Prisma Access
Prisma Access Known Issues
Prisma Access has the following known issues.
| Issue ID | Description |
|---|---|
| AIOPS-11286 | When you have Colo-Connect enabled, cross-connect and connection-related information may not be up to date on subtenants in a multitenant environment. |
| CYR-47616 | Increasing the subnet mask on an existing mobile user IP address pool (for example, changing 10.6.0.0/18 to 10.6.0.0/17), or changing the region of an existing IP address pool, can cause issues for existing connected users. Workaround: Perform one or more of the following actions: |
| CYR-47139 | ZTNA Connectors are disabled in a ZTNA Connector - Explicit Proxy integration if ZTNA Connector application blocks or connector blocks are configured with RFC 6598 addresses that conflict with Explicit Proxy addresses. Workaround: If you have integrated ZTNA Connector with Explicit Proxy, do not use the 100.64.0.0/15, 100.72.0.0/15, or 100.88.0.0/15 subnets for: |
| CYR-46759 | UDP Settings for DNS Queries are not honored in Explicit Proxy. |
| CYR-46627 | Explicit Proxy is not supported if Accept Default Route over Service Connection is enabled. |
| CYR-46445 | A transient error related to port 6081 that was processed on a NAT device caused the ZTNA Connector to go down. Workaround: When ZTNA Connector traffic passes through a NAT device, make sure the NAT session is not mapped to port 6081. |
| CYR-46349 | When using Remote Networks with Explicit Proxy with Traffic Steering in China, do not configure traffic steering rules with URL Category. |
| CYR-46191 | If Explicit Proxy is configured with Private Application Access enabled and ZTNA Connector is added to the configuration, another commit from Panorama or Strata Cloud Manager might be required. Workaround: Make a small modification to the Explicit Proxy configuration on the Panorama or Strata Cloud Manager that manages Prisma Access and push your changes. |
| CYR-46170 | If you have enabled DDNS and later push a service subnet change to your mobile users, you must also restart the DDNS plugin on your Mobile User gateway for DDNS to pick up the change. Workaround: Enter the following command: `debug software restart process pl-ddns` |
| CYR-46145 | When the Prisma Access autonomous system number or Prisma Access infra subnet is updated for an existing Prisma Access tenant where ZTNA Connector and corresponding applications are onboarded, there will be an outage of around 5 minutes after the update. |
| CYR-46093 | If your deployment has implemented the functionality to support up to 25,000 remote networks and 50,000 IKE gateways, aggregate bandwidth usage statistics display "No data for the specified time period" instead of the usage statistics. |
| CYR-45440 | When configuring Admin Roles, the access information is not always saved correctly. Workaround: Click Plugins/Cloud Services Plugins two or more times in the Admin Roles area to make sure the access information is saved correctly. Click OK and Open again to confirm that the changes are saved. |
| CYR-45415 | Administrators with read-only or disabled access to the Cloud Services plugin can modify configuration outside of the Cloud Services plugin that affects cloud services behavior, such as templates and device groups, and can remove the Cloud Services configuration, uninstall the Cloud Services plugin, and load configuration files. |
| CYR-45517 | In the Colo-Connect tab, a read-only user is able to delete onboarding entries. |
| CYR-44433 | The status for Remote Network jobs that were successful can change from Success to Pending. |
| CYR-44202 | Administrative users with read-only access to the Cloud Services plugin are able to modify the RBI tab. |
| CYR-43425 | You cannot specify Outbound Routes for the Service for service connections if those service connections use RFC 6598 addresses. |
| CYR-43400 (resolved in Prisma Access 5.2.0; see Prisma Access 5.2.0 Addressed Issues) | For connectors onboarded in ZTNA connector groups with Preserve User ID checked, Actions > Diagnostics > ping from the internal interface to the data center apps does not work. |
| CYR-43262 (resolved in Prisma Access 5.2.0; see Prisma Access 5.2.0 Addressed Issues) | Remote network API requests for Remote Network onboarding return a commit validation error on the Cloud Services plugin if BGP configuration is included in the payload. |
| CYR-43222 (resolved in Prisma Access 5.2.0; see Prisma Access 5.2.0 Addressed Issues) | Application targets assigned to User ID-based ZTNA Connector groups do not support a Probing Type of icmp ping. Workaround: Use a Probing Type of none or tcp ping for the application. |
| CYR-43147 | For autoscaled ZTNA connectors, during scale-in, existing long-lived sessions handled by the ZTNA connector that is marked for scale-in may be dropped prematurely. There should be no impact on new traffic sessions after scale-in. |
| CYR-43132 | During sub-tenant creation on Panorama, you cannot configure units for Remote Networks if the Mobile Users configuration is left blank, and vice versa. |
