal selection and incorrect language selection. Workaround: Implement a dual-stack deployment. |
CYR-53726 | For tenants using site-based licensing for branch sites, the site license type may display as Unknown for certain branch sites in Strata Cloud Manager > Monitor > Branch Sites. |
CYR-54342 | In Insights > Data Centers > ZTNA Connectors > FQDNs > Bandwidth, the time stamp for Bandwidth is incorrect. |
CYR-52409 | If an existing deployment has an Automatic Restoration of VPN Connection Timeout value greater than 30 minutes configured in the GlobalProtect portal, and you upgrade to Prisma Access 6.0 with IP Optimization, a commit validation error occurs after the upgrade. Workaround: Revert your commit, change Automatic Restoration of VPN Connection Timeout to a value lower than 30 minutes, and redo the Commit and Push operation. |
CYR-52287 | Panorama incorrectly allows users to configure QoS profiles with Egress Guaranteed values exceeding Egress Max values. This is an invalid configuration. Workaround: Configure an Egress Guaranteed value that is not greater than the Egress Max value. |
CYR-52286 | When onboarding a remote network using a site-based license, Panorama incorrectly allows you to create Remote Networks without attaching a QoS Profile. The subsequent commit then fails with the error Failed to process Remote Network configuration (NETP_ERROR-200, details:). Please try again. Workaround: When configuring a site-based remote network, attach a QoS profile to the remote network. |
CYR-52233 | When you set up secure inbound access for remote networks, a Bandwidth field displays with fields for site-based licenses, even though your deployment uses aggregate bandwidth. Workaround: Select the bandwidth for the compute location to which the location corresponds. |
CYR-51257 | Strata Logging Service logs related to ZTNA Connector might not be seen in the Strata Cloud Manager log viewer for FedRAMP deployments. |
CYR-51157 | Secure Inbound Access is not supported with Remote Networks—High Performance deployments. |
CYR-51156 | BGP MRAI values are not applied to Remote Networks—High Performance deployments. |
CYR-51029 | IPv6 information is absent from the Panorama (Panorama > Cloud Services > Status > Monitor) and Strata Cloud Manager pages if the config service is enabled on the tenant. |
CYR-50900 | If you select a Mobile Users configuration item and you don't have a Mobile Users license, you might receive an error upon commit. Workaround: Do not select a Mobile Users configuration item if you don't have a Mobile Users license. |
CYR-50870 | When attempting to onboard a large number of ZTNA Connector applications (more than 500), an application might not be onboarded and a 502 Server Error: Bad Gateway for url error might be encountered. Workaround: Re-onboard the application that failed. |
CYR-49865 | In Mobile Users—GlobalProtect setup with IPv6 enabled, when a GlobalProtect client with only an IPv4 address connects to an IPv6-enabled gateway, edge localization is not working when users try to connect to an edge location. This behavior affects both existing deployments that have IP Optimization enabled and deployments that don't have IP Optimization enabled. |
CYR-49816 | The username in XAU within the CONNECT request is not normalized to reflect the primary attribute in the directory setting. Instead, it is the base64-encoded username carried in the authentication JWT within the request. |
CYR-49758 | If the request includes a valid JWT, the username parsed from the JWT is used instead of the special authentication bypass username inserted by Explicit Proxy. |
CYR-49265 | When using Traffic Replication, statistics do not display for deployments in the France North region. Workaround: To enable traffic replication for a France North deployment, select the Europe Northwest (Paris) check box under the Traffic Replication tab instead of France North. |
CYR-48823 | Double decryption isn't supported. Therefore, when a CONNECT request is sent over an SSL tunnel, inserting headers into the underlying request isn't supported. |
CYR-48331 | Mobile Users—GlobalProtect users cannot perform an Auto or Transparent upgrade because a security policy is blocking the upgrade. Workaround: Create a custom URL category for the URL pan-gp-client.s3.dualstack.us-west-2.amazonaws.com and allow traffic to that URL in the rule. For greater granularity, you can allow only the download of *.pkg and *.msi files in the rule. |
CYR-47807 | After creating filter rules, if you try to assign them to a filter group without selecting OK on the main BGP Filtering widget, the filter rules do not appear in the dropdown selection. Workaround: Select OK on the main BGP Filtering widget after creating the filter rules; the BGP filters then display during BGP Filter Group creation. |
