Prisma Access Known Issues
Prisma Access has the following known issues.
While browsing through various tabs under in the Panorama UI under
, a blank pop-up window might display with a title of
Workaround:This issue has not been found to create any functional impact. Closing the window and refreshing the UI should solve the display issue.
While browsing through various tabs under in the Panorama UI under
, a blank pop-up window might display with a title of
Workaround:This issue has not been found to create any functional impact. Closing the window and refreshing the UI should solve the display issue.
If you have QoS enabled in a Remote Network compute location, and you reduce the bandwidth for a compute location enough that Prisma Access removes an IPSec termination node from that compute location, QoS is disabled for that compute location.
Workaround: After the IPSec termination node has been deprovisioned, re-enable QoS for that compute location.
When using a Panorama running 10.2 to manage Panorama Managed Prisma Access, Inactivity-Logout values can only be configured using minutes.
If you are managing an on-premise or VM firewall running 10.0 with a Panorama running 10.1 or 10.2, an
Inactivity-Logoutconfigured on Panorama is configured as
disconnect-on-idleon the managed firewall.
If you are using a Panorama with a version of 10.2 or later to manage Prisma Access and you specify Prisma Access to append the ending token to URLs in URL filtering configuration under
, this setting might differ from the Append Ending Token setting in the
Workaround: Make sure that the two values are the same in Panorama.
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, when attempting to download Preview Rules in the Mobile_User_Device_Group (
500 Internal Server Erroris received.
In the Policies tab, when you click the Preview Rules button, the Export button is clickable but not exporting in PDF/CSV format. This caveat applies to the Explicit_Proxy_Device_Group, Mobile_User_Device_Group, Remote_Network_Device_Group, and Service_Conn_Device_Group.
When using the South Africa West, France North, Ireland, Bahrain, or South Korea Explicit Proxy locations, mobile users have difficulty connecting to some websites.
Workaround: Deactivate these locations and use any of the Explicit Proxy supported locations.
After an upgrade from the 2.2 Preferred Cloud Services plugin to 3.x, the Troubleshooting Commands (
) failed to display the Logging status, Routing information, EDL info, EDL status, EDL refresh, and Search EDL fields.
When onboarding a remote network and selecting options such as
Summarize Mobile User Routes before advertising,
Don't Advertise Prisma Access Routes, or
Advertise Default Route, an
Object already existserror is displayed.
Workaround: Cancel the current onboarding attempt and retry the operation. This error is transient and subsequent retries should not experience this issue.
You cannot switch from the Map view to the Table view for Service Stats for all Prisma Access services (
Mobile Users—Explicit Proxy, or
Cortex Data Lake) because the map and table icons on the top right of the UI do not display.
If you have enabled cloud provider redundancy for service connections, the Redundancy Assessment area in the Network Details tab (
) shows (link to published locations).
When, in an Explicit Proxy deployment that does not have Remote Networks onboarded, you select
Forward Remote Network traffic to Explicit Proxyin the
Advancedtab, the first three octets of the IP addresses display as None (for example,
Workaround: Onboard a remote network and
Commit and Pushyour changes, making sure that both
Remote Networksare selected in the Push Scope.
When configuring service connections, the Manage Site does not display in the Service Connections tab.
Workaround: Refresh the Panorama that manages Prisma Access. You might have to perform an additional refresh to get the Manage Sites area to display.
If you have QoS profiles with a
Class Bandwidth Typeof
Mbps, validation fails and you receive the following error:
For QoS profile
, summation of its class egress-guaranteed is
, which is larger than its egress-max
This error displays if all of the following conditions are true:
If you have an
Egress Guaranteedvalue of 0 in the
Profilearea, the summation of the
Egress Guaranteedvalues in the
Classesfield cannot exceed the
Egress Maxvalue in the
This restriction applies to all QoS profiles in the template stack, even if they are not being used.
Workaround: Delete the profile, or modify any QoS Profiles so that the summation of the Egress Guaranteed values in the Classes field does not exceed the Egress Max value in the Profile area.
