Known Issues
A list of known issues in AI Runtime Security.

Review the known issues for the latest release of AI Runtime Security. Each entry lists the issue ID followed by its description.

PAN-256741: Traffic Routing Blocked Between `fw-trust-vpc` and `app-vpc`

Traffic routing between `fw-trust-vpc` and `app-vpc` via VPC peering is currently blocked because the route export from `fw-trust-vpc` to `app-vpc` for 0.0.0.0/0 to the ILB is hindered by an existing default gateway route in the `app-vpc`.

Workaround: Create a default route in the `app-vpc` that uses the AI Runtime Security ILB as the next hop. This ensures traffic routes correctly through the AI Runtime Security instance (firewall), enforcing security policies.

PLUG-16395: IPv6 tag harvesting is not supported.

AIFW-421: Missing CIDR Retrieval During AI Runtime Security Deployment

While deploying an AI Runtime Security instance (Insights → AI Runtime Security) in Strata Cloud Manager, selecting the application namespace does not retrieve the cluster pod and service CIDRs.

Workaround: After generating the Terraform configuration, whitelist these CIDR values in the Firewall Trust VPC firewall rule.

PAN-263750: No Detection Logs for GenAI LLM Apps in AI Security Threat Logs

Detection logs for AI threats are missing from the AI security threat logs in Strata Cloud Manager (Incidents and Alerts → Log Viewer) when AI models are targeted by GenAI prompts.

This issue occurs when AI LLM applications are defined in the security policy but the necessary dependent applications (such as SSL and web browsing) are not included. As a result, the AI Runtime Security instance provides inaccurate threat verdicts.

Workaround: Navigate to Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy and scope it to your AI Runtime Security instance. Edit the policy to include the dependent apps (web browsing and SSL). This ensures the AI Runtime Security instance detects and logs AI security threats correctly in the Log Viewer.

ADI-34273: AI Security Profile Deletion Failure After Scope Relocation

When moving an AI Security profile (Manage → Configuration → NGFW and Prisma Access → Security Services → AI Security) in Strata Cloud Manager from one device scope to another, deleting the security profile in the new device scope fails.

ADI-34257: Cloning a security policy rule (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy) in Strata Cloud Manager that uses an AI profile group does not update the AI profile usage in the cloned rule.

PAN-266547: Tag Collector in TC Mode Enters Maintenance Mode After Upgrade to `v11.2.3`

The issue occurs when you upgrade the AI Runtime Security tag collector from `v11.2.2-h1` to `v11.2.3`: the tag collector enters a reboot loop and eventually goes into maintenance mode.

Workaround: Do not upgrade to `v11.2.3`, as the auto-commit feature is not triggered in `v11.2.3`.

PAN-266547: Tag Collector running `v11.2.2-h1` enters maintenance mode post bootstrap with instance types other than `n2-standard-4` and `Standard_DS3_v2`. This is due to incorrect capacity file computation and excessive memory usage.

Workaround: Use the `n2-standard-4` or `Standard_DS3_v2` instance size for running `v11.2.2-h1` to avoid this issue.

PAN-265124: K8s Pod Outbound Traffic Blocked by DNS Security

When an "allow-all" rule is configured in Strata Cloud Manager (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy) with the default "best-practice" Profile Group, outbound traffic from a K8s pod to the internet may be blocked due to DNS Security restrictions.

Workaround: To ensure outbound traffic functions correctly on Azure/AWS, set the security Profile Group to "None" instead of "best-practice".
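For PAN-256741, the workaround route expressed as a Terraform resource. This is an added example, not part of the AI Runtime Security documentation or its generated Terraform; the route and variable names are assumptions, and the priority value is chosen so that this route takes precedence over the existing default gateway route the issue describes.

```hcl
# Added example (not from the AI Runtime Security docs or its generated
# Terraform): a static default route in app-vpc whose next hop is the
# AI Runtime Security internal load balancer (ILB), per the PAN-256741
# workaround. The ILB sits in fw-trust-vpc and is referenced from app-vpc
# across the VPC peering. Variable and route names are assumptions.

variable "airs_ilb_forwarding_rule" {
  description = "Self link of the AI Runtime Security ILB forwarding rule (assumed name)"
  type        = string
}

resource "google_compute_route" "app_vpc_default_via_airs_ilb" {
  name       = "app-vpc-default-via-airs-ilb" # assumed name
  network    = "app-vpc"                      # network name from the issue
  dest_range = "0.0.0.0/0"

  # Next hop is the ILB forwarding rule fronting the AI Runtime Security
  # instance (firewall). GCP accepts a forwarding rule self link here.
  next_hop_ilb = var.airs_ilb_forwarding_rule

  # Lower number = higher priority. The existing default gateway route in
  # app-vpc that blocks the exported peering route normally has priority
  # 1000, so a smaller value makes this route win. Verify after apply with:
  #   gcloud compute routes list --filter="network:app-vpc"
  priority = 900
}
```

After applying, confirm that pod egress from app-vpc now traverses the AI Runtime Security instance (for example, that the expected sessions appear in its traffic logs) before relying on the policy enforcement.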