Next-Generation Firewall
PAN-OS 12.1.2 Known Issues
What is the list of known issues for PAN-OS 12.1.2?
The following list includes known issues specific to PAN-OS 12.1.2.
| Issue ID | Description |
|---|---|
| PAN-300850 | Manual scheduling of cloud verdicts is required if a new host in a Host Compliance Service-enabled environment has a refresh event entry without a corresponding update event entry. |
| PAN-300809 | Host Compliance Service connectivity does not work if the service is connected through a management IP address that is configured in DHCP mode. |
| PAN-300677 | Panorama cannot display Threat log entries (Monitor > Logs > Threat) when the managed log collector is running a lower PAN-OS release than Panorama. Workaround: Upgrade the log collectors to the same version as Panorama. |
| PAN-300627 | AutoCommit fails when the Traffic Object is used on AI Runtime Security, which in turn impacts the workloads that use overlapping subnets. |
| PAN-300483 | (PA-7500 firewall only) Enabling FIPS-CC mode causes the firewall to go into maintenance mode. Workaround: After the firewall goes into maintenance mode, perform an additional reboot. The firewall will successfully start up in FIPS-CC mode. |
| PAN-300467 | WildFire WF-500 appliances running PAN-OS 10.x or PAN-OS 11.x cannot be managed by Panorama running PAN-OS 12.1.2 due to connectivity issues. Workaround: Upgrade your WildFire appliances to PAN-OS 12.1.2 or later. |
| PAN-300407 | The Release Note URL column in the Panorama > Plugins page is empty. Release notes for the plugins are available in the plugins release notes or in the individual product release notes. |
| PAN-300230 | (NGFW Cluster) In an NGFW cluster, pings to the HSCI-B link might fail even when the link indicates it is up. If the HSCI-A link is then brought down or unplugged, the cluster node transitions to the failed state, which avoids split brain because both HSCI links are down in this case. Workaround: Reboot the cluster node to resolve the HSCI-B ping issue. |
| PAN-300192 | If the Host Compliance Service is configured with a service route pointing to an unreachable IP address, the `gp_broker` process may stop working when you enable and disable (toggle) the Host Compliance Service. |
| PAN-300114 | The VM enters maintenance mode during a downgrade from PAN-OS 12.1.2 to 11.2.7 when the downgrade is performed through the CLI. Workaround: Download and install the required PAN-OS version through the web interface instead of the CLI. |
| PAN-300069 | (PA-410 firewall only) Loading a saved config file can take up to 5 minutes. |
| PAN-300053 | When you use the CLI command `request system fqdn refresh` to trigger another IP address resolution of the configured FQDN entries, the firewall might enter an error state in which the DNS Proxy cache has received and stored a new IP address for a particular FQDN entry, while the Device-Server (and therefore the Security rule) still holds the old IP address for that entry. Workaround: Avoid using `request system fqdn refresh`. Instead, use `clear dns-proxy cache all domain-name <domain_name>` (for a particular domain name or an entire list). To correct an error state in which the DNS Proxy cache and the Device-Server and Security rule already store different IP addresses, use the CLI command `debug device-server dump fqdn type resync vsys <vsys_name> fqdn-name <domain_name>`. |
| PAN-300025 | If Azure hotplug events occur, the firewall may experience a `brdagent` crash and data interfaces may transition to an unknown state, leading to traffic disruption. Workaround: Reboot the VM if the `brdagent` crash does not trigger a device reboot. |
| PAN-299562 | SSL proxy sessions fail when clients send a Client Hello that offers TLSv1.2 and TLSv1.3 and exclusively prefers the secp192 elliptic curve. Workaround: Configure a decryption profile that uses TLSv1.2 as the maximum supported TLS version, then apply this profile to the decryption policy rules for the affected clients and servers. This allows the client to modify its preferred curves so that the session is established successfully. |
| PAN-299387 | (NGFW Cluster) When an NGFW cluster has only one firewall node present and powered up, that node is stuck in the UNKNOWN state after you reboot it and it comes back up. The issue occurs in two scenarios: The expected behavior is that if no peer device is available (at the port autonegotiation or link level for HSCI-A or HSCI-B), the cluster device should go to the INITIAL state, followed by the ONLINE state (and not remain in the UNKNOWN state). Workaround: To avoid this issue, connect HSCI-A to HSCI-B in loopback to create a link partner. |
| PAN-299229 | On PA-5400 Series and PA-7500 Series firewalls, if you run certain types of CLI commands during or shortly after a commit, the commands time out. The affected command types are IoT, Cloud-User-ID, and App-ID Cloud Engine CLI commands. Workaround: Don't execute IoT, Cloud-User-ID, or App-ID Cloud Engine CLI commands during or shortly after a commit on a PA-5400 Series or PA-7500 Series firewall. |
