PAN-OS 10.2.10 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
PAN-OS 10.2.10 Known Issues
PAN-OSĀ® 10.2.10 known issues.
The following list includes only outstanding known issues
specific to PAN-OSĀ® 10.2.10. This list includes issues
specific to Panoramaā¢, GlobalProtectā¢, VM-Series plugins, and WildFireĀ®,
as well as known issues that apply more generally or that are not
identified by an issue ID.
Issue ID | Description |
---|---|
WF500-5854 | The WildFire analysis report on the firewall
log viewer (MonitoringWildFire Submissions)
does not display the following data fields: File Type, SHA-256,
MD-5, and File Size". Workaround: Download and open
the WildFire analysis report in the PDF format using the link in
the upper right-hand corner of the Detailed Log View. |
WF500-5843 | In a WildFire appliance cluster, issuing
the show cluster-all peers CLI command when
a node within the cluster is being rebooted generates the following
error: Server error : An error occured. |
WF500-5840 | The sample analysis statistics that are
returned when issuing the show wildfire local statistics CLI
command in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed. |
WF500-5823 | The following WildFire appliance CLI command
does not return a signature generation status as expected: show wildfire global signature-status.
This does not corrupt or otherwise prevent the WildFire appliance
from analyzing a sample. |
WF500-5781 | The WildFire appliance might erroneously
generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed. |
WF500-5754 | In WildFire appliance clusters, issuing
the show cluster controller CLI command generates
an error when an IPv6 address is configured for the management interface
but not for the cluster interface. Workaround: Ensure
all WildFire appliance interfaces that are enabled use matching
protocols (all IPv4 or all IPv6). |
WF500-5632 | The number of registered WildFire appliances
reported in Panorama (PanoramaManaged WildFire AppliancesFirewalls ConnectedView) does not accurately reflect the
current status of connected WildFire appliances. |
PAN-263226 (PAN-OS 10.2.10-h2 and 10.2.10-h3 only) |
When SSL decryption is enabled and Client Hello messages span
multiple TCP segments, elements from the proxy_l2info memory pool
may not be freed properly. Memory leaks in this pool cause some SSL
decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the
debug dataplane set ssl-decrypt
accumulate-client-hello disable yes CLI command.
|
PAN-262287
This issue is now resolved. See PAN-OS 10.2.10-h4 Addressed Issues.
|
Dereferencing a NULL pointer that occurs might cause
pan_task processes to crash.
|
PAN-260851
|
From the NGFW or Panorama CLI, you can override the existing
application tag even if Disable Override is enabled for the
application (ObjectsApplications) tag.
|
PAN-259997
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues.
|
On PA-3410, PA-3420, and PA-3430 firewalls, the install fails when
upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS
10.2.10 due the number of configured vsys zones exceeding the zone
limit in PAN-OS 10.2.10.
Workaround: Before installing PAN-OS 10.2.10, reduce the
number of security zones to 40 zones or fewer for PA-3410 and
PA-3420 firewalls, and to 100 zones or fewer for PA-3430
firewalls.
|
PAN-259769 |
GlobalProtect portal is not accessible via a web browser and the app
displays the error
ERR_EMPTY_RESPONSE.
|
PAN-259733
This issue is now resolved. See PAN-OS 10.2.10-h2 Addressed Issues.
|
Custom reports created in PAN-OS are not deleted as expected,
resulting in high memory use by the reportd process.
This can lead to issues, such as out-of-memory conditions, content
installation failures, and unexpected firewall reboots.
|
PAN-259344
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues.
|
Performing a configuration commit on a firewall, either locally or
from Panorama, causes a memory leak by the configd
process and results in an out-of-memory (OOM) condition.
|
PAN-257957
This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues.Affects 10.2.10-h3 and
later 10.2 releases.
|
If you enable FIPS-CC mode and use the PAP or CHAP authentication
methods for your RADIUS server, the authd process may restart
unexpectedly. To avoid this issue, use one of the following
workarounds:
|
PAN-234015
|
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
|
PAN-226361
This issue is now resolved. See PAN-OS 10.2.10-h7 Addressed Issues.
|
Sessions might end unexpectedly with the error
resources-unavailable when the
firewall incorrectly interprets the Content and Threat Detection
(CTD) global packet queue as being full.
|
PAN-223365
|
The Panorama management server is unable to query any logs if the
ElasticSearch health status for any Log Collector (PanoramaManaged Collector is degraded.
