Prisma Access Known Issues

Prisma Access has the following known issues.
Issue ID
Description
CYR-17077
If you delete an explicit proxy configuration and then reconfigure it within 10 minutes of its deletion, Prisma Access cannot properly process the new configuration and explicit proxy functionality could be affected.
Workaround: Wait at least 10 minutes after deleting an explicit proxy configuration before reconfiguring it.
CYR-17066
This issue is now resolved in plugin version 2.0.0-h3. See Prisma Access 2.0.0-h3 Innovation Addressed Issues.
In a multi-tenant deployment, exception errors are displayed because of inconsistent internal database entries.
CYR-17024
When using Panorama 10.x to manage Prisma Access, if you configure an Authentication Enforcement Profile under Objects > Authentication and specify an Authentication Profile that resides in a Shared location, you receive an error when committing the changes.
Workaround: If you use Panorama 10.x to manage Prisma Access, do not use a shared Authentication Profile for any Authentication Enforcement Profile; instead, use an Authentication Profile that is under one of the Prisma Access Templates.
CYR-16801
When using explicit proxy, large HTTP file downloads are frequently interrupted.
Workaround: Keep resuming the download until the file is completely downloaded. This issue is not seen when downloading HTTPS files.
CYR-16789
When performing a local commit or Commit and Push operation, you receive the error "Internal Server Error: Failed to aggregate bandwidth configuration".
Workaround: Check the DNS configuration of the Panorama appliance that manages Prisma Access, and check that Panorama is able to contact your network's DNS servers, then retry the operation.
CYR-16674
If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied.
Workaround: Upload a new PAC file with the same changes as you made in the Explicit Proxy URL.
CYR-16673
If you change the proxy FQDN, the changes are not immediately reflected after the job status completes.
Workaround: Wait 10 to 15 minutes for the changes to be reflected after the Job status shows as Completed on Panorama.
CYR-16666
When using explicit proxy, the current user count and 90 day user count functionality is not populated for customers who have onboarded their tenant in the Africa, Europe & Middle East and Asia, Australia, & Japan theaters. Onboarded locations in the North America & South America locations report their user count correctly.
CYR-16665
When using explicit proxy, the IP address might not be correct in the Current Users area. The correct value displays in the Traffic logs and in other areas in explicit proxy.
CYR-16664
If Directory Sync is enabled for explicit proxy, the current user count displays as 0, but the 90 days count displays correctly.
CYR-16662
When in multi-tenant mode, an empty field displays in the Push Scope.
CYR-16642
There is a delay in populating the Rule Usage column on the Policies page.
Workaround: Refresh the page by clicking the refresh button on the right side.
In addition, the Preview Rules tab doesn't display the Rule Hit counters.
Workaround: Click the Used link in the Rule Usage column to display the Rule Hit count for the rule.
CYR-16615
The maximum length of a URL that can be used with explicit proxy is 1280 characters.
CYR-16583
WildFire logs show explicit proxy logs as having a source zone of Proxy. If you use a name of Proxy for Clean Pipe instances or remote networks, you will not be able to differentiate between explicit proxy logs and logs with the clean pipe or remote network name of Proxy.
Workaround: If you use explicit proxy, do not specify a name of Proxy for any Clean Pipe instances or remote networks.
CYR-16580
The Panorama > Cloud Services > Status > Monitor > Mobile Users > Explicit Proxy page incorrectly shows the current number of users as 0.
CYR-16571
If you have an evaluation license for explicit proxy and you receive a pop-up window notifying you when the license expires, a message displays that shows the gpaas service twice.
CYR-16549
After a commit and push operation, jobs either become stuck in init state or fail to complete.
Workaround: The issue might be with an EDL update being processed at the same time as the commit operation. To work around the issue, select Objects > External Dynamic Lists and change the Check for updates setting from Every five minutes to Hourly or later.
CYR-16130
When configuring a Mobile Users - GlobalProtect deployment using SAML authentication, you receive a "pangp.gpcloudservice.com is missing certificate" error when you commit your configuration changes.