| PAN-299170 | The remediation link included in the generated PDF of an upgrade check report might be truncated due to a text length limitation of the export function. The link remains fully functional on the Panorama web interface. |
| PAN-299114 | After you enable the Enable Duplicate Logging (Cloud and On-Premise) setting on a firewall, clicking Status for Cloud Logging does not display the logging service connection status. |
| PAN-298540 | (PA-5500 Series firewalls only) The Monitor tab in the web interface does not display a pop-up to indicate that high-speed log forwarding is enabled and that logs are only viewable from Panorama. |
| PAN-298083 | After you change the system mode on an M-700 appliance from Panorama mode to PAN-DB private cloud mode, the `snmpd` process fails to work. |
| PAN-298047 | In an AI Runtime Security environment, Azure Container outbound traffic is not functional: egress traffic is misdirected to an incorrect cluster node port. |
| PAN-297772 | When an Intel E810 NIC is configured in SR-IOV mode and its Virtual Functions (VFs) are shared among multiple HSF cluster nodes, rebooting a cluster node while traffic is active may disrupt traffic on the other HSF cluster nodes that use the same NIC. It is recommended not to share Intel E810 VFs across cluster nodes and to allocate one VF per Intel E810 PF. |
| PAN-297748 | The FIPS test fails to start after you issue the following command: `set deviceconfig setting management common-criteria self-test-schedule software-integrity start-time <time>` |
| PAN-297114 | After successfully generating a health check report for managed firewalls from Panorama, the progress bar does not appear and the latest health check reports are not displayed (Panorama > Device Deployment > Upgrade Check). Workaround: Manually refresh the page to see the latest reports. |
| PAN-294687 | (NGFW Clusters) In an NGFW cluster, the leader can't retrieve the HIP Report from Panorama or synchronize it to the non-leader nodes. Unlike HA Active/Passive mode, both leader and non-leader nodes receive traffic in cluster mode, so if the relevant HIP Report is missing, policies involving HIP may not work properly. The expected behavior is that when a non-leader node receives related traffic, it requests the corresponding HIP Report from the leader. |
| PAN-293754 | (NGFW Clusters) Firewalls in an NGFW cluster indicate they are in the ONLINE state even though their configurations are different (they aren't synchronized). Workaround: Push the configuration from Panorama to all cluster members at the same time; don't push to an individual firewall. If a cluster member isn't connected to Panorama during the push, the push fails for the disconnected firewall but succeeds for all connected firewalls. |
| PAN-293718 | When high speed logging is enabled on a PA-5560 device, the expected warning message is not displayed on the web interface. This prevents administrators from being notified that logs can only be viewed from Panorama. |
| PAN-292601 | PAN-OS 12.1.2 and later 12.1 releases support a Load Balanced DNS configuration for an address object. If two address objects have the same FQDN but one has Load Balanced DNS enabled and the other has it disabled, the policy match for the removed IP addresses doesn't work as expected. Workaround: Enable (or disable) Load Balanced DNS consistently for an FQDN that is used with multiple address objects. |
| PAN-290692 | In Host Compliance Service, when you create a 'Shared' type Host Compliance Object for the 'Disk-Encryption' category, the State drop-down is automatically selected and cannot be edited. However, you can change the state later by editing the object, if required. |
| PAN-289524 | In PAN-OS 12.1.2 and later 12.1 releases, PAN-OS can obtain resolved IP addresses from a Load Balanced DNS server and use them in a policy match. However, this does not work as intended when the DNS cache reuse flag is enabled: with that flag enabled, DNS resolution behaves as if the Load Balanced DNS flag (for an Address object) were disabled. |
| PAN-286496 | (NGFW Clusters) URL-continue and override-continue selections function like a general URL-block action. |
| PLUG-21065 | In a PA-VM or AI Runtime Security environment, the Software Firewall Orchestration plugin deployed with a VM-Flex license and configured with 8-14 GB of memory may experience traffic disruption when jumbo frames are enabled. It is recommended to disable jumbo frames on these lower-end VMs in version 12.1.2 by executing the command `set system setting jumbo-frame off`. |
| PLUG-19238 | Enabling Advanced Routing through bootstrap on VM-Series and Prisma AIRS is not supported. Workaround: After the firewall boots up, enable advanced routing with the CLI command `set device-management general-settings advance-routing yes` or enable it through the web interface. |