Known Issues

Here are the known issues we’re working on for Cloud Managed Prisma Access, where you’re using the Prisma Access app as your management interface.
If you’re using Panorama to manage Prisma Access, refer to these Panorama Managed Prisma Access release notes instead.

Logging Issue

Logging to the Cortex Data Lake is not enabled by default. Prisma Access does not generate traffic logs without Cortex Data Lake logging turned on, and the Explore section of the app shows as empty.
To turn on Cortex Data Lake logging:
  1. Select
    Internet Access
    and add or update a policy rule.
  2. Select
    and enable
    Log Forwarding
    Logging Service
    (Cortex Data Lake was previously called the Logging Service).


The SAML IdP profile that you use to set up mobile user authentication (
Mobile Users
User Authentication
must have a different name than the SAML IdP profile that you use to set up clientless VPN (
Mobile Users
Clientless VPN
). You’ll see an error when you perform a commit if the user authentication and clientless VPN configurations both reference the same SAML IdP profile.
Give SAML IdP profiles unique names when referenced in different configurations. It's okay if the SAML IdP profiles contain the same information, as long as the name is unique.


Sometimes a
Commit and Push
for service type configuration (Mobile Users, Remote Networks, or Service Connections) can cause the dashboard status for a different service type to show as out of sync.
Push the latest configuration changes for the service type that's out of sync.


Clientless VPN zones are not yet supported to be used in policy.


Clientless VPN doesn’t work when the User Authentication Method for Mobile Users is set to
Temporary test users
Mobile Users
User Authentication
). You can use the
Temporary test users
setting as an authentication method during onboarding, but Prisma Access won’t prompt you to update this setting later.
When setting up your Mobile Users configuration, if your Clientless VPN Authentication Method is set to
Use existing SAML configuration
, double-check that your User Authentication Method is configured to use SAML (
Mobile Users
User Authentication
Authentication Method


After your first configuration commit, the Prisma Access dashboard might take a few minutes to refresh and display updated status.


The Remote Networks widget on the Prisma Access dashboard sometimes does not display bandwidth details for branch locations.


When setting up IPSec Peer Authentication for a remote network, you can choose to use a dynamic IP address on your branch IPSec device as the IPSec tunnel endpoint. If you use a dynamic IP address, you must set the Branch Access IKE ID or the Prisma Access IKE ID to enable the IPSec peers to authenticate. Right now, the Prisma Access app interface doesn't show the IKE ID fields as mandatory fields, but you must choose one of the two options to successfully set up your configuration.


When setting up your Mobile Users configuration, an error might display with the description "Failed to process management request". This might indicate incomplete configuration settings.
Refresh your browser, or in the
settings dropdown,
your configuration.


Errors that occur the first time you onboard a location, might not be displayed in the Prisma Access
history (within
To check if there’s been an error onboarding a new location, go the
and expand the widget for the corresponding service (Mobile Users, Remote Networks, or Service Connections). If there’s been an error, Config Status will have a link to the Validation Error, and you can click on that link to learn more.

Recommended For You