| CYR-42919 (resolved in Prisma Access 5.2.1; see Prisma Access 5.2.1 Addressed Issues) | When attempting to modify or delete Connector IP Blocks in ZTNA Connector, the changes are not applied after a Commit and Push. Workaround: Perform two more Commit and Push operations to apply the changes. |
| CYR-42312 | User-ID Across NAT is not supported with Colo-Connect. |
| CYR-42259 | Explicit Proxy Private App Access does not work when RFC 6598 is enabled. |
| CYR-42244 | If you request a Prisma Access gateway name change as part of the Business Continuity for Mergers and Acquisitions feature, the updated FQDN does not display in Strata Cloud Manager or Panorama. Workaround: Reach out to your Palo Alto Networks account team, who will open an SRE case to update the FQDN for the gateway. |
| CYR-42188 | When using Explicit Proxy Private App Access, DNS over TCP does not function; however, DNS over UDP functions correctly. |
| CYR-42130 | Colo-Connect routing information does not display in the Serviceability Commands area. |
| CYR-42018 | If you have IP Optimization enabled, TLS 1.3 is not supported for GlobalProtect. Workaround: Use a maximum TLS version of 1.2. |
| CYR-41990 | IPv6-to-IPv6 or IPv6-to-IPv4 source or destination traffic does not support the URL filtering actions Continue and Override. |
| CYR-41838 | The egress IP address for Remote Networks - High Performance deployments displays twice when you retrieve it using the Prisma Access API. Workaround: Ignore the duplicate IP address. |
| CYR-41813 | ZTNA Connector onboarding is not supported in the Switzerland, France, Qatar, or Taiwan locations. There is no workaround. |
| CYR-41228 | If you have IP Optimization enabled, you cannot use the SP interconnect feature. |
| CYR-41067 | An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version. |
| CYR-40503 | IPv6 is not supported in the South Africa Central and Canada West locations. |
| CYR-40404 | An FQDN target matching a wildcard might not be discovered for a connector group if the application is not accessible from some of the ZTNA connectors in the connector group. All connectors in a given group must be able to resolve the application using DNS and access it for the application to be auto-discovered in the group. Workaround: Associate the application object with the required connector group from Strata Cloud Manager. |
| CYR-39930 | Cortex Data Lake logs are not exported from tenants that have the IP Optimization feature enabled. |
| CYR-39795 | After installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) is installed by the __cloud_services user, even though Explicit Proxy is not enabled. Workaround: Ignore the changes. |
| CYR-39551 | If you set up Prisma Access Dynamic DNS with an authentication type of TSIG, you should upload a .key file for the TSIG key file. The key file is considered invalid if its content contains non-ASCII characters. If you provide a .key file for TSIG authentication with non-ASCII characters and click OK, the error "Please upload a file with the .key extension" displays. Workaround: Provide a valid TSIG key file. |
| CYR-39153 | When upgrading a ZTNA Connector Group, intermittent failures can occur during the upgrade operation. For example, the upgrade status displays as partial_success or failed, even though some of the affected connectors are later upgraded successfully. Workaround: Retry the Connector Group upgrade at a later time. ZTNA Connector rechecks and provides you with the appropriate status of the Connector Groups. |
| CYR-39148 | When configuring Colo-Connect, Commit and Push operations to Colo-Connect Device Groups may intermittently fail. Workaround: Retry the Commit and Push operation to the Colo-Connect Device Group. |
| CYR-39028 | If you are upgrading your ZTNA Connector from 4.1 to a later Prisma Access version and the ZTNA connector application pools are configured within the RFC 6598 address space (100.64.0.0/16 and 100.65.0.0/16), ZTNA connector traffic may be blocked on the MU-SPN. Workaround: Contact your Prisma Access team to update the SaaS Agent version of all your Prisma Access tenants. |
| CYR-38619 | Tenants that are onboarded in Switzerland and France cannot use ZTNA Connector. |
| CYR-38120 | Not all available locations show up in the list view in the Mobile Users—Explicit Proxy setup page. Workaround: Use the map view to select the missing locations. |
| CYR-38076 | The correct EBGP Router address does not display in the Remote Networks Network Details page (Remote Networks Setup > Remote Networks > EBGP Router); instead, it shows the Loopback IP address of the remote network. |
| CYR-37983 | If you have IPv6 enabled for a Mobile Users—GlobalProtect user, retrieving the HIP report causes a crash. Workaround: If the GlobalProtect client is IPv6 enabled, run the HIP report using the client's IPv6 address. If the GlobalProtect client is IPv4 only, run the HIP report using the client's IPv4 address. |
| CYR-37923 | After creating a new URL category, security rule, or EDL, a local Panorama commit is required before using that object in RBI security rule associations. |