Workaround: Add the missing certificate in your SAML IdP configuration by selecting Device > Mobile_User_Template > Authentication Profile in Panorama and adding the certificate.
CYR-16097
A webpage may contain links to resources from domains other than the domain from which the webpage is served. For security reasons, most modern browsers do not send any cookie along with the requests for resources from those third-party domains. Because no cookie is present to identify the user for those third-party domains, the user name cannot be logged in the traffic logs for those domains.
In addition, there will be some connections that Prisma Access redirects for authenticating a user. Logs for such connections will not have any username.
CYR-16073
When using traffic steering, if you specify an External Dynamic List that has an IP address and port, traffic is not forwarded to the target.
Workaround: Remove the port number from the IP address.
CYR-16015
If you update the cookie lifetime to a shorter lifetime than the previously configured value, the new lifetime value is not updated for websites or internet domains that mobile users have previously visited.
CYR-15926
Explicit proxy configuration changes are not applied to the configuration after a commit.
Workaround: If you are not seeing the changes after retrying the commit operation, contact Palo Alto Networks support.
CYR-15874
IdP authentication failures cause an 'internal server error' message to be displayed to the mobile user.
CYR-15338
In a multi-tenant environment, tenant names with a period (.) in the name cause configuration tabs to be grayed out after commit.
Workaround: Do not create tenants that have a period in their name.
CYR-15333
After you remove the LDAP group mapping configuration, Prisma Access loses the group mapping retrieved from Directory Sync.
CYR-15267
When administrators log out a mobile user who is logged in using SAML from the Prisma Access status page (Panorama > Cloud Services > Status > Status > Current Users), a Single Logout (SLO) request is not generated. As a result, the user is logged out of the gateway but is not logged out of the IdP, and if the client SAML cookie is still valid, the user can reconnect without having to input credentials.
CYR-15256
The Panorama that manages Prisma Access does not detect hit counts for rules.
CYR-15099
This issue is now resolved in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues.
When you create a traffic steering rule, Prisma Access does not auto-populate the Source User, Dynamic User Group, External Dynamic List (EDL), or custom URL category in the user interface.
Workaround: Open a CLI session with the Panorama that manages Prisma Access, enter configuration mode, and enter the set plugins cloud_services multi-tenant tenants tenant-name pbf rules traffic-steering-rule source [enabled | [action [forward | no-pbf]] | [category custom-url-category | [destination [DAG dag-name]] | [service [any | service-http | service-https | other-value]] | [source source-options] | [source-user source-user-name]] to have the shared objects available for selection.
CYR-15095
When using Panoramas with a version of 10.0 to manage Prisma Access, if you reference an EDL with a Type of Predefined URL List in a security policy rule, commits fail with an error indicating a disallowed keyword, invalid reference, or invalid category.
Workaround: Dereference the EDL in the security policy.
CYR-15091
Extra IPSec termination nodes are allocated to a compute location if you allocate bandwidth multiple times in a very short time interval.
CYR-15042
This issue is now resolved in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues.
Auto-population of users and user groups from a master device is not supported in multi-tenant mode.
CYR-14997
When you allocate Bandwidth to a compute location from the Onboarding section, that allocation is not reflected immediately in the Bandwidth Allocation tab until you manually refresh the page.
Workaround: Manually refresh the Panorama that manages Prisma Access.
CYR-14937
When you upgrade from the Cloud Services plugin 1.7 to 1.8 and then perform a commit operation, not all Prisma Access components are selected in the Push Scope.
Workaround: Select Commit > Commit and Push, Edit Selections in the Push Scope, and make sure that all Prisma Access components (Service Setup, Remote Networks, Mobile User, and Clean Pipe, depending on your license) are selected before committing and pushing your changes.
CYR-14902
If you allocate bandwidth when onboarding a remote network location and then reselect the same location or choose another location in the same compute location without clicking OK, the allocate bandwidth window redisplays.
Workaround: Click OK after allocating compute location bandwidth when onboarding a remote network location.
CYR-14984
When you change the name of a target service connection group for traffic steering, the updated target name does not display in the Traffic Steering Rules area.