CYR-47616 | Changing the prefix length of an existing mobile user IP address pool (for example, changing 10.6.0.0/18 to 10.6.0.0/17), or changing the region of an existing IP address pool, can cause issues for existing connected users. Workaround: Perform one or more of the following actions: |
CYR-47139 | ZTNA Connectors are disabled in a ZTNA Connector and Explicit Proxy integration if ZTNA Connector application blocks or connector blocks are configured with RFC 6598 addresses that conflict with Explicit Proxy addresses. Workaround: If you have integrated ZTNA Connector with Explicit Proxy, do not use the 100.64.0.0/15, 100.72.0.0/15, or 100.88.0.0/15 subnets for: |
CYR-47038 | HTTP header insertion on Remote Networks is not supported when Proxy Mode is used on Remote Networks and Source IP based visibility and enforcement is enabled. Workaround: Use HTTP header insertion on explicit proxy nodes. |
CYR-46759 | UDP Settings for DNS Queries are not honored in Explicit Proxy. |
CYR-46627 | Explicit Proxy is not supported if Accept Default Route over Service Connection is enabled. |
CYR-46445 | A transient error related to port 6081 on a NAT device caused the ZTNA Connector to go down. Workaround: When ZTNA Connector traffic passes through a NAT device, make sure the NAT session is not mapped to port 6081. |
CYR-46349 | When using Remote Networks with Explicit Proxy with Traffic Steering in China, do not configure traffic steering rules with URL Category. |
CYR-46191 | If Explicit Proxy is configured with Private Application Access enabled and ZTNA Connector is added to the configuration, another commit from Panorama or Strata Cloud Manager might be required. Workaround: Make a small modification to the Explicit Proxy configuration on the Panorama or Strata Cloud Manager that manages Prisma Access and push your changes. |
CYR-46145 | When the Prisma Access autonomous system number or Prisma Access infrastructure subnet is updated for an existing Prisma Access tenant on which ZTNA Connector and the corresponding applications are onboarded, there is an outage of around 5 minutes after the update. |
CYR-46093 | If your deployment has implemented the functionality to support up to 25,000 remote networks and 50,000 IKE gateways, aggregate bandwidth usage statistics display No data for the specified time period instead of the usage statistics. |
CYR-45855 | You cannot change the Infrastructure Subnet or the BGP AS number for Remote Networks—High Performance deployments. |
CYR-45415 | Administrators with read-only or disabled access to the Cloud Services plugin can still modify configuration outside of the Cloud Services plugin that affects cloud services behavior, such as templates and device groups, and can remove Cloud Services configuration, uninstall the Cloud Services plugin, and load configuration files. |
CYR-44202 | Administrative users with read-only access to the Cloud Services plugin are able to modify the RBI tab. |
CYR-43425 | You cannot specify Outbound Routes for the Service for service connections if those service connections use RFC 6598 addresses. |
CYR-43147 | For autoscaled ZTNA Connectors, during scale-in, existing long-lived sessions handled by the ZTNA Connector that is marked for scale-in may be dropped prematurely. There should be no impact on new traffic sessions after scale-in. |
CYR-43132 | During sub-tenant creation on Panorama, you cannot configure units for Remote Networks if the Mobile Users configuration is left blank, and vice versa. |
CYR-42312 | User-ID Across NAT is not supported with Colo-Connect. |
CYR-42259 | Explicit Proxy Private App Access does not work when RFC6598 is enabled. |
CYR-42244 | If you are requesting a Prisma Access gateway name change as part of the Business Continuity for Mergers and Acquisitions feature, the updated FQDN does not display in Strata Cloud Manager or Panorama. Workaround: Reach out to your Palo Alto Networks account team, who will open an SRE case to update the FQDN for the gateway. |
CYR-42188 | When using Explicit Proxy Private App Access, DNS over TCP does not function; however DNS over UDP functions correctly. |
CYR-42130 | Colo-Connect routing information does not display in the Serviceability Commands area. |
CYR-42018 | If you have IP Optimization enabled, TLS 1.3 is not supported for GlobalProtect. Workaround: Use a maximum TLS version of 1.2. |
CYR-41990 | IPv6-to-IPv6 or IPv6-to-IPv4 source or destination traffic does not support the URL filtering actions Continue and Override. |
CYR-41228 | If you have IP Optimization enabled, you cannot use the SP interconnect feature. |
CYR-41067 | An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version. |
CYR-40404 | An FQDN target matching a wildcard might not be discovered for a connector group if the application is not accessible from some of the ZTNA Connectors in the connector group. All connectors in a given group must be able to resolve the application with DNS and access the application for it to be auto-discovered in the group. Workaround: Associate the application object with the required connector group from Strata Cloud Manager. |
CYR-39795 | After installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) is installed by the __cloud_services user, even though Explicit Proxy is not enabled. Workaround: Ignore the changes. |
CYR-39551 | If you set up Prisma Access Dynamic DNS with an authentication type of TSIG, you must upload a .key file for the TSIG key file. The key file is considered invalid if its content contains non-ASCII characters. If you provide a .key file with non-ASCII characters for TSIG authentication and click OK, the error Please upload a file with the .key extension displays. Workaround: Provide a valid TSIG key file whose content is ASCII only. |
CYR-39153 | When performing an upgrade of a ZTNA Connector Group, there can be intermittent failures during the upgrade operation. For example, the upgrade status displays as partial_success or failed, even though some of the affected connectors are later upgraded successfully. Workaround: Retry the Connector Group upgrade at a later time. ZTNA Connector rechecks and reports the appropriate status of the Connector Groups. |
CYR-39148 This issue is now resolved in Prisma Access 6.0.0. See Prisma Access 6.0.0 Addressed Issues. | When configuring Colo-Connect, Commit and Push operations to Colo-Connect Device Groups may intermittently fail. Workaround: Retry the Commit and Push operation to the Colo-Connect Device Group. |
CYR-39028 | If you are upgrading your ZTNA Connector from 4.1 to a later Prisma Access version and the ZTNA Connector application pools are configured within the RFC 6598 address space (100.64.0.0/16 and 100.65.0.0/16), ZTNA Connector traffic may be blocked on the MU-SPN. Workaround: Contact your Prisma Access team to update the SaaS Agent version of all your Prisma Access tenants. |
CYR-38619 | Tenants that are onboarded in Switzerland and France cannot use ZTNA Connector. |
CYR-38120 | Not all available locations show up in the list view on the Mobile Users—Explicit Proxy setup page. Workaround: Use the map view to select the missing locations. |
CYR-37983 | If you have IPv6 enabled for a Mobile Users—GlobalProtect user, retrieving the HIP report causes a crash. Workaround: If the GlobalProtect client is IPv6 enabled, run the HIP report using the client's IPv6 address. If the GlobalProtect client is IPv4 only, run the HIP report using the client's IPv4 address. |
CYR-37923 | After creating a new URL category or security rule or an EDL, a local Panorama commit is required before using that object in RBI security rule associations. |
CYR-37906 | If, when updating the ports for an existing wildcard object, you put spaces between the ports, a 500 internal server error is displayed. Workaround: Do not put spaces between the ports. For example, instead of 1-2, 80, 100-300, enter 1-2,80,100-300. |
CYR-37887 | If you are using ZTNA Connector as part of the 30-day trial and have not purchased a license, onboarding might fail with a Something went wrong message when you click the Enable ZTNA Connector button. Workaround: Refresh the UI to complete the onboarding of the ZTNA Connector feature. |
CYR-37826 | If two or more ZTNA Connector applications have the same FQDN, an Application Custom rule conflict message could display in the SD-WAN portal. Workaround: This message is spurious and can be ignored. |
CYR-37797 | The status page asks you for a one-time password (OTP) after a plugin upgrade. Workaround: Delete the expired license keys, delete the Panorama certificate, retrieve the licenses and verify that the retrieved license keys are valid; then generate the OTP to verify. |
CYR-37755 | If you configure a Wildcard Target in ZTNA Connector, and you try to change the port of an application that was discovered as a result of that target and was added to the FQDN Target, you receive an error that the name is too long. Workaround: While application names can be a maximum of 32 characters long, changing the port number makes the name too long in the ZTNA Connector infrastructure. If you encounter this error, give the application a shorter name. |
CYR-37706 | When using Explicit Proxy, an excessive number of threat logs display. Workaround: Ignore the threat logs. These logs have no impact on Explicit Proxy functionality. |
CYR-37673 | Clicking the Panorama > Cloud Services > Status > Status > Remote Browser Isolation > Active Isolated Session link does not open the Monitor > Subscription Usage page in Prisma Access Cloud Management or Strata Cloud Manager. |
