Traffic routing between fw-trust-vpc and app-vpc via VPC peering is currently blocked because the route export from fw-trust-vpc to app-vpc for 0.0.0.0/0 to ILB is hindered by an existing default gateway route in the app-vpc.

Workaround: Create a default route in the app-vpc which uses the AI Runtime Security ILB as the next hop. This ensures traffic routes correctly through the AI Runtime Security instance(firewall), enforcing security policies.

While deploying an AI Runtime Security instance (Insights → AI Runtime Security) in Strata Cloud Manager, selecting the application namespace does not retrieve the cluster pod and service CIDR.

Workaround: After generating the Terraform configuration, please whitelist these CIDR values in the Firewall Trust VPC firewall rule.

Detection logs for AI threats are missing in the AI security threat logs under Strata Cloud Manager (Incidents and Alerts → Log Viewer) when AI models are targeted by GenAI prompts.

This issue occurs when AI LLM Applications are defined in the security policy, but the necessary dependent applications (such as SSL and web browsing) are not included. As a result, the AI Runtime Security instance provides inaccurate threat verdicts.

Workaround: Navigate to Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy and scope it to your AI Runtime Security instance. Edit the policy to include the dependent apps (web browsing and SSL apps). This will ensure the AI Runtime Security instance detects and logs AI security threats correctly in the Log Viewer.

When moving an AI Security profile (Manage → Configuration → NGFW and Prisma Access → Security Services → AI Security) in Strata Cloud Manager from one device scope to another, deleting the security profile in the new device scope fails.

The issue occurs when you upgrade the AI Runtime Security tag collector from `v11.2.2-h1` to `v11.2.3`, the tag-collector enters a rebooting loop and eventually goes to maintenance mode.

Workaround: Don’t upgrade to `v11.2.3` as the auto-commit feature is not triggered in `v11.2.3`.

Workaround: Use `n2-standard-4` or `Standard_DS3_v2` instance sizes for running `v11.2.2-h1` to avoid this issue.

When an "allow-all" rule is configured in Strata Cloud Manager (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy) with the default "best-practice" Profile Group, outbound traffic from a K8s pod to the internet may be blocked due to DNS-Security restrictions.

Workaround: To ensure outbound traffic functions correctly on Azure/AWS, set the security Profile Group to "None" instead of "best-practice."