Workaround: Refresh the Panorama browser.
CYR-14980
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
Workaround: Use an IKEv2 (Phase 1) cryptographic profile of SHA1 on your customer premises equipment and in Prisma Access.
CYR-14876
This issue is now resolved in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues.
If you edit traffic steering rules or enable a default route over service connections after you migrate from single tenant to multi-tenant mode, the push scope for Prisma Access Device Groups is not populated.
Workaround: Select Commit > Commit and Push, Edit Selections in the Push Scope, and make sure that you select all device groups (Service Setup, Remote Networks, Mobile User, and Clean Pipe, depending on your license) before committing and pushing your changes.
CYR-14816
If a service connection loses both its active and backup connectivity, mobile users lose connectivity to users and resources connected to Remote Networks and Service Connections.
CYR-14754
If you have two Panorama appliances configured in high-availability mode, the passive Panorama will display an "out of sync" message during a commit and push operation.
Workaround: Open a command-line interface (CLI) session on both the passive and active Panorama and enter the following commands:
username@hostname> debugmd5sum_cache clear
username@hostname> configure
username@hostname# commit force
CYR-14728
Prisma Access bypasses Traffic Steering for rules with a service type of HTTP or HTTPS if you use an application override policy for TCP ports 80 and 443.
In addition, traffic steering does not work for URLs from URL categories referenced in the traffic forwarding rule if you have configured an application override policy for TCP ports 80 or 443.
CYR-14727
Mobile user route summarization is not supported in hot potato routing mode.
CYR-14693
When using hot potato routing, Mobile User route summarization may add extra latency for traffic between mobile users and headquarters or branch traffic.
CYR-14673
After you create a traffic steering rule with an IP address, IP address group, EDL, or custom URL category as a Shared object, make changes to any of those objects, and then commit and push your changes, only the Shared object displays in the Push Scope. The Prisma Access device groups are not displayed in the Push Scope.
Workaround: Select Commit > Commit and Push, Edit Selections in the Push Scope, and make sure that you select all device groups (Service Setup, Remote Networks, Mobile User, and Clean Pipe, depending on your license) before committing and pushing your changes.
CYR-14613
When adding or deleting URLs to a custom URL category, Prisma Access does not purge its cache, and the change does not immediately take effect.
Workaround: Perform one of the following actions:
  • Wait 24 hours for Prisma Access to automatically clear the cache, or manually clear the Panorama’s browser cache.
  • Remove the custom URL category, perform a commit and push operation, then re-add the custom URL category and perform another commit and push operation.
CYR-14603
To make sure that Prisma Access can distinguish between users if the same username is shared between users who authenticate locally and users who authenticate using LDAP, you should authenticate LDAP users in the format of domain/username and authenticate local users in the format of username (without the domain name).
CYR-14584
This issue is now resolved in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues.
UDP packets that Prisma Access receives between 1439 and 1500 bytes are dropped in some situations (for example, if NAT Traversal is enabled).
Workaround: Reduce the MTU size on your customer premises equipment to 1400 or below.
CYR-14383
When using an antivirus profile attached to a security policy rule, files are not being scanned during an FTP session.
CYR-14382
When using WildFire in remote network deployments, if you upgrade your Prisma Access dataplane to a version of 10.0.3 or later, you cannot retrieve the latest WildFire signatures in real-time. Prisma Access uses its default method of updating WildFire signatures every five minutes.
CYR-14278
This issue is now resolved in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues.
When you make changes to traffic steering forwarding rules, then commit and push your changes, your changes do not appear in the Push Scope.
Workaround: Modify the Push Scope by clicking Edit Selections, then selecting the device group or groups you changed (Service Setup, Remote Networks, Mobile Users, or all three).
CYR-14259
When you create a traffic forwarding rule for traffic steering, predefined URL categories might display as choices along with custom URL categories.
Workaround: Predefined URL categories are not supported; do not select them when configuring a traffic forwarding rule for traffic steering. Select custom URL categories instead.
CYR-14110
If Panorama access is disabled in an Admin Role Profile, you can still see the contents of the plugin, but the fields are read-only.
