Prisma Access Known Issues
Prisma Access has the following known issues.
Issue ID | Description |
---|---|
CYR-23496 | When a new Explicit Proxy instance is created,
the threat logs may not send device group information. This behavior
can occur in a new deployment or can change in an existing deployment
after a maintenance activity or infrastructure upgrade. Workaround :
Select All instead of a specific Device Group when viewing logs. |
CYR-22879 | In a multi-tenant environment, you cannot
enable the EDL Custom Category End Token Support feature until all your
tenants have had their infrastructure and dataplane upgraded to
meet the requirements for the 3.0 Cloud Services plugin. Workaround :
Wait until all your tenants have had their infrastructure and dataplane
upgraded before enabling the EDL Custom Category End Token Support feature. |
CYR-22759 | You cannot make any configuration changes
in the Advanced tab under Explicit Proxy Settings ( Panorama Cloud Services Configuration Explicit Proxy Settings Advanced Workaround :
There is no workaround. This functionality will be supported in
a future Prisma Access release. |
CYR-22525 | If you install an Innovation release, configure
a feature that is only supported on an Innovation release, and then migrate
from an Innovation to a Preferred release, you receive a commit
validation error after making configuration changes in the Cloud
Services plugin. Workaround : Delete the unsupported feature
by creating a CLI session with the Panorama that manages Prisma
Access in configuration mode and entering the delete plugins cloud_services <feature-name> command,
where <feature-name> is the name of the feature
that is unsupported in the Preferred release. |
CYR-22629 | When using the Egress IP Allow List feature
in Prisma Access, you might experience the following issues when using
the UI:
|
CYR-22201 | When using the Enterprise DLP plugin with
Prisma Access, an uploaded file that matched a Block action on a data
filtering profile was not blocked from being uploaded, along with
an error DLP Skipped: missing boundary m in
the Data Filtering logs. |
CYR-22142 | When configuring QoS for remote networks ( Panorama Cloud Services Configuration Remote Networks Settings QoS None as a QoS Profile. Workaround:
Select a valid QoS profile to enable QoS. None is
an invalid selection. |
CYR-22127 This issue is now resolved
in plugin version 3.0.0-h24. See Prisma Access 3.0.0-h24 Preferred and Innovation Addressed Issues. | When configuring QoS for a newly-added site ( Panorama Cloud Services Configuration Remote Networks Settings QoS Allocation Ratio displays as NaN%. Workaround:
Ignore the invalid display; however, Prisma Access sets the Allocation Ratio for
newly-added remote networks as 0 and you
must change the Allocation Ratio to use QoS
for the new remote network. |
CYR-22043 | In a Mobile User - GlobalProtect deployment,
if you do not enable the allow listing feature when configuring
or onboarding the mobile user deployment, the plugin logs might
display spurious messages similar to the following:
Workaround:
Ignore the plugin messages; these messages do not affect normal
Prisma Access operation. |
CYR-21756 | In a situation where other locations in
the same compute region have had an autoscale event, a newly-onboarded
location might show a Provisioning Status of Not
Provisioned in the Egress IP Allow List table (Panorama Cloud Services Configuration Mobile Users—GlobalProtect Workaround:
Autoscale events affect all the onboarded locations in a compute
location. In this case, it is possible that Prisma Access allocated
more than two IP addresses for the newly-added location, and those
IP addresses were not yet confirmed as allow listed. If you receive
a Provisioning Status of Not Provisioned for
a newly-onboarded location, make sure that all of the IP addresses
that were allocated for that location have been confirmed as allow
listed. |
CYR-21629 | When Prisma Access creates a new compute
location and remaps an existing remote network location to that
new location, if you do not delete and re-add the existing compute location
to take advantage of the latest compute location-to-location mapping,
you cannot view bandwidth statistics for the remapped location. Workaround :
Delete and re-add the remote network location that is associated
with the new compute location. The Service IP Address will change,
so you will have to change the IP address for the IPSec tunnel on your
CPE to the new Service IP Address, and you will need to commit and
push your changes twice (once after you delete the location, and
once after you re-add it). |
CYR-21553 | When configuring more than 63 HIP profiles
in a Mobile Users—GlobalProtect deployment, an error message with multiple
occurrences of the word Error: is received
during commit. Workaround: A Mobile Users—GlobalProtect
deployment supports a maximum of 63 HIP Profiles; do not configure
more than 63 HIP profiles. |
CYR-21138 | Cortex Data Lake failed to reconnect after
a disconnect if a management IP address used for logging had an
IP address assignment type of DHCP. |
CYR-21092 | When you run the API to retrieve Prisma
Access IP addresses with a serviceType of all,
the API times out if your deployment has a large number of Remote
Networks. Workaround: If you have a large number of
remote networks, specify a serviceType of remote_network instead
of all when running the API. |
CYR-20895 | If you have created a remote network deployment
that allocates bandwidth by compute location and then delete the remote
network license, any commit for changes to features that are still
licensed fails with a Failed plugin validation error. Workaround:
Delete the unused remote network configuration by opening a CLI
session with admin-level privileges, entering configure to
enter configuration mode, and then entering delete plugins cloud_services remote-networks.
Then, retry the commit operation. |
CYR-20731 | If the dataplane is not compatible with
the plugin you are running, a generic message indicating that the
Panorama is undergoing maintenance displays in the Panorama
Alert and Plugin Alert fields
in Panorama Cloud
Services Configuration Service Setup |
CYR-20729 | When completing a mobile user setup in a
FedRAMP Moderate deployment and configuring the mobile user IP address
pool, you receive an Operation Failed message
with text that indicates that Prisma Access could not auto-generate
an authentication cookie certificate. In addition, when committing
and pushing your changes, you receive a validation error related
to a cookie decryption certificate. Workaround : Create
a signed certificate and apply it to the Mobile Users—GlobalProtect
configuration by completing the following steps:
|
CYR-20496 | If you are using a Panorama of version
10.0 or lower, and you configure an invalid destination port
value anywhere in Panorama (for example, in Objects Services Non digit value. Workaround:
Fix the invalid port configuration, then retry the commit-all operation. Panoramas
running 10.1 or later do not allow you to configure an invalid destination
port value. |
CYR-20348 | When upgrading from Prisma Access 2.1 to
2.2, a local Commit to Panorama or Validate
Changes request fails with the message domain-list unexpected here . |
CYR-19983 | If you Enable IPv6 ,
select the compute locations in IPv6 Availability ,
commit and push your changes, then deselect Enable IPv6 ,
the selections you made in the IPv6 Availability tab
become deselected. Workaround : Re-select the compute locations
in the IPv6 Availability tab. |
CYR-19975 | When you Enable IPv6, a window displays
asking you to enable Telemetry Data Collection. Workaround :
Click Remind Me Later to dismiss the window. |
CYR-19888 | If you have applied QoS to your remote network deployment
but have not yet committed and pushed your changes, the QoS statistics
screens display blank information. Workaround : Commit
and Push your QoS changes for the QoS statistics to display. |
CYR-19653 | When using Explicit Proxy, if the
following conditions exist, mobile users might experience issues
with CORS requests and non-decrypted traffic:
Workaround:
Clear your browser's cache to re-authenticate with the ACS. |
CYR-19646 | BGP addresses ending with .0 or .255 are
not allowed to be entered in the UI as peer BGP addresses for service connections
or remote networks, regardless of the subnet being used. Workaround:
Use CLI commands to enter the .0 or .255 address by logging in to
the Panorama that manages Prisma Access and entering one of the
following commands:
set plugins cloud_services service-connection onboarding <sc-name> protocol bgp peer-ip-address <ip-address>
set plugins cloud_services remote-networks onboarding <rn-name> protocol bgp peer-ip-address <ip-address>
where <sc-name> or <rn-name> is
the name of the service connection or remote network connection. |
CYR-19598 This issue is now resolved
in plugin version 3.0.0. See Prisma Access 3.0.0 Preferred and Innovation Addressed Issues. | When using explicit proxy, some users might experience
an issue where some websites are not able to be accessed after the
Authentication Cache Service (ACS) Cookie Lifetime has expired.
This condition can persist for up to five minutes. Workaround :
Browse a different website to re-authenticate to ACS and refresh
the ACS cookie. |
CYR-19503 | IP precedence-based classification is not
working for Prisma Access, when using either IPv4 or IPv6 IP addresses. |
CYR-19487 | When you enable IPv6 for a single tenant
in a multi-tenant deployment, the UI page refreshes and displays the Cloud Services Configuration |
CYR-19350 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | When any change is made to an authentication
profile, the LDAP server or local user database in a shared context removes
the user group mapping information from Prisma Access. |
CYR-19282 | When configuring mobile user DNS settings
in the Network Services tab, you should not
enter Custom DNS Server IP addresses (either
IPv4 or IPv6) without also specifying a Domain List. Workaround:
Specify a Domain List. |
CYR-19198 | If you add an IPv6 address pool to your
Mobile Users—GlobalProtect deployment, select the regions to Enable
IPv6 in the IPv6 Availability tab, and Commit
and Push your changes, the pools appear in the IPv6
Availability tab. If you then disable all regions, effectively disabling
IPv6, and then Commit and Push your changes, the
IPv6 address pools still display in the IPv6 Address Pool tab. Workaround :
There is no workaround. If you later enable IPv6 for one or more
regions, you can use the existing IPv6 address pool. You can also specify
a different IPv6 address in the IP Pools and,
after you commit and push your changes, the new IPv6 Address pool
overwrites the existing addresses and displays in the IPv6 Availability
tab. |
CYR-19099 | When viewing or changing QoS settings for
Remote Networks in Panorama Cloud Services Configuration Remote Networks Settings QoS In addition, a newly-onboarded
location does not display in the Site Allocation (Customize Per
Site) page. Workaround : Refresh the Panorama that manages
Prisma Access. |
CYR-19093 | In a multi-tenant deployment, you receive
a Configuration committed successfully message
along with a Not all Commit-All jobs got triggered message. Workaround:
Select Commit > Commit and Push > Edit Selections,
and in the Prisma Access tab, make sure that
the Push Scope includes the changes you made
for the Prisma Access configuration. Depending on the changes you
made, select one or more of the Remote Networks, Mobile
Users, Service Setup, and Explicit Proxy choices. |
CYR-19030 | If you are sinkholing IPv6 traffic, the
policy rule hit counts for traffic that matches the IPv6 sinkhole
policy do not increment when entering the CLI command show
rule-hit-count vsys vsys-name vsys1 rule-base security rules all . |
CYR-19017 | IPv6-related choices under Cloud Services Configuration Service Connection BGP Workaround :
If you do not have IPv6 enabled, do not select the Exchange
both IPv4 and IPv6 routes over IPv4 peering , Exchange
IPv4 routes over IPv4 peer and IPv6 routes over IPv6 peer ,
and Exchange IPv6 routes over IPv6 peering BGP
peering choices. |
CYR-18757 | In a multi-tenant deployment, admin users
that have more than one access domain cannot configure new remote networks
or service connections, and can only view what is already deployed. Workaround :
Create the access domain first, then select the access domain you
created when you convert the single tenant to a multi-tenant setup. |
CYR-18234 | When you select Integrate with
Prisma SD-WAN , the integration fails. |
CYR-18157 | When downloading a large file (including
but not limited to programs, browser extensions, or apps) using Explicit
Proxy, if the download takes longer than the cookie lifetime, the
download fails when the cookie expires. |
CYR-18156 | If, after signing in to Explicit Proxy,
you open a link that contains a file to download, the file downloads
successfully but the Explicit Proxy sign-in page continues to display. Workaround :
Since the link contained a downloaded file, there is no page to
display and the current page does not refresh. Select another webpage
to navigate away from the sign-in page. |
CYR-17868 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When attempting to retrieve Logging Status information
from Troubleshooting Commands ( Panorama Cloud Services Configuration Service Setup Service Operations Troubleshooting Commands All locations or All remote
networks, the request times out. Workaround: The issue
might be with one or more locations or remote networks being slow
to respond. Try selecting a single mobile user location or remote network. |
CYR-17848 | If you are using a Panorama with a version
of PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote Network
deployment from allocating bandwidth by location to allocating bandwidth
by compute location, the migration banner displays the location
names in an incorrect (large) font. Workaround : No
workaround is required. There is no change to the migration functionality;
the only issue is with the font displayed during the migration. |
CYR-17826 | When using Troubleshooting Commands ( Panorama Cloud Services Configuration Service Setup Service Operations Troubleshooting Commands |
CYR-17739 | When configuring an Explicit Proxy deployment,
if you onboard your deployment, then retrieve the Explicit Proxy public
IP addresses, you will receive the active IP addresses to add to
your allow list, but will not receive the pre-allocated backup IP
addresses. Workaround : Retrieve the Explicit Proxy IP
addresses before you onboard your deployment by specifying an addrType of all and
a location of all . |
CYR-17710 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | When using DLP to check a downloaded .xlsx
file, the original size of the file is below the maximum DLP file
size. However, after the file is extracted, the file size exceeds
the maximum file size for DLP and a 400 Bad request error
is received. |
CYR-17402 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | Remote networks that aggregate bandwidth
by compute location instead of by location cannot be onboarded in
bulk by exporting, modifying, and then importing a CSV file. |
CYR-17077 | If you delete an explicit proxy configuration
and then reconfigure it within 10 minutes of its deletion, Prisma
Access cannot properly process the new configuration and explicit proxy
functionality could be affected. Workaround : Wait at
least 10 minutes after deleting an explicit proxy configuration
before reconfiguring it. |
CYR-17066 This issue is now resolved
in plugin version 2.0.0-h3. See Prisma Access 2.0.0-h3 Innovation Addressed Issues. | In a multi-tenant deployment, exception
errors are displayed because of inconsistent internal database entries. |
CYR-17024 | When using Panorama 10.x to manage Prisma
Access, if you configure an Authentication Enforcement Profile under Objects Authentication Workaround:
If you use a Panorama 10.x to manage Prisma Access, do not
use a shared Authentication Profile for any Authentication Enforcement
Profile; instead, use an Authentication Profile that is under one
of the Prisma Access Templates. |
CYR-16965 | When using explicit proxy, there could be
a delay when displaying user details under Current User Count due
to a log ingestion issue between explicit proxy and Cortex Data
Lake. |
CYR-16801 This issue is now resolved
in plugin version 2.0.0-h6. See Prisma Access 2.0.0-h6 Innovation Addressed Issues. | When using explicit proxy, large HTTP file
downloads are frequently interrupted. Workaround :
Keep resuming the download until the file is completely downloaded.
This issue is not seen when downloading HTTPS files. |
CYR-16789 | When performing a local commit or Commit
and Push operation, you receive the error Internal Server Error: Failed to aggregate bandwidth configuration. Workaround:
Check the DNS configuration of the Panorama appliance that manages Prisma
Access, and check that Panorama is able to contact your network's
DNS servers, then retry the operation. |
CYR-16735 | If, during Explicit Proxy onboarding, you
onboard a large number of locations, the Explicit Proxy status might display
incorrectly (for example, a status of ERROR might display
when the onboarding was successful). |
CYR-16674 | If you change the Explicit Proxy URL in
Prisma Access but do not change the PAC file to reflect the change,
the change won't be applied. Workaround : Upload a new
PAC file with the same changes as you made in the Explicit Proxy URL. |
CYR-16673 | If you change the proxy FQDN, the changes
are not immediately reflected after the job status completes. Workaround:
Wait 10 to 15 minutes for the changes to be reflected
after the Job status shows as Completed on Panorama. |
CYR-16664 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | If Directory Sync is enabled for explicit
proxy, the current user count displays as 0, but the 90 days count displays
correctly. |
CYR-16662 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When in multi-tenant mode, an empty field
displays in the Push Scope. |
CYR-16642 | A delay is observed in populating the
Rule Usage column on the Policies page. Workaround:
Refresh the page by clicking the refresh button on the right
side. In addition, the Preview Rules tab does not display
the Rule Hit counters. Workaround: Click the Used link
in the Rule Usage column to display the Rule
Hit count for the rule. |
CYR-16615 | The maximum length of a URL that can be
used with explicit proxy is 1280 characters. |
CYR-16583 | WildFire logs show explicit proxy logs as
having a source zone of Proxy. If you use a name of Proxy for Clean Pipe
instances or remote networks, you will not be able to differentiate
between explicit proxy logs and logs with the clean pipe or remote
network name of Proxy. Workaround : If you use explicit
proxy, do not specify a name of Proxy for any Clean Pipe instances
or remote networks. |
CYR-16580 | The Panorama Cloud Services Status Monitor Mobile Users Explicit Proxy |
CYR-16549 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | After a commit and push operation, jobs
either become stuck in init state or
fail to complete. Workaround: The issue might be with
an EDL update being processed at the same time as the commit operation.
To work around the issue, select Objects External Dynamic Lists Check for updates setting from Every
five minutes to Hourly or later. |
CYR-16351 | When using Explicit Proxy, initial DNS Queries
(first leg) and Initial HTTP connect messages (first logs) are not seen
in the traffic logs in Panorama. |
CYR-16284 | When you enter the show pbf extended-address
all command to retrieve the traffic steering cache, an
FQDN displays with an asterisk, such as *.example.com. Workaround:
No workaround is required. The displayed FQDN is correlated to the
FQDN server that presented the certificate. |
CYR-16130 | When configuring a Mobile Users - GlobalProtect deployment
using SAML authentication, you receive a pangp.gpcloudservice.com is missing certificate error
when you commit your configuration changes. Workaround:
Add the missing certificate in your SAML IdP configuration by selecting Device Mobile_User_Template Authentication Profile |
CYR-16097 | A webpage may contain links to resources
from domains other than the domain from which the webpage is served.
Most modern browsers do not send any cookie along with the requests
to get the resources from those third-party domains, for security
reasons. Since there is no cookie present to identify the user for
those third-party domains, the user name cannot be logged in the
traffic logs for those domains. In addition, there will be
some connections that Prisma Access redirects for authenticating
a user. Logs for such connections will not have any username. |
CYR-16073 | When using traffic steering, if you specify
an External Dynamic List that has an IP address and port, traffic is
not forwarded to the target. Workaround: Remove the
port number from the IP address. |
CYR-16015 | When using explicit proxy, if you update
the cookie lifetime to a shorter lifetime than the previously configured value,
the new lifetime value does not apply to users who are already logged
in until the original longer lifetime expires. New users logging
into the service receive the new shorter cookie lifetime. |
CYR-15926 | Explicit proxy configuration changes are
not applied to the configuration after a commit. Workaround :
If you are not seeing the changes after retrying the commit operation,
contact Palo Alto Networks support. |
CYR-15874 | IdP authentication failures cause an internal
server error message to be displayed to the mobile user. |
CYR-15792 | If, when configuring Explicit Proxy, you
upload a PAC file before committing and pushing your configuration changes,
the PAC file configuration changes are not correctly processed. Workaround :
Commit and push your configuration changes before uploading the
PAC file. |
CYR-15338 This issue is now resolved
in plugin version 3.0.0-h24. See Prisma Access 3.0.0-h24 Preferred and Innovation Addressed Issues. | In a multi-tenant environment, tenant names
with a period ( . ) in the name cause configuration tabs to be
grayed out after commit. Workaround: Do not create
tenants that have a period in their name. |
CYR-15333 | After removing LDAP group mapping configuration, Prisma
Access lost group mapping retrieved from Directory Sync. |
CYR-15267 | When administrators log out a mobile user
who is logged in using SAML from the Prisma Access status page ( Panorama Cloud Services Status Status Current Users |
CYR-15099 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | When you create a traffic steering rule,
Prisma Access does not auto-populate the Source User, Dynamic User Group,
External Dynamic List (EDL), or custom URL category in the user
interface. Workaround: Open a CLI session with the Panorama
that manages Prisma Access, enter configuration mode, and enter
the set plugins cloud_services multi-tenant tenants tenant-name pbf rules traffic-steering-rule source [ enabled |
[ action [ forward | no-pbf ]]
| [ category custom-url-category |
[ destination [DAG dag-name ]]
| [service [any | service-http | service-https | other-value ]]
| [ source source-options ]
| [ source-user source-user-name ]]
to have the shared objects available for selection. |
CYR-15095 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | When using Panoramas with a version of 10.0
to manage Prisma Access, if you reference an EDL with a Type of
Predefined URL List in a security policy rule, commits fail with
an error indicating a disallowed keyword, invalid reference, or
invalid category. Workaround : Dereference the EDL in
the security policy. |
CYR-15091 | Extra IPSec termination nodes are allocated
to a compute location if you allocate bandwidth multiple times in
a very short time interval. |
CYR-15042 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | Auto-population of users and user groups
from a master device is not supported in multi-tenant mode. |
CYR-14997 | When you allocate Bandwidth to a compute
location from the Onboarding section, that allocation is not reflected immediately
in the Bandwidth Allocation tab until you manually refresh the page. Workaround :
Manually refresh the Panorama that manages Prisma Access. |
CYR-14937 | When you upgrade the Cloud Services plugin
and then perform a commit operation, not all Prisma Access components
are selected in the Push Scope. Workaround: Select Commit > Commit and Push > Edit Selections in
the Push Scope, and make sure that all Prisma
Access components (Service Setup, Remote
Networks, Mobile User, and Clean
Pipe, depending on your license) are selected before
committing and pushing your changes. |
CYR-14984 | When you change the name of a target service connection
group for traffic steering, the updated target name does not display
in the Traffic Steering Rules area. Workaround : Refresh
the Panorama browser. |
CYR-14980 | If you use IKEv2 with certificate-based
authentication, only SHA1 is supported in IKE crypto profiles (Phase
1). Workaround : Use an IKEv2 (Phase 1) cryptographic
profile of SHA1 on your customer premises equipment and in Prisma
Access. |
CYR-14902 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | If you allocate bandwidth when onboarding
a remote network location and then reselect the same location or choose
another location in the same compute location without clicking OK,
the allocate bandwidth window redisplays. Workaround:
Click OK after allocating compute location bandwidth
when onboarding a remote network location. |
CYR-14876 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | If you edit traffic steering rules or enable
a default route over service connections after you migrate from
single tenant to multi-tenant mode, the push scope for Prisma Access
Device Groups is not populated. Workaround: Select Commit > Commit and Push > Edit Selections in
the Push Scope, and make sure that you select
all device groups (Service Setup, Remote
Networks, Mobile User, and Clean
Pipe, depending on your license) before committing and
pushing your changes. |
CYR-14816 | If a service connection loses both its active
and backup connectivity, mobile users lose connectivity to users
and resources connected to Remote Networks and Service Connections. |
CYR-14754 | If you have two Panorama appliances configured
in high-availability mode, the passive Panorama will display an out of sync message during
a commit and push operation. Workaround: Open a command-line interface
(CLI) session on both the passive and active Panorama and enter
the following commands:
username@hostname> debugmd5sum_cache clear
username@hostname> configure
username@hostname# commit force |
CYR-14728 | Prisma Access bypasses Traffic Steering
for rules with a service type of HTTP or HTTPS if you use an application override
policy for TCP ports 80 and 443. In addition, traffic steering
does not work for URLs from URL categories referenced in the traffic
forwarding rule if you have configured an application override policy
for TCP ports 80 or 443. |
CYR-14727 | Mobile user route summarization is not supported
in hot potato routing mode. |
CYR-14693 | When using hot potato routing, Mobile User
route summarization may add extra latency for traffic between mobile
users and headquarters or branch traffic. |
CYR-14673 | After you create a traffic steering rule
with an IP address, IP address group, EDL, or custom URL category
as a Shared object, make changes to any of those objects, and then
commit and push your changes, only the Shared object displays in
the Push Scope. The Prisma Access device groups are not displayed
in the Push Scope. Workaround: Select Commit > Commit and Push > Edit Selections in
the Push Scope, and make sure that you select
all device groups (Service Setup, Remote
Networks, Mobile User, and Clean
Pipe, depending on your license) before committing and
pushing your changes. |
CYR-14613 | When adding or deleting URLs to a custom
URL category, Prisma Access does not purge its cache, and the change
does not immediately take effect. Workaround : Perform
one of the following actions:
|
CYR-14603 | To make sure that Prisma Access can distinguish between
users if the same username is shared between users who authenticate
locally and users who authenticate using LDAP, you should authenticate
LDAP users in the format of domain/username and authenticate local
users in the format of username (without the domain name). |
CYR-14584 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | UDP packets that Prisma Access receives
between 1439 and 1500 bytes are dropped in some situations (for example,
if NAT Traversal is enabled). Workaround : Reduce the
MTU size on your customer premises equipment to 1400 or below. |
CYR-14383 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using an antivirus profile attached
to a security policy rule, files are not being scanned during an
FTP session. |
CYR-14382 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using WildFire in remote network deployments,
if you upgrade your Prisma Access dataplane to a version of 10.0.3
or later, you cannot retrieve the latest WildFire signatures in
real-time. Prisma Access uses its default method of updating WildFire
signatures every five minutes. |
CYR-14278 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you make changes to traffic steering
forwarding rules, then commit and push your changes, your changes
do not appear in the Push Scope. Workaround : Modify
the Push Scope by clicking Edit Selections ,
then selecting the device group or groups you changed (Service
Setup , Remote Networks , Mobile
Users , or all three). |
CYR-14277 | Do not create any custom URL categories
that start with GPCS-, gpcs-,
or custom_url_category_pbf. |
CYR-14259 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you create a traffic forwarding rule
for traffic steering, predefined URL categories might display as
choices along with custom URL categories. Workaround :
Predefined URL categories are not supported; do not select them
when configuring a traffic forwarding rule for traffic steering.
Select custom URL categories instead. |
CYR-14110 | If Panorama access is disabled in an Admin
Role Profile, you can still see the contents of the plugin, but
the fields are read-only. |
CYR-13823 | When you upgrade the Cloud Services plugin
to 1.7, Prisma Access prepends an asterisk to URLs in custom URL categories,
if you use this category in a traffic steering forwarding rule.
If you use the same URL category policies for both traffic steering
and other security policy rules, these changes apply to both the
traffic steering rules and other security policy rules. If
you have custom URL categories that are not used in traffic steering
forwarding rules, Prisma Access does not change the URLs in those
categories. |
CYR-13822 | Prisma Access prepends an asterisk to URLs
in custom URL categories, which doubles the number of URLs entered
in a custom URL category. Prisma Access supports a maximum of 300,000
URLs in URL category entries; if you use custom URLs for traffic
steering and are close to this limit, the doubling of URLs might
cause your deployment to exceed the limit of URLs. |
CYR-13772 (This issue is now resolved in plugin version 1.8.0. See
Prisma Access 1.8 Addressed Issues.) | External Dynamic Lists (EDLs)
are not supported when using traffic forwarding rules to direct
internet-based traffic to service connections. Workaround: Use
IP-based EDLs only. |
CYR-13751 | If you used policy-based forwarding rules
to forward internet-bound traffic to service connections in Prisma
Access 1.6, Prisma Access makes the following additions to URLs
in custom URL categories after you upgrade from 1.6 to 1.7:
If you have already added URLs with wildcards, Prisma Access might
add URLs that duplicate existing URLs after the upgrade. |
CYR-13702 (This issue is now resolved in plugin version 2.1.0. See
Prisma Access 2.1.0 Innovation Addressed Issues.) | When you select
Panorama > Cloud Services > Status > Monitor > Cortex Data Lake, the
page shows No data to display, even though Cortex Data Lake is working
normally. Workaround: Select the Table view icon on the top right side
of the page to view the statistics in a table instead of the Gauge
view. |
CYR-13662 | After you make configuration changes to an existing
service connection or remote network connection (for example,
changing the bandwidth, region, QoS, or BGP values), the job details
in the Deployment Status page (Panorama > Cloud Services > Status >
Status > Deployment Status) details |
CYR-13652 (This issue is now resolved in plugin version 1.8.0. See
Prisma Access 1.8 Addressed Issues.) | If you configure traffic
steering (using PBF rules to forward internet-directed traffic using
a service connection) in multi-tenancy mode, the Target Service
Connections do not display in the policy-based forwarding rule.
Workaround: Refresh the browser, then recreate Target Service
Connections for Traffic Forwarding and the PBF rule. |
CYR-13612 | Prisma Access does not support FTP data
transfers in active mode. |
CYR-13511 | When Prisma Access performs a dataplane
upgrade on a mobile user instance (an upgrade to a Prisma Access gateway
or portal), any failed commits on the instance that were performed
before the upgrade will not be applied to the upgraded instance. |
CYR-13370 (This issue is now resolved in plugin version 2.0.0. See
Prisma Access 2.0 Innovation Addressed Issues.) | External Dynamic
Lists (EDLs) are not supported when using traffic forwarding rules to
direct internet-based traffic to service connections. Workaround: Use
IP-based EDLs only. |
CYR-13317 | During a Prisma Access dataplane upgrade,
BGP statistics may not be available for 30 minutes in the Network Details
page. This unavailability has no impact on dataplane traffic. |
CYR-13290 (This issue is now resolved in plugin version 1.8.0. See
Prisma Access 1.8 Addressed Issues.) | If you are using URLs or URL
categories as match criteria in a policy-based forwarding rule for
traffic steering, the initial packets (for example, a TCP handshake)
intermittently do not match the rule for users who connect to a
matching URL for the first time. |
CYR-13179 | If you use Microsoft Edge or Firefox when using traffic
steering, the browser does not forward traffic on its first attempt.
Workaround: Refresh the browser, then retry the operation. |
CYR-12912 | If, in a traffic steering deployment with
multiple traffic forwarding rules, two URLs in two separate rules
resolve to the same IP address, Prisma Access sends traffic to the
first rule in the list and will not use the second traffic rule.
Traffic steering evaluates multiple traffic forwarding rules in
order from top to bottom. |
CYR-12700 | For a Prisma Access deployment with two Panoramas
configured in high availability, you are able to request an upgrade
to the GlobalProtect software version on the passive Panorama.
Software upgrade requests are not applied if you request them on the
passive Panorama. Workaround: Do not request software upgrades on the
passive Panorama; only request upgrades using the active Panorama. |
CYR-12509 | When using traffic steering, Palo Alto Networks
does not recommend using multiple service connections (whether dedicated
or non-dedicated) in a target service connection group that is referenced
in a traffic steering rule. |
CYR-12166 | Prisma Access does not support a rule type
of Intrazone if the source and destination zones are both Trust. |
CYR-11496 | If you enable ECMP on a remote network, the values shown
in the Statistics tab under Panorama > Cloud Services > Status >
Monitor > Remote Networks > Ingress Peak Bandwidth (Mbps) are correct;
however, if you click the hyperlink for this value, the pop-up window
that displays might show an incorrect value. |
CYR-11414 | When creating a new mobile user deployment
in multi-tenant mode, you receive an error that the Portal Hostname
is not available when you assign it during mobile user onboarding. Workaround: Before
you begin your mobile user configuration, add an Infrastructure
Subnet, commit all your changes to Panorama, and push the configuration
changes to Prisma Access. |
CYR-11201 | Some files are being skipped for DLP scanning
when using OneDrive to upload multiple files. |
CYR-11087 | When using DLP on Prisma Access, you can
upload up to 25 files at a time. |
CYR-11019 | When attaching a parent Device Group to
a new remote network tenant in multi-tenant mode, the administrator
is unable to attach device groups and templates. Workaround: Log
out, then log back in to Panorama. |
CYR-10909 | If you use Box to upload multiple files,
and one or more of the files are larger than 5 MB, the upload of
all files will not complete. To continue, find the files in Box
that are larger than 5 MB and click X to
stop the download of those files. |
CYR-10623 (This issue is now resolved in plugin version 2.0.0. See
Prisma Access 2.0 Innovation Addressed Issues.) | When you check the
status in a multi-tenant deployment by selecting Panorama > Cloud
Services > Status, the All Tenants area displays twice. |
CYR-10445 | DLP on Prisma Access is not supported in
a Prisma Access multi-tenant deployment. |
CYR-10387 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | If you have DLP on Prisma Access enabled
for more than one Prisma Access instance in a single Customer Support
Portal (CSP) account, data filtering profiles are synchronized across
all instances. This behavior can result in unexpected consequences;
for example, the deletion of a custom data pattern or data filtering
profile for one instance does not delete that pattern or profile
for other instances in the CSP account. For this reason, Palo Alto
Networks recommends that you move each Prisma Access instance to its
own CSP account. |
CYR-10053 | If you change the master key in Panorama (in Device >
Master Key and Diagnostics), the master key for Cloud Services is not
synchronized with this master key. Workaround: Select Panorama > Cloud
Services > Configuration > Service Setup > Service Operations > Edit
Master Key |
CYR-10044 | When using Slack to upload multiple files,
the Slack client treats the multiple file upload as a single request.
If one of the files is not successfully uploaded, Slack retries
the upload of all files a maximum of three times. If, after three retries,
Slack cannot upload one or more of the files, the Slack client displays
an error in the UI and doesn't upload any of the files. |
CYR-10043 | When you upload a file using Slack, and
the file is blocked, Slack detects the block operation as an upload failure
and retries the file upload, which results in the same file being
uploaded and blocked twice. Workaround: This is normal
Slack file upload behavior. Be aware that a single file that is
uploaded using Slack might appear twice in the data filtering logs
as being blocked. |
CYR-9613 | When you delete a data filtering profile
from a Prisma Access device group that is not shared, the profile
name still appears when you add or configure a Security Profile
Group, in the Data Filtering Profile area. |
CYR-9455 | In a GlobalProtect deployment where the
portal has multiple agent configs, when a GlobalProtect client logs
in using the app, the portal looks for a matching agent config for
the client by checking its OS type along with the config selection
criteria. The agent configs are checked from top to bottom. If the
OS type matches, but the config selection criteria does not, GlobalProtect
marks the agent config as non-matching and moves to the next agent
config to check for a match; however it no longer checks the OS
type in these agent configs, and only looks for a match of the config selection
criteria. This condition can cause the client to receive an agent
config that has matching config selection criteria, but a non-matching
OS type. |
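To make the selection order in CYR-9455 concrete, the following is an added example (not Palo Alto Networks code) that models the agent-config matching the issue describes next to the matching an administrator would expect; the config names, OS types and the "group" selection criterion are constructed for illustration.

```python
# Added example (not Palo Alto Networks code): a small model of the GlobalProtect
# portal agent-config selection described for CYR-9455. Config names, OS values
# and the "group" selection criterion are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentConfig:
    name: str
    os_type: str          # "Windows", "Mac", "Linux", ... or "Any"
    group: Optional[str]  # config selection criterion; None matches every user


def os_matches(cfg: AgentConfig, client_os: str) -> bool:
    return cfg.os_type == "Any" or cfg.os_type == client_os


def criteria_match(cfg: AgentConfig, client_group: str) -> bool:
    return cfg.group is None or cfg.group == client_group


def select_expected(configs, client_os, client_group) -> Optional[str]:
    """Top-to-bottom match that requires both OS type and selection criteria."""
    for cfg in configs:
        if os_matches(cfg, client_os) and criteria_match(cfg, client_group):
            return cfg.name
    return None


def select_as_described(configs, client_os, client_group) -> Optional[str]:
    """Top-to-bottom match as the issue describes it: once a config matches the
    OS type but not the selection criteria, later configs are tested on the
    selection criteria only, so the OS type is no longer enforced."""
    enforce_os = True
    for cfg in configs:
        if enforce_os and not os_matches(cfg, client_os):
            continue
        if criteria_match(cfg, client_group):
            return cfg.name
        # OS matched (or was no longer being checked) but the criteria did not:
        # from here on only the selection criteria are evaluated.
        enforce_os = False
    return None


def mismatched_os(configs, client_os, client_group) -> bool:
    """True when the described behaviour hands the client a config whose OS
    type does not match: the condition the issue warns about."""
    name = select_as_described(configs, client_os, client_group)
    if name is None:
        return False
    cfg = next(c for c in configs if c.name == name)
    return not os_matches(cfg, client_os)


# Constructed portal with two agent configs, checked top to bottom.
PORTAL_CONFIGS = [
    AgentConfig("windows-sales", "Windows", "sales"),
    AgentConfig("mac-engineering", "Mac", "engineering"),
]

if __name__ == "__main__":
    # A Windows user in the engineering group: the first config matches the OS
    # but not the group, so the second config is chosen without an OS check.
    print(select_expected(PORTAL_CONFIGS, "Windows", "engineering"))      # None
    print(select_as_described(PORTAL_CONFIGS, "Windows", "engineering"))  # mac-engineering
```

Running `mismatched_os` over the OS and group combinations your user base actually has is a quick way to see which config orderings can produce the mismatch before a user reports it.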
CYR-9348 | When configuring HIP redistribution, you
cannot retrieve HIP information and set policies for the following
use cases:
|
CYR-9213 | When using DLP on Prisma Access, when you
upload a .docx file using SharePoint that was exported from Google Docs,
the upload fails. |
CYR-9183 | When setting up the GlobalProtect gateway connection
settings (Network > GlobalProtect > Gateways > Agent > Connection
Settings > Restrict Authentication Cookie Usage), the commit fails if
only a Source IPv4 Netmask is specified. Workaround: Specify a Source
IPv6 Netmask of 0, which disables the option for the specified IP
address type. |
CYR-9061 | If using Slack, Box, or Gmail to upload
a file using DLP on Prisma Access, the response page is not displayed
to the client if the upload is blocked. |
CYR-9003 | Reverse DNS queries do not work in Prisma Access. Workaround: Because
type A and AAAA queries for internal domains work, you can specify *.in-addr.arpa in
a query so that Prisma Access sends all reverse DNS queries to internal
DNS servers. |
CYR-8244 | When performing a Commit and Push operation for the Clean
Pipe service, you receive an error that the Clean Pipe service had
insufficient license resources, even though you have sufficient
licensed bandwidth. Workaround: Select Panorama > Licenses > Retrieve
license keys from license server to retrieve the Clean Pipe licenses
again. |
CYR-8017 | If you add an existing template under one of the template
stacks of Prisma Access (for example, Service_Conn_Template_Stack,
Mobile_User_Template_Stack, or Remote_Network_Template_Stack), you
cannot use objects of the added template in other Prisma Access
templates that are part of the same template stack. Previously, you
could view and use objects from existing templates in Prisma Access
templates if the templates were a part of a Prisma Access-specific
template stack, which is not standard Panorama behavior. |
CYR-7907 | In multi-tenant mode, Prisma Access automatically creates
a set of templates, template stacks, and device groups for each
tenant you create for remote networks, mobile users, and the Clean
Pipe service. Prisma Access creates tenant-specific sets for all
products, even if you are licensed for only one Prisma Access type. When
you delete a tenant, Prisma Access deletes the template and device
group set for which you are licensed, but does not delete the unlicensed
set. For example, if you have a remote network deployment and delete
a tenant, Prisma Access does not delete the set it created for the
mobile users and Clean Pipe. Workaround: Manually
delete the unused, unlicensed set of templates, template stacks,
and device groups after you delete a tenant. |
CYR-7900 | The Traffic Forwarding feature (Panorama > Cloud Services >
Configuration > Service Setup > Settings > Traffic Forwarding |
CYR-7702 | When you log out a Prisma Access mobile user from the
Current Users window, the user still displays in the window after the
logout operation. Workaround: Close and then reopen the Current Users
window to show the correct user status. |
CYR-7440 | If you have two Panoramas set up in an active-primary and
passive-secondary setup for Prisma Access, you cannot log out mobile
users from the passive-secondary Panorama. |
CYR-7332 | When you try to configure an Infrastructure Subnet
(Panorama > Cloud Services > Configuration > Service Setup >
Settings), you receive an Operation Failed message. Workaround:
Refresh the Panorama UI to have Prisma Access correctly apply the
infrastructure subnet to the tenant's configuration. |
CYR-7128 | When you perform a Commit All operation for mobile users,
Prisma Access should display the commit status for portals and
gateways separately; however, Prisma Access is displaying failures
for portals under gateway status, and is displaying commit failures
for gateways under portal status. Workaround: Enter the
debug plugins cloud_services prisma-access get-job-result jobid
commit-job-id-number command, where commit-job-id-number is the ID of
the commit operation that failed, to check and verify the commit
operation for portals and gateways. |
CYR-6384 | Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways
templates do not display. Workaround: Select Panorama > Cloud Services
> Configuration > Service Setup or Panorama > Cloud Services >
Configuration > Remote Networks, select the Settings area to open the
Settings, then click OK. |
CYR-6369 | When in multi-tenant mode, if you create
a custom admin user with an Admin Role Profile that has Read Only access
to the Panorama tab and has Plugin access disabled, that user can
view, configure, and commit changes for subtenants. Workaround: Disable
access to the Panorama tab in the Admin Role Profile. |
CYR-6108 | When you configure Clientless VPN with Prisma
Access, the default security rule configuration uses the application-default
service, which blocks clientless-vpn traffic. Workaround: Change
the default security rule to any service or service-http and service-https. |
CYR-6107 | When configuring multi-tenant, if you create
any device groups that are children or grandchildren of other device
groups you create under the Shared parent device group, select only
the device group at the lowest hierarchical level (child or grandchild)
when you associate the device group to an access domain; do not
select the parent. |
CYR-6080 | You cannot reset the rule hit count for all Authentication
and Application Override policies. Workaround: Reset rules using a
list of rules or a rule name for Authentication and Application
Override policies. |
CYR-6013 | When you migrate a single tenant to multi-tenant mode,
you must do a local commit and then push the configuration before
you add more tenants. |
CYR-5888 | When using the multi-tenant feature and creating template
stacks and templates for a tenant, the Description of the template
stacks and templates does not display in the Panorama > Templates |
CYR-5867 | After upgrading to a new version of the
Cloud Services plugin, you are able to downgrade. The downgrade
operation should be disallowed. Workaround: Do not
downgrade the Cloud Services plugin after you have upgraded it. |
CYR-5842 | When using the multi-tenant feature and
migrating the first tenant to multi-tenancy, you can select template
stacks and templates that are not associated with the tenant that you
want to migrate, including templates that are used with on-premise
firewalls. Workaround: When you convert to multi-tenant
mode, be sure to choose only those templates that you want to associate
to the first tenant to migrate. |
CYR-5690 | When configuring multi-tenancy, if you are planning to
later configure Prisma Access for mobile users, you must do a local
Commit of your changes for the plugin (Commit > Commit to Panorama |
CYR-5563 | When using the multi-tenancy feature, users who manage
single tenants cannot see the system logs. The Monitor > Logs >
System |
CYR-5561 | When using the multi-tenancy feature and
logged in as a tenant-level administrative user, opening the Panorama Task
Manager (clicking Tasks at the bottom of
the Panorama web interface) shows all tasks for all tenants, including
any tasks done at the superuser (Admin) level. |
CYR-5476 | When you enable multi-tenancy and migrate your
configuration to the first sub-tenant, CLI commands are not supported
for this operation. As a result, you must use the Panorama user
interface (UI). |
CYR-5159 | If you configure a mobile user IP address
pool for a single region instead of Worldwide, mobile users can
still view and attempt to connect to all available gateway regions
from their GlobalProtect app. This attempt fails because there is
no IP address pool to allocate for other regions. Workaround: To
allow mobile users to manually select a gateway, either configure
an IP address pool for the region in the location where you want
the users to connect, or configure a Worldwide IP address pool for mobile
users in Prisma Access to allow them to select all the locations
you have deployed. |
CYR-5139 | In an environment where on-premise firewalls are on each
side of Prisma Access and the remote network connections to which
those firewalls are connected are in different regions, users behind
one on-premise firewall cannot contact users behind another
on-premise firewall unless you have configured an explicit policy to
allow traffic between zone Trust and zone Trust. |
CYR-5098 | If you change the master key in Panorama
(in Device > Master Key and Diagnostics), the master key for Cloud Services
is not synchronized with this master key. Workaround: Select
Panorama > Cloud Services > Configuration > Service Setup > Service Operations
> Edit Master Key and manually change the master key to be the same
as the Panorama master key. |
CYR-5062 | When regular dynamic updates are downloaded to Panorama (by
default, every Wednesday at 01:02), the MD5 checksum is changed. This
condition can cause the Panorama configuration and the Prisma Access
infrastructure to lose synchronization. While no tunnels are affected
by this out of synchronization state, the status for Service
Connections, Remote Networks, Mobile Users, and the Logging Service
show a Config Status of Out of Sync. Workaround: Perform a Commit and
Push operation on the Panorama. |
CYR-4010 | The BGP router configuration on the Prisma Access
firewalls can receive a maximum of 15000 prefixes from each peer, and
the total number of routes (static and dynamic) learned through BGP
cannot exceed 25000. Exporting more than 25000 routes may adversely
affect traffic flow on your network. |
CYR-3952 | After you generate a new API key by selecting Panorama >
Cloud Services > Configuration > Service Setup > Generate new API
Key |
CYR-3638 | For service and remote network connections that have BGP
enabled, Prisma Access ignores any route it receives from a neighbor
with an AS number in its AS_PATH list that duplicates an AS number in
the Prisma Access AS infrastructure (Infra-AS). |
CYR-3469 | If you have configured a Notification URL, when you onboard
a new remote network location, two notifications are sent to the URL
instead of only one. |
CYR-3385 | When you configure the same AS number for the service
connection and remote network location(s), the routes are not
imported into the firewall on the remote network location. |
CYR-3330 | Mobile users cannot connect to remote network locations
without a service connection. |
CYR-3114 | If your commit fails when you onboard Prisma Access
components for the first time, the Task Manager does not always
describe the cause of the failure. Workaround: To find the errors,
select Panorama > Cloud Services > Status > Monitor > Status tab.
Invalid configurations are indicated with a red bubble in the Config
Status column and an error of Validation Error. |
CYR-3034 | When configuring SAML, you must perform
all configuration with a role of Superuser, including any configuration
you perform for SAML using CLI. |
CYR-2648 | The Panorama > Cloud Services > Configuration Workaround:
Make sure to synchronize time with NTP (Panorama > Setup > Services >
NTP |
CYR-2633 | You cannot change the region associated with multiple
remote network locations in a single commit push to Prisma Access.
Workaround: If you need to change the region on more than one remote
network location, change them one at a time and complete the commit
push before changing the region on the next remote network. |
CYR-2578 | Master Keys do not work for two Panorama
appliances set as HA primary and secondary appliances. Workaround: Deselect
the Enable HA check box on the secondary
Panorama appliance and commit the changes, set the same Master Key
on both the primary and secondary Panorama appliance, then re-enable
HA on the secondary Panorama appliance and commit the changes. |
CYR-2028 | The Device > Setup > Management |
CYR-1836 | You cannot enforce MFA when users at one of your corporate
HQ locations attempt to access a resource at a remote network
location. |
CYR-1646 | Although Panorama allows you to delete the
Mobile_User_Template that was created when Prisma Access was
provisioned, deleting this template also deletes your onboarding
configuration and, upon commit, removes your Prisma Access for mobile
users configuration. |
CYR-1189 | When you onboard a new service connection or a remote
network, the count for service connection and total remote peers
displayed on Panorama > Cloud Services > Status > Status |
CYR-1120 | On Panorama, you cannot validate a commit on a device group
or template configuration before pushing the configuration to the
Prisma Access infrastructure for remote networks and mobile users. |
CYR-575 | You cannot configure the Prisma Access gateway
as an internal gateway. |