Prisma Access Known Issues
Prisma Access has the following known issues.
| Issue ID | Description |
|---|---|
| AIOPS-11286 | When you have Colo-Connect enabled, cross-connects and connections-related information may not be up to date on subtenants in a multitenant environment. |
| CYR-60741 | To enable Private App Access when using the Explicit Proxy and the ZTNA Connector, currently, you have to onboard a Service Connection (SC). |
| CYR-59509. This issue is resolved in Prisma Access 6.1.0. | After upgrading the Cloud Services plugin from 5.1 to 5.2 or later, the previously configured Roles were not applied to the configuration, even though the configuration appears in the Panorama UI. This condition prevents the administrator from viewing the Cloud Services tab in Panorama. |
| CYR-59494 | The list of Remote Networks on the Remote Networks status page always displays a count of 0 items. |
| CYR-59382 | When onboarding a legacy (non-remote network high performance) site on Panorama, commit fails because of a missing QoS profile. |
| CYR-57699 | When you select dynamic routing for server-initiated traffic, you have to input the peer AS number to complete the configuration. This number is internally set as the private BGP AS 65533. Currently, the UI does not show this AS number, hindering the configuration process. |
| CYR-56125 | If you have a SASE private location configured across multiple tenants, the location does not display in the Strata Cloud Manager UI. |
| CYR-55824 | The following issues are seen with configuring active and passive tunnels for a Remote Network configuration with Site-Based licensing: For a site that uses BGP with active/passive tunnels, configure BGP on the active tunnel and select the BGP config "Same as Primary" on the passive tunnel. |
| CYR-55477 | If you have a site-based license for remote networks, the Status page in Panorama (Panorama > Cloud Services > Status) incorrectly shows the allocated and available Remote Network bandwidth as 0. |
| CYR-55402 | The global portal configuration for internal host detection overwrites internal host detection in the portal agent configuration. If there are multiple agent configurations, it overwrites the very first configuration in the list, not the default; which configuration is affected depends on which one is at the top of the list. |
| CYR-54556. This issue is resolved in Prisma Access 6.1.0. | When using explicit proxy nodes, you must configure at least one domain under Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Authentication settings > Domains Used in Authentication Flow in Strata Cloud Manager. Failing to do so results in a commit failure. |
| CYR-54002 | Geo-location is not functional for dual-stack and IPv6-only deployments. |
| CYR-52233 | When you set up secure inbound access for remote networks, a Bandwidth field displays with fields for site-based licenses, even though your deployment uses aggregate bandwidth. |
| CYR-51257. This issue is resolved in Prisma Access 6.1.0. | Strata Logging Service logs related to ZTNA Connector might not be seen in the Strata Cloud Manager log viewer for FedRAMP deployments. |
| CYR-51157 | Secure Inbound Access is not supported with Remote Networks—High Performance deployments. |
| CYR-51156 | BGP MRAI values are not applied to Remote Networks—High Performance deployments. |
| CYR-50900. This issue is resolved in Prisma Access 6.1.0. | If you select a Mobile Users configuration item and you don't have a Mobile Users license, you might receive an error upon commit. |
| CYR-49816 | The username in XAU within the Connect request won't be normalized to reflect the primary attribute in the directory setting. Instead, it will be the base64-encoded username carried in the authentication JWT token within the request. |
| CYR-49758 | If the request includes a valid JWT token, the parsed username in the JWT will be used instead of the special authentication bypass username inserted by explicit proxy. |
| CYR-49265. This issue is resolved in Prisma Access 6.1.0. | When using Traffic replication, statistics do not display for deployments in the France North region. |
| CYR-48823 | Double decryption isn't supported. Therefore, when sending a CONNECT request over an SSL tunnel, inserting headers in the underlying actual request isn't supported. |
| CYR-48331. This issue is resolved in Prisma Access 6.1.0. | Mobile Users—GlobalProtect users cannot perform an Auto or Transparent upgrade because a security policy is blocking the upgrade. |
| CYR-47807 | After creating filter rules, if you try to assign them to a filter group without selecting OK on the main BGP Filtering widget, the filter rules will not appear in the dropdown selection. |
