Prisma Access Addressed Issues

The following topics describe the issues that have been addressed in each Prisma Access release:

Prisma Access 1.6.0-h1 Addressed Issues

Issue ID
Description
CYR-11902
Fixed an issue where, when using the Directory Sync service with Prisma Access with groups that used special characters, commit operations failed.
CYR-11840
Fixed an issue where user names with special characters were not processed correctly.
CYR-11822
Fixed an issue where, in a multi-tenant deployment, hot potato routing-related configuration did not become enabled for a tenant.
CYR-11760
Fixed an intermittent issue where logs were delayed or missing when querying for logs by applying filters. To leverage this fix, you must upgrade your minimum Panorama version to 9.0.9 as well as upgrade the Cloud Services plugin to 1.6.0-h1.
CYR-11752
Fixed an issue where, when using a Panorama running PAN-OS 9.1 in multi-tenant mode and logging in as a tenant-level user, you could not add remote networks or configure mobile users.

Prisma Access 1.6.0 Addressed Issues

Issue ID
Description
CYR-11159
Fixed an issue where a SIP Message is not parsed correctly when a packet is received in separate segments, which caused the receiver to receive a corrupted message.
CYR-11037
Fixed an issue where multiple GlobalProtect portals in Prisma Access were not being selected in the correct order (GlobalProtect was caching the previous profile that was used).
CYR-10838
Fixed an issue on firewalls where a process (userid) restarted while processing incorrect IP address-to-username mappings that contained blank usernames from User-ID agents.
CYR-10836
Fixed an issue where, after enabling a Cortex Data Lake license, the management plane memory utilization would increase unexpectedly when some connections between the firewall and Customer Support Portal server were blocked, leading to multiple process restarts due to an out-of-memory (OOM) condition.
CYR-10835
Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error, even if the firewall had the same certificate on IdP.
CYR-10734
Fixed an issue where a Commit and Push operation from Panorama failed in passive firewalls when pushing a large number of new Security policy rules to both firewalls in a high availability (HA) pair.
CYR-10728
Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to a buffer allocation failure. Some connections failed with a "proxy decrypt failure" message.
CYR-10655
Fixed an issue where a Commit operation failed because of memory and deadlock issues in the Prisma Access infrastructure.
CYR-10569
Fixed an issue where an administrator could not create a large number of additional remote network tunnels in a multi-tenant configuration.
CYR-10444
Fixed an issue where, when using DLP on Prisma Access, you can configure a security policy in a non-Prisma Access device group; however, if you are using the same parent device group for on-premise firewalls and Prisma Access firewalls, committing your changes will fail, because the on-premise firewalls do not have references to the data filtering profile in the Prisma Access device group.
CYR-10319
Fixed an issue where Prisma Access could not display the Verify Account window to enter the one-time password (OTP) for account verification.
CYR-10303
Fixed an issue on the firewalls where the dataplane restarted unexpectedly when processing HTTP/2 traffic if packet-diag debugs were enabled. This fix is available in PAN-OS releases 9.0.6 and later and 9.1.0 and later.
CYR-10239
Fixed an issue where logs for the Clean Pipe service were not being forwarded to Cortex Data Lake.
CYR-9751
Fixed an issue where, after installing the plugin but before the account has been verified with a one-time password (OTP), Panorama could not retrieve the logs from Cortex Data Lake.
CYR-9698
Fixed an issue where users were experiencing connection failures to the India West Prisma Access location.
CYR-9638
Fixed an issue where WildFire logs were not displaying in Cortex Data Lake because a new enum was added in the subtype of threat logs for next-generation firewalls, which changed the integer value of the subtype.
CYR-9540
Fixed an issue where the Detailed Log View of DLP data filtering logs from one location could not be viewed if the Panorama running Prisma Access was in another location.
CYR-9079
Fixed an issue where certificate profiles do not display in the HIP Objects' certificate profile (Objects > GlobalProtect > HIP Objects > <hip-object-name> > Certificate > Certificate Profile) if the HIP object is Shared (that is, not under a specific device group).
CYR-7814
Fixed an issue where secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.

