Prisma Access
Prisma Access Known Issues
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Prisma Access Known Issues
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Prisma Access has the following known issues.
Issue ID
|
Description
|
---|---|
ADI-20366 |
To use ZTNA Connector on a Panorama Managed Prisma Access tenant you
must file a support ticket to get the feature enabled. The feature
is enabled by default on Prisma Access (Managed by Strata Cloud Manager) tenants that
have been upgraded to Prisma Access 4.0.
|
ADI-20335 |
If you use RFC 6598 addresses in your environment and want to set up
ZTNA Connector on a Prisma Access (Managed by Strata Cloud Manager) tenant, you must
file a ticket to enable the functionality to define IP pools to
reserve for Prisma Access to enable connectivity to your connector
VMs and your apps.
|
CYR-41067 | An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in ManageConfigurationNGFW and Prisma AccessOverviewPrisma Access Version; in Panorama Managed Prisma Access, the version displays in PanoramaCloud ServicesConfigurationService SetupPrisma Access Version. |
CYR-35437 | For ZTNA Connector deployments, commit failures occur
when remote network names are longer than 31
characters. Workaround: Use remote network names that
are 31 characters or less in ZTNA Connector deployments.
|
CYR-34193 | If a Service connection is not in an operational state, the Status displayed under Cloud ServicesStatusNetwork DetailsService ConnectionBGP StatusPeer might not be correct. |
CYR-34173 | When configuring multiple GlobalProtect portals with Traffic Steering, do not configure Accept Default Routes over Service Connections (PanoramaCloud ServicesConfigurationTraffic SteeringSettingsAccept Default Route over Service Connection); if you do, mobile users cannot connect to the secondary portal. |
CYR-34078 |
If you configure a Colo-Connect subnet before configuring and
performing a Commit and Push operation for the Infrastructure
Subnet, Colo-Connect Commit and Push operations would fail.
Workaround: complete the following steps:
1. Configure the Infrastructure Subnet and perform a
Commit and Push operation.
2. Configure the Colo-Connect subnet and perform a Commit
and Push operation, making sure to select
Colo-Connect in the Push
Scope.
|
CYR-33877 | If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes. |
CYR-33853 |
You cannot create two dedicated links and then perform a commit and
push operation.
Workaround: When creating dedicated links,
commit and push after creating each link.
|
CYR-33815 | To enable Source IP based Visibility and Enforcement in Explicit Proxy, you must also enable Enable Agent Proxy (for Cloud Managed Prisma Access) or Use GlobalProtect Agent to Authenticate (for Panorama Managed Prisma Access), even if you have not enabled the Explicit Proxy-GlobalProtect agent functionality. |
CYR-33776 | If you use the next-generation CASB-X SKU and havea
standalone DLP, Saas Security Inline, or legacy CASBlicense, or if you
have an evaluation CASB-X license andwant to convert it to a paid CASB-X
license, your PrismaAccess deployment must have a minimum 4.1
dataplaneversion combination. Workaround: Reach out to your
Palo Alto Networks account team to open an SRE case to upgrade the
4.1 Prisma Access dataplane matrix. |
CYR-33759 | If you navigate to MonitorApplicationsZTNA Targets, click on any given application, and then click the All Application Targets hyperlink on the top left, you are incorrectly redirected to the MonitorData Centers page instead of the MonitorApplications page. |
CYR-33707 |
If you change Colo-Connect service connection roles (for example,
from Active/Active to Active/Backup) and change the bandwidth on
VLANs at the same time, an error displays after a Commit and Push
operation.
Workaround: Perform bandwidth changes and service connection
roles in different commit and push operations.
|
CYR-33695 | Traffic steering rules cannot be disabled or moved. In other cases, an No object to edit in move handler error is encountered and no changes can be applied to the traffic steering rule. |
CYR-33625 |
When configuring Colo-Connect for the first time and performing a
partial commit, you receive a
'Colo_Connect_Device_Group' is
invalid error.