| CYR-47616. This issue is resolved in Prisma Access 6.1.0. | Increasing the subnet mask on an existing mobile user IP address pool (for example, if you change 10.6.0.0/18 to 10.6.0.0/17), or changing the region of an existing IP address pool, can cause issues for existing connected users. |
| CYR-47139 | ZTNA Connectors are disabled in a ZTNA Connector - Explicit Proxy integration if ZTNA Connector application blocks or connector blocks are configured with RFC 6598 addresses that conflict with Explicit Proxy addresses. |
| CYR-47038 | HTTP header insertion on Remote Networks is not supported when using Proxy Mode on Remote Networks and Source IP based visibility and enforcement is enabled. |
| CYR-46759 | UDP Settings for DNS Queries are not honored in Explicit Proxy. |
| CYR-46627 | Explicit Proxy is not supported if Accept Default Route over Service Connection is enabled. |
| CYR-46445. This issue is resolved in Prisma Access 6.1.0. | A transient error related to port 6081 that was processed on a NAT device caused the ZTNA Connector to go down. |
| CYR-46349 | When using Remote Networks with Explicit Proxy with Traffic Steering in China, do not configure traffic steering rules with URL Category. |
| CYR-46191 | If the Explicit Proxy is configured with Private Application Access enabled and ZTNA Connector is added to the configuration, another commit from Panorama or Strata Cloud Manager might be required. |
| CYR-46093 | If your deployment has implemented the functionality to support up to 25,000 remote networks and 50,000 IKE gateways, aggregate bandwidth usage statistics display "No data for the specified time period" instead of the usage statistics. |
| CYR-45855. This issue is resolved in Prisma Access 6.1.0. | You cannot change the Infrastructure Subnet or the BGP AS number for Remote Networks—High Performance deployments. |
| CYR-45415. This issue is resolved in Prisma Access 6.1.0. | Administrators with read-only or disabled access to the Cloud Services plugin can modify configuration outside of the Cloud Services plugin that affects cloud-services behavior, such as templates, device-groups, removing Cloud Services configuration, uninstalling the cloud-services plugin, and loading configuration files. |
| CYR-44202. This issue is resolved in Prisma Access 6.1.0. | Administrative users with read-only access to the Cloud Services plugin are able to modify the RBI tab. |
| CYR-43425. This issue is resolved in Prisma Access 6.1.0. | You cannot specify Outbound Routes for the Service for service connections if those service connections use RFC 6598 addresses. |
| CYR-43147. This issue is resolved in Prisma Access 6.1.0. | For autoscaled ZTNA connectors, during scale in, existing long-lived sessions handled by the ZTNA connector that is marked for scale in may be dropped prematurely. There should be no impact for new traffic sessions after scale in. |
| CYR-43132 | During sub-tenant creation on Panorama, you cannot configure units for Remote Networks if the Mobile Users configuration is left blank, and vice versa. |
| CYR-42312 | User-ID Across NAT is not supported with Colo-Connect. |
| CYR-42259. This issue is resolved in Prisma Access 6.1.0. | Explicit Proxy Private App Access does not work when RFC 6598 is enabled. |
| CYR-42244 | If you are requesting a Prisma Access gateway name change as part of the Business Continuity for Mergers and Acquisitions feature, the updated FQDN does not display in Strata Cloud Manager or Panorama. |
| CYR-42188. This issue is resolved in Prisma Access 6.1.0. | When using Explicit Proxy Private App Access, DNS over TCP does not function; however, DNS over UDP functions correctly. |
| CYR-42130 | Colo-Connect routing information does not display in the Serviceability Commands area. |
| CYR-42018 | If you have IP Optimization enabled, TLS 1.3 for GlobalProtect is not supported. |
| CYR-41990 | IPv6-to-IPv6 or IPv6-to-IPv4 source or destination traffic does not support the URL filtering actions Continue and Override. |
| CYR-41228 | If you have IP Optimization enabled, you cannot use the SP interconnect feature. |
| CYR-41067. This issue is resolved in Prisma Access 6.1.0. | An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version. |
| CYR-40404 | An FQDN target matching a wildcard might not be discovered for a connector group if the application is not accessible from some of the ZTNA connectors in the connector group. All connectors in a given group should be able to use DNS to resolve the application and to access the application for the application to be auto-discovered in the group. |
