Next-Generation Firewall
PAN-OS 12.1.4 Known Issues
PAN-OS® 12.1.4 known issues.
The following list includes only outstanding known issues specific to PAN-OS 12.1.4.
| Issue ID | Description |
|---|---|
| PAN-314201 | On firewalls running PAN-OS 12.1, IPsec VPN tunnels to third-party peer devices may experience intermittent traffic loss during rekey operations. When a new Security Association (SA) forms before the old SA expires, traffic may stop flowing until the older SA naturally expires or you manually clear it. During this time, the output of `show vpn ipsec-sa` may show two SAs for the same proxy ID. This issue primarily affects tunnels to third-party peer devices and does not occur with Palo Alto Networks to Palo Alto Networks tunnels. Workaround: Manually clear the affected Security Association using the command `clear vpn ipsec-sa tunnel <tunnel-name>` to restore connectivity. |
| PAN-312706 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | Firewalls may restart unexpectedly due to an internal error in content inspection processing. This issue can occur when the firewall is performing antivirus scanning, URL filtering, or WildFire analysis. |
| PAN-309604 | (PA-5500 series only) In some rare cases, the front panel PSU status LED might show amber, even when the LEDs on the PSU show green. |
| PAN-309602 | (PA-5500 series only) When the firewall is initially powered on, the FAN-0 LED does not turn on. The fan functions correctly, but the LED doesn't reflect the status. Workaround: Remove and reinsert the fan to turn on the LED. |
| PAN-305880 | (PA-7500 firewalls only) Intermittent internet connectivity failures on the logging interface might trigger a dataplane disconnect from Strata Logging Service (SLS) and WildFire cloud. |
| PAN-305301 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | The timing of GlobalProtect lifetime expiry or inactivity logout notifications used for GlobalProtect SSL tunnels may cause the pan_task process to stop responding and the dataplane to restart. Workaround: Select Network > GlobalProtect > Gateways > `<gateway-config>` > Agent > `<agent-config>` > Connection Settings and change the value of both Notify Before Lifetime Expires (min) and Notify Before Inactivity Logout (min) to 0. |
| PAN-304576 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | Traffic interruption may occur when inspection of HTTP/2 traffic is enabled. Workaround: Disable HTTP/2 server push using the `set deviceconfig setting http2 server-push no` CLI command. |
| PAN-303959 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | Traffic that is incorrectly identified as unknown-tcp/unknown-udp eventually drops due to an App-ID resource limitation issue. |
| PAN-303663 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | After upgrading to an affected release, SNMP monitoring systems such as SolarWinds may report 100% usage for hardware packet buffers on PA-3400 Series and PA-5450 firewalls, even when the firewall is idle and packet buffer utilization is normal. The packet buffer utilization OID is fixed to not show incorrect values. |
| PAN-300850 | Manual scheduling of cloud verdicts is required if a new host in a Host Compliance Service-enabled environment has a refresh event entry without a corresponding update event entry. |
| PAN-300809 | Host Compliance Service connectivity does not work when it connects through a management IP address that is configured in DHCP mode. |
| PAN-300677 | Panorama cannot display Threat log entries (Monitor > Logs > Threat) when the managed log collector is running a lower PAN-OS release than Panorama. Workaround: Upgrade the log collectors to the same version as Panorama. |
| PAN-300627 | AutoCommit fails when the Traffic Object is used on AI Runtime Security, which consequently impacts the workloads that utilize overlapping subnets. |
| PAN-300483 | (PA-7500 firewall only) Enabling FIPS-CC mode causes the firewall to go into maintenance mode. Workaround: After the firewall goes into maintenance mode, perform an additional reboot. The firewall will successfully start up in FIPS-CC mode. |
| PAN-300467 | WildFire WF-500 appliances running PAN-OS 10.x or PAN-OS 11.x cannot be managed by Panorama running PAN-OS 12.1.2 due to connectivity issues. Workaround: Upgrade your WildFire appliances to PAN-OS 12.1.2 or later. |
| PAN-300407 | The Release Note URL column in the Panorama > Plugins page is empty. Release Notes for the plugins are available in the plugins release notes or in their individual product release notes. |
| PAN-300230 | (NGFW Cluster) In an NGFW cluster, your pings to the HSCI-B link might fail, even when the link indicates it is up. If the HSCI-A link is brought down or unplugged, the cluster node transitions to the failed state, avoiding split brain because both HSCI links are down in this case. Workaround: Reboot the cluster node to resolve the HSCI-B ping issue. |
| PAN-300192 | If the Host Compliance Service is configured with a service route pointing to an unreachable IP address, the gp_broker process may stop working when you enable or disable the Host Compliance Service. |
| PAN-300114 | A VM entered maintenance mode during a downgrade from version 12.1.2 to 11.2.7 when the downgrade was executed through the CLI. Workaround: Download and install the required version of PAN-OS through the UI instead of the CLI. |
