PAN-OS 12.1.2 Known Issues
What is the list of known issues for PAN-OS 12.1.2?
The following list includes known issues specific to PAN-OS 12.1.2.
Issue ID
Description
PAN-300850
Manual scheduling of cloud verdicts is required if a new host in a Host Compliance Service-enabled environment has a refresh event entry without a corresponding update event entry.
PAN-300809
Host Compliance Service connectivity does not work when the service connects through a management IP address that is configured in DHCP mode.
PAN-300677
Panorama cannot display Threat log entries (Monitor > Logs > Threat) when the managed log collector is running a lower PAN-OS release than Panorama.
Workaround: Upgrade the log collectors to the same version as Panorama.
PAN-300627
AutoCommit fails when the Traffic Object is used on AI Runtime Security, which in turn impacts the workloads that use overlapping subnets.
PAN-300483
(PA-7500 firewall only) Enabling FIPS-CC mode causes the firewall to go into maintenance mode.
Workaround: After the firewall goes into maintenance mode, perform an additional reboot. The firewall will successfully start up in FIPS-CC mode.
PAN-300467
WildFire WF-500 appliances running PAN-OS 10.x or PAN-OS 11.x cannot be managed by Panorama running PAN-OS 12.1.2 due to connectivity issues.
Workaround: Upgrade your WildFire appliances to PAN-OS 12.1.2 or later.
PAN-300407
The Release Note URL column in the Panorama > Plugins page is empty.
Release Notes for the plugins are available in the plugins release notes or in their individual product release notes.
PAN-300230
(NGFW Cluster) In an NGFW cluster, pings to the HSCI-B link might fail even when the link reports that it is up. If the HSCI-A link is then brought down or unplugged, the cluster node transitions to the failed state, which avoids split brain because both HSCI links are down in that case.
Workaround: Reboot the cluster node to resolve the HSCI-B ping issue.
PAN-300192
If the Host Compliance Service is configured with a service route that points to an unreachable IP address, the gp_broker process may stop working when you enable or disable the Host Compliance Service.
PAN-300114
A VM enters maintenance mode during a downgrade from PAN-OS 12.1.2 to 11.2.7 when the downgrade is performed through the CLI.
Workaround: Download and install the required version of PAN-OS through the UI instead of the CLI.
PAN-300069
(PA-410 firewall only) Loading a saved config file can take up to 5 minutes.
PAN-300053
When you use the CLI command request system fqdn refresh to trigger another IP address resolution of configured FQDN entries, the firewall might enter an error state in which the DNS Proxy cache has received and stored a new IP address for a particular FQDN entry, while the Device-Server (and therefore the Security rule) still holds the old IP address for that FQDN entry.
Workaround: Avoid using the CLI command request system fqdn refresh. Use the following command instead (for a particular domain name or for the entire list): clear dns-proxy cache all domain-name <domain_name>. To correct an error state in which the DNS Proxy cache and the Device-Server and Security rule already hold different IP addresses, use the following CLI command: debug device-server dump fqdn type resync vsys <vsys_name> fqdn-name <domain_name>
PAN-300025
If Azure hotplug events occur, the firewall may experience a brdagent crash and data interfaces may transition to an unknown state, leading to traffic disruption.
Workaround: Reboot the VM if the brdagent crash does not trigger a device reboot.
PAN-299562
SSL proxy sessions fail when clients send a Client Hello with TLSv1.2 and TLSv1.3, and exclusively prefer the secp192 elliptic curve.
Workaround: Configure a decryption profile that uses TLSv1.2 as the maximum supported TLS version, then apply this profile to the decryption policy rules for the affected clients and servers. This lets the client change its preferred curves so that the session can be established.
PAN-299387
(NGFW Cluster) When an NGFW cluster has only one firewall node present and powered up, that node is stuck in UNKNOWN state after you reboot it and it comes back up. The issue occurs in two scenarios:
  • When there is only one node configured in the cluster (no peer is available or configured).
  • When the peer device in the cluster is completely powered down or unable to autonegotiate its connected HSCI ports. That is, two nodes are in the cluster, but only one node is booting up while the other remains down completely.
The expected behavior is that if no peer device is available (at a port autonegotiation or link level for HSCI-A or HSCI-B), then a cluster device should go to INITIAL state, followed by ONLINE state (and not remain in UNKNOWN state).
Workaround: To avoid this issue, connect the HSCI-A to HSCI-B in loopback to create a link partner.
