Prisma Access Known Issues

Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version 4.1 Preferred
Prisma Access has the following known issues.
Issue ID: Description
ADI-20366
To use ZTNA Connector on a Panorama Managed Prisma Access tenant you must file a support ticket to get the feature enabled. The feature is enabled by default on Prisma Access (Managed by Strata Cloud Manager) tenants that have been upgraded to Prisma Access 4.0.
ADI-20335
If you use RFC 6598 addresses in your environment and want to set up ZTNA Connector on a Prisma Access (Managed by Strata Cloud Manager) tenant, you must file a ticket to enable the functionality to define IP pools to reserve for Prisma Access to enable connectivity to your connector VMs and your apps.
CYR-41067
An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version.
CYR-35437
For ZTNA Connector deployments, commit failures occur when remote network names are longer than 31 characters.
Workaround: Use remote network names that are 31 characters or less in ZTNA Connector deployments.
CYR-34193
If a service connection is not in an operational state, the Status displayed under Cloud Services > Status > Network Details > Service Connection > BGP Status > Peer might not be correct.
CYR-34173
When configuring multiple GlobalProtect portals with Traffic Steering, do not configure Accept Default Routes over Service Connections (Panorama > Cloud Services > Configuration > Traffic Steering > Settings > Accept Default Route over Service Connection); if you do, mobile users cannot connect to the secondary portal.
CYR-34078
If you configure a Colo-Connect subnet before configuring and performing a Commit and Push operation for the Infrastructure Subnet, Colo-Connect Commit and Push operations fail.
Workaround: complete the following steps:
1. Configure the Infrastructure Subnet and perform a Commit and Push operation.
2. Configure the Colo-Connect subnet and perform a Commit and Push operation, making sure to select Colo-Connect in the Push Scope.
CYR-33877
If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
CYR-33853
You cannot create two dedicated links and then perform a commit and push operation.
Workaround: When creating dedicated links, commit and push after creating each link.
CYR-33815
To enable Source IP based Visibility and Enforcement in Explicit Proxy, you must also enable Enable Agent Proxy (for Cloud Managed Prisma Access) or Use GlobalProtect Agent to Authenticate (for Panorama Managed Prisma Access), even if you have not enabled the Explicit Proxy-GlobalProtect agent functionality.
CYR-33776
If you use the next-generation CASB-X SKU and have a standalone DLP, SaaS Security Inline, or legacy CASB license, or if you have an evaluation CASB-X license and want to convert it to a paid CASB-X license, your Prisma Access deployment must have a minimum 4.1 dataplane version combination.
Workaround: Reach out to your Palo Alto Networks account team to open an SRE case to upgrade the 4.1 Prisma Access dataplane matrix.
CYR-33759
If you navigate to Monitor > Applications > ZTNA Targets, click on any given application, and then click the All Application Targets hyperlink on the top left, you are incorrectly redirected to the Monitor > Data Centers page instead of the Monitor > Applications page.
CYR-33707
If you change Colo-Connect service connection roles (for example, from Active/Active to Active/Backup) and change the bandwidth on VLANs at the same time, an error displays after a Commit and Push operation.
Workaround: Perform bandwidth changes and service connection roles in different commit and push operations.
CYR-33695
Traffic steering rules cannot be disabled or moved. In some cases, a No object to edit in move handler error is encountered and no changes can be applied to the traffic steering rule.
CYR-33625
When configuring Colo-Connect for the first time and performing a partial commit, you receive a 'Colo_Connect_Device_Group' is invalid error.
Workaround: When configuring Colo-Connect for the first time, Commit all changes for the first commit and push operation and do not perform a partial commit, or the commit will fail.
CYR-33584
In a multi-tenant deployment, if the first tenant's license expires, all sub-tenants' licenses are also marked as expired.
CYR-33553
The Connector availability graph shown under Monitor > Data Centers > ZTNA Connectors > Connectors > <connector-name> > Device metric displays the graph in complete red color even when the connector IPSec tunnel has been continuously up for the last 24 hours.
CYR-33471
If you enable multi-tenancy, create a new sub tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, then configure Colo-Connect subnets and VLANs, a partial commit fails with an Unable to retrieve last in-sync configuration for the device error.
Workaround: Perform a Commit and Push operation when configuring Colo-Connect for the first time instead of a partial commit.
CYR-33454
If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, then configure Colo-Connect, the choice to Commit and Push your changes is grayed out.
Workaround: Click Commit > Commit to Panorama, then Commit > Push to Devices, click Edit Selections and make sure that Colo-Connect is selected in the Push Scope; then, retry the commit and push operation.
CYR-33199
Current user counts and 90 day user counts are not correct for Kerberos authenticated users.
CYR-33180
In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature, you must onboard at least one mobile user gateway.
