Prisma Access Addressed Issues

The following topics describe issues that have been addressed in Prisma Access:

Prisma Access 2.1.0-h6 Innovation Addressed Issues

Issue ID
Description
CYR-19128
Fixed an issue where, after an upgrade from 2.0 Preferred to 2.1 Innovation, DNS proxy settings were removed in the UI and an error
domain-list-unexpected here
was displayed.
CYR-18703
Fixed an issue where, when configuring Explicit Proxy, a PAC file that was more than 2 KB could not be uploaded successfully. Explicit proxy supports a maximum PAC file size of 256 KB.
CYR-17039
Fixed an issue where, after clicking the
Monitor
tab to check service connection or mobile user details, the UI did not display pertinent data.

Prisma Access 2.1.0 Innovation Addressed Issues

Issue ID
Description
CYR-18368
Fixed an issue where, if you had a Prisma Access Edition license that is for Mobile Users only or Remote Networks only, the URL example that displayed in the API key window under the existing API endpoint section was incorrect.
CYR-17868
Fixed an issue where, when attempting to retrieve Logging Status information from Troubleshooting Commands (
Panorama
Cloud Services
Configuration
Service Setup
Service Operations
Troubleshooting Commands
) and selecting
All
locations or
All
remote networks, the request timed out.
CYR-17421
Fixed an issue where, when changing the Backbone Routing modes, administrators were not made aware that changing the modes could result in a brief interruption (up to two minutes) to the traffic flow between service connections.
CYR-17402
Fixed an issue where remote networks that aggregate bandwidth by compute location instead of by location could not be onboarded in bulk by exporting, modifying, and then importing a CSV file.
CYR-17274
Fixed an issue where, after a dataplane upgrade in a multi-tenant deployment, checking the status of a tenant from
Panorama
Cloud Services
Status
showed an inconsistent state.
CYR-16875
Fixed an issue where an administrator could not import a domain list in Mobile Users and Remote network configurations (
Panorama
Cloud Services
Configuration
Mobile Users / Remote Networks
Onboarding
Network Services
Internal Domain
Domain List
Import
) from any Windows client browsers.
CYR-16664
Fixed an issue where, if Directory Sync is enabled for explicit proxy, the current user count displayed as 0, but the 90 days count displayed correctly.
CYR-16662
Fixed an issue where, when in multi-tenant mode, an empty field displayed in the
Push Scope
.
CYR-16448
Fixed an issue where, on rare occasions, Open Shortest Path First (OSPF) links flapped.
CYR-14383
Fixed an issue where, when using an antivirus profile attached to a security policy rule, files were not being scanned during an FTP session.
CYR-13702
Fixed an issue where, when you selected
Panorama
Cloud Services
Status
Monitor
Cortex Data Lake
, the Service Status area displayed
No data to display
, even though Cortex Data Lake was working normally.

Prisma Access 2.0.0-h6 Innovation Addressed Issues

Issue ID
Description
CYR-17204
Fixed an issue where, during a restart or reboot of Panorama, existing cloud licenses were not being correctly detected.

Prisma Access 2.0.0-h5 Innovation Addressed Issues

Issue ID
Description
CYR-17240
Fixed an issue where the URL of the endpoint did not populate in the API Key window (
Panorama
Cloud Services
Configuration
Service Setup
Generate API Key
).
CYR-16972
Fixed an issue where invalid domain names with wildcards such as .panw.*local were not called out as invalid during a commit operation. Domain names with wildcards such as *.panw.local are allowed.

Prisma Access 2.0.0-h3 Innovation Addressed Issues

Issue ID
Description
CYR-17244
Fixed an issue where, after an upgrade from DLP on Prisma Access to the DLP plugin, there was a conflict between the Cloud Services plugin and the DLP plugin when rendering pages in the
Monitor
tab in Panorama.
CYR-17184
Fixed an issue where invalid domain names with wildcards such as .panw.*local were not called out as invalid during a commit operation. Domain names with wildcards such as *.panw.local are allowed.
CYR-17066
Fixed an issue where, in a multi-tenant deployment, exception errors were displayed because of inconsistent internal database entries.