PAN-299229
On PA-5400 Series and PA-7500 Series firewalls, if you run certain types of CLI commands during or shortly after a commit, the commands will time out. The types of CLI commands impacted by this issue are IoT, Cloud-User-ID, and App-ID Cloud Engine CLI commands.
Workaround: Don't execute IoT, Cloud-User-ID, or App-ID Cloud Engine CLI commands during or shortly after a commit on a PA-5400 Series or PA-7500 Series firewall.
PAN-299170
The remediation link included in the generated PDF of an upgrade check report might be pruned due to a text length limitation of the export function. The link remains fully functional and works correctly on the Panorama web interface.
PAN-299114
After you enable the Enable Duplicate Logging (Cloud and On-Premise) setting on a firewall, clicking Status for Cloud Logging does not display the logging service connection status.
PAN-298540
(PA-5500 Series firewalls only) The Monitor tab in the Web Interface does not display a pop-up to indicate that high-speed log forwarding is enabled and that logs are only viewable from Panorama.
PAN-298083
After you change the system mode on an M-700 appliance from Panorama mode to PAN-DB private cloud mode, the snmpd process fails to work.
PAN-298047
In an AI Runtime Security environment, Azure Container outbound traffic does not work as expected because the egress traffic is misdirected to an incorrect cluster node port.
PAN-297772
When an Intel e810 NIC is configured in SR-IOV mode and its Virtual Functions (VFs) are shared among multiple HSF cluster nodes, rebooting a cluster node while traffic is active may disrupt traffic on the other HSF cluster nodes that use the same NIC. Do not share Intel e810 VFs across cluster nodes; allocate one VF per Intel e810 PF instead.
PAN-297748
The FIPS test fails to start after issuing the following command: set deviceconfig setting management common-criteria self-test-schedule software-integrity start-time <time>
PAN-297114
After successfully generating a health check report for managed firewalls from Panorama, the progress bar does not appear and the latest health check reports are not displayed (Panorama > Device Deployment > Upgrade Check).
Workaround: Manually refresh the page to see the latest reports.
PAN-294687
(NGFW Clusters) In an NGFW cluster, the leader can't retrieve the HIP Report from Panorama, nor synchronize it to the non-leader nodes. Unlike HA Active/Passive mode, both leader and non-leader nodes receive traffic in cluster mode. If the relevant HIP Report is missing, policies involving HIP may not work properly. The expected behavior is that when a non-leader node receives related traffic, it should request the corresponding HIP Report from the leader.
PAN-293754
(NGFW Clusters) Firewalls in an NGFW cluster indicate they are in ONLINE state even though their configurations are different (they aren't synchronized).
Workaround: Push the configuration from Panorama to all cluster members at the same time; don't push to an individual firewall. If a cluster member isn't connected to Panorama during the push, the push will fail to the disconnected firewall, but will succeed to all connected firewalls.
PAN-293718
When high-speed logging is enabled on a PA-5560 device, the expected warning message is not displayed on the web interface, so administrators are not notified that logs can only be viewed from Panorama.
PAN-292601
PAN-OS 12.1.2 and later 12.1 releases support a Load Balanced DNS configuration for an address object. If two address objects have the same FQDN, but one object has Load Balanced DNS enabled and the other has it disabled, then the policy match for the removed IP addresses doesn't work as expected.
Workaround: Enable (or disable) Load Balanced DNS consistently for an FQDN that is used with multiple address objects.
PAN-290692
In Host Compliance Service, when you create a 'Shared' type Host Compliance Object for the 'Disk-Encryption' category, the State drop-down is automatically selected and cannot be edited. However, you can change the state later by editing the object, if required.
PAN-289524
In PAN-OS 12.1.2 and later 12.1 releases, PAN-OS can obtain resolved IP addresses from a Load Balanced DNS server and use them in a policy match. However, this functionality does not work as intended when the DNS cache reuse flag is enabled: in that case, DNS resolution behaves as if the Load Balanced DNS flag (for an Address object) were disabled.
PAN-286496
(NGFW Clusters) URL-continue and override continue selections will function like a general URL-block action.
PLUG-21065
In a PA-VM or AI Runtime Security environment, the Software Firewall Orchestration plugin deployed with a VM-Flex license and configured with 8-14 GB of memory may encounter traffic disruptions when jumbo frames are enabled. Disable jumbo frames on these lower-end VMs in version 12.1.2 by running the command: set system setting jumbo-frame off.
PLUG-19238
Enabling Advanced Routing through bootstrap on VM-Series and Prisma AIRS is not supported.
Workaround: After the firewall boots up, enable advanced routing using the CLI command set device-management general-settings advance-routing yes or enable advanced routing through the UI.