| CYR-37906 | If, when updating the ports for an existing wildcard object, you put spaces between the ports, a 500 internal server error is displayed. Workaround: Do not put spaces between the ports. For example, instead of `1-2, 80, 100-300`, enter `1-2,80,100-300`. |
| CYR-37887 | If you are using ZTNA Connector as part of the 30-day trial and have not purchased a license, onboarding might fail with a "Something went wrong" message when you click the Enable ZTNA Connector button. Workaround: Refresh the UI to complete the onboarding of the ZTNA Connector feature. |
| CYR-37826 | If two or more ZTNA connector applications have the same FQDN, an "Application Custom rule conflict" message could display in the SD-WAN portal. Workaround: This message is spurious and can be ignored. |
| CYR-37797 | The status page asks you for a one-time password (OTP) after a plugin upgrade. Workaround: Delete the expired license keys, delete the Panorama certificate, retrieve the licenses, and verify that the license keys are valid after you retrieve them; then generate the OTP to verify. |
| CYR-37755 | If you configure a Wildcard Target in ZTNA Connector and then try to change the port of an application that was discovered as a result of that target and added to the FQDN Target, you receive an error that the name is too long. Workaround: Although application names can be a maximum of 32 characters long, changing the port number makes the name too long in the ZTNA Connector infrastructure. If you encounter this error, give the application a shorter name. |
| CYR-37706 | When using Explicit Proxy, an excessive number of threat logs display. Workaround: Ignore the threat logs. These logs have no impact on Explicit Proxy functionality. |
| CYR-37673 | Clicking the Panorama > Cloud Services > Status > Status > Remote Browser Isolation > Active Isolated Session link does not open the Monitor > Subscription Usage page in Prisma Access Cloud Management or Strata Cloud Manager. |
| CYR-37500 | If you have enabled IPv6 for remote networks, the public IPv6 address is not displayed for edge locations. |
| CYR-37466 | If you enable Colo-Connect, do not enable Bidirectional Forwarding Detection (BFD) on your VLAN. |
| CYR-37356 | If you renew the App Acceleration license after it has expired (including the grace period for the license), the renewal does not take effect immediately. Workaround: Wait approximately one hour after license renewal before using App Acceleration. |
| CYR-37290 | When onboarding a ZTNA Connector, you receive a "declaim requested by root" error. Workaround: Delete the connector that had the error and create a new one. |
| CYR-37227 | Creation of an IP subnet-based Connector Group sometimes fails with a "group already exists" message, even though the group does not exist. Workaround: Use another name for the IP subnet-based Connector Group. |
| CYR-37208 | When using Prisma Access Clean Pipe, the Network Details page (Panorama > Cloud Services > Status > Status > Network Details) does not show Clean Pipe entries. |
| CYR-36749 | ZTNA connector flow logs related to NetFlow may not be visible in the Strata Cloud Manager Log Viewer. |
| CYR-35506 | If you have enabled IPv6 for a tenant, deleting the tenant does not free up the IPv6 prefixes that were allocated to it, and those prefixes are not usable again. Workaround: Do not delete a tenant that has IPv6 enabled. |
| CYR-34999 | For Panorama Prisma Access tenants, if ZTNA Connectors are onboarded, the Provision Progress for service connections (Panorama > Cloud Services > Status > Status > Service Connections > Provision Progress) shows provisioning progress for both ZTNA Connectors and Service Connections. |
| CYR-34770 | If you configure multiple portals in Prisma Access for the Mobile Users—GlobalProtect deployment, you must configure an authentication profile under Client Authentication on all portals. If you do not configure at least one authentication profile, an authentication cookie is not generated and the multi-portal feature does not work as desired. |
| CYR-34720 | GlobalProtect DDNS functionality does not work when using a Panorama running 10.1.x to manage Prisma Access with the Cloud Services plugin. |
| CYR-33877 | If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes. |
| CYR-33471 | If you enable multi-tenancy, create a new sub-tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, then configure Colo-Connect subnets and VLANs, a partial commit fails with an "Unable to retrieve last in-sync configuration for the device" error. Workaround: Perform a Commit and Push operation when configuring Colo-Connect for the first time instead of a partial commit. |
| CYR-33454 | If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, then configure Colo-Connect, the choice to Commit and Push your changes is grayed out. Workaround: Click Commit > Commit to Panorama, then Commit > Push to Devices, click Edit Selections and make sure that Colo-Connect is selected in the Push Scope; then retry the commit and push operation. |
| CYR-33199 | Current user counts and 90-day user counts are not correct for Kerberos-authenticated users. |
