When a new Explicit Proxy instance is created, the threat logs may not send device group information. This behavior can occur in a new deployment or can change in an existing deployment after a maintenance activity or infrastructure upgrade.

Workaround

: Select All instead of a specific Device Group when viewing logs.

In a multi-tenant environment, you cannot enable the EDL Custom Category End Token Support feature until all your tenants have had their infrastructure and dataplane upgraded to meet the requirements for the 3.0 Cloud Services plugin.

Workaround

: Wait until all your tenants have had their infrastructure and dataplane upgraded before enabling the EDL Custom Category End Token Support feature.

You cannot make any configuration changes in the Advanced tab under Explicit Proxy Settings (

Panorama

Cloud Services

Configuration

Explicit Proxy

Settings

Advanced

).

Workaround

: There is no workaround. This functionality will be supported in a future Prisma Access release.

If you install an Innovation release, configure a feature that is only supported on an Innovation release, and then migrate from an Innovation to a Preferred release, you receive a commit validation error after making configuration changes in the Cloud Services plugin.

Workaround

: Delete the unsupported feature by creating a CLI session with the Panorama that manages Prisma Access in configuration mode and entering the

delete plugins cloud_services <feature-name>

command, where

<feature-name>

is the name of the feature that is unsupported in the Preferred release.

When using the Egress IP Allow List feature in Prisma Access, you might experience the following issues when using the UI:

When using the Enterprise DLP plugin with Prisma Access, an uploaded file that matched a Block action on a data filtering profile was not blocked from being uploaded, along with an error

DLP Skipped: missing boundary m

in the Data Filtering logs.

When configuring QoS for remote networks (

Panorama

Cloud Services

Configuration

Remote Networks

Settings

QoS

), you can select

None

as a

QoS Profile

.

Workaround

: Select a valid QoS profile to enable QoS.

None

is an invalid selection.

When configuring QoS for a newly-added site (

Panorama

Cloud Services

Configuration

Remote Networks

Settings

QoS

), the

Allocation Ratio

displays as

NaN%

.

Workaround

: Ignore the invalid display; however, Prisma Access sets the

Allocation Ratio

for newly-added remote networks as

0

and you must change the

Allocation Ratio

to use QoS for the new remote network.

If you are configuring a Mobile User - GlobalProtect deployment, if you do not enable the allow listing feature when configuring or onboarding the mobile user deployment, the plugin logs might display spurious messages that are similar to the following messages:

Workaround

: Ignore the plugin messages; these messages do not affect normal Prisma Access operation.

In a situation where other locations in the same compute region have had an autoscale event, a newly-onboarded location might show a

Provisioning Status

of

Not Provisioned

in the Egress IP Allow List table (

Panorama

Cloud Services

Configuration

Mobile Users—GlobalProtect

). Normally this status displays if the IP addresses have been confirmed as allow listed but the location has not yet been onboarded.

Workaround

: Autoscale events affect all the onboarded locations in a compute location. In this case, it is possible that Prisma Access allocated more then two IP addresses for the newly-added location, and those IP addresses were not yet confirmed as allow listed. If you receive a

Provisioning Status

of

Not Provisioned

for a newly-onboarded location, make sure that all of the IP addresses that were allocated for that location have been confirmed as allow listed.

When Prisma Access creates a new compute location and remaps an existing remote network location to that new location, if you do not delete and re-add the existing compute location to take advantage of the latest compute location-to-location mapping, you cannot view bandwidth statistics for the remapped location.

Workaround

: Delete and re-add the remote network location that is associated with the new compute location. The Service IP Address will change, so you will have to change the IP address for the IPSec tunnel on your CPE to the new Service IP Address, and you will need to commit and push your changes twice (once after you delete the location, and once after you re-add it).

When configuring more than 63 HIP profiles in a Mobile Users—GlobalProtect deployment, an error message with multiple occurrences of the word

Error:

is received during commit.

Workaround

: A Mobile Users—GlobalProtect deployment supports a maximum of 63 HIP Profiles; do not configure more than 63 HIP profiles.

Cortex Data Lake failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.

When you run the API to retrieve Prisma Access IP addresses with a

serviceType

of

all

, the API times out if your deployment has a large number of Remote Networks.