If you onboard service connections using the Cloud Services plugin 3.0 in multitenant mode, you cannot view the service connections in the drop-down list if you perform the following actions:
Workaround: Do not load a configuration from a previous plugin version after upgrading to a newer plugin version. The configuration load also causes the previous plugin version to be loaded, which is an unsupported configuration.
When changing the Local IP Address in the BGP tab for a Remote Network connection that uses BGP, the following issues can be seen:
Workaround: Refresh the Panorama UI. If a refresh does not fix the issue, change the Local IP Address to a placeholder value, click
OK, and then re-enter the correct Local IP Address.
When a new Explicit Proxy instance is created, the threat logs may not send device group information. This behavior can occur in a new deployment or can change in an existing deployment after a maintenance activity or infrastructure upgrade.
Workaround: Select All instead of a specific Device Group when viewing logs.
After successfully completing a partial commit, the Commit Status messages includes the message
Changes to all template configuration.
Workaround: Ignore the message regarding all templates being changed. The partial commit was performed only for the template or Commit Scope you specified.
After upgrading the Cloud Services plugin from 2.0 to 3.1 in a multi-tenant Prisma Access-Prisma SD-WAN deployment that uses an on-premise CloudBlade, the on-premise CloudBlade cannot push new configuration to a Prisma Access tenant.
After migrating from a remote network deployment that allocates bandwidth by location to one that allocates bandwidth by compute location, QoS statistics are not displayed for inbound access sites.
If you use the remote network aggregate bandwidth model and you enable QoS for a remote network (
) that has ECMP enabled, you must select
Customize Per Siteand click
OKor you will receive an error on commit.
When you log out mobile users from the
area using the
Logoutfunction, or if you log out a user using CLI, the user is successfully logged out, but the
Current Usersarea might still show the user as being logged in for up to five minutes after the logout activity occurred. This behavior is the result of Prisma Access refreshing the status of logged-in users every five minutes. If you have configured a Connect Method of
User-logon (Always On)or
Pre-logon (Always On), and if the user reconnects during the five minute refresh interval, the user might not be reflected as being logged out in the
Workaround: View the login and logout events from the GlobalProtect logs.
In a multi-tenant environment, you cannot enable the EDL Custom Category End Token Support feature until all your tenants have had their infrastructure and dataplane upgraded to meet the requirements for the 3.0 Cloud Services plugin.
Workaround: Wait until all your tenants have had their infrastructure and dataplane upgraded before enabling the EDL Custom Category End Token Support feature.
When viewing the Push State Details after a commit to a device group, you see a message similar to
Interface tunnel.2 has no zone configuration’.
Workaround: This is a spurious message related to a backup tunnel configuration and can be ignored.
When using Traffic Steering, when a user matches a URL in an EDL, pre-defined URL category, or Custom URL Category, the first two sessions are not directed to the target for internet-bound traffic.
You cannot make any configuration changes in the Advanced tab under Explicit Proxy Settings (
Workaround: There is no workaround. This functionality will be supported in a future Prisma Access release.
When using the Egress IP Allow List feature in Prisma Access, you might experience the following issues when using the UI:
If you install an Innovation release, configure a feature that is only supported on an Innovation release, and then migrate from an Innovation to a Preferred release, you receive a commit validation error after making configuration changes in the Cloud Services plugin.
Workaround: Delete the unsupported feature by creating a CLI session with the Panorama that manages Prisma Access in configuration mode and entering the
delete plugins cloud_services <feature-name>command, where
<feature-name>is the name of the feature that is unsupported in the Preferred release.
When using the Enterprise DLP plugin with Prisma Access, an uploaded file that matched a Block action on a data filtering profile was not blocked from being uploaded, along with an error
DLP Skipped: missing boundary min the Data Filtering logs.
When configuring QoS for remote networks (
), you can select
Workaround: Select a valid QoS profile to enable QoS.
Noneis an invalid selection.