Prisma Access 2.0 Innovation Addressed Issues

Issue ID
Description
CYR-16435
Fixed an issue where GlobalProtect user traffic did not correctly match Security policy rules that had host information profile (HIP) objects and profiles.
CYR-16423
Fixed an issue where Data Loss Prevention (DLP) did not support the upload of Office Open XML (OOXML) files generated from Google suite applications such as Google Docs, Slides, and Sheets.
CYR-15981
Fixed an issue where, in a multi-tenant deployment, exception errors were displayed because of inconsistent internal database entries.
CYR-15904
Fixed an issue where, after selecting Enable automatic IKE peer host routes for Remote Networks and Service Connections, the static IKE peer host route IP address was not installed.
CYR-15867
Fixed an issue where an error was received while generating a client certificate using CLI. This certificate allows communication between the GlobalProtect app and Cortex Data Lake.
CYR-15321
Fixed an issue where, when mobile users were logging in to GlobalProtect, the one-time push (OTP) window that had the information required to log in using multi-factor authentication (MFA) was hidden behind the MFA window.
CYR-15099
Fixed an issue where new shared objects that are created after enabling multi-tenancy are not available for selection in a traffic steering rule.
CYR-15042
Fixed an issue where auto-population of users and user groups from a master device were not supported in multi-tenant mode.
CYR-14961
Fixed an issue where, because an internal symmetric check was removed for traffic between service connections (Corporate Access Nodes) starting with Prisma Access 2.0 Preferred, some datacenter-to-datacenter (service connection-to-service connection) traffic originating from or behind a service connection might be logged twice.
CYR-14876
Fixed an issue where, if you edit traffic steering rules or enable a default route over service connections after you migrate from single tenant to multi-tenant mode, the push scope for Prisma Access Device Groups is not populated.
CYR-14584
Fixed an issue where UDP packets that Prisma Access received between 1439 and 1500 bytes were dropped in some situations (for example, if NAT Traversal is enabled).
CYR-14535
Fixed an issue where, because an internal symmetric check was removed for traffic between service connections (Corporate Access Nodes) starting with Prisma Access 2.0 Preferred, some datacenter-to-datacenter (service connection-to-service connection) traffic originating from or behind a service connection could bypass an application override.
CYR-14382
Fixed an issue where, when using WildFire in remote network deployments, if you upgraded your Prisma Access dataplane to a version of 10.0.3 or later, you could not retrieve the latest WildFire signatures in real-time.
CYR-13370
Fixed an issue where External Dynamic Lists (EDLs) were not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
CYR-10623
Fixed an issue where, when you checked the status in a multi-tenant deployment by selecting
Panorama
Cloud Services
Status
, the information in the
All Tenants
area displayed twice.
CYR-10387
Fixed an issue where, if you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles were synchronized across all instances.

Prisma Access 1.8.0-h3 Addressed Issues

Issue ID
Description
CYR-16148
Fixed the following issues when viewing the status information for a Clean Pipe deployment:
  • Status showed as not being configured when it was configured.
  • Status information was out of sync with the actual configuration.

Prisma Access 1.8.0-h2 Addressed Issues

Issue ID
Description
CYR-15981
Fixed an issue where, in a multi-tenant deployment, exception errors were displayed because of inconsistent internal database entries.
CYR-15904
Fixed an issue where, after selecting
Enable automatic IKE peer host routes for Remote Networks and Service Connections
, the static IKE peer host route IP address was not installed.
CYR-15867
Fixed an issue where an error was received while generating a client certificate using CLI. This certificate allows communication between the GlobalProtect app and Cortex Data Lake.

Prisma Access 1.8.0-h1 Addressed Issues

Issue ID
Description
CYR-15346
Fixed an issue where data filtering profiles were not being created for mobile user device groups.

Prisma Access 1.8 Addressed Issues

Issue ID
Description
CYR-15095
Fixed an issue where, when using Panoramas with a version of 10.0 to manage Prisma Access, if you reference an EDL with a Type of Predefined URL List in a security policy rule, commits failed with an error indicating a disallowed keyword, invalid reference, or invalid category.
CYR-14902
Fixed an issue where, if you allocated bandwidth when onboarding a remote network location and then reselected the same location or choose another location in the same compute location without clicking
OK
, the allocate bandwidth window redisplayed.
CYR-14278
Fixed an issue where, when you make changes to traffic steering forwarding rules, then commit and push your changes, your changes do not appear in the Push Scope.
CYR-14259
Fixed an issue where, when you created a traffic forwarding rule for traffic steering, predefined URL categories might display as choices.
CYR-13772
Fixed an issue where External Dynamic Lists (EDLs) were not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
CYR-13652
Fixed an issue where, if you configured traffic steering in multi-tenancy mode, the Target Service Connections did not display in the policy-based traffic steering rule.
CYR-13290
Fixed an issue where, if you were using URLs or URL categories as a match criteria in a policy-based forwarding rule for traffic steering, the initial packets (for example, a TCP handshake) intermittently did not match the rule for the users who connected to a matching URL for the first time.

Prisma Access 1.7.0-h4 Addressed Issues

Issue ID
Description
CYR-15407
Fixed an issue where Cortex Data Lake experienced errors when processing scheduled report requests.

Prisma Access 1.7.0-h3 Addressed Issues

Issue ID
Description
CYR-14607
Fixed an issue where mobile user gateways were temporarily not associated with a tenant.

Prisma Access 1.7.0-h2 Addressed Issues

Issue ID
Description
CYR-14121
Fixed an issue where commit operations failed with a message that indicated that the size of the configured IP address pool was not sufficient for the number of locations for a mobile users deployment, even though the IP address pool was sufficient.
CYR-14041
Fixed an issue where commit operations failed with a
primary-public-dns is invalid
error message.
CYR-13909
Fixed an issue where the
Panorama
Cloud Services
Status
page had a status of
Loading
and status details would not load.

Prisma Access 1.7.0 Addressed Issues

Issue ID
Description
CYR-13442
Fixed an issue where, when configuring the GlobalProtect gateway settings for Prisma Access (
GlobalProtect
Gateways
Authentication
), a new profile could not be added.
CYR-13246
Fixed an issue where, when using Prisma Access with DNS sinkholing, you needed to add rules to allow DNS traffic to both trust and untrust zones to allow inspection of DNS traffic.
CYR-13030
Fixed an issue where users with a non-Admin account could not log in to Prisma Access that had multi-tenancy enabled.
CYR-12710
Fixed an issue when, after a push operation was performed for Prisma Access mobile users, the Prisma Access gateways and portals went into maintenance mode.
CYR-12692
Fixed an issue where, after importing a domain list that contained wildcards into Prisma Access, the asterisks (
*
) were removed from the domains in the list.
CYR-12574
Fixed an issue where some Prisma Access gateways were not set correctly as external gateways (Prisma Access gateways are always set as external gateways).
CYR-12427
Fixed an issue where, after disabling
Enable Secondary WAN
with service connections that had BGP enabled, commit failures occurred.
CYR-12403
Fixed an issue where, when using service connections to forward internet-bound traffic, multiple traffic forwarding rules were not processed in a top-down manner.
CYR-12298
Fixed an issue where, after selecting Accept Default Routes over Service Connections, or after configuring forwarding rules for traffic steering, and then committing your changes, the Prisma Access components did not display in the Push Scope.
CYR-12133
Fixed an issue where, when exporting
Users (Last 90 days)
information to a CSV file, the CSV formatting was incorrect.
CYR-12113
Fixed an issue where detailed HIP reports were not available after an infrastructure upgrade.
CYR-11627
Fixed an issue where, when the User-ID agent is configured, the current user count showing in Panorama could be less than the actual login count.
CYR-11532
Fixed an issue where, if you used traffic forwarding rules with service connections and you had a traffic rule configured with the
Source
as a specific region and the
URL
included a wild card, and the source address of the traffic did not match the rule, the URL specified in the rule could not be reached.
CYR-11504
Fixed an issue where, if you configured a remote network for secure inbound access to a remote network site, you should not configure a service connection to redirect mobile user and remote network internet traffic using policy-based forwarding (PBF) traffic forwarding rules because the two functionalities were not compatible.
CYR-11173
Fixed an issue where SAML authentication was failing when using a Safari browser.
CYR-9007
Fixed an issue where, when you uploaded multiple files, and one file exceeded the maximum latency or maximum file setting, any remaining files in the upload queue were not scanned.

Prisma Access 1.6.1 Addressed Issues

Issue ID
Description
CYR-12146
Fixed an issue where Prisma Access was not advertising mobile user subnets through BGP.
CYR-11781
Fixed an issue where the API script was returning extra portal IP addresses when requesting gateway IP addresses.
CYR-11459
Fixed an issue where, when a client tries to log in to the auto-scaled gateway, the MFA response lands on the incorrect gateway.
CYR-11444
Fixed an issue where user-to-IP address mapping entries showed
Never
as the idle timeout and maximum timeout values instead of showing the actual values.