Workaround

: If you have a large number of remote networks, specify a

serviceType

of

remote_network

instead of

all

when running the API.

If you have created a remote network deployment that allocates bandwidth by compute location and then delete the remote network license, any commit for changes to features that are still licensed fail with an

Failed plugin validation

error.

Workaround

: Delete the unused remote network configuration by opening a CLI session with admin-level privileges, entering

configure

to enter configuration mode, and then entering

delete plugins cloud_services remote-networks

. Then, retry the commit operation.

If the dataplane is not compatible with the plugin you are running, a generic message indicating that the Panorama is undergoing maintenance displays in the

Panorama Alert

and

Plugin Alert

fields in

Panorama

Cloud Services

Configuration

Service Setup

.

When completing a mobile user setup in a FedRAMP Moderate deployment and configuring the mobile user IP address pool, you receive an

Operation Failed

message with text that indicates that Prisma Access could not auto-generate an authentication cookie certificate. In addition, when committing and pushing your changes, you receive a validation error related to a cookie decryption certificate.

Workaround

: Create a signed certificate and apply it to the Mobile Users—GlobalProtect configuration by completing the following steps:

If you are using a Panorama of a version or 10.0 or lower, and you configure an invalid destination port value anywhere in Panorama (for example, in

Objects

Services

), a commit-all operation fails with a vague error related to a module or device having a

Non digit

value.

Workaround

: Fix the invalid port configuration, then retry the commit-all operation. Panoramas running 10.1 or later disallow you from configuring an invalid destination port value.

When upgrading from Prisma Access 2.1 to 2.2, a local

Commit to Panorama

or

Validate Changes

request fails with the message

domain-list unexpected here

.

If you

Enable IPv6

, select the compute locations in

IPv6 Availability

, commit and push your changes, then deselect

Enable IPv6

, the selections you made in the

IPv6 Availability

tab become deselected.

Workaround

: Re-select the compute locations in the

IPv6 Availability

tab.

When you Enable IPv6, a window displays asking you to enable Telemetry Data Collection.

Workaround

: Click

Remind Me Later

to dismiss the window.

If you have applied QoS to your remote network deployment but have not yet committed and pushed your changes, the QoS statistics screens display blank information.

Workaround

:

Commit and Push

your QoS changes for the QoS statistics to display.

If, when using Explicit Proxy, when the following conditions exist, mobile users might experience issues with CORS requests and non-decrypted traffic:

Workaround

: Clear your browser's cache to re-authenticate with the ACS.

BGP addresses ending with .0 or .255 are not allowed to be entered in the UI as peer BGP addresses for service connections or remote networks, regardless of the subnet being used.

Workaround

: Use CLI commands to enter the .0 or .255 address by logging in to the Panorama that manages Prisma Access and entering one of the following commands:

set plugins cloud_services service-connection onboarding

sc-name

protocol bgp peer-ip-address

ip-address

set plugins cloud_services remote-networks onboarding

rn-name

protocol bgp peer-ip-address

ip-address

Where

sc-name

or

rn-name

is the name of the service connection or remote network connection.

When using explicit proxy, some users might experience an issue where some websites are not able to be accessed after the Authentication Cache Service (ACS) Cookie Lifetime has expired. This condition can persist for up to five minutes.

Workaround

: Browse a different website to re-authenticate to ACS and refresh the ACS cookie.

IP precedence-based classification is not working for Prisma Access, when using either IPv4 or IPv6 IP addresses.

When you enable IPv6 for a single tenant in a multi-tenant deployment, the UI page refreshes and displays the

Cloud Services

Configuration

page, where you select the drop-down for all tenants.

When any change is made to an authentication profile, the LDAP server or local user database in a shared context removes the user group mapping information from Prisma Access.

When configuring mobile users DNS settings in the

Network Services

tab, you should not enter

Custom DNS Server

IP addresses (either IPv4 or IPv6) without also specifying a

Domain List

.

Workaround

: Specify a

Domain List

.

If you add an IPv6 address pool to your Mobile Users—GlobalProtect deployment, select the regions to

Enable IPv6

in the IPv6 Availability tab, and

Commit and Push

your changes, the pools appear in the IPv6 Availability tab. If you then disable all regions, effectively disabling IPv6, and then

Commit and Push

your changes, the IPv6 address pools still display in the IPv6 Address Pool tab.

