The following table details the changes
in default behavior upon upgrade to PAN-OS® 10.2. You may also want
to review the Upgrade/Downgrade Considerations before upgrading
to this release.
Feature
Change
Managed Device Traffic to Panorama
PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate
and handshake messages between Panorama, managed firewalls, and
Dedicated Log Collectors. As a result, the App-ID traffic between
Panorama, managed firewalls, and Dedicated Log Collectors is
reclassified from
panorama
to
ssl
.
As a result, a Security policy rule is required to allow the
ssl
application. This allows
Panorama, managed firewalls, and Dedicated Log Collectors to
continue communication after successful upgrade to PAN-OS 10.2.
Administrator Login
Usernames that contain all numbers are no longer
valid. For example, the username
12345678
does
not work.
Usernames that include at least one alphabetical
or legal symbol character are valid, such as
1234_567
,
1234a789_
,
and
c7897432
.
Masterd Rename
With PAN-OS 10.2 all instances of masterd
in the CLI were replaced with MD.
Panorama Management of Multi-Vsys Firewalls
For multi-vsys firewalls managed
by a Panorama managed server, configuration objects in the Shared
device group are now pushed to a Panorama Shared configuration context
for all virtual systems rather than duplicating the shared configuration
to each virtual system to reduce the operational burden of scaling
configurations for multi-vsys firewalls.
As a result, you must delete or rename any locally configured
firewall
Shared
object that has an identical
name to an object in the
Panorama Shared
configuration. Otherwise, configuration pushes from Panorama fail
after the upgrade and display the error
<object-name> is already in
use
.
The following configurations
cannot be added to the Shared Panorama location and are replicated to
the Panorama location of each vsys of a multi-vsys firewall.
Pre and Post Rules
External Dynamic Lists (EDL)
Security Profile Groups
HIP objects and profiles
Custom objects
Decryption profiles
SD-WAN Link Management Profiles
Palo Alto Networks recommends that if a multi-vsys firewall is
managed by Panorama, then all vsys configurations should be managed
by Panorama.
This helps avoid commit failures on the
managed multi-vsys firewall and allows you to take advantage of
optimized shared object
pushes from Panorama.
Certificates
On upgrade to PAN-OS 10.2, it is required that
all certificates meet the following minimum requirements:
RSA 2048 bits or greater, or ECDSA 256
bits or greater
With Advanced Routing enabled, by default connected
peers prefer a link-local next-hop address over a global next-hop
address.
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD
session establishment for iBGP peers is changed. Any iBGP peers
over a loopback address are not considered to be directly connected
and therefore should enable the multihop option in the BFD profile
and specify Minimum Rx TTL accordingly.
Auto Web Interface Refresh for XML API
PAN-OS 10.2.5 and later releases
When making successful XML API calls on a firewall, the
web interface will refresh after an interval of 10 seconds.
Selective Push for Prisma Access (Panorama
Managed)
