PAN-OS 10.0.12 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 10.0.12 Known Issues
Review the known issues specific to the PAN-OS 10.0.12 release.
The following list includes only outstanding known issues specific to PAN-OS®
10.0.11. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series
plugins, and WildFire®, as well as known issues that apply more generally or that are
not identified by an issue ID. For a complete list of existing and addressed known
issues in all PAN-OS 10.0 releases, see the Known Issues Related to PAN-OS 10.0 Releases.
Issue ID
|
Description
|
---|---|
—
|
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new
log fields (including for Device-ID, Decryption, and GlobalProtect)
are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send
the logs to CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.
|
—
|
Upgrading a PA-220 firewall takes up to an hour or more.
|
—
|
PA-220 firewalls are experiencing slower web interface and CLI
performance times.
|
—
|
Upgrading Panorama with a local Log Collector and Dedicated Log
Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to
six hours to complete due to significant infrastructure changes.
Ensure uninterrupted power to all appliances throughout the upgrade
process.
|
—
|
A critical System log is generated on the VM-Series firewall if the
minimum memory requirement for the model is not available.
|
APPORTAL-3313
|
Changes to an IoT Security subscription license take up to 24 hours
to have effect on the IoT Security app.
|
APPORTAL-3309
|
An IoT Security production license cannot be installed on a firewall
that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.
|
APL-8269
|
For data retrieved from Cortex Data Lake, the Threat Name column in PanoramaACCthreat-activity appears blank.
|
PLUG-380
|
When you rename a device group, template, or template stack in
Panorama that is part of a VMware NSX service definition, the new
name is not reflected in NSX Manager. Therefore, any ESXi hosts that
you add to a vSphere cluster are not added to the correct device
group, template, or template stack and your Security policy is not
pushed to VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.
|
WF500-5471
|
After using the firewall CLI to add a WildFire appliance with an IPv6
address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server
with the following command: debug software restart
process web-server.
|
PAN-204689
|
Upon upgrade to PAN-OS 10.0.12, the following GlobalProtect settings
do not work:
|
PAN-188052
|
Devices in FIPS-CC mode are unable to connect to servers utilizing
ECDSA-based host keys that impacts exporting logs (DeviceScheduled Log Export), exporting configurations (DeviceScheduled Config Export), or the scp export command in
the CLI.
Workaround: Use RSA-based host keys on the destination
server.
|
PAN-178194
|
A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering
Profile inaccessible on firewalls licensed for
Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to
function is unavailable displays at the bottom of
the UI. These errors do not affect the operation of Advanced URL
Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML
must be applied through the CLI. The following configuration
commands are available:
|
PAN-157444
|
As a result of a telemetry handling update, the Source Zone field in
the DNS analytics logs (viewable in the DNS Analytics tab within
AutoFocus) might not display correct results.
|
PAN-157327
|
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP)
filtering settings (DeviceSetupDLP) are not removed and cause commit errors for the
downgraded firewall if you do not uninstall the Enterprise DLP
plugin before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to remove the
Enterprise DLP filtering settings and complete the downgrade.
|
PAN-157103
|
Multi-channel functionality may not be properly utilized on an
VM-Series firewall deployed in VMware NSX-V after the service is
first deployed.
Workaround: Execute the command debug dataplane pow
status to view the number of channels being utilized
by the dataplane.
Per pan-task Netx statisticsCounter Name 1 2 3 4 5 6 Total---------------------------------------------ready_dvf 2 0 0 0 0 0 2 If multi-channel functionality is not working, disable your NSX-V
security policy and reapply it. Then reboot the VM-Series firewall.
When the firewall is back up, verify that multi-channel
functionality is working by executing the command debug
dataplane pow status. It should now show multiple
channels being utilized.
Per pan-task Netx statisticsCounter Name 1 2 3 4 5 6 Total---------------------------------------------ready_dvf 1 1 0 0 0 0 2 |
PAN-156645
|
If the SD-WAN interface was Down and it comes Up during a commit (for
example, if you configure it from Down to Auto), SD-WAN ignores the
change and keeps the link Down in the SD-WAN connection. In this
case, SD-WAN won't choose to send traffic to this link. If this is
the only link to the internet, this behavior may cause an outage,
including failure of the IKE negotiation between the Branch and Hub,
and such Tunnel will be down.
Workaround: Commit again or toggle the interface link Down and
Up; the SD-WAN statistics will be correct and the problem will
resolve.
|
PAN-156598
|
(Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection profile
in a shared device group, the shared profile custom signatures do
not populate in the other device groups when you configure a
combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.
|
PAN-154292
|
On the Panorama management server, downgrading from a PAN-OS 10.0
release to a PAN-OS 9.1 release causes Panorama commit (CommitCommit to Panorama) failures if a custom report (MonitorManage Custom Reports) is configured to Group By Session
ID.
Workaround: After successful downgrade, reconfigure the Group
By setting in the custom report.
|
PAN-154266
|
When an application matches an SD-WAN policy and some sessions for
the same application do not match an SD-WAN policy, the SD-WAN
Monitoring—Traffic Characteristics screen displays the Links Used
information with an SD-WAN policy and a null policy. Sessions that
do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a
default selection, create a catch-all SD-WAN policy rule and place
it last in the list of SD-WAN policies.
|
PAN-154034
|
On the Panorama management server, the Type column in the System logs (MonitorLogsSystem) for managed firewalls running a PAN-OS 9.1 release
erroneously display iot as the
type.
|
PAN-154032
|
On the Panorama management server, downgrading to PAN-OS 9.1 with the
Panorama plugin for Cisco TrustSec version 1.0.2 installed does not
automatically transform the plugin to be compatible with PAN-OS
9.1
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (PanoramaPlugins) of the Panorama plugin for Cisco TrustSec and then
reconfigure the plugin.
|
PAN-153803
|
On the Panorama management server, scheduled email PDF reports (MonitorPDF Reports) fail if a GIF image is used in the header or
footer.
|
PAN-153557
|
On the Panorama management server CLI, the overall report status for
a report query is marked as Done
despite reports generated from logs in the Cortex Data Lake (CDL)
from the PODamericas Collector Group jobs are still in a
Running state.
|
PAN-153068
|
The Bonjour Reflector option is supported on up to 16 interfaces. If
you enable it on more than 16 interfaces, the commit succeeds and
the Bonjour Reflector option is enabled only for the first 16
interfaces and ignored for any additional interfaces.
|
PAN-152825
|
On the Panorama management server, you cannot view the SD-WAN license
installed on an SD-WAN firewall (PanoramaDevice DeploymentLicenses).
Workaround:
Log in to the Panorama CLI
and enter the following command to view the SDWAN license
information for your managed firewalls.
|
PAN-152433
|
When you have an active/passive HA pair of PA-3200 Series firewalls
running PAN-OS 10.0.0 with NAT configured, if you upgrade one
firewall to PAN-OS 10.0.1, the firewall goes to non-functional state
due to a NAT oversubscription mismatch between the HA peers. The
same non-functional state results if both HA peers are running
PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.00. The upgraded or
downgraded firewall goes to non-functional state because PAN-OS
10.0.0 and 10.0.1 have different default NAT oversubscription
rates.
Workaround: After an upgrade or downgrade, modify the NAT
oversubscription rate on one firewall so that the rates on the HA
pair match.
|
PAN-151238
|
There is a known issue where M-100 appliances are able to download
and install a PAN-OS 10.0 release image even though the M-100
appliance is no longer supported after PAN-OS 9.1. (Refer to the
hardware end-of-life
dates.)
|
PAN-151198
|
On the Panorama management server, read-only Panorama administrators (PanoramaAdministrators) can load managed firewall configuration Backups (PanoramaManaged DevicesSummary).
|
PAN-151115
|
If a Security rule uses a IP Address External Dynamic List (EDL) for
IPv6 traffic, the information for the EDL does not display in the
Source EDL or Destination EDL columns in the logs.
|
PAN-151085
|
On a PA-7000 Series firewall chassis having multiple slots, when HA
clustering is enabled on an active/active HA pair, the session table
count for one of the peers can show a higher count than the actual
number of active sessions on that peer. This behavior can be seen
when the session is being set up on a non-cache slot (for example,
when a session distribution policy is set to round-robin or
session-load); it is caused by the additional cache lookup that
happens when HA cluster participation is enabled.
|
PAN-150801
|
Automatic quarantine of a device based on forwarding profile or log
setting does not work on the PA-7000 Series firewalls.
|
PAN-150515
|
After you install the device certificate on a new Panorama management
server, Panorama is not able to connect to the IoT Security edge
service.
Workaround: Restart Panorama to connect to the IoT Security
edge service.
|
PAN-150345
|
During updates to the Device Dictionary, the IoT Security service
does not push new Device-ID attributes (such as new device profiles)
to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in
the content update to the firewall.
|
PAN-150361
|
In an Active-Passive high availability (HA) configuration, an error
displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force
commit to sync the devices.
|
PAN-148971
|
If you enter a search term for Events that are related to IoT in the
System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the
Type Attribute to filter the logs and use
the search term as the Description Attribute.
For example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).
|
PAN-148924
|
In an active-passive HA configuration, tags for dynamic user groups
are not persistent after rebooting the firewall because the active
firewall does not sync the tags to the passive firewall during
failover.
|
PAN-146995
|
After downgrading a Panorama management server from PAN-OS 10.0 to
PAN-OS 9.1, the VLD and
logd processes may crash when
Panorama reboots.
Workaround: Panorama automatically restarts the
VLD and
logd processes.
|
PAN-146807
|
Changing the device group configured in a monitoring definition from
a child DG to a parent DG, or vice versa, might cause firewalls
configured in the child DG to lose IP tag mapping information
received from the monitoring definition. Only firewalls assigned to
the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group
that lost the IP tag mapping information.
|
PAN-146573
|
PA-7000 Series firewalls configured with a large number of interfaces
experience impacted performance and possible timeouts when
performing SNMP queries.
|
PAN-146485
|
On the Panorama management server, adding, deleting, or modifying the
upstream NAT configuration (PanoramaSD-WANDevices) does not display the branch template stack as
out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (PanoramaSD-WANDevices) does not display the hub and branch template stacks
as out of sync. For example, modifying
the BGP configuration on the branch firewall does not cause the hub
template stack to display as out of
sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack as
out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes
to all hub and branch firewalls in the VPN cluster containing the
firewall with the modified configuration.
|
PAN-145460
|
CN-MGMT pods fail to connect to the Panorama management server when
using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.
|
PAN-144889
|
On the Panorama management server, adding, deleting, or modifying the
original subnet IP, or adding a new subnet after you successfully
configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not
display the managed firewall templates (PanoramaManaged DevicesSummary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a
new subnet, push the template configuration changes to your managed
firewalls and Force Template Values (CommitPush to DevicesEdit Selections).
|
PAN-143132
| Fetching the device certificate from the Palo Alto
Networks Customer Support Portal (CSP) may fail and displays the
following error in the CLI: ERROR Failed to process
S1C msg: ErrorWorkaround: Retrying fetching
the device certificate from the Palo Alto Networks CSP. |
PAN-141630
|
Current performance limitation: single data plane use only. The
PA-5200 Series and PA-7000 Series firewalls that support 5G network
slice security, 5G equipment ID security, and 5G subscriber ID
security use a single data plane only, which currently limits the
firewall performance.
|
PAN-140959
|
The Panorama management server allows you to downgrade Zero Touch
Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases
where ZTP functionality is not supported.
|
PAN-140008
|
ElasticSearch is forced to restart when the
masterd process misses too many
heartbeat messages on the Panorama management server resulting in a
delay in a log query and ingestion.
|
PAN-136763
|
On the Panorama management server, managed firewalls display as
disconnected when installing a
PAN-OS software update (PanoramaDevice DeploymentSoftware) but display as
connected when you view your
managed firewalls Summary (PanoramaManaged DevicesSummary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.
|
PAN-136701
|
(PA-7000b Series firewalls only) Packets for new sessions
drop when handling predict sessions.
Workaround: Use the following CLi commands to bypass this
issue:
|
PAN-135742
|
There is an issue in HTTP2 session decryption where the App-ID in the
decryption log is the App-ID of the parent session (which is
web-browsing).
|
PAN-134053
|
ACC does not filter WildFire logs from Dynamic User Groups.
|
PAN-132598
|
The Panorama management server does not check for duplicate addresses
in address groups (ObjectsAddress Groups) and duplicate services in service groups (ObjectsService Groups) when created from the CLI.
|
PAN-130550
|
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series
firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using dynamic IP
(DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP)
translation on inter-vsys traffic.
|
PAN-127813
|
In the current release, SD-WAN auto-provisioning configures hubs and
branches in a hub and spoke model, where branches don’t communicate
with each other. Expected branch routes are for generic prefixes,
which can be configured in the hub and advertised to all branches.
Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub
advertise-list configuration.
|
PAN-127206
|
If you use the CLI to enable the cleartext option for the Include
Username in HTTP Header Insertion Entries feature, the
authentication request to the firewall may become unresponsive or
time out.
|
PAN-123277
|
Dynamic tags from other sources are accessible using the CLI but do
not display on the Panorama web interface.
|
PAN-123040
|
When you try to view network QoS statistics on an SD-WAN branch or
hub, the QoS statistics and the hit count for the QoS rules don’t
display. A workaround exists for this issue. Please contact Support
for information about the workaround.
|
PAN-121678
|
(PA-7000b Series only) The following error during secure
boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release()
function, it is broken and must be fixed.[ 2.026107] EFI:
Problem loading in-kernel X.509 certificate (-65)Maintenance
Mode filesystem size: 2.0G
|
PAN-120440
|
There is an issue on M-500 Panorama management servers where any
ethernet interface with an IPv6 address having Private PAN-DB-URL
connectivity only supports the following format:
2001:DB9:85A3:0:0:8A2E:370:2.
|
PAN-120423
|
PAN-OS 10.0.0 does not support the XML API for GlobalProtect
logs.
|
PAN-120303
|
There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address on the M-500
Panorama management server, even when you configured the Eth1/1
interface.
Workaround: Update the PAN-DB-URL IP address on the firewall
using one of the methods below.
|
PAN-116017
|
(Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg) file
when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the
bootstrap folder and complete the bootstrap process.
|
PAN-115816
|
(Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first boot up
the firewall.
Workaround: Reboot the firewall.
|
PAN-114495
|
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes:
DPDK (default) and MMAP. If you deploy a VM-Series firewall running
PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet
mode, the VM-Series firewall duplicates packets that originate from
or terminate on the firewall. As an example, if a load balancer or a
server behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the firewall
duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series
firewall using MMAP packet mode.
|
PAN-112694
|
(Firewalls with multiple virtual systems only) If you
configure dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the
drop-down, you must set the location for the Certificate Profile to
Shared. If you configure DDNS on an existing interface and then
create a new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.
|
PAN-112456
|
You can temporarily submit a change request for a URL Category with
three suggested categories; however, only two categories are
supported. Do not add more than two suggested categories to a change
request until we address this issue. If you submit more than two
suggested categories, only the first two categories in the change
request are evaluated.
|
PAN-112135
|
You cannot unregister tags for a subnet or range in a dynamic address
group from the web interface.
Workaround: Use an XML API request to unregister the tags for
the subnet or range.
|
PAN-111928
|
Invalid configuration errors are not displayed as expected when you
revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration,
Commit (CommitCommit to Panorama) the reverted configuration to display the invalid
configuration errors.
|
PAN-111866
|
The push scope selection on the Panorama web interface displays
incorrectly even though the commit scope displays as expected. This
issue occurs when one administrator makes configuration changes to
separate device groups or templates that affect multiple firewalls
and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
|
PAN-111729
|
If you disable DPDK mode and enable it again, you must immediately
reboot the firewall.
|
PAN-111670
|
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
|
PAN-110794
|
DGA-based threats shown in the firewall threat log display the same
name for all such instances.
|
PAN-109759
|
The firewall does not generate a notification for the GlobalProtect
client when the firewall denies an unencrypted TLS session due to an
authentication policy match.
|
PAN-109526
|
The system log does not correctly display the URL for CRL files;
instead, the URLs are displayed with encoded characters.
|
PAN-106675
|
After upgrading the Panorama management server to PAN-OS 8.1 or a
later release, predefined reports do not display a list of top
attackers.
Workaround: Create new threat summary reports (MonitorPDF ReportsManage PDF Summary) containing the top attackers to mimic the predefined
reports.
|
PAN-104780
|
If you configure a HIP object to match only when a connecting
endpoint is managed (ObjectsGlobalProtectHIP Objects<hip-object>GeneralManaged), iOS and Android endpoints that are managed by
AirWatch are unable to successfully match the HIP object and the HIP
report incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot correctly
identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable
to match HIP objects based on the endpoint serial number because
GlobalProtect gateways cannot identify the serial numbers of these
endpoints; these serial numbers do not appear in the HIP report.
|
PAN-103276
|
Adding a disk to a virtual appliance running Panorama 8.1 or a later
release on VMware ESXi 6.5 update1 causes the Panorama virtual
appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add
the disk again.
|
PAN-101688
|
(Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when you
remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the
following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all.
|
PAN-101537
|
After you configure and push address and address group objects in
Shared and vsys-specific device groups from the Panorama management
server to managed firewalls, executing the show log
<log-type> direction equal
<direction>
<dst> | <src> in
<object-name> command on a
managed firewall only returns address and address group objects
pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin>
set system target-vsys
<vsys-name>
admin>
show log <log-type> direction equal
<direction> query equal ‘vsys eq
<vsys-name>’
<dst> | <src> in
<object-name>
|
PAN-98520
|
When booting or rebooting a PA-7000 Series Firewall with the SMC-B
installed, the BIOS console output displays attempts to connect to
the card's controller in the System Memory Speed section. The
messages can be ignored.
|
PAN-97757
|
GlobalProtect authentication fails with an Invalid
username/password error (because the user is not
found in Allow List) after you enable
GlobalProtect authentication cookies and add a RADIUS group to the
Allow List of the authentication profile
used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure
group mapping from Active Directory (AD) through LDAP.
|
PAN-97524
|
(Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display
None after a Device Group and
Template administrator with read-only privileges performs a context
switch.
|
PAN-96446
|
A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management Only
mode.
|
PAN-95773
|
On VM-Series firewalls that have Data Plane Development Kit (DPDK)
enabled and that use the i40e network interface card (NIC), the
show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.
|
PAN-95511
|
The name for an address object, address group, or an external dynamic
list must be unique. Duplicate names for these objects can result in
unexpected behavior when you reference the object in a policy
rule.
|
PAN-95028
|
For administrator accounts that you created in PAN-OS 8.0.8 and
earlier releases, the firewall does not apply password profile
settings (DevicePassword Profiles) until after you upgrade to PAN-OS 8.0.9 or a later
release and then only after you modify the account passwords.
(Administrator accounts that you create in PAN-OS 8.0.9 or a later
release do not require you to change the passwords to apply password
profile settings.)
|
PAN-94846
|
When DPDK is enabled on the VM-Series firewall with i40e virtual
function (VF) driver, the VF does not detect the link status of the
physical link. The VF link status remains up, regardless of changes
to the physical link state.
|
PAN-94093
|
HTTP Header Insertion does not work when jumbo frames are received
out of order.
|
PAN-93968
|
The firewall and Panorama web interfaces display vulnerability threat
IDs that are not available in PAN-OS 9.0 releases (ObjectsSecurity ProfilesVulnerability Protection<profile>Exceptions). To confirm whether a particular threat ID is
available in your release, monitor the release notes for each new
Applications and Threats content update or check the Palo Alto
Networks Threat Vault to see the
minimum PAN-OS release version for a threat signature.
|
PAN-93607
|
When you configure a VM-500 firewall with an SCTP Protection profile (ObjectsSecurity ProfilesSCTP Protection) and you try to add the profile to an existing
Security Profile Group (ObjectsSecurity Profile Groups), the Security Profile Group doesn’t list the SCTP
Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the
SCTP Protection profile from there.
|
PAN-93532
|
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM
client, the web interface on the firewall displays the nCipher
server status as Not Authenticated, even though the HSM state is up (DeviceSetupHSM).
|
PAN-93193
|
The memory-optimized VM-50 Lite intermittently performs slowly and
stops processing traffic when memory utilization is critically high.
To prevent this issue, make sure that you do not:
Workaround: When the firewall performs slowly, or you see a
critical System log for memory utilization, wait for 5 minutes and
then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory
intensive tasks such as installing dynamic updates, committing
changes or generating reports, at the same time, on the
firewall.
|
PAN-91802
|
On a VM-Series firewall, the clear session all
CLI command does not clear GTP sessions.
|
PAN-83610
|
In rare cases, a PA-5200 Series firewall (with an FE100 network
processor) that has session offload enabled (default) incorrectly
resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using the
set session udp-off load no CLI
command.
|
PAN-83236
|
The VM-Series firewall on Google Compute Platform does not publish
firewall metrics to Google Stack Monitoring when you manually
configure a DNS server IP address (DeviceSetupServices).
Workaround: The VM-Series firewall on Google Cloud Platform
must use the DNS server that Google provides.
|
PAN-83215
|
SSL decryption based on ECDSA certificates does not work when you
import the ECDSA private keys onto an nCipher nShield hardware
security module (HSM).
|
PAN-81521
|
Endpoints failed to authenticate to GlobalProtect through Kerberos
when you specify an FQDN instead of an IP address in the Kerberos
server profile (DeviceServer ProfilesKerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.
|
PAN-77125
|
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don’t close offloaded sessions after
processing the associated traffic; the sessions remain open until
they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running the
set session off load no CLI command.
|
PAN-75457
|
In WildFire appliance clusters that have three or more nodes, the
Panorama management server does not support changing node roles. In
a three-node cluster for example, you cannot use Panorama to
configure the worker node as a controller node by adding the HA and
cluster controller configurations, configure an existing controller
node as a worker node by removing the HA configuration, and then
commit and push the configuration. Attempts to change cluster node
roles from Panorama results in a validation error—the commit fails
and the cluster becomes unresponsive.
|
PAN-73530
|
The firewall does not generate a packet capture (pcap) when a Data
Filtering profile blocks files.
|
PAN-73401
|
When you import a two-node WildFire appliance cluster into the
Panorama management server, the controller nodes report their state
as out-of-sync if either of the following conditions exist:
Workaround: There are three possible workarounds to sync the
controller nodes:
|
PAN-70906
|
If the PAN-OS web interface and the GlobalProtect portal are enabled
on the same IP address, then when a user logs out of the
GlobalProtect portal, the administrative user is also logged out
from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.
|
PAN-69505
|
When viewing an external dynamic list that requires client
authentication and you Test Source URL, the
firewall fails to indicate whether it can reach the external dynamic
list server and returns a URL access error (ObjectsExternal Dynamic Lists).
|
PAN-41558
|
When you use a firewall loopback interface as a GlobalProtect gateway
interface, traffic is not routed correctly for third-party IPSec
clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway interface
for third-party IPSec clients. Alternatively, configure the loopback
interface that is used as the GlobalProtect gateway to be in the
same zone as the physical ingress interface for third-party IPSec
traffic.
|
PAN-40079
| The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality. |
PAN-39636
|
Regardless of the Time Frame you specify for a
scheduled custom report on a Panorama M-Series appliance, the
earliest possible start date for the report data is effectively the
date when you configured the report (MonitorManage Custom Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to
Last 30 Days, the report that Panorama
generates on the 16th will include only data from the 15th onward.
This issue applies only to scheduled reports; on-demand reports
include all data within the specified Time
Frame.
Workaround: To generate an on-demand report, click
Run Now when you configure the custom
report.
|
PAN-38255
| When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command. |
PAN-31832
|
The following issues apply when configuring a firewall to use a
hardware security module (HSM):
|