Workaround

: There is no workaround. If you later enable IPv6 for one or more regions, you can use the existing IPv6 address pool. You can also specify a different IPv6 address in the

IP Pools

and, after you commit and push your changes, the new IPv6 Address pool overwrites the existing addresses and displays in the IPv6 Availability tab.

When viewing or changing QoS settings for Remote Networks in

Panorama

Cloud Services

Configuration

Remote Networks

Settings

QoS

, a newly-added compute location or location does not display.

In addition, a newly-onboarded location does not display in the Site Allocation (Customize Per Site) page.

Workaround

: Refresh the Panorama that manages Prisma Access.

In a multi-tenant deployment, you receive a

Configuration committed successfully

message along with a

Not all Commit-All jobs got triggered

message.

Workaround

: Select

Commit

Commit and Push

,

Edit Selections

, and in the

Prisma Access

tab, make sure that the

Push Scope

includes the changes you made for the Prisma Access configuration. Depending on the changes you made, select one or more of the

Remote Networks

,

Mobile Users

,

Service Setup

, and

Explicit Proxy

choices.

If you are sinkholing IPv6 traffic, the policy rule hit counts for traffic that matches the IPv6 sinkhole policy do not increment when entering the CLI command

show rule-hit-count vsys vsys-name vsys1 rule-base security rules all

.

IPv6-related choices under

Cloud Services

Configuration

Service Connection

BGP

are displayed, even if IPv6 is not enabled.

Workaround

: If you do not have IPv6 enabled, do not select the

Exchange both IPv4 and IPv6 routes over IPv4 peering

,

Exchange IPv4 routes over IPv4 peer and IPv6 routes over IPv6 peer

, and

Exchange IPv6 routes over IPv6 peering

BGP peering choices.

In a multi-tenant deployment, admin users that have more than one access domain cannot configure new remote networks or service connections, and can only view what is already deployed.

Workaround

: Create the access domain first, then select the access domain you created when you convert the single tenant to a multi-tenant setup.

When you select

Integrate with Prisma SD-WAN

, the integration fails.

When downloading a large file (including but not limited to programs, browser extensions, or apps) using Explicit Proxy, if the download takes longer than the cookie lifetime, the download fails when the cookie expires.

If, after signing in to Explicit Proxy, you open a link that contains a file to download, the file downloads successfully but the Explicit Proxy sign-in page continues to display.

Workaround

: Since the link contained a downloaded file, there is no page to display and the current page does not refresh. Select another webpage to navigate away from the sign-in page.

When attempting to retrieve Logging Status information from Troubleshooting Commands (

Panorama

Cloud Services

Configuration

Service Setup

Service Operations

Troubleshooting Commands

) and selecting

All

locations or

All

remote networks, the request times out.

Workaround

: The issue might be with one or more locations or remote networks being slow to respond. Try selecting a single mobile user location or remote network.

If you are using a Panorama with a version of PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote Network deployment from allocating bandwidth by location to allocating bandwidth by compute location, the migration banner displays the location names in an incorrect (large) font.

Workaround

: No workaround is required. There is no change to the migration functionality; the only issue is with the font displayed during the migration.

When using Troubleshooting Commands (

Panorama

Cloud Services

Configuration

Service Setup

Service Operations

Troubleshooting Commands

) with Panoramas that are in High Availability mode, the commands cannot be run from the passive Panorama.

When configuring an Explicit Proxy deployment, if you onboard your deployment, then retrieve the Explicit Proxy public IP addresses, you will receive the active IP addresses to add to your allow list, but will not receive the pre-allocated backup IP addresses.

Workaround

: Retrieve the Explicit Proxy IP addresses before you onboard your deployment by specifying an

addrType

of

all

and a

location

of

all

.

When using DLP to check a downloaded .xlsx file, the original size of the file is below the maximum DLP file size. However, after the file is extracted, the file size exceeds the maximum file size for DLP and a

400 Bad request

error is received.

Remote networks that aggregate bandwidth by compute location instead of by location cannot be onboarded in bulk by exporting, modifying, and then importing a CSV file.

