Prisma Access Known Issues
Prisma Access has the following
known issues.
Issue ID | Description |
---|---|
CYR-20895 | If you have created a remote networks deployment
that allocates bandwidth by compute location and then delete the
remote network license, any commit for changes to features that
are still licensed fails with a Failed plugin validation error. Workaround:
Delete the unused remote network configuration by opening a CLI
session with admin-level privileges, entering configure to
enter configuration mode, and then entering delete plugins
cloud_services remote-networks. Then, retry the commit
operation. |
CYR-20729 | When completing a mobile user setup in a
FedRAMP Moderate deployment and configuring the mobile user IP address
pool, you receive an Operation Failed message
with text that indicates that Prisma Access could not auto-generate
an authentication cookie certificate. In addition, when committing
and pushing your changes, you receive a validation error related
to a cookie decryption certificate. Workaround: Create
a signed certificate and apply it to the Mobile Users—GlobalProtect
configuration by completing the following steps:
|
CYR-20348 | When upgrading from Prisma Access 2.1 to
2.2, a local Commit to Panorama or Validate
Changes request fails with the message domain-list unexpected here. |
CYR-19983 | If you Enable IPv6,
select the compute locations in IPv6 Availability,
commit and push your changes, then deselect Enable IPv6,
the selections you made in the IPv6 Availability tab
become deselected. Workaround: Re-select the compute
locations in the IPv6 Availability tab. |
CYR-19975 | When you Enable IPv6, a window displays
asking you to enable Telemetry Data Collection. Workaround:
Click Remind Me Later to dismiss the window. |
CYR-19653 | If the following conditions exist when using Explicit Proxy,
mobile users might experience issues
with CORS requests and non-decrypted traffic:
Workaround:
Clear your browser's cache to re-authenticate with the ACS. |
CYR-19646 | BGP addresses ending with .0 or .255 are
not allowed to be entered in the UI as peer BGP addresses for service
connections or remote networks, regardless of the subnet being used. Workaround:
Use CLI commands to enter the .0 or .255 address by logging in to
the Panorama that manages Prisma Access and entering one of the
following commands:
set plugins cloud_services service-connection onboarding sc-name protocol bgp peer-ip-address ip-address
set plugins cloud_services remote-networks onboarding rn-name protocol bgp peer-ip-address ip-address
Where sc-name or rn-name is
the name of the service connection or remote network connection. |
CYR-19598 | When using explicit proxy, some users might
experience an issue where some websites are not able to be accessed
after the Authentication Cache Service (ACS) Cookie Lifetime has
expired. This condition can persist for up to five minutes. Workaround:
Browse a different website to re-authenticate to ACS and refresh
the ACS cookie. |
CYR-19503 | IP precedence-based classification is not
working for Prisma Access, when using either IPv4 or IPv6 IP addresses. |
CYR-19487 | When you enable IPv6 for a single tenant
in a multi-tenant deployment, the UI page refreshes and displays
the Cloud Services > Configuration page,
where you select the drop-down for all tenants. |
CYR-19350 | When any change is made to an authentication
profile, the LDAP server or local user database in a shared context
removes the user group mapping information from Prisma Access. |
CYR-19282 | When configuring mobile users DNS settings
in the Network Services tab, you should not
enter Custom DNS Server IP addresses (either
IPv4 or IPv6) without also specifying a Domain List. Workaround:
Specify a Domain List. |
CYR-19198 | If you add an IPv6 address pool to your
Mobile Users—GlobalProtect deployment, select the regions to Enable
IPv6 in the IPv6 Availability tab, and Commit
and Push your changes, the pools appear in the IPv6
Availability tab. If you then disable all regions, effectively disabling
IPv6, and then Commit and Push your changes,
the IPv6 address pools still display in the IPv6 Address Pool tab. Workaround:
There is no workaround. If you later enable IPv6 for one or more
regions, you can use the existing IPv6 address pool. You can also
specify a different IPv6 address in the IP Pools and,
after you commit and push your changes, the new IPv6 Address pool
overwrites the existing addresses and displays in the IPv6 Availability
tab. |
CYR-19093 | In a multi-tenant deployment, you receive
a Configuration committed successfully message
along with a Not all Commit-All jobs got triggered message. Workaround:
Select Commit > Commit and Push, Edit Selections,
and in the Prisma Access tab, make sure that
the Push Scope includes the changes you made
for the Prisma Access configuration. Depending on the changes you
made, select one or more of the Remote Networks, Mobile Users, Service
Setup, and Explicit Proxy choices. |
CYR-19030 | If you are sinkholing IPv6 traffic, the
policy rule hit counts for traffic that matches the IPv6 sinkhole
policy do not increment when entering the CLI command show
rule-hit-count vsys vsys-name vsys1 rule-base security rules all. |
CYR-18757 | In a multi-tenant deployment, admin users
that have more than one access domain cannot configure new remote
networks or service connections, and can only view what is already
deployed. Workaround: Create the access domain first,
then select the access domain you created when you convert the single tenant
to a multi-tenant setup. |
CYR-18234 | When you select Integrate with
Prisma SD-WAN, the integration fails. |
CYR-18157 | When downloading a large file (including
but not limited to programs, browser extensions, or apps) using
Explicit Proxy, if the download takes longer than the cookie lifetime,
the download fails when the cookie expires. |
CYR-17868 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When attempting to retrieve Logging Status
information from Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands) and
selecting All locations or All remote
networks, the request times out. Workaround: The issue
might be with one or more locations or remote networks being slow
to respond. Try selecting a single mobile user location or remote
network. |
CYR-17848 | If you are using a Panorama with a version
of PAN-OS 10.1 to manage Prisma Access, and you migrate a Remote
Network deployment from allocating bandwidth by location to allocating
bandwidth by compute location, the migration banner displays the
location names in an incorrect (large) font. Workaround:
No workaround is required. There is no change to the migration functionality;
the only issue is with the font displayed during the migration. |
CYR-17826 | When using Troubleshooting Commands (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands)
with Panoramas that are in High Availability mode, the commands
cannot be run from the passive Panorama. |
CYR-17739 | When configuring an Explicit Proxy deployment,
if you onboard your deployment, then retrieve the Explicit Proxy
public IP addresses, you will receive the active IP addresses to
add to your allow list, but will not receive the pre-allocated backup
IP addresses. Workaround: Retrieve the Explicit Proxy
IP addresses before you onboard your deployment by specifying an addrType of all and
a location of all. |
CYR-17710 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | When using DLP to check a downloaded .xlsx
file, the original size of the file is below the maximum DLP file
size. However, after the file is extracted, the file size exceeds
the maximum file size for DLP and a 400 Bad request error
is received. |
CYR-17402 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | Remote networks that aggregate bandwidth
by compute location instead of by location cannot be onboarded in
bulk by exporting, modifying, and then importing a CSV file. |
CYR-17077 | If you delete an explicit proxy configuration
and then reconfigure it within 10 minutes of its deletion, Prisma
Access cannot properly process the new configuration and explicit
proxy functionality could be affected. Workaround:
Wait at least 10 minutes after deleting an explicit proxy configuration
before reconfiguring it. |
CYR-17066 This issue is now resolved
in plugin version 2.0.0-h3. See Prisma Access 2.0.0-h3 Innovation Addressed Issues. | In a multi-tenant deployment, exception
errors are displayed because of inconsistent internal database entries. |
CYR-17024 | When using Panorama 10.x to manage
Prisma Access, if you configure an Authentication Enforcement Profile
under Objects > Authentication and
specify an Authentication Profile that resides in a Shared location,
you receive an error when committing the changes. Workaround:
If you use a Panorama 10.x to manage Prisma Access, do not
use a shared Authentication Profile for any Authentication Enforcement
Profile; instead, use an Authentication Profile that is under one
of the Prisma Access Templates. |
CYR-16965 | When using explicit proxy, there could be
a delay when displaying user details under Current User
Count due to a log ingestion issue between explicit
proxy and Strata Logging Service. |
CYR-16801 This issue is now resolved
in plugin version 2.0.0-h6. See Prisma Access 2.0.0-h6 Innovation Addressed Issues. | When using explicit proxy, large HTTP file
downloads are frequently interrupted. Workaround:
Keep resuming the download until the file is completely downloaded.
This issue is not seen when downloading HTTPS files. |
CYR-16789 | When performing a local commit or Commit
and Push operation, you receive the error Internal Server Error: Failed to aggregate bandwidth configuration. Workaround:
Check the DNS configuration of the Panorama appliance that manages
Prisma Access, and check that Panorama is able to contact your network's
DNS servers, then retry the operation. |
CYR-16735 | If, during Explicit Proxy onboarding, you
onboard a large number of locations, the Explicit Proxy status might
display its status incorrectly (for example, a status of ERROR might
display when the onboarding was successful). |
CYR-16674 | If you change the Explicit Proxy URL in
Prisma Access but do not change the PAC file to reflect the change,
the change won't be applied. Workaround: Upload a new
PAC file with the same changes as you made in the Explicit Proxy
URL. |
CYR-16673 | If you change the proxy FQDN, the changes
are not immediately reflected after the job status completes. Workaround:
Wait 10 to 15 minutes for the changes to be reflected
after the Job status shows as Completed on
Panorama. |
CYR-16666 | When using explicit proxy, the current user
count and 90-day user count are not populated for customers
who have onboarded their tenant in the Africa, Europe & Middle
East and Asia, Australia, & Japan theaters. Onboarded locations
in the North America & South America locations report their
user count correctly. |
CYR-16665 | When using explicit proxy, the IP address
might not be correct in the Current Users area. The correct value
displays in the Traffic logs and in other areas in explicit proxy. |
CYR-16664 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | If Directory Sync is enabled for explicit
proxy, the current user count displays as 0, but the 90 days count
displays correctly. |
CYR-16662 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When in multi-tenant mode, an empty field
displays in the Push Scope. |
CYR-16642 | There is a delay observed to populate the
Rule Usage column on the Policies page. Workaround:
Refresh the page by clicking on the refresh button on the right
side. In addition, the Preview Rules tab does not display
the Rule Hit counters. Workaround: Click the Used link
on Rule Usage column to display the Rule
Hit count for the rule. |
CYR-16615 | The maximum length of a URL that can be
used with explicit proxy is 1280 characters. |
CYR-16583 | WildFire logs show explicit proxy logs as
having a source zone of Proxy. If you use a name of Proxy for Clean
Pipe instances or remote networks, you will not be able to differentiate
between explicit proxy logs and logs with the clean pipe or remote
network name of Proxy. Workaround: If you use explicit
proxy, do not specify a name of Proxy for any Clean Pipe instances
or remote networks. |
CYR-16580 | The Panorama > Cloud Services > Status > Monitor > Mobile Users > Explicit Proxy page incorrectly
shows the current number of users as 0. |
CYR-16549 This issue is now resolved
in plugin version 2.2.0. See Prisma Access 2.2.0 Preferred Addressed Issues. | After a commit and push operation, jobs
either become stuck in init state or
fail to complete. Workaround: The issue might be with
an EDL update being processed at the same time as the commit operation.
To work around the issue, select Objects > External Dynamic Lists and
change the Check for updates setting from Every
five minutes to Hourly or later. |
CYR-16284 | When you enter the show pbf extended-address all command
to retrieve the traffic steering cache, an FQDN displays with an
asterisk, such as *.example.com. Workaround: No workaround
is required. The displayed FQDN is correlated to the FQDN server
that presented the certificate. |
CYR-16130 | When configuring a Mobile Users - GlobalProtect
deployment using SAML authentication, you receive a pangp.gpcloudservice.com is missing certificate error
when you commit your configuration changes. Workaround:
Add the missing certificate in your SAML IdP configuration by selecting Device > Mobile_User_Template > Authentication Profile in Panorama
and adding the certificate. |
CYR-16097 | A webpage may contain links of resources
from the domains other than the domain from where the webpage is
served. Most modern browsers do not send any cookie along with the
requests to get the resources from those third-party domains for
security reasons. Since there is no cookie present to identify the
user for those third-party domains, the user name cannot be logged
in the traffic logs for those domains. In addition, there
will be some connections that Prisma Access redirects for authenticating
a user. Logs for such connections will not have any username. |
CYR-16073 | When using traffic steering, if you specify
External Dynamic List that has an IP address and port, traffic is
not forwarded to the target. Workaround: Remove the
port number from the IP address. |
CYR-16015 | When using explicit proxy, if you update
the cookie lifetime to a shorter lifetime than the previously configured
value, the new lifetime value does not apply to users who are already
logged in until the original longer lifetime expires. New users
logging into the service receive the new shorter cookie lifetime. |
CYR-15926 | Explicit proxy configuration changes are
not applied to the configuration after a commit. Workaround:
If you are not seeing the changes after retrying the commit operation,
contact Palo Alto Networks support. |
CYR-15792 | If, when configuring Explicit Proxy, you
upload a PAC file before committing and pushing your configuration
changes, the PAC file configuration changes are not correctly processed. Workaround:
Commit and push your configuration changes before uploading the
PAC file. |
CYR-15338 | In a multi-tenant environment, tenant names
with a period (.) in the name cause configuration tabs to
be grayed out after commit. Workaround: Do not create
tenants that have a period in their name. |
CYR-15267 | When administrators log out a mobile user
who is logged in using SAML from the Prisma Access status page (Panorama > Cloud Services > Status > Status > Current
Users), a Single Logout (SLO) request
is not generated. As a result, the user is logged out of the gateway
but is not logged out of the IdP, and if the client SAML cookie
is still valid, the user can reconnect without having to input credentials. |
CYR-15099 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | When you create a traffic steering rule,
Prisma Access does not auto-populate the Source User, Dynamic User
Group, External Dynamic List (EDL), or custom URL category in the
user interface. Workaround: Open a CLI session with
the Panorama that manages Prisma Access, enter configuration mode,
and enter the following command:
set plugins cloud_services multi-tenant tenants tenant-name pbf
rules traffic-steering-rule source [ enabled | [ action [ forward | no-pbf ]]
| [ category custom-url-category ]
| [ destination [ DAG dag-name ]]
| [ service [ any | service-http | service-https | other-value ]]
| [ source source-options ]
| [ source-user source-user-name ]]
This makes the shared objects available for selection. |
CYR-15095 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | When using Panoramas with a version of 10.0
to manage Prisma Access, if you reference an EDL with a Type of
Predefined URL List in a security policy rule, commits fail with
an error indicating a disallowed keyword, invalid reference, or
invalid category. Workaround: Dereference the EDL in
the security policy. |
CYR-15091 | Extra IPSec termination nodes are allocated
to a compute location if you allocate bandwidth multiple times in
a very short time interval. |
CYR-15042 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | Auto-population of users and user groups
from a master device is not supported in multi-tenant mode. |
CYR-14997 | When you allocate Bandwidth to a compute
location from the Onboarding section, that allocation is not reflected
immediately in the Bandwidth Allocation tab until you manually refresh
the page. Workaround: Manually refresh the Panorama
that manages Prisma Access. |
CYR-14937 | When you upgrade the Cloud Services plugin
and then perform a commit operation, not all Prisma Access components
are selected in the Push Scope. Workaround: Select Commit > Commit and Push, Edit Selections in
the Push Scope, and make sure that all Prisma
Access components (Service Setup, Remote
Networks, Mobile User, and Clean Pipe,
depending on your license) are selected before committing and pushing
your changes. |
CYR-14984 | When you change the name of a target service
connection group for traffic steering, the updated target name does
not display in the Traffic Steering Rules area. Workaround:
Refresh the Panorama browser. |
CYR-14980 | If you use IKEv2 with certificate-based
authentication, only SHA1 is supported in IKE crypto profiles (Phase
1). Workaround: Use an IKEv2 (Phase 1) cryptographic profile
of SHA1 on your customer premises equipment and in Prisma Access. |
CYR-14902 This issue is now resolved
in plugin version 1.8. See Prisma Access 2.0 Innovation Addressed Issues. | If you allocate bandwidth when onboarding
a remote network location and then reselect the same location or
choose another location in the same compute location without clicking OK,
the allocate bandwidth window redisplays. Workaround:
Click OK after allocating compute location
bandwidth when onboarding a remote network location. |
CYR-14876 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | If you edit traffic steering rules or enable
a default route over service connections after you migrate from
single tenant to multi-tenant mode, the push scope for Prisma Access
Device Groups is not populated. Workaround: Select Commit > Commit and Push, Edit Selections in
the Push Scope, and make sure that you select
all device groups (Service Setup, Remote
Networks, Mobile User, and Clean Pipe,
depending on your license) before committing and pushing your changes. |
CYR-14816 | If a service connection loses both its active
and backup connectivity, mobile users lose connectivity to users
and resources connected to Remote Networks and Service Connections. |
CYR-14754 | If you have two Panorama appliances configured
in high-availability mode, the passive Panorama will display an out of sync message
during a commit and push operation. Workaround: Open
a command-line interface (CLI) session on both the passive and active
Panorama and enter the following commands:
username@hostname> debug md5sum_cache clear
username@hostname> configure
username@hostname# commit force |
CYR-14728 | Prisma Access bypasses Traffic Steering
for rules with a service type of HTTP or HTTPS if you use an application
override policy for TCP ports 80 and 443. In addition, traffic
steering does not work for URLs from URL categories referenced in
the traffic forwarding rule if you have configured an application
override policy for TCP ports 80 or 443. |
CYR-14727 | Mobile user route summarization is not supported
in hot potato routing mode. |
CYR-14693 | When using hot potato routing, Mobile User
route summarization may add extra latency for traffic between mobile
users and headquarters or branch traffic. |
CYR-14673 | After you create a traffic steering rule
with an IP address, IP address group, EDL, or custom URL category
as a Shared object, make changes to any of those objects, and then
commit and push your changes, only the Shared object displays in
the Push Scope; the Prisma Access device groups are not displayed
in the push scope. Workaround: Select Commit > Commit and Push, Edit Selections in
the Push Scope, and make sure that you select
all device groups (Service Setup, Remote
Networks, Mobile User, and Clean Pipe,
depending on your license) before committing and pushing your changes. |
CYR-14613 | When adding or deleting URLs to a custom
URL category, Prisma Access does not purge its cache, and the change
does not immediately take effect. Workaround: Perform
one of the following actions:
|
CYR-14603 | To make sure that Prisma Access can distinguish
between users if the same username is shared between users who authenticate
locally and users who authenticate using LDAP, you should authenticate
LDAP users in the format of domain/username and authenticate local
users in the format of username (without the domain name). |
CYR-14584 This issue is now resolved
in plugin version 2.0. See Prisma Access 2.0 Innovation Addressed Issues. | UDP packets that Prisma Access receives
between 1439 and 1500 bytes are dropped in some situations (for
example, if NAT Traversal is enabled). Workaround:
Reduce the MTU size on your customer premises equipment to 1400
or below. |
CYR-14383 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using an antivirus profile attached
to a security policy rule, files are not being scanned during an
FTP session. |
CYR-14382 This issue is now resolved
in plugin version 2.1. See Prisma Access 2.0 Innovation Addressed Issues. | When using WildFire in remote network deployments,
if you upgrade your Prisma Access dataplane to a version of 10.0.3
or later, you cannot retrieve the latest WildFire signatures in
real-time. Prisma Access uses its default method of updating WildFire
signatures every five minutes. |
CYR-14278 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you make changes to traffic steering
forwarding rules, then commit and push your changes, your changes
do not appear in the Push Scope. Workaround: Modify
the Push Scope by clicking Edit Selections,
then selecting the device group or groups you changed (Service
Setup, Remote Networks, Mobile Users,
or all three). |
CYR-14259 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | When you create a traffic forwarding rule
for traffic steering, predefined URL categories might display as
choices along with custom URL categories. Workaround:
Predefined URL categories are not supported; do not select them
when configuring a traffic forwarding rule for traffic steering.
Select custom URL categories instead. |
CYR-14110 | If Panorama access is disabled in an Admin
Role Profile, you can still see the contents of the plugin, but
the fields are read-only. |
CYR-13823 | When you upgrade the Cloud Services plugin
to 1.7, Prisma Access prepends an asterisk to URLs in custom URL
categories, if you use this category in a traffic steering forwarding
rule. If you use the same URL category policies for both traffic
steering and other security policy rules, these changes apply to
both the traffic steering rules and other security policy rules. If
you have custom URL categories that are not used in traffic steering
forwarding rules, Prisma Access does not change the URLs in those
categories. |
CYR-13822 | Prisma Access prepends an asterisk to URLs
in custom URL categories, which doubles the number of URLs entered
in a custom URL category. Prisma Access supports a maximum of 300,000
URLs in URL category entries; if you use custom URLs for traffic
steering and are close to this limit, the doubling of URLs might
cause your deployment to exceed the limit of URLs. |
CYR-13772 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | External Dynamic Lists (EDLs) are not supported
when using traffic forwarding rules to direct internet-based traffic
to service connections. Workaround: Use IP-based EDLs
only. |
CYR-13751 | If you used policy-based forwarding rules
to forward internet-bound traffic to service connections in Prisma
Access 1.6, Prisma Access makes the following additions to URLs
in custom URL categories after you upgrade from 1.6 to 1.7:
If you already have added URLs with wildcards,
Prisma Access might add URLs that duplicate existing URLs after
the upgrade. |
CYR-13702 This issue is now resolved
in plugin version 2.1.0. See Prisma Access 2.1.0 Innovation Addressed Issues. | When you select Panorama > Cloud Services > Status > Monitor > Strata Logging Service,
the Service Status area displays No data to display, even
though Strata Logging Service is working normally. Workaround:
Select the Table view icon on the top right side of the page to
view a tabular view of the statistics instead of the Gauge view. |
CYR-13662 | After you make configuration changes to
an existing service connection or remote network connection (for
example, changing the bandwidth, region, QoS, or BGP values), the
job details in the Deployment Status page (Panorama > Cloud Services > Status > Status > Deployment Status > details) might display a value
of TIMEOUT, even if the job completed successfully. |
CYR-13652 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | If you configure traffic steering (using
PBF rules to forward internet-directed traffic using a service connection)
in multi-tenancy mode, the Target Service Connections do not display
in the policy-based forwarding rule. Workaround: Refresh
the browser, then recreate Target Service Connections
for Traffic Forwarding and the PBF rule. |
CYR-13612 | Prisma Access does not support FTP data
transfers in active mode. |
CYR-13511 | When Prisma Access performs a dataplane
upgrade on a mobile user instance (an upgrade to a Prisma Access
gateway or portal), any failed commits on the instance that were
performed before the upgrade will not be applied to the upgraded
instance. |
CYR-13370 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | External Dynamic Lists (EDLs) are not supported
when using traffic forwarding rules to direct internet-based traffic
to service connections. Workaround: Use IP-based EDLs
only. |
CYR-13317 | During a Prisma Access dataplane upgrade,
BGP statistics may not be available for 30 minutes in the Network
Details page. This unavailability has no impact on dataplane traffic. |
CYR-13290 This issue is now resolved
in plugin version 1.8.0. See Prisma Access 1.8 Addressed Issues. | If you are using URLs or URL categories
as a match criteria in a policy-based forwarding rule for traffic
steering, the initial packets (for example, a TCP handshake) intermittently
do not match the rule for the users who connect to a matching URL
for the first time. |
CYR-13179 | If you use Microsoft Edge or Firefox when
using traffic steering, the browser does not forward traffic on
its first attempt. Workaround: Refresh the browser,
then retry the operation. |
CYR-12912 | If, in a traffic steering deployment with
multiple traffic forwarding rules, two URLs in two separate rules
resolve to the same IP address, Prisma Access sends traffic to the
first rule in the list and will not use the second traffic rule.
Traffic steering evaluates multiple traffic forwarding rules in
order from top to bottom. |
CYR-12700 | For a Prisma Access deployment with two
Panoramas configured in high availability, you are able to request
an upgrade to the GlobalProtect software version on the passive
Panorama. Software upgrade requests are not applied if you request
them on the passive Panorama. Workaround: Do not request
software upgrades on the passive Panorama; only request upgrades
using the active Panorama. |
CYR-12509 | When using traffic steering, Palo Alto Networks
does not recommend using multiple service connections (whether dedicated
or non-dedicated) in a target service connection group that is referenced
in a traffic steering rule. |
CYR-12166 | Prisma Access does not support a rule type
of Intrazone if the source and destination zones are both Trust. |
CYR-11496 | If you enable ECMP on a remote network,
the values shown in the Statistics tab under Panorama > Cloud Services > Status > Monitor > Remote Networks for Ingress
Peak Bandwidth (Mbps) are correct; however, if you click
the hyperlink for this value, the pop-up window that displays might
show an incorrect value. |
CYR-11414 | When creating a new mobile user deployment
in multi-tenant mode, you receive an error that the Portal Hostname
is not available when you assign it during mobile user onboarding. Workaround: Before
you begin your mobile user configuration, add an Infrastructure
Subnet, commit all your changes to Panorama, and push the configuration
changes to Prisma Access. |
CYR-11201 | Some files are being skipped for DLP scanning
when using OneDrive to upload multiple files. |
CYR-11087 | When using DLP on Prisma Access, you can
upload up to 25 files at a time. |
CYR-11019 | When attaching a parent Device Group to
a new remote network tenant in multi-tenant mode, the administrator
is unable to attach device groups and templates. Workaround: Log
out, then log back in to Panorama. |
CYR-10909 | If you use Box to upload multiple files,
and one or more of the files are larger than 5 MB, the upload of
all files will not complete. To continue, find the files in Box
that are larger than 5 MB and click X to
stop the download of those files. |
CYR-10623 This issue is now resolved
in plugin version 2.0.0. See Prisma Access 2.0 Innovation Addressed Issues. | When you check the status in a multi-tenant
deployment by selecting Panorama > Cloud Services > Status,
the information in the All Tenants area displays
twice. |
CYR-10445 | DLP on Prisma Access is not supported in
a Prisma Access multi-tenant deployment. |
CYR-10387 (resolved in plugin version 2.0.0; see Prisma Access 2.0 Innovation Addressed Issues) | If you have DLP on Prisma Access enabled
for more than one Prisma Access instance in a single Customer Support
Portal (CSP) account, data filtering profiles are synchronized across
all instances. This behavior can result in unexpected consequences;
for example, the deletion of a custom data pattern or data filtering
profile for one instance does not delete that pattern or profile
for other instances in the CSP account. For this reason, Palo Alto
Networks recommends that you move each Prisma Access instance to
its own CSP account. |
CYR-10053 | If you change the master key in Panorama
(in Device > Master Key and Diagnostics), the master key for
Cloud Services is not synchronized with this master key. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Edit Master Key and
manually change the master key to be the same as the Panorama master
key. |
CYR-10044 | When using Slack to upload multiple files,
the Slack client treats the multiple file upload as a single request.
If one of the files is not successfully uploaded, Slack retries
the upload of all files a maximum of three times. If, after three
retries, Slack cannot upload one or more of the files, the Slack
client displays an error in the UI and doesn't upload any of the
files. |
CYR-10043 | When you upload a file using Slack, and
the file is blocked, Slack detects the block operation as an upload
failure and retries the file upload, which results in the same file
being uploaded and blocked twice. Workaround: This
is normal Slack file upload behavior. Be aware that a single file
that is uploaded using Slack might appear twice in the data filtering
logs as being blocked. |
CYR-9613 | When you delete a data filtering profile
from a Prisma Access device group that is not shared, the profile
name still appears when you add or configure a Security Profile
Group, in the Data Filtering Profile area. |
CYR-9455 | In a GlobalProtect deployment where the
portal has multiple agent configs, when a GlobalProtect client logs
in using the app, the portal looks for a matching agent config for
the client by checking its OS type along with the config selection
criteria. The agent configs are checked from top to bottom. If the
OS type matches, but the config selection criteria does not, GlobalProtect
marks the agent config as non-matching and moves to the next agent
config to check for a match; however it no longer checks the OS
type in these agent configs, and only looks for a match of the config
selection criteria. This condition can cause the client to receive
an agent config that has matching config selection criteria, but a
non-matching OS type. |
CYR-9348 | When configuring HIP redistribution, you
cannot retrieve HIP information and set policies for the following
use cases:
|
CYR-9213 | When using DLP on Prisma Access, when you
upload a .docx file using SharePoint that was exported from Google
Docs, the upload fails. |
CYR-9183 | When setting up the GlobalProtect gateway
connection settings (Network > GlobalProtect > Gateways > Agent > Connection Settings)
and specifying a Netmask to Restrict Authentication Cookie Usage,
the commit fails if only a Source IPv4 Netmask is
specified. Workaround: Specify a Source
IPv6 Netmask of 0, which disables
the option for the specified IP address type. |
CYR-9061 | If using Slack, Box, or Gmail to upload
a file using DLP on Prisma Access, the response page is not displayed
to the client if the upload is blocked. |
CYR-9003 | Reverse DNS queries do not work in Prisma
Access. Workaround: Because type A and AAAA queries
for internal domains work, you can specify *.in-addr.arpa in
a query so that Prisma Access sends all reverse DNS queries to internal
DNS servers. |
CYR-8244 | When performing a Commit and
Push operation for the Clean Pipe service, you receive
an error that the Clean Pipe service had insufficient license resources,
even though you have sufficient licensed bandwidth. Workaround: Select Panorama > Licenses,
then select Retrieve license keys from license server to
retrieve the Clean Pipe licenses again. |
CYR-8017 | If you add an existing template under one
of the template stacks of Prisma Access (for example, Service_Conn_Template_Stack, Mobile_User_Template_Stack,
or Remote_Network_Template_Stack), you cannot
use objects of the added template in other Prisma Access templates
that are part of the same template stack. Previously, you
could view and use objects from existing templates in Prisma Access
templates if the templates were a part of a Prisma Access-specific
template stack, which is not standard Panorama behavior. |
CYR-7907 | In multi-tenant mode, Prisma Access automatically
creates a set of templates, template stacks, and device groups for
each tenant you create for remote networks, mobile users, and the
Clean Pipe service. Prisma Access creates tenant-specific sets for
all products, even if you are licensed for only one Prisma Access
type. When you delete a tenant, Prisma Access deletes the
template and device group set for which you are licensed, but does
not delete the unlicensed set. For example, if you have a remote
network deployment and delete a tenant, Prisma Access does not delete
the set it created for the mobile users and Clean Pipe. Workaround: Manually
delete the unused, unlicensed set of templates, template stacks,
and device groups after you delete a tenant. |
CYR-7900 | The Traffic Forwarding feature (Panorama > Cloud Services > Configuration > Service Setup > Settings > Traffic Forwarding)
is not supported with multi-tenant deployments. |
CYR-7702 | When you log out a Prisma Access mobile
user from the Current Users window, the user
still displays in the window after the logout operation. Workaround: Close
and then reopen the Current Users window
to show the correct user status. |
CYR-7440 | If you have two Panoramas set up in an active-primary
and passive-secondary setup for Prisma Access, you cannot log out
mobile users from the passive-secondary Panorama. |
CYR-7332 | When you try to configure an Infrastructure
Subnet (Panorama > Cloud Services > Configuration > Service Setup > Settings) in multi-tenant mode,
you can receive an Operation Failed message. Workaround: Refresh
the Panorama UI to have Prisma Access correctly apply the infrastructure
subnet to the tenant's configuration. |
CYR-7128 | When you perform a Commit All operation
for mobile users, Prisma Access should display the commit status
for portals and gateways separately; however, Prisma Access is displaying
failures for portals under gateway status, and is displaying commit
failures for gateways under portal status. Workaround: Enter
the debug plugins cloud_services prisma-access get-job-result
jobid commit-job-id-number command,
where commit-job-id-number is the ID of the commit operation
that failed, to check and verify the commit operation for portals
and gateways. |
CYR-6384 | Pre-defined IKE Crypto, IPSec Crypto, and
IKE Gateways templates do not display. Workaround: Select Panorama > Cloud Services > Configuration > Service Setup (for
service connections) or Panorama > Cloud Services > Configuration > Remote Networks (for remote
network connections), click the gear icon in the Settings area
to open the Settings, then click OK. |
CYR-6369 | When in multi-tenant mode, if you create
a custom admin user with an Admin Role Profile that has Read Only
access to the Panorama tab and has Plugin access disabled, that
user can view, configure, and commit changes for subtenants. Workaround: Disable
access to the Panorama tab in the Admin Role Profile. |
CYR-6108 | When you configure Clientless VPN with Prisma
Access, the default security rule configuration uses the application-default
service, which blocks clientless-vpn traffic. Workaround: Change
the default security rule to any service or service-http and service-https. |
CYR-6107 | When configuring multi-tenant, if you create
any device groups that are children or grandchildren of other device
groups you create under the Shared parent device group, select only
the device group at the lowest hierarchical level (child or grandchild)
when you associate the device group to an access domain; do not
select the parent. |
CYR-6080 | You cannot reset the rule hit count for
all Authentication and Application Override policies. Workaround: Reset
rules using a list of rules or a rule name for Authentication and Application
Override policies. |
CYR-6013 | When you migrate a single tenant to multi-tenant
mode, you must do a local commit and then push the configuration
before you add more tenants. |
CYR-5888 | When using the multi-tenant feature and
creating template stacks and templates for a tenant, the Description of the
template stacks and templates does not display on the Panorama > Templates page. |
CYR-5867 | After upgrading to a new version of the
Cloud Services plugin, you are able to downgrade. The downgrade
operation should be disallowed. Workaround: Do not
downgrade the Cloud Services plugin after you have upgraded it. |
CYR-5842 | When using the multi-tenant feature and
migrating the first tenant to multi-tenancy, you can select template
stacks and templates that are not associated with the tenant that
you want to migrate, including templates that are used with on-premise
firewalls. Workaround: When you convert to multi-tenant mode,
be sure to choose only those templates that you want to associate to
the first tenant to migrate. |
CYR-5690 | When configuring multi-tenancy, if you are
planning to later configure Prisma Access for mobile users, you
must do a local Commit of your changes for the plugin (Commit > Commit to Panorama)
after you add templates, template stacks, and device groups for
each tenant and before you onboard each tenant. |
CYR-5563 | When using the multi-tenancy feature, users
who manage single tenants cannot see the system logs. The Monitor > Logs > System choice
is not available. This limitation applies to all Administrators
who have an administrative role of Device Group and Template. Only superusers
can view system logs in multi-tenancy mode. |
CYR-5561 | When using the multi-tenancy feature and
logged in as a tenant-level administrative user, opening the Panorama
Task Manager (clicking Tasks at the bottom
of the Panorama web interface) shows all tasks for all tenants,
including any tasks done at the superuser (Admin) level. |
CYR-5476 | When you enable multi-tenancy and migrate
your configuration to the first sub-tenant, CLI commands are not
supported for this operation. As a result, you must use the Panorama
user interface (UI). |
CYR-5159 | If you configure a mobile user IP address
pool for a single region instead of Worldwide, mobile users can
still view and attempt to connect to all available gateway regions
from their GlobalProtect app. This attempt fails because there is
no IP address pool to allocate for other regions. Workaround: To
allow mobile users to manually select a gateway, either configure
an IP address pool for the region in the location where you want
the users to connect, or configure a Worldwide IP address pool for
mobile users in Prisma Access to allow them to select all the locations
you have deployed. |
CYR-5139 | In an environment with on-premise firewalls
on each side of Prisma Access, where the remote network connections
to which those on-premise firewalls are connected are in different
regions, users behind one on-premise firewall cannot contact users
behind the other on-premise firewall unless you have configured an
explicit policy that allows traffic from zone Trust to zone Trust. |
CYR-5098 | If you change the master key in Panorama
(in Device > Master Key and Diagnostics), the master key for Cloud
Services is not synchronized with this master key. Workaround: Select
Panorama > Cloud Services > Configuration > Service Setup > Service
Operations > Edit Master Key and manually change the master key
to be the same as the Panorama master key. |
CYR-5062 | When regular dynamic updates are downloaded
to Panorama (by default, every Wednesday at 01:02), the MD5 checksum
is changed. This condition can cause the Panorama configuration
and the Prisma Access infrastructure to lose synchronization. While
no tunnels are affected by this out of synchronization state, the
status for Service Connections, Remote Networks, Mobile Users, and
the Logging Service show a Config Status of Out
of Sync. Workaround: Perform a Commit and Push operation
on the Panorama. |
CYR-4010 | The BGP router configuration on the Prisma
Access firewalls can receive a maximum of 15000 prefixes from each
peer, and the total number of routes (static and dynamic) learned
through BGP cannot exceed 25000. Exporting more than 25000 routes
may adversely affect traffic flow on your network. |
CYR-3952 | After you generate a new API key by selecting Panorama > Cloud Services > Configuration > Service Setup > Generate new API Key, the previous
API key is still valid for a period of time (up to five minutes).
This API key is the one used to retrieve the list of IP addresses for your Prisma
Access firewalls. |
CYR-3645 | To use tunnel monitoring with BGP, the IP
address that you are monitoring on the Prisma Access firewall must
be part of a static subnet configured on a remote network location.
The IP address cannot be a BGP exported subnet. |
CYR-3638 | For service and remote network connections
that have BGP enabled, Prisma Access ignores any route it receives
from a neighbor whose AS_PATH list contains an AS number that duplicates
an AS number in the Prisma Access AS infrastructure (Infra-AS). |
CYR-3469 | If you have configured a Notification URL,
when you onboard a new remote network location, two notifications
are sent to the URL instead of only one. |
CYR-3385 | When you configure the same AS number for
the service connection and remote network location(s), the routes
are not imported into the firewall on the remote network location. |
CYR-3330 | Mobile users cannot connect to remote network
locations without a service connection. |
CYR-3114 | If your commit fails when you onboard Prisma
Access components for the first time, the Task Manager does not
always describe the cause of the failure. Workaround: To
find the errors, select Panorama > Cloud Services > Status > Monitor and click the Status tab.
Invalid configurations are indicated with a red bubble in the Config
Status column and an error of Validation Error. |
CYR-3034 | When configuring SAML, you must perform
all configuration with a role of Superuser, including any configuration
you perform for SAML using CLI. |
CYR-2648 | The Panorama > Cloud Services > Configuration page
is grayed out when Panorama is not in sync with NTP. Workaround: Make
sure to synchronize time with NTP (Panorama > Setup > Services > NTP). |
CYR-2633 | You cannot change the region associated
with multiple remote network locations in a single commit push to
the Prisma Access. Workaround: If you need
to change the region on more than one remote network location, change
them one at a time and complete the commit push before changing
the region on the next remote network. |
CYR-2578 | Master Keys do not work for two Panorama
appliances set as HA primary and secondary appliances. Workaround: Deselect
the Enable HA check box on the secondary
Panorama appliance and commit the changes, set the same Master Key
on both the primary and secondary Panorama appliance, then re-enable
HA on the secondary Panorama appliance and commit the changes. |
CYR-2028 | The Device > Setup > Management page
is not available on the Panorama appliance running the Prisma Access
plugin. You cannot configure NT LAN Manager (NTLM). |
CYR-1836 | You cannot enforce MFA when users at one
of your corporate HQ locations attempt to access a resource at
a remote network location. |
CYR-1646 | Although Panorama allows you to delete the Mobile_User_Template
that was created when the Prisma Access was provisioned, deleting
this template also deletes your onboarding configuration and, upon
commit, removes your Prisma Access for mobile users configuration. |
CYR-1189 | When you onboard a new service connection
or a remote network, the count for service connection and total
remote peers displayed on Panorama > Cloud Services > Status > Status is inaccurate
until the provisioning is complete. |
CYR-1120 | On Panorama, you cannot validate commit
on a device group or template configuration before pushing the configuration
to the Prisma Access infrastructure for remote networks and mobile
users. |
CYR-575 | You cannot configure the Prisma Access gateway
as an internal gateway. |
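The agent config selection behaviour described in CYR-9455 above is easier to reason about when simulated. The following Python example is added to this page and is not Palo Alto Networks code: the portal configs, OS labels and selection criteria are constructed for illustration. It places the intended matching rule (OS type and selection criteria checked for every config) beside the behaviour the issue describes (OS type no longer checked after the first config that matched on OS but failed its criteria), and adds an `exposed_pairs` check that points out which config orderings can hand a client a config for the wrong OS.

```python
"""Simulation of the GlobalProtect agent config selection described in CYR-9455.
Added example, not Palo Alto Networks code: the config names, OS labels and
selection criteria below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AgentConfig:
    name: str
    os_types: frozenset                           # OS types this config applies to
    criteria: dict = field(default_factory=dict)  # config selection criteria, e.g. user group

    def os_matches(self, client_os):
        return client_os in self.os_types

    def criteria_match(self, client):
        # every configured selection criterion must be satisfied by the client
        return all(client.get(k) == v for k, v in self.criteria.items())


def select_expected(configs, client):
    """Intended behaviour: OS type and selection criteria are checked for every config,
    top to bottom; the first config matching both wins."""
    for cfg in configs:
        if cfg.os_matches(client["os"]) and cfg.criteria_match(client):
            return cfg.name
    return None


def select_as_described(configs, client):
    """Behaviour described in CYR-9455: after a config matches on OS type but fails the
    selection criteria, the OS type of the remaining configs is no longer checked."""
    os_check_active = True
    for cfg in configs:
        if os_check_active and not cfg.os_matches(client["os"]):
            continue                    # OS mismatch while OS checking is still active
        if cfg.criteria_match(client):
            return cfg.name
        os_check_active = False         # OS matched, criteria did not: OS no longer checked
    return None


def exposed_pairs(configs):
    """Report (earlier, later) config pairs where the described behaviour can hand a client
    the later config despite a non-matching OS type: the earlier config carries selection
    criteria that can fail, and the later config targets a disjoint set of OS types."""
    pairs = []
    for i, earlier in enumerate(configs):
        if not earlier.criteria:
            continue
        for later in configs[i + 1:]:
            if not (earlier.os_types & later.os_types):
                pairs.append((earlier.name, later.name))
    return pairs


# Constructed portal with three agent configs, ordered top to bottom.
CONFIGS = [
    AgentConfig("win-finance", frozenset({"Windows"}), {"group": "finance"}),
    AgentConfig("mac-default", frozenset({"Mac"})),
    AgentConfig("win-default", frozenset({"Windows"})),
]

# Constructed clients: a Windows user outside the finance group should land on win-default.
ENGINEER = {"os": "Windows", "group": "engineering"}
FINANCE = {"os": "Windows", "group": "finance"}

if __name__ == "__main__":
    print("expected:    ", select_expected(CONFIGS, ENGINEER))
    print("as described:", select_as_described(CONFIGS, ENGINEER))
    print("exposed pairs:", exposed_pairs(CONFIGS))
```

Running `exposed_pairs` over a portal's ordered config list is the practical check: until the issue is addressed, any config that carries selection criteria and is followed by a config for another OS can mis-assign clients, so keep configs for each OS grouped, or move criteria-free catch-all configs ahead of configs for other OS types.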
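The CYR-9003 workaround above relies on the fact that every IPv4 reverse (PTR) lookup is a query for a name under in-addr.arpa, so a single `*.in-addr.arpa` entry in the internal domain list captures all of them. The following Python example is added to this page and is not Palo Alto Networks code. It builds PTR query names with the standard library and steers them with a suffix-wildcard match; that matching rule is an assumption about how such a domain list is evaluated, and the `*.ip6.arpa` case at the end goes beyond the page, which only mentions in-addr.arpa.

```python
"""Added example (not Palo Alto Networks code) for the CYR-9003 workaround: how a
*.in-addr.arpa entry in an internal-domain list captures every IPv4 reverse (PTR)
lookup. The suffix-wildcard matching used here is an assumption about how such a
domain list is evaluated; the page only states that the entry sends reverse queries
to internal DNS servers."""
import ipaddress


def reverse_name(ip):
    """PTR query name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa.
    IPv6 addresses are looked up under ip6.arpa instead."""
    return ipaddress.ip_address(ip).reverse_pointer


def matches_pattern(qname, pattern):
    """Assumed wildcard semantics: '*.corp.example' matches any name at least one
    label below corp.example; a pattern without a leading '*.' must match exactly."""
    qname = qname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return qname.endswith(pattern[1:])   # keeps the leading dot of the suffix
    return qname == pattern


def resolver_for(qname, internal_domains):
    """Return which resolver set ('internal' or 'public') a query is steered to."""
    if any(matches_pattern(qname, p) for p in internal_domains):
        return "internal"
    return "public"


# Constructed internal-domain list: the corporate zone plus the CYR-9003 workaround entry.
INTERNAL_DOMAINS = ["*.corp.example", "*.in-addr.arpa"]

if __name__ == "__main__":
    queries = ["hr.corp.example", reverse_name("10.1.2.3"),
               reverse_name("2001:db8::1"), "www.example.net"]
    for q in queries:
        print(f"{q} -> {resolver_for(q, INTERNAL_DOMAINS)}")
```

The IPv6 query in the sample run goes to the public resolvers: a PTR name for an IPv6 address ends in ip6.arpa, which `*.in-addr.arpa` does not cover, so an internal IPv6 range would need its own `*.ip6.arpa` entry under these matching semantics. The page does not say whether Prisma Access treats that entry the same way, so verify it before relying on it.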
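Three of the BGP entries above describe the same underlying mechanics from different angles: CYR-3638 (routes whose AS_PATH contains the Infra-AS are ignored), CYR-3385 (routes are not imported when the service connection and a remote network share an AS number) and CYR-4010 (15000 prefixes per peer, 25000 routes in total). The following Python example is added to this page and is not Palo Alto Networks code; it models the observable effect of those entries as ordinary BGP AS-loop detection plus limit checks over a constructed set of advertisements. Peer names, AS numbers and prefixes are sample data, and the Infra-AS value is a placeholder rather than the real one.

```python
"""Added example (not Palo Alto Networks code) modelling three BGP behaviours listed
above: CYR-3638 (routes whose AS_PATH contains the Prisma Access Infra-AS are
ignored), CYR-3385 (service connection and remote network configured with the same
AS number, so routes are not imported) and CYR-4010 (at most 15000 prefixes per peer
and 25000 routes in total). Peer names, AS numbers and prefixes are constructed
sample data; the Infra-AS value is a placeholder, not the real one."""
import ipaddress
from collections import Counter

MAX_PREFIXES_PER_PEER = 15000   # per-peer limit from CYR-4010
MAX_TOTAL_ROUTES = 25000        # total static + dynamic route limit from CYR-4010
INFRA_AS = 64512                # placeholder for the Prisma Access infrastructure AS


def accepted_routes(routes, local_as, infra_as=INFRA_AS):
    """BGP AS-loop detection as the page describes its effect: a route is ignored when
    its AS_PATH already contains the receiving side's own AS (the CYR-3385 case) or the
    Infra-AS (the CYR-3638 case). Each route is (peer, prefix, as_path)."""
    kept, dropped = [], []
    for peer, prefix, as_path in routes:
        if local_as in as_path or infra_as in as_path:
            dropped.append((peer, prefix, "AS loop: " + "-".join(map(str, as_path))))
        else:
            kept.append((peer, prefix, as_path))
    return kept, dropped


def limit_violations(routes, static_routes=0):
    """Flag peers above the per-peer prefix limit and a total above the route limit."""
    problems = []
    per_peer = Counter(peer for peer, _, _ in routes)
    for peer, count in sorted(per_peer.items()):
        if count > MAX_PREFIXES_PER_PEER:
            problems.append(f"{peer}: {count} prefixes > {MAX_PREFIXES_PER_PEER}")
    total = len(routes) + static_routes
    if total > MAX_TOTAL_ROUTES:
        problems.append(f"total routes {total} > {MAX_TOTAL_ROUTES}")
    return problems


def summarize(prefixes):
    """Collapse adjacent and contained prefixes into the minimal covering set, one way
    to bring an advertisement under the per-peer limit without losing reachability."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed advertisements as seen by a remote network firewall in AS 65001.
ROUTES = [
    ("rn-site-b", "10.20.0.0/16", (65002,)),           # clean path: accepted
    ("rn-site-c", "10.30.0.0/16", (65003, INFRA_AS)),  # Infra-AS in path: ignored (CYR-3638)
    ("sc-hq", "10.40.0.0/16", (65001, 65004)),         # own AS in path: not imported (CYR-3385)
]

if __name__ == "__main__":
    kept, dropped = accepted_routes(ROUTES, local_as=65001)
    print("kept:", [prefix for _, prefix, _ in kept])
    print("dropped:", dropped)
    # A constructed peer advertising one /24 too many for the per-peer limit.
    big_peer = [("rn-big", f"10.{i >> 8}.{i & 255}.0/24", (65010,)) for i in range(15001)]
    print(limit_violations(big_peer))
    print(summarize(["10.0.0.0/25", "10.0.0.128/25", "10.0.1.0/24"]))
```

The practical reading: if a remote network silently lacks routes, check the AS_PATH of the missing prefixes for the Infra-AS or for the remote network's own AS number before looking at policy, and when a peer approaches the 15000-prefix limit, summarize the advertisement on the customer side rather than splitting it across peers, since the 25000 total still applies.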