Prisma Access 1.6.0-h1 Addressed Issues

Issue ID
Description
CYR-11851
Fixed an issue where AS-PATHs were not prepended correctly for a backup service connection in a multi-tenant environment.
CYR-11840
Fixed an issue where user names with special characters were not reported correctly.
CYR-11822
Fixed an issue where, in a multi-tenant deployment, hot potato routing-related configuration did not become enabled for a tenant.
CYR-11760
Fixed an intermittent issue where logs were delayed or missing when querying for logs by applying filters. To leverage this fix, you must upgrade your minimum Panorama version to 9.0.9 as well as upgrade the Cloud Services plugin to 1.6.0-h1.
CYR-11752
Fixed an issue where, when using a Panorama running PAN-OS 9.1 in multi-tenant mode and logging in as a tenant-level user, you could not add remote networks or configure mobile users.
CYR-10789
Fixed an issue where traffic statistics for remote networks exceeded the configured bandwidth (for example, a remote network configured for 300 Mbps might show an ingress or egress peak bandwidth that is higher than 300 Mbps.)

Prisma Access 1.6.0 Addressed Issues

Issue ID
Description
CYR-11467
Fixed an issue where, when you checked the Cortex Data Lake Status at
Panorama
Cloud Services
Status
Status
Cortex Data Lake
, the statistics displayed there did not display accurate storage and retention information.
CYR-11159
Fixed an issue where a SIP Message is not parsed correctly when a packet is received in separate segments, which caused the receiver to receive a corrupted message.
CYR-11037
Fixed an issue where multiple GlobalProtect portals in Prisma Access were not being selected in the correct order (GlobalProtect was caching the previous profile that was used).
CYR-10838
Fixed a firewall issue on firewalls where a process (
userid
) restarted while processing incorrect IP address-to-username mappings that contained blank usernames from User-ID agents.
CYR-10836
Fixed an issue where, after enabling a Cortex Data Lake license, the management plane memory utilization would increase unexpectedly when some connections between the firewall and Customer Support Portal server were blocked, leading to multiple process restarts due to an out-of-memory (OOM) condition.
CYR-10835
Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error, even if the firewall had the same certificate on IdP.
CYR-10734
Fixed an issue where a Commit and Push operation from Panorama failed in passive firewalls when pushing a large number of new Security policy rules to both firewalls in a high availability (HA) pair.
CYR-10728
Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to a buffer allocation failure. Some connections failed with a
proxy decrypt failure
message.
CYR-10655
Fixed an issue where a Commit operation failed because of memory and deadlock issues in the Prisma Access infrastructure.
CYR-10569
Fixed an issue where an administrator could not create a large number of additional remote network tunnels in a multi-tenant configuration.
CYR-10474
Fixed an issue where Prisma Access was using the management interface for certificate revocation list (CRL) checks (the management interface is not supported in Prisma Access).
CYR-10444
Fixed an issue where, when using DLP on Prisma Access, you can configure a security policy in a non-Prisma Access device group; however, if you are using the same parent device group for on-premise firewalls and Prisma Access firewalls, committing your changes will fail, because the on-premise firewalls do not have references to the data filtering profile in the Prisma Access device group.
CYR-10319
Fixed an issue where Prisma Access could not display the Verify Account window to enter the one-time password (OTP) for account verification.
CYR-10303
Fixed an issue on the firewalls where the dataplane restarted unexpectedly when processing HTTP/2 traffic if packet-diag debugs were enabled.
This fix is available in PAN-OS releases 9.0.6 and later and 9.1.0 and later.
CYR-10239
Fixed an issue where logs for the Clean Pipe service were not being forwarded to Cortex Data Lake.
If you continue to encounter this issue, select
Panorama
Cloud Services
Clean Pipe
, click the gear icon in the
Settings
area to edit the settings, click
OK
, then perform a push operation to the Clean Pipe service.
CYR-9751
Fixed an issue where, after installing the plugin but before the account has been verified with a one-time password (OTP), Panorama could not retrieve the logs from Cortex Data Lake.
CYR-9698
Fixed an issue where users were experiencing connection failures to the India West Prisma Access location.
CYR-9638
Fixed an issue where WildFire logs were not displaying in Cortex Data Lake because a new enum was added in the subtype of threat logs for next-generation firewalls, which changed the integer value of the subtype.
CYR-9540
Fixed an issue where the Detailed Log View of DLP data filtering logs from one location could not be viewed if the Panorama running Prisma Access was in another location.
CYR-9079
Fixed an issue where certificate profiles do not display in the HIP Objects' certificate profile (
Objects
GlobalProtect
HIP Objects
<hip-object-name>
Certificate
Certificate Profile
) if the HIP object is
Shared
(that is, not under a specific device group).
CYR-7814
Fixed an issue where secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.
CYR-3968
Fixed an issue where remote network statistics (
Panorama
Cloud Services
Status
Remote Networks
Status
and
Panorama
Cloud Services
Status
Remote Networks
Statistics
) can take up to 1 minute to display after a traffic event occurs.