CYR-37466 | If you enable Colo-Connect, do not enable Bidirectional Forwarding Detection (BFD) on your VLAN. |
CYR-37356 | If you renew the App Acceleration license after it has expired (including the grace period for the license), the renewal does not take effect immediately. Workaround: Wait approximately one hour after license renewal before using App Acceleration. |
CYR-37290 | When onboarding a ZTNA Connector, you receive a declaim requested by root error. Workaround: Delete the connector that had the error and create a new one. |
CYR-37227 | The creation of an IP subnet-based Connector Group sometimes fails with a group already exists message, even though the group does not exist. Workaround: Use another name for the IP subnet-based Connector Group. |
CYR-37208 | When using Prisma Access Clean Pipe, the Network Details page (Panorama > Cloud Services > Status > Status > Network Details) does not show Clean Pipe entries. |
CYR-36749 | ZTNA connector flow logs related to netflow may not be visible in the Strata Cloud Manager Log Viewer. |
CYR-34999 | For Panorama Managed Prisma Access tenants, if ZTNA Connectors are onboarded, the Provision Progress for service connections (Panorama > Cloud Services > Status > Status > Service Connections > Provision Progress) shows provisioning progress for both ZTNA Connectors and Service Connections. |
CYR-34720 | GlobalProtect DDNS functionality does not work when using a Panorama running 10.1.x to manage Prisma Access with the Cloud Services plugin. |
CYR-33877 | If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes. |
CYR-33471 | If you enable multi-tenancy, create a new sub tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, and then configure Colo-Connect subnets and VLANs, a partial commit fails with an Unable to retrieve last in-sync configuration for the device error. Workaround: Perform a Commit and Push operation when configuring Colo-Connect for the first time instead of a partial commit. |
CYR-33454 | If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, and then configure Colo-Connect, the option to Commit and Push your changes is grayed out. Workaround: Click Commit > Commit to Panorama, then Commit > Push to Devices, click Edit Selections and make sure that Colo-Connect is selected in the Push Scope; then retry the commit and push operation. |
CYR-33199 | Current user counts and 90 day user counts are not correct for Kerberos authenticated users. |
CYR-33145 | When a Prisma Access license for any service type expires, any Commit All operation fails with a generic Commit Failed error message. Workaround: Make sure that none of your Prisma Access licenses have expired before performing commits. |
CYR-32687 | EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work in decryption policies when Agent or Kerberos authentication is used with Explicit Proxy. Workaround: Use Address objects of type IP Netmask or IP Range, or Address Groups, in the decryption policies. |
CYR-32666 | When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting to a previously saved configuration, you receive errors if the following conditions are present: Workaround: Colo-Connect service connections cannot be onboarded unless their corresponding VLANs are in an Active state. Delete any Colo-Connect service connections before exporting or reverting a Panorama image; then re-create the Colo-Connect service connections after importing the new image. |
CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy. |
CYR-32564 | ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used. Workaround: Perform one or more of the following steps as required: |
CYR-32511 | You can configure IPv6 DNS addresses even if IPv6 is disabled. |
CYR-32431 | When configuring Explicit Proxy, if you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly. Workaround: Refresh the Panorama that manages Prisma Access, then return to the Authentication Settings tab to see the addresses. |
CYR-31603 | ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale. |
CYR-31187 | To use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy. Workaround: When you Commit and Push, make sure that you choose both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push Scope when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect. |
CYR-30966 | When all users are removed from a group, CIE does not sync the empty group to the firewalls. This is expected behavior. Workaround: Delete empty groups from firewall configurations. |
CYR-30414 | If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you can still see both portals in the UI. Workaround: Open a CLI session on the Panorama that manages Prisma Access, enter the following two commands, then perform a local commit on the Panorama:
set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no
request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off |