| PAN-300069 | (PA-410 firewall only) Loading a saved config file can take up to 5 minutes. |
| PAN-300053 | When you use the CLI command `request system fqdn refresh` to trigger another IP address resolution of configured FQDN entries, the firewall might get into an error state where the DNS Proxy cache received and stored a new IP address for a particular FQDN entry via this command, but the Device-Server (and the Security rule) still have the old IP address for that FQDN entry. Workaround: Avoid using the CLI command `request system fqdn refresh`. Use the following command instead (for a particular domain name or an entire list): `clear dns-proxy cache all domain-name <domain_name>`. To correct the error state where the DNS Proxy cache and the Device-Server and Security rule are already storing different IP addresses, use the following CLI command: `debug device-server dump fqdn type resync vsys <vsys_name> fqdn-name <domain_name>` |
| PAN-300025 | If Azure hotplug events occur, the firewall may experience a brdagent crash and data interfaces may transition to an unknown state, leading to traffic disruption. Workaround: Reboot the VM if the brdagent crash does not trigger a device reboot. |
| PAN-299562 | SSL proxy sessions fail when clients send a Client Hello with TLSv1.2 and TLSv1.3, and exclusively prefer the secp192 elliptic curve. Workaround: Configure a decryption profile to use TLSv1.2 as the maximum supported TLS version, then apply this profile to the decryption policy rules for the affected clients and servers. This enables the client to modify its preferred curves, facilitating successful session establishment. |
| PAN-299387 | (NGFW Cluster) When an NGFW cluster has only one firewall node present and powered up, that node is stuck in UNKNOWN state after you reboot it and it comes back up. The issue occurs in two scenarios: The expected behavior is that if no peer device is available (at a port autonegotiation or link level for HSCI-A or HSCI-B), then a cluster device should go to INITIAL state, followed by ONLINE state (and not remain in UNKNOWN state). Workaround: To avoid this issue, connect the HSCI-A to HSCI-B in loopback to create a link partner. |
| PAN-299229 | On PA-5400 Series and PA-7500 Series firewalls, if you run certain types of CLI commands during or shortly after a commit, the commands will time out. The types of CLI commands impacted by this issue are IoT, Cloud-User-ID, and App-ID Cloud Engine CLI commands. Workaround: Don't execute IoT, Cloud-User-ID, or App-ID Cloud Engine CLI commands during or shortly after a commit on a PA-5400 Series or PA-7500 Series firewall. |
| PAN-299170 | The remediation link included in the generated PDF of an upgrade check report might be pruned due to a text length limitation of the export function. The link remains fully functional and works correctly on the Panorama web interface. |
| PAN-299114 | After you enable the Enable Duplicate Logging (Cloud and On-Premise) setting on a firewall, clicking Status for Cloud Logging does not display the logging service connection status. |
| PAN-298540 | (PA-5500 Series firewalls only) The Monitor tab in the Web Interface does not display a pop-up to indicate that high-speed log forwarding is enabled and that logs are only viewable from Panorama. |
| PAN-298505 | After upgrading multi-vsys firewalls, the sequence of the virtual system IDs (vsys ID) changes, causing autocommit failures with validation errors. This occurs when the multi-vsys firewall has virtual systems created and managed via Panorama, and the vsys ID sequence is broken because an unused virtual system was deleted and the change was pushed to the firewall. |
| PAN-298083 | After you change the system mode on an M-700 appliance from Panorama mode to PAN-DB private cloud mode, the snmpd process fails to work. |
| PAN-298047 | In an AI Runtime Security environment, the Azure Container outbound traffic does not seem to be functional and the egress traffic is being misdirected to an incorrect cluster node port. |
| PAN-297772 | When an Intel e810 NIC is configured in SR-IOV mode, sharing Virtual Functions (VFs) among multiple HSF cluster nodes and subsequently rebooting a cluster node while traffic is active may result in traffic disruption on other HSF cluster nodes utilizing the same NIC. It is recommended to refrain from sharing Intel e810 VFs across cluster nodes and to allocate one VF per Intel e810 PF. |
| PAN-297610 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | A firewall may become unresponsive after an upgrade because the `fsck` command scans drive partitions in parallel with the root partition, causing the process to take an extended amount of time. |
| PAN-297114 | After successfully generating a health check report for managed firewalls from Panorama, the progress bar does not appear and the latest health check reports are not displayed (Panorama > Device Deployment > Upgrade Check). Workaround: Manually refresh the page to see the latest reports. |
| PAN-295803 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | A configd memory leak occurs post commit (during Panorama connectivity check), potentially leading to OOM (out of memory condition) and device reboot. |