| CYR-39795 | After installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) is installed by the __cloud_services user, even though Explicit Proxy is not enabled. |
| CYR-39551 | If you set up Prisma Access Dynamic DNS with an authentication type of TSIG, you should upload a .key file for the TSIG key file. The key file is considered not valid if it has non-ASCII characters in the content. If you provide a .key file for TSIG authentication with non-ASCII characters and you click OK, the error "Please upload a file with the .key extension" displays. |
| CYR-38120 | All available locations do not show up in the list view in the Mobile Users—Explicit Proxy setup page. |
| CYR-37923 | After creating a new URL category, security rule, or EDL, a local Panorama commit is required before using that object in RBI security rule associations. |
| CYR-37887 | If you are using ZTNA Connector as part of the 30-day trial and have not purchased a license, onboarding might fail with a "Something went wrong" message when you click the Enable ZTNA Connector button. |
| CYR-37797 | The status page asks you for a one-time password (OTP) after a plugin upgrade. |
| CYR-37706. This issue is resolved in Prisma Access 6.1.0. | When using Explicit Proxy, an excessive amount of threat logs display. |
| CYR-37356 | If you renew the App Acceleration license after it has expired (including the grace period for the license), the renewal does not take effect immediately. |
| CYR-36749. This issue is resolved in Prisma Access 6.1.0. | ZTNA connector flow logs related to netflow may not be visible in the Strata Cloud Manager Log Viewer. |
| CYR-34720. This issue is resolved in Prisma Access 6.1.0. | GlobalProtect DDNS functionality does not work when using a Panorama running 10.1.x to manage Prisma Access with the Cloud Services plugin. |
| CYR-33877. This issue is resolved in Prisma Access 6.1.0. | If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes. |
| CYR-33471. This issue is resolved in Prisma Access 6.1.0. | If you enable multi-tenancy, create a new sub tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, then configure Colo-Connect subnets and VLANs, a partial commit fails with an "Unable to retrieve last in-sync configuration for the device" error. |
| CYR-33454 | If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, then configure Colo-Connect, the choice to Commit and Push your changes is grayed out. |
| CYR-33199 | Current user counts and 90-day user counts are not correct for Kerberos-authenticated users. |
| CYR-33145 | When a Prisma Access license for any service type expires, any Commit All operation fails with a generic "Commit Failed" error message. |
| CYR-32687. This issue is resolved in Prisma Access 6.1.0. | EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work on decryption policies when Agent or Kerberos authentication is used with Explicit Proxy. |
| CYR-32666 | When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting from a previously-saved configuration, you receive errors if the following conditions are present: |
| CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy. |
| CYR-32511. This issue is resolved in Prisma Access 6.1.0. | You can configure IPv6 DNS addresses even if IPv6 is disabled. |
| CYR-32431. This issue is resolved in Prisma Access 6.1.0. | When configuring Explicit Proxy, if you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly. |
| CYR-31603. This issue is resolved in Prisma Access 6.1.0. | ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details. |
| CYR-31187. This issue is resolved in Prisma Access 6.1.0. | In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy. |
| CYR-30966 | When all users are removed from a group, CIE does not sync the empty group to the firewalls. This is expected behavior. |
| CYR-30414 | If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you are able to see both portals on the UI. |
| CYR-29964. This issue is resolved in Prisma Access 6.1.0. | Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error. |
| CYR-29933. This issue is resolved in Prisma Access 6.1.0. | Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code": 8, "message": "Too many requests"} error. |
| CYR-29700 | If you configure multiple GlobalProtect portals in a multitenant Panorama Managed Prisma Access deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error. |
| CYR-26112 | If you do not have a Net Interconnect license, all Remote Networks in a theater are fully meshed, but if you haven't onboarded a Service Connection in a theater, the Remote Networks cannot be reached from Remote Networks in other theaters. |
