On firewalls running PAN-OS 12.1, IPsec VPN tunnels to third-party peer devices may experience intermittent traffic loss during rekey operations. When a new Security Association (SA) forms before the old SA expires, traffic may stop flowing until the older SA naturally expires or you manually clear it. During this time, the output of show vpn ipsec-sa may show two SAs for the same proxy ID. This issue primarily affects tunnels to third-party peer devices and does not occur with Palo Alto Networks to Palo Alto Networks tunnels.

Workaround: Manually clear the affected Security Association using the command clear vpn ipsec-sa tunnel <tunnel-name> to restore connectivity.

(PA-7500 series only) PA-7500 series firewalls running PAN-OS 12.1.5 release do not support encryption on HA1 and HA1-backup interfaces. As a result, attempting to execute the request high-availability session-reestablish command will fail with the following error.

ERROR: Encryption is not enabled for HA

(PA-5500 Series firewalls in cluster configurations only) When a firewall node is removed from a PA-5500 Series cluster, after the cluster commit and reboot, the node starts in standalone mode with a default virtual wire (vwire) configuration loaded. This default configuration is missing zone assignments for ports eth1/1 and eth1/2, which causes commit operations to fail. Even if zones are manually assigned to these ports, subsequent commit attempts will fail with a no UUId for rule1 error.

Workaround: To resolve this, either:

On firewalls with TPM (Trusted Platform Module) support, device certificate renewals may fail due to a disk partition being full. This latter occurs because temporary files aren't being deleted during device certificate status checks.

In generated PDF upgrade check reports, long remediation URLs might be truncated due to UI framework export limitations, leaving only the first line hyperlinked. However, these links remain fully functional within the Panorama web interface. The PDF link directs to the correct destination if the complete URL is copied from the PDF and pasted in the browser.

(PA-5500 series only) In some rare cases, the front panel PSU status LED might show amber, even when the LEDs on the PSU show green.

(PA-5500 series only) When the firewall is initially powered on, the FAN-0 LED does not turn on. The fan functions correctly, but the LED doesn't reflect the status.

Workaround: Remove and reinsert the fan to turn on the LED.

Packets are dropped on SD-WAN interfaces if they require fragmentation for an interface but have the Don't Fragment (DF) bit set. This results in unexpected packet drops. This affects client to server sessions when using SD-WAN for NGFW.

Workaround: Allow fragmenting packets with DF bit set (debug dataplane set ip4-ignore-df yes).

Strata Logging Service (SLS) log-forwarding streams intermittently show as inactive. When checking the status of log-forwarding connections, one or more streams are reported as inactive. Restarting the log-receiver process temporarily resolves the issue, but the streams become inactive again after approximately 1-2 hours. This intermittent inactivity results in log loss.

Manual scheduling of cloud verdicts is required if a new host in an Host Compliance Service-enabled environment has a refresh event entry without a corresponding update event entry.

Host Compliance Service connectivity will not work if it is connected with management IP which is configured with DHCP mode.

Panorama cannot display Threat log entries (Monitor > Logs > Threat) when the managed log collector is running a lower PAN-OS release than Panorama.

Workaround: Upgrade the log collectors to the same version as Panorama.

AutoCommit fails when the Traffic Object is used on AI Runtime Security, which consequently impacts the workloads that utilize overlapping subnets.

(PA-7500 firewall only) Enabling FIPS-CC mode causes the firewall to go into maintenance mode.

Workaround: After the firewall goes into maintenance mode, perform an additional reboot. The firewall will successfully start up in FIPS-CC mode.

WildFire WF-500 appliances running PAN-OS 10.x or PAN-OS 11.x cannot be managed by Panorama running PAN-OS 12.1.2 due to connectivity issues.

Workaround: Upgrade your WildFire appliances to PAN-OS 12.1.2 or later.

The Release Note URL column in the Panorama > Plugins page is empty.