| CYR-33145 | When a Prisma Access license for any service type expires, any Commit All operation fails with a generic "Commit Failed" error message. Workaround: Make sure that none of your Prisma Access licenses have expired before performing commits. |
| CYR-32687 | EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work in decryption policies when Agent or Kerberos authentication is used with Explicit Proxy. Workaround: Use Address objects of type IP Netmask or IP Range, or Address Groups, in the decryption policies. |
| CYR-32666 | When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting from a previously saved configuration, you receive errors if the following conditions are present: Workaround: Colo-Connect service connections cannot be onboarded unless their corresponding VLANs are in an Active state. Delete any Colo-Connect service connections before exporting or reverting a Panorama image; then re-create the Colo-Connect service connections after importing the new image. |
| CYR-32661 | When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins do not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy. |
| CYR-32564 | ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used. Workaround: Perform one or more of the following steps as required: |
| CYR-32511 | You can configure IPv6 DNS addresses even if IPv6 is disabled. |
| CYR-32431 | When configuring Explicit Proxy, if you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly. Workaround: Refresh the Panorama that manages Prisma Access, then return to the Authentication Settings tab to see the addresses. |
| CYR-32191 | ZTNA Connector is not supported in multitenant environments. |
| CYR-32004 | Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant. |
| CYR-31603 | ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details. Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale. |
| CYR-31187 | When you use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy. Workaround: When you Commit and Push, make sure that you choose both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push Scope when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect. |
| CYR-30414 | If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you are able to see both portals in the UI. Workaround: Open a CLI session on the Panorama that manages Prisma Access, enter the following two commands, then perform a local commit on the Panorama: `set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no` and `request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off` |
| CYR-30044 | Predefined EDLs are not populated in the Block Settings list in a new Explicit Proxy deployment. Workaround: Onboard your Explicit Proxy deployment, perform a Commit and Push operation, and then go back and update the EDL in your Block Settings. |
| CYR-29964 | Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error. Workaround: Do not reuse CSRs. |
| CYR-29933 | Attempts to use the `verdicts:all -X "DELETE"` API call more than once per hour result in the `{"code" :8, "message" : "Too many requests"}` error. Workaround: Do not use this API call more than once per hour. |
| CYR-29700 | If you configure multiple GlobalProtect portals in a Panorama Managed Prisma Access multitenant deployment, committing changes on a per-username basis fails with a `global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]` error. Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis. |
| CYR-29160 | If the Panorama that manages Prisma Access is configured in FIPS mode and you select Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM, the certificate does not get downloaded. Workaround: This functionality is not available on Panorama appliances in FIPS mode until your Prisma Access dataplane is upgraded to 10.2.4. |
| CYR-26112 | If you do not have a Net Interconnect license, all Remote Networks in a theater are fully meshed, but if you haven't onboarded a Service Connection in a theater, the Remote Networks cannot be reached from Remote Networks in other theaters. Workaround: Either purchase a Net Interconnect license or onboard a service connection in a theater to have the Remote Networks communicate with other theaters. |
Known Issues for Dynamic Privilege Access
| Issue ID | Description |
|---|---|
| PANG-4881 | If the web browser that the user used to authenticate the Prisma Access Agent remains open, traffic from the web browser to the Prisma Access Agent is sent over the tunnel regardless of how the forwarding profile is configured. |
| PANG-4870 | On macOS devices that have the Prisma Access Agent installed, if you remove full disk access for the Prisma Access Agent security extension (after granting full disk access previously), the Prisma Access Agent gets stuck in disabled mode. Workaround: Grant access to the security extension by selecting System Settings > Privacy & Security > Full Disk Access and enabling securityExtension in the list of apps. |
| PANG-4825 | When configuring forwarding profiles, configuring large numbers of forwarding rules for source applications, destination domains, and IP addresses (routes) can cause high CPU utilization. Workaround: Do not configure more than 100 forwarding rules for source applications, destination domains, and IP addresses. |
