PAN-207845 | On the CN-Series firewall deployed as a
Kubernetes Service, the CN-NGFW pods might not come up as expected
on some host operating systems. Workaround: Modify
the CN-NGFW yaml file by setting the security context to privileged: true:
securityContext:
  capabilities:
    add: ["ALL"]
  privileged: true
|
PAN-205310
|
When a data plane (DP) pod is disconnected from the management (MP)
pod for more than a minute, the DP strongswan process restarts to reconnect to the
MP pod. This results in a strongswan exit crash and core file generation. Although this
is a harmless response, in the newer PAN-OS versions (10.2.4, 10.1.9, and 11.0.1)
the reconnection mechanism is changed to avoid the strongswan exit crash and core file
generation.
|
PAN-211381
|
The CN-Series 10.1.9 firewall is deployed through Panorama 10.1.9 with the 125 pods,
250 interfaces template from Kubernetes plugin 2.0.2, using the new template
K8S-Network-Setup-V1-125. When you downgrade the CN-Series 10.1.9 with 125 pods, 250
interfaces to CN-Series 10.1.8 while keeping Kubernetes plugin 2.0.2, an
auto-commit failure occurs on the CN-MGMT pod. This is because the CN-Series
10.1.8 template can support only 30 interfaces, while CN-Series 10.1.9 can
support up to 125 pods, 250 interfaces.
Workaround:
- It is not recommended to install Kubernetes plugin 2.0.2 on Panorama
10.1.8 or an earlier version. If you are using Panorama 10.1.8 or an earlier version,
you must stop using the 125 pods, 250 interfaces template.
- Before downgrading the CN-Series to 10.1.8, perform the following steps from
Panorama:
  - Disassociate the 125 interfaces template from the template stack and then
  associate the 30 interfaces template. Ensure that the maximum secured application pod
  count does not exceed 30.
  - Commit and Push to CN.
  - Downgrade the CN.
|
PAN-213188
| In PAN-OS 10.1.10 and PAN-OS 10.2.4, the CN-MGMT
pod fails on Kubernetes version 1.25.x. Workaround: In the
pan-cn-mgmt.yaml file, go to the Containers section and change the command script from:
command: ["/sbin/pan_start"]
to:
command: ["/bin/bash", "-c", "mv /sbin/cgroups_setup /root/; /sbin/pan_start"]
|
CN-177
|
The inbound traffic to secured applications fails to work with
PAN-CNI 3.0.3 and 3.0.4 for Azure Kubernetes
Service (AKS).
Workaround: Use PAN-CNI 3.0.2 for AKS to deploy the
CN-Series firewall successfully.
|
PLUG-17100
|
When onboarding an OpenShift 4.15 cluster, the cluster validation fails with an SSL
certificate error.
Workaround: If the Kubernetes plugin cannot connect to the Kubernetes API
server, use the IP address instead of the DNS name in the API server configuration
setup.
|