Workaround: When configuring Colo-Connect for the first time,
Commit all changes for the first commit
and push operation and do not perform a partial commit, or the
commit will fail.
|
CYR-33584 | In a multi-tenant deployment, if the first tenant's license expires, all sub-tenants license are also marked as expired. |
CYR-33553 |
The Connector availability graph shown under MonitorData CentersZTNA ConnectorsConnectors<connector-name>Device metric displays the graph in complete red color even when
the connector IPSec tunnel has been continuously up for the last 24
hours.
|
CYR-33471 |
If you enable multi-tenancy, create a new sub tenant, configure
Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device
groups, then configure Colo-Connect subnets and VLANs, and a partial
commit fails with an Unable to retrieve last in-sync
configuration for the device error.
Workaround: Perform a Commit and Push operation when
configuring Colo-Connect for the first time instead of a partial
commit.
|
CYR-33454 |
If you configure Prisma Access in a in a multi-tenant deployment,
perform a Commit and Push, then configure Colo-Connect, the choice
to Commit and Push your changes is grayed out.
Workaround: Click CommitCommit to Panorama, then Commit Push to Devices, click Edit Selections and
make sure that Colo-Connect is selected in
the Push Scope; then, retry the commit and
push operation.
|
CYR-33199 | Current user counts and 90 day user counts are not correct for Kerberos authenticated users. |
CYR-33180 | In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature, you must onboard at least one mobile user gateway. |
CYR-33145 |
When a Prisma Access license for any service type expires, any Commit
All operation fails a generic Commit
Failed error message.
Workaround: Make sure that your all your Prisma Access
licenses have not expired before performing commits.
|
CYR-32782 | If you delete a Colo-Connect service connection and then Commit and Push your changes, wait at least five minutes after the Commit operation to delete Colo-Connect subnets, links, and VLANs. It can take some time to delete Colo-Connect service connections. |
CYR-32713 |
ZTNA Connector can fail to retrieve the correct DNS configuration,
which causes ZTNA connector traffic to fail, when the following
conditions apply:
Workaround: Refresh the GlobalProtect connection to get
correct DNS server configuration. In the case of all applications
going down for a tenant, refresh the GlobalProtect again when some
or all applications in ZTNA connector are back up.
|
CYR-32687 | EDLs, Address objects of type IP Wildcard
Mask and FQDN, and Dynamic
Address Groups do not work on decryption policies when Agent or Kerberos
authentication is used with Explicit Proxy. Workaround: Use
Address objects of IP Netmask, IP Range, or Address groups in the
decryption policies. |
CYR-32666 | When importing a previously saved Panorama configuration
that included a Colo-Connect configuration, or reverting from a
previously-saved configuration, you receive errors if the following
conditions are present:
Workaround: Colo-Connect service connections cannot be
onboarded unless their corresponding VLANs are in an Active state.
Delete any Colo-Connect service connections before exporting or
reverting a Panorama image; then, re-create the Colo-Connect service
connections after importing the new image. |
CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy. |
CYR-32564 |
ZTNA Connector app traffic is detected as a threat and dropped for
Prisma Access Cloud Management if the default URL category is
used.
Workaround: Perform one or more of the following steps as
required:
|
CYR-32517 This issue is now resolved in plugin
version 4.1. See Prisma Access 4.1
Addressed Issues. |
If you deploy a mobile users location that already has a location
deployed in the same compute location, you might receive only one
public IP address for the newly-deployed location instead of
two.
Workaround: Enable the IP Allow Listing feature to receive
more than one IP address.
|
CYR-32511 | You can configure IPv6 DNS addresses even if IPv6 is disabled. |
CYR-32431 |
When configuring Explicit Proxy, when you add Trusted Source Address
values under Authentication Settings, configure other settings, and
then return to the Authentication Settings tab, the trusted source
addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access,
then return to the Authentication Settings tab to see the
addresses.
|
CYR-32191 |
ZTNA Connector is not supported in multitenant environments.