CYR-30044 This issue is now resolved in Prisma Access 6.0.0. See Prisma Access 6.0.0 Addressed Issues. | Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment. Workaround: Onboard your Explicit Proxy deployment, perform a Commit and Push operation, and then go back and update the EDL in your Block Settings. |
CYR-29964 | Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error. Workaround: Do not reuse CSRs. |
CYR-29933 | Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code": 8, "message": "Too many requests"} error. Workaround: Do not use this API call more than one time per hour. |
CYR-29700 | If you configure multiple GlobalProtect portals in a Panorama Managed Prisma Access multitenant deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error. Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All operations instead of committing on a per-user basis. |
CYR-26112 | If you do not have a Net Interconnect license, all Remote Networks in a theater are fully meshed, but if you haven't onboarded a Service Connection in a theater, the Remote Networks in that theater cannot be reached from Remote Networks in other theaters. Workaround: Either purchase a Net Interconnect license or onboard a service connection in the theater so that its Remote Networks can communicate with other theaters. |
Known Issues for Dynamic Privilege Access
Issue ID | Description |
---|---|
PANG-4870 | On macOS devices that have the Prisma Access Agent installed, if you remove Full Disk Access for the Prisma Access Agent security extension (after granting it previously), the Prisma Access Agent gets stuck in disabled mode. Workaround: Grant access to the security extension by selecting System Settings > Privacy & Security > Full Disk Access and enabling securityExtension in the list of apps. |
PANG-4825 | When configuring forwarding profiles, configuring large numbers of forwarding rules for source applications, destination domains, and IP addresses (routes) can cause high CPU utilization. Workaround: Do not configure more than 100 forwarding rules for source applications, destination domains, and IP addresses. |
NETVIS-1363 | In Insights on Strata Cloud Manager, the Project Connectivity History view in the user details page shows only the project name and no other detail when the Prisma Access Agent user is connected. The Project Connectivity History is blank when the user is not connected. |
NETVIS-1263 | In Insights, the number of connected users listed in the Projects tab might not be accurate. In some cases, the number of connected users in the Projects tab does not match the number of users in the Users tab; for example, when the same user is connected to two projects on different devices. |
NETVIS-1207 | In Insights, the Projects tab does not show all the IP pools that are configured for a project. Only the IP pools that are in use are shown. |
EPM-2954 | User groups that have more than 50,000 users are not supported in the project configuration of Dynamic Privilege Access. Make sure that the user group associated with a project has fewer than 50,000 users. |
EPM-1589 | When configuring forwarding profiles, even though Strata Cloud Manager allows you to configure IP addresses with wildcards, using wildcard characters in destination IP addresses, such as 10.*.*.*, is not supported because it causes inconsistent behavior in forwarding profiles. |
EPM-1399 | Changing a project name in the Projects tab of the Dynamic Privilege Access page in Strata Cloud Manager is not supported at this time. Workaround: To rename a project, delete the existing project and perform an Access Agent push configuration, then create the project with the new name and perform an Access Agent push configuration. |
EPM-646 | On a Prisma Access tenant where Dynamic Privilege Access is enabled, a configuration push fails if you try to push the Prisma Access Agent infrastructure configuration without first configuring any projects. Workaround: Configure at least one project before you push the configuration. |
DRS-4907 | Updates made in the Identity Provider (IdP) are not immediately reflected in the Cloud Identity Engine and the Prisma Access Agent management plane, because the Cloud Identity Engine must sync with the IdP to capture the changes. The Cloud Identity Engine runs sync jobs every 5 minutes, but only when no other sync is in progress. The duration of the sync depends on the magnitude of changes in the Cloud Identity Engine directory: larger or more numerous changes result in a longer sync time. After the sync is complete, it can take up to 15 minutes for the changes to appear in the Prisma Access Agent management plane. |
DRS-4691 | When searching for a user group in Cloud Identity Engine or Strata Cloud Manager using the Text Search option, surround the user group name with double quotes. For example, when searching for a user group named EXAMPLE.User_Group, enter "EXAMPLE.User_Group". |