When configuring QoS for a newly-added site (
Allocation Ratiodisplays as
Workaround: Ignore the invalid display; however, Prisma Access sets the
Allocation Ratiofor newly-added remote networks as
0and you must change the
Allocation Ratioto use QoS for the new remote network.
When viewing logs for an Explicit Proxy deployment, duplicate log entries might be seen. This behavior does not affect Prisma Access functionality.
If you are configuring a Mobile User - GlobalProtect deployment, if you do not enable the allow listing feature when configuring or onboarding the mobile user deployment, the plugin logs might display spurious messages that are similar to the following messages:
Workaround: Ignore the plugin messages; these messages do not affect normal Prisma Access operation.
In a situation where other locations in the same compute region have had an autoscale event, a newly-onboarded location might show a
Not Provisionedin the Egress IP Allow List table (
). Normally this status displays if the IP addresses have been confirmed as allow listed but the location has not yet been onboarded.
Workaround: Autoscale events affect all the onboarded locations in a compute location. In this case, it is possible that Prisma Access allocated more then two IP addresses for the newly-added location, and those IP addresses were not yet confirmed as allow listed. If you receive a
Not Provisionedfor a newly-onboarded location, make sure that all of the IP addresses that were allocated for that location have been confirmed as allow listed.
If, when in an Explicit Proxy deployment that is forwarding remote network traffic to Explicit Proxy, if you deselect the Forward Remote Network Traffic to Explicit Proxy check box in the Advanced tab, the IP addresses that were allocated by Explicit Proxy still display in the Advanced tab.
Workaround: Refresh the Panorama UI to clear the IP addresses in the UI.
When Prisma Access creates a new compute location and remaps an existing remote network location to that new location, if you do not delete and re-add the existing compute location to take advantage of the latest compute location-to-location mapping, you cannot view bandwidth statistics for the remapped location.
Workaround: Delete and re-add the remote network location that is associated with the new compute location. The Service IP Address will change, so you will have to change the IP address for the IPSec tunnel on your CPE to the new Service IP Address, and you will need to commit and push your changes twice (once after you delete the location, and once after you re-add it).
When configuring the IP addresses to use to forward remote network traffic to Explicit Proxy in the Explicit Proxy Advanced settings (
), Remote Networks does not display in the Push Scope for a Commit and Push operation.
Mobile Users—Explicit Proxy
Remote Networksas well as
Explicit Proxyin the Push Scope before performing a Commit and Push operation. Forwarding traffic from remote networks to Explicit Proxy requires that you commit and push changes to both Explicit Proxy and remote networks.
When configuring more than 63 HIP profiles in a Mobile Users—GlobalProtect deployment, an error message with multiple occurrences of the word
Error:is received during commit.
Workaround: A Mobile Users—GlobalProtect deployment supports a maximum of 63 HIP Profiles; do not configure more than 63 HIP profiles.
Cortex Data Lake failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.
When you run the API to retrieve Prisma Access IP addresses with a
all, the API times out if your deployment has a large number of Remote Networks.
Workaround: If you have a large number of remote networks, specify a
allwhen running the API.
If you have created a remote network deployment that allocates bandwidth by compute location and then delete the remote network license, any commit for changes to features that are still licensed fail with an
Failed plugin validationerror.
Workaround: Delete the unused remote network configuration by opening a CLI session with admin-level privileges, entering
configureto enter configuration mode, and then entering
delete plugins cloud_services remote-networks. Then, retry the commit operation.
If the dataplane is not compatible with the plugin you are running, a generic message indicating that the Panorama is undergoing maintenance displays in the
Plugin Alertfields in
When completing a mobile user setup in a FedRAMP Moderate deployment and configuring the mobile user IP address pool, you receive an
Operation Failedmessage with text that indicates that Prisma Access could not auto-generate an authentication cookie certificate. In addition, when committing and pushing your changes, you receive a validation error related to a cookie decryption certificate.