If you delete an explicit proxy configuration and then reconfigure it within 10 minutes of its deletion, Prisma Access cannot properly process the new configuration and explicit proxy functionality could be affected.

Workaround

: Wait at least 10 minutes after deleting an explicit proxy configuration before reconfiguring it.

In a multi-tenant deployment, exception errors are displayed because of inconsistent internal database entries.

When using Panorama 10.

x

to manage Prisma Access, if you configure an Authentication Enforcement Profile under

Objects

Authentication

and specify an Authentication Profile that resides in a Shared location, you receive an error when committing the changes.

Workaround

: If you use a Panorama 10.

x

to manage Prisma Access, do not use a shared Authentication Profile for any Authentication Enforcement Profile; instead, use an Authentication Profile that is under one of the Prisma Access Templates.

When using explicit proxy, there could be a delay when displaying user details under

Current User Count

due to a log ingestion issue between explicit proxy and Cortex Data Lake.

When using explicit proxy, large HTTP file downloads are frequently interrupted.

Workaround

: Keep resuming the download until the file is completely downloaded. This issue is not seen when downloading HTTPS files.

When performing a local commit or

Commit and Push

operation, you receive the error

Internal Server Error: Failed to aggregate bandwidth configuration

.

Workaround

: Check the DNS configuration of the Panorama appliance that manages Prisma Access, and check that Panorama is able to contact your network's DNS servers, then retry the operation.

If, during Explicit Proxy onboarding, you onboard a large number of locations, the Explicit Proxy status might display its status incorrectly (for example, a status of ERROR might display when the onboarding was successful).

If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied.

Workaround

: Upload a new PAC file with the same changes as you made in the Explicit Proxy URL.

If you change the proxy FQDN, the changes are not immediately reflected after the job status completes.

Workaround

: Workaround: Wait 10 to 15 minutes for the changes to be reflected after the Job status shows as

Completed

on Panorama.

If Directory Sync is enabled for explicit proxy, the current user count displays as 0, but the 90 days count displays correctly.

When in multi-tenant mode, an empty field displays in the Push Scope.

There is a delay observed to populate the Rule Usage column on the Policies page.

Workaround

: Refresh the page by clicking on the refresh button on the right side.

In addition, the Preview Rules tab does not display the Rule Hit counters.

Workaround

: Click the

Used

link on

Rule Usage

column to display the Rule Hit count for the rule.

The maximum length of a URL that can be used with explicit proxy is 1280 characters.

WildFire logs show explicit proxy logs as having a source zone of Proxy. If you use a name of Proxy for Clean Pipe instances or remote networks, you will not be able to differentiate between explicit proxy logs and logs with the clean pipe or remote network name of Proxy.

Workaround

: If you use explicit proxy, do not specify a name of Proxy for any Clean Pipe instances or remote networks.

The

Panorama

Cloud Services

Status

Monitor

Mobile Users

Explicit Proxy

page incorrectly shows the current number of users as 0.

After a commit and push operation, jobs either become stuck in

init

state or fail to complete.

Workaround

: The issue might be with an EDL update being processed at the same time as the commit operation. To workaround the issue, select

Objects

External Dynamic Lists

and change the

Check for updates

setting from

Every five minutes

to

Hourly

or later.

When using Explicit Proxy, initial DNS Queries (first leg) and Initial HTTP connect messages (first logs) are not seen in the traffic logs in Panorama.

When you enter the

show pbf extended-address all

command to retrieve the traffic steering cache, an FQDN displays with an asterisk, such as *.example.com.

Workaround

: No workaround is required. The displayed FQDN is correlated to the FQDN server that presented the certificate.

When configuring a Mobile Users - GlobalProtect deployment using SAML authentication, you receive a

pangp.gpcloudservice.com is missing certificate

error when you commit your configuration changes.

Workaround

: Add the missing certificate in your SAML IdP configuration by selecting

Device

Mobile_User_Template

Authentication Profile

in Panorama and adding the certificate.

A webpage may contain links of resources from the domains other than the domain from where the webpage is served. Most modern browsers do not send any cookie along with the requests to get the resources from those third-party domains for security reasons. Since there is no cookie present to identify the user for those third-party domains, the user name cannot be logged in the traffic logs for those domains.