Prisma Access 1.5.1 Addressed Issues

Issue ID
Description
CYR-9826
Fixed an issue where some applications, URLs, and threats could not be properly identified.
CYR-9626
Fixed an issue where onboarding a Clean Pipe instance failed with the message "Fail to load completions for regions from cloud service".
CYR-9502
Fixed an issue where, when the bandwidth for a remote network was changed, a new Service IP address was created for the remote network, instead of retaining its existing service IP address. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
CYR-9394
Fixed an issue where, when mobile users were using the Clientless VPN application, they were not being directed to the company-specific domain name and instead were being redirected to the Prisma Access-specific domain companyname.gpcloudservice.com. In addition, when using Microsoft SAML, users were being redirected to https://companyname.gpcloudservice.com:443/SAML20/SP.

Prisma Access 1.5.0 Addressed Issues

Issue ID
Description
CYR-9179
Fixed an issue where searches did not work in Route Information Base (RIB) queries.
CYR-8945
Fixed an issue where mobile users in the Costa Rica location were getting the Canada East location as an alternative gateway, although other gateways had a better latency.
CYR-8836
Fixed an issue where mobile users were experiencing intermittent timeouts when authenticating.
CYR-8712
Fixed an issue where SAML authentication failed with a "Failure while validating the signature of SAML" message, even though the certificates on IDP and firewall side are identical.
CYR-8467
Fixed an issue where a commit and push operation did not get distributed to the entire Prisma Access infrastructure.
CYR-8461
Fixed an issue where Prisma Access was sending logs that indicated that NTP was having synchronization issues.
CYR-8447
Fixed an issue where Public ASN numbers were not allowed when onboarding a Clean Pipe.
CYR-8408
Fixed an issue where the Clean Pipe Pairing Key was incorrectly spelled in the Cloud Services plugin user interface.
CYR-8382
Fixed an issue where, when the Manual option was checked in the Portal config, and Manual Gateway Locations were selected during mobile user onboarding, a push attempt failed with a "manual constraints failed" error message.
CYR-8381
Fixed an issue where users could not reach the internet after Overlapped Subnets was enabled for two remote network connections.
CYR-8238
Fixed an issue where the Local RIB and RIB Out tabs under Panorama > Cloud Services > Status > Network Details > Service Connection > Show BGP Status and Panorama > Cloud Services > Status > Network Details > Remote Networks > Show BGP Status are displaying null pages.
CYR-8224
Fixed an issue where a large number of login and timeout events were being experienced from the Prisma Access gateway.
CYR-6271
Fixed an issue where a connection from the GlobalProtect app to the Prisma Access portal was timing out with a "Portal Not Found" error.
CYR-5388
Fixed an issue where a service connection was showing a status of Down even though the IPSec tunnel was up.
CYR-950
Fixed an issue where you could not view detailed information on HIP Match logs on Monitor > Logs > HIP Match.

Prisma Access 1.4.0-h2 Addressed Issues

Issue ID
Description
CYR-8447
Fixed an issue where Public ASN numbers were not allowed when onboarding a Clean Pipe.
CYR-8408
Fixed an issue where the Clean Pipe Pairing Key was incorrectly spelled in the Cloud Services plugin user interface.
CYR-8350
Fixed an issue where customers with only a Mobile Users license could not enable multi-tenancy.
CYR-8251
Fixed an issue where a mobile users commit operation failed with an error of "hostname should end with .gpcloudservice.com".