Release Notes for the plugins are available in the plugins release notes or in their individual product release notes.

(NGFW Cluster) In an NGFW cluster, your pings to the HSCI-B link might fail, even when the link indicates it is up. In the event that the HSCI-A link is brought down or unplugged, the cluster node will transition to failed state, avoiding split brain as both HSCI links are down in this case.

Workaround: Reboot the cluster node to resolve the HSCI-B ping issue.

If the Host Compliance Service is configured with a service route pointing to an unreachable IP address, the gp_broker process may stop working when you enable-disable the Host Compliance Service.

VM entered maintenance mode during a downgrade from version 12.1.2 to 11.2.7, when executed through the CLI.

Workaround: Download and install the required version of PAN-OS through the UI instead of the CLI.

(PA-410 firewall only) Loading a saved config file can take up to 5 minutes.

When you use the CLI command request system fqdn refresh to trigger another IP address resolution of configured FQDN entries, the firewall might get into an error state where the DNS Proxy cache received and stored a new IP address for a particular FQDN entry via this command. However, the Device-Server (and the Security rule) still have the old IP address for that FQDN entry.

Workaround: Avoid using the CLI command: request system fqdn refresh. Use the following command instead (for a particular domain-name or an entire list): clear dns-proxy cache all domain-name <domain_name>. To correct the error state where the DNS Proxy cache and Device-Server and Security rule are already storing different IP addresses, use the following CLI command: debug device-server dump fqdn type resync vsys <vsys_name> fqdn-name <domain_name>

If Azure hotplug events occur, the firewall may experience a brdagent crash and data interfaces may transition to an unknown state, leading to traffic disruption.

Workaround: Reboot the VM if the brdagent crash does not trigger a device reboot.

SSL proxy sessions fail when clients send a Client Hello with TLSv1.2 and TLSv1.3, and exclusively prefer the secp192 elliptic curve.

Workaround: To address this, configure a decryption profile to use TLSv1.2 as the maximum supported TLS version. Then, apply this profile to the decryption policy rules for the affected clients and servers. This enables the client to modify its preferred curves, facilitating successful session establishment.

(NGFW Cluster) When an NGFW cluster has only one firewall node present and powered up, that node is stuck in UNKNOWN state after you reboot it and it comes back up. The issue occurs in two scenarios:

The expected behavior is that if no peer device is available (at a port autonegotiation or link level for HSCI-A or HSCI-B), then a cluster device should go to INITIAL state, followed by ONLINE state (and not remain in UNKNOWN state).

Workaround: To avoid this issue, connect the HSCI-A to HSCI-B in loopback to create a link partner.

On PA-5400 Series and PA-7500 Series firewalls, if you run certain types of CLI commands during or shortly after a commit, the commands will time out. The types of CLI commands impacted by this issue are IoT, Cloud-User-ID, and App-ID Cloud Engine CLI commands.

Workaround: Don't execute IoT, Cloud-User-ID, or App-ID Cloud Engine CLI commands during or shortly after a commit on a PA-5400 Series or PA-7500 Series firewall.

The remediation link included in the generated PDF of an upgrade check report might be pruned due to a text length limitation of the export function. The link remains fully functional and works correctly on the Panorama web interface.

After you enable the Enable Duplicate Logging (Cloud and On-Premise) setting on a firewall, clicking Status for Cloud Logging, does not display the logging service connection status.

(PA-5500 Series firewalls only) The Monitor tab in the Web Interface does not display a pop-up to indicate that high-speed log forwarding is enabled and that logs are only viewable from Panorama.

After you change the system mode on an M-700 appliance from Panorama mode to PAN-DB private cloud mode, the snmpd process fails to work.

In an AI Runtime Security environment, the Azure Container outbound traffic does not seem to be functional and the egress traffic is being misdirected to an incorrect cluster node port.