In addition, there will be some connections that Prisma Access redirects for authenticating a user. Logs for such connections will not have any username.

When using traffic steering, if you specify External Dynamic List that has an IP address and port, traffic is not forwarded to the target.

Workaround

: Remove the port number from the IP address.

When using explicit proxy, if you update the cookie lifetime to a shorter lifetime than the previously configured value, the new lifetime value does not apply to users who are already logged in until the original longer life time expires. New users logging into the service receive the new shorter cookie life time.

Explicit proxy configuration changes are not applied to the configuration after a commit.

Workaround

: If you are not seeing the changes after retrying the commit operation, contact Palo Alto Networks support.

If, when configuring Explicit Proxy, you upload a PAC file before committing and pushing your configuration changes, the PAC file configuration changes are not correctly processed.

Workaround

: Commit and push your configuration changes before uploading the PAC file.

In a multi-tenant environment, tenant names with a period (

.

) in the name cause configuration tabs to be grayed out after commit.

Workaround

: Do not create tenants that have a period in their name.

When administrators log out a mobile user who is logged in using SAML from the Prisma Access status page (

Panorama

Cloud Services

Status

Status

Current Users

), a Single Logout (SLO) request is not generated. As a result, the user is logged out of the gateway but is not logged out of the IdP, and if the client SAML cookie is still valid, the user can reconnect without having to input credentials.

When you create a traffic steering rule, Prisma Access does not auto-populate the Source User, Dynamic User Group, External Dynamic List (EDL), or custom URL category in the user interface.

Workaround

: Open a CLI session with the Panorama that manages Prisma access, enter configuration mode, and enter the

set plugins cloud_services multi-tenant tenants

tenant-name

pbf rules

traffic-steering-rule

source

[

enabled

| [

action

[

forward

|

no-pbf

]] | [

category

custom-url-category

| [

destination

[

DAG

dag-name

]] | [

service

[

any

|

service-http

|

service-https

|

other-value

]] | [

source

source-options

] | [

source-user

source-user-name

]] to have the shared objects available for selection.

When using Panoramas with a version of 10.0 to manage Prisma Access, if you reference an EDL with a Type of Predefined URL List in a security policy rule, commits fail with an error indicating a disallowed keyword, invalid reference, or invalid category.

Workaround

: Dereference the EDL in the security policy.

Extra IPSec termination nodes are allocated to a compute location if you allocate bandwidth multiple times in a very short time interval.

Auto-population of users and user groups from a master device is not supported in multi-tenant mode.

When you allocate Bandwidth to a compute location from the Onboarding section, that allocation is not reflected immediately in the Bandwidth Allocation tab until you manually refresh the page.

Workaround

: Manually refresh the Panorama that manages Prisma Access.

When you upgrade the Cloud Services plugin and then perform a commit operation, not all Prisma Access components are selected in the Push Scope.

Workaround

: Select

Commit

Commit and Push

,

Edit Selections

in the

Push Scope

, and make sure that all Prisma Access components (

Service Setup

,

Remote Networks

,

Mobile User

, and

Clean Pipe

, depending on your license) are selected before committing and pushing your changes.

When you change the name of a target service connection group for traffic steering, the updated target name does not display in the Traffic Steering Rules area.

Workaround

: Refresh the Panorama browser.

If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).

Workaround

: Use an IKEv2 (Phase 1) cryptographic profile of SHA1 on your customer premises equipment and in Prisma Access.

If you allocate bandwidth when onboarding a remote network location and then reselect the same location or choose another location in the same compute location without clicking

OK

, the allocate bandwidth window redisplays.

Workaround

: Click

OK

after allocating compute location bandwidth when onboarding a remote network location.

If you edit traffic steering rules or enable a default route over service connections after you migrate from single tenant to multi-tenant mode, the push scope for Prisma Access Device Groups is not populated.

Workaround

: Select

Commit

Commit and Push

,

Edit Selections

in the

Push Scope

, and make sure that you select all device groups (

Service Setup

,

Remote Networks

,

Mobile User

, and

Clean Pipe

, depending on your license) before committing and pushing your changes.

If a service connection loses both its active and backup connectivity, mobile users lose connectivity to users and resources connected to Remote Networks and Service Connections.

If you have two Panorama appliances configured in high-availability mode, the passive Panorama will display an

out of sync

message during a commit and push operation.

Workaround

: Open a command-line interface (CLI) session on both the passive and active Panorama and enter the following commands:

username@hostname>

debugmd5sum_cache clear

username@hostname>

configure

username@hostname#

commit force

Prisma Access bypasses Traffic Steering for rules with a service type of HTTP or HTTPS if you use an application override policy for TCP ports 80 and 443.

In addition, traffic steering does not work for URLs from URL categories referenced in the traffic forwarding rule if you have configured an application override policy for TCP ports 80 or 443.

Mobile user route summarization is not supported in hot potato routing mode.

When using hot potato routing, Mobile User route summarization may add extra latency for traffic between mobile users and headquarters or branch traffic.

After you create a traffic steering rule with an IP address, IP address group, EDL, or custom URL category as a Shared object, make changes to any of those objects, and then commit and push your changes, only the Shared object displays in the Push Scope. Prisma Access device groups doesn't get displayed in the push scope.

Workaround

: Select

Commit

Commit and Push

,

Edit Selections

in the

Push Scope

, and make sure that you select all device groups (

Service Setup

,

Remote Networks

,

Mobile User

, and

Clean Pipe

, depending on your license) before committing and pushing your changes.

When adding or deleting URLs to a custom URL category, Prisma Access does not purge its cache, and the change does not immediately take effect.

Workaround

: Perform one of the following actions:

To make sure that Prisma Access can distinguish between users if the same username is shared between users who authenticate locally and users who authenticate using LDAP, you should authenticate LDAP users in the format of domain/username and authenticate local users in the format of username (without the domain name).

UDP packets that Prisma Access receives between 1439 and 1500 bytes are dropped in some situations (for example, if NAT Traversal is enabled).

Workaround

: Reduce the MTU size on your customer premises equipment to 1400 or below.

When using an antivirus profile attached to a security policy rule, files are not being scanned during an FTP session.

When using WildFire in remote network deployments, if you upgrade your Prisma Access dataplane to a version of 10.0.3 or later, you cannot retrieve the latest WildFire signatures in real-time. Prisma Access uses its default method of updating WildFire signatures every five minutes.

When you make changes to traffic steering forwarding rules, then commit and push your changes, your changes do not appear in the Push Scope.

Workaround

: Modify the Push Scope by clicking

Edit Selections

, then selecting the device group or groups you changed (

Service Setup

,

Remote Networks

,

Mobile Users

, or all three).

Do not create any custom URL categories that start with

GPCS-

,

gpcs-

. or

custom_url_category_pbf

.

When you create a traffic forwarding rule for traffic steering, predefined URL categories might display as choices along with custom URL categories.

Workaround

: Predefined URL categories are not supported; do not select them when configuring a traffic forwarding rule for traffic steering. Select custom URL categories instead.

If Panorama access is disabled in an Admin Role Profile, you can still see the contents of the plugin, but the fields are read-only.

When you upgrade the Cloud Services plugin to 1.7, Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.

If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.

Prisma Access prepends an asterisk to URLs in custom URL categories, which doubles the number of URLs entered in a custom URL category. Prisma Access supports a maximum of 300,000 URLs in URL category entries; if you use custom URLs for traffic steering and are close to this limit, the doubling of URLs might cause your deployment to exceed the limit of URLs.

External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.

Workaround

: Use IP-based EDLs only.

If you used policy-based forwarding rules to forward internet-bound traffic to service connections in Prisma Access 1.6, Prisma Access makes the following additions to URLs in custom URL categories after you upgrade from 1.6 to 1.7:

If you already have added URLs with wildcards, Prisma Access might add URLs that duplicate existing URLs after the upgrade.

When you select

Panorama

Cloud Services

Status

Monitor

Cortex Data Lake

, the Service Status area displays

No data to display

, even though Cortex Data Lake is working normally.

Workaround

: Select the Table view icon on the top right side of the page to view a tabular view of the statistics instead of the Gauge view.

After you make configuration changes to an existing service connection or remote network connection (for example, changing the bandwidth, region, QoS, or BGP values), the job details in the Deployment Status page (

Panorama

Cloud Services

Status

Status

Deployment Status

details

) might display a value of TIMEOUT, even if the job completed successfully.

If you configure traffic steering (using PBF rules to forward internet-directed traffic using a service connection) in multi-tenancy mode, the Target Service Connections do not display in the policy-based forwarding rule.

Workaround

: Refresh the browser, then recreate

Target Service Connections for Traffic Forwarding

and the PBF rule.

Prisma Access does not support FTP data transfers in active mode.

When Prisma Access performs a dataplane upgrade on a mobile user instance (an upgrade to a Prisma Access gateway or portal), any failed commits on the instance that were performed before the upgrade will not be applied to the upgraded instance.

External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.

Workaround

: Use IP-based EDLs only.

During a Prisma Access dataplane upgrade, BGP statistics may not be available for 30 minutes in the Network Details page. This unavailability has no impact on dataplane traffic.

If you are using URLs or URL categories as a match criteria in a policy-based forwarding rule for traffic steering, the initial packets (for example, a TCP handshake) intermittently do not match the rule for the users who connect to a matching URL for the first time.

If you use Microsoft Edge or Firefox when using traffic steering, the browser does not forward traffic on its first attempt.

Workaround

: Refresh the browser, then retry the operation.

If, in a traffic steering deployment with multiple traffic forwarding rules, two URLs in two separate rules resolve to the same IP address, Prisma Access sends traffic to the first rule in the list and will not use the second traffic rule. Traffic steering evaluates multiple traffic forwarding rules in order from top to bottom.

For a Prisma Access deployment with two Panoramas configured in high availability, you are able to request an upgrade to the GlobalProtect software version on the passive Panorama. Software upgrade requests are not applied if you request them on the passive Panorama.

Workaround

: Do not request software upgrades on the passive Panorama; only request upgrades using the active Panorama.

When using traffic steering, Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule.

Prisma Access does not support a rule type of Intrazone if the source and destination zones are both Trust.

If you enable ECMP on a remote network, the values shown in the Statistics tab under

Panorama

Cloud Services

Status

Monitor

Remote Networks

for

Ingress Peak Bandwidth (Mbps)

are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.

When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.

Workaround:

Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.

Some files are being skipped for DLP scanning when using OneDrive to upload multiple files.

When using DLP on Prisma Access, you can upload up to 25 files at a time.

When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.

Workaround:

Log out, then log back in to Panorama.

If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click

X

to stop the download of those files.

When you check the status in a multi-tenant deployment by selecting

Panorama

Cloud Services

Status

, the information in the

All Tenants

area displays twice.

DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.

If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.

If you change the master key in Panorama (in

Device

Master Key and Diagnostics

), the master key for Cloud Services is not synchronized with this master key.

Workaround:

Select

Panorama

Cloud Services

Configuration

Service Setup

Service Operations

Edit Master Key

and manually change the master key to be the same as the Panorama master key.

When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.

When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.

Workaround:

This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.

When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the

Data Filtering Profile

area.

In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches, but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however it no longer checks the OS type in these agent configs, and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria, but a non-matching OS type.

When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:

When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.

When setting up the GlobalProtect gateway connection settings (

Network

GlobalProtect

Gateways

Agent

Connection Settings

) and specifying a Netmask to

Restrict Authentication Cookie Usage

, the commit fails if only a

Source IPv4 Netmask

is specified.

Workaround:

Specify a

Source IPv6 Netmask

of

0

, which disables the option for the specified IP address type.

If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.

Reverse DNS queries do not work in Prisma Access.

Workaround:

Because type A and AAAA queries for internal domains work, you can specify

*.in-addr.arpa

in a query so that Prisma Access sends all reverse DNS queries to internal DNS servers.

When performing a

Commit and Push

operation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.

Workaround:

Select

Panorama

Licenses

, then select

Retrieve license keys from license server

to retrieve the Clean Pipe licenses again.

If you add an existing template under one of the template stacks of Prisma Access (for example,

Service_Conn_Template_Stack

,

Mobile_User_Template_Stack

, or

Remote_Network_Template_Stack

), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.

Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.

In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.

When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.

Workaround:

Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.