| NETVIS-1363 | In Insights on Strata Cloud Manager, the Project Connectivity History view in the user details page shows only the project name and no other detail when the Prisma Access Agent user is connected. The Project Connectivity History is blank when the user is not connected. |
| NETVIS-1293 | In Insights, the Project Connectivity History doesn't show the correct data when the Time Range is set to Past 3 Hours, Past 1 Hour, or Past 15 Minutes. |
| NETVIS-1263 | In Insights, the number of connected users listed in the Projects tab might not be accurate. In some cases, the number of connected users in the Projects tab does not match the number of users in the Users tab; for example, when the same user is connected to two projects on different devices. |
| NETVIS-1207 | In Insights, the Projects tab does not show all the IP pools that are configured for a project. Only the IP pools that are in use are shown. |
| EPM-2954 | User groups that have more than 50,000 users are not supported in the project configuration of Dynamic Privilege Access. Make sure that the user group associated with a project has fewer than 50,000 users. |
| EPM-1589 | When configuring forwarding profiles, even though Strata Cloud Manager allows you to configure IP addresses with wildcards, using wildcard characters in destination IP addresses, such as `10.*.*.*`, is not supported because it causes inconsistent behavior in forwarding profiles. |
| EPM-1399 | Changing a project name in the Projects tab of the Dynamic Privilege Access page in Strata Cloud Manager is not supported at this time. Workaround: To rename a project, delete the existing project and perform an Access Agent push configuration, then create the project with the new name and perform an Access Agent push configuration. |
| EPM-646 | On a Prisma Access tenant where Dynamic Privilege Access is enabled, a configuration push fails if you try to push the Prisma Access Agent infrastructure configuration without first configuring any projects. Workaround: Configure at least one project before you push the configuration. |
| DRS-5152 | The duration for synchronizing directory changes in the Cloud Identity Engine varies based on the directory and the volume of changes. If the directory changes are minimal, the Cloud Identity Engine usually completes the sync in minutes. However, if there are numerous changes in the directory, the directory sync might take hours to complete. |
| DRS-4907 | Updates made in the Identity Provider (IdP) are not immediately reflected in the Cloud Identity Engine and Prisma Access Agent management plane. This delay occurs because the Cloud Identity Engine needs to sync with the IdP to capture the changes. The Cloud Identity Engine runs sync jobs every 5 minutes, but only when no other sync is in progress. The duration of the sync process depends on the magnitude of changes in the Cloud Identity Engine directory: larger or more numerous changes result in a longer sync time. After the sync is complete, it can take up to 15 minutes for the changes to appear in the Prisma Access Agent management plane. |
| DRS-4691 | When searching for a user group in Cloud Identity Engine or Strata Cloud Manager using the Text Search option, surround the user group name with double quotes. For example, when searching for a user group named EXAMPLE.User_Group, enter "EXAMPLE.User_Group". |
| DRS-4406 | When configuring a project in Strata Cloud Manager, you cannot search for a User group by providing a partial user group name. Workaround: To search for a user group, enter the complete User group name. |
| DOCS-7025 | In Dynamic Privilege Access, existing IP pools configured in a project cannot be modified. Workaround: To modify an existing IP pool, delete the existing IP pool in the project and save the project. Then edit the project again to add the new IP pool. For example, to change the IP pool address from 10.10.10.0/25 to 10.10.10.0/24, delete the existing pool in the project, save the project, and edit the project again to add the new IP pool. |
| DOCS-5681 | Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant is not supported in Prisma Access 5.2. Enabling ZTNA Connector on such a tenant can cause routing issues. Service might also be impacted because Strata Cloud Manager does not support deletion of ZTNA Connector once it has been created. |
| DOCS-5611 | When authorizing user group mapping in Cloud Identity Engine for Dynamic Privilege Access and selecting the SAML attributes you want Prisma Access to use for authentication, ensure that you select a Username Attribute that contains /identity/claims/name. If you select the wrong username attribute, your users will not be able to authenticate to their projects. |
| DOCS-5463 | Random tunnel disconnects can occur if the Collect HIP Data option is not enabled in the Agent Settings page. Therefore, do not disable Collect HIP Data in the Host Information Profile (HIP) section of the Access Agent Settings page. |