Workaround: Create a signed certificate and apply it to the Mobile Users—GlobalProtect configuration by completing the following steps:
If you are using a Panorama of a version or 10.0 or lower, and you configure an invalid destination port value anywhere in Panorama (for example, in
), a commit-all operation fails with a vague error related to a module or device having a
Workaround: Fix the invalid port configuration, then retry the commit-all operation. Panoramas running 10.1 or later disallow you from configuring an invalid destination port value.
When upgrading from Prisma Access 2.1 to 2.2, a local
Commit to Panoramaor
Validate Changesrequest fails with the message
domain-list unexpected here.
Enable IPv6, select the compute locations in
IPv6 Availability, commit and push your changes, then deselect
Enable IPv6, the selections you made in the
IPv6 Availabilitytab become deselected.
Workaround: Re-select the compute locations in the
When you Enable IPv6, a window displays asking you to enable Telemetry Data Collection.
Remind Me Laterto dismiss the window.
If you have applied QoS to your remote network deployment but have not yet committed and pushed your changes, the QoS statistics screens display blank information.
Commit and Pushyour QoS changes for the QoS statistics to display.
If, when using Explicit Proxy, when the following conditions exist, mobile users might experience issues with CORS requests and non-decrypted traffic:
Workaround: Clear your browser's cache to re-authenticate with the ACS.
BGP addresses ending with .0 or .255 are not allowed to be entered in the UI as peer BGP addresses for service connections or remote networks, regardless of the subnet being used.
Workaround: Use CLI commands to enter the .0 or .255 address by logging in to the Panorama that manages Prisma Access and entering one of the following commands:
set plugins cloud_services service-connection onboarding
protocol bgp peer-ip-address
set plugins cloud_services remote-networks onboarding
protocol bgp peer-ip-address
rn-nameis the name of the service connection or remote network connection.
When using explicit proxy, some users might experience an issue where some websites are not able to be accessed after the Authentication Cache Service (ACS) Cookie Lifetime has expired. This condition can persist for up to five minutes.
Workaround: Browse a different website to re-authenticate to ACS and refresh the ACS cookie.
If you have IPv6 enabled in your Prisma Access deployment, the Private IPv4 address of mobile users (
) is displayed, but the IPv6 Private IPv6 address of mobile users is not.
IP precedence-based classification is not working for Prisma Access, when using either IPv4 or IPv6 IP addresses.
When you enable IPv6 for a single tenant in a multi-tenant deployment, the UI page refreshes and displays the
page, where you select the drop-down for all tenants.
When configuring mobile users DNS settings in the
Network Servicestab, you should not enter
Custom DNS ServerIP addresses (either IPv4 or IPv6) without also specifying a
Workaround: Specify a
If you add an IPv6 address pool to your Mobile Users—GlobalProtect deployment, select the regions to
Enable IPv6in the IPv6 Availability tab, and
Commit and Pushyour changes, the pools appear in the IPv6 Availability tab. If you then disable all regions, effectively disabling IPv6, and then
Commit and Pushyour changes, the IPv6 address pools still display in the IPv6 Address Pool tab.
Workaround: There is no workaround. If you later enable IPv6 for one or more regions, you can use the existing IPv6 address pool. You can also specify a different IPv6 address in the
IP Poolsand, after you commit and push your changes, the new IPv6 Address pool overwrites the existing addresses and displays in the IPv6 Availability tab.
When viewing or changing QoS settings for Remote Networks in
, a newly-added compute location or location does not display.
In addition, a newly-onboarded location does not display in the Site Allocation (Customize Per Site) page.
Workaround: Refresh the Panorama that manages Prisma Access.
In a multi-tenant deployment, you receive a
Configuration committed successfullymessage along with a
Not all Commit-All jobs got triggeredmessage.
Workaround: Either upgrade your Panorama to a minimum version of 10.1.4, or select
Commit and Push
Edit Selections, and in the
Prisma Accesstab, make sure that the
Push Scopeincludes the changes you made for the Prisma Access configuration. Depending on the changes you made, select one or more of the
Service Setup, and
If you are sinkholing IPv6 traffic, the policy rule hit counts for traffic that matches the IPv6 sinkhole policy do not increment when entering the CLI command
show rule-hit-count vsys vsys-name vsys1 rule-base security rules all.