Prisma Access 1.5.1 Addressed Issues

Issue ID
Description
CYR-9826
Fixed an issue where some applications, URLs, and threats could not be properly identified.
CYR-9626
Fixed an issue where onboarding a Clean Pipe instance failed with the message
Fail to load completions for regions from cloud service
.
CYR-9502
Fixed an issue where, when the bandwidth for a remote network was changed, a new Service IP address was created for the remote network, instead of retaining its existing service IP address. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
CYR-9394
Fixed an issue where, when mobile users were using the Clientless VPN application, they were not being directed to the company-specific domain name and instead were being redirected to the Prisma Access-specific domain
companyname
.gpcloudservice.com
. In addition, when using Microsoft SAML, users were being redirected to
https://
companyname
.gpcloudservice.com:443/SAML20/SP
.

Prisma Access 1.5.0 Addressed Issues

Issue ID
Description
CYR-9179
Fixed an issue where searches did not work in Route Information Base (RIB) queries.
CYR-8945
Fixed an issue where mobile users in the Costa Rica location were getting the Canada East location as an alternative gateway, although other gateways had a better latency.
CYR-8836
Fixed an issue where mobile users were experiencing intermittent timeouts when authenticating.
CYR-8787
Fixed an issue where, when you Commit and Push changes to the Prisma Access security infrastructure, the Push Scope did not display the device group or template that was changed.
CYR-8712
Fixed an issue where SAML authentication failed with a
Failure while validating the signature of SAML
message, even though the certificates on IDP and firewall side are identical.
CYR-8467
Fixed an issue where a commit and push operation did not get distributed to the entire Prisma Access infrastructure.
CYR-8461
Fixed an issue where Prisma Access was sending logs that indicated that NTP was having synchronization issues.
CYR-8447
Fixed an issue where Public ASN numbers were not allowed when onboarding a Clean Pipe.
CYR-8408
Fixed an issue where the Clean Pipe Pairing Key was incorrectly spelled in the Cloud Services plugin user interface.
CYR-8382
Fixed an issue where, when the Manual option was checked in the Portal config, and
Manual Gateway Locations
were selected during mobile user onboarding, a push attempt failed with a
manual constraints failed
error message.
CYR-8381
Fixed an issue where users could not reach the internet after
Overlapped Subnets
was enabled for two remote network connections.
CYR-8238
Fixed an issue where the Local RIB and RIB Out tabs under
Panorama
Cloud Services
Status
Network Details
Service Connection
Show BGP Status
and
Panorama
Cloud Services
Status
Network Details
Remote Networks
Show BGP Status
are displaying null pages.
CYR-8224
Fixed an issue where a large number of login and timeout events were being experienced from the Prisma Access gateway.
CYR-6271
Fixed an issue where a connection from the GlobalProtect app to the Prisma Access portal was timing out with a
Portal Not Found
error.
CYR-5388
Fixed an issue where a service connection was showing a status of
Down
even though the IPSec tunnel was up.
CYR-950
Fixed an issue where you could not view detailed information on HIP Match logs on
Monitor
Logs
HIP Match
.

Prisma Access 1.4.0-h2 Addressed Issues

Issue ID
Description
CYR-8447
Fixed an issue where Public ASN numbers were not allowed when onboarding a Clean Pipe.
CYR-8408
Fixed an issue where the Clean Pipe Pairing Key was incorrectly spelled in the Cloud Services plugin user interface.
CYR-8350
Fixed an issue where customers with only a Mobile Users license could not enable multi-tenancy.
CYR-8251
Fixed an issue where a mobile users commit operation failed with an error of
hostname should end with .gpcloudservice.com
.

