Prisma Access Known Issues

Prisma Access has the following known issues.
Issue ID
Description
CYR-11902
This issue is now resolved in plugin version 1.6.0-h1. See Prisma Access 1.6.0-h1 Addressed Issues.
When using the Directory Sync service with Prisma Access and performing a Commit operation, the operation does not complete.
Workaround:
Make sure that the groups you use with Directory Sync do not have any of the following special characters:
  • " (Double quotes)
  • ' (Apostrophe)
  • < (less than sign)
  • > (greater than sign)
  • & (ampersand)
CYR-11752
This issue is now resolved in plugin version 1.6.0-h1. See Prisma Access 1.6.0-h1 Addressed Issues.
When using a Panorama running PAN-OS 9.1 in multi-tenant mode and log in as a tenant-level user, you cannot add remote networks or configure mobile users.
Workaround:
Log in as the admin user and perform the remote network or mobile user configuration.
CYR-11532
If you use traffic forwarding rules with service connections and you have a traffic rule configured with the
Source
as a specific region and the
URL
includes a wild card, and the source address of the traffic does not match the rule, the URL specified in the rule cannot be reached.
Workaround:
Configure the source address in the traffic rule as Any.
CYR-11504
If you have configured a remote network for secure inbound access to a remote network site, do not configure a service connection to redirect mobile user and remote network internet traffic using policy-based forwarding (PBF) traffic forwarding rules; these two functionalities are not compatible.
CYR-11467
When you check the Cortex Data Lake Status at
Panorama
Cloud Services
Status
Status
Cortex Data Lake
, the statistics displayed there might not display accurate storage and retention information.
Workaround:
Go to the hub and select
Cortex Data Lake
to see the most up-to-date information.
CYR-11496
If you enable ECMP on a remote network, the values shown in the Statistics tab under
Panorama
Cloud Services
Status
Monitor
Remote Networks
for
Ingress Peak Bandwidth (Mbps)
are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.
CYR-11414
When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.
Workaround:
Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.
CYR-11201
Some files are being skipped for DLP scanning when using OneDrive to upload multiple files.
CYR-11087
When using DLP on Prisma Access, you can upload up to 25 files at a time.
CYR-11019
When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.
Workaround:
Log out, then log back in to Panorama.
CYR-10909
If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click
X
to stop the download of those files.
CYR-10623
When you check the status in a multi-tenant deployment by selecting
Panorama
Cloud Services
Status
, the information in the
All Tenants
area displays twice.
CYR-10445
DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.
CYR-10387
If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
CYR-10053
If you change the master key in Panorama (in
Device
Master Key and Diagnostics
), the master key for Cloud Services is not synchronized with this master key.
Workaround:
Select
Panorama
Cloud Services
Configuration
Service Setup
Service Operations
Edit Master Key
and manually change the master key to be the same as the Panorama master key.
CYR-10044
When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.
CYR-10043
When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.
Workaround:
This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.
CYR-9613
When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the
Data Filtering Profile
area.
CYR-9502
This issue is now resolved in plugin version 1.5.1. See Prisma Access 1.5.1 Addressed Issues.
When the bandwidth for a remote network was changed, a new
Service IP Address
was created for the remote network, instead of retaining its existing
Service IP Address
. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
Workaround:
After you change the bandwidth of a remote network connection, run the API script to retrieve the new
Service IP Address
.
CYR-9455
In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches, but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however it no longer checks the OS type in these agent configs, and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria, but a non-matching OS type.
CYR-9348
When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:
  • A user connected to a Prisma Access location (gateway) who attempts to access an internal resource.
  • A user protected by a remote network who attempts to access a resource from another remote network.
CYR-9213
When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.
CYR-9183
When setting up the GlobalProtect gateway connection settings (
Network
GlobalProtect
Gateways
Agent
Connection Settings
) and specifying a Netmask to
Restrict Authentication Cookie Usage
, the commit fails if only a
Source IPv4 Netmask
is specified.
Workaround:
Specify a
Source IPv6 Netmask
of
0
, which disables the option for the specified IP address type.
CYR-9079
This issue is now resolved in plugin version 1.6. See Prisma Access 1.6.0 Addressed Issues.
Certificate profiles do not display in the HIP Objects' certificate profile (
Objects
GlobalProtect
HIP Objects
<hip-object-name>
Certificate
Certificate Profile
) if the HIP object is
Shared
(that is, not under a specific device group).
CYR-9061
If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.
CYR-9007
When you upload multiple files, and one file exceeds the maximum latency or maximum file setting, any remaining files in the upload queue will not be scanned.
Workaround:
Re-attempt the multiple file upload operation without the file that exceeded the maximum file size or latency setting.
CYR-9003
Reverse DNS queries do not work in Prisma Access.
Workaround:
Because type A and AAAA queries for internal domains work, you can specify
*.in-addr.arpa
in a query so that Prisma Access sends all reverse DNS queries to internal DNS servers.
CYR-8787
When you Commit and Push changes to the Prisma Access security infrastructure, the Push Scope does not display the device group or template that was changed.
Workaround:
Select
Commit
Commit and Push
, and under
Push Scope
, select
Edit Selections
Prisma Access
and select the
Mobile Users
,
Remote Networks
, or
Service Setup
device group or template to which you want to commit changes.
CYR-8245
When you onboard a mobile user location, you cannot see or select all locations in a region if you are using Panorama with a Firefox browser version earlier than 65.
Workaround: Use a Firefox version with a version of 65 or later, or a different browser (for example, Chrome).
CYR-8244
When performing a
Commit and Push
operation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.
Workaround:
Select
Panorama
Licenses
, then select
Retrieve license keys from license server
to retrieve the Clean Pipe licenses again.
CYR-8238
This issue is now resolved in plugin version 1.5. See Prisma Access 1.5.0 Addressed Issues.
The RIB In and RIB Out tabs under
Panorama
Cloud Services
Status
Network Details
Service Connection
Show BGP Status
and
Panorama
Cloud Services
Status
Network Details
Remote Networks
Show BGP Status
are displaying null pages.
CYR-8017
If you add an existing template under one of the template stacks of Prisma Access (for example,
Service_Conn_Template_Stack
,
Mobile_User_Template_Stack
, or
Remote_Network_Template_Stack
), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.
Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.
CYR-7907
In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.
When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.
Workaround:
Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.
CYR-7900
The Traffic Forwarding feature (
Panorama
Cloud Services
Configuration
Service Setup
Settings
Traffic Forwarding
) is not supported with multi-tenant deployments.
CYR-7814
This issue is now resolved in plugin version 1.6. See Prisma Access 1.6.0 Addressed Issues.
Secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.
CYR-7795
When performing a commit operation, the commit fails with the Last Push State Details showing as
The Prisma Access Infrastructure team is looking into the commit issue. Go to the Cloud Services > Status > Status tab for real-time Status Information
. This message might be repeated multiple times in the window.
Workaround:
Wait 30 minutes, then retry the commit operation. This commit issue is temporary and is related to Prisma Access infrastructure.
CYR-7702
When you log out a Prisma Access mobile user from the
Current Users
window, the user still displays in the window after the logout operation.
Workaround:
Close and then reopen the
Current Users
window to show the correct user status.
CYR-7440
If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.
CYR-7332
When you try to configure an Infrastructure Subnet (
Panorama
Cloud Services
Configuration
Service Setup
Settings
) in multi-tenant mode, you can receive an
Operation Failed
message.
Workaround:
Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.
CYR-7128
When you perform a
Commit All
operation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access is displaying failures for portals under gateway status, and is displaying commit failures for gateways under portal status.
Workaround:
Enter the
debug plugins cloud_services prisma-access get-job-result jobid
commit-job-id-number
command, where
commit-job-id-number
is the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.
CYR-6475
When you select the
Overlapped Subnets
check box when configuring a remote network, the source zone in the traffic logs changes to the remote network name that is configured in
Panorama
Cloud Services
Configuration
Remote Networks
Onboarding
Name
.
CYR-6384
Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.
Workaround:
Select
Panorama
Cloud Services
Configuration
Service Setup
(for service connections) or
Panorama
Cloud Services
Configuration
Remote Networks
(for remote network connections), click the gear icon in the
Settings
area to open the
Settings
, then click
OK
.
CYR-6369
When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.
Workaround:
Disable access to the Panorama tab in the Admin Role Profile.
CYR-6317
Administrative users who configure Prisma Access using Panorama 9.0 can configure unsupported features. Prisma Access removes any unsupported features during the commit operation so that these features are not enabled in the cloud.
Workaround:
Make sure features in use are available in PAN-OS 8.1.
CYR-6241
For releases before 1.3.1, Prisma Access did not always enforce the minimum IP pool requirement for all regions in a mobile user deployment. In some cases, you could have specified an IP pool in the Americas region and that pool applied to all locations where you had deployed the Prisma Access gateways. When you perform your first commit after upgrading the Cloud Services plugin, Prisma Access checks that you have allocated an IP pool for all locations where you have deployed Prisma Access gateways, and you might receive a message that your IP pool is not sufficient for the deployed regions.
Workaround:
If you receive this message, either specify an IP pool for the regions that do not have them, specify a Worldwide IP pool, or remove the locations in regions that do not have IP pools.
CYR-6108
When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.
Workaround:
Change the default security rule to any service or service-http and service-https.
CYR-6107
When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.
CYR-6080
You cannot reset the rule hit count for all
Authentication
and
Application Override
policies.
Workaround:
Reset rules using a list of rules or a rule name for
Authentication
and
Application Override
policies.
CYR-6013
When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.
CYR-5888
When using the multi-tenant feature and creating template stacks and templates for a tenant, the
Description
of the template stacks and templates do not display in the
Panorama
Templates
page.
CYR-5867
After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.
Workaround:
Do not downgrade the Cloud Services plugin after you have upgraded it.