The Traffic Forwarding feature (

Panorama

Cloud Services

Configuration

Service Setup

Settings

Traffic Forwarding

) is not supported with multi-tenant deployments.

When you log out a Prisma Access mobile user from the

Current Users

window, the user still displays in the window after the logout operation.

Workaround:

Close and then reopen the

Current Users

window to show the correct user status.

If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.

When you try to configure an Infrastructure Subnet (

Panorama

Cloud Services

Configuration

Service Setup

Settings

) in multi-tenant mode, you can receive an

Operation Failed

message.

Workaround:

Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.

When you perform a

Commit All

operation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access is displaying failures for portals under gateway status, and is displaying commit failures for gateways under portal status.

Workaround:

Enter the

debug plugins cloud_services prisma-access get-job-result jobid

commit-job-id-number

command, where

commit-job-id-number

is the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.

Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.

Workaround:

Select

Panorama

Cloud Services

Configuration

Service Setup

(for service connections) or

Panorama

Cloud Services

Configuration

Remote Networks

(for remote network connections), click the gear icon in the

Settings

area to open the

Settings

, then click

OK

.

When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.

Workaround:

Disable access to the Panorama tab in the Admin Role Profile.

When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.

Workaround:

Change the default security rule to any service or service-http and service-https.

When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.

You cannot reset the rule hit count for all

Authentication

and

Application Override

policies.

Workaround:

Reset rules using a list of rules or a rule name for

Authentication

and

Application Override

policies.

When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.

When using the multi-tenant feature and creating template stacks and templates for a tenant, the

Description

of the template stacks and templates do not display in the

Panorama

Templates

page.

After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.

Workaround:

Do not downgrade the Cloud Services plugin after you have upgraded it.

When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.

Workaround:

When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.

When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of the your changes for the plugin (

Commit

Commit to Panorama

) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.

When using the multi-tenancy feature, users who manage single tenants cannot see the system logs. The

Monitor

Logs

System

choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.

When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking

Tasks

at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.

When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must, use the Panorama user interface (UI).

If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.

Workaround:

To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.

In an environment with on-premise firewalls on each side of Prisma Access and the remote network connections to which the on-premise firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.

If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.

Workaround:

Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.

When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out of synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service show a

Config Status

of

Out of Sync

.

Workaround:

Perform a

Commit

and

Push

operation on the Panorama.

The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer. And the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.

After you generate a new API key by selecting

Panorama

Cloud Services

Configuration

Service Setup

Generate new API Key

, the previous API key is still valid for a period of time (up to five minutes). You use this API to retrieve the list of IP addresses for your Prisma Access firewalls.

For service and remote network connections that have BGP enabled, the Prisma Access ignores any route it receives from a neighbor with an AS number in its AS_PATH list that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).

If you have configured a

Notification URL

, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.

When you configure the same AS number for the service connection and remote network location(s), the routes are not imported in to the firewall on the remote network location.

Mobile users cannot connect to remote network locations without a service connection.

If your commit fails when you onboard Prisma Access components for the first time, the Task Manager does not always describe the cause of the failure.

Workaround:

To find the errors, select

Panorama

Cloud Services

Status

Monitor

and click the

Status

tab. Invalid configurations are indicated with a red bubble in the

Config Status

column and an error of

Validation Error

.

When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.

The 

Panorama

Cloud Services

Configuration

 page is grayed out when Panorama is not in sync with NTP.

Workaround:

Make sure to synchronize time with NTP (

Panorama

Setup

Services

NTP

).

You cannot change the region associated with multiple remote network locations in a single commit push to the Prisma Access.

Workaround:

 If you need to change the region on more than one remote network location, change them one at a time and complete the commit push before changing the region on the next remote network.

Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.

Workaround:

Deselect the

Enable HA

check box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.

The

Device

Setup

Management

page is not available on the Panorama appliance running the Prisma Access plugin. You cannot configure NT LAN Manager (NTLM).

You cannot enforce MFA when users at one of your corporate HQ locations attempts to access a resource at a remote network location.

Although Panorama allows you to delete the Mobile_User_Template that was created when the Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.

When you onboard a new service connection or a remote network, the count for service connection and total remote peers displayed on 

Panorama

Cloud Services

Status

Status

 is inaccurate until the provisioning is complete.

On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.