CYR-13823
When you upgrade the Cloud Services plugin to 1.7, Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
CYR-13822
Prisma Access prepends an asterisk to URLs in custom URL categories, which doubles the number of URLs entered in a custom URL category. Prisma Access supports a maximum of 300,000 URLs in URL category entries; if you use custom URLs for traffic steering and are close to this limit, the doubling of URLs might cause your deployment to exceed the limit of URLs.
CYR-13772
This issue is now resolved in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues.
External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
Workaround: Use IP-based EDLs only.
CYR-13751
If you used policy-based forwarding rules to forward internet-bound traffic to service connections in Prisma Access 1.6, Prisma Access makes the following additions to URLs in custom URL categories after you upgrade from 1.6 to 1.7:
  • A URL of example.com has a URL of *.example.com added
  • A URL of www.example.com has a URL of *.www.example.com added
  • A URL of fqdn.example.com has a URL of *.fqdn.example.com added
  • A URL of www.fqdn.example.com has a URL of *.www.fqdn.example.com added
If you already have added URLs with wildcards, Prisma Access might add URLs that duplicate existing URLs after the upgrade.
CYR-13702
When you select Panorama > Cloud Services > Status > Monitor > Cortex Data Lake, the Service Status area displays "No data to display", even though Cortex Data Lake is working normally.
Workaround: Select the Table view icon on the top right side of the page to view a tabular view of the statistics instead of the Gauge view.
CYR-13662
After you make configuration changes to an existing service connection or remote network connection (for example, changing the bandwidth, region, QoS, or BGP values), the job details in the Deployment Status page (Panorama > Cloud Services > Status > Status > Deployment Status > details) might display a value of TIMEOUT, even if the job completed successfully.
CYR-13652
This issue is now resolved in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues.
If you configure traffic steering (using PBF rules to forward internet-directed traffic using a service connection) in multi-tenancy mode, the Target Service Connections do not display in the policy-based forwarding rule.
Workaround: Refresh the browser, then recreate Target Service Connections for Traffic Forwarding and the PBF rule.
CYR-13612
Prisma Access does not support FTP data transfers in active mode.
CYR-13511
When Prisma Access performs a dataplane upgrade on a mobile user instance (an upgrade to a Prisma Access gateway or portal), any failed commits on the instance that were performed before the upgrade will not be applied to the upgraded instance.
CYR-13370
External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
Workaround: Use IP-based EDLs only.
CYR-13317
During a Prisma Access dataplane upgrade, BGP statistics may not be available for 30 minutes in the Network Details page. This unavailability has no impact on dataplane traffic.
CYR-13290
This issue is now resolved in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues.
If you are using URLs or URL categories as a match criteria in a policy-based forwarding rule for traffic steering, the initial packets (for example, a TCP handshake) intermittently do not match the rule for the users who connect to a matching URL for the first time.
CYR-13179
If you use Microsoft Edge or Firefox when using traffic steering, the browser does not forward traffic on its first attempt.
Workaround: Refresh the browser, then retry the operation.
CYR-12912
If, in a traffic steering deployment with multiple traffic forwarding rules, two URLs in two separate rules resolve to the same IP address, Prisma Access sends traffic to the first rule in the list and will not use the second traffic rule. Traffic steering evaluates multiple traffic forwarding rules in order from top to bottom.
CYR-12700
For a Prisma Access deployment with two Panoramas configured in high availability, you are able to request an upgrade to the GlobalProtect software version on the passive Panorama. Software upgrade requests are not applied if you request them on the passive Panorama.
Workaround: Do not request software upgrades on the passive Panorama; only request upgrades using the active Panorama.
CYR-12509
When using traffic steering, Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule.
CYR-12403
This issue is now resolved in plugin version 1.7.0. See Prisma Access 1.7.0 Addressed Issues.
When using service connections to forward internet-bound traffic, multiple traffic forwarding rules are not processed top to bottom.
CYR-12298
After selecting Accept Default Routes over Service Connections, or after configuring forwarding rules for traffic steering, and then committing your changes, the Prisma Access components do not display in the Push Scope.