CYR-5842
When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.
Workaround:
When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.
CYR-5700
When you create tenant names for the multi-tenancy feature, avoid using names like
Tenant-1
,
Tenant-2
,
Tenant-3
, and so on. The system logs reserve a small number of characters for the tenant name in the log output and, if tenants have similar names, it can be difficult to associate the tenant with the logs. We recommend using a unique and short name for tenants (for example,
Acme
or
Hooli
).
CYR-5690
When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of the your changes for the plugin (
Commit
Commit to Panorama
) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.
CYR-5563
When using the multi-tenancy feature, users who manage single tenants cannot see the system logs. The
Monitor
Logs
System
choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.
CYR-5561
When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking
Tasks
at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
CYR-5476
When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must, use the Panorama user interface (UI).
CYR-5427
When configuring a tenant in multi-tenancy mode, create a unique name for each IPSec tunnel and IKE gateway for service connections and remote network connections, and try to use a name that will not be duplicated by another tenant. While there is no effect to functionality, you cannot delete an IPSec tunnel or IKE gateway if another tenant is using a tunnel or gateway with the same name.
CYR-5159
If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.
Workaround:
To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.
CYR-5139
In an environment with on-premise firewalls on each side of Prisma Access and the remote network connections to which the on-premise firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.
CYR-5098
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround:
Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
CYR-5062
When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out of synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service show a
Config Status
of
Out of Sync
.
Workaround:
Perform a
Commit
and
Push
operation on the Panorama.
CYR-4954
After you upgrade the Cloud Services plugin from version 1.1.0 to 1.3.0, Configuration Assistant screens may display on the
Panorama
Cloud Services
Configuration
Service Setup
,
Remote Networks
, and
Mobile Users
tabs, even though you might have already used the Configuration Assistant before.
Workaround:
Click
Don't Show Again
when the screens display. These screens do not affect existing system configurations.
CYR-4010
The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer. And the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.
CYR-3968
Remote Network statistics (
Panorama
Cloud Services
Status
Remote Networks
Status
and
Panorama
Cloud Services
Status
Remote Networks
Statistics
) can take up to 1 minute to display after a traffic event occurs.
CYR-3952
After you generate a new API key by selecting
Panorama
Cloud Services
Configuration
Service Setup
Generate new API Key
, the previous API key is still valid for a period of time (up to five minutes). You use this API to retrieve the list of IP addresses for your Prisma Access firewalls.
CYR-3645
To use tunnel monitoring with BGP, the IP address that you are monitoring on the Prisma Access firewall must be part of a static subnet configured on a remote network location. The IP address cannot be a BGP exported subnet.
CYR-3638
For service and remote network connections that have BGP enabled, the Prisma Access ignores any route it receives from a neighbor with an AS number in its AS_PATH list that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).
CYR-3544
The default priority of the cloud gateways in the Prisma Access are set to
None
instead of
Highest
.
CYR-3469
If you have configured a
Notification URL
, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.
CYR-3385
When you configure the same AS number for the service connection and remote network location(s), the routes are not imported in to the firewall on the remote network location.
CYR-3330
Mobile users cannot connect to remote network locations without a service connection.
CYR-3114
If your commit fails when you onboard Prisma Access components for the first time, the Task Manager does not always describe the cause of the failure.
Workaround:
To find the errors, select
Panorama
Cloud Services
Status
Monitor
and click the
Status
tab. Invalid configurations are indicated with a red bubble in the
Config Status
column and an error of
Validation Error
.
CYR-3034
When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.
CYR-2648
The 
Panorama
Cloud Services
Configuration
 page is grayed out when Panorama is not in sync with NTP.
Workaround:
Make sure to synchronize time with NTP (
Panorama
Setup
Services
NTP
).
CYR-2633
You cannot change the region associated with multiple remote network locations in a single commit push to the Prisma Access.
Workaround:
 If you need to change the region on more than one remote network location, change them one at a time and complete the commit push before changing the region on the next remote network.
CYR-2578
Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.
Workaround:
Deselect the
Enable HA
check box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.
CYR-2028
The
Device
Setup
Management
page is not available on the Panorama appliance running the Prisma Access plugin. You cannot configure NT LAN Manager (NTLM).
CYR-1836
You cannot enforce MFA when users at one of your corporate HQ locations attempts to access a resource at a remote network location.
CYR-1646
Although Panorama allows you to delete the Mobile_User_Template that was created when the Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.
CYR-1189
When you onboard a new service connection or a remote network, the count for service connection and total remote peers displayed on 
Panorama
Cloud Services
Status
Status
 is inaccurate until the provisioning is complete.
CYR-1120
On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.
CYR-950
This issue is now resolved in plugin version 1.5.0. See Prisma Access 1.5.0 Addressed Issues.
You cannot view detailed HIP reports from the  
Monitor
Logs
HIP Match
.
CYR-575
You cannot configure the Prisma Access gateway as an internal gateway.

Recommended For You