When multilogging destination is enabled, the logs are seen on Panorama and syslog server, but no logs are seen on the log analytics workspace.

Workaround: If you want to use syslog along with log analytics workspace, change the service route to destination based instead of service based route.

For

Destination Based Routing

configuration, select destination, add your syslog server private IP, and then select

loopback.3

as the source interface.

Default rules in Panorama are overridden by the Cloud NGFW resource. Parameters such as

Profile

and

Action

are not retained. For example, if you configure an action to

Allow

, it reverts to

Deny

; if you configure a logging profile, it reverts to

None

.

A self-signed certificate can erroneously be associated with a rulestack, despite the absence of a resource name.

Panorama does not always automatically push content and antivirus updates to newly created Cloud NGFW for Azure resources.

QoS profiles (provided by a device template) are not removed when displayed in the Panorama virtual appliance.

Creating a large number of local rules can cause a HTTP error (503 Server Error: Service Unavailable).

Deployment status information in the Azure portal is truncated without displaying complete information.

Firewall creation fails when you enable non-RFC 1918 addresses without enabling DNS Proxy.

When a Cloud NGFW for Azure resource connects to Panorama for the first time, the template stack associated with the resource's Cloud Device Group is out of sync.

Cloud NGFW resources managed by a Panorama HA pair might be listed in the cloud device group by its serial number (instead of device name) on the secondary Panorama. However, on the primary Panorama, the Cloud NGFW resource is listed by its device name.

Configured dynamic address group tags and IP addresses are not listed in child Cloud Device Groups when the parent device group does not have a dynamic address group configured.