Prisma Access 1.4 Addressed Issues

In addition to the following issues, GPC-8189 has been addressed, which affected GlobalProtect app users who select a manual gateway.
Issue ID
Description
CYR-7662
Fixed an issue where a Panorama appliance with the Cloud Services plugin installed (managing Prisma Access or Cortex Data Lake) failed to authorize one-time-password (OTP) submissions during the onboarding process.
CYR-6521
Fixed an issue where, when configuring multi-tenancy, the push scope is not automatically populated when changes are made to sub-tenant templates.
Workaround: Select Commit > Commit and Push and Edit Selections in the Push Scope. Then select Prisma Access and select the tenant and service for which you want to make the changes, then select Commit and Push.
CYR-6416
Fixed an issue where, after upgrading from the Cloud Services plugin 1.3.0 to 1.3.1, previously-onboarded Mobile User locations can become deselected in the Onboarding area (Panorama > Cloud Services > Configuration > Mobile Users > Configure > Locations). All locations are still active, functional, and visible in the Status area (Panorama > Cloud Services > Status > Monitor > Mobile Users).
Workaround: This is a rare occurrence. If your deployment experiences this issue, select Panorama > Cloud Services > Configuration > Mobile Users > Configure, click the Locations tab, re-select the gateways you previously onboarded, then Save and Commit your changes.
CYR-6332
Fixed an issue where logged-in Clientless VPN users are not listed in the Mobile Users Status page (Panorama > Cloud Services > Status > Status > Mobile Users).
CYR-6051
Fixed an issue where, when configuring multi-tenancy, when you delete a tenant, the system also deleted the templates and template stacks associated with the tenant. This can cause issues with on-premise firewalls or other devices that also use these templates.
Workaround: Create unique template stacks and templates for each tenant, and do not share them with any other devices.
CYR-5984
Fixed an issue where, when using the multi-tenant feature and logging in to a single tenant as a tenant-specific administrative user, the screen became blank and you cannot view the tenant information.
Workaround: Select Panorama > Cloud Services > Status or Panorama > Cloud Services > Configuration and click the Refresh button (on the top right next to the Help button). It can take up to 10 seconds for the screen to display the tenant's configuration.

Prisma Access 1.3.1-h5 Addressed Issues

Issue ID
Description
CYR-6834
Fixed an issue where, when you upgraded the Cloud Services plugin and accessed the Panorama > Cloud Services > Configuration > Mobile Users page, you received an error that the portal hostname was invalid.

Prisma Access 1.3.1-h4 Addressed Issues

Issue ID
Description
CYR-6897
Fixed an issue where, when onboarding a remote network connection that was within the licensed bandwidth allocation, a message displayed indicating that there wasn't enough licensed bandwidth.

Prisma Access 1.3.1-h3 Addressed Issues

Issue ID
Description
CYR-6608
Fixed an issue where account verification failed when proxy servers are used with the Panorama appliance and the DNS servers are internal only.
CYR-6606
Fixed an issue where you could not see the QoS Profile choice in Panorama, in Network > Network Profiles > QoS Profile. You should see this choice in the Service_Conn_Template and the Remote_Network_Template, but not in the Mobile_Users_Template.
CYR-6557
Fixed an issue where, after upgrading to 1.3.1, commits failed with an error indicating that mobile user regions were not set.

Prisma Access 1.3.1 Addressed Issues

Issue ID
Description
CYR-6131
Fixed an issue where the Online Help pages in the multi-tenancy area did not display the information for multi-tenancy in the topic that displays.
CYR-6105
Fixed an issue where a remote network could not be onboarded; clicking OK did not close the configuration window.
CYR-6006
Fixed an issue where an infrastructure subnet could not be specified on M-600 devices.
CYR-5793
Fixed an issue where, when you viewed mobile user information in the Panorama > Cloud Services > Status > Status area, users who are logged into multiple devices using the same gateway appeared in the list of logged-in users and previously logged-in users only once. The list correctly displayed the multiple device information if users were logged into multiple devices using different gateways.
CYR-5720
Fixed an issue where, when assigning IP address pools, if the total number of IP addresses for all regions equals 4,096, you receive a popup window that you need to configure a minimum of 4,096 addresses, even though you have configured the minimum.
CYR-5304
Fixed an issue where the addition of a new device group (Service_Conn_Device_Group) could cause commit-related errors.
CYR-4891
Fixed an issue where notifications for loopback IP (loopback_ip) addresses were not being sent when the loopback IP address changes.

