Known Issues

Here are the known issues we’re working on for Cloud Managed Prisma Access, where you’re using the Prisma Access app as your management interface.
If you’re using Panorama to manage Prisma Access, refer to these Panorama Managed Prisma Access release notes instead.

Logging Issue

Logging to the Cortex Data Lake is not enabled by default. Prisma Access does not generate traffic logs without Cortex Data Lake logging turned on, and the Explore section of the app shows as empty.
To turn on Cortex Data Lake logging:
  1. Select Policies > Internet Access and add or update a policy rule.
  2. Select Actions and enable Log Forwarding to Logging Service (Cortex Data Lake was previously called the Logging Service).

ADI-2551

The SAML IdP profile that you use to set up mobile user authentication (Configure > Mobile Users > User Authentication) must have a different name than the SAML IdP profile that you use to set up clientless VPN (Configure > Mobile Users > Clientless VPN). You’ll see an error when you perform a commit if the user authentication and clientless VPN configurations both reference the same SAML IdP profile.
Workaround: Give SAML IdP profiles unique names when referenced in different configurations. It's okay if the SAML IdP profiles contain the same information, as long as the name is unique.

ADI-2389

Sometimes a Commit and Push for a service type configuration (Mobile Users, Remote Networks, or Service Connections) can cause the dashboard status for a different service type to show as out of sync.
Workaround: Push the latest configuration changes for the service type that's out of sync.

ADI-2326

Clientless VPN zones are not yet supported for use in policy.

ADI-2297

Clientless VPN doesn’t work when the User Authentication Method for Mobile Users is set to Temporary test users (Configure > Mobile Users > Configure > User Authentication). You can use the Temporary test users setting as an authentication method during onboarding, but Prisma Access won’t prompt you to update this setting later.
Workaround: When setting up your Mobile Users configuration, if your Clientless VPN Authentication Method is set to Use existing SAML configuration, double-check that your User Authentication Method is configured to use SAML (Configure > Mobile Users > User Authentication > Authentication Method).

ADI-2277

After your first configuration commit, the Prisma Access dashboard might take a few minutes to refresh and display updated status.

ADI-2224

The Remote Networks widget on the Prisma Access dashboard sometimes does not display bandwidth details for branch locations.

ADI-2009

When setting up IPSec Peer Authentication for a remote network, you can choose to use a dynamic IP address on your branch IPSec device as the IPSec tunnel endpoint. If you use a dynamic IP address, you must set the Branch Access IKE ID or the Prisma Access IKE ID to enable the IPSec peers to authenticate. Right now, the Prisma Access app interface doesn't show the IKE ID fields as mandatory fields, but you must choose one of the two options to successfully set up your configuration.

ADI-1763

When setting up your Mobile Users configuration, an error might display with the description "Failed to process management request". This might indicate incomplete configuration settings.
Workaround: Refresh your browser, or in the Commit settings dropdown, Revert your configuration.

ADI-1446

Errors that occur the first time you onboard a location might not be displayed in the Prisma Access Jobs history (within Commit settings).
Workaround: To check if there’s been an error onboarding a new location, go to the Dashboard and expand the widget for the corresponding service (Mobile Users, Remote Networks, or Service Connections). If there’s been an error, Config Status will have a link to the Validation Error, and you can click on that link to learn more.
