API Authentication — Strata Cloud Manager vs Legacy
Strata Cloud Manager uses OAuth 2.0 client credentials flow. Authenticate
with a Service Account bound to a Tenant Service Group (TSG) ID. The token
endpoint is https://auth.apps.paloaltonetworks.com/oauth2/access_token.
Common authentication failures:
Invalid TSG ID: The scope parameter must include tsg_id: followed by the
Tenant Service Group ID (tsg_id:<TSG ID>). Omitting this or using an
incorrect TSG ID returns a 401 error.
Expired client secret: Service Account secrets have configurable
expiration. Regenerate via Strata Cloud Manager > Identity & Access.
Insufficient role: The Service Account must have at minimum the Auditor or
View-Only Administrator role to read configuration.
Legacy Panorama Cloud Services plugin API uses an API key generated from
Panorama. If the organization has migrated to Strata Cloud Manager, the
legacy API may return stale configuration. Always confirm which management
plane is authoritative.
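The client credentials exchange described above, as an added example (not Palo Alto Networks' code). It assumes the Service Account client_id and client_secret are sent as HTTP Basic credentials; the request builder and response parser are kept free of network access so they can be checked offline.

```python
"""Added example: Strata Cloud Manager OAuth 2.0 client credentials token request
and diagnosis of the common 401. Assumption: client_id/client_secret go in an
HTTP Basic Authorization header; the TSG ID goes in the scope parameter."""
import base64
import json
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"


def build_token_request(client_id, client_secret, tsg_id):
    """Build the POST. The scope must be tsg_id:<TSG ID>; an empty or wrong
    TSG ID is the usual reason the endpoint answers 401."""
    tsg_id = str(tsg_id).strip()
    if not tsg_id:
        raise ValueError("TSG ID is required in the scope parameter")
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}
    ).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(status, body, now=None):
    """Map the token endpoint's answer to (result, detail).
    200 -> ("ok", token dict with absolute expiry); 401 -> ("unauthorized", hint)."""
    if status == 200:
        data = json.loads(body)
        now = time.time() if now is None else now
        return "ok", {"access_token": data["access_token"],
                      "expires_at": now + int(data["expires_in"])}
    if status == 401:
        return "unauthorized", ("check that scope is tsg_id:<TSG ID> and that the "
                                "client secret has not expired (Identity & Access)")
    return "error", f"HTTP {status}: {body[:200]}"


def fetch_token(client_id, client_secret, tsg_id):
    """Live call; HTTP errors are folded into the same (result, detail) shape."""
    req = build_token_request(client_id, client_secret, tsg_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except HTTPError as e:
        return parse_token_response(e.code, e.read().decode(errors="replace"))
```

Store the returned expires_at and refresh the token shortly before it so a long-running script does not start failing with 401s that look like a scope problem.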
Compute Location Capacity
Prisma Access compute locations can reach capacity during peak usage. If
mobile user connections are refused or performance degrades:
Check compute location utilization via Prisma Access Insights or the
Autonomous DEM dashboard.
Verify that mobile user regions are distributed geographically to
balance load — avoid funneling all users through a single region.
Review bandwidth allocation per compute location. Insufficient allocation
triggers throttling before true capacity is reached.
GlobalProtect Client Compatibility
GlobalProtect client compatibility issues commonly arise from:
Version mismatch: Cloud-delivered GlobalProtect infrastructure updates
independently from client software. Clients more than two major versions
behind may fail to connect or lose feature support. Check the Prisma
Access compatibility matrix.
OS-specific issues: macOS system extension requirements (Network
Extension vs Kernel Extension) change across OS versions. Windows clients
may conflict with third-party VPN or endpoint security software.
MDM-deployed configuration: Mobile Device Management-pushed profiles
may override portal-delivered settings. Verify MDM configuration aligns
with portal/gateway settings.
Service Connection BGP Flapping
BGP session instability on service connections typically results from:
Hold timer mismatch: Prisma Access uses a default BGP hold time of
90 seconds. If the on-premises peer uses a shorter hold time and
keepalives are lost due to congestion, the session drops. Align timers.
Route oscillation: If the on-premises router advertises and withdraws
routes rapidly, Prisma Access BGP will follow. Check on-premises routing
stability first.
MTU issues: Path MTU mismatches cause TCP session failures that can
affect BGP. Verify MTU along the service connection path — typical IPSec
overhead requires reducing MTU to 1400 or lower.
IKE DPD sensitivity: Aggressive Dead Peer Detection settings combined
with transient packet loss cause unnecessary tunnel rebuilds. Use a DPD
interval of 10 seconds with a retry of 3 as a baseline.
Decryption Certificate Distribution
SSL Forward Proxy decryption requires endpoints to trust the Prisma Access
forward trust CA certificate. Distribution challenges include:
Mobile users: Push the CA certificate via MDM, GPO, or GlobalProtect
client configuration. Verify distribution by checking certificate store
on sample devices.
Remote network endpoints: Branch devices behind remote network tunnels
must also trust the CA. If branch users access the internet via Prisma
Access, their devices need the certificate.
Certificate expiration: Monitor forward trust CA certificate expiration.
Prisma Access generates certificates with configurable lifetimes — set
calendar reminders for renewal. An expired CA causes all decrypted
sessions to fail with certificate errors.
Certificate pinning applications: Applications that pin their server
certificates (banking apps, certain healthcare portals) will fail through
SSL Forward Proxy. Add these to the decryption exclusion list with
documented justification.