Known Issues for Dynamic Privilege Access
| Issue ID | Description |
|---|---|
| NETVIS-1363 | In Insights on Strata Cloud Manager, the Project Connectivity History view in the user details page shows only the project name and no other detail when the Prisma Access Agent user is connected. The Project Connectivity History is blank when the user is not connected. |
| EPM-2954 | User groups that have more than 50000 users are not supported in the project configuration of Dynamic Privilege Access. Make sure that the user group associated with a project has fewer than 50000 users. |
| EPM-1589 | When configuring forwarding profiles, even though Strata Cloud Manager allows you to configure IP addresses with wildcards, using wildcard characters in destination IP addresses, such as `10.*.*.*`, is not supported because it causes inconsistent behavior in forwarding profiles. |
| EPM-1399. This issue is resolved in Prisma Access 6.1.0. | Changing a project name in the Projects tab of the Dynamic Privilege Access page in Strata Cloud Manager is not supported at this time. |
| DRS-4907. This issue is resolved in Prisma Access 6.1.0. | Updates made in the Identity Provider (IdP) are not immediately reflected in the Cloud Identity Engine and Prisma Access Agent management plane. This delay occurs because the Cloud Identity Engine needs to sync with the IdP to capture the changes. The Cloud Identity Engine runs sync jobs every 5 minutes, but only when no other sync is in progress. The duration of the sync process is affected by the magnitude of changes in the Cloud Identity Engine directory, meaning larger or more numerous changes will result in a longer sync time. After the sync is complete, it can take up to 15 minutes for the changes to appear in the Prisma Access Agent management plane. |
| DRS-4691. This issue is resolved in Prisma Access 6.1.0. | When searching for a user group in Cloud Identity Engine or Strata Cloud Manager using the Text Search option, surround the user group name with double quotes. For example, when searching for a user group named EXAMPLE.User_Group, enter "EXAMPLE.User_Group". |
| ADI-33262. This issue is resolved in Prisma Access 6.1.0. | On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile User Container > Access Agent configuration push will fail without first configuring a project in Strata Cloud Manager. |
| ADI-31601 | On a Dynamic Privilege Access enabled tenant, Strata Cloud Manager allows you to configure more than 100 IP pools per project, even though doing so causes the config push to fail with a generic error. |
| ADI-31538 | An issue exists where, when setting up a forwarding profile, the forwarding profile Type is displayed as "ZTNA Agent" instead of "Prisma Access Agent". Also, if you select Add Forwarding Profile, the drop-down shows "ZTNA Agent" instead of "Prisma Access Agent". |
| ADI-31523. This issue is resolved in Prisma Access 6.1.0. | Do not create snippets with descriptions that contain special characters. Snippet descriptions that contain special characters such as ! ~ @ # $ % ^ & * ( ) _ + are not supported. |
| ADI-30902 | Strata Cloud Manager uses the user and user group information from a Cloud Identity Engine directory in multiple configurations, such as Dynamic Privilege Access project configurations, Prisma Access Agent settings, security policies, and staged rollout configurations. After making these configurations, if you delete the directory from Cloud Identity Engine but don't delete the Strata Cloud Manager configurations that reference those users and user groups, you might encounter unexpected errors, such as "500 Internal Server Error." |
| ADI-29665 | Do not use special characters in project names; otherwise, Strata Cloud Manager will issue a "Malformed Request" error message when you try to save the project configuration. |
| ADI-29434 | In the Agent Settings page in Strata Cloud Manager, the recommended value for the Session timeout is 7 days. |
| ADI-29272 | When creating a snippet, if you disable the Add prefix to object names option, ensure that you don't use duplicate agent settings names in two different snippets, since it can result in unexpected behavior. |
| ADI-26493. This issue is resolved in Prisma Access 6.1.0. | In Access Agent > Infrastructure Settings in Strata Cloud Manager, the OnPrem DHCP Server option in the Client IP Pool Allocation section is not selectable. This is working as intended since OnPrem DHCP Server is not supported for Dynamic Privilege Access. This option will be renamed to OnPrem DHCP Server (Preview Only) so that existing Dynamic Privilege Access enabled Prisma Access tenants can function correctly. |