Workaround:
Log in to the Log Collector
CLI and restart ElasticSearch.
|
PAN-229865
|
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when
the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
|
PAN-223677
|
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and
PA-5430 firewalls) By enabling Lockless QoS feature, a
slight degradation in App-ID and Threat performance is expected.
|
PAN-222586
|
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown
menus, Forward Methods, and Built-In Actions for Correlation Log
settings (DeviceLog Settings) are not displayed and cannot be configured.
|
PAN-221775
|
A Malformed Request error is displayed
when you Test Connection for an email server
profile (DeviceServer ProfilesEmail) using SMTP over TLS and the
Password includes an ampersand
(&).
|
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.
|
The following Security policy rule (PoliciesSecurity) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
|
PAN-213746 | On the Panorama management server, the Hostkey displayed
as undefined undefined if you override
an SSH Service Profile (DeviceCertificate ManagementSSH Service
Profile) Hostkey configured in a Template
from the Template Stack. |
PAN-213119
|
PA-5410 and PA-5420 firewalls display the following error when you
view the Block IP list (MonitorBlock IP):
show -> dis-block-table is
unexpected
|
PAN-212889 | On the Panorama management server, different
threat names are used when querying the same threat in the Threat Monitor (MonitorApp ScopeThreat Monitor) and ACC.
This results in the ACC displaying no data to display when you
are redirected to the ACC after clicking a threat name in the Threat
Monitor and filtering the same threat name in the Global Filters. |
PAN-212533 | Modifying the Administrator Type for
an existing administrator (DeviceAdministrators or PanoramaAdministrators) from Superuser to
a Role-Based custom admin, or vice versa,
does not modify the access privileges of the administrator. |
PAN-211531 | On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (PanoramaAdmin Roles). |
PAN-209288
|
Certificates are not successfully generated using SCEP (DeviceCertificate ManagementSCEP).
|
PAN-208622 | A file upload to Box.com exceeding 6 files
gets stuck and fails to upload if you specify an Enterprise DLP
data filtering profile (ObjectsDLPData Filtering Profiles with
the Action set to Block to a Security
policy rule (PoliciesSecurity). |
PAN-204689 | Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
|
PAN-196758 | On the Panorama management server, pushing
a configuration change to firewalls leveraging SD-WAN erroneously
show the auto-provisioned BGP configurations for SD-WAN as being
edited or deleted despite no edits or deletions being made when
you Preview Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections). |
PAN-196504 | License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3). |
PAN-194996 | When using a 10.2.2 Panorama to manage a
Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth
for a remote network deployment fails (the OK button is grayed out). Workaround:
Retry the operation. |
PAN-194519 | (PA-5450 firewall only) Trying
to configure a custom payload format under DeviceServer ProfilesHTTP yields
a Javascript error. |
PAN-194515 | (PA-5450 firewall only) The Panorama
web interface does not display any predefined template stack variables
in the dropdown menu under DeviceSetupLog InterfaceIP Address. Workaround: Configure
the log interface IP address on the individual firewall web interface
instead of on Panorama. |
PAN-194424 | (PA-5450 firewall only) Upgrading
to PAN-OS 10.2.2 while having a log interface configured can cause
both the log interface and the management interface to remain connected
to the log collector. Workaround: Restart the log receiver service
by running the following CLI command:
|
PAN-194202 | (PA-5450 firewall only) If the
management interface and logging interface are configured on the
same subnetwork, the firewall conducts log forwarding using the management
interface instead of the logging interface. |
PAN-190727 | (PA-5450 firewall only) Documentation
for configuring the log interface is unavailable on the web interface and
in the PAN-OS Administratorās Guide. |
PAN-189111 | After deleting an MP pod and it comes up,
the show routing command output appears
empty and traffic stops working. |
PAN-189076 | On a firewall with Advanced Routing enabled,
OSPFv3 peers using a broadcast link and a designated router (DR) priority
of 0 (zero) are stuck in a two-way state after HA failover. Workaround: Configure
at least one OSPFv3 neighbor with a non-zero priority setting in
the same broadcast domain. |
PAN-188358 | After triggering a soft reboot on a M-700
appliance, the Management port LEDs do not light up when a 10G Ethernet cable
is plugged in. |
PAN-187685 | On the Panorama management server, the Template Status
displays no synchronization status (PanoramaManaged DevicesSummary)
