Prisma Access Known Issues
Prisma Access has the following known issues.
When administrators log out a mobile user who is logged in using SAML from the Prisma Access status page (
), a Single Logout (SLO) request is not generated. As a result, the user is logged out of the gateway but is not logged out of the IdP, and if the client SAML cookie is still valid, the user can reconnect without having to input credentials.
If you have two Panorama appliances configured in high-availability mode, the passive Panorama will display an
out of syncmessage during a commit and push operation.
Workaround: Open a command-line interface (CLI) session on both the passive and active Panorama and enter the following commands:
When using an antivirus profile attached to a security policy rule, files are not being scanned during an FTP session.
When you make changes to traffic steering forwarding rules, then commit and push your changes, your changes do not appear in the Push Scope.
Workaround: Modify the Push Scope by clicking
Edit Selections, then selecting the device group or groups you changed (
Mobile Users, or all three).
When you create a traffic forwarding rule for traffic steering, predefined URL categories might display as choices along with custom URL categories.
Workaround: Predefined URL categories are not supported; do not select them when configuring a traffic forwarding rule for traffic steering. Select custom URL categories instead.
When you upgrade the Cloud Services plugin to 1.7, Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
Prisma Access prepends an asterisk to URLs in custom URL categories, which doubles the number of URLs entered in a custom URL category. Prisma Access supports a maximum of 300,000 URLs in URL category entries; if you use custom URLs for traffic steering and are close to this limit, the doubling of URLs might cause your deployment to exceed the limit of URLs.
External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
Workaround: Use IP-based EDLs only.
If you used policy-based forwarding rules to forward internet-bound traffic to service connections in Prisma Access 1.6, Prisma Access makes the following additions to URLs in custom URL categories after you upgrade from 1.6 to 1.7:
If you already have added URLs with wildcards, Prisma Access might add URLs that duplicate existing URLs after the upgrade.
When you select
, the Service Status area displays
Cortex Data Lake
No data to display, even though Cortex Data Lake is working normally.
Workaround: Select the Table view icon on the top right side of the page to view a tabular view of the statistics instead of the Gauge view.
After you make configuration changes to an existing service connection or remote network connection (for example, changing the bandwidth, region, QoS, or BGP values), the job details in the Deployment Status page (
) might display a value of TIMEOUT, even if the job completed successfully.
If you configure traffic steering (using PBF rules to forward internet-directed traffic using a service connection) in multi-tenancy mode, the Target Service Connections do not display in the policy-based forwarding rule.
Workaround: Refresh the browser, then recreate
Target Service Connections for Traffic Forwardingand the PBF rule.
Prisma Access does not support FTP data transfers in active mode.
When Prisma Access performs a dataplane upgrade on a mobile user instance (an upgrade to a Prisma Access gateway or portal), any failed commits on the instance that were performed before the upgrade will not be applied to the upgraded instance.
External Dynamic Lists (EDLs) are not supported when using traffic forwarding rules to direct internet-based traffic to service connections.
Workaround: Use IP-based EDLs only.
During a Prisma Access dataplane upgrade, BGP statistics may not be available for 30 minutes in the Network Details page. This unavailability has no impact on dataplane traffic.
If you use Microsoft Edge or Firefox when using traffic steering, the browser does not forward traffic on its first attempt.
Workaround: Refresh the browser, then retry the operation.
If you are using URLs or URL categories as a match criteria in a policy-based forwarding rule for traffic steering, the initial packets (for example, a TCP handshake) intermittently do not match the rule for the users who connect to a matching URL for the first time.
If, in a traffic steering deployment with multiple traffic forwarding rules, two URLs in two separate rules resolve to the same IP address, Prisma Access sends traffic to the first rule in the list and will not use the second traffic rule. Traffic steering evaluates multiple traffic forwarding rules in order from top to bottom.
For a Prisma Access deployment with two Panoramas configured in high availability, you are able to request an upgrade to the GlobalProtect software version on the passive Panorama. Software upgrade requests are not applied if you request them on the passive Panorama.
