Prisma Access Known Issues
Prisma Access has the following
known issues.
Issue ID | Description |
---|---|
CYR-23496 | When a new Explicit Proxy instance is created,
the threat logs may not send device group information. This behavior
can occur in a new deployment or can change in an existing deployment
after a maintenance activity or infrastructure upgrade. Workaround:
Select All instead of a specific Device Group when viewing logs. |
CYR-22879 | In a multi-tenant environment, you cannot enable
the EDL Custom Category End Token Support feature until all your
tenants have had their infrastructure and dataplane upgraded to meet
the requirements for the 3.0 Cloud Services plugin. Workaround:
Wait until all your tenants have had their infrastructure and dataplane
upgraded before enabling the EDL Custom Category End Token Support feature. |
CYR-22759 | You cannot make any configuration changes
in the Advanced tab under Explicit Proxy Settings (Panorama > Cloud Services > Configuration > Explicit Proxy > Settings > Advanced). Workaround:
There is no workaround. This functionality will be supported in
a future Prisma Access release. |
CYR-22525 | If you install an Innovation release, configure
a feature that is only supported on an Innovation release, and then
migrate from an Innovation to a Preferred release, you receive a commit
validation error after making configuration changes in the Cloud
Services plugin. Workaround: Delete the unsupported
feature by creating a CLI session with the Panorama that manages
Prisma Access in configuration mode and entering the delete plugins cloud_services <feature-name> command,
where <feature-name> is the name of the feature
that is unsupported in the Preferred release. |
CYR-22629 | When using the Egress IP Allow List feature in
Prisma Access, you might experience the following issues when using
the UI:
|
CYR-22201 | When using the Enterprise DLP plugin with Prisma
Access, an uploaded file that matched a Block action on a data filtering
profile was not blocked from being uploaded, along with an error DLP Skipped: missing boundary m in
the Data Filtering logs. |
CYR-22142 | When configuring QoS for remote networks (Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS),
you can select None as a QoS Profile. Workaround:
Select a valid QoS profile to enable QoS. None is
an invalid selection. |
CYR-22127 This issue is now resolved
in plugin version 3.0.0-h24. See Prisma Access 3.0.0-h24 Preferred and Innovation Addressed Issues. | When configuring QoS for a newly-added site (Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS),
the Allocation Ratio displays as NaN%. Workaround:
Ignore the invalid display; however, Prisma Access sets the Allocation
Ratio for newly-added remote networks as 0 and
you must change the Allocation Ratio to use
QoS for the new remote network. |
CYR-22043 | If you are configuring a Mobile User - GlobalProtect
deployment, if you do not enable the allow listing feature when
configuring or onboarding the mobile user deployment, the plugin
logs might display spurious messages that are similar to the following
messages:
2022-01-13 13:14:27.217 -0800 INFO: [access-domain-xpaths] Sending result back <result><status>pass</status><msg>cloud_services</msg><msg>cloud_services/access-domain</msg></result>
2022-01-13 13:14:27.290 -0800 ERROR: [get_ip_allowlist_addresses] yes-allow-list node not found! Please config yes-allow-list under ip-allow-list node.
Workaround:
Ignore the plugin messages; these messages do not affect normal
Prisma Access operation. |
CYR-21756 | In a situation where other locations in
the same compute region have had an autoscale event, a newly-onboarded
location might show a Provisioning Status of Not
Provisioned in the Egress IP Allow List table (Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect).
Normally this status displays if the IP addresses have been confirmed
as allow listed but the location has not yet been onboarded. Workaround:
Autoscale events affect all the onboarded locations in a compute
location. In this case, it is possible that Prisma Access allocated
more than two IP addresses for the newly-added location, and those
IP addresses were not yet confirmed as allow listed. If you receive
a Provisioning Status of Not Provisioned for
a newly-onboarded location, make sure that all of the IP addresses
that were allocated for that location have been confirmed as allow listed. |
CYR-21629 | When Prisma Access creates a new compute
location and remaps an existing remote network location to that
new location, if you do not delete and re-add the existing compute location
to take advantage of the latest compute location-to-location mapping,
you cannot view bandwidth statistics for the remapped location. Workaround:
Delete and re-add the remote network location that is associated
with the new compute location. The Service IP Address will change,
so you will have to change the IP address for the IPSec tunnel on your
CPE to the new Service IP Address, and you will need to commit and
push your changes twice (once after you delete the location, and
once after you re-add it). |
CYR-21553 | When configuring more than 63 HIP profiles
in a Mobile Users—GlobalProtect deployment, an error message with
multiple occurrences of the word Error: is received
during commit. Workaround: A Mobile Users—GlobalProtect
deployment supports a maximum of 63 HIP Profiles; do not configure more
than 63 HIP profiles. |
CYR-21138 | Strata Logging Service failed to reconnect after
a disconnect if a management IP address used for logging had an
IP address assignment type of DHCP. |
CYR-21092 | When you run the API to retrieve Prisma Access
IP addresses with a serviceType of all,
the API times out if your deployment has a large number of Remote Networks. Workaround:
If you have a large number of remote networks, specify a serviceType of remote_network instead
of all when running the API. |
CYR-20895 | If you have created a remote network deployment
that allocates bandwidth by compute location and then delete the
remote network license, any commit for changes to features that are
still licensed fails with a Failed plugin validation error. Workaround:
Delete the unused remote network configuration by opening a CLI
session with admin-level privileges, entering configure to enter
configuration mode, and then entering delete plugins cloud_services remote-networks.
Then, retry the commit operation. |
CYR-20731 | If the dataplane is not compatible with
the plugin you are running, a generic message indicating that the
Panorama is undergoing maintenance displays in the Panorama
Alert and Plugin Alert fields
in Panorama > Cloud Services > Configuration > Service Setup. |
CYR-20729 | When completing a mobile user setup in a FedRAMP
Moderate deployment and configuring the mobile user IP address pool,
you receive an Operation Failed message with
text that indicates that Prisma Access could not auto-generate an
authentication cookie certificate. In addition, when committing and
pushing your changes, you receive a validation error related to
a cookie decryption certificate. Workaround: Create
a signed certificate and apply it to the Mobile Users—GlobalProtect
configuration by completing the following steps:
|
CYR-20496 | If you are using a Panorama running version
10.0 or lower, and you configure an invalid destination port
value anywhere in Panorama (for example, in Objects > Services), a commit-all operation
fails with a vague error related to a module or device having a Non digit value. Workaround:
Fix the invalid port configuration, then retry the commit-all operation.
Panoramas running 10.1 or later do not allow you to configure an
invalid destination port value. |
CYR-20348 | When upgrading from Prisma Access 2.1 to 2.2,
a local Commit to Panorama or Validate Changes request
fails with the message domain-list unexpected here. |
CYR-19983 | If you Enable IPv6,
select the compute locations in IPv6 Availability, commit
and push your changes, then deselect Enable IPv6,
the selections you made in the IPv6 Availability tab
become deselected. Workaround: Re-select the compute
locations in the IPv6 Availability tab. |
CYR-19975 | When you Enable IPv6, a window displays asking
you to enable Telemetry Data Collection. Workaround:
Click Remind Me Later to dismiss the window. |
CYR-19888 | If you have applied QoS to your remote network
deployment but have not yet committed and pushed your changes, the
QoS statistics screens display blank information. Workaround: Commit
and Push your QoS changes for the QoS statistics to display. |
CYR-19653 | When using Explicit Proxy, if the following
conditions exist, mobile users might experience issues with CORS
requests and non-decrypted traffic:
Workaround:
Clear your browser's cache to re-authenticate with the ACS. |
CYR-19646 | BGP addresses ending with .0 or .255 are not
allowed to be entered in the UI as peer BGP addresses for service
connections or remote networks, regardless of the subnet being used. Workaround:
Use CLI commands to enter the .0 or .255 address by logging in to
the Panorama that manages Prisma Access and entering one of the
following commands:
set plugins cloud_services service-connection onboarding sc-name protocol bgp peer-ip-address ip-address
set plugins cloud_services remote-networks onboarding rn-name protocol bgp peer-ip-address ip-address
where sc-name or rn-name is the name of the service connection or remote network connection. |
CYR-19598 This issue is now resolved
in plugin version 3.0.0. See Prisma Access 3.0.0 Preferred and Innovation Addressed Issues. | When using explicit proxy, some users might
experience an issue where some websites are not able to be accessed
after the Authentication Cache Service (ACS) Cookie Lifetime has
expired. This condition can persist for up to five minutes. Workaround:
Browse a different website to re-authenticate to ACS and refresh
the ACS cookie. |
CYR-19503 | IP precedence-based classification is not working
for Prisma Access, when using either IPv4 or IPv6 IP addresses. |
CYR-19487 | When you enable IPv6 for a single tenant
in a multi-tenant deployment, the UI page refreshes and displays
the Cloud Services > Configuration page,
where you select the drop-down for all tenants. |
CYR-19350 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | When any change is made to an authentication
profile, the LDAP server or local user database in a shared context
removes the user group mapping information from Prisma Access. |
CYR-19282 | When configuring mobile users DNS settings
in the Network Services tab, you should not
enter Custom DNS Server IP addresses (either
IPv4 or IPv6) without also specifying a Domain List. Workaround:
Specify a Domain List. |
CYR-19198 | If you add an IPv6 address pool to your Mobile
Users—GlobalProtect deployment, select the regions to Enable IPv6 in
the IPv6 Availability tab, and Commit and Push your changes,
the pools appear in the IPv6 Availability tab. If you then disable
all regions, effectively disabling IPv6, and then Commit and
Push your changes, the IPv6 address pools still display
in the IPv6 Address Pool tab. Workaround: There
is no workaround. If you later enable IPv6 for one or more regions,
you can use the existing IPv6 address pool. You can also specify
a different IPv6 address in the IP Pools and,
after you commit and push your changes, the new IPv6 Address pool overwrites
the existing addresses and displays in the IPv6 Availability tab. |
CYR-19099 | When viewing or changing QoS settings for Remote
Networks in Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS,
a newly-added compute location or location does not display. In
addition, a newly-onboarded location does not display in the Site
Allocation (Customize Per Site) page. Workaround: Refresh
the Panorama that manages Prisma Access. |
CYR-19093 | In a multi-tenant deployment, you receive a Configuration committed successfully message
along with a Not all Commit-All jobs got triggered message. Workaround:
Select Commit > Commit and Push, Edit Selections,
and in the Prisma Access tab, make sure that
the Push Scope includes the changes you made
for the Prisma Access configuration. Depending on the changes you
made, select one or more of the Remote Networks, Mobile Users, Service Setup,
and Explicit Proxy choices. |
CYR-19030 | If you are sinkholing IPv6 traffic, the
policy rule hit counts for traffic that matches the IPv6 sinkhole
policy do not increment when entering the CLI command show rule-hit-count
vsys vsys-name vsys1 rule-base security rules all. |
CYR-19017 | IPv6-related choices under Cloud Services > Configuration > Service Connection > BGP are
displayed, even if IPv6 is not enabled. Workaround:
If you do not have IPv6 enabled, do not select the Exchange
both IPv4 and IPv6 routes over IPv4 peering, Exchange
IPv4 routes over IPv4 peer and IPv6 routes over IPv6 peer,
and Exchange IPv6 routes over IPv6 peering BGP
peering choices. |
CYR-18757 | In a multi-tenant deployment, admin users that
have more than one access domain cannot configure new remote networks
or service connections, and can only view what is already deployed. Workaround:
Create the access domain first, then select the access domain you
created when you convert the single tenant to a multi-tenant setup. |
CYR-18234 | When you select Integrate with
Prisma SD-WAN, the integration fails. |
CYR-18157 | When downloading a large file (including but
not limited to programs, browser extensions, or apps) using Explicit
Proxy, if the download takes longer than the cookie lifetime, the download
fails when the cookie expires. |
CYR-18156 | If, after signing in to Explicit Proxy,
you open a link that contains a file to download, the file downloads
successfully but the Explicit Proxy sign-in page continues to display. Workaround:
Since the link contained a downloaded file, there is no page to display
and the current page does not refresh. Select another webpage to
navigate away from the sign-in page. |
CYR-17868 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When attempting to retrieve Logging Status
information from Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands) and selecting All locations
or All remote networks, the request times
out. Workaround: The issue might be with one or more
locations or remote networks being slow to respond. Try selecting
a single mobile user location or remote network. |
CYR-17848 | If you are using a Panorama with a version of
PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote Network
deployment from allocating bandwidth by location to allocating bandwidth
by compute location, the migration banner displays the location
names in an incorrect (large) font. Workaround: No
workaround is required. There is no change to the migration functionality;
the only issue is with the font displayed during the migration. |
CYR-17826 | When using Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands)
with Panoramas that are in High Availability mode, the commands
cannot be run from the passive Panorama. |
CYR-17739 | When configuring an Explicit Proxy deployment,
if you onboard your deployment, then retrieve the Explicit Proxy
public IP addresses, you will receive the active IP addresses to
add to your allow list, but will not receive the pre-allocated backup
IP addresses. Workaround: Retrieve the Explicit Proxy
IP addresses before you onboard your deployment by specifying an addrType of all and
a location of all. |
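Added example (not Palo Alto Networks code) that ties together the API workarounds in CYR-21092 and CYR-17739 and the allow-list check in CYR-21756: it builds the getPrismaAccessIP/v2 request body with a serviceType of remote_network and an addrType and location of all, and lists the addresses in a response that are not yet confirmed as allow listed. The endpoint, header name and request keys follow the documented API; the sample response and its field names (address_details, addressType, allow_listed) are constructed assumptions that must be checked against your tenant's real output.

```python
"""Query Prisma Access egress IP addresses per service type and flag
addresses that are not yet confirmed as allow listed.

Added example, not Palo Alto Networks code. The endpoint and the request
keys (serviceType, addrType, location) follow the documented
getPrismaAccessIP/v2 API; the response field names used below are
assumptions and must be checked against a real response.
"""
import json
import urllib.request

API_URL = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"

# Values the API accepts for serviceType (assumed from the API documentation).
SERVICE_TYPES = {"all", "remote_network", "gp_gateway", "gp_portal",
                 "clean_pipe", "swg_proxy"}


def build_request(service_type="remote_network", addr_type="all", location="all"):
    """Build the JSON body for the IP retrieval API.

    Defaults follow the page's workarounds: serviceType remote_network rather
    than all avoids the timeout of CYR-21092 in deployments with many remote
    networks, and addrType all with location all returns the pre-allocated
    backup addresses that CYR-17739 says are otherwise missed.
    """
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"unsupported serviceType {service_type!r}")
    return {"serviceType": service_type, "addrType": addr_type, "location": location}


def fetch_addresses(api_key, body, timeout=60):
    """POST the request (network call, not exercised offline).

    The API key is sent in the header-api-key header; treat it as a secret.
    """
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"header-api-key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def unconfirmed_addresses(response):
    """Return (zone, address, addressType) for every address whose
    allow_listed flag is not true. CYR-21756 notes that after an autoscale
    event a new location may receive extra addresses; its workaround is to
    confirm that every allocated address is allow listed, which this lists.
    """
    if response.get("status") != "success":
        raise RuntimeError(f"API status {response.get('status')!r}")
    pending = []
    for entry in response.get("result", []):
        zone = entry.get("zone", "unknown")
        for detail in entry.get("address_details", []):
            if detail.get("allow_listed") is not True:
                pending.append((zone, detail["address"], detail.get("addressType", "unknown")))
    return pending


# Constructed sample response (RFC 5737 documentation addresses); the field
# names are assumptions, not captured output.
SAMPLE_RESPONSE = {
    "status": "success",
    "result": [
        {
            "zone": "branch-west",
            "addresses": ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
            "address_details": [
                {"address": "192.0.2.10", "addressType": "active",
                 "serviceType": "remote_network", "allow_listed": True},
                {"address": "192.0.2.11", "addressType": "reserved",
                 "serviceType": "remote_network", "allow_listed": True},
                # Third address allocated after an autoscale event, not yet confirmed.
                {"address": "198.51.100.7", "addressType": "active",
                 "serviceType": "remote_network", "allow_listed": False},
            ],
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_request()))
    for zone, addr, kind in unconfirmed_addresses(SAMPLE_RESPONSE):
        print(f"{zone}: {addr} ({kind}) not yet confirmed as allow listed")
```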
CYR-17710 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | When using DLP to check a downloaded .xlsx
file, the original size of the file is below the maximum DLP file
size. However, after the file is extracted, the file size exceeds
the maximum file size for DLP and a 400 Bad request error
is received. |
CYR-17402 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | Remote networks that aggregate bandwidth
by compute location instead of by location cannot be onboarded in
bulk by exporting, modifying, and then importing a CSV file. |
CYR-17077 | If you delete an explicit proxy configuration and
then reconfigure it within 10 minutes of its deletion, Prisma Access
cannot properly process the new configuration and explicit proxy functionality
could be affected. Workaround: Wait at least 10 minutes
after deleting an explicit proxy configuration before reconfiguring
it. |
CYR-17066 This issue is now resolved
in plugin version 2.0.0-h3. See Prisma Access 2.0.0-h3 Innovation Addressed Issues. | In a multi-tenant deployment, exception errors
are displayed because of inconsistent internal database entries. |
CYR-17024 | When using Panorama 10.x to manage
Prisma Access, if you configure an Authentication Enforcement Profile
under Objects > Authentication and
specify an Authentication Profile that resides in a Shared location,
you receive an error when committing the changes. Workaround:
If you use a Panorama 10.x to manage Prisma Access, do not
use a shared Authentication Profile for any Authentication Enforcement
Profile; instead, use an Authentication Profile that is under one
of the Prisma Access Templates. |
CYR-16965 | When using explicit proxy, there could be
a delay when displaying user details under Current User
Count due to a log ingestion issue between explicit proxy
and Strata Logging Service. |
CYR-16801 This issue is now resolved
in plugin version 2.0.0-h6. See Prisma Access 2.0.0-h6 Innovation Addressed Issues. | When using explicit proxy, large HTTP file downloads
are frequently interrupted. Workaround: Keep resuming the
download until the file is completely downloaded. This issue is
not seen when downloading HTTPS files. |
CYR-16789 | When performing a local commit or Commit
and Push operation, you receive the error Internal Server Error: Failed to aggregate bandwidth configuration. Workaround:
Check the DNS configuration of the Panorama appliance that manages
Prisma Access, and check that Panorama is able to contact your network's
DNS servers, then retry the operation. |
CYR-16735 | If, during Explicit Proxy onboarding, you onboard
a large number of locations, the Explicit Proxy status might display
incorrectly (for example, a status of ERROR might display when
the onboarding was successful). |
CYR-16674 | If you change the Explicit Proxy URL in Prisma
Access but do not change the PAC file to reflect the change, the
change won't be applied. Workaround: Upload a new PAC
file with the same changes as you made in the Explicit Proxy URL. |
CYR-16673 | If you change the proxy FQDN, the changes are
not immediately reflected after the job status completes. Workaround:
Wait 10 to 15 minutes for the changes to be reflected
after the Job status shows as Completed on Panorama. |
CYR-16664 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | If Directory Sync is enabled for explicit proxy,
the current user count displays as 0, but the 90 days count displays
correctly. |
CYR-16662 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When in multi-tenant mode, an empty field displays
in the Push Scope. |
CYR-16642 | There is a delay in populating the Rule
Usage column on the Policies page. Workaround: Refresh
the page by clicking the refresh button on the right side. In
addition, the Preview Rules tab does not display the Rule Hit counters. Workaround:
Click the Used link on Rule Usage column
to display the Rule Hit count for the rule. |
CYR-16615 | The maximum length of a URL that can be used
with explicit proxy is 1280 characters. |
CYR-16583 | WildFire logs show explicit proxy logs as having
a source zone of Proxy. If you use a name of Proxy for Clean Pipe
instances or remote networks, you will not be able to differentiate between
explicit proxy logs and logs with the clean pipe or remote network
name of Proxy. Workaround: If you use explicit proxy,
do not specify a name of Proxy for any Clean Pipe instances or remote
networks. |
CYR-16580 | The Panorama > Cloud Services > Status > Monitor > Mobile Users > Explicit Proxy page incorrectly
shows the current number of users as 0. |
CYR-16549 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | After a commit and push operation, jobs either
become stuck in init state or fail
to complete. Workaround: The issue might be with an
EDL update being processed at the same time as the commit operation.
To work around the issue, select Objects > External Dynamic Lists and
change the Check for updates setting from Every
five minutes to Hourly or later. |
CYR-16351 | When using Explicit Proxy, initial DNS Queries
(first leg) and Initial HTTP connect messages (first logs) are not
seen in the traffic logs in Panorama. |
CYR-16284 | When you enter the show pbf extended-address
all command to retrieve the traffic steering cache, an
FQDN displays with an asterisk, such as *.example.com. Workaround:
No workaround is required. The displayed FQDN is correlated to the
FQDN server that presented the certificate. |
CYR-16130 | When configuring a Mobile Users - GlobalProtect
deployment using SAML authentication, you receive a pangp.gpcloudservice.com is missing certificate error when
you commit your configuration changes. Workaround:
Add the missing certificate in your SAML IdP configuration by selecting Device > Mobile_User_Template > Authentication Profile in Panorama and
adding the certificate. |
CYR-16097 | A webpage may contain links to resources from
domains other than the domain from which the webpage is served.
Most modern browsers do not send any cookie along with the requests
to get the resources from those third-party domains for security
reasons. Since there is no cookie present to identify the user for those
third-party domains, the user name cannot be logged in the traffic
logs for those domains. In addition, there will be some connections that
Prisma Access redirects for authenticating a user. Logs for such
connections will not have any username. |
CYR-16073 | When using traffic steering, if you specify External
Dynamic List that has an IP address and port, traffic is not forwarded
to the target. Workaround: Remove the port number from
the IP address. |
CYR-16015 | When using explicit proxy, if you update the
cookie lifetime to a shorter lifetime than the previously configured
value, the new lifetime value does not apply to users who are already logged
in until the original longer lifetime expires. New users logging
into the service receive the new shorter cookie lifetime. |
CYR-15926 | Explicit proxy configuration changes are not
applied to the configuration after a commit. Workaround:
If you are not seeing the changes after retrying the commit operation,
contact Palo Alto Networks support. |
CYR-15792 | If, when configuring Explicit Proxy, you upload
a PAC file before committing and pushing your configuration changes,
the PAC file configuration changes are not correctly processed. Workaround:
Commit and push your configuration changes before uploading the
PAC file. |
CYR-15338 This issue is now resolved
in plugin version 3.0.0-h24. See Prisma Access 3.0.0-h24 Preferred and Innovation Addressed Issues. | In a multi-tenant environment, tenant names
with a period (.) in the name cause configuration tabs to
be grayed out after commit. Workaround: Do not create tenants
that have a period in their name. |
CYR-15267 | When administrators log out a mobile user who
is logged in using SAML from the Prisma Access status page (Panorama > Cloud Services > Status > Status > Current Users),
a Single Logout (SLO) request is not generated. As a result, the
user is logged out of the gateway but is not logged out of the IdP,
and if the client SAML cookie is still valid, the user can reconnect without
having to input credentials. |
CYR-15099 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | When you create a traffic steering rule, Prisma
Access does not auto-populate the Source User, Dynamic User Group,
External Dynamic List (EDL), or custom URL category in the user interface. Workaround:
Open a CLI session with the Panorama that manages Prisma Access,
enter configuration mode, and enter the set plugins cloud_services multi-tenant
tenants tenant-name pbf rules traffic-steering-rule source [ enabled |
[ action [ forward | no-pbf ]]
| [ category custom-url-category|
[ destination [DAG dag-name ]]
| [service [any | service-http | service-https | other-value ]]
| [ source source-options]
| [ source-user source-user-name ]]
to have the shared objects available for selection. |
CYR-15095 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | When using Panoramas with a version of 10.0
to manage Prisma Access, if you reference an EDL with a Type of
Predefined URL List in a security policy rule, commits fail with
an error indicating a disallowed keyword, invalid reference, or
invalid category. Workaround: Dereference the EDL in
the security policy. |
CYR-15091 | Extra IPSec termination nodes are allocated
to a compute location if you allocate bandwidth multiple times in
a very short time interval. |
CYR-15042 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | Auto-population of users and user groups from
a master device is not supported in multi-tenant mode. |
CYR-14997 | When you allocate Bandwidth to a compute location
from the Onboarding section, that allocation is not reflected immediately
in the Bandwidth Allocation tab until you manually refresh the page. Workaround:
Manually refresh the Panorama that manages Prisma Access. |
CYR-14937 | When you upgrade the Cloud Services plugin
and then perform a commit operation, not all Prisma Access components
are selected in the Push Scope. Workaround: Select Commit > Commit and Push, Edit
Selections in the Push Scope,
and make sure that all Prisma Access components (Service
Setup, Remote Networks, Mobile
User, and Clean Pipe, depending on
your license) are selected before committing and pushing your changes. |
CYR-14984 | When you change the name of a target service
connection group for traffic steering, the updated target name does
not display in the Traffic Steering Rules area. Workaround:
Refresh the Panorama browser. |
CYR-14980 | If you use IKEv2 with certificate-based authentication,
only SHA1 is supported in IKE crypto profiles (Phase 1). Workaround:
Use an IKEv2 (Phase 1) cryptographic profile of SHA1 on your customer
premises equipment and in Prisma Access. |
CYR-14902 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | If you allocate bandwidth when onboarding a
remote network location and then reselect the same location or choose
another location in the same compute location without clicking OK,
the allocate bandwidth window redisplays. Workaround:
Click OK after allocating compute location
bandwidth when onboarding a remote network location. |
CYR-14876 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | If you edit traffic steering rules or enable
a default route over service connections after you migrate from
single tenant to multi-tenant mode, the push scope for Prisma Access
Device Groups is not populated. Workaround: Select Commit > Commit and Push, Edit
Selections in the Push Scope,
and make sure that you select all device groups (Service
Setup, Remote Networks, Mobile
User, and Clean Pipe, depending on
your license) before committing and pushing your changes. |
CYR-14816 | If a service connection loses both its active and
backup connectivity, mobile users lose connectivity to users and
resources connected to Remote Networks and Service Connections. |
CYR-14754 | If you have two Panorama appliances configured
in high-availability mode, the passive Panorama will display an out of sync message
during a commit and push operation. Workaround: Open
a command-line interface (CLI) session on both the passive and active
Panorama and enter the following commands:
username@hostname> debug md5sum_cache clear
username@hostname> configure
username@hostname# commit force |
CYR-14728 | Prisma Access bypasses Traffic Steering
for rules with a service type of HTTP or HTTPS if you use an application
override policy for TCP ports 80 and 443. In addition, traffic
steering does not work for URLs from URL categories referenced in
the traffic forwarding rule if you have configured an application
override policy for TCP ports 80 or 443. |
CYR-14727 | Mobile user route summarization is not supported
in hot potato routing mode. |
CYR-14693 | When using hot potato routing, Mobile User route
summarization may add extra latency for traffic between mobile users
and headquarters or branch traffic. |
CYR-14673 | After you create a traffic steering rule
with an IP address, IP address group, EDL, or custom URL category
as a Shared object, make changes to any of those objects, and then
commit and push your changes, only the Shared object displays in
the Push Scope; the Prisma Access device groups are not displayed
in the push scope. Workaround: Select Commit > Commit and Push, Edit
Selections in the Push Scope,
and make sure that you select all device groups (Service
Setup, Remote Networks, Mobile
User, and Clean Pipe, depending on
your license) before committing and pushing your changes. |
CYR-14613 | When adding or deleting URLs to a custom URL
category, Prisma Access does not purge its cache, and the change
does not immediately take effect. Workaround: Perform
one of the following actions:
|
CYR-14603 | To make sure that Prisma Access can distinguish
between users if the same username is shared between users who authenticate
locally and users who authenticate using LDAP, you should authenticate
LDAP users in the format of domain/username and authenticate local
users in the format of username (without the domain name). |
CYR-14584 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | UDP packets that Prisma Access receives between
1439 and 1500 bytes are dropped in some situations (for example,
if NAT Traversal is enabled). Workaround: Reduce the
MTU size on your customer premises equipment to 1400 or below. |
CYR-14383 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using an antivirus profile attached
to a security policy rule, files are not being scanned during an
FTP session. |
CYR-14382 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using WildFire in remote network deployments,
if you upgrade your Prisma Access dataplane to a version of 10.0.3
or later, you cannot retrieve the latest WildFire signatures in real-time.
Prisma Access uses its default method of updating WildFire signatures
every five minutes. |
CYR-14278 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you make changes to traffic steering forwarding
rules, then commit and push your changes, your changes do not appear
in the Push Scope. Workaround: Modify the Push Scope
by clicking Edit Selections, then selecting
the device group or groups you changed (Service Setup, Remote
Networks, Mobile Users, or all three). |
CYR-14277 | Do not create any custom URL categories whose names
start with GPCS-, gpcs-,
or custom_url_category_pbf. |
CYR-14259 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you create a traffic forwarding rule for
traffic steering, predefined URL categories might display as choices
along with custom URL categories. Workaround: Predefined
URL categories are not supported; do not select them when configuring
a traffic forwarding rule for traffic steering. Select custom URL
categories instead. |
CYR-14110 | If Panorama access is disabled in an Admin Role
Profile, you can still see the contents of the plugin, but the fields
are read-only. |
CYR-13823 | When you upgrade the Cloud Services plugin
to 1.7, Prisma Access prepends an asterisk to URLs in custom URL
categories, if you use this category in a traffic steering forwarding
rule. If you use the same URL category policies for both traffic
steering and other security policy rules, these changes apply to
both the traffic steering rules and other security policy rules. If
you have custom URL categories that are not used in traffic steering
forwarding rules, Prisma Access does not change the URLs in those categories. |
CYR-13822 | Prisma Access prepends an asterisk to URLs
in custom URL categories, which doubles the number of URLs entered
in a custom URL category. Prisma Access supports a maximum of 300,000
URLs in URL category entries; if you use custom URLs for traffic
steering and are close to this limit, the doubling of URLs might
cause your deployment to exceed the limit of URLs. |
CYR-13772 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | External Dynamic Lists (EDLs) are not supported
when using traffic forwarding rules to direct internet-based traffic
to service connections. Workaround: Use IP-based EDLs
only. |
CYR-13751 | If you used policy-based forwarding rules to
forward internet-bound traffic to service connections in Prisma
Access 1.6, Prisma Access makes the following additions to URLs
in custom URL categories after you upgrade from 1.6 to 1.7:
If
you already have added URLs with wildcards, Prisma Access might
add URLs that duplicate existing URLs after the upgrade. |
CYR-13702 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When you select Panorama > Cloud Services > Status > Monitor > Strata Logging Service,
the Service Status area displays No data to display,
even though Strata Logging Service is working normally. Workaround:
Select the Table view icon on the top right side of the page to
view a tabular view of the statistics instead of the Gauge view. |
CYR-13662 | After you make configuration changes to
an existing service connection or remote network connection (for
example, changing the bandwidth, region, QoS, or BGP values), the
job details in the Deployment Status page (Panorama > Cloud Services > Status > Status > Deployment Status > details) might display a value
of TIMEOUT, even if the job completed successfully. |
CYR-13652 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | If you configure traffic steering (using
PBF rules to forward internet-directed traffic using a service connection)
in multi-tenancy mode, the Target Service Connections do not display
in the policy-based forwarding rule. Workaround: Refresh
the browser, then recreate Target Service Connections
for Traffic Forwarding and the PBF rule. |
CYR-13612 | Prisma Access does not support FTP data transfers
in active mode. |
CYR-13511 | When Prisma Access performs a dataplane upgrade
on a mobile user instance (an upgrade to a Prisma Access gateway
or portal), any failed commits on the instance that were performed before
the upgrade will not be applied to the upgraded instance. |
CYR-13370 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | External Dynamic Lists (EDLs) are not supported
when using traffic forwarding rules to direct internet-based traffic
to service connections. Workaround: Use IP-based EDLs
only. |
CYR-13317 | During a Prisma Access dataplane upgrade, BGP
statistics may not be available for 30 minutes in the Network Details
page. This unavailability has no impact on dataplane traffic. |
CYR-13290 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | If you are using URLs or URL categories
as match criteria in a policy-based forwarding rule for traffic
steering, the initial packets (for example, a TCP handshake) intermittently
do not match the rule for the users who connect to a matching URL
for the first time. |
CYR-13179 | If you use Microsoft Edge or Firefox when using
traffic steering, the browser does not forward traffic on its first
attempt. Workaround: Refresh the browser, then retry
the operation. |
CYR-12912 | If, in a traffic steering deployment with multiple
traffic forwarding rules, two URLs in two separate rules resolve
to the same IP address, Prisma Access sends traffic to the first
rule in the list and will not use the second traffic rule. Traffic steering
evaluates multiple traffic forwarding rules in order from top to
bottom. |
CYR-12700 | For a Prisma Access deployment with two Panoramas
configured in high availability, you are able to request an upgrade
to the GlobalProtect software version on the passive Panorama. Software
upgrade requests are not applied if you request them on the passive
Panorama. Workaround: Do not request software upgrades
on the passive Panorama; only request upgrades using the active Panorama. |
CYR-12509 | When using traffic steering, Palo Alto Networks
does not recommend using multiple service connections (whether dedicated
or non-dedicated) in a target service connection group that is referenced
in a traffic steering rule. |
CYR-12166 | Prisma Access does not support a rule type of
Intrazone if the source and destination zones are both Trust. |
CYR-11496 | If you enable ECMP on a remote network, the
values shown in the Statistics tab under Panorama > Cloud Services > Status > Monitor > Remote Networks for Ingress
Peak Bandwidth (Mbps) are correct; however, if you click
the hyperlink for this value, the pop-up window that displays might
show an incorrect value. |
CYR-11414 | When creating a new mobile user deployment
in multi-tenant mode, you receive an error that the Portal Hostname
is not available when you assign it during mobile user onboarding. Workaround: Before
you begin your mobile user configuration, add an Infrastructure
Subnet, commit all your changes to Panorama, and push the configuration
changes to Prisma Access. |
CYR-11201 | Some files are being skipped for DLP scanning
when using OneDrive to upload multiple files. |
CYR-11087 | When using DLP on Prisma Access, you can upload
up to 25 files at a time. |
CYR-11019 | When attaching a parent Device Group to
a new remote network tenant in multi-tenant mode, the administrator
is unable to attach device groups and templates. Workaround: Log
out, then log back in to Panorama. |
CYR-10909 | If you use Box to upload multiple files,
and one or more of the files are larger than 5 MB, the upload of
all files will not complete. To continue, find the files in Box
that are larger than 5 MB and click X to
cancel the upload of those files. |
CYR-10623 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | When you check the status in a multi-tenant
deployment by selecting Panorama > Cloud Services > Status,
the information in the All Tenants area displays
twice. |
CYR-10445 | DLP on Prisma Access is not supported in
a Prisma Access multi-tenant deployment. |
CYR-10387 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | If you have DLP on Prisma Access enabled for
more than one Prisma Access instance in a single Customer Support
Portal (CSP) account, data filtering profiles are synchronized across
all instances. This behavior can result in unexpected consequences;
for example, the deletion of a custom data pattern or data filtering
profile for one instance does not delete that pattern or profile
for other instances in the CSP account. For this reason, Palo Alto
Networks recommends that you move each Prisma Access instance to
its own CSP account. |
CYR-10053 | If you change the master key in Panorama (in Device > Master Key and Diagnostics),
the master key for Cloud Services is not synchronized with this
master key. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and manually
change the master key to be the same as the Panorama master key. |
CYR-10044 | When using Slack to upload multiple files, the
Slack client treats the multiple file upload as a single request.
If one of the files is not successfully uploaded, Slack retries
the upload of all files a maximum of three times. If, after three retries,
Slack cannot upload one or more of the files, the Slack client displays
an error in the UI and doesn't upload any of the files. |
CYR-10043 | When you upload a file using Slack, and
the file is blocked, Slack detects the block operation as an upload
failure and retries the file upload, which results in the same file
being uploaded and blocked twice. Workaround: This
is normal Slack file upload behavior. Be aware that a single file
that is uploaded using Slack might appear twice in the data filtering
logs as being blocked. |
CYR-9613 | When you delete a data filtering profile from
a Prisma Access device group that is not shared, the profile name
still appears when you add or configure a Security Profile Group,
in the Data Filtering Profile area. |
CYR-9455 | In a GlobalProtect deployment where the portal
has multiple agent configs, when a GlobalProtect client logs in
using the app, the portal looks for a matching agent config for
the client by checking its OS type along with the config selection
criteria. The agent configs are checked from top to bottom. If the
OS type matches, but the config selection criteria does not, GlobalProtect
marks the agent config as non-matching and moves to the next agent
config to check for a match; however it no longer checks the OS
type in these agent configs, and only looks for a match of the config
selection criteria. This condition can cause the client to receive
an agent config that has matching config selection criteria, but
a non-matching OS type. |
CYR-9348 | When configuring HIP redistribution, you cannot
retrieve HIP information and set policies for the following use
cases:
|
CYR-9213 | When using DLP on Prisma Access, when you
upload a .docx file using SharePoint that was exported from Google
Docs, the upload fails. |
CYR-9183 | When setting up the GlobalProtect gateway connection
settings (Network > GlobalProtect > Gateways > Agent > Connection Settings)
and specifying a Netmask to Restrict Authentication Cookie
Usage, the commit fails if only a Source
IPv4 Netmask is specified. Workaround: Specify
a Source IPv6 Netmask of 0,
which disables the option for the specified IP address type. |
CYR-9061 | If using Slack, Box, or Gmail to upload
a file using DLP on Prisma Access, the response page is not displayed
to the client if the upload is blocked. |
CYR-9003 | Reverse DNS queries do not work in Prisma Access. Workaround: Because
type A and AAAA queries for internal domains work, you can specify *.in-addr.arpa in
a query so that Prisma Access sends all reverse DNS queries to internal
DNS servers. |
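To see what the CYR-9003 workaround actually matches before you commit it, the following added example (written for this page; it is not Palo Alto Networks code and does not model the PAN-OS DNS proxy implementation) uses Python's ipaddress module to build the reverse-DNS query names for IPv4 and IPv6 addresses and applies a small wildcard suffix matcher of the kind a domain rule uses. The rule list and the corp.example zone are constructed assumptions. It also shows a caveat the workaround does not state: *.in-addr.arpa covers only IPv4 reverse lookups, while IPv6 PTR queries live under ip6.arpa and would need their own entry.

```python
import ipaddress

# Constructed rule list for this example. The page's workaround supplies only
# the *.in-addr.arpa entry; the other two are assumptions for illustration.
INTERNAL_DOMAIN_RULES = [
    "*.corp.example",   # assumed internal forward zone
    "*.in-addr.arpa",   # CYR-9003 workaround: every IPv4 reverse lookup
    "*.ip6.arpa",       # assumption: needed if IPv6 reverse lookups must also go internal
]


def ptr_name(address: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address.

    10.1.2.3 -> 3.2.1.10.in-addr.arpa
    fd00::1  -> 1.0.0.0. ... .d.f.ip6.arpa (32 reversed nibbles)
    """
    return ipaddress.ip_address(address).reverse_pointer


def matches_rule(qname: str, rule: str) -> bool:
    """Suffix match in the style of a wildcard domain rule.

    '*.in-addr.arpa' matches any name below in-addr.arpa but not the bare
    apex; a rule without a wildcard must match the name exactly.
    """
    qname = qname.rstrip(".").lower()
    rule = rule.lower()
    if rule.startswith("*."):
        suffix = rule[1:]  # ".in-addr.arpa"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == rule


def resolver_for(qname: str, rules=INTERNAL_DOMAIN_RULES) -> str:
    """Return 'internal' if any rule sends this query to internal DNS, else 'default'."""
    return "internal" if any(matches_rule(qname, r) for r in rules) else "default"


def classify_reverse_lookups(addresses, rules=INTERNAL_DOMAIN_RULES) -> dict:
    """Map each address to (PTR name, resolver) to check coverage before committing."""
    return {a: (ptr_name(a), resolver_for(ptr_name(a), rules)) for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses: two RFC 1918 IPv4 hosts and one ULA IPv6 host.
    sample = ["10.1.2.3", "192.168.50.7", "fd00::1"]
    for addr, (name, where) in classify_reverse_lookups(sample).items():
        print(f"{addr:>14} -> {name} -> {where}")
    # With only the page's *.in-addr.arpa rule, the IPv6 PTR falls through
    # to the default resolver.
    print(resolver_for(ptr_name("fd00::1"), ["*.in-addr.arpa"]))  # default
```

Run it with the addresses of a few internal hosts; any line that reports "default" is a reverse lookup that the *.in-addr.arpa rule alone will not send to your internal DNS servers.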
CYR-8244 | When performing a Commit and
Push operation for the Clean Pipe service, you receive
an error that the Clean Pipe service had insufficient license resources, even
though you have sufficient licensed bandwidth. Workaround: Select Panorama > Licenses,
then select Retrieve license keys from license server to
retrieve the Clean Pipe licenses again. |
CYR-8017 | If you add an existing template under one of
the template stacks of Prisma Access (for example, Service_Conn_Template_Stack, Mobile_User_Template_Stack,
or Remote_Network_Template_Stack), you cannot
use objects of the added template in other Prisma Access templates that
are part of the same template stack. Previously, you could
view and use objects from existing templates in Prisma Access templates
if the templates were a part of a Prisma Access-specific template
stack, which is not standard Panorama behavior. |
CYR-7907 | In multi-tenant mode, Prisma Access automatically
creates a set of templates, template stacks, and device groups for
each tenant you create for remote networks, mobile users, and the
Clean Pipe service. Prisma Access creates tenant-specific sets for
all products, even if you are licensed for only one Prisma Access type. When
you delete a tenant, Prisma Access deletes the template and device
group set for which you are licensed, but does not delete the unlicensed
set. For example, if you have a remote network deployment and delete
a tenant, Prisma Access does not delete the set it created for the mobile
users and Clean Pipe. Workaround: Manually delete the
unused, unlicensed set of templates, template stacks, and device
groups after you delete a tenant. |
CYR-7900 | The Traffic Forwarding feature (Panorama > Cloud Services > Configuration > Service Setup > Settings > Traffic Forwarding)
is not supported with multi-tenant deployments. |
CYR-7702 | When you log out a Prisma Access mobile user
from the Current Users window, the user still
displays in the window after the logout operation. Workaround: Close
and then reopen the Current Users window
to show the correct user status. |
CYR-7440 | If you have two Panoramas set up in an active-primary
and passive-secondary setup for Prisma Access, you cannot log out
mobile users from the passive-secondary Panorama. |
CYR-7332 | When you try to configure an Infrastructure Subnet (Panorama > Cloud Services > Configuration > Service Setup > Settings) in multi-tenant mode,
you can receive an Operation Failed message. Workaround: Refresh
the Panorama UI to have Prisma Access correctly apply the infrastructure
subnet to the tenant's configuration. |
CYR-7128 | When you perform a Commit All operation
for mobile users, Prisma Access should display the commit status for
portals and gateways separately; however, Prisma Access displays
failures for portals under the gateway status, and commit failures
for gateways under the portal status. Workaround: Enter
the debug plugins cloud_services prisma-access get-job-result jobid commit-job-id-number command,
where commit-job-id-number is the ID of the commit
operation that failed, to check and verify the commit operation
for portals and gateways. |
CYR-6384 | Pre-defined IKE Crypto, IPSec Crypto, and IKE
Gateways templates do not display. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup (for service
connections) or Panorama > Cloud Services > Configuration > Remote Networks (for
remote network connections), click the gear icon in the Settings area
to open the Settings, then click OK. |
CYR-6369 | When in multi-tenant mode, if you create
a custom admin user with an Admin Role Profile that has Read Only
access to the Panorama tab and has Plugin access disabled, that
user can view, configure, and commit changes for subtenants. Workaround: Disable
access to the Panorama tab in the Admin Role Profile. |
CYR-6108 | When you configure Clientless VPN with Prisma
Access, the default security rule configuration uses the application-default
service, which blocks clientless-vpn traffic. Workaround: Change
the default security rule to any service or service-http and service-https. |
CYR-6107 | When configuring multi-tenant, if you create
any device groups that are children or grandchildren of other device
groups you create under the Shared parent device group, select only
the device group at the lowest hierarchical level (child or grandchild)
when you associate the device group to an access domain; do not
select the parent. |
CYR-6080 | You cannot reset the rule hit count for
all Authentication and Application
Override policies. Workaround: Reset rules using
a list of rules or a rule name for Authentication and Application
Override policies. |
CYR-6013 | When you migrate a single tenant to multi-tenant
mode, you must do a local commit and then push the configuration
before you add more tenants. |
CYR-5888 | When using the multi-tenant feature and creating
template stacks and templates for a tenant, the Description of
the template stacks and templates does not display on the Panorama > Templates page. |
CYR-5867 | After upgrading to a new version of the Cloud
Services plugin, you are able to downgrade. The downgrade operation
should be disallowed. Workaround: Do not downgrade
the Cloud Services plugin after you have upgraded it. |
CYR-5842 | When using the multi-tenant feature and migrating
the first tenant to multi-tenancy, you can select template stacks
and templates that are not associated with the tenant that you want
to migrate, including templates that are used with on-premise firewalls. Workaround: When
you convert to multi-tenant mode, be sure to choose only those templates
that you want to associate to the first tenant to migrate. |
CYR-5690 | When configuring multi-tenancy, if you are planning
to later configure Prisma Access for mobile users, you must do a
local Commit of your changes for the plugin (Commit > Commit to Panorama)
after you add templates, template stacks, and device groups for
each tenant and before you onboard each tenant. |
CYR-5563 | When using the multi-tenancy feature, users
who manage single tenants cannot see the system logs. The Monitor > Logs > System choice
is not available. This limitation applies to all Administrators
who have an administrative role of Device Group and Template. Only
superusers can view system logs in multi-tenancy mode. |
CYR-5561 | When using the multi-tenancy feature and logged
in as a tenant-level administrative user, opening the Panorama Task
Manager (clicking Tasks at the bottom of the
Panorama web interface) shows all tasks for all tenants, including
any tasks done at the superuser (Admin) level. |
CYR-5476 | When you enable multi-tenancy and migrate
your configuration to the first sub-tenant, CLI commands are not
supported for this operation. As a result, you must use the Panorama
user interface (UI). |
CYR-5159 | If you configure a mobile user IP address pool
for a single region instead of Worldwide, mobile users can still
view and attempt to connect to all available gateway regions from their
GlobalProtect app. This attempt fails because there is no IP address
pool to allocate for other regions. Workaround: To
allow mobile users to manually select a gateway, either configure
an IP address pool for the region in the location where you want
the users to connect, or configure a Worldwide IP address pool for
mobile users in Prisma Access to allow them to select all the locations
you have deployed. |
CYR-5139 | In an environment with on-premise firewalls on each side
of Prisma Access, where the remote network connections to which those
firewalls are connected are in different regions, users behind one
on-premise firewall cannot reach users behind another on-premise
firewall unless you have configured an explicit policy that allows
traffic from zone Trust to zone Trust. |
CYR-5098 | If you change the master key in Panorama (in
Device > Master Key and Diagnostics), the master key for Cloud Services
is not synchronized with this master key. Workaround: Select Panorama
> Cloud Services > Configuration > Service Setup > Service Operations
> Edit Master Key and manually change the master key to be the same
as the Panorama master key. |
CYR-5062 | When regular dynamic updates are downloaded
to Panorama (by default, every Wednesday at 01:02), the MD5 checksum
is changed. This condition can cause the Panorama configuration
and the Prisma Access infrastructure to lose synchronization. While
no tunnels are affected by this out of synchronization state, the
status for Service Connections, Remote Networks, Mobile Users, and
the Logging Service show a Config Status of Out
of Sync. Workaround: Perform a Commit and Push operation
on the Panorama. |
CYR-4010 | The BGP router configuration on the Prisma Access
firewalls can receive a maximum of 15000 prefixes from each peer,
and the total number of routes (static and dynamic) learned through
BGP cannot exceed 25000. Exporting more than 25000 routes may adversely
affect traffic flow on your network. |
CYR-3952 | After you generate a new API key by selecting Panorama > Cloud Services > Configuration > Service Setup > Generate new API Key, the previous API
key remains valid for a period of time (up to five minutes). You
use this API key to retrieve the list of IP addresses for your Prisma
Access firewalls. |
CYR-3638 | For service and remote network connections
that have BGP enabled, Prisma Access ignores any route it receives
from a neighbor whose AS_PATH contains an AS number that duplicates
an AS number in the Prisma Access AS infrastructure (Infra-AS). |
CYR-3469 | If you have configured a Notification
URL, when you onboard a new remote network location,
two notifications are sent to the URL instead of only one. |
CYR-3385 | When you configure the same AS number for
the service connection and remote network location(s), the routes
are not imported into the firewall on the remote network location. |
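CYR-4010, CYR-3638 and CYR-3385 are all consequences of ordinary BGP behaviour (AS_PATH loop detection and prefix limits), so they can be checked against a planned route design before anything is committed. The following added example models that behaviour in Python; it is not Palo Alto Networks code and does not reproduce the firewall's routing implementation. It assumes 65534 as the Prisma Access infrastructure AS (Infra-AS) and 65001/65002 as customer-side ASNs, and every route it evaluates is constructed. The remote-firewall case assumes that Prisma Access prepends its Infra-AS when it re-advertises service-connection routes, which is what makes the CYR-3385 routes carry the remote network's own AS.

```python
from collections import namedtuple

# Assumptions for this example (not values taken from the page).
INFRA_AS = 65534               # Prisma Access infrastructure AS used for illustration
MAX_PREFIXES_PER_PEER = 15000  # CYR-4010: per-peer prefix limit
MAX_TOTAL_ROUTES = 25000       # CYR-4010: total routes learned through BGP

Route = namedtuple("Route", "peer prefix as_path")


def loop_free(local_as: int, as_path) -> bool:
    """Standard BGP AS_PATH loop detection: a route whose path already carries
    the receiving router's own AS is discarded. With local_as = Infra-AS this is
    the behaviour CYR-3638 describes; with local_as = the remote network's AS it
    is why the CYR-3385 routes never get imported."""
    return local_as not in as_path


def filter_routes(local_as: int, routes):
    """Split received routes into (accepted, rejected) by the loop check."""
    accepted, rejected = [], []
    for route in routes:
        (accepted if loop_free(local_as, route.as_path) else rejected).append(route)
    return accepted, rejected


def prefix_limit_violations(prefix_counts: dict) -> list:
    """Check per-peer and total prefix counts against the CYR-4010 limits.

    prefix_counts maps a peer name to the number of prefixes it advertises."""
    problems = []
    for peer, count in prefix_counts.items():
        if count > MAX_PREFIXES_PER_PEER:
            problems.append(f"{peer} advertises {count} prefixes, "
                            f"over the per-peer limit of {MAX_PREFIXES_PER_PEER}")
    total = sum(prefix_counts.values())
    if total > MAX_TOTAL_ROUTES:
        problems.append(f"{total} routes in total, over the limit of {MAX_TOTAL_ROUTES}")
    return problems


# Constructed routes as Prisma Access (Infra-AS) would receive them from its peers.
ROUTES_RECEIVED_BY_PRISMA = [
    Route("service-conn-1", "10.10.0.0/16", (65001,)),   # normal route from HQ
    Route("remote-net-2", "10.20.0.0/16", (65002,)),     # normal route from a branch
    # The branch re-advertises an HQ route it learned through Prisma Access, so the
    # path already carries the Infra-AS; Prisma Access ignores it (CYR-3638).
    Route("remote-net-2", "10.10.0.0/16", (65002, 65534, 65001)),
]

# Constructed routes a remote network firewall using AS 65001 would receive from
# Prisma Access when the service connection also uses AS 65001 (CYR-3385).
ROUTES_RECEIVED_BY_REMOTE_FIREWALL = [
    Route("prisma-access", "10.10.0.0/16", (65534, 65001)),
]


def demo():
    accepted, rejected = filter_routes(INFRA_AS, ROUTES_RECEIVED_BY_PRISMA)
    print("Prisma Access accepts:", [r.prefix for r in accepted])
    print("Prisma Access ignores:", [(r.peer, r.as_path) for r in rejected])
    accepted, rejected = filter_routes(65001, ROUTES_RECEIVED_BY_REMOTE_FIREWALL)
    print("Remote firewall (AS 65001) imports:", [r.prefix for r in accepted])
    # Constructed prefix counts: one peer over the per-peer limit.
    for problem in prefix_limit_violations({"service-conn-1": 15001, "remote-net-2": 4000}):
        print("limit:", problem)


if __name__ == "__main__":
    demo()
```

The practical takeaway matches the three rows: give the service connection and each remote network a distinct AS, do not let a site re-advertise routes it learned through Prisma Access, and keep per-peer advertisements under 15000 and the total under 25000.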
CYR-3330 | Mobile users cannot connect to remote network
locations without a service connection. |
CYR-3114 | If your commit fails when you onboard Prisma
Access components for the first time, the Task Manager does not
always describe the cause of the failure. Workaround: To
find the errors, select Panorama > Cloud Services > Status > Monitor and click the Status tab.
Invalid configurations are indicated with a red bubble in the Config
Status column and an error of Validation Error. |
CYR-3034 | When configuring SAML, you must perform all
configuration with a role of Superuser, including any configuration
you perform for SAML using CLI. |
CYR-2648 | The Panorama > Cloud Services > Configuration page
is grayed out when Panorama is not in sync with NTP. Workaround: Make
sure to synchronize time with NTP (Panorama > Setup > Services > NTP). |
CYR-2633 | You cannot change the region associated with
multiple remote network locations in a single commit and push to
Prisma Access. Workaround: If you need to change
the region on more than one remote network location, change them
one at a time and complete the commit and push before changing the region
on the next remote network. |
CYR-2578 | Master Keys do not work for two Panorama appliances
set as HA primary and secondary appliances. Workaround: Deselect
the Enable HA check box on the secondary
Panorama appliance and commit the changes, set the same Master Key
on both the primary and secondary Panorama appliance, then re-enable
HA on the secondary Panorama appliance and commit the changes. |
CYR-2028 | The Device > Setup > Management page is
not available on the Panorama appliance running the Prisma Access
plugin. You cannot configure NT LAN Manager (NTLM). |
CYR-1836 | You cannot enforce MFA when users at one of
your corporate HQ locations attempt to access a resource at a remote
network location. |
CYR-1646 | Although Panorama allows you to delete the
Mobile_User_Template that was created when Prisma Access was
provisioned, deleting this template also deletes your onboarding configuration
and, upon commit, removes your Prisma Access for mobile users configuration. |
CYR-1189 | When you onboard a new service connection
or a remote network, the count for service connection and total
remote peers displayed on Panorama > Cloud Services > Status > Status is inaccurate until
the provisioning is complete. |
CYR-1120 | On Panorama, you cannot validate commit on
a device group or template configuration before pushing the configuration
to the Prisma Access infrastructure for remote networks and mobile
users. |
CYR-575 | You cannot configure the Prisma Access gateway
as an internal gateway. |