Workaround: Select Commit > Commit and Push, Edit Selections in the Push Scope, select Prisma Access, select Mobile Users, and click OK. Alternatively, upgrade your Panorama to a minimum version of 9.0.11 for 9.0.x versions, 9.1.5 for 9.1.x versions, or 10.0.2 for 10.0.x versions.
CYR-12166
Prisma Access does not support a rule type of Intrazone if the source and destination zones are both Trust.
CYR-11752
This issue is now resolved in plugin version 1.6.0-h1. See Prisma Access 1.6.0-h1 Addressed Issues.
When you use a Panorama running PAN-OS 9.1 in multi-tenant mode and log in as a tenant-level user, you cannot add remote networks or configure mobile users.
Workaround: Log in as the admin user and perform the remote network or mobile user configuration.
CYR-11532
This issue is now resolved in plugin version 1.7.0. See Prisma Access 1.7.0 Addressed Issues.
If you use traffic forwarding rules with service connections and you have a traffic rule configured with the Source as a specific region and the URL includes a wild card, and the source address of the traffic does not match the rule, the URL specified in the rule cannot be reached.
Workaround: Configure the source address in the traffic rule as Any.
CYR-11504
This issue is now resolved in plugin version 1.7.0. See Prisma Access 1.7.0 Addressed Issues.
If you have configured a remote network for secure inbound access to a remote network site, do not configure a service connection to redirect mobile user and remote network internet traffic using policy-based forwarding (PBF) traffic forwarding rules; these two functionalities are not compatible.
CYR-11496
If you enable ECMP on a remote network, the values shown in the Statistics tab under Panorama > Cloud Services > Status > Monitor > Remote Networks for Ingress Peak Bandwidth (Mbps) are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.
CYR-11467
When you check the Cortex Data Lake Status at Panorama > Cloud Services > Status > Status > Cortex Data Lake, the statistics displayed there might not display accurate storage and retention information.
Workaround: Go to the hub and select Cortex Data Lake to see the most up-to-date information.
CYR-11414
When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.
Workaround: Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.
CYR-11201
Some files are being skipped for DLP scanning when using OneDrive to upload multiple files.
CYR-11087
When using DLP on Prisma Access, you can upload up to 25 files at a time.
CYR-11019
When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.
Workaround: Log out, then log back in to Panorama.
CYR-10909
If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click X to stop the download of those files.
CYR-10789
This issue is now resolved in plugin version 1.7.0. See Prisma Access 1.7.0 Addressed Issues.
Traffic statistics for remote networks might exceed the configured bandwidth; for example, a remote network configured for 300 Mbps might show an ingress or egress peak bandwidth that is higher than 300 Mbps.
Workaround: No workaround is required. Because Prisma Access measures the peak bandwidth values using a short time interval, the peak bandwidth might occasionally exceed the configured remote network values.
CYR-10623
When you check the status in a multi-tenant deployment by selecting Panorama > Cloud Services > Status, the information in the All Tenants area displays twice.
CYR-10445
DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.
CYR-10387
If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
CYR-10053
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
CYR-10044
When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.
CYR-10043
When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.
Workaround: This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.
CYR-9613
When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the Data Filtering Profile area.
CYR-9502
This issue is now resolved in plugin version 1.5.1. See Prisma Access 1.5.1 Addressed Issues.
When the bandwidth for a remote network was changed, a new Service IP Address was created for the remote network, instead of retaining its existing Service IP Address. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
Workaround: After you change the bandwidth of a remote network connection, run the API script to retrieve the new Service IP Address.
CYR-9455
In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches, but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however it no longer checks the OS type in these agent configs, and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria, but a non-matching OS type.
CYR-9348
When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:
  • A user connected to a Prisma Access location (gateway) who attempts to access an internal resource.
  • A user protected by a remote network who attempts to access a resource from another remote network.
CYR-9213
When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.
CYR-9183
When setting up the GlobalProtect gateway connection settings (Network > GlobalProtect > Gateways > Agent > Connection Settings) and specifying a Netmask to Restrict Authentication Cookie Usage, the commit fails if only a Source IPv4 Netmask is specified.