after a bootstrapped firewall is successfully added to Panorama. Workaround: After
the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and
select CommitPush
to Devices. |
PAN-187643 | If you enable SCTP security using a Panorama
template when SCTP INIT Flood Protection is enabled
in the Zone Protection profile using Panorama and you commit all
changes, the commit is successful but the SCTP INIT option
is not available in the Zone Protection profile. Workaround: Log
out of the firewall and log in again to make the SCIT
INIT option available on the web interface. |
PAN-187612 | On the Panorama management server, not all
data profiles (ObjectsDLP
Data Filtering Profiles) are displayed
after you:
Workaround: Log
in to the Panorama CLI and reset the DLP plugin. admin > request plugins dlp reset |
PAN-187407 | The configured Advanced Threat Prevention
inline cloud analysis action for a given model might not be honored
under the following condition: If the firewall is set to Hold
client request for category lookup and the action set
to Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be bypassed. |
PAN-187370 | On a firewall with Advanced Routing enabled,
if there is also a logical router instance that uses the default
configuration and has no interfaces assigned to it, this will result
in terminating the management daemon and main routing daemon in
the firewall during commit. Workaround: Do not use
a logical router instance with no interfaces bound to it. |
PAN-186283 | Templates appear out-of-sync on Panorama
after successfully deploying the CFT stack using the Panorama plugin for
AWS. Workaround: Use CommitPush to Devices to synchronize
the templates. |
PAN-186282 | On HA deployments on AWS and Azure, Panorama
fails to populate match criteria automatically when adding dynamic address
groups. Workaround: Reboot the Panorama HA pair. |
PAN-184406 | Using the CLI to add a RAID disk pair to
an M-700 appliance causes the dmdb process to crash. Workaround: Contact
customer support to stop the dmdb process before adding a RAID disk
pair to a M-700 appliance. |
PAN-183404 | Static IP addresses are not recognized when
"and" operators are used with IP CIDR range. |
PAN-181933 | If you use multiple log forwarding cards
(LFCs) on the PA-7000 series, all of the cards may not receive all
of the updates and the mappings for the clients may become out of sync,
which causes the firewall to not correctly populate the Source User
column in the session logs. |
PAN-181823 | On a PA-5400 Series firewall (minus the
PA-5450), setting the peer port to forced 10M or 100M speed causes
any multi-gigabit RJ-45 ports on the firewall to go down if they
are set to Auto. |
PAN-180661 | On the Panorama management server, pushing
an unsupported Minimum Password Complexity (DeviceSetupManagement)
to a managed firewall erroneously displays commit time out as
the reason the commit failed. |
PAN-180104 | When upgrading a CN-Series
as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect
to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series
as a DaemonSet deployment running PAN-OS 10.0 or 10.1. Workaround:
Reboot the worker nodes before upgrading to PAN-OS 10.2. |
PAN-178194 | A user interface issue in PAN-OS renders
the contents of the Inline ML tab in the URL
Filtering Profile inaccessible on firewalls licensed
for Advanced URL Filtering. Additionally, a message indicating that
a License required for URL filtering to function is
unavailable displays at the bottom of the UI. These errors do not
affect the operation of Advanced URL Filtering or URL Filtering
Inline ML. Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following configuration
commands are available:
|
PAN-177455 | PAN-OS 10.2.0 is not supported on PA-7000
Series firewalls with HA (High Availability) clustering enabled
and using an HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline. As a
result, the firewall fails to boot normally and enters maintenance
mode. HA Pairs of Active-Passive and Active-Active firewalls are
not affected. |
PAN-175915 | When the firewall is deployed on N3 and
N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is
enabled in the Mobile Network Protection Profile, the traffic logs
do not display network slice SST and SD values. |
PAN-174982 | In HA active/active configurations where,
when interfaces that were associated with a virtual router were
deleted, the configuration change did not sync. |
PAN-172274 | When you activate the advanced URL filtering
license, your license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall ā this is a display
anomaly, not a licensing issue, and does not affect access to the
services. Workaround: Issue the following command to
retrieve and update the licenses: license request fetch. |
PAN-171938 | No results are displayed when you Show Application
Filter for a Security policy rule (PoliciesSecurityApplicationValueShow Application Filter). |