DRS-4406 | When configuring a project in Strata Cloud Manager, you cannot search for a User group by providing a partial user group name. Workaround: To search for a user group, enter the complete User group name. |
DOCS-7025 | In Dynamic Privilege Access, existing IP pools configured in a project cannot be modified. Workaround: To modify an existing IP pool, delete the existing IP pool in the project and save the project; then edit the project again to add the new IP pool. For example, to change the IP pool from 10.10.10.0/25 to 10.10.10.0/24, delete the existing pool in the project, save the project, and edit the project again to add the new IP pool. |
DOCS-5681 | Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant is not supported in Prisma Access 6.0. Enabling ZTNA Connector on such a tenant can cause routing issues, and service might also be impacted because Strata Cloud Manager does not support the deletion of ZTNA Connector once it has been created. |
DOCS-5611 | When authorizing user group mapping in Cloud Identity Engine for Dynamic Privilege Access and selecting the SAML attributes you want Prisma Access to use for authentication, ensure that you select a Username Attribute that contains /identity/claims/name. If you select the wrong username attribute, your users will not be able to authenticate to their projects. |
DOCS-5463 | Random tunnel disconnects can occur if the Collect HIP Data option is not enabled in the Agent Settings page. Therefore, do not disable Collect HIP Data in the Host Information Profile (HIP) section of the Access Agent Settings page. |
DOCS-3650 | For Cloud Identity Engine authentication to work on a Dynamic Privilege Access enabled Prisma Access tenant, ensure that a user group is not mapped to multiple SAML applications in the identity provider (IdP). If multiple apps are mapped to a user group, Cloud Identity Engine cannot determine which SAML app to connect to during authentication because there is no unique mapping. |
ADI-33262 | On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile User Container > Access Agent configuration push fails if no project has been configured in Strata Cloud Manager. Workaround: Configure at least one project before you push the configuration. |
ADI-31601 | On a Dynamic Privilege Access enabled tenant, Strata Cloud Manager allows you to configure more than 100 IP pools per project, even though this causes the push config to fail with a generic error. Workaround: Do not configure more than 100 IP pools per project. |
ADI-31538 | When setting up a forwarding profile, the forwarding profile Type is displayed as "ZTNA Agent" instead of "Prisma Access Agent". Also, if you select Add Forwarding Profile, the drop-down shows "ZTNA Agent" instead of "Prisma Access Agent". Workaround: None. The forwarding profile type will be changed to "Prisma Access Agent" in the future. |
ADI-31523 | Do not create snippets with descriptions that contain special characters. Snippet descriptions that contain special characters such as ! ~ @ # $ % ^ & * ( ) _ + are not supported. |
ADI-30902 | Strata Cloud Manager uses the user and user group information from a Cloud Identity Engine directory in multiple configurations, such as Dynamic Privilege Access project configurations, Prisma Access Agent settings, security policies, and staged rollout configurations. If you later delete the directory from Cloud Identity Engine without deleting the Strata Cloud Manager configurations that reference those users and user groups, you might encounter unexpected errors, such as "500 Internal Server Error." Workaround: When you remove a directory from Cloud Identity Engine, also delete the Strata Cloud Manager configurations that reference the users and user groups in that directory. |
ADI-29665 | Do not use special characters in project names; otherwise Strata Cloud Manager issues a "Malformed Request" error message when you try to save the project configuration. |
ADI-29434 | In the Agent Settings page in Strata Cloud Manager, the recommended value for the Session timeout is 7 days. |
ADI-29272 | When creating a snippet, if you disable the Add prefix to object names option, ensure that you don't use duplicate agent settings names in two different snippets, since that can result in unexpected behavior. |
ADI-26493 | In Access Agent > Infrastructure Settings in Strata Cloud Manager, the OnPrem DHCP Server option in the Client IP Pool Allocation section is not selectable. This is working as intended, since OnPrem DHCP Server is not supported for Dynamic Privilege Access. This option will be renamed to OnPrem DHCP Server (Preview Only) so that existing Dynamic Privilege Access enabled Prisma Access tenants can function correctly. |