Workaround: Specify a Source IPv6 Netmask of 0, which disables the option for the specified IP address type.
CYR-9079
This issue is now resolved in plugin version 1.6.0. See Prisma Access 1.6.0 Addressed Issues.
Certificate profiles do not display in the HIP Objects' certificate profile (Objects > GlobalProtect > HIP Objects > <hip-object-name> > Certificate > Certificate Profile) if the HIP object is Shared (that is, not under a specific device group).
CYR-9061
If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.
CYR-9007
When you upload multiple files, and one file exceeds the maximum latency or maximum file size setting, any remaining files in the upload queue will not be scanned.
Workaround: Re-attempt the multiple file upload operation without the file that exceeded the maximum file size or latency setting.
CYR-9003
Reverse DNS queries do not work in Prisma Access.
Workaround: Because type A and AAAA queries for internal domains work, you can specify *.in-addr.arpa in a query so that Prisma Access sends all reverse DNS queries to internal DNS servers.
CYR-8787
When you Commit and Push changes to the Prisma Access security infrastructure, the Push Scope does not display the device group or template that was changed.
Workaround: Select Commit > Commit and Push, and under Push Scope, select Edit Selections > Prisma Access and select the Mobile Users, Remote Networks, or Service Setup device group or template to which you want to commit changes.
CYR-8245
When you onboard a mobile user location, you cannot see or select all locations in a region if you are using Panorama with a Firefox browser version earlier than 65.
Workaround: Use Firefox version 65 or later, or a different browser (for example, Chrome).
CYR-8244
When performing a Commit and Push operation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.
Workaround: Select Panorama > Licenses, then select Retrieve license keys from license server to retrieve the Clean Pipe licenses again.
CYR-8238
This issue is now resolved in plugin version 1.5. See Prisma Access 1.5.0 Addressed Issues.
The RIB In and RIB Out tabs under Panorama > Cloud Services > Status > Network Details > Service Connection > Show BGP Status and Panorama > Cloud Services > Status > Network Details > Remote Networks > Show BGP Status are displaying null pages.
CYR-8017
If you add an existing template under one of the template stacks of Prisma Access (for example, Service_Conn_Template_Stack, Mobile_User_Template_Stack, or Remote_Network_Template_Stack), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.
Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.
CYR-7907
In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.
When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.
Workaround: Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.
CYR-7900
The Traffic Forwarding feature (Panorama > Cloud Services > Configuration > Service Setup > Settings > Traffic Forwarding) is not supported with multi-tenant deployments.
CYR-7814
This issue is now resolved in plugin version 1.6.0. See Prisma Access 1.6.0 Addressed Issues.
Secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.
CYR-7702
When you log out a Prisma Access mobile user from the Current Users window, the user still displays in the window after the logout operation.
Workaround: Close and then reopen the Current Users window to show the correct user status.
CYR-7440
If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.
CYR-7332
When you try to configure an Infrastructure Subnet (Panorama > Cloud Services > Configuration > Service Setup > Settings) in multi-tenant mode, you can receive an Operation Failed message.
Workaround: Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.
CYR-7128
When you perform a Commit All operation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access is displaying failures for portals under gateway status, and is displaying commit failures for gateways under portal status.
Workaround: Enter the debug plugins cloud_services prisma-access get-job-result jobid commit-job-id-number command, where commit-job-id-number is the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.
CYR-6384
Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.
Workaround: Select Panorama > Cloud Services > Configuration > Service Setup (for service connections) or Panorama > Cloud Services > Configuration > Remote Networks (for remote network connections), click the gear icon in the Settings area to open the Settings, then click OK.
CYR-6369
When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.
Workaround: Disable access to the Panorama tab in the Admin Role Profile.
CYR-6108
When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.
Workaround: Change the default security rule to any service or service-http and service-https.
CYR-6107
When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.
CYR-6080
You cannot reset the rule hit count for all Authentication and Application Override policies.
Workaround: Reset rules using a list of rules or a rule name for Authentication and Application Override policies.