Workaround: Do not request software upgrades on the passive Panorama; only request upgrades using the active Panorama.
After selecting Accept Default Routes over Service Connections, or after configuring forwarding rules for traffic steering, and then committing your changes, the Prisma Access components do not display in the Push Scope.
Commit and Push
Edit Selectionsin the
Push Scope, select
Prisma Access, select
Mobile Users, and click
OK. Alternatively, upgrade your Panorama to a minimum version of 9.0.11 for 9.0.x versions, 9.1.5 for 9.1.x versions, or 10.0.2 for 10.0.x versions.
When using service connections to forward internet-bound traffic, multiple traffic forwarding rules are not processed top to bottom.
Prisma Access does not support a rule type of Intrazone if the source and destination zones are both Trust.
When using a Panorama running PAN-OS 9.1 in multi-tenant mode and log in as a tenant-level user, you cannot add remote networks or configure mobile users.
Workaround:Log in as the admin user and perform the remote network or mobile user configuration.
If you use traffic forwarding rules with service connections and you have a traffic rule configured with the
Sourceas a specific region and the
URLincludes a wild card, and the source address of the traffic does not match the rule, the URL specified in the rule cannot be reached.
Workaround:Configure the source address in the traffic rule as Any.
If you have configured a remote network for secure inbound access to a remote network site, do not configure a service connection to redirect mobile user and remote network internet traffic using policy-based forwarding (PBF) traffic forwarding rules; these two functionalities are not compatible.
If you enable ECMP on a remote network, the values shown in the Statistics tab under
Ingress Peak Bandwidth (Mbps)are correct; however, if you click the hyperlink for this value, the pop-up window that displays might show an incorrect value.
When you check the Cortex Data Lake Status at
, the statistics displayed there might not display accurate storage and retention information.
Cortex Data Lake
Workaround:Go to the hub and select
Cortex Data Laketo see the most up-to-date information.
When creating a new mobile user deployment in multi-tenant mode, you receive an error that the Portal Hostname is not available when you assign it during mobile user onboarding.
Workaround:Before you begin your mobile user configuration, add an Infrastructure Subnet, commit all your changes to Panorama, and push the configuration changes to Prisma Access.
Some files are being skipped for DLP scanning when using OneDrive to upload multiple files.
When using DLP on Prisma Access, you can upload up to 25 files at a time.
When attaching a parent Device Group to a new remote network tenant in multi-tenant mode, the administrator is unable to attach device groups and templates.
Workaround:Log out, then log back in to Panorama.
If you use Box to upload multiple files, and one or more of the files are larger than 5 MB, the upload of all files will not complete. To continue, find the files in Box that are larger than 5 MB and click
Xto stop the download of those files.
Traffic statistics for remote networks might exceed the configured bandwidth; for example, a remote network configured for 300 Mbps might show an ingress or egress peak bandwidth that is higher than 300 Mbps.
Workaround:No workaround is required. Because Prisma Access measures the peak bandwidth values using a short time interval, the peak bandwidth might occasionally exceed the configured remote network values.
When you check the status in a multi-tenant deployment by selecting
, the information in the
All Tenantsarea displays twice.
DLP on Prisma Access is not supported in a Prisma Access multi-tenant deployment.
If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Support Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
If you change the master key in Panorama (in
), the master key for Cloud Services is not synchronized with this master key.
Master Key and Diagnostics
and manually change the master key to be the same as the Panorama master key.
Edit Master Key
When using Slack to upload multiple files, the Slack client treats the multiple file upload as a single request. If one of the files is not successfully uploaded, Slack retries the upload of all files a maximum of three times. If, after three retries, Slack cannot upload one or more of the files, the Slack client displays an error in the UI and doesn't upload any of the files.
When you upload a file using Slack, and the file is blocked, Slack detects the block operation as an upload failure and retries the file upload, which results in the same file being uploaded and blocked twice.
