Prisma Access Known Issues
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version 4.0 Preferred
Prisma Access has the following known issues.
Issue ID
Description
ADI-20366
To use ZTNA Connector on a Panorama Managed Prisma Access tenant you must file a support ticket to get the feature enabled. The feature is enabled by default on Prisma Access (Managed by Strata Cloud Manager) tenants that have been upgraded to Prisma Access 4.0.
ADI-20335
If you use RFC 6598 addresses in your environment and want to set up ZTNA Connector on a Prisma Access (Managed by Strata Cloud Manager) tenant, you must file a ticket to enable the functionality to define IP pools to reserve for Prisma Access to enable connectivity to your connector VMs and your apps.
CYR-33199
Current user counts and 90-day user counts are not correct for Kerberos authenticated users.
CYR-33180
In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature you must onboard at least one mobile user gateway.
CYR-32888
On macOS endpoints running Safari and connected to Prisma Access in Tunnel and Proxy mode or proxy mode, browsing through explicit proxy is slow.
Workaround: Remove any references to isResolvable() in your PAC file.
CYR-32713
ZTNA Connector can fail to retrieve the correct DNS configuration, which causes ZTNA connector traffic to fail, when the following conditions apply:
  • When the first application is onboarded in ZTNA connector
  • When all applications are removed (deboarded) from ZTNA Connector
Workaround: Refresh the GlobalProtect connection to get the correct DNS server configuration. If all applications go down for a tenant, refresh the GlobalProtect connection again when some or all applications in ZTNA Connector are back up.
CYR-32564
ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
  1. Create a custom URL category and add application FQDNs for the onboarded applications for ZTNA connector.
  2. If you are using a default profile group, clone a new group and attach the custom URL category you created in step 1. If you are using a custom profile group, attach the custom URL category you created in step 1.
  3. Make sure that you attach either the cloned profile group or the custom profile group (from step 2) to the security policy you created to allow traffic destined to ZTNA connector applications.
CYR-32517
If you deploy a mobile users location that already has a location deployed in the same compute location, you might receive only one public IP address for the newly-deployed location instead of two.
Workaround: Enable the IP Allow Listing feature to receive more than one IP address.
CYR-32511
You can configure IPv6 DNS addresses even if IPv6 is disabled.
CYR-32191
ZTNA Connector is not supported in multitenant environments.
CYR-32188
In Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector will not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) has been up without interruption for the last 24 hours. The Connector Availability graph shows up only if the tunnel has gone down at least once within the last 24 hours.
CYR-32170
When using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI Connectors > Actions > Diagnostics icon are not functional.
CYR-32006
When using Dynamic DNS (DDNS) registration using the Cloud Services plugin 3.2, nsupdate commands are not working as expected, which causes issues with DDNS update queries.
CYR-32004
Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.
CYR-31623
Only one Panorama HA pair can be associated with a CDL instance.
CYR-31603
ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.
CYR-31205
In mobile user deployments for GlobalProtect in Tunnel and Proxy mode or proxy mode, the commit fails if you don't attach either a SAML or Kerberos authentication profile in your explicit proxy configuration, even if you enable Use GlobalProtect Agent to Authenticate.
CYR-31187
When you use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: Make sure you Commit and Push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.
CYR-30504
In some cases, attempts to retrieve aggregate bandwidth statistics are timing out.
Workaround: Try again, or go to Prisma Access Insights to view the aggregate bandwidth statistics.
CYR-30434
Renaming an authentication profile immediately after creating it causes a new authentication profile to be created.
Workaround: Do not make changes to a profile immediately after creating it.
CYR-30044
Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, do a Commit and Push, and then go back and update the EDL in your block Settings.
CYR-29964
Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs.
CYR-29933
Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests" error.
Workaround: Do not use this API call more than one time per hour.
CYR-29700
If you configure multiple GlobalProtect portals in a Prisma Access Panorama Managed multitenant deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error.
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis.