Prisma Access Known Issues
Prisma Access has the following known issues.
When you use a Panorama running PAN-OS 9.1 in multi-tenant mode and log in as a tenant-level user, you cannot add remote networks or configure mobile users.
Workaround: Log in as the admin user and perform the remote network or mobile user configuration.
If you use traffic forwarding rules with service connections and you have a traffic rule configured with the Source as a specific region and a URL that includes a wildcard, and the source address of the traffic does not match the rule, the URL specified in the rule cannot be reached.
Workaround: Configure the source address in the traffic rule as Any.
If you have configured a remote network for secure inbound access to a remote network site, do not configure a service connection to redirect mobile user and remote network internet traffic using policy-based forwarding (PBF) traffic forwarding rules; these two functionalities are not compatible.
When you check the Cortex Data Lake Status on the Cortex Data Lake page, the statistics displayed there might not display accurate storage and retention information.
Workaround: Go to the hub and select Cortex Data Lake to see the most up-to-date information.
If you enable ECMP on a remote network, the values shown in the Statistics tab under Ingress Peak Bandwidth (Mbps) are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.
When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.
Workaround: Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.
Some files are skipped for DLP scanning when you use OneDrive to upload multiple files.
When using DLP on Prisma Access, you can upload up to 25 files at a time.
When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.
Workaround: Log out, then log back in to Panorama.
If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click X to stop the download of those files.
When you check the status in a multi-tenant deployment, the information in the All Tenants area displays twice.
DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.
If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.
When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.
Workaround: This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.
When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the Data Filtering Profile area.
When the bandwidth for a remote network was changed, a new Service IP Address was created for the remote network, instead of retaining its existing Service IP Address. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
Workaround: After you change the bandwidth of a remote network connection, run the API script to retrieve the new Service IP Address.
In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however, it no longer checks the OS type in these agent configs and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria but a non-matching OS type.
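The following is an added example, not code from the page or from GlobalProtect itself: a small Python model of the agent config selection just described, with the intended behavior beside the described behavior, plus an audit helper that runs a portal's config order against representative client profiles to find which clients would be handed a config for the wrong OS. The config attributes (os_types, user_groups) and the sample configs and clients are constructed for illustration.

```python
from dataclasses import dataclass, field

ANY = "any"  # sentinel: the config does not restrict on this attribute


@dataclass
class AgentConfig:
    """One portal agent config: an OS restriction plus a selection criterion.
    Constructed model for illustration; a real portal has more criteria."""
    name: str
    os_types: object = ANY      # e.g. {"Mac"}; ANY means no OS restriction
    user_groups: object = ANY   # e.g. {"finance"}; ANY means no restriction


@dataclass
class Client:
    os_type: str
    groups: set = field(default_factory=set)


def os_matches(cfg: AgentConfig, client: Client) -> bool:
    return cfg.os_types == ANY or client.os_type in cfg.os_types


def criteria_match(cfg: AgentConfig, client: Client) -> bool:
    return cfg.user_groups == ANY or bool(client.groups & cfg.user_groups)


def select_expected(configs, client):
    """Intended behavior: a config matches only if OS and criteria both match."""
    for cfg in configs:
        if os_matches(cfg, client) and criteria_match(cfg, client):
            return cfg.name
    return None


def select_as_described(configs, client):
    """Behavior described in the known issue: once a config matched the OS but
    failed the criteria, every later config is checked on criteria only."""
    check_os = True
    for cfg in configs:
        os_ok = os_matches(cfg, client)
        crit_ok = criteria_match(cfg, client)
        if (os_ok or not check_os) and crit_ok:
            return cfg.name
        if check_os and os_ok and not crit_ok:
            check_os = False  # the defect: OS type is no longer considered
    return None


def audit_config_order(configs, clients):
    """Return (client, described_pick, expected_pick) for every client that
    the described matching would hand a different config than intended."""
    findings = []
    for client in clients:
        described = select_as_described(configs, client)
        expected = select_expected(configs, client)
        if described != expected:
            findings.append((client, described, expected))
    return findings


# Constructed portal config order (top to bottom) and representative clients.
CONFIGS = [
    AgentConfig("mac-finance", os_types={"Mac"}, user_groups={"finance"}),
    AgentConfig("windows-all", os_types={"Windows"}),
    AgentConfig("mac-all", os_types={"Mac"}),
]
CLIENTS = [
    Client("Mac", {"finance"}),       # matches the first config either way
    Client("Mac", {"engineering"}),   # triggers the described condition
    Client("Windows", {"engineering"}),
]

if __name__ == "__main__":
    for client, got, want in audit_config_order(CONFIGS, CLIENTS):
        print(f"{client.os_type}/{sorted(client.groups)}: gets {got}, expected {want}")
```

In the sample order, a Mac user who is not in finance matches the OS of the first config but not its group criterion; from then on only criteria are checked, so the Windows config (which has no group restriction) is the next match, even though the intended pick is mac-all. Running the audit against your own config order and user population shows which orderings are affected.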
When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:
When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.
When setting up the GlobalProtect gateway connection settings and specifying a Netmask to Restrict Authentication Cookie Usage, the commit fails if only a Source IPv4 Netmask is specified.
Workaround: Also specify a Source IPv6 Netmask of 0, which disables the option for the specified IP address type.
Certificate profiles do not display in the HIP Objects' certificate profile if the HIP object is Shared (that is, not under a specific device group).
If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.
When you upload multiple files, and one file exceeds the maximum latency or maximum file size setting, any remaining files in the upload queue will not be scanned.
Workaround: Re-attempt the multiple file upload operation without the file that exceeded the maximum file size or latency setting.
Reverse DNS queries do not work in Prisma Access.
Workaround: Because type A and AAAA queries for internal domains work, you can specify *.in-addr.arpa as a domain to match so that Prisma Access sends all reverse DNS queries to internal DNS servers.
When you Commit and Push changes to the Prisma Access security infrastructure, the Push Scope does not display the device group or template that was changed.
Workaround: Use Commit and Push, and under Push Scope, select the Remote Networks or Service Setup device group or template to which you want to commit changes.
When you onboard a mobile user location, you cannot see or select all locations in a region if you are using Panorama with a Firefox browser version earlier than 65.
Workaround: Use Firefox version 65 or later, or a different browser (for example, Chrome).
When performing a Commit and Push operation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.
Workaround: Select Retrieve license keys from license server to retrieve the Clean Pipe licenses again.
The RIB In and RIB Out tabs under Show BGP Status display null pages.
If you add an existing template under one of the template stacks of Prisma Access (for example, Remote_Network_Template_Stack), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.
Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.
In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.
When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.
Workaround: Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.
The Traffic Forwarding feature is not supported with multi-tenant deployments.
Secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.
When performing a commit operation, the commit fails with the Last Push State Details showing: "The Prisma Access Infrastructure team is looking into the commit issue. Go to the Cloud Services > Status > Status tab for real-time Status Information." This message might be repeated multiple times in the window.
Workaround: Wait 30 minutes, then retry the commit operation. This commit issue is temporary and is related to Prisma Access infrastructure.
When you log out a Prisma Access mobile user from the Current Users window, the user still displays in the window after the logout operation.
Workaround: Close and then reopen the Current Users window to show the correct user status.
If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.
When you try to configure an Infrastructure Subnet in multi-tenant mode, you can receive an error.
Workaround: Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.
When you perform a Commit All operation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access displays failures for portals under gateway status, and displays commit failures for gateways under portal status.
Workaround: Run the CLI command debug plugins cloud_services prisma-access get-job-result jobid commit-job-id-number, where commit-job-id-number is the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.
When you select the Overlapped Subnets check box when configuring a remote network, the source zone in the traffic logs changes to the configured remote network name.
Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.
Workaround: In the service connection or remote network connection configuration, click the gear icon in the Settings area to open the Settings.
When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.
Workaround: Disable access to the Panorama tab in the Admin Role Profile.
Administrative users who configure Prisma Access using Panorama 9.0 can configure unsupported features. Prisma Access removes any unsupported features during the commit operation so that these features are not enabled in the cloud.
Workaround: Make sure features in use are available in PAN-OS 8.1.
For releases before 1.3.1, Prisma Access did not always enforce the minimum IP pool requirement for all regions in a mobile user deployment. In some cases, you could have specified an IP pool in the Americas region and that pool applied to all locations where you had deployed the Prisma Access gateways. When you perform your first commit after upgrading the Cloud Services plugin, Prisma Access checks that you have allocated an IP pool for all locations where you have deployed Prisma Access gateways, and you might receive a message that your IP pool is not sufficient for the deployed regions.
Workaround: If you receive this message, either specify an IP pool for the regions that do not have them, specify a Worldwide IP pool, or remove the locations in regions that do not have IP pools.
When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.
Workaround: Change the default security rule to any service or service-http and service-https.
When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.
You cannot reset the rule hit count for all rules at once.
Workaround: Reset the hit count using a list of rules or a rule name.
When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.
When using the multi-tenant feature and creating template stacks and templates for a tenant, the Description of the template stacks and templates does not display.
After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.
Workaround: Do not downgrade the Cloud Services plugin after you have upgraded it.
When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.
Workaround: When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.
When you create tenant names for the multi-tenancy feature, avoid using a series of similar names like Tenant-3, and so on. The system logs reserve a small number of characters for the tenant name in the log output and, if tenants have similar names, it can be difficult to associate the tenant with the logs. We recommend using a unique and short name for each tenant.
When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of your changes for the plugin (Commit to Panorama) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.
When using the multi-tenancy feature, users who manage single tenants cannot see the system logs; the system logs choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.
When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must use the Panorama user interface (UI).
When configuring a tenant in multi-tenancy mode, create a unique name for each IPSec tunnel and IKE gateway for service connections and remote network connections, and try to use a name that will not be duplicated by another tenant. While this has no effect on functionality, you cannot delete an IPSec tunnel or IKE gateway if another tenant is using a tunnel or gateway with the same name.
If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.
Workaround: To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.
In an environment where on-premise firewalls are on each side of Prisma Access and the remote network connections to which those firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.
When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out-of-synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service shows a status of Out of Sync.
Workaround: Perform a Push operation on the Panorama.
After you upgrade the Cloud Services plugin from version 1.1.0 to 1.3.0, Configuration Assistant screens may display on the Remote Networks and Mobile Users tabs, even though you might have already used the Configuration Assistant before.
Workaround: Select Don't Show Again when the screens display. These screens do not affect existing system configurations.
The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer, and the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.
Remote Network statistics can take up to 1 minute to display after a traffic event occurs.
After you generate a new API key by selecting Generate new API Key, the previous API key is still valid for a period of time (up to five minutes). You use this API key to retrieve the list of IP addresses for your Prisma Access firewalls.
To use tunnel monitoring with BGP, the IP address that you are monitoring on the Prisma Access firewall must be part of a static subnet configured on a remote network location. The IP address cannot be a BGP exported subnet.
For service and remote network connections that have BGP enabled, Prisma Access ignores any route it receives from a neighbor whose AS_PATH list contains an AS number that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).
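The following is an added example (not code from the page or from Prisma Access) covering both the prefix limits stated above (15000 prefixes per peer, 25000 routes in total) and the Infra-AS rule in the preceding item. It is a Python pre-check you can run over a planned set of route advertisements before onboarding a site: it models which routes would be dropped and why, and uses the standard library to aggregate adjacent prefixes so an export stays under the limits. The order in which the rules are applied, the peer names, prefixes and AS numbers (including the 64999 placeholder for Infra-AS) are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Limits stated on this page.
MAX_PREFIXES_PER_PEER = 15000
MAX_TOTAL_ROUTES = 25000


def evaluate_routes(updates, infra_as, static_routes=0,
                    per_peer_max=MAX_PREFIXES_PER_PEER,
                    total_max=MAX_TOTAL_ROUTES):
    """Model which received routes would be kept.

    updates: iterable of (peer, prefix, as_path), as_path being a list of ASNs.
    Returns (accepted, rejected); rejected holds (peer, prefix, reason).
    Constructed model: the exact rule order of the real system is not stated
    on the page, so the AS_PATH check is simply applied first here."""
    accepted, rejected = [], []
    per_peer = Counter()
    total = static_routes  # static routes count toward the total as well
    for peer, prefix, as_path in updates:
        if infra_as in as_path:
            rejected.append((peer, prefix, "AS_PATH contains Infra-AS"))
        elif per_peer[peer] >= per_peer_max:
            rejected.append((peer, prefix, "per-peer prefix limit"))
        elif total >= total_max:
            rejected.append((peer, prefix, "total route limit"))
        else:
            per_peer[peer] += 1
            total += 1
            accepted.append((peer, prefix))
    return accepted, rejected


def aggregate(prefixes):
    """Collapse adjacent or contained prefixes so fewer routes need exporting,
    one way to keep a site's advertisement under the limits."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_demo_updates():
    """Constructed sample: two peers plus one route that carries the Infra-AS
    (a loop the firewall must ignore). 64999 is a placeholder, not a real ASN."""
    infra_as = 64999
    updates = []
    for i in range(4):
        updates.append(("site-a", f"10.0.{i}.0/24", [65001]))
    for i in range(4):
        updates.append(("site-b", f"10.1.{i}.0/24", [65002]))
    updates.append(("site-b", "172.16.0.0/24", [65002, infra_as, 65003]))
    return infra_as, updates


if __name__ == "__main__":
    infra_as, updates = build_demo_updates()
    # Small limits so the tiny sample exercises every rejection reason.
    acc, rej = evaluate_routes(updates, infra_as, per_peer_max=3, total_max=5)
    print(f"accepted {len(acc)}, rejected {len(rej)}")
    for item in rej:
        print("  rejected", item)
    site_a = [p for peer, p, _ in updates if peer == "site-a"]
    print("site-a aggregated:", aggregate(site_a))
```

With the page's real limits the sample only loses the route whose AS_PATH contains the Infra-AS; the lowered limits in the usage block show the per-peer and total rejections as well, and the four site-a /24s aggregate to a single /22.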
The default priority of the cloud gateways in the Prisma Access are set to
If you have configured a Notification URL, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.
When you configure the same AS number for the service connection and remote network location(s), the routes are not imported into the firewall on the remote network location.
Mobile users cannot connect to remote network locations without a service connection.
If your commit fails when you onboard Prisma Access components for the first time, the Task Manager does not always describe the cause of the failure.
Workaround: To find the errors, click the Status tab. Invalid configurations are indicated with a red bubble in the Config Status column.
When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.
The affected page is grayed out when Panorama is not in sync with NTP.
Workaround: Make sure to synchronize time with NTP.
You cannot change the region associated with multiple remote network locations in a single commit push to Prisma Access.
Workaround: If you need to change the region on more than one remote network location, change them one at a time and complete the commit push before changing the region on the next remote network.
Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.
Workaround: Clear the Enable HA check box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.
The page for configuring NT LAN Manager (NTLM) is not available on the Panorama appliance running the Prisma Access plugin; you cannot configure NTLM.
You cannot enforce MFA when users at one of your corporate HQ locations attempt to access a resource at a remote network location.
Although Panorama allows you to delete the Mobile_User_Template that was created when the Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.
When you onboard a new service connection or a remote network, the displayed count for service connections and total remote peers is inaccurate until the provisioning is complete.
On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.
You cannot view detailed HIP reports.
You cannot configure the Prisma Access gateway as an internal gateway.