Prisma Access Known Issues
Prisma Access has the following known issues.
Issue ID | Description |
---|---|
CYR-25766 | While browsing through various tabs under Panorama > Cloud Services in the Panorama UI, a blank pop-up window might display with a title of Error. Workaround: This issue has not been found to create any functional impact. Closing the window and refreshing the UI should solve the display issue. |
CYR-25759 | While browsing through various tabs under Panorama > Cloud Services in the Panorama UI, a blank pop-up window might display with a title of Operation Failed. Workaround: This issue has not been found to create any functional impact. Closing the window and refreshing the UI should solve the display issue. |
CYR-25627 | If you have QoS enabled in a Remote Network compute location, and you reduce the bandwidth for a compute location enough that Prisma Access removes an IPSec termination node from that compute location, QoS is disabled for that compute location. Workaround: After the IPSec termination node has been deprovisioned, re-enable QoS for that compute location. |
CYR-25505 | When using a Panorama running 10.2 to manage Panorama Managed Prisma Access, Inactivity-Logout values can only be configured using minutes. |
CYR-25503 | If you are managing an on-premise or VM firewall running 10.0 with a Panorama running 10.1 or 10.2, an Inactivity-Logout configured on Panorama is configured as disconnect-on-idle on the managed firewall. |
CYR-24654 | If you are using a Panorama with a version of 10.2 or later to manage Prisma Access and you specify Prisma Access to append the ending token to URLs in URL filtering configuration under Panorama > Cloud Services > Configuration > Service Setup > Settings > Advanced, this setting might differ from the Append Ending Token setting in the Device > Setup > URL Filtering area. Workaround: Make sure that the two values are the same in Panorama. |
CYR-25402 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, when attempting to download Preview Rules in the Mobile_User_Device_Group (Policies > Preview Rules > PDF/CSV), a 500 Internal Server Error is received. |
CYR-24568 (This issue is now resolved in plugin version 3.1.0-h62. See Prisma Access 3.1.0-h62 Addressed Issues.) | In the Policies tab, when you click the Preview Rules button, the Export button is clickable but does not export in PDF/CSV format. This caveat applies to the Explicit_Proxy_Device_Group, Mobile_User_Device_Group, Remote_Network_Device_Group, and Service_Conn_Device_Group. |
CYR-24538 | When using the South Africa West, France North, Ireland, Bahrain, or South Korea Explicit Proxy locations, mobile users have difficulty connecting to some websites. Workaround: Deactivate these locations and use any of the Explicit Proxy supported locations. |
CYR-24323 | After an upgrade from the 2.2 Preferred Cloud Services plugin to 3.x, the Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Troubleshooting Commands) failed to display the Logging status, Routing information, EDL info, EDL status, EDL refresh, and Search EDL fields. |
CYR-24033 | When onboarding a remote network and selecting options such as Summarize Mobile User Routes before advertising, Enable BGP, Don't Advertise Prisma Access Routes, or Advertise Default Route, an Object already exists error is displayed. Workaround: Cancel the current onboarding attempt and retry the operation. This error is transient and subsequent retries should not experience this issue. |
CYR-23861 | You cannot switch from the Map view to the Table view for Service Stats for all Prisma Access services (Panorama > Cloud Services > Status > Monitor > Service Connection, Remote Networks, Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or Strata Logging Service) because the map and table icons on the top right of the UI do not display. |
CYR-23829 | If you have enabled cloud provider redundancy for service connections, the Redundancy Assessment area in the Network Details tab (Panorama > Cloud Services > Status > Network Details > Service Connection) shows (link to published locations). |
CYR-23761 | When, in an Explicit Proxy deployment that does not have Remote Networks onboarded, you select Forward Remote Network traffic to Explicit Proxy in the Advanced tab, the first three octets of the IP addresses display as None (for example, None.254 instead of 172.25.255.254). Workaround: Onboard a remote network and Commit and Push your changes, making sure that both Explicit Proxy and Remote Networks are selected in the Push Scope. |
CYR-23758 | When configuring service connections, the Manage Sites area does not display in the Service Connections tab. Workaround: Refresh the Panorama that manages Prisma Access. You might have to perform an additional refresh to get the Manage Sites area to display. |
CYR-23628 | If you have QoS profiles with a Class Bandwidth Type of Mbps, validation fails and you receive the following error: `For QoS profile profile-name, summation of its class egress-guaranteed is Mbps-value, which is larger than its egress-max Mbps-value`. This error displays if all of the following conditions are true: If you have an Egress Guaranteed value of 0 in the Profile area, the summation of the Egress Guaranteed values in the Classes field cannot exceed the Egress Max value in the Profile area. This restriction applies to all QoS profiles in the template stack, even if they are not being used. Workaround: Delete the profile, or modify any QoS Profiles so that the summation of the Egress Guaranteed values in the Classes field does not exceed the Egress Max value in the Profile area. |
CYR-23538 | If you onboard service connections using the Cloud Services plugin 3.0 in multitenant mode, you cannot view the service connections in the drop-down list if you perform the following actions: Workaround: Do not load a configuration from a previous plugin version after upgrading to a newer plugin version. The configuration load also causes the previous plugin version to be loaded, which is an unsupported configuration. |
CYR-23526 | When changing the Local IP Address in the BGP tab for a Remote Network connection that uses BGP, the following issues can be seen: Workaround: Refresh the Panorama UI. If a refresh does not fix the issue, change the Local IP Address to a placeholder value, click OK, and then re-enter the correct Local IP Address. |
CYR-23496 | When a new Explicit Proxy instance is created, the threat logs may not send device group information. This behavior can occur in a new deployment or can change in an existing deployment after a maintenance activity or infrastructure upgrade. Workaround: Select All instead of a specific Device Group when viewing logs. |
CYR-23448 | After successfully completing a partial commit, the Commit Status messages include the message Changes to all template configuration. Workaround: Ignore the message regarding all templates being changed. The partial commit was performed only for the template or Commit Scope you specified. |
CYR-23400 | After upgrading the Cloud Services plugin from 2.0 to 3.1 in a multi-tenant Prisma Access-Prisma SD-WAN deployment that uses an on-premise CloudBlade, the on-premise CloudBlade cannot push new configuration to a Prisma Access tenant. |
CYR-23367 | After migrating from a remote network deployment that allocates bandwidth by location to one that allocates bandwidth by compute location, QoS statistics are not displayed for inbound access sites. |
CYR-23238 | If you use the remote network aggregate bandwidth model and you enable QoS for a remote network (Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS) that has ECMP enabled, you must select Customize Per Site and click OK or you will receive an error on commit. |
CYR-23058 | When you log out mobile users from the Panorama > Cloud Services > Status > Status > Mobile Users—GlobalProtect area using the Logout function, or if you log out a user using the CLI, the user is successfully logged out, but the Current Users area might still show the user as being logged in for up to five minutes after the logout activity occurred. This behavior is the result of Prisma Access refreshing the status of logged-in users every five minutes. If you have configured a Connect Method of User-logon (Always On) or Pre-logon (Always On), and if the user reconnects during the five minute refresh interval, the user might not be reflected as being logged out in the Current Users area. Workaround: View the login and logout events from the GlobalProtect logs. |
CYR-22879 | In a multi-tenant environment, you cannot enable the EDL Custom Category End Token Support feature until all your tenants have had their infrastructure and dataplane upgraded to meet the requirements for the 3.0 Cloud Services plugin. Workaround: Wait until all your tenants have had their infrastructure and dataplane upgraded before enabling the EDL Custom Category End Token Support feature. |
CYR-22827 | When viewing the Push State Details after a commit to a device group, you see a message similar to `Interface tunnel.2 has no zone configuration`. Workaround: This is a spurious message related to a backup tunnel configuration and can be ignored. |
CYR-22821 | When using Traffic Steering, when a user matches a URL in an EDL, pre-defined URL category, or Custom URL Category, the first two sessions are not directed to the target for internet-bound traffic. |
CYR-22759 | You cannot make any configuration changes in the Advanced tab under Explicit Proxy Settings (Panorama > Cloud Services > Configuration > Explicit Proxy > Settings > Advanced). Workaround: There is no workaround. This functionality will be supported in a future Prisma Access release. |
CYR-22629 | When using the Egress IP Allow List feature in Prisma Access, you might experience the following issues when using the UI: |
CYR-22525 | If you install an Innovation release, configure a feature that is only supported on an Innovation release, and then migrate from an Innovation to a Preferred release, you receive a commit validation error after making configuration changes in the Cloud Services plugin. Workaround: Delete the unsupported feature by creating a CLI session with the Panorama that manages Prisma Access in configuration mode and entering the `delete plugins cloud_services <feature-name>` command, where `<feature-name>` is the name of the feature that is unsupported in the Preferred release. |
CYR-22201 | When using the Enterprise DLP plugin with Prisma Access, an uploaded file that matched a Block action on a data filtering profile was not blocked from being uploaded, along with an error `DLP Skipped: missing boundary m` in the Data Filtering logs. |
CYR-22142 | When configuring QoS for remote networks (Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS), you can select None as a QoS Profile. Workaround: Select a valid QoS profile to enable QoS. None is an invalid selection. |
CYR-22127 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | When configuring QoS for a newly-added site (Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS), the Allocation Ratio displays as NaN%. Workaround: Ignore the invalid display; however, Prisma Access sets the Allocation Ratio for newly-added remote networks as 0 and you must change the Allocation Ratio to use QoS for the new remote network. |
CYR-22066 | When viewing logs for an Explicit Proxy deployment, duplicate log entries might be seen. This behavior does not affect Prisma Access functionality. |
CYR-22043 | If you are configuring a Mobile User - GlobalProtect deployment and you do not enable the allow listing feature when configuring or onboarding the mobile user deployment, the plugin logs might display spurious messages that are similar to the following: `2022-01-13 13:14:27.217 -0800 INFO: [access-domain-xpaths] Sending result back <result><status>pass</status><msg>cloud_services</msg><msg>cloud_services/access-domain</msg></result>` and `2022-01-13 13:14:27.290 -0800 ERROR: [get_ip_allowlist_addresses] yes-allow-list node not found! Please config yes-allow-list under ip-allow-list node.` Workaround: Ignore the plugin messages; these messages do not affect normal Prisma Access operation. |
CYR-21756 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | In a situation where other locations in the same compute region have had an autoscale event, a newly-onboarded location might show a Provisioning Status of Not Provisioned in the Egress IP Allow List table (Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect). Normally this status displays if the IP addresses have been confirmed as allow listed but the location has not yet been onboarded. Workaround: Autoscale events affect all the onboarded locations in a compute location. In this case, it is possible that Prisma Access allocated more than two IP addresses for the newly-added location, and those IP addresses were not yet confirmed as allow listed. If you receive a Provisioning Status of Not Provisioned for a newly-onboarded location, make sure that all of the IP addresses that were allocated for that location have been confirmed as allow listed. |
CYR-21665 | If, in an Explicit Proxy deployment that is forwarding remote network traffic to Explicit Proxy, you deselect the Forward Remote Network Traffic to Explicit Proxy check box in the Advanced tab, the IP addresses that were allocated by Explicit Proxy still display in the Advanced tab. Workaround: Refresh the Panorama UI to clear the IP addresses in the UI. |
CYR-21629 | When Prisma Access creates a new compute location and remaps an existing remote network location to that new location, if you do not delete and re-add the existing compute location to take advantage of the latest compute location-to-location mapping, you cannot view bandwidth statistics for the remapped location. Workaround: Delete and re-add the remote network location that is associated with the new compute location. The Service IP Address will change, so you will have to change the IP address for the IPSec tunnel on your CPE to the new Service IP Address, and you will need to commit and push your changes twice (once after you delete the location, and once after you re-add it). |
CYR-21565 | When configuring the IP addresses to use to forward remote network traffic to Explicit Proxy in the Explicit Proxy Advanced settings (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > Settings > Advanced), Remote Networks does not display in the Push Scope for a Commit and Push operation. Workaround: Select Remote Networks as well as Explicit Proxy in the Push Scope before performing a Commit and Push operation. Forwarding traffic from remote networks to Explicit Proxy requires that you commit and push changes to both Explicit Proxy and remote networks. |
CYR-21553 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | When configuring more than 63 HIP profiles in a Mobile Users—GlobalProtect deployment, an error message with multiple occurrences of the word Error: is received during commit. Workaround: A Mobile Users—GlobalProtect deployment supports a maximum of 63 HIP Profiles; do not configure more than 63 HIP profiles. |
CYR-21138 | Strata Logging Service failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP. |
CYR-21092 | When you run the API to retrieve Prisma Access IP addresses with a serviceType of all, the API times out if your deployment has a large number of Remote Networks. Workaround: If you have a large number of remote networks, specify a serviceType of remote_network instead of all when running the API. |
CYR-20895 | If you have created a remote network deployment that allocates bandwidth by compute location and then delete the remote network license, any commit for changes to features that are still licensed fails with a Failed plugin validation error. Workaround: Delete the unused remote network configuration by opening a CLI session with admin-level privileges, entering `configure` to enter configuration mode, and then entering `delete plugins cloud_services remote-networks`. Then, retry the commit operation. |
CYR-20731 | If the dataplane is not compatible with the plugin you are running, a generic message indicating that the Panorama is undergoing maintenance displays in the Panorama Alert and Plugin Alert fields in Panorama > Cloud Services > Configuration > Service Setup. |
CYR-20729 | When completing a mobile user setup in a FedRAMP Moderate deployment and configuring the mobile user IP address pool, you receive an Operation Failed message with text that indicates that Prisma Access could not auto-generate an authentication cookie certificate. In addition, when committing and pushing your changes, you receive a validation error related to a cookie decryption certificate. Workaround: Create a signed certificate and apply it to the Mobile Users—GlobalProtect configuration by completing the following steps: |
CYR-20496 | If you are using a Panorama of version 10.0 or lower, and you configure an invalid destination port value anywhere in Panorama (for example, in Objects > Services), a commit-all operation fails with a vague error related to a module or device having a Non digit value. Workaround: Fix the invalid port configuration, then retry the commit-all operation. Panoramas running 10.1 or later do not allow you to configure an invalid destination port value. |
CYR-20348 | When upgrading from Prisma Access 2.1 to 2.2, a local Commit to Panorama or Validate Changes request fails with the message domain-list unexpected here. |
CYR-19983 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | If you Enable IPv6, select the compute locations in IPv6 Availability, commit and push your changes, then deselect Enable IPv6, the selections you made in the IPv6 Availability tab become deselected. Workaround: Re-select the compute locations in the IPv6 Availability tab. |
CYR-19975 | When you Enable IPv6, a window displays asking you to enable Telemetry Data Collection. Workaround: Click Remind Me Later to dismiss the window. |
CYR-19888 | If you have applied QoS to your remote network deployment but have not yet committed and pushed your changes, the QoS statistics screens display blank information. Workaround: Commit and Push your QoS changes for the QoS statistics to display. |
CYR-19653 | If, when using Explicit Proxy, the following conditions exist, mobile users might experience issues with CORS requests and non-decrypted traffic: Workaround: Clear your browser's cache to re-authenticate with the ACS. |
CYR-19646 | BGP addresses ending with .0 or .255 are not allowed to be entered in the UI as peer BGP addresses for service connections or remote networks, regardless of the subnet being used. Workaround: Use CLI commands to enter the .0 or .255 address by logging in to the Panorama that manages Prisma Access and entering one of the following commands: `set plugins cloud_services service-connection onboarding sc-name protocol bgp peer-ip-address ip-address` or `set plugins cloud_services remote-networks onboarding rn-name protocol bgp peer-ip-address ip-address`, where sc-name or rn-name is the name of the service connection or remote network connection. |
CYR-19598 (This issue is now resolved in plugin version 3.0.0. See Prisma Access 3.0.0 Preferred and Innovation Addressed Issues.) | When using explicit proxy, some users might experience an issue where some websites cannot be accessed after the Authentication Cache Service (ACS) Cookie Lifetime has expired. This condition can persist for up to five minutes. Workaround: Browse a different website to re-authenticate to ACS and refresh the ACS cookie. |
CYR-19545 | If you have IPv6 enabled in your Prisma Access deployment, the Private IPv4 address of mobile users (Panorama > Cloud Services > Status > Monitor > Mobile Users—GlobalProtect > Locations > Users) is displayed, but the Private IPv6 address of mobile users is not. |
CYR-19503 | IP precedence-based classification is not working for Prisma Access, when using either IPv4 or IPv6 IP addresses. |
CYR-19487 | When you enable IPv6 for a single tenant in a multi-tenant deployment, the UI page refreshes and displays the Cloud Services > Configuration page, where you select the drop-down for all tenants. |
CYR-19282 | When configuring mobile users DNS settings in the Network Services tab, you should not enter Custom DNS Server IP addresses (either IPv4 or IPv6) without also specifying a Domain List. Workaround: Specify a Domain List. |
CYR-19198 | If you add an IPv6 address pool to your Mobile Users—GlobalProtect deployment, select the regions to Enable IPv6 in the IPv6 Availability tab, and Commit and Push your changes, the pools appear in the IPv6 Availability tab. If you then disable all regions, effectively disabling IPv6, and then Commit and Push your changes, the IPv6 address pools still display in the IPv6 Address Pool tab. Workaround: There is no workaround. If you later enable IPv6 for one or more regions, you can use the existing IPv6 address pool. You can also specify a different IPv6 address in the IP Pools and, after you commit and push your changes, the new IPv6 Address pool overwrites the existing addresses and displays in the IPv6 Availability tab. |
CYR-19099 | When viewing or changing QoS settings for Remote Networks in Panorama > Cloud Services > Configuration > Remote Networks > Settings > QoS, a newly-added compute location or location does not display. In addition, a newly-onboarded location does not display in the Site Allocation (Customize Per Site) page. Workaround: Refresh the Panorama that manages Prisma Access. |
CYR-19093 | In a multi-tenant deployment, you receive a Configuration committed successfully message along with a Not all Commit-All jobs got triggered message. Workaround: Either upgrade your Panorama to a minimum version of 10.1.4, or select Commit > Commit and Push, Edit Selections, and in the Prisma Access tab, make sure that the Push Scope includes the changes you made for the Prisma Access configuration. Depending on the changes you made, select one or more of the Remote Networks, Mobile Users, Service Setup, and Explicit Proxy choices. |
CYR-19030 | If you are sinkholing IPv6 traffic, the policy rule hit counts for traffic that matches the IPv6 sinkhole policy do not increment when entering the CLI command `show rule-hit-count vsys vsys-name vsys1 rule-base security rules all`. |
CYR-19017 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | IPv6-related choices under Cloud Services > Configuration > Service Connection > BGP are displayed, even if IPv6 is not enabled. Workaround: If you do not have IPv6 enabled, do not select the Exchange both IPv4 and IPv6 routes over IPv4 peering, Exchange IPv4 routes over IPv4 peer and IPv6 routes over IPv6 peer, and Exchange IPv6 routes over IPv6 peering BGP peering choices. |
CYR-18757 | In a multi-tenant deployment, admin users that have more than one access domain cannot configure new remote networks or service connections, and can only view what is already deployed. Workaround: Create the access domain first, then select the access domain you created when you convert the single tenant to a multi-tenant setup. |
CYR-18234 | When you select Integrate with Prisma SD-WAN, the integration fails. |
CYR-18157 | When downloading a large file (including but not limited to programs, browser extensions, or apps) using Explicit Proxy, if the download takes longer than the cookie lifetime, the download fails when the cookie expires. |
CYR-18156 | If, after signing in to Explicit Proxy, you open a link that contains a file to download, the file downloads successfully but the Explicit Proxy sign-in page continues to display. Workaround: Since the link contained a downloaded file, there is no page to display and the current page does not refresh. Select another webpage to navigate away from the sign-in page. |
CYR-17848 | If you are using a Panorama with a version of PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote Network deployment from allocating bandwidth by location to allocating bandwidth by compute location, the migration banner displays the location names in an incorrect (large) font. Workaround: No workaround is required. There is no change to the migration functionality; the only issue is with the font displayed during the migration. |
CYR-17826 | When using Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands) with Panoramas that are in High Availability mode, the commands cannot be run from the passive Panorama. |
CYR-17739 (This issue is now resolved in plugin version 3.1.0. See Prisma Access 3.1.0 Addressed Issues.) | When configuring an Explicit Proxy deployment, if you onboard your deployment, then retrieve the Explicit Proxy public IP addresses, you will receive the active IP addresses to add to your allow list, but will not receive the pre-allocated backup IP addresses. Workaround: Retrieve the Explicit Proxy IP addresses before you onboard your deployment by specifying an addrType of all and a location of all. |
CYR-17077 | If you delete an explicit proxy configuration and then reconfigure it within 10 minutes of its deletion, Prisma Access cannot properly process the new configuration and explicit proxy functionality could be affected. Workaround: Wait at least 10 minutes after deleting an explicit proxy configuration before reconfiguring it. |
CYR-17024 | When using Panorama 10.x to manage Prisma Access, if you configure an Authentication Enforcement Profile under Objects > Authentication and specify an Authentication Profile that resides in a Shared location, you receive an error when committing the changes. Workaround: If you use a Panorama 10.x to manage Prisma Access, do not use a shared Authentication Profile for any Authentication Enforcement Profile; instead, use an Authentication Profile that is under one of the Prisma Access Templates. |
CYR-16965 | When using explicit proxy, there could be a delay when displaying user details under Current User Count due to a log ingestion issue between explicit proxy and Strata Logging Service. |
CYR-16789 | When performing a local commit or Commit and Push operation, you receive the error `Internal Server Error: Failed to aggregate bandwidth configuration`. Workaround: Check the DNS configuration of the Panorama appliance that manages Prisma Access, and check that Panorama is able to contact your network's DNS servers, then retry the operation. |
CYR-16735 | If, during Explicit Proxy onboarding, you onboard a large number of locations, the Explicit Proxy status might display incorrectly (for example, a status of ERROR might display when the onboarding was successful). |
CYR-16674 | If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. Workaround: Upload a new PAC file with the same changes as you made in the Explicit Proxy URL. |
CYR-16673 | If you change the proxy FQDN, the changes are not immediately reflected after the job status completes. Workaround: Wait 10 to 15 minutes for the changes to be reflected after the Job status shows as Completed on Panorama. |
CYR-16642 | There is a delay observed to populate the Rule Usage column on the Policies page. Workaround: Refresh the page by clicking on the refresh button on the right side. In addition, the Preview Rules tab does not display the Rule Hit counters. Workaround: Click the Used link in the Rule Usage column to display the Rule Hit count for the rule. |
CYR-16615 | The maximum length of a URL that can be used with explicit proxy is 1280 characters. |
CYR-16583 | WildFire logs show explicit proxy logs as having a source zone of Proxy. If you use a name of Proxy for Clean Pipe instances or remote networks, you will not be able to differentiate between explicit proxy logs and logs with the clean pipe or remote network name of Proxy. Workaround: If you use explicit proxy, do not specify a name of Proxy for any Clean Pipe instances or remote networks. |
CYR-16580 | The Panorama > Cloud Services > Status > Monitor > Mobile Users > Explicit Proxy page incorrectly shows the current number of users as 0. |
CYR-16351 | When using Explicit Proxy, initial DNS Queries (first leg) and Initial HTTP connect messages (first logs) are not seen in the traffic logs in Panorama. |
CYR-16284 | When you enter the `show pbf extended-address all` command to retrieve the traffic steering cache, an FQDN displays with an asterisk, such as *.example.com. Workaround: No workaround is required. The displayed FQDN is correlated to the FQDN server that presented the certificate. |
CYR-16130 | When configuring a Mobile Users - GlobalProtect deployment using SAML authentication, you receive a pangp.gpcloudservice.com is missing certificate error when you commit your configuration changes. Workaround: Add the missing certificate in your SAML IdP configuration by selecting Device > Mobile_User_Template > Authentication Profile in Panorama and adding the certificate. |
CYR-16097 | A webpage may contain links to resources from domains other than the domain from which the webpage is served. Most modern browsers do not send any cookie along with the requests to get the resources from those third-party domains for security reasons. Since there is no cookie present to identify the user for those third-party domains, the user name cannot be logged in the traffic logs for those domains. In addition, there will be some connections that Prisma Access redirects for authenticating a user. Logs for such connections will not have any username. |
CYR-16073 | When using traffic steering, if you specify an External Dynamic List that has an IP address and port, traffic is not forwarded to the target. Workaround: Remove the port number from the IP address. |
CYR-16015 | When using explicit proxy, if you update the cookie lifetime to a shorter lifetime than the previously configured value, the new lifetime value does not apply to users who are already logged in until the original longer lifetime expires. New users logging into the service receive the new shorter cookie lifetime. |
CYR-15926 | Explicit proxy configuration changes are not applied to the configuration after a commit. Workaround: If you are not seeing the changes after retrying the commit operation, contact Palo Alto Networks support. |
CYR-15792 | If, when configuring Explicit Proxy, you upload a PAC file before committing and pushing your configuration changes, the PAC file configuration changes are not correctly processed. Workaround: Commit and push your configuration changes before uploading the PAC file. |
CYR-15338 | In a multi-tenant environment, tenant names with a period (.) in the name cause configuration tabs to be grayed out after commit. Workaround: Do not create tenants that have a period in their name. |
CYR-15267 | When administrators log out a mobile user
who is logged in using SAML from the Prisma Access status page (Panorama > Cloud Services > Status > Status > Current Users),
a Single Logout (SLO) request is not generated. As a result, the
user is logged out of the gateway but is not logged out of the IdP,
and if the client SAML cookie is still valid, the user can reconnect
without having to input credentials. |
CYR-15091 | Extra IPSec termination nodes are allocated
to a compute location if you allocate bandwidth multiple times in
a very short time interval. |
CYR-14997 | When you allocate Bandwidth to a compute
location from the Onboarding section, that allocation is not reflected
immediately in the Bandwidth Allocation tab until you manually refresh
the page. Workaround: Manually refresh the Panorama
that manages Prisma Access. |
CYR-14937 | When you upgrade the Cloud Services plugin
and then perform a commit operation, not all Prisma Access components
are selected in the Push Scope. Workaround: Select Commit > Commit and Push, Edit
Selections in the Push Scope,
and make sure that all Prisma Access components (Service
Setup, Remote Networks, Mobile
User, and Clean Pipe, depending
on your license) are selected before committing and pushing your
changes. |
CYR-14984 | When you change the name of a target service
connection group for traffic steering, the updated target name does
not display in the Traffic Steering Rules area. Workaround:
Refresh the Panorama browser. |
CYR-14980 | If you use IKEv2 with certificate-based authentication,
only SHA1 is supported in IKE crypto profiles (Phase 1). Workaround:
Use an IKEv2 (Phase 1) cryptographic profile of SHA1 on your customer
premises equipment and in Prisma Access. |
CYR-14816 | If a service connection loses both its active
and backup connectivity, mobile users lose connectivity to users
and resources connected to Remote Networks and Service Connections. |
CYR-14754 | If you have two Panorama appliances configured
in high-availability mode, the passive Panorama will display an out of sync message
during a commit and push operation. Workaround: Open
a command-line interface (CLI) session on both the passive and active
Panorama and enter the following commands:
username@hostname> debug md5sum_cache clear
username@hostname> configure
username@hostname# commit force |
CYR-14728 | Prisma Access bypasses Traffic Steering for
rules with a service type of HTTP or HTTPS if you use an application
override policy for TCP ports 80 and 443. In addition, traffic
steering does not work for URLs from URL categories referenced in
the traffic forwarding rule if you have configured an application
override policy for TCP ports 80 or 443. |
CYR-14727 | Mobile user route summarization is not supported
in hot potato routing mode. |
CYR-14693 | When using hot potato routing, Mobile User
route summarization may add extra latency for traffic between mobile
users and headquarters or branch traffic. |
CYR-14673 | After you create a traffic steering rule with
an IP address, IP address group, EDL, or custom URL category as
a Shared object, make changes to any of those objects, and then commit
and push your changes, only the Shared object displays in the Push
Scope; the Prisma Access device groups are not displayed in the
push scope. Workaround: Select Commit > Commit and Push, Edit
Selections in the Push Scope,
and make sure that you select all device groups (Service
Setup, Remote Networks, Mobile
User, and Clean Pipe, depending
on your license) before committing and pushing your changes. |
CYR-14613 | When adding or deleting URLs to a custom
URL category, Prisma Access does not purge its cache, and the change
does not immediately take effect. Workaround: Perform
one of the following actions:
|
CYR-14603 | To make sure that Prisma Access can distinguish
between users if the same username is shared between users who authenticate
locally and users who authenticate using LDAP, you should authenticate
LDAP users in the format of domain/username and authenticate local
users in the format of username (without the domain name). |
CYR-14277 | Do not create any custom URL categories that
start with GPCS-, gpcs-, or custom_url_category_pbf. |
CYR-14110 | If Panorama access is disabled in an Admin
Role Profile, you can still see the contents of the plugin, but
the fields are read-only. |
CYR-13823 | When you upgrade the Cloud Services plugin
to 1.7, Prisma Access prepends an asterisk to URLs in custom URL
categories, if you use this category in a traffic steering forwarding
rule. If you use the same URL category policies for both traffic
steering and other security policy rules, these changes apply to
both the traffic steering rules and other security policy rules. If
you have custom URL categories that are not used in traffic steering
forwarding rules, Prisma Access does not change the URLs in those
categories. |
CYR-13822 | Prisma Access prepends an asterisk to URLs
in custom URL categories, which doubles the number of URLs entered
in a custom URL category. Prisma Access supports a maximum of 300,000
URLs in URL category entries; if you use custom URLs for traffic
steering and are close to this limit, the doubling of URLs might cause
your deployment to exceed the limit of URLs. |
CYR-13751 | If you used policy-based forwarding rules to
forward internet-bound traffic to service connections in Prisma
Access 1.6, Prisma Access makes the following additions to URLs
in custom URL categories after you upgrade from 1.6 to 1.7:
If
you already have added URLs with wildcards, Prisma Access might
add URLs that duplicate existing URLs after the upgrade. |
CYR-13662 | After you make configuration changes to an
existing service connection or remote network connection (for example,
changing the bandwidth, region, QoS, or BGP values), the job details
in the Deployment Status page (Panorama > Cloud Services > Status > Status > Deployment Status > details) might display a value
of TIMEOUT, even if the job completed successfully. |
CYR-13612 | Prisma Access does not support FTP data transfers
in active mode. |
CYR-13511 | When Prisma Access performs a dataplane
upgrade on a mobile user instance (an upgrade to a Prisma Access
gateway or portal), any failed commits on the instance that were
performed before the upgrade will not be applied to the upgraded
instance. |
CYR-13317 | During a Prisma Access dataplane upgrade,
BGP statistics may not be available for 30 minutes in the Network
Details page. This unavailability has no impact on dataplane traffic. |
CYR-13179 | If you use Microsoft Edge or Firefox when using
traffic steering, the browser does not forward traffic on its first
attempt. Workaround: Refresh the browser, then retry
the operation. |
CYR-12912 | If, in a traffic steering deployment with multiple
traffic forwarding rules, two URLs in two separate rules resolve
to the same IP address, Prisma Access sends traffic to the first rule
in the list and will not use the second traffic rule. Traffic steering
evaluates multiple traffic forwarding rules in order from top to bottom. |
CYR-12700 | For a Prisma Access deployment with two Panoramas
configured in high availability, you are able to request an upgrade
to the GlobalProtect software version on the passive Panorama. Software
upgrade requests are not applied if you request them on the passive Panorama. Workaround:
Do not request software upgrades on the passive Panorama; only request
upgrades using the active Panorama. |
CYR-12509 | When using traffic steering, Palo Alto Networks
does not recommend using multiple service connections (whether dedicated
or non-dedicated) in a target service connection group that is referenced
in a traffic steering rule. |
CYR-12166 | Prisma Access does not support a rule type
of Intrazone if the source and destination zones are both Trust. |
CYR-11897 | When you use the CLI to retrieve Prisma Access
job status, an invalid token message
is received. |
CYR-11496 | If you enable ECMP on a remote network, the
values shown in the Statistics tab under Panorama > Cloud Services > Status > Monitor > Remote Networks for Ingress
Peak Bandwidth (Mbps) are correct; however, if you click
the hyperlink for this value, the pop-up window that displays might
show an incorrect value. |
CYR-11414 | When creating a new mobile user deployment
in multi-tenant mode, you receive an error that the Portal Hostname
is not available when you assign it during mobile user onboarding. Workaround: Before
you begin your mobile user configuration, add an Infrastructure
Subnet, commit all your changes to Panorama, and push the configuration changes
to Prisma Access. |
CYR-11201 | Some files are being skipped for DLP scanning
when using OneDrive to upload multiple files. |
CYR-11087 | When using DLP on Prisma Access, you can
upload up to 25 files at a time. |
CYR-11019 | When attaching a parent Device Group to a
new remote network tenant in multi-tenant mode, the administrator
is unable to attach device groups and templates. Workaround: Log
out, then log back in to Panorama. |
CYR-10909 | If you use Box to upload multiple files, and
one or more of the files are larger than 5 MB, the upload of all
files will not complete. To continue, find the files in Box that
are larger than 5 MB and click X to stop
the download of those files. |
CYR-10445 | DLP on Prisma Access is not supported in a
Prisma Access multi-tenant deployment. |
CYR-10053 | If you change the master key in Panorama
(in Device > Master Key and Diagnostics), the master key for
Cloud Services is not synchronized with this master key. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and
manually change the master key to be the same as the Panorama master
key. |
CYR-10044 | When using Slack to upload multiple files,
the Slack client treats the multiple file upload as a single request.
If one of the files is not successfully uploaded, Slack retries
the upload of all files a maximum of three times. If, after three
retries, Slack cannot upload one or more of the files, the Slack
client displays an error in the UI and doesn't upload any of the files. |
CYR-10043 | When you upload a file using Slack, and the
file is blocked, Slack detects the block operation as an upload
failure and retries the file upload, which results in the same file
being uploaded and blocked twice. Workaround: This
is normal Slack file upload behavior. Be aware that a single file
that is uploaded using Slack might appear twice in the data filtering
logs as being blocked. |
CYR-9613 | When you delete a data filtering profile from
a Prisma Access device group that is not shared, the profile name
still appears when you add or configure a Security Profile Group,
in the Data Filtering Profile area. |
CYR-9455 | In a GlobalProtect deployment where the portal
has multiple agent configs, when a GlobalProtect client logs in
using the app, the portal looks for a matching agent config for
the client by checking its OS type along with the config selection
criteria. The agent configs are checked from top to bottom. If the
OS type matches, but the config selection criteria do not, GlobalProtect
marks the agent config as non-matching and moves to the next agent config
to check for a match; however, it no longer checks the OS type in
these agent configs, and only looks for a match of the config selection
criteria. This condition can cause the client to receive an agent
config that has matching config selection criteria, but a non-matching
OS type. |
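The matching order described in CYR-9455 is easier to reason about as code. The following Python model is an added example, not GlobalProtect or Palo Alto Networks code: `select_as_described` reproduces the behaviour the issue describes (OS type is no longer checked after the first config whose OS matched but whose criteria did not), `select_expected` shows the result an administrator would expect, and `risky_fallthroughs` is a conservative static check of an agent config ordering that reports where a client could be handed a config for the wrong OS. The config names, OS types and group names are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AgentConfig:
    """One portal agent config: the OS types it applies to and the user
    groups it is restricted to (an empty set means 'any')."""
    name: str
    os_types: frozenset
    groups: frozenset


@dataclass(frozen=True)
class Client:
    os_type: str
    groups: frozenset


def os_matches(cfg: AgentConfig, client: Client) -> bool:
    return not cfg.os_types or client.os_type in cfg.os_types


def criteria_match(cfg: AgentConfig, client: Client) -> bool:
    return not cfg.groups or bool(cfg.groups & client.groups)


def select_as_described(configs: List[AgentConfig], client: Client) -> Optional[AgentConfig]:
    """Model of the behaviour CYR-9455 describes: configs are checked top to
    bottom; after the first config whose OS matched but whose selection
    criteria did not, the OS type of later configs is no longer checked."""
    os_check_active = True
    for cfg in configs:
        if os_check_active:
            if not os_matches(cfg, client):
                continue
            if criteria_match(cfg, client):
                return cfg
            os_check_active = False  # OS matched, criteria did not: OS check stops here
        elif criteria_match(cfg, client):
            return cfg  # reached on criteria alone, OS type never compared
    return None


def select_expected(configs: List[AgentConfig], client: Client) -> Optional[AgentConfig]:
    """First config whose OS type AND selection criteria both match."""
    for cfg in configs:
        if os_matches(cfg, client) and criteria_match(cfg, client):
            return cfg
    return None


def risky_fallthroughs(configs: List[AgentConfig]) -> List[Tuple[str, str, frozenset]]:
    """Conservative static check of an ordering: for each config that restricts
    by group, report every later config whose OS list does not cover the earlier
    config's OS types. A client with one of the reported OS types that fails the
    earlier config's criteria can be handed the later config under the described
    behaviour. Reported pairs are candidates to review, not proof of misassignment."""
    findings = []
    for i, earlier in enumerate(configs):
        if not earlier.groups or not earlier.os_types:
            continue
        for later in configs[i + 1:]:
            if not later.os_types:
                continue  # applies to any OS, so handing it out is not an OS mismatch
            uncovered = earlier.os_types - later.os_types
            if uncovered:
                findings.append((earlier.name, later.name, uncovered))
    return findings


# Constructed sample ordering (hypothetical names, not from the page).
SAMPLE_CONFIGS = [
    AgentConfig("win-finance", frozenset({"Windows"}), frozenset({"finance"})),
    AgentConfig("mac-any-user", frozenset({"Mac"}), frozenset()),
    AgentConfig("win-any-user", frozenset({"Windows"}), frozenset()),
]


def demo() -> Tuple[str, str]:
    """A Windows user outside 'finance': described behaviour vs expected result."""
    eng_windows = Client("Windows", frozenset({"engineering"}))
    return (
        select_as_described(SAMPLE_CONFIGS, eng_windows).name,
        select_expected(SAMPLE_CONFIGS, eng_windows).name,
    )


if __name__ == "__main__":
    print("described / expected:", demo())
    print("risky orderings:", risky_fallthroughs(SAMPLE_CONFIGS))
```

With the sample ordering, the Windows engineering user is handed `mac-any-user` under the described behaviour while `win-any-user` is the expected match; the static check flags exactly that pair, which is the kind of ordering to avoid (or to place the any-user config for the same OS directly after the restrictive one).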
CYR-9348 | When configuring HIP redistribution, you cannot
retrieve HIP information and set policies for the following use
cases:
|
CYR-9213 | When using DLP on Prisma Access, when you
upload a .docx file using SharePoint that was exported from Google
Docs, the upload fails. |
CYR-9183 | When setting up the GlobalProtect gateway
connection settings (Network > GlobalProtect > Gateways > Agent > Connection Settings)
and specifying a Netmask to Restrict Authentication Cookie
Usage, the commit fails if only a Source IPv4
Netmask is specified. Workaround: Specify
a Source IPv6 Netmask of 0,
which disables the option for the specified IP address type. |
CYR-9061 | If using Slack, Box, or Gmail to upload
a file using DLP on Prisma Access, the response page is not displayed
to the client if the upload is blocked. |
CYR-9003 | Reverse DNS queries do not work in Prisma
Access. Workaround: Because type A and AAAA queries
for internal domains work, you can specify *.in-addr.arpa in
a query so that Prisma Access sends all reverse DNS queries to internal
DNS servers. |
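The CYR-9003 workaround relies on the fact that every IPv4 reverse (PTR) lookup is a query for a name ending in in-addr.arpa, so a single wildcard domain rule catches all of them. The following Python is an added example, not Prisma Access or Palo Alto Networks code: it derives the PTR query name for an address and routes names through a small ordered rule list with suffix-wildcard matching. The rule table is constructed; the `*.ip6.arpa` entry covers IPv6 reverse lookups and is an addition of this example, since the page mentions only `*.in-addr.arpa`.

```python
import ipaddress
from typing import List, Tuple

# Constructed rule list (hypothetical): domain pattern -> resolver that
# receives queries under it. A leading "*." is a wildcard suffix match.
RULES: List[Tuple[str, str]] = [
    ("*.corp.example", "internal"),
    ("*.in-addr.arpa", "internal"),   # all IPv4 reverse lookups, as in the workaround
    ("*.ip6.arpa", "internal"),       # IPv6 reverse lookups: added here, not on the page
]
DEFAULT_RESOLVER = "public"


def reverse_query_name(ip: str) -> str:
    """Name a resolver asks for in a PTR lookup of `ip`: octets reversed under
    in-addr.arpa for IPv4, nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks the root and is dropped.
    return name.rstrip(".").lower()


def pattern_matches(pattern: str, qname: str) -> bool:
    """'*.in-addr.arpa' matches any name with at least one label before
    'in-addr.arpa'; a pattern without '*' must match exactly."""
    qname = _normalise(qname)
    pattern = _normalise(pattern)
    if pattern.startswith("*."):
        return qname.endswith("." + pattern[2:])
    return qname == pattern


def resolver_for(qname: str, rules: List[Tuple[str, str]] = RULES) -> str:
    """First matching rule wins; names that match no rule go to the default resolver."""
    for pattern, resolver in rules:
        if pattern_matches(pattern, qname):
            return resolver
    return DEFAULT_RESOLVER


def resolver_for_reverse_lookup(ip: str) -> str:
    """Where a PTR lookup for `ip` would be sent under RULES."""
    return resolver_for(reverse_query_name(ip))


if __name__ == "__main__":
    for ip in ("10.0.2.1", "2001:db8::1"):
        print(ip, "->", reverse_query_name(ip), "->", resolver_for_reverse_lookup(ip))
    print("www.example.com ->", resolver_for("www.example.com"))
```

The point to check in a real deployment is the same as in the model: the reverse-lookup rule only helps for addresses whose PTR records live on the internal servers, and the rule order matters because the first match wins.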
CYR-8244 | When performing a Commit and
Push operation for the Clean Pipe service, you receive
an error that the Clean Pipe service had insufficient license resources,
even though you have sufficient licensed bandwidth. Workaround: Select Panorama > Licenses,
then select Retrieve license keys from license server to
retrieve the Clean Pipe licenses again. |
CYR-8017 | If you add an existing template under one
of the template stacks of Prisma Access (for example, Service_Conn_Template_Stack, Mobile_User_Template_Stack,
or Remote_Network_Template_Stack), you cannot
use objects of the added template in other Prisma Access templates
that are part of the same template stack. Previously, you
could view and use objects from existing templates in Prisma Access
templates if the templates were a part of a Prisma Access-specific
template stack, which is not standard Panorama behavior. |
CYR-7907 | In multi-tenant mode, Prisma Access automatically
creates a set of templates, template stacks, and device groups for
each tenant you create for remote networks, mobile users, and the
Clean Pipe service. Prisma Access creates tenant-specific sets for
all products, even if you are licensed for only one Prisma Access
type. When you delete a tenant, Prisma Access deletes the
template and device group set for which you are licensed, but does
not delete the unlicensed set. For example, if you have a remote
network deployment and delete a tenant, Prisma Access does not delete
the set it created for the mobile users and Clean Pipe. Workaround: Manually delete
the unused, unlicensed set of templates, template stacks, and device
groups after you delete a tenant. |
CYR-7900 | The Traffic Forwarding feature (Panorama > Cloud Services > Configuration > Service Setup > Settings > Traffic Forwarding)
is not supported with multi-tenant deployments. |
CYR-7702 | When you log out a Prisma Access mobile user
from the Current Users window, the user still displays
in the window after the logout operation. Workaround: Close
and then reopen the Current Users window
to show the correct user status. |
CYR-7440 | If you have two Panoramas set up in an active-primary
and passive-secondary setup for Prisma Access, you cannot log out
mobile users from the passive-secondary Panorama. |
CYR-7332 | When you try to configure an Infrastructure
Subnet (Panorama > Cloud Services > Configuration > Service Setup > Settings)
in multi-tenant mode, you can receive an Operation Failed message. Workaround: Refresh
the Panorama UI to have Prisma Access correctly apply the infrastructure
subnet to the tenant's configuration. |
CYR-7128 | When you perform a Commit All operation for
mobile users, Prisma Access should display the commit status for
portals and gateways separately; however, Prisma Access is displaying
failures for portals under gateway status, and is displaying commit
failures for gateways under portal status. Workaround: Enter
the debug plugins cloud_services prisma-access get-job-result jobid commit-job-id-number command,
where commit-job-id-number is the ID of the commit
operation that failed, to check and verify the commit operation
for portals and gateways. |
CYR-6384 | Pre-defined IKE Crypto, IPSec Crypto, and
IKE Gateways templates do not display. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup (for
service connections) or Panorama > Cloud Services > Configuration > Remote Networks (for remote
network connections), click the gear icon in the Settings area
to open the Settings, then click OK. |
CYR-6369 | When in multi-tenant mode, if you create a
custom admin user with an Admin Role Profile that has Read Only
access to the Panorama tab and has Plugin access disabled, that
user can view, configure, and commit changes for subtenants. Workaround: Disable access
to the Panorama tab in the Admin Role Profile. |
CYR-6108 | When you configure Clientless VPN with Prisma
Access, the default security rule configuration uses the application-default service,
which blocks clientless-vpn traffic. Workaround: Change
the default security rule to any service or service-http and service-https. |
CYR-6107 | When configuring multi-tenant, if you create
any device groups that are children or grandchildren of other device
groups you create under the Shared parent device group, select only
the device group at the lowest hierarchical level (child or grandchild)
when you associate the device group to an access domain; do not select
the parent. |
CYR-6080 | You cannot reset the rule hit count for
all Authentication and Application
Override policies. Workaround: Reset rules using
a list of rules or a rule name for Authentication and Application
Override policies. |
CYR-6013 | When you migrate a single tenant to multi-tenant
mode, you must do a local commit and then push the configuration
before you add more tenants. |
CYR-5867 | After upgrading to a new version of the Cloud
Services plugin, you are able to downgrade. The downgrade operation
should be disallowed. Workaround: Do not downgrade
the Cloud Services plugin after you have upgraded it. |
CYR-5842 | When using the multi-tenant feature and migrating
the first tenant to multi-tenancy, you can select template stacks
and templates that are not associated with the tenant that you want
to migrate, including templates that are used with on-premise firewalls. Workaround: When
you convert to multi-tenant mode, be sure to choose only those templates
that you want to associate to the first tenant to migrate. |
CYR-5690 | When configuring multi-tenancy, if you are
planning to later configure Prisma Access for mobile users, you
must do a local Commit of your changes for the plugin (Commit > Commit to Panorama)
after you add templates, template stacks, and device groups for
each tenant and before you onboard each tenant. |
CYR-5563 | When using the multi-tenancy feature, users
who manage single tenants cannot see the system logs. The Monitor > Logs > System choice
is not available. This limitation applies to all Administrators
who have an administrative role of Device Group and Template. Only
superusers can view system logs in multi-tenancy mode. |
CYR-5561 | When using the multi-tenancy feature and
logged in as a tenant-level administrative user, opening the Panorama
Task Manager (clicking Tasks at the bottom
of the Panorama web interface) shows all tasks for all tenants,
including any tasks done at the superuser (Admin) level. |
CYR-5476 | When you enable multi-tenancy and migrate
your configuration to the first sub-tenant, CLI commands are not
supported for this operation. As a result, you must use the Panorama
user interface (UI). |
CYR-5159 | If you configure a mobile user IP address pool
for a single region instead of Worldwide, mobile users can still
view and attempt to connect to all available gateway regions from their
GlobalProtect app. This attempt fails because there is no IP address
pool to allocate for other regions. Workaround: To
allow mobile users to manually select a gateway, either configure
an IP address pool for the region in the location where you want
the users to connect, or configure a Worldwide IP address pool for
mobile users in Prisma Access to allow them to select all the locations
you have deployed. |
CYR-5139 | In an environment with on-premise firewalls
on each side of Prisma Access, where the remote network connections
to which the on-premise firewalls are connected are in different
regions, users behind one on-premise firewall cannot contact users
behind another on-premise firewall unless you have configured an
explicit policy to allow traffic between zone Trust and zone Trust. |
CYR-5098 | If you change the master key in Panorama
(in Device > Master Key and Diagnostics), the master key for Cloud
Services is not synchronized with this master key. Workaround: Select Panorama
> Cloud Services > Configuration > Service Setup > Service Operations
> Edit Master Key and manually change the master key to be the same
as the Panorama master key. |
CYR-5062 | When regular dynamic updates are downloaded
to Panorama (by default, every Wednesday at 01:02), the MD5 checksum
is changed. This condition can cause the Panorama configuration
and the Prisma Access infrastructure to lose synchronization. While
no tunnels are affected by this out-of-sync state, the
status for Service Connections, Remote Networks, Mobile Users, and
the Logging Service show a Config Status of Out
of Sync. Workaround: Perform a Commit and Push operation
on the Panorama. |
CYR-4010 | The BGP router configuration on the Prisma
Access firewalls can receive a maximum of 15000 prefixes from each
peer, and the total number of routes (static and dynamic) learned through
BGP cannot exceed 25000. Exporting more than 25000 routes may adversely
affect traffic flow on your network. |
CYR-3952 | After you generate a new API key by selecting Panorama > Cloud Services > Configuration > Service Setup > Generate new API Key, the previous API
key is still valid for a period of time (up to five minutes). You
use this API key to retrieve the list of IP addresses for your Prisma
Access firewalls. |
CYR-3638 | For service and remote network connections
that have BGP enabled, Prisma Access ignores any route it receives
from a neighbor with an AS number in its AS_PATH list that duplicates
an AS number in the Prisma Access AS infrastructure (Infra-AS). |
CYR-3469 | If you have configured a Notification
URL, when you onboard a new remote network location,
two notifications are sent to the URL instead of only one. |
CYR-3385 | When you configure the same AS number for
the service connection and remote network location(s), the routes
are not imported into the firewall on the remote network location. |
CYR-3330 | Mobile users cannot connect to remote network
locations without a service connection. |
CYR-3034 | When configuring SAML, you must perform
all configuration with a role of Superuser, including any configuration
you perform for SAML using CLI. |
CYR-2648 | The Panorama > Cloud Services > Configuration page
is grayed out when Panorama is not in sync with NTP. Workaround: Make
sure to synchronize time with NTP (Panorama > Setup > Services > NTP). |
CYR-2578 | Master Keys do not work for two Panorama
appliances set as HA primary and secondary appliances. Workaround: Deselect
the Enable HA check box on the secondary
Panorama appliance and commit the changes, set the same Master Key on
both the primary and secondary Panorama appliance, then re-enable
HA on the secondary Panorama appliance and commit the changes. |
CYR-2028 | The Device > Setup > Management page
is not available on the Panorama appliance running the Prisma Access
plugin. You cannot configure NT LAN Manager (NTLM). |
CYR-1646 | Although Panorama allows you to delete the
Mobile_User_Template that was created when the Prisma Access was
provisioned, deleting this template also deletes your onboarding
configuration and, upon commit, removes your Prisma Access for mobile
users configuration. |
CYR-1189 | When you onboard a new service connection
or a remote network, the count for service connection and total
remote peers displayed on Panorama > Cloud Services > Status > Status is inaccurate
until the provisioning is complete. |
CYR-1120 | On Panorama, you cannot validate commit
on a device group or template configuration before pushing the configuration to
the Prisma Access infrastructure for remote networks and mobile
users. |
CYR-575 | You cannot configure the Prisma Access gateway
as an internal gateway. |