| DOCS-3650 | For Cloud Identity Engine authentication to work on a Dynamic Privilege Access enabled Prisma Access tenant, ensure that a user group is not mapped to multiple SAML applications in the identity provider (IdP). If multiple apps are mapped to a user group, Cloud Identity Engine cannot determine which SAML app to connect to during authentication because there is no unique mapping. |
| ADI-33262 | On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile User Container > Access Agent configuration push fails without first configuring a project in Strata Cloud Manager. Workaround: Configure at least one project before you push the configuration. |
| ADI-31750 | The number of IP pools supported per project is 50. Performance is impacted if the number of IP pools per project exceeds 50. Workaround: Allocate no more than 50 IP pools per project. |
| ADI-31601 | On a Dynamic Privilege Access enabled tenant, Strata Cloud Manager allows you to configure more than 100 IP pools per project, even though doing so causes the push config to fail with a generic error. Workaround: Do not configure more than 100 IP pools per project. |
| ADI-31538 | When setting up a forwarding profile, the forwarding profile Type is displayed as "ZTNA Agent" instead of "Prisma Access Agent". Also, if you select Add Forwarding Profile, the drop-down shows "ZTNA Agent" instead of "Prisma Access Agent". Workaround: None. The forwarding profile type will be changed to "Prisma Access Agent" in the future. |
| ADI-31523 | Do not create snippets with descriptions that contain special characters. Snippet descriptions that contain special characters such as `! ~ @ # $ % ^ & * ( ) _ +` are not supported. |
| ADI-31306 | When setting up a forwarding profile, all the options in the Traffic Enforcement section of the Forwarding Profile page are enabled by default. Enabling all of these options by default can cause unexpected or undesirable behavior. Workaround: Disable these options for Dynamic Privilege Access. |
| ADI-31305 | When setting up a forwarding profile, the Enforce FQDN DNS resolution using tunnel DNS servers and Resolve all FQDNs using DNS servers that are assigned by the tunnel (Windows agents only) options are shown in the Traffic Enforcement section of the Forwarding Profile page. These two options should not be shown, since the intended functionality of these options can be configured using the forwarding profile rules. |
| ADI-30902 | Strata Cloud Manager uses the user and user group information from a Cloud Identity Engine directory in multiple configurations, such as Dynamic Privilege Access project configurations, Prisma Access Agent settings, security policies, and staged rollout configurations. After making these configurations, if you delete the directory from Cloud Identity Engine but don't delete the Strata Cloud Manager configurations that reference those users and user groups, you might encounter unexpected errors, such as "500 Internal Server Error." Workaround: When you remove a directory from Cloud Identity Engine, you must also delete the Strata Cloud Manager configurations that reference the users and user groups in that directory. |
| ADI-30468 | In the Access Agent > Infrastructure Settings page in Strata Cloud Manager, both the Prisma Access Managed and OnPrem DHCP Server options appear in the Client IP Pool Allocation section. When provisioning users on a General Availability Prisma Access tenant with Dynamic Privilege Access enabled, ensure that you do not select OnPrem DHCP Server, because the configuration cannot be reverted once you save it. OnPrem DHCP Server is not supported for Dynamic Privilege Access General Availability tenants and will be removed from Strata Cloud Manager in a future release. If you select OnPrem DHCP Server, your tenant will be rendered unusable for basic Dynamic Privilege Access workflows. |
| ADI-29665 | Do not use special characters in project names; otherwise, Strata Cloud Manager issues a "Malformed Request" error message when you try to save the project configuration. |
| ADI-29434 | In the Agent Settings page in Strata Cloud Manager, the recommended value for the Session timeout is 7 days. |
| ADI-29272 | When creating a snippet, if you disable the Add prefix to object names option, ensure that you don't use duplicate agent settings names in two different snippets, since this can result in unexpected behavior. |
| ADI-26493 | In Access Agent > Infrastructure Settings in Strata Cloud Manager, the OnPrem DHCP Server option in the Client IP Pool Allocation section is not selectable. This is working as intended, since OnPrem DHCP Server is not supported for Dynamic Privilege Access. This option will be renamed to OnPrem DHCP Server (Preview Only) so that existing Dynamic Privilege Access enabled Prisma Access tenants can function correctly. |
| ADI-24562 | You are allowed to create more than one project with the same domain and user group if those projects were configured from different configuration snippets. Avoid this configuration because it can cause unexpected behavior in some Strata Cloud Manager workflows. Workaround: Do not configure different projects using the same domain and user group. |