|
CYR-32188 |
In Prisma Access Insights, the Connector Availability graph for a
given ZTNA Connector will not show up if the IPSec tunnel between
the connector and the ZTNA Tunnel Terminator (ZTT) has been up
without interruption for the last 24 hours. The Connector
Availability graph shows up only if the tunnel has gone down at
least once within the last 24 hours.
|
CYR-32170 | When using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI ConnectorsActionsDiagnostics icon are not functional. |
CYR-32006 |
When using Dynamic DNS (DDNS) registration using the Cloud Services
plugin 3.2, nsupdate commands are not working as expected, which
causes issues with DDNS update queries.
|
CYR-32004 |
Due to a limitation in the number of IPSec profiles currently
supported in Prisma Access, when deploying ZTNA Connector you can
onboard a maximum of 100 connector VMs per tenant.
|
CYR-31623 |
Only one Panorama HA pair can be associated with a CDL instance.
|
CYR-31603 | ZTNA Connectors with two interfaces are not supported
in a Connector Group enabled for AWS Auto Scale. This is due to an
AWS Auto Scale group limitation that ties both interfaces to the
same subnet. See this article for
details. Workaround: ZTNA Connectors with two interfaces
are supported in Connector Groups that are not enabled for AWS Auto
Scale. Ensure that all ZTNA Connectors with two interfaces are contained
in a Connector Group that is not enabled for AWS Auto Scale. |
CYR-31187 | In order to use the Prisma Access Explicit Proxy
Connectivity in GlobalProtect for Always-On Internet Security
functionality, the default PAC file URL does not populate properly
unless you do a commit and push to both Mobile Users—GlobalProtect and
Mobile Users—Explicit Proxy. Workaround: When
you Commit and Push, make sure that you choose both Mobile
Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push
Scope when configuring Prisma Access Explicit Proxy connectivity in
GlobalProtect. |
CYR-30504 |
In some cases, attempts to retrieve aggregate bandwidth statistics
are timing out.
Workaround: Try again, or go to Prisma Access Insights to view
the aggregate bandwidth statistics.
|
CYR-30434 |
Renaming an authentication profile immediately after creating it
causes a new authentication profile to be created.
Workaround: Do not make changes to a profile immediately after
creating it.
|
CYR-30414 | If you have enabled multiple portals in a multitenant
deployment that has only one tenant, and you then disable the multiple
portal functionality on that single tenant, you are able to see both
portals on the UI. Workaround: Open a CLI session on the
Panorama that manages Prisma Access and enter the following
commands, then perform a local commit on the
Panorama: set plugins cloud_services multi-tenant
tenants
<tenant_name>
mobile-users multi-portal-multi-auth
no request plugins cloud_services gpcs
multi-tenant tenant-name
<tenant_name>
multi_portal_on_off |
CYR-30044 |
Predefined EDLs aren't being populated in the Block Settings list in
a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, do a
Commit and Push, and then go back and update the EDL in your block
Settings.
|
CYR-29964 |
Attempts to reuse a certificate signing request (CSR) to generate a
certificate results in a "Requested entity already
exists" error.
Workaround: Do not reuse CSRs.
|
CYR-29933 |
Attempts to use the verdicts:all -X
"DELETE" API call more than one time per hour result
in the {"code" :8, "message" : "Too many
requests" error.
Workaround: Do not use this API call more than one time per
hour.
|
CYR-29700 |
If you configure multiple GlobalProtect portals in a multitenant
Prisma Access Panorama Managed multitenant deployment, committing
changes on a per-username basis fails with a
"global-protect-portal-8443 should have the value
"GlobalProtect_Portal_8443" but it is [None]"
error.
Workaround: If you have enabled multiple GlobalProtect portals
and have a Prisma Access multi-tenant deployment, perform Commit All
commit operations instead of committing on a per-user basis.
|
CYR-29160 | If the Panorama that manages Prisma Access is configured
in FIPS mode and you select Generate Certificate for
GlobalProtect App Log Collection and Autonomous DEM, the
certificate does not get
downloaded. Workaround: This functionality
is not available on Panorama appliances in FIPS mode until your
Prisma Access dataplane is upgraded to 10.2.4. |