Prisma Access 1.4 Addressed Issues

In addition to the following issues, GPC-8189 has been addressed, which affected GlobalProtect app users who select a manual gateway.
Issue ID
Description
CYR-7662
Fixed an issue where a Panorama appliance with the Cloud Services plugin installed (managing Prisma Access or Cortex Data Lake) failed to authorize one-time-password (OTP) submissions during the onboarding process.
CYR-6521
Fixed an issue where, when configuring multi-tenancy, the push scope is not automatically populated when changes are made to sub-tenant templates.
Workaround:
Select
Commit
Commit and Push
and
Edit Selections
in the Push Scope.Then select
Prisma Access
and select the tenant and service for which you want to make the changes, then select
Commit and Push
.
CYR-6416
Fixed an issue where, after upgrading from the Cloud Services plugin 1.3.0 to 1.3.1, previously-onboarded Mobile User locations can become deselected in the Onboarding area (
Panorama
Cloud Services
Configuration
Mobile Users
Configure
Locations
). All locations are still active, functional, and visible in the Status area (
Panorama
Cloud Services
Status
Monitor
Mobile Users
).
Workaround:
This is a rare occurrence. If your deployment experiences this issue, select
Panorama
Cloud Services
Configuration
Mobile Users
Configure
, click the
Locations
tab, re-select the gateways you previously onboarded, then
Save
and
Commit
your changes.
CYR-6332
Fixed an issue where logged-in Clientless VPN users are not listed in the Mobile Users Status page (
Panorama
Cloud Services
Status
Status
Mobile Users
).
CYR-6051
Fixed an issue where, when configuring multi-tenancy, when you delete a tenant, the system also deleted the templates and template stacks associated with the tenant. This can cause issues with on-premise firewalls or other devices that also use these templates.
Workaround:
Create unique template stacks and templates for each tenant, and do not share them with any other devices.
CYR-5984
Fixed an issue where, when using the multi-tenant feature and logging in to a single tenant as a tenant-specific administrative user, the screen became blank and you cannot view the tenant information.
Workaround:
Select
Panorama
Cloud Services
Status
or
Panorama
Cloud Services
Configuration
and click the Refresh button (on the top right next to the Help button). It can take up to 10 seconds for the screen to display the tenant's configuration.

Prisma Access 1.3.1-h5 Addressed Issues

Issue ID
Description
CYR-6834
Fixed an issue where, when you upgraded the Cloud Services plugin and accessed the
Panorama
Cloud Services
Configuration
Mobile Users
page, you received an error that the portal hostname was invalid.

Prisma Access 1.3.1-h4 Addressed Issues

Issue ID
Description
CYR-6897
Fixed an issue where, when onboarding a remote network connection that was within the licensed bandwidth allocation, a message displayed indicating that there wasn't enough licensed bandwidth.

Prisma Access 1.3.1-h3 Addressed Issues

Issue ID
Description
CYR-6608
Fixed an issue where account verification failed when proxy servers are used with the Panorama appliance and the DNS servers are internal only.
CYR-6606
Fixed an issue where you could not see the QoS Profile choice in Panorama, in
Network
Network Profiles
QoS Profile
. You should see this choice in the
Service_Conn_Template
and the
Remote_Network_Template
, but not in the
Mobile_Users_Template
.
CYR-6557
Fixed an issue where, after upgrading to 1.3.1, commits failed with an error indicating that mobile user regions were not set.

Prisma Access 1.3.1 Addressed Issues

Issue ID
Description
CYR-6131
Fixed an issue where the Online Help pages in the multi-tenancy area did not display the information for multi-tenancy in the topic that displays.
CYR-6105
Fixed an issue where a remote network could not be onboarded; clicking
OK
did not close the configuration window.
CYR-6006
Fixed an issue where an infrastructure subnet could not be specified on M-600 devices.
CYR-5793
Fixed an issue where, when you viewed mobile user information in the
Panorama
Cloud Services
Status
Status
area, users who are logged into multiple devices using the same gateway appeared in the list of logged-in users and previously logged-in users only once. The list correctly displayed the multiple device information if users were logged into multiple devices using different gateways.
CYR-5720
Fixed an issue where, when assigning IP address pools, if the total number of IP addresses for all regions equals 4,096, you receive a popup window that you need to configure a minimum of 4,096 addresses, even though you have configured the minimum.
CYR-5304
Fixed an issue where the addition of a new device group (
Service_Conn_Device_Group
) could cause commit-related errors.
CYR-4891
Fixed an issue where notifications for loopback IP (loopback_ip) addresses were not being sent when the loopback IP address changes.