Workaround:This is normal Slack file upload behavior. Be aware that a single file that is uploaded using Slack might appear twice in the data filtering logs as being blocked.
When you delete a data filtering profile from a Prisma Access device group that is not shared, the profile name still appears when you add or configure a Security Profile Group, in the
Data Filtering Profilearea.
When the bandwidth for a remote network was changed, a new
Service IP Addresswas created for the remote network, instead of retaining its existing
Service IP Address. This behavior has been observed in the US West, South Korea, Ireland, and France North locations.
Workaround:After you change the bandwidth of a remote network connection, run the API script to retrieve the new
Service IP Address.
In a GlobalProtect deployment where the portal has multiple agent configs, when a GlobalProtect client logs in using the app, the portal looks for a matching agent config for the client by checking its OS type along with the config selection criteria. The agent configs are checked from top to bottom. If the OS type matches, but the config selection criteria does not, GlobalProtect marks the agent config as non-matching and moves to the next agent config to check for a match; however it no longer checks the OS type in these agent configs, and only looks for a match of the config selection criteria. This condition can cause the client to receive an agent config that has matching config selection criteria, but a non-matching OS type.
When configuring HIP redistribution, you cannot retrieve HIP information and set policies for the following use cases:
When using DLP on Prisma Access, when you upload a .docx file using SharePoint that was exported from Google Docs, the upload fails.
When setting up the GlobalProtect gateway connection settings (
) and specifying a Netmask to
Restrict Authentication Cookie Usage, the commit fails if only a
Source IPv4 Netmaskis specified.
Source IPv6 Netmaskof
0, which disables the option for the specified IP address type.
Certificate profiles do not display in the HIP Objects' certificate profile (
) if the HIP object is
Shared(that is, not under a specific device group).
If using Slack, Box, or Gmail to upload a file using DLP on Prisma Access, the response page is not displayed to the client if the upload is blocked.
When you upload multiple files, and one file exceeds the maximum latency or maximum file setting, any remaining files in the upload queue will not be scanned.
Workaround:Re-attempt the multiple file upload operation without the file that exceeded the maximum file size or latency setting.
Reverse DNS queries do not work in Prisma Access.
Workaround:Disable DNS Proxy and use internal DNS for all resolutions for both mobile users and service connections.
When you Commit and Push changes to the Prisma Access security infrastructure, the Push Scope does not display the device group or template that was changed.
, and under
Commit and Push
Push Scope, select
and select the
Remote Networks, or
Service Setupdevice group or template to which you want to commit changes.
When you onboard a mobile user location, you cannot see or select all locations in a region if you are using Panorama with a Firefox browser version earlier than 65.
Workaround: Use a Firefox version with a version of 65 or later, or a different browser (for example, Chrome).
When performing a
Commit and Pushoperation for the Clean Pipe service, you receive an error that the Clean Pipe service had insufficient license resources, even though you have sufficient licensed bandwidth.
, then select
Retrieve license keys from license serverto retrieve the Clean Pipe licenses again.
The RIB In and RIB Out tabs under
Show BGP Status
are displaying null pages.
Show BGP Status
If you add an existing template under one of the template stacks of Prisma Access (for example,
Remote_Network_Template_Stack), you cannot use objects of the added template in other Prisma Access templates that are part of the same template stack.
Previously, you could view and use objects from existing templates in Prisma Access templates if the templates were a part of a Prisma Access-specific template stack, which is not standard Panorama behavior.
In multi-tenant mode, Prisma Access automatically creates a set of templates, template stacks, and device groups for each tenant you create for remote networks, mobile users, and the Clean Pipe service. Prisma Access creates tenant-specific sets for all products, even if you are licensed for only one Prisma Access type.
When you delete a tenant, Prisma Access deletes the template and device group set for which you are licensed, but does not delete the unlicensed set. For example, if you have a remote network deployment and delete a tenant, Prisma Access does not delete the set it created for the mobile users and Clean Pipe.
Workaround:Manually delete the unused, unlicensed set of templates, template stacks, and device groups after you delete a tenant.
The Traffic Forwarding feature (
) is not supported with multi-tenant deployments.
Secondary tunnels are not supported with Prisma Access/AWS integrations that use dynamic (BGP) routing.
When you log out a Prisma Access mobile user from the
Current Userswindow, the user still displays in the window after the logout operation.
Workaround:Close and then reopen the
Current Userswindow to show the correct user status.
If you have two Panoramas set up in an active-primary and passive-secondary setup for Prisma Access, you cannot log out mobile users from the passive-secondary Panorama.
When you try to configure an Infrastructure Subnet (
) in multi-tenant mode, you can receive an
Workaround:Refresh the Panorama UI to have Prisma Access correctly apply the infrastructure subnet to the tenant's configuration.
When you perform a
Commit Alloperation for mobile users, Prisma Access should display the commit status for portals and gateways separately; however, Prisma Access is displaying failures for portals under gateway status, and is displaying commit failures for gateways under portal status.
debug plugins cloud_services prisma-access get-job-result jobid
commit-job-id-numberis the ID of the commit operation that failed, to check and verify the commit operation for portals and gateways.
Pre-defined IKE Crypto, IPSec Crypto, and IKE Gateways templates do not display.
(for service connections) or
(for remote network connections), click the gear icon in the
Settingsarea to open the
Settings, then click
When in multi-tenant mode, if you create a custom admin user with an Admin Role Profile that has Read Only access to the Panorama tab and has Plugin access disabled, that user can view, configure, and commit changes for subtenants.
Workaround:Disable access to the Panorama tab in the Admin Role Profile.
When you configure Clientless VPN with Prisma Access, the default security rule configuration uses the application-default service, which blocks clientless-vpn traffic.
Workaround:Change the default security rule to any service or service-http and service-https.
When configuring multi-tenant, if you create any device groups that are children or grandchildren of other device groups you create under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild) when you associate the device group to an access domain; do not select the parent.
You cannot reset the rule hit count for all
Workaround:Reset rules using a list of rules or a rule name for
When you migrate a single tenant to multi-tenant mode, you must do a local commit and then push the configuration before you add more tenants.
When using the multi-tenant feature and creating template stacks and templates for a tenant, the
Descriptionof the template stacks and templates do not display in the
After upgrading to a new version of the Cloud Services plugin, you are able to downgrade. The downgrade operation should be disallowed.
Workaround:Do not downgrade the Cloud Services plugin after you have upgraded it.
When using the multi-tenant feature and migrating the first tenant to multi-tenancy, you can select template stacks and templates that are not associated with the tenant that you want to migrate, including templates that are used with on-premise firewalls.
Workaround:When you convert to multi-tenant mode, be sure to choose only those templates that you want to associate to the first tenant to migrate.
When configuring multi-tenancy, if you are planning to later configure Prisma Access for mobile users, you must do a local Commit of the your changes for the plugin (
) after you add templates, template stacks, and device groups for each tenant and before you onboard each tenant.
Commit to Panorama
When using the multi-tenancy feature, users who manage single tenants cannot see the system logs. The
choice is not available. This limitation applies to all Administrators who have an administrative role of Device Group and Template. Only superusers can view system logs in multi-tenancy mode.
When using the multi-tenancy feature and logged in as a tenant-level administrative user, opening the Panorama Task Manager (clicking
Tasksat the bottom of the Panorama web interface) shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
When you enable multi-tenancy and migrate your configuration to the first sub-tenant, CLI commands are not supported for this operation. As a result, you must, use the Panorama user interface (UI).
If you configure a mobile user IP address pool for a single region instead of Worldwide, mobile users can still view and attempt to connect to all available gateway regions from their GlobalProtect app. This attempt fails because there is no IP address pool to allocate for other regions.
Workaround:To allow mobile users to manually select a gateway, either configure an IP address pool for the region in the location where you want the users to connect, or configure a Worldwide IP address pool for mobile users in Prisma Access to allow them to select all the locations you have deployed.