CYR-33145
When a Prisma Access license for any service type expires, any Commit All operation fails with a generic Commit Failed error message.
Workaround: Make sure that all your Prisma Access licenses have not expired before performing commits.
CYR-32782
If you delete a Colo-Connect service connection and then Commit and Push your changes, wait at least five minutes after the Commit operation to delete Colo-Connect subnets, links, and VLANs. It can take some time to delete Colo-Connect service connections.
CYR-32713
ZTNA Connector can fail to retrieve the correct DNS configuration, which causes ZTNA connector traffic to fail, when the following conditions apply:
  • When the first application is onboarded in ZTNA connector
  • When all applications are removed (deboarded) from ZTNA Connector
Workaround: Refresh the GlobalProtect connection to get correct DNS server configuration. In the case of all applications going down for a tenant, refresh the GlobalProtect again when some or all applications in ZTNA connector are back up.
CYR-32687
EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work on decryption policies when Agent or Kerberos authentication is used with Explicit Proxy.
Workaround: Use Address objects of IP Netmask, IP Range, or Address groups in the decryption policies.
CYR-32666
When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting from a previously-saved configuration, you receive errors if the following conditions are present:
  • You are loading a Configuration that has Colo-Connect service connections configured.
  • You are loading an empty Prisma Access configuration.
  • You revert from a previously-saved configuration, and the following conditions are present:
    • A Colo-Connect configuration (with service connections) exists on the current configuration and a Colo-Connect configuration does not exist on the configuration to which you want to revert.
    • A Colo-Connect configuration does not exist on the current configuration and a Colo-Connect configuration (with service connections) exists on the configuration to which you want to revert.
    • A Colo-Connect configuration (with service connections) exists on the current configuration and also exists on the configuration to which you want to revert.
Workaround: Colo-Connect service connections cannot be onboarded unless their corresponding VLANs are in an Active state. Delete any Colo-Connect service connections before exporting or reverting a Panorama image; then, re-create the Colo-Connect service connections after importing the new image.
CYR-32661
When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy.
CYR-32564
ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
  1. Create a custom URL category and add application FQDNs for the onboarded applications for ZTNA connector.
  2. If you are using a default profile group, clone a new group and attach the custom URL category you created in Step 1. If you are using a custom profile group, attach the custom URL category you created in step 1.
  3. Make sure that you attach either the cloned profile group or the custom profile group (from step 2) to the security policy you created to allow traffic destined to ZTNA connector applications.
CYR-32517
This issue is now resolved in plugin version 4.1. See Prisma Access 4.1 Addressed Issues.
If you deploy a mobile users location that already has a location deployed in the same compute location, you might receive only one public IP address for the newly-deployed location instead of two.
Workaround: Enable the IP Allow Listing feature to receive more than one IP address.
CYR-32511
You can configure IPv6 DNS addresses even if IPv6 is disabled.
CYR-32431
When configuring Explicit Proxy, if you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access, then return to the Authentication Settings tab to see the addresses.
CYR-32191
ZTNA Connector is not supported in multitenant environments.
CYR-32188
In Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector will not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) has been up without interruption for the last 24 hours. The Connector Availability graph shows up only if the tunnel has gone down at least once within the last 24 hours.
CYR-32170
When using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI Connectors > Actions > Diagnostics icon are not functional.
CYR-32006
When using Dynamic DNS (DDNS) registration using the Cloud Services plugin 3.2, nsupdate commands are not working as expected, which causes issues with DDNS update queries.
CYR-32004
Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.
CYR-31623
Only one Panorama HA pair can be associated with a CDL instance.
CYR-31603
ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.
CYR-31187
In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: When you Commit and Push, make sure that you choose both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push Scope when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.
CYR-30504
In some cases, attempts to retrieve aggregate bandwidth statistics are timing out.
Workaround: Try again, or go to Prisma Access Insights to view the aggregate bandwidth statistics.
CYR-30434
Renaming an authentication profile immediately after creating it causes a new authentication profile to be created.
Workaround: Do not make changes to a profile immediately after creating it.
CYR-30414
If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you are able to see both portals on the UI.
Workaround: Open a CLI session on the Panorama that manages Prisma Access and enter the following commands, then perform a local commit on the Panorama:
set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no
request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off
CYR-30044
Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, do a Commit and Push, and then go back and update the EDL in your block Settings.
CYR-29964
Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs.
CYR-29933
Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests"} error.
Workaround: Do not use this API call more than one time per hour.
CYR-29700
If you configure multiple GlobalProtect portals in a Prisma Access Panorama Managed multitenant deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error.
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis.
CYR-29160
If the Panorama that manages Prisma Access is configured in FIPS mode and you select Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM, the certificate does not get downloaded.
Workaround: This functionality is not available on Panorama appliances in FIPS mode until your Prisma Access dataplane is upgraded to 10.2.4.