Prisma Access 1.3.0-h6 Addressed Issues

Issue ID
Description
CYR-6267
Fixed an issue where the Cloud Services plugin displayed a blank screen after the Panorama virtual appliance was upgraded to 8.1.6.

Prisma Access 1.3.0 Addressed Issues

Issue ID
Description
CYR-5382
Fixed an issue where, after you upgrade the Panorama on which your Prisma Access plugin resides, you needed to Commit and Push your Prisma Access configuration. To do so, click
Commit
Commit to Panorama
and click
Commit
Commit and Push
. Then, click
Edit Selections
Prisma Access
, and select
Prisma Access for remote networks
,
Prisma Access for mobile users
, and
Prisma Access for service setup
. Then click
OK
and
Push
.
CYR-5360
Fixed an issue where policy rule hit counts for security policies that were renamed or deleted were appearing when using CLI commands.
CYR-5243
Fixed an issue where mobile users could not manually connect to a Prisma Access gateway because of a DNS resolution error.
CYR-5186
Fixed an issue where mobile users could not connect to a Prisma Access gateway because a DNS lookup resolved to multiple IP addresses.
CYR-5153
Fixed an issue where, if you had enabled BGP on your service connections or remote networks, when you viewed the
Show BGP status
table (available from
Panorama
Cloud Services
Status
Network Details
Service Connection
and
Panorama
Cloud Services
Status
Network Details
Remote Networks
), only the first 256 entries were shown in the
RIB-In
tab.
CYR-5089
Fixed an issue where downgrading the Panorama appliance from PAN-OS release 8.1 to 8.0 could cause the Prisma Access configuration to lose synchronization.
CYR-4980
Fixed an issue where, when using multi-tenancy, you could not create users with the ability to configure and manage a single tenant.
CYR-4876
Fixed an issue where threat packet captures could not be downloaded from the Cortex Data Lake. You must upgrade your Panorama to PAN-OS 8.1.6 to fix this issue.
CYR-4697
Fixed an issue where Network Address Translation-Traversal (NAT-T) was disabled by default. Enabling NAT-T allows customers to connect devices behind NAT to service connections and remote networks without having to enable NAT-T. If you use an Encapsulated Security Protocol (ESP) instead of UDP port 4500 and your peer is not behind NAT, you should disable NAT-T.
CYR-3344
Fixed an issue where, in Panorama, selecting
Network
GlobalProtect
Portals
GlobalProtect-portal-config
Agent
agent-config
App
and changing
Allow User to Disable GlobalProtect App
from
Allow
to
Allow with Ticket
did not display an 8-character hexadecimal ticket request number.
CYR-2437
Fixed an issue where, if configured Panorama to use a proxy server (
Panorama
Setup
Services
Proxy server
), all traffic to the Prisma Access and the Cortex Data Lake would bypass the proxy server.

Prisma Access 1.2.0-h2 Addressed Issues

Issue ID
Description
CYR-5074
Fixed an issue where, after upgrading to Prisma Access version 1.2 from a Panorama appliance running release 8.0, remote network and BGP information is missing from the
Panorama
Cloud Services
Status
Network Details
Remote Networks
area. In addition, BGP information is missing from the
Panorama
Cloud Services
Status
Network Details
Service Connection
area.

