Identified - Urgent message for Cortex Data Lake customers with firewalls onboarded via Panorama. Please read this Customer Advisory for more information. https://live.paloaltonetworks.com/t5/customer-advisories/panorama-on-boarded-firewall-certificate-issue-cortex-data-lake/ta-p/328630
May 19, 18:14 UTC

Update - We are continuing to work on a fix for this issue.
Jun 16, 00:02 UTC

Identified - Starting June 9, 2020 00:00 UTC, Prisma Access deployments using the Cloud Services 1.5 plugin are not supported for use with Prisma Access, and you will not be able to make any changes or commits with the Cloud Services 1.5 plugin. The Cloud Services plugin 1.6 requires Panorama version 9.0.4 and later or 9.1.1 and later; however, for 9.1.x Panorama upgrades, do not upgrade your Panorama to 9.1.x until you install the Cloud Services plugin 1.6 because the 1.4 or 1.5 plugins do not support PAN-OS 9.1.x. You must upgrade the Cloud Services plugin version to 1.6 before upgrading your Panorama to 9.1.1.

If you have additional questions, please contact your Palo Alto Networks representative.

For more information, see the Palo Alto Networks Live article at Prisma Access Panorama Version Upgrade Required
May 29, 09:53 UTC

Monitoring - To promote public health during the COVID-19 outbreak and reduce unnecessary exposure to risk, you may have elected to support your workforce to work from home. If you have a large number of employees working remotely, Prisma Access for Mobile Users provides a scalable way for your remote workers to securely access your organization’s applications and resources - both cloud-based and on-site.

When a large number of mobile users concurrently access a Prisma Access location, Prisma Access detects the increase in mobile users and adds a gateway to accommodate the additional users and enable a steady, predictable performance (also known as an auto-scale event). If you expect that a large number of users will be accessing Prisma Access, Palo Alto Networks recommends the following best practices:

- Make sure that your mobile user IP address pool is sufficient. As a guideline, verify that you have at least twice the number of IP addresses in the pool than the number of user devices that will connect to Prisma Access. This over-allocation ensures that enough IP addresses are available for auto-scale events. If you cannot allocate a sufficiently large IP address pool, contact Palo Alto Networks support to review an alternate design, which may include deploying a NAT policy in your data center.

- Proactively whitelist both the active and reserved gateway and portal IP addresses, so that your users do not lose any connectivity, if you whitelist Prisma Access IP addresses on your network.

To whitelist the gateway and portal IP addresses, run the API script and run commands with a serviceType of gp_gateway and gp_portal and an addrType of active (to get the currently-active gateway and portal addresses) and reserved (to get the IP addresses that are held in reserve for activation on a scaling event).

You can also set up a mechanism to be notified of IP address changes when Prisma Access auto-scales to support the increase in demand. If you have a script running on a web server that can process HTTP Post Notifications, add an IP Change Event Notification URL so that you are notified of changes to IP addresses. You can then re-run the API script to retrieve the new addresses, on-demand.

- Exclude video traffic, which uses high bandwidth and is a low security risk, from being sent to Prisma Access. GlobalProtect provides several configuration options to exclude video streaming traffic from being tunneled to Prisma Access. This configuration ensures prioritization of traffic for business critical applications. The following are some examples for video traffic exclusion:
-- Lower-risk video streaming applications such as YouTube or Netflix
-- Low-risk client applications such as RingCentral
-- Traffic destined to a specified domain name
Mar 13, 19:58 UTC