In an environment with on-premise firewalls on each side of Prisma Access and the remote network connections to which the on-premise firewalls are connected are in different regions, users behind one on-premise firewall cannot contact users behind another on-premise firewall unless you have configured an explicit policy to allow traffic between zone Trust and zone Trust.
If you change the master key in Panorama (in Device > Master Key and Diagnostics), the master key for Cloud Services is not synchronized with this master key.
Workaround:Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually change the master key to be the same as the Panorama master key.
When regular dynamic updates are downloaded to Panorama (by default, every Wednesday at 01:02), the MD5 checksum is changed. This condition can cause the Panorama configuration and the Prisma Access infrastructure to lose synchronization. While no tunnels are affected by this out of synchronization state, the status for Service Connections, Remote Networks, Mobile Users, and the Logging Service show a
Out of Sync.
Pushoperation on the Panorama.
The BGP router configuration on the Prisma Access firewalls can receive a maximum of 15000 prefixes from each peer. And the total number of routes (static and dynamic) learned through BGP cannot exceed 25000. Exporting more than 25000 routes may adversely affect traffic flow on your network.
Remote Network statistics (
) can take up to 1 minute to display after a traffic event occurs.
After you generate a new API key by selecting
, the previous API key is still valid for a period of time (up to five minutes). You use this API to retrieve the list of IP addresses for your Prisma Access firewalls.
Generate new API Key
To use tunnel monitoring with BGP, the IP address that you are monitoring on the Prisma Access firewall must be part of a static subnet configured on a remote network location. The IP address cannot be a BGP exported subnet.
For service and remote network connections that have BGP enabled, the Prisma Access ignores any route it receives from a neighbor with an AS number in its AS_PATH list that duplicates an AS number in the Prisma Access AS infrastructure (Infra-AS).
The default priority of the cloud gateways in the Prisma Access are set to
If you have configured a
Notification URL, when you onboard a new remote network location, two notifications are sent to the URL instead of only one.
When you configure the same AS number for the service connection and remote network location(s), the routes are not imported in to the firewall on the remote network location.
Mobile users cannot connect to remote network locations without a service connection.
If your commit fails when you onboard Prisma Access components for the first time, the Task Manager does not always describe the cause of the failure.
Workaround:To find the errors, select
and click the
Statustab. Invalid configurations are indicated with a red bubble in the
Config Statuscolumn and an error of
When configuring SAML, you must perform all configuration with a role of Superuser, including any configuration you perform for SAML using CLI.
page is grayed out when Panorama is not in sync with NTP.
Workaround:Make sure to synchronize time with NTP (
You cannot change the region associated with multiple remote network locations in a single commit push to the Prisma Access.
Workaround:If you need to change the region on more than one remote network location, change them one at a time and complete the commit push before changing the region on the next remote network.
Master Keys do not work for two Panorama appliances set as HA primary and secondary appliances.
Enable HAcheck box on the secondary Panorama appliance and commit the changes, set the same Master Key on both the primary and secondary Panorama appliance, then re-enable HA on the secondary Panorama appliance and commit the changes.
page is not available on the Panorama appliance running the Prisma Access plugin. You cannot configure NT LAN Manager (NTLM).
You cannot enforce MFA when users at one of your corporate HQ locations attempts to access a resource at a remote network location.
Although Panorama allows you to delete the Mobile_User_Template that was created when the Prisma Access was provisioned, deleting this template also deletes your onboarding configuration and, upon commit, removes your Prisma Access for mobile users configuration.
When you onboard a new service connection or a remote network, the count for service connection and total remote peers displayed on
is inaccurate until the provisioning is complete.
On Panorama, you cannot validate commit on a device group or template configuration before pushing the configuration to the Prisma Access infrastructure for remote networks and mobile users.
You cannot view detailed HIP reports from the
You cannot configure the Prisma Access gateway as an internal gateway.
Recommended For You
Recommended videos not found.