Prisma Access 1.2.0 Addressed Issues

Issue ID
Description
CYR-4695
Fixed an issue where insufficient internal DNS domains were available in the Prisma Access mobile users configuration. The maximum number of DNS domain entries is now 1,024.
CYR-4542
Fixed an issue where mobile users were being routed to a Prisma Access gateway in a region that were farther from their location than other gateways.
CYR-4495
Fixed an issue where the Cortex Data Lake license was displaying a different region than the region for which it had been registered.
CYR-4261
Fixed an issue where a valid commit operation failed with the reason
ssl-tls-service-profile 'SSL_FOR_GPaaS_Cert' is not a valid reference
.
CYR-4250
Fixed an issue where a DNS CNAME to another DNS name was not resolving to an IP address.
CYR-4246
Fixed a reporting issue where the peak bandwidth time was not displaying when you hover over the fields in
Panorama
Cloud Services
Status
Remote Networks
Statistics
Ingress Peak Bandwidth (Mbps)
and
Egress Peak Bandwidth (Mbps)
fields.
CYR-4188
Fixed an upgrade issue where a commit failed with the error
Validation Failure - plugins > cloud_services > logging-service not expected here
.
CYR-4122
Fixed an issue where the status and usage statistics displayed on
Panorama
Cloud Services
Status
Monitor
was reset for
Peak Ingress Egress Throughput
,
Peak Egress Throughput
,
Peak Ingress Egress Throughput Timestamp
, and
Peak Egress Throughput Timestamp
. This reset occurred after a maintenance window for the Prisma Access or on an HA failover of the remote network firewalls in the cloud infrastructure.
CYR-4082
Fixed an issue where the
Show BGP Status
link on
Panorama
Cloud Services
Status
Network Details
did not always display BGP status information.
Workaround
: Refresh the BGP status window to fetch the information.
CYR-4047
Fixed a commit synchronization issue where a commit operation was not synchronized correctly with other commit operations.
CYR-4013
Fixed a consistent naming issue so that parameters in the command to retrieve the Public IP (Egress IP) and Loopback IP addresses are more descriptive. In the $fwType area, gpcs_gw is changed to gpcs_gp_gw, gpcs_pt is changed to gpcs_gp_portal, and remote_network is changed to gpcs_remote_network. In the $addrtype area, egressip is changed to public_ip and loopbackip is changed to loopback_ip.
CYR-3667
Fixed a statistics display issue where all records in the
Panorama
Cloud Services
Status
Remote Networks
Statistics
area were not being displayed.
CYR-3397
Fixed an update issue where Apple device and iOS updates could not be downloaded from the internet.
CYR-2876
Fixed an issue where only subnets greater than or equal to /19 could be specified for the IP address pool for mobile users. Now, you can specify a minimum of a /20 subnet (minimum of 4,096 available IP addresses) in different regions or globally.
CYR-2657
Fixed an issue where the plugin was unable to get the default GlobalProtect Portal domain. A fix has been added to renew the Cortex Data Lake certificate automatically. Previously, the error message
The plugin is unable to get the default GlobalProtect Portal domain
displayed. This issue could have occurred when you completed the one-time password (OTP) account verification process when only the Cortex Data Lake license was activated in Panorama, and then activated the Prisma Access licenses for remote networks or mobile users.
Workaround:
To fix this issue, redo the OTP verification by navigating to Panorama, selecting
Panorama
Cloud Services
Configuration
, and clicking
Verify
.

Prisma Access 1.1.0 Addressed Issues

Issue ID
Description
CYR-3508
Fixed a bulk import issue that occurred when you exported your existing remote network configuration with dynamic IP addresses for both the Primary Peer and the Secondary Peer, and then imported that configuration back in to Panorama.
CYR-3314
You can now authenticate mobile users to GlobalProtect gateways in the cloud using SAML authentication.
CYR-3036
Fixed a license validation error that prevented you from allocating more bandwidth to a remote network that you had already onboarded.
CYR-3013
Fixed a display issue with duplicate entries on
Panorama
Cloud Services
Status
Monitor
for cloud firewalls in each region where you had onboarded remote networks.
CYR-2924
The logs on Panorama display the message:
Unableto connect to API gateway
. You can ignore this message because the firewalls can successfully communicate with Cortex Data Lake.
CYR-2888
Fixed an issue where, for IPSec tunnels configured with Proxy IDs, Panorama does not display the IPSec tunnel status accurately even though the tunnel is up.
Workaround:
Remove the Proxy ID configuration for the IPSec tunnel.
CYR-2662
Fixed a display issue that occurred when you reinstalled the cloud services plugin and loaded a previously saved Prisma Access configuration snapshot.
CYR-2199
The certificate warning no longer displays when an Android device connects to the GlobalProtect portal that uses the default domain.
CYR-445
The Prisma Access firewalls can now ingest User-ID mappings using the User-ID Syslog listener.

Recommended For You