| PAN-294687 | (NGFW Clusters) In an NGFW cluster, the leader can't retrieve the HIP Report from Panorama, nor synchronize it to the non-leader nodes. Unlike HA Active/Passive mode, both leader and non-leader nodes receive traffic in cluster mode. If the relevant HIP Report is missing, policies involving HIP may not work properly. The expected behavior is that when a non-leader node receives related traffic, it should request the corresponding HIP Report from the leader. |
| PAN-293754 | (NGFW Clusters) Firewalls in an NGFW cluster indicate they are in ONLINE state even though their configurations are different (they aren't synchronized). Workaround: Push the configuration from Panorama to all cluster members at the same time; don't push to an individual firewall. If a cluster member isn't connected to Panorama during the push, the push will fail to the disconnected firewall, but will succeed to all connected firewalls. |
| PAN-293718 | When high speed logging is enabled on a PA-5560 device, the expected warning message is not displayed on the web interface. This prevents administrators from being notified that logs can only be viewed from Panorama. |
| PAN-292601 | PAN-OS 12.1.2 and later 12.1 releases support a Load Balanced DNS configuration for an address object. If there are two address objects with the same FQDN, but one object has Load Balanced DNS enabled and the other object has Load Balanced DNS disabled, then the policy match for the removed IP addresses doesn't work as expected. Workaround: Enable (or disable) Load Balanced DNS consistently for an FQDN that is used with multiple address objects. |
| PAN-290692 | In Host Compliance Service, when you create a 'Shared' type Host Compliance Object for the 'Disk-Encryption' category, the State drop-down is automatically selected and cannot be edited. However, you can change the state later by editing the object, if required. |
| PAN-289524 | In PAN-OS 12.1.2 and later 12.1 releases, PAN-OS can obtain resolved IP addresses from a Load Balanced DNS server and use them in a policy match. However, this functionality does not work as intended when the DNS cache reuse flag is enabled. When the DNS cache reuse flag is enabled, the DNS resolution works as if the Load Balanced DNS flag (for an Address object) is disabled. |
| PAN-286496 | (NGFW Clusters) URL-continue and override continue selections will function like a general URL-block action. |
| PAN-283429 | When you use custom certificates for the connection between Panorama and a log collector, the automated renewal for the predefined ElasticSearch certificates gets disrupted. Workaround: Remove the custom certificates before the ElasticSearch certificates expire. This allows the system to correctly identify and renew the predefined ElasticSearch certificates. After the renewal is complete, re-install the custom certificates. |
| PAN-283053 (This issue is now resolved. See PAN-OS 12.1.5 Addressed Issues.) | (PA-7000 Series with Log Forwarding Card only) When the firewall is configured to forward logs to an external log collector or Strata Logging Service, the firewall root partition may reach high disk utilization, which can cause the firewall to become non-functional. This occurs when the log collector is temporarily unavailable or unable to process logs at the rate the firewall is sending them. Workaround: To help prevent this issue, ensure network connectivity between the firewall and log collector is stable and verify that the log collector has sufficient capacity to handle the volume of logs generated by your deployment. |
| PAN-237106 | LSVPN satellite certificates may be generated with serial numbers exceeding 40 hexadecimal characters. This causes certificate revocation and deletion operations to fail with the following error messages: To resolve this issue, use the following CLI commands with the LSVPN satellite serial number to manually delete or revoke the affected certificates. Delete certificate information: `delete sslmgr-store certificate-info portal name <name> serialno <satellite_serial>`. Revoke satellite certificates: `delete sslmgr-store satellite-info-revoke-certificate portal <name> serialno <list_of_satellite_serials>` |
| PLUG-21065 | In a PA-VM or AI Runtime Security environment, it is observed that the Software Firewall Orchestration plugin deployed with a VM-Flex license and configured with 8-14 GB of memory may encounter traffic disruptions when jumbo frames are enabled. It is recommended to disable jumbo frames on these lower-end VMs in version 12.1.2 by executing the command `set system setting jumbo-frame off`. |
| PLUG-19238 | Enabling Advanced Routing through bootstrap on VM-Series and Prisma AIRS is not supported. Workaround: After the firewall boots up, enable advanced routing using the CLI command `set device-management general-settings advance-routing yes` or enable advanced routing through the UI. |
| DRS-6556 | For Host Compliance Service, while configuring Mappings & Tags in CIE and when you click on the HIP Report tab, the following error message is displayed even when the response is successful: `getaddrinfo ENOTFOUND null` |