IPv6-related choices under
are displayed, even if IPv6 is not enabled.
Workaround: If you do not have IPv6 enabled, do not select the
Exchange both IPv4 and IPv6 routes over IPv4 peering,
Exchange IPv4 routes over IPv4 peer and IPv6 routes over IPv6 peer, and
Exchange IPv6 routes over IPv6 peeringBGP peering choices.
In a multi-tenant deployment, admin users that have more than one access domain cannot configure new remote networks or service connections, and can only view what is already deployed.
Workaround: Create the access domain first, then select the access domain you created when you convert the single tenant to a multi-tenant setup.
When you select
Integrate with Prisma SD-WAN, the integration fails.
When downloading a large file (including but not limited to programs, browser extensions, or apps) using Explicit Proxy, if the download takes longer than the cookie lifetime, the download fails when the cookie expires.
If, after signing in to Explicit Proxy, you open a link that contains a file to download, the file downloads successfully but the Explicit Proxy sign-in page continues to display.
Workaround: Since the link contained a downloaded file, there is no page to display and the current page does not refresh. Select another webpage to navigate away from the sign-in page.
If you are using a Panorama with a version of PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote Network deployment from allocating bandwidth by location to allocating bandwidth by compute location, the migration banner displays the location names in an incorrect (large) font.
Workaround: No workaround is required. There is no change to the migration functionality; the only issue is with the font displayed during the migration.
When using Troubleshooting Commands (
) with Panoramas that are in High Availability mode, the commands cannot be run from the passive Panorama.
When configuring an Explicit Proxy deployment, if you onboard your deployment, then retrieve the Explicit Proxy public IP addresses, you will receive the active IP addresses to add to your allow list, but will not receive the pre-allocated backup IP addresses.
Workaround: Retrieve the Explicit Proxy IP addresses before you onboard your deployment by specifying an
If you delete an explicit proxy configuration and then reconfigure it within 10 minutes of its deletion, Prisma Access cannot properly process the new configuration and explicit proxy functionality could be affected.
Workaround: Wait at least 10 minutes after deleting an explicit proxy configuration before reconfiguring it.
When using Panorama 10.
xto manage Prisma Access, if you configure an Authentication Enforcement Profile under
and specify an Authentication Profile that resides in a Shared location, you receive an error when committing the changes.
Workaround: If you use a Panorama 10.
xto manage Prisma Access, do not use a shared Authentication Profile for any Authentication Enforcement Profile; instead, use an Authentication Profile that is under one of the Prisma Access Templates.
When using explicit proxy, there could be a delay when displaying user details under
Current User Countdue to a log ingestion issue between explicit proxy and Cortex Data Lake.
When performing a local commit or
Commit and Pushoperation, you receive the error
Internal Server Error: Failed to aggregate bandwidth configuration.
Workaround: Check the DNS configuration of the Panorama appliance that manages Prisma Access, and check that Panorama is able to contact your network's DNS servers, then retry the operation.
If, during Explicit Proxy onboarding, you onboard a large number of locations, the Explicit Proxy status might display its status incorrectly (for example, a status of ERROR might display when the onboarding was successful).
If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied.
Workaround: Upload a new PAC file with the same changes as you made in the Explicit Proxy URL.
If you change the proxy FQDN, the changes are not immediately reflected after the job status completes.
Workaround: Workaround: Wait 10 to 15 minutes for the changes to be reflected after the Job status shows as
There is a delay observed to populate the Rule Usage column on the Policies page.
Workaround: Refresh the page by clicking on the refresh button on the right side.
In addition, the Preview Rules tab does not display the Rule Hit counters.
Workaround: Click the
Rule Usagecolumn to display the Rule Hit count for the rule.
The maximum length of a URL that can be used with explicit proxy is 1280 characters.