Prisma Access 1.3.0-h6 Addressed Issues

Issue ID
Description
CYR-6267
Fixed an issue where the Cloud Services plugin displayed a blank screen after the Panorama virtual appliance was upgraded to 8.1.6.

Prisma Access 1.3.0 Addressed Issues

Issue ID
Description
CYR-5382
Fixed an issue where, after you upgrade the Panorama on which your Prisma Access plugin resides, you needed to Commit and Push your Prisma Access configuration. To do so, click Commit > Commit to Panorama and click Commit > Commit and Push. Then, click Edit Selections > Prisma Access, and select Prisma Access for remote networks, Prisma Access for mobile users, and Prisma Access for service setup. Then click OK and Push.
CYR-5360
Fixed an issue where policy rule hit counts for security policies that were renamed or deleted were appearing when using CLI commands.
CYR-5243
Fixed an issue where mobile users could not manually connect to a Prisma Access gateway because of a DNS resolution error.
CYR-5186
Fixed an issue where mobile users could not connect to a Prisma Access gateway because a DNS lookup resolved to multiple IP addresses.
CYR-5153
Fixed an issue where, if you had enabled BGP on your service connections or remote networks, when you viewed the Show BGP status table (available from Panorama > Cloud Services > Status > Network Details > Service Connection and Panorama > Cloud Services > Status > Network Details > Remote Networks), only the first 256 entries were shown in the RIB-In tab.
CYR-5089
Fixed an issue where downgrading the Panorama appliance from PAN-OS release 8.1 to 8.0 could cause the Prisma Access configuration to lose synchronization.
CYR-4980
Fixed an issue where, when using multi-tenancy, you could not create users with the ability to configure and manage a single tenant.
CYR-4876
Fixed an issue where threat packet captures could not be downloaded from the Cortex Data Lake. You must upgrade your Panorama to PAN-OS 8.1.6 to fix this issue.
CYR-4697
Fixed an issue where Network Address Translation-Traversal (NAT-T) was disabled by default. Enabling NAT-T allows customers to connect devices behind NAT to service connections and remote networks without having to enable NAT-T. If you use an Encapsulated Security Protocol (ESP) instead of UDP port 4500 and your peer is not behind NAT, you should disable NAT-T.
CYR-3344
Fixed an issue where, in Panorama, selecting Network > GlobalProtect > Portals > GlobalProtect-portal-config > Agent > agent-config > App and changing Allow User to Disable GlobalProtect App from Allow to Allow with Ticket did not display an 8-character hexadecimal ticket request number.
CYR-2437
Fixed an issue where, if you configured Panorama to use a proxy server (Panorama > Setup > Services > Proxy server), all traffic to the Prisma Access and the Cortex Data Lake would bypass the proxy server.

Prisma Access 1.2.0-h2 Addressed Issues

Issue ID
Description
CYR-5074
Fixed an issue where, after upgrading to Prisma Access version 1.2 from a Panorama appliance running release 8.0, remote network and BGP information is missing from the Panorama > Cloud Services > Status > Network Details > Remote Networks area. In addition, BGP information is missing from the Panorama > Cloud Services > Status > Network Details > Service Connection area.