CYR-6013
When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.
CYR-5888
When using the multi-tenant feature and creating template stacks and templates for a tenant, the Description of the template stacks and templates does not display in the Panorama > Templates page.
CYR-5867
After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.
Workaround: Do not downgrade the Cloud Services plugin after you have upgraded it.
CYR-5842
When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.
Workaround: When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.
CYR-5690
When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of your changes for the plugin (Commit > Commit to Panorama) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.
CYR-5563
When using the multi-tenancy feature, users who manage single tenants cannot see the system logs. The Monitor > Logs > System choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.
CYR-5561
When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
CYR-5476
When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must use the Panorama user interface (UI).
CYR-5159
If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.
Workaround: To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.
CYR-5139
In an environment with on-premise firewalls on each side of Prisma Access and the remote network connections to which the on-premise firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.
CYR-5098
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
CYR-5062
When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out-of-synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service shows a Config Status of Out of Sync.
Workaround: Perform a Commit and Push operation on the Panorama.
CYR-4010
The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer, and the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.
CYR-3968
This issue is now resolved in plugin version 1.6.0. See Prisma Access 1.6.0 Addressed Issues.
Remote Network statistics (Panorama > Cloud Services > Status > Remote Networks > Status and Panorama > Cloud Services > Status > Remote Networks > Statistics) can take up to 1 minute to display after a traffic event occurs.
CYR-3952
After you generate a new API key by selecting Panorama > Cloud Services > Configuration > Service Setup > Generate new API Key, the previous API key is still valid for a period of time (up to five minutes). You use this API to retrieve the list of IP addresses for your Prisma Access firewalls.
CYR-3645
To use tunnel monitoring with BGP, the IP address that you are monitoring on the Prisma Access firewall must be part of a static subnet configured on a remote network location. The IP address cannot be a BGP exported subnet.
CYR-3638
For service and remote network connections that have BGP enabled, Prisma Access ignores any route it receives from a neighbor with an AS number in its AS_PATH list that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).
CYR-3544
The default priority of the cloud gateways in Prisma Access is set to None instead of Highest.
CYR-3469
If you have configured a Notification URL, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.
CYR-3385
When you configure the same AS number for the service connection and remote network location(s), the routes are not imported into the firewall on the remote network location.
CYR-3330
Mobile users cannot connect to remote network locations without a service connection.
CYR-3114
If your commit fails when you onboard Prisma Access components for the first time, the Task Manager does not always describe the cause of the failure.
Workaround: To find the errors, select Panorama > Cloud Services > Status > Monitor and click the Status tab. Invalid configurations are indicated with a red bubble in the Config Status column and an error of Validation Error.
CYR-3034
When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.
CYR-2648
The Panorama > Cloud Services > Configuration page is grayed out when Panorama is not in sync with NTP.
Workaround: Make sure to synchronize time with NTP (Panorama > Setup > Services > NTP).
CYR-2633
You cannot change the region associated with multiple remote network locations in a single commit push to Prisma Access.
Workaround: If you need to change the region on more than one remote network location, change them one at a time and complete the commit push before changing the region on the next remote network.
CYR-2578
Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.
Workaround: Deselect the Enable HA check box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.
CYR-2028
The Device > Setup > Management page is not available on the Panorama appliance running the Prisma Access plugin. You cannot configure NT LAN Manager (NTLM).
CYR-1836
You cannot enforce MFA when users at one of your corporate HQ locations attempt to access a resource at a remote network location.
CYR-1646
Although Panorama allows you to delete the Mobile_User_Template that was created when Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.
CYR-1189
When you onboard a new service connection or a remote network, the count for service connection and total remote peers displayed on Panorama > Cloud Services > Status > Status is inaccurate until the provisioning is complete.
CYR-1120
On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.
CYR-950
This issue is now resolved in plugin version 1.5.0. See Prisma Access 1.5.0 Addressed Issues.
You cannot view detailed HIP reports from Monitor > Logs > HIP Match.
CYR-575
You cannot configure the Prisma Access gateway as an internal gateway.
