Prisma Access Known Issues
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version 5.2 or 5.2.1 Preferred or Innovation
Prisma Access has the following known issues.
Issue ID
Description
AIOPS-11286
When you have Colo-Connect enabled, cross-connects and connections-related information may not be up to date on subtenants in a multitenant environment.
CYR-47616
Increasing the subnet mask on an existing mobile user IP address pool (for example, if you change 10.6.0.0/18 to 10.6.0.0/17), or changing the region of an existing IP address pool, can cause issues for existing connected users.
Workaround: Perform one or more of the following actions:
  • Have the GlobalProtect mobile user refresh their connection.
    Any changes to the GlobalProtect IP address pool scope (increasing the existing pool or using a completely different pool) would cause issues to the existing connected users, which can only be resolved after a successful GlobalProtect refresh where the app acquires the IP address from the newly allocated pool.
  • Add another address block to the mobile users IP address pool instead of changing the subnet in the existing pool.
    For example, instead of changing a subnet in the pool from /18 to /17, consider adding another /18 address to the existing pool and leave the existing pool intact.
CYR-47139
ZTNA Connectors are disabled in a ZTNA Connector - Explicit Proxy integration if ZTNA Connector application blocks or connector blocks are configured with RFC6598 addresses that conflict with Explicit Proxy addresses.
Workaround: If you have integrated ZTNA Connector with Explicit Proxy, do not use the "100.64.0.0/15", "100.72.0.0/15", or "100.88.0.0/15" subnets for:
  • ZTNA Connector Application Blocks
  • ZTNA Connector Connector Blocks
  • IP subnets configured in ZTNA Connector that you have associated with applications
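The two address-planning entries above (CYR-47616 and CYR-47139) both come down to checking candidate prefixes before you commit them. The following pre-flight check is an added example, not Palo Alto Networks code: it flags ZTNA Connector blocks that overlap the three Explicit Proxy subnets listed in CYR-47139, and classifies a mobile user pool change as the mask expansion CYR-47616 warns about. The candidate blocks in main() are constructed sample input.

```python
"""Pre-flight checks for the ZTNA Connector / Explicit Proxy overlap (CYR-47139)
and the mobile user pool mask change (CYR-47616) described on this page.

Added example, not Palo Alto Networks code. The reserved subnets are the ones
the CYR-47139 entry lists; everything else here is constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Subnets that must not be used for ZTNA Connector application blocks,
# connector blocks or application IP subnets when Explicit Proxy is integrated.
EXPLICIT_PROXY_RESERVED = [
    ipaddress.ip_network("100.64.0.0/15"),
    ipaddress.ip_network("100.72.0.0/15"),
    ipaddress.ip_network("100.88.0.0/15"),
]


def find_conflicts(blocks: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (block, reserved_subnet) pairs for every overlap.

    Candidates are parsed strictly: a prefix with host bits set (for example
    100.64.1.0/15) is a typo, and silently masking it would hide the error,
    so it raises ValueError instead. Supernets of a reserved range (a /13
    that contains a reserved /15) are reported as overlaps too.
    """
    conflicts = []
    for raw in blocks:
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid block {raw!r}: {exc}") from exc
        if net.version != 4:
            continue  # the reserved ranges are IPv4 only; nothing to compare
        for reserved in EXPLICIT_PROXY_RESERVED:
            if net.overlaps(reserved):
                conflicts.append((str(net), str(reserved)))
    return conflicts


def pool_change_kind(old_pool: str, new_pool: str) -> str:
    """Classify a change to an existing mobile user IP address pool.

    'unchanged'  - same prefix
    'expanded'   - the mask was shortened so the old pool now sits inside the
                   new one (the 10.6.0.0/18 -> 10.6.0.0/17 case in CYR-47616);
                   add a separate block instead and leave the old pool intact
    'replaced'   - a different block entirely, which also disrupts connected
                   users until they refresh GlobalProtect
    """
    old = ipaddress.ip_network(old_pool, strict=True)
    new = ipaddress.ip_network(new_pool, strict=True)
    if old == new:
        return "unchanged"
    if old.version == new.version and old.subnet_of(new):
        return "expanded"
    return "replaced"


def main() -> None:
    # Constructed sample input: one clean block, one inside a reserved range,
    # one that is elsewhere in RFC 6598 space and therefore allowed.
    candidate_blocks = ["10.20.0.0/16", "100.65.8.0/24", "100.70.0.0/16"]
    for block, reserved in find_conflicts(candidate_blocks):
        print(f"CONFLICT: ZTNA block {block} overlaps Explicit Proxy range {reserved}")
    print("pool change 10.6.0.0/18 -> 10.6.0.0/17:",
          pool_change_kind("10.6.0.0/18", "10.6.0.0/17"))


if __name__ == "__main__":
    main()
```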
CYR-46759
UDP Settings for DNS Queries are not honored in Explicit Proxy.
CYR-46627
Explicit Proxy is not supported if Accept Default Route over Service Connection is enabled.
CYR-46445
A transient error related to port 6081 that was processed on a NAT device caused the ZTNA Connector to go down.
Workaround: When ZTNA Connector traffic is passing through a NAT device, make sure the NAT session is not mapped to port 6081.
CYR-46349
When using Remote Networks with Explicit Proxy with Traffic Steering in China, do not configure traffic steering rules with URL Category.
CYR-46191
If the Explicit Proxy is configured with Private Application Access enabled and ZTNA Connector is added to the configuration, another commit from Panorama or Strata Cloud Manager might be required.
Workaround: Make a small modification to the Explicit Proxy configuration on the Panorama or Strata Cloud Manager that manages Prisma Access and Push your changes.
CYR-46170
If you have enabled DDNS and you later push a service subnet change to your mobile users, you must also restart the DDNS plugin on your Mobile User gateway for DDNS to pick up the change.
Workaround: Enter the following command:
debug software restart process pl-ddns
CYR-46145
When the Prisma Access autonomous system number or Prisma Access infra subnet is updated for an existing Prisma Access tenant where ZTNA Connector and corresponding applications are onboarded, there will be an outage of around 5 minutes after the update.
CYR-46093
If your deployment has implemented the functionality to support up to 25,000 remote networks and 50,000 IKE gateways, aggregate bandwidth usage statistics displays No data for the specified time period instead of the usage statistics.
CYR-45440
When configuring Admin Roles, the access information is not always saved correctly.
Workaround: Click the Plugins/Cloud Services Plugins twice or more in the Admin Roles area, to make sure the access information is saved correctly. Click OK and Open again to confirm if the changes are saved.
CYR-45415
Administrators with read-only or disabled access to the Cloud Services plugin can modify configuration outside of the Cloud Services plugin that affects cloud-services behavior, such as templates, device groups, removing Cloud Services configuration, uninstalling the Cloud Services plugin, and loading configuration files.
CYR-45517
In the Colo-Connect tab, a read-only user is able to delete onboarding entries.
CYR-44433
The status for Remote Network jobs that were successful can change from Success to Pending state.
CYR-44202
Administrative users with read-only access to the Cloud Services plugin are able to modify the RBI tab.
CYR-43425
You cannot specify Outbound Routes for the Service for service connections if those service connections use RFC 6598 addresses.
CYR-43400
This issue is now resolved in Prisma Access 5.2.0. See Prisma Access 5.2.0 Addressed Issues.
For connectors onboarded in ZTNA connector groups with Preserve User ID checked, Actions > Diagnostics > ping from the internal interface to the data center apps does not work.
CYR-43262
This issue is now resolved in Prisma Access 5.2.0. See Prisma Access 5.2.0 Addressed Issues.
Remote network API requests for Remote Network onboarding return a commit validation error on the Cloud Services plugin if BGP configuration is included in the payload.
CYR-43222
This issue is now resolved in Prisma Access 5.2.0. See Prisma Access 5.2.0 Addressed Issues.
Application targets assigned to User ID-based ZTNA Connector groups do not support a Probing Type of icmp ping.
Workaround: Use a Probing Type of none or tcp ping for the application.
CYR-43147
For autoscaled ZTNA connectors, during scale in, existing long-lived sessions handled by the ZTNA connector that is marked for scale in may be dropped prematurely. There should be no impact for new traffic sessions after scale in.
CYR-43132
During sub-tenant creation on Panorama, you cannot configure units for Remote Networks if the Mobile Users configuration is left blank, and vice versa.
CYR-42919
This issue is now resolved in Prisma Access 5.2.1. See Prisma Access 5.2.1 Addressed Issues.
When attempting to modify or delete Connector IP Blocks in ZTNA Connector, the changes are not applied after a Commit and Push.
Workaround: Perform two more Commit and Push operations to apply the changes.
CYR-42312
User-ID Across NAT is not supported with Colo-Connect.
CYR-42259
Explicit Proxy Private App Access does not work when RFC6598 is enabled.
CYR-42244
If you are requesting a Prisma Access gateway name change as part of the Business Continuity for Mergers and Acquisitions feature, the updated FQDN does not display in Strata Cloud Manager or Panorama.
Workaround: Reach out to your Palo Alto Networks account team, who will open an SRE case to update the FQDN for the gateway.
CYR-42188
When using Explicit Proxy Private App Access, DNS over TCP does not function; however, DNS over UDP functions correctly.
CYR-42130
Colo-Connect routing information does not display in the Serviceability Commands area.
CYR-42018
If you have IP Optimization enabled, TLS 1.3 support for GlobalProtect is not supported.
Workaround: Use a maximum TLS version of 1.2.
CYR-41990
IPv6-to-IPv6 or IPv6-to-IPv4 source or destination traffic does not support the URL filtering actions Continue and Override.
CYR-41838
The egress IP address for Remote Networks - High Performance deployments displays twice when you retrieve it using the Prisma Access API.
Workaround: Ignore the duplicate IP address.
CYR-41813
ZTNA Connector onboarding is not supported in the Switzerland, France, Qatar or Taiwan locations. There is no workaround.
CYR-41228
If you have IP Optimization enabled, you cannot use the SP interconnect feature.
CYR-41067
An incorrect Prisma Access version displays in the Prisma Access Version area of the UI. In Strata Cloud Manager, the version displays in Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version; in Panorama Managed Prisma Access, the version displays in Panorama > Cloud Services > Configuration > Service Setup > Prisma Access Version.
CYR-40503
IPv6 is not supported in the South Africa Central and Canada West locations.
CYR-40404
An FQDN target matching a wildcard might not be discovered for a connector group if the application is not accessible from some of the ZTNA connectors in the connector group.
All connectors in a given group should be able to use DNS to resolve the application and access the application for the application to be auto-discovered in the group.
Workaround: Associate the application object to the required connector group from Strata Cloud Manager.
CYR-39930
Cortex Data Lake logs are not exported from tenants that have the IP Optimization feature enabled.
CYR-39795
After installation of the Cloud Services plugin, an Explicit Proxy Kerberos server profile (default_server_profile) is installed by the __cloud_services user, even though Explicit Proxy is not enabled.
Workaround: Ignore the changes.
CYR-39551
If you set up Prisma Access Dynamic DNS with an authentication type of TSIG, you should upload a .key file for the TSIG key file. The key file is considered not valid if it has non-ASCII characters in the content. If you provide a .key file for TSIG authentication with non-ASCII characters and you click OK, an error Please upload a file with the .key extension displays.
Workaround: Provide a valid TSIG key file.
CYR-39153
When performing an upgrade to a ZTNA Connector Group, there can be failures intermittently during the upgrade operation. For example, the upgrade status displays as partial_success or failed, even though some of the affected connectors are later upgraded successfully.
Workaround: Retry the Connector Group upgrade at a later time. ZTNA Connector rechecks and provides you with the appropriate status of the Connector Groups.
CYR-39148
When configuring Colo-Connect, Commit and Push operations to Colo-Connect Device Groups may intermittently fail.
Workaround: Retry the Commit and Push operation to the Colo-Connect Device Group.
CYR-39028
If you are upgrading your ZTNA Connector from 4.1 to a later Prisma Access version and the ZTNA connector application pools are configured within the RFC6598 address space (100.64.0.0/16 and 100.65.0.0/16), ZTNA connector traffic may be blocked on the MU-SPN.
Workaround: Contact your Prisma Access team to update the SaaS Agent version of all your Prisma Access tenants.
CYR-38619
Tenants that are onboarded in Switzerland and France cannot use ZTNA Connector.
CYR-38120
All available locations do not show up in the list view in the Mobile Users—Explicit Proxy setup page.
Workaround: Use the map view to select the missing locations.
CYR-38076
The correct EBGP Router address does not display in the Remote Networks Network Details page (Remote Networks Setup > Remote Networks > EBGP Router) and instead shows the Loopback IP address of the remote network.
CYR-37983
If you have IPv6 enabled for a Mobile Users—GlobalProtect user, retrieving the HIP report causes a crash.
Workaround: If the GlobalProtect client is IPv6 enabled, run the HIP report using the client's IPv6 address. If the GlobalProtect client is IPv4 only, run the HIP report using the client's IPv4 address.
CYR-37923
After creating a new URL category or security rule or an EDL, a local Panorama commit is required before using that object in RBI security rule associations.
CYR-37906
If, when updating the ports for an existing wildcard object, you put spaces between the ports, a 500 internal server error is displayed.
Workaround: Do not put spaces between the ports. For example, instead of 1-2, 80, 100-300, put 1-2,80,100-300.
CYR-37887
If you are using ZTNA Connector as part of the 30-day trial and have not purchased a license, onboarding might fail with a message that Something went wrong when you click the Enable ZTNA Connector button.
Workaround: Refresh the UI to complete the onboarding of the ZTNA Connector feature.
CYR-37826
If two or more ZTNA connector applications have the same FQDN, an Application Custom rule conflict message could display in the SD-WAN portal.
Workaround: This message is spurious and can be ignored.
CYR-37797
The status page asks you for a one-time password (OTP) after a plugin upgrade.
Workaround: Delete the expired license keys, delete the Panorama certificate, and retrieve the licenses and verify if the license keys are valid after you retrieve them; then, generate the OTP to verify.
CYR-37755
If you configure a Wildcard Target in ZTNA Connector, and if you try to change the port of an application that was discovered as a result of that target and was added to the FQDN Target, you receive an error that the name is too long.
Workaround: While application names can be a maximum of 32 characters long, changing the port number makes the name too long in the ZTNA Connector infrastructure. If you encounter this error, try to give the application a shorter name.
CYR-37706
When using Explicit Proxy, an excessive amount of threat logs display.
Workaround: Ignore the threat logs. These logs have no impact on Explicit Proxy functionality.
CYR-37673
Clicking the Panorama > Cloud Services > Status > Status > Remote Browser Isolation > Active Isolated Session link does not open the Monitor > Subscription Usage page in Prisma Access Cloud Management or Strata Cloud Manager.
CYR-37500
If you have enabled IPv6 for remote networks, the public IPv6 Address is not displayed for edge locations.
CYR-37466
If you enable Colo-Connect, do not enable Bidirectional Forwarding Detection (BFD) on your VLAN.
CYR-37356
If you renew the App Acceleration license after it has expired (including the grace period for the license), the renewal does not take effect immediately.
Workaround: Wait approximately one hour after license renewal before using App Acceleration.
CYR-37290
When onboarding a ZTNA Connector, you receive a declaim requested by root error.
Workaround: Delete the connector that had the error and create a new one.
CYR-37227
The creation of the IP subnet-based Connector Group sometimes fails with a group already exists message, even though the group does not exist.
Workaround: Use another name for the IP subnet-based Connector Group.
CYR-37208
When using Prisma Access Clean Pipe, the Network Details page (Panorama > Cloud Services > Status > Status > Network Details) does not show Clean Pipe entries.
CYR-36749
ZTNA connector flow logs related to netflow may not be visible in the Strata Cloud Manager Log Viewer.
CYR-35506
If you have enabled IPv6 for a tenant, deleting the tenant does not free up the IPv6 prefixes that were allocated to it, and those prefixes are not usable again.
Workaround: Do not delete a tenant that has IPv6 enabled.
CYR-34999
For Panorama Prisma Access tenants, if ZTNA Connectors are onboarded, the Provision Progress for service connections (Panorama > Cloud Services > Status > Status > Service Connections > Provision Progress) shows provisioning progress for both ZTNA Connectors and Service Connections.
CYR-34770
If you configure multiple portals in Prisma Access for the Mobile Users—GlobalProtect deployment, you must configure an authentication profile under Client Authentication on all portals. If you do not configure at least one authentication profile, an authentication cookie will not be generated and the multi-portal feature will not work as desired.
CYR-34720
GlobalProtect DDNS functionality does not work when using a Panorama running 10.1.x to manage Prisma Access with the Cloud Services plugin.
CYR-33877
If, during Explicit Proxy setup, you select Skip authentication to skip authentication for an address object, and then later want to enable authentication by deselecting Skip authentication for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
CYR-33471
If you enable multi-tenancy, create a new sub tenant, configure Mobile Users—GlobalProtect, Remote Networks, and Colo-Connect device groups, then configure Colo-Connect subnets and VLANs and perform a partial commit, the partial commit fails with an Unable to retrieve last in-sync configuration for the device error.
Workaround: Perform a Commit and Push operation when configuring Colo-Connect for the first time instead of a partial commit.
CYR-33454
If you configure Prisma Access in a multi-tenant deployment, perform a Commit and Push, then configure Colo-Connect, the choice to Commit and Push your changes is grayed out.
Workaround: Click Commit > Commit to Panorama, then Commit > Push to Devices, click Edit Selections and make sure that Colo-Connect is selected in the Push Scope; then, retry the commit and push operation.
CYR-33199
Current user counts and 90 day user counts are not correct for Kerberos authenticated users.
CYR-33145
When a Prisma Access license for any service type expires, any Commit All operation fails with a generic Commit Failed error message.
Workaround: Make sure that all your Prisma Access licenses have not expired before performing commits.
CYR-32687
EDLs, Address objects of type IP Wildcard Mask and FQDN, and Dynamic Address Groups do not work on decryption policies when Agent or Kerberos authentication is used with Explicit Proxy.
Workaround: Use Address objects of IP Netmask, IP Range, or Address groups in the decryption policies.
CYR-32666
When importing a previously saved Panorama configuration that included a Colo-Connect configuration, or reverting from a previously-saved configuration, you receive errors if the following conditions are present:
  • You are loading a Configuration that has Colo-Connect service connections configured.
  • You are loading an empty Prisma Access configuration.
  • You revert from a previously-saved configuration, and the following conditions are present:
    • A Colo-Connect configuration (with service connections) exists on the current configuration and a Colo-Connect configuration does not exist on the configuration to which you want to revert.
    • A Colo-Connect configuration does not exist on the current configuration and a Colo-Connect configuration (with service connections) exists on the configuration to which you want to revert.
    • A Colo-Connect configuration (with service connections) exists on the current configuration and also exists on the configuration to which you want to revert.
Workaround: Colo-Connect service connections cannot be onboarded unless their corresponding VLANs are in an Active state. Delete any Colo-Connect service connections before exporting or reverting a Panorama image; then, re-create the Colo-Connect service connections after importing the new image.
CYR-32661
When GlobalProtect is connected in Proxy mode or Tunnel and Proxy mode, user logins will not count toward the number of current users or the number of users logged in over the past 90 days under Mobile Users—Explicit Proxy.
CYR-32564
ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
  1. Create a custom URL category and add application FQDNs for the onboarded applications for ZTNA connector.
  2. If you are using a default profile group, clone a new group and attach the custom URL category you created in Step 1. If you are using a custom profile group, attach the custom URL category you created in step 1.
  3. Make sure that you attach either the cloned profile group or the custom profile group (from step 2) to the security policy you created to allow traffic destined to ZTNA connector applications.
CYR-32511
You can configure IPv6 DNS addresses even if IPv6 is disabled.
CYR-32431
When configuring Explicit Proxy, when you add Trusted Source Address values under Authentication Settings, configure other settings, and then return to the Authentication Settings tab, the trusted source addresses might not display correctly.
Workaround: Refresh the Panorama that manages Prisma Access, then return to the Authentication Settings tab to see the addresses.
CYR-32191
ZTNA Connector is not supported in multitenant environments.
CYR-32004
Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.
CYR-31603
ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.
CYR-31187
When using the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: When you Commit and Push, make sure that you choose both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy in the Push Scope when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.
CYR-30414
If you have enabled multiple portals in a multitenant deployment that has only one tenant, and you then disable the multiple portal functionality on that single tenant, you are able to see both portals on the UI.
Workaround: Open a CLI session on the Panorama that manages Prisma Access and enter the following commands, then perform a local commit on the Panorama:
set plugins cloud_services multi-tenant tenants <tenant_name> mobile-users multi-portal-multi-auth no
request plugins cloud_services gpcs multi-tenant tenant-name <tenant_name> multi_portal_on_off
CYR-30044
Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, perform a Commit and Push operation, and then go back and update the EDL in your block Settings.
CYR-29964
Attempts to reuse a certificate signing request (CSR) to generate a certificate results in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs.
CYR-29933
Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests" error.
Workaround: Do not use this API call more than one time per hour.
CYR-29700
If you configure multiple GlobalProtect portals in a multitenant Prisma Access Panorama Managed deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error.
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis.
CYR-29160
If the Panorama that manages Prisma Access is configured in FIPS mode and you select Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM, the certificate does not get downloaded.
Workaround: This functionality is not available on Panorama appliances in FIPS mode until your Prisma Access dataplane is upgraded to 10.2.4.
CYR-26112
If you do not have a Net Interconnect license, all Remote Networks in a theater are fully meshed, but if you haven't onboarded a Service Connection in a theater, the Remote Networks cannot be reached from Remote Networks in other theaters.
Workaround: Either purchase a Net Interconnect license or onboard a service connection in a theater to have the Remote Networks communicate with other theaters.

Known Issues for Dynamic Privilege Access

Issue ID
Description
PANG-4881
If the web browser that the user used to authenticate the Prisma Access Agent remains open, traffic from the web browser to Prisma Access Agent will be sent over the tunnel regardless of how the forwarding profile is configured.
PANG-4870
On macOS devices that have the Prisma Access Agent installed, if you remove the full disk access for the security extension for the Prisma Access Agent (after granting full disk access previously), the Prisma Access Agent will get stuck in the disabled mode.
Workaround: Grant access to the security extension by selecting System Settings > Privacy & Security > Full Disk Access and enabling the securityExtension from the list of apps.
PANG-4825
When configuring forwarding profiles, an issue exists where configuring large numbers of forwarding rules for source applications, destination domains, and IP addresses (routes) can cause high CPU utilization.
Workaround: Do not configure more than 100 forwarding rules for source applications, destination domains, and IP addresses.
NETVIS-1363
In Insights on Strata Cloud Manager, the Project Connectivity History view in the user details page shows only the project name and no other detail when the Prisma Access Agent user is connected. The Project Connectivity History is blank when the user is not connected.
NETVIS-1293
In Insights, the Project Connectivity History doesn't show the correct data when the Time Range is set to Past 3 Hours, Past 1 Hour, and Past 15 Minutes.
NETVIS-1263
In Insights, the number of connected users listed in the Projects tab might not be accurate. In some cases, the number of connected users in the Project tab does not match the number of users in the Users tab. For example, when the same user is connected to two projects on different devices, the number of connected users in the Projects tab does not match the number of users in the Users tab.
NETVIS-1207
In Insights, the Projects tab does not show all the IP pools that are configured for a project. Only the IP pools that are in use are shown.
EPM-2954
User groups that have more than 50000 users are not supported in the project configuration of Dynamic Privilege Access. Make sure that the user group associated with a project has less than 50000 users.
EPM-1589
When configuring forwarding profiles, even though Strata Cloud Manager allows you to configure IP addresses with wildcards, using wildcard characters in destination IP addresses, such as 10.*.*.*, is not supported as it will cause inconsistent behavior in forwarding profiles.
EPM-1399
Changing a project name in the Projects tab of the Dynamic Privilege Access page in Strata Cloud Manager is not supported at this time.
Workaround: To rename a project, delete the existing project and perform an Access Agent push configuration, then create the project with the new name and perform an Access Agent push configuration.
EPM-646
On a Prisma Access tenant where Dynamic Privilege Access is enabled, a configuration push will fail if you try to push the Prisma Access Agent infrastructure configuration without first configuring any projects.
Workaround: Configure at least one project before you do a push config.
DRS-5152
An issue exists where the duration for synchronizing directory changes in the Cloud Identity Engine varies based on the directory and the volume of changes. If the directory changes are minimal, the Cloud Identity Engine usually completes the sync in minutes. However, if there are numerous changes in the directory, the directory sync might take hours to complete.
DRS-4907
Updates made in the Identity Provider (IdP) are not immediately reflected in the Cloud Identity Engine and Prisma Access Agent management plane. This delay occurs because the Cloud Identity Engine needs to sync with the IdP to capture the changes. The Cloud Identity Engine runs sync jobs every 5 minutes, but only when no other sync is in progress. The duration of the sync process is affected by the magnitude of changes in the Cloud Identity Engine directory, meaning larger or more numerous changes will result in a longer sync time. After the sync is complete, it can take up to 15 minutes for the changes to appear in the Prisma Access Agent management plane.
DRS-4691
When searching for a user group in Cloud Identity Engine or Strata Cloud Manager using the Text Search option, surround the user group name with double quotes. For example, when searching for a user group named EXAMPLE.User_Group, enter "EXAMPLE.User_Group".
DRS-4406
When configuring a project in Strata Cloud Manager, you cannot search for a User group by providing a partial user group name.
Workaround: To search for a user group, enter the complete User group name.
DOCS-7025
An issue exists in Dynamic Privilege Access where existing IP pools configured in a project cannot be modified.
Workaround: To modify an existing IP pool, delete the existing IP pool in a project and save the project. Then, edit the project again to add the new IP pool. For example, to change the IP pool address from 10.10.10.0/25 to 10.10.10.0/24, delete the existing pool in the project, save the project, and edit the project again to add the new IP pool.
DOCS-5681
Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant is not supported in Prisma Access 5.2.
Enabling ZTNA Connector on a Dynamic Privilege Access enabled tenant can cause issues in routing. Service might also be impacted because Strata Cloud Manager does not support the deletion of ZTNA Connector once it has been created.
DOCS-5611
When authorizing user group mapping in Cloud Identity Engine for Dynamic Privilege Access, when selecting the SAML attributes you want Prisma Access to use for authentication, ensure that you select a Username Attribute that contains /identity/claims/name.
If you select the wrong username attribute, your users will not be able to authenticate to their projects.
DOCS-5463
An issue exists where random tunnel disconnects can occur if the Collect HIP Data option is not enabled in the Agent Settings page. Therefore, do not disable Collect HIP Data in the Host Information Profile (HIP) section of the Access Agent Settings page.
DOCS-3650
For Cloud Identity Engine authentication to work on a Dynamic Privilege Access enabled Prisma Access tenant, ensure that a user group is not mapped to multiple SAML applications in the identity provider (IdP).
If multiple apps are mapped to a user group, Cloud Identity Engine cannot determine which SAML app to connect to during authentication because there is no unique mapping.
ADI-33262
On a Prisma Access tenant where Dynamic Privilege Access is enabled, a Mobile User Container > Access Agent configuration push will fail without first configuring a project in Strata Cloud Manager.
Workaround: Configure at least one project before you do a push config.
ADI-31750
The number of IP pools that are supported per project is 50. The performance will be impacted if the number of IP pools per project exceeds 50.
Workaround: Allocate no more than 50 IP pools per project.
ADI-31601
On a Dynamic Privilege Access enabled tenant, Strata Cloud Manager allows you to configure more than 100 IP pools per project, even though it will cause the push config to fail with a generic error.
Workaround: Do not configure more than 100 IP pools per project.
ADI-31538
An issue exists where, when setting up a forwarding profile, the forwarding profile Type is displayed as "ZTNA Agent" instead of "Prisma Access Agent". Also, if you select Add Forwarding Profile, the drop-down shows "ZTNA Agent" instead of "Prisma Access Agent".
Workaround: None. The forwarding profile type will be changed to "Prisma Access Agent" in the future.
ADI-31523
Do not create snippets with descriptions that contain special characters. Snippet descriptions that contain special characters such as ! ~ @ # $ % ^ & * ( ) _ + are not supported.
ADI-31306
When setting up a forwarding profile, an issue exists where all the options in the Traffic Enforcement section of the Forwarding Profile page are enabled by default. Enabling all of these options by default can cause unexpected or undesirable behavior.
Workaround: Disable these options for Dynamic Privilege Access.
ADI-31305
When setting up a forwarding profile, an issue exists where the Enforce FQDN DNS resolution using tunnel DNS servers and Resolve all FQDNs using DNS servers that are assigned by the tunnel (Windows agents only) options are shown in the Traffic Enforcement section of the Forwarding Profile page.
These two options should not be shown since the intended functionality of these options can be configured using the forwarding profile rules.
ADI-30902
Strata Cloud Manager uses the user and user group information from a Cloud Identity Engine directory in multiple configurations, such as Dynamic Privilege Access project configurations, Prisma Access Agent settings, security policies, and staged rollout configurations. After making these configurations, if you delete the directory from Cloud Identity Engine but don't delete the Strata Cloud Manager configurations that reference those users and user groups, you might encounter unexpected errors, such as "500 Internal Server Error."
Workaround: When you remove a directory from Cloud Identity Engine, you must also delete the Strata Cloud Manager configurations that reference the users and user groups in that directory.
ADI-30468
An issue exists in the Access Agent > Infrastructure Settings page in Strata Cloud Manager, where both the Prisma Access Managed and OnPrem DHCP Server options appear in the Client IP Pool Allocation section.
When provisioning users on a General Availability Prisma Access tenant with Dynamic Privilege Access enabled, ensure that you do not select OnPrem DHCP Server because the configuration cannot be reverted once you save it. OnPrem DHCP Server is not supported for Dynamic Privilege Access General Availability tenants and will be removed from Strata Cloud Manager in a future release. If you select OnPrem DHCP Server, your tenant will be rendered unusable for basic Dynamic Privilege Access workflows.
ADI-29665
Do not use special characters in project names, otherwise Strata Cloud Manager will issue a "Malformed Request" error message when you try to save the project configuration.
ADI-29434
In the Agent Settings page in Strata Cloud Manager, the recommended value for the Session timeout is 7 days.
ADI-29272
When creating a snippet, if you disable the Add prefix to object names option, ensure that you don't use duplicate agent settings names in two different snippets, since it can result in unexpected behavior.
ADI-26493
In Access Agent > Infrastructure Settings in Strata Cloud Manager, the OnPrem DHCP Server option in the Client IP Pool Allocation section is not selectable. This is working as intended since OnPrem DHCP Server is not supported for Dynamic Privilege Access.
This option will be renamed to OnPrem DHCP Server (Preview Only) so that existing Dynamic Privilege Access enabled Prisma Access tenants can function correctly.
ADI-24562
An issue exists where you are allowed to create more than one project with the same domain and user group if those projects were configured from different configuration snippets. Avoid this configuration because it can cause unexpected behavior in some Strata Cloud Manager workflows.
Workaround: Do not configure different projects using the same domain and user group.