Prisma Access 1.2.0 Addressed Issues

Issue ID
Description
CYR-4695
Fixed an issue where insufficient internal DNS domains were available in the Prisma Access mobile users configuration. The maximum number of DNS domain entries is now 1,024.
CYR-4542
Fixed an issue where mobile users were being routed to a Prisma Access gateway in a region that was farther from their location than other gateways.
CYR-4495
Fixed an issue where the Cortex Data Lake license was displaying a different region than the region for which it had been registered.
CYR-4261
Fixed an issue where a valid commit operation failed with the reason "ssl-tls-service-profile 'SSL_FOR_GPaaS_Cert' is not a valid reference".
CYR-4250
Fixed an issue where a DNS CNAME to another DNS name was not resolving to an IP address.
CYR-4246
Fixed a reporting issue where the peak bandwidth time was not displaying when you hover over the Ingress Peak Bandwidth (Mbps) and Egress Peak Bandwidth (Mbps) fields in Panorama > Cloud Services > Status > Remote Networks > Statistics.
CYR-4188
Fixed an upgrade issue where a commit failed with the error "Validation Failure - plugins > cloud_services > logging-service not expected here".
CYR-4122
Fixed an issue where the status and usage statistics displayed on Panorama > Cloud Services > Status > Monitor were reset for Peak Ingress Egress Throughput, Peak Egress Throughput, Peak Ingress Egress Throughput Timestamp, and Peak Egress Throughput Timestamp. This reset occurred after a maintenance window for Prisma Access or on an HA failover of the remote network firewalls in the cloud infrastructure.
CYR-4082
Fixed an issue where the Show BGP Status link on Panorama > Cloud Services > Status > Network Details did not always display BGP status information.
Workaround: Refresh the BGP status window to fetch the information.
CYR-4047
Fixed a commit synchronization issue where a commit operation was not synchronized correctly with other commit operations.
CYR-4013
Fixed a consistent naming issue so that parameters in the command to retrieve the Public IP (Egress IP) and Loopback IP addresses are more descriptive. In the $fwType area, gpcs_gw is changed to gpcs_gp_gw, gpcs_pt is changed to gpcs_gp_portal, and remote_network is changed to gpcs_remote_network. In the $addrtype area, egressip is changed to public_ip and loopbackip is changed to loopback_ip.
CYR-3667
Fixed a statistics display issue where all records in the Panorama > Cloud Services > Status > Remote Networks > Statistics area were not being displayed.
CYR-3397
Fixed an update issue where Apple device and iOS updates could not be downloaded from the internet.
CYR-2876
Fixed an issue where only subnets greater than or equal to /19 could be specified for the IP address pool for mobile users. Now, you can specify a minimum of a /20 subnet (minimum of 4,096 available IP addresses) in different regions or globally.
CYR-2657
Fixed an issue where the plugin was unable to get the default GlobalProtect Portal domain. A fix has been added to renew the Cortex Data Lake certificate automatically. Previously, the error message "The plugin is unable to get the default GlobalProtect Portal domain" displayed. This issue could have occurred when you completed the one-time password (OTP) account verification process when only the Cortex Data Lake license was activated in Panorama, and then activated the Prisma Access licenses for remote networks or mobile users.
Workaround: To fix this issue, redo the OTP verification by navigating to Panorama, selecting Panorama > Cloud Services > Configuration, and clicking Verify.

Prisma Access 1.1.0 Addressed Issues

Issue ID
Description
CYR-3508
Fixed a bulk import issue that occurred when you exported your existing remote network configuration with dynamic IP addresses for both the Primary Peer and the Secondary Peer, and then imported that configuration back in to Panorama.
CYR-3314
You can now authenticate mobile users to GlobalProtect gateways in the cloud using SAML authentication.
CYR-3036
Fixed a license validation error that prevented you from allocating more bandwidth to a remote network that you had already onboarded.
CYR-3013
Fixed a display issue with duplicate entries on Panorama > Cloud Services > Status > Monitor for cloud firewalls in each region where you had onboarded remote networks.
CYR-2924
The logs on Panorama display the message: "Unableto connect to API gateway". You can ignore this message because the firewalls can successfully communicate with Cortex Data Lake.
CYR-2888
Fixed an issue where, for IPSec tunnels configured with Proxy IDs, Panorama does not display the IPSec tunnel status accurately even though the tunnel is up.
Workaround: Remove the Proxy ID configuration for the IPSec tunnel.
CYR-2662
Fixed a display issue that occurred when you reinstalled the cloud services plugin and loaded a previously saved Prisma Access configuration snapshot.
CYR-2199
The certificate warning no longer displays when an Android device connects to the GlobalProtect portal that uses the default domain.
CYR-445
The Prisma Access firewalls can now ingest User-ID mappings using the User-ID Syslog listener.