WildFire logs show explicit proxy logs as having a source zone of Proxy. If you use a name of Proxy for Clean Pipe instances or remote networks, you will not be able to differentiate between explicit proxy logs and logs with the clean pipe or remote network name of Proxy.
Workaround: If you use explicit proxy, do not specify a name of Proxy for any Clean Pipe instances or remote networks.
page incorrectly shows the current number of users as 0.
When using Explicit Proxy, initial DNS Queries (first leg) and Initial HTTP connect messages (first logs) are not seen in the traffic logs in Panorama.
When you enter the
show pbf extended-address allcommand to retrieve the traffic steering cache, an FQDN displays with an asterisk, such as *.example.com.
Workaround: No workaround is required. The displayed FQDN is correlated to the FQDN server that presented the certificate.
When configuring a Mobile Users - GlobalProtect deployment using SAML authentication, you receive a
pangp.gpcloudservice.com is missing certificateerror when you commit your configuration changes.
Workaround: Add the missing certificate in your SAML IdP configuration by selecting
in Panorama and adding the certificate.
A webpage may contain links of resources from the domains other than the domain from where the webpage is served. Most modern browsers do not send any cookie along with the requests to get the resources from those third-party domains for security reasons. Since there is no cookie present to identify the user for those third-party domains, the user name cannot be logged in the traffic logs for those domains.
In addition, there will be some connections that Prisma Access redirects for authenticating a user. Logs for such connections will not have any username.
When using traffic steering, if you specify External Dynamic List that has an IP address and port, traffic is not forwarded to the target.
Workaround: Remove the port number from the IP address.
When using explicit proxy, if you update the cookie lifetime to a shorter lifetime than the previously configured value, the new lifetime value does not apply to users who are already logged in until the original longer life time expires. New users logging into the service receive the new shorter cookie life time.
Explicit proxy configuration changes are not applied to the configuration after a commit.
Workaround: If you are not seeing the changes after retrying the commit operation, contact Palo Alto Networks support.
If, when configuring Explicit Proxy, you upload a PAC file before committing and pushing your configuration changes, the PAC file configuration changes are not correctly processed.
Workaround: Commit and push your configuration changes before uploading the PAC file.
In a multi-tenant environment, tenant names with a period (
.) in the name cause configuration tabs to be grayed out after commit.
Workaround: Do not create tenants that have a period in their name.
When administrators log out a mobile user who is logged in using SAML from the Prisma Access status page (
), a Single Logout (SLO) request is not generated. As a result, the user is logged out of the gateway but is not logged out of the IdP, and if the client SAML cookie is still valid, the user can reconnect without having to input credentials.
Extra IPSec termination nodes are allocated to a compute location if you allocate bandwidth multiple times in a very short time interval.
When you allocate Bandwidth to a compute location from the Onboarding section, that allocation is not reflected immediately in the Bandwidth Allocation tab until you manually refresh the page.
Workaround: Manually refresh the Panorama that manages Prisma Access.
When you upgrade the Cloud Services plugin and then perform a commit operation, not all Prisma Access components are selected in the Push Scope.
Commit and Push
Edit Selectionsin the
Push Scope, and make sure that all Prisma Access components (
Mobile User, and
Clean Pipe, depending on your license) are selected before committing and pushing your changes.
When you change the name of a target service connection group for traffic steering, the updated target name does not display in the Traffic Steering Rules area.
Workaround: Refresh the Panorama browser.
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
Workaround: Use an IKEv2 (Phase 1) cryptographic profile of SHA1 on your customer premises equipment and in Prisma Access.
If a service connection loses both its active and backup connectivity, mobile users lose connectivity to users and resources connected to Remote Networks and Service Connections.
If you have two Panorama appliances configured in high-availability mode, the passive Panorama will display an
out of syncmessage during a commit and push operation.
Workaround: Open a command-line interface (CLI) session on both the passive and active Panorama and enter the following commands:
Prisma Access bypasses Traffic Steering for rules with a service type of HTTP or HTTPS if you use an application override policy for TCP ports 80 and 443.