When an Intel e810 NIC is configured in SR-IOV mode, sharing Virtual Functions (VFs) among multiple HSF cluster nodes and subsequently rebooting a cluster node while traffic is active may result in traffic disruption on other HSF cluster nodes utilizing the same NIC. It is recommended to refrain from sharing Intel e810 VFs across cluster nodes and to allocate one VF per Intel e810 PF.

After successfully generating a health check report for managed firewalls from Panorama, the progress bar does not appear and the latest health check reports are not displayed (Panorama > Device Deployment > Upgrade Check).

Workaround: Manually refresh the page to see the latest reports.

(NGFW Clusters) In an NGFW cluster, the leader can't retrieve the HIP Report from Panorama, nor synchronize it to the non-leader nodes. Unlike HA Active/Passive mode, both leader and non-leader nodes receive traffic in cluster mode. If the relevant HIP Report is missing, policies involving HIP may not work properly. The expected behavior is that when a non-leader node receives related traffic, it should request the corresponding HIP Report from the leader.

(NGFW Clusters) Firewalls in an NGFW cluster indicate they are in ONLINE state even though their configurations are different (they aren't synchronized).

Workaround: Push the configuration from Panorama to all cluster members at the same time; don't push to an individual firewall. If a cluster member isn't connected to Panorama during the push, the push will fail to the disconnected firewall, but will succeed to all connected firewalls.

When high speed logging is enabled on a PA-5560 device, the expected warning message is not displayed on the web interface. This prevents administrators from being notified that logs can only be viewed from Panorama.

PAN-OS 12.1.2 and later 12.1 releases support a Load Balanced DNS configuration for an address object. If there are two address objects with same FQDN, but one object has Load Balanced DNS enabled and other object has Load Balanced DNS disabled, then the policy match for the removed IP addresses doesn't work as expected.

Workaround: Enable (or disable) Load Balanced DNS consistently for an FQDN that is used with multiple address objects.

In Host Compliance Service, when you create a 'Shared' type Host Compliance Object for the 'Disk-Encryption' category, the State drop-down is automatically selected and cannot be edited. However, you can change the state later by editing the object, if required.

In PAN-OS 12.1.2 and later 12.1 releases, PAN-OS can obtain resolved IP addresses from a Load balanced DNS server and use them in a policy match. However, this functionality does not work as intended when the DNS cache reuse flag is enabled. When the DNS cache reuse flag is enabled, the DNS resolution works as if the Load balanced DNS flag (for an Address object) is disabled.

(NGFW Clusters) URL-continue and override continue selections will function like a general URL-block action.

When you use custom certificates for the connection between Panorama and a log collector, the automated renewal for the predefined ElasticSearch certificates gets disrupted.

Workaround: Remove the custom certificates before the ElasticSearch certificates expire. This allows the system to correctly identify and renew the predefined ElasticSearch certificates. After the renewal is complete, re-install the custom certificates.

LSVPN satellite certificates may be generated with serial numbers exceeding 40 hexadecimal characters. This causes certificate revocation and deletion operations to fail with the following error messages:

To resolve this issue, use the following CLI commands with the LSVPN satellite serial number to manually delete or revoke the affected certificates:

Delete certificate information:delete sslmgr-store certificate-info portal name <name> serialno <satellite_serial>

Revoke satellite certificates:delete sslmgr-store satellite-info-revoke-certificate portal <name> serialno <list_of_satellite_serials>

In a PA-VM or AI Runtime Security environment, it is observed that the Software Firewall Orchestration plugin deployed with a VM-Flex license and configured with 8-14 GB of memory may encounter traffic disruptions when jumbo frames are enabled. It is recommended to disable jumbo frames on these lower-end VMs in version 12.1.2 by executing the command: set system setting jumbo-frame off.

Enabling Advanced Routing through bootstrap on VM-Series and Prisma AIRS is not supported.

For Host Compliance Service, while configuring Mappings & Tags in CIE and when you click on the HIP Report tab, the following error message is displayed even when the response is successful: