End-of-Life (EoL)
Limitations
What are the limitations related to PAN-OS 10.0 releases?
The following are limitations associated with PAN-OS 10.0.
Issue ID | Description |
---|---|
— This limitation is now resolved. See PAN-146030 in PAN-OS 10.0.2 Addressed Issues. | If you use a proxy to transmit logs between the firewall and Cortex Data Lake (CDL), you can only transmit session logs after you upgrade to PAN-OS 10.0.0; transmitting Enhanced Application Logs (EAL logs) with a proxy is not currently supported. If you want to upgrade to PAN-OS 10.0.0 and are unable or do not want to reconfigure your network without the proxy, you must disable EAL log forwarding globally and in the log forwarding profile because the new service route for EAL logs does not currently support proxies. If you choose this option, features for Cortex XDR and IoT Security are not fully functional because they require EAL logs in addition to session logs. Using proxies to transmit EAL logs between the firewall and CDL will be supported in a future PAN-OS version. |
— | Firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes into maintenance mode, check the errors and warnings in the fips.log file. A reboot always occurs during an upgrade, so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window. |
APL-11339 | (PAN-OS 10.0.2 and later 10.0 releases) GTP and SCTP predefined reports on Cortex Data Lake logs are not supported. |
PAN-182912 | Due to a change in default root partition threshold, PAN-OS may print a critical log on a PA-7050 stating that disk usage has exceeded the limit. Workaround: Replace the first-generation PA-7050 SMC (Switch Management Card) with the second-generation SMC-B. |
PAN-174784 | Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (Monitor > Manage Custom Reports) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day. |
PAN-174442 | When a Certificate Profile (Device > Certificate Management > Certificate Profile) is configured to Block session if certificate status cannot be retrieved within timeout, the firewall allows client certificate validation to go through even if the CRL Distribution Point or OCSP Responder is unreachable. Workaround: You must also enable Block session if certificate status is unknown to ensure Block session if certificate status cannot be retrieved within timeout is effective. |
PAN-174038 | In an SD-WAN configuration, when a GlobalProtect Gateway is terminated on a loopback interface, if the tunnel protocol is UDP-encapsulated ESP (IPSec), the return traffic from the Gateway toward the client is load-balanced across all of the SD-WAN member interfaces and cannot be subjected to an SD-WAN policy. |
PAN-172144 | On a Panorama management server deployed on VMware ESXi that is managing Dedicated Log Collectors, filtering traffic logs (Monitor > Logs > Traffic) using the (time_generated_geq) filter does not return results for the specified Generate Time if the Dedicated Log Collectors are in different time zones. Workaround: Configure the same time zone for the Dedicated Log Collectors you are querying. |
PAN-170979 | You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later release. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group. |
PAN-160782 | (PAN-OS 10.0.5 and later 10.0 releases) BGP supports a maximum of 255 AS numbers in an AS_PATH list for a prefix. |
PAN-159293 This limitation is now resolved. See PAN-OS 10.0.7 Addressed Issues. | A Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format may erroneously return errors on VM-Series firewalls even though the firewall can successfully pull the CRL to verify that the syslog server certificate is still valid. |
PAN-158548 | (PAN-OS 10.0.3 and later 10.0 releases) When you configure SD-WAN DIA AnyPath with a Traffic Distribution profile that lists link tags for hub virtual interfaces, the commit fails if the Traffic Distribution profile is shared. Workaround: Remove shared Traffic Distribution profiles and create them as Traffic Distribution profiles for an individual Panorama Device Group. |
PAN-158304 | On the Panorama management server, forwarded logs (Monitor > Logs > Traffic) do not display if the latency between the Log Collectors exceeds 10ms when the Log Collectors in a Collector Group (Panorama > Collector Groups) are located on different Local Area Networks (LANs). Workaround: When deploying your Log Collectors in a Collector Group, ensure they are both deployed on the same LAN or that the latency between Log Collectors in the Collector Group does not exceed 10ms. |
PAN-157443 | (PAN-OS 10.0.2 and later 10.0 releases) If the number of SD-WAN policies is close to capacity, sometimes renaming a policy results in the following error: SD-WAN policy capacity exceeded by editing rule ‘xxxxxx’. Delete the rule and add again to fix. If deleting the rule and adding it again doesn’t work, take the following steps: |
PAN-156322 | (PAN-OS 10.0.2 and later 10.0 releases) If you configure a PA-220 firewall as an SD-WAN branch or hub with an Error Correction Profile for FEC or packet duplication, the branch or hub achieves little or no performance gain due to the CPU limitations on a PA-220 firewall. |
PAN-155812 | Only Selected Zone is supported for SaaS Application Usage reports (Monitor > PDF Reports > SaaS Application Usage) generated from logs in the Cortex Data Lake (CDL). |
PAN-153803 | On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer. |
PAN-153727 | When using the Chrome browser on an Apple Mac laptop, firewalls managed by a Panorama management server running PAN-OS 10.0.1 may not display when you Edit Selections (Commit > Commit and Push or Commit > Push to Devices) when you push a configuration change to managed firewalls. Workaround: Log in to the Panorama web interface using the Safari browser or manually adjust the size of the Push Scope Selection window until the managed firewalls are displayed. |
PAN-149426 This limitation is now resolved. See PAN-OS 10.0.1 Addressed Issues. | Non-superuser administrators with all rights enabled cannot Review Policies or Review Apps for downloaded or installed content versions. |
PAN-146573 | PA-7000 Series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries. |
PAN-146360 | If your multiple plugin deployment includes a device group that contains VM-Series firewalls deployed on VMware NSX and VM-Series firewalls deployed on another environment, such as AWS, Azure, or vCenter, pushing policy created for the VM-Series firewall on VMware NSX to non-NSX firewalls is not supported and returns the following error: Details: Workaround: Before you push policy to the non-NSX firewalls in your device group, you must disable the NSX policy rules. |
PAN-144864 | The Data Processing Card (DPC-A) is incompatible with a PA-7000 Series firewall using the default session distribution policy (ingress-slot). |
PAN-142331 | Firewalls with hyperscan signatures configured do not support downgrade to PAN-OS 9.1 or earlier releases. |
PAN-142180 | In an SD-WAN Hub-Spoke configuration, suppose Branch A and Branch B each have an MPLS link to the hub and all devices have VPN Data Tunnel Support disabled. For traffic from Branch A to Branch B, if Branch A selects a tunnel to go through the hub and the hub selects the MPLS link to reach Branch B, the traffic will fail because return traffic may go to Branch A directly through MPLS, without going through the hub. (The next packet from Branch A to Branch B is dropped at the hub because the TCP three-way handshake fails.) |
PAN-141738 | The front panel “link” and “activity” LEDs for ports 5, 6, 11, and 12 will not work on the PAN-PA-7000-20GQ-NPC when a 1G module is installed. |
PAN-141623 | On the PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, which support more than eight aggregate Ethernet (AE) interface groups, QoS is supported on only the first eight AE interface groups. |
PAN-137615 | On the Panorama management server, scheduled content updates (Panorama > Device Deployment > Dynamic Updates) for managed VM-Series firewalls configured to Download Only cause commit failures for the VM-Series firewalls. Workaround: Configure scheduled content updates for VM-Series firewalls to Download and Install. |
PAN-130652 | On the Panorama management server, Device Group and Template administrators can only view the system logs (Monitor > Logs > System) for All device groups. |
PAN-126625 | In an SD-WAN configuration, traffic does not flow unencrypted over an MPLS link; it will always be encrypted. When traffic is routed to a virtual SD-WAN interface of VPN tunnel links, if the MPLS link is selected, the firewall sends the traffic over the tunnel. |
PAN-119888 | If you assign a parent device group with one or more child device groups in an access domain (Panorama > Access Domains), the administrator can only view the configuration and system logs for the parent device group and not the child device group(s). Workaround: Enable access to both the parent and required child device group(s). |
PAN-114117 | Configuring the timeout, retries, and ipsec-encryption parameters for communication between the management plane and the dataplane is not supported. |
PAN-107142 | After adding a new virtual system from the CLI, you must log out and log back in to see the new virtual system within the CLI. |
PAN-106675 | After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers. Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports. |
PAN-99845 | After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner: |
PAN-99483 | (Affects only PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription). Workaround: Upgrade to a second-generation SMC-B card. |
PAN-97821 | The commit all job is executed from Panorama to the firewall only if the newly added firewall is running PAN-OS 8.1 or a later release with Auto Push on 1st Connect enabled. |
PAN-92719 | When performing destination NAT to a translated address that is Dynamic IP (with session distribution), the firewall does not remove duplicate IP addresses from the list of destination IP addresses before the firewall distributes sessions. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses. |
PLUG-9370 | (PAN-OS 10.0.8 and later 10.0 releases) When configuring Prisma Access Hub Support for SD-WAN, it is not recommended to bring up the SD-WAN instance using the same IPSec termination node as an existing Prisma Access instance. If possible, use an alternative IPSec termination node. |
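
The PAN-174442 workaround above can be checked across an exported configuration. The following is an added example, not Palo Alto Networks code: it lists every Certificate Profile that blocks on timeout without also blocking on unknown status. The element names (`certificate-profile`, `block-timeout-cert`, `block-unknown-cert`, `use-crl`, `use-ocsp`) and the sample configuration are assumptions; confirm them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration (not taken from the page).
# Element names are assumptions about the export schema; verify them against
# a real export before relying on the result.
SAMPLE_CONFIG = """<config>
  <shared>
    <certificate-profile>
      <entry name="gp-client-certs">
        <use-crl>yes</use-crl>
        <use-ocsp>yes</use-ocsp>
        <block-unknown-cert>no</block-unknown-cert>
        <block-timeout-cert>yes</block-timeout-cert>
      </entry>
      <entry name="admin-ui-certs">
        <use-ocsp>yes</use-ocsp>
        <block-unknown-cert>yes</block-unknown-cert>
        <block-timeout-cert>yes</block-timeout-cert>
      </entry>
      <entry name="legacy-no-blocking">
        <use-crl>yes</use-crl>
      </entry>
    </certificate-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <certificate-profile>
      <entry name="vsys1-syslog">
        <use-crl>yes</use-crl>
        <block-timeout-cert>yes</block-timeout-cert>
      </entry>
    </certificate-profile>
  </entry></vsys></entry></devices>
</config>"""


def _enabled(entry, tag):
    """True when the child element `tag` exists and is set to 'yes'."""
    return (entry.findtext(tag) or "").strip().lower() == "yes"


def find_fail_open_profiles(config_xml):
    """Return (scope, profile) pairs where the timeout block is enabled but
    the unknown-status block is not, the combination PAN-174442 describes."""
    root = ET.fromstring(config_xml)
    # Profiles can live in the shared scope or inside each virtual system.
    scopes = [("shared", root.find("shared"))]
    scopes += [(v.get("name"), v)
               for v in root.findall("./devices/entry/vsys/entry")]
    findings = []
    for scope_name, scope in scopes:
        if scope is None:
            continue
        for entry in scope.findall("./certificate-profile/entry"):
            # An absent element is treated as "not enabled".
            if (_enabled(entry, "block-timeout-cert")
                    and not _enabled(entry, "block-unknown-cert")):
                findings.append((scope_name, entry.get("name")))
    return findings


if __name__ == "__main__":
    for scope, name in find_fail_open_profiles(SAMPLE_CONFIG):
        print(f"{scope}/{name}: timeout block set without unknown-status "
              "block; enable both (PAN-174442 workaround)")
```

Profiles that enable neither block option are not reported, because the limitation concerns only the case where the timeout block is relied on by itself.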