In addition, traffic steering does not work for URLs from URL categories referenced in the traffic forwarding rule if you have configured an application override policy for TCP ports 80 or 443.
Mobile user route summarization is not supported in hot potato routing mode.
When using hot potato routing, Mobile User route summarization may add extra latency for traffic between mobile users and headquarters or branch traffic.
After you create a traffic steering rule with an IP address, IP address group, EDL, or custom URL category as a Shared object, make changes to any of those objects, and then commit and push your changes, only the Shared object displays in the Push Scope. Prisma Access device groups doesn't get displayed in the push scope.
Commit and Push
Edit Selectionsin the
Push Scope, and make sure that you select all device groups (
Mobile User, and
Clean Pipe, depending on your license) before committing and pushing your changes.
When adding or deleting URLs to a custom URL category, Prisma Access does not purge its cache, and the change does not immediately take effect.
Workaround: Perform one of the following actions:
To make sure that Prisma Access can distinguish between users if the same username is shared between users who authenticate locally and users who authenticate using LDAP, you should authenticate LDAP users in the format of domain/username and authenticate local users in the format of username (without the domain name).
Do not create any custom URL categories that start with
If Panorama access is disabled in an Admin Role Profile, you can still see the contents of the plugin, but the fields are read-only.
When you upgrade the Cloud Services plugin to 1.7, Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
Prisma Access prepends an asterisk to URLs in custom URL categories, which doubles the number of URLs entered in a custom URL category. Prisma Access supports a maximum of 300,000 URLs in URL category entries; if you use custom URLs for traffic steering and are close to this limit, the doubling of URLs might cause your deployment to exceed the limit of URLs.
If you used policy-based forwarding rules to forward internet-bound traffic to service connections in Prisma Access 1.6, Prisma Access makes the following additions to URLs in custom URL categories after you upgrade from 1.6 to 1.7:
If you already have added URLs with wildcards, Prisma Access might add URLs that duplicate existing URLs after the upgrade.
After you make configuration changes to an existing service connection or remote network connection (for example, changing the bandwidth, region, QoS, or BGP values), the job details in the Deployment Status page (
) might display a value of TIMEOUT, even if the job completed successfully.
Prisma Access does not support FTP data transfers in active mode.
When Prisma Access performs a dataplane upgrade on a mobile user instance (an upgrade to a Prisma Access gateway or portal), any failed commits on the instance that were performed before the upgrade will not be applied to the upgraded instance.
During a Prisma Access dataplane upgrade, BGP statistics may not be available for 30 minutes in the Network Details page. This unavailability has no impact on dataplane traffic.
If you use Microsoft Edge or Firefox when using traffic steering, the browser does not forward traffic on its first attempt.
Workaround: Refresh the browser, then retry the operation.
If, in a traffic steering deployment with multiple traffic forwarding rules, two URLs in two separate rules resolve to the same IP address, Prisma Access sends traffic to the first rule in the list and will not use the second traffic rule. Traffic steering evaluates multiple traffic forwarding rules in order from top to bottom.
For a Prisma Access deployment with two Panoramas configured in high availability, you are able to request an upgrade to the GlobalProtect software version on the passive Panorama. Software upgrade requests are not applied if you request them on the passive Panorama.
Workaround: Do not request software upgrades on the passive Panorama; only request upgrades using the active Panorama.
When using traffic steering, Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule.
Prisma Access does not support a rule type of Intrazone if the source and destination zones are both Trust.
When entering CLI to retrieve Prisma Access job status, an
invalid tokenmessage is received.
If you enable ECMP on a remote network, the values shown in the Statistics tab under
Ingress Peak Bandwidth (Mbps)are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.
When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.
Workaround:Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.
Some files are being skipped for DLP scanning when using OneDrive to upload multiple files.
When using DLP on Prisma Access, you can upload up to 25 files at a time.
When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.
Workaround:Log out, then log back in to Panorama.
If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click
Xto stop the download of those files.
DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.
If you change the master key in Panorama (in
), the master key for Cloud Services is not synchronized with this master key.
Master Key and Diagnostics
and manually change the master key to be the same as the Panorama master key.
Edit Master Key
When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.
When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.
Workaround:This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.
When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the
Data Filtering Profilearea.
In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches, but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however it no longer checks the OS type in these agent configs, and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria, but a non-matching OS type.
When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:
When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.
When setting up the GlobalProtect gateway connection settings (
) and specifying a Netmask to
Restrict Authentication Cookie Usage, the commit fails if only a
Source IPv4 Netmaskis specified.
Source IPv6 Netmaskof
0, which disables the option for the specified IP address type.
If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.
Reverse DNS queries do not work in Prisma Access.
Workaround:Because type A and AAAA queries for internal domains work, you can specify
*.in-addr.arpain a query so that Prisma Access sends all reverse DNS queries to internal DNS servers.
When performing a
Commit and Pushoperation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.
, then select
Retrieve license keys from license serverto retrieve the Clean Pipe licenses again.
If you add an existing template under one of the template stacks of Prisma Access (for example,
Remote_Network_Template_Stack), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.
Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.
In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.
When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.
Workaround:Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.
The Traffic Forwarding feature (
) is not supported with multi-tenant deployments.
When you log out a Prisma Access mobile user from the
Current Userswindow, the user still displays in the window after the logout operation.
Workaround:Close and then reopen the
Current Userswindow to show the correct user status.
If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.
When you try to configure an Infrastructure Subnet (
) in multi-tenant mode, you can receive an
Workaround:Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.
When you perform a
Commit Alloperation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access is displaying failures for portals under gateway status, and is displaying commit failures for gateways under portal status.
debug plugins cloud_services prisma-access get-job-result jobid
commit-job-id-numberis the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.
Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.
(for service connections) or
(for remote network connections), click the gear icon in the
Settingsarea to open the
Settings, then click
When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.
Workaround:Disable access to the Panorama tab in the Admin Role Profile.
When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.
Workaround:Change the default security rule to any service or service-http and service-https.
When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.
You cannot reset the rule hit count for all
Workaround:Reset rules using a list of rules or a rule name for
When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.
After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.
Workaround:Do not downgrade the Cloud Services plugin after you have upgraded it.
When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.
Workaround:When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.
When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of the your changes for the plugin (
) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.
Commit to Panorama
When using the multi-tenancy feature, users who manage single tenants cannot see the system logs. The
choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.
When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking
Tasksat the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must, use the Panorama user interface (UI).
If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.
Workaround:To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.
In an environment with on-premise firewalls on each side of Prisma Access and the remote network connections to which the on-premise firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround:Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out of synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service show a
Out of Sync.
Pushoperation on the Panorama.
The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer. And the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.
After you generate a new API key by selecting
, the previous API key is still valid for a period of time (up to five minutes). You use this API to retrieve the list of IP addresses for your Prisma Access firewalls.
Generate new API Key
For service and remote network connections that have BGP enabled, the Prisma Access ignores any route it receives from a neighbor with an AS number in its AS_PATH list that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).
If you have configured a
Notification URL, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.
When you configure the same AS number for the service connection and remote network location(s), the routes are not imported in to the firewall on the remote network location.
Mobile users cannot connect to remote network locations without a service connection.
When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.
page is grayed out when Panorama is not in sync with NTP.
Workaround:Make sure to synchronize time with NTP (
Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.
Enable HAcheck box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.
page is not available on the Panorama appliance running the Prisma Access plugin. You cannot configure NT LAN Manager (NTLM).
Although Panorama allows you to delete the Mobile_User_Template that was created when the Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.
When you onboard a new service connection or a remote network, the count for service connection and total remote peers displayed on
is inaccurate until the provisioning is complete.
On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.
You cannot configure the Prisma Access gateway as an internal gateway.
Recommended For You
Recommended videos not found.