PAN-OS 10.2.11 Known Issues
PAN-OS® 10.2.11 known issues.
The following list includes only outstanding known issues specific to PAN-OS®
10.2.11. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series
plugins, and WildFire®, as well as known issues that apply more generally or that are
not identified by an issue ID.
Issue ID | Description |
---|---|
WF500-5854 | The WildFire analysis report on the firewall log viewer (Monitoring > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD-5, and File Size. Workaround: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View. |
WF500-5843 | In a WildFire appliance cluster, issuing the
show cluster-all peers CLI command when a
node within the cluster is being rebooted generates the following
error: Server error : An error
occured. |
WF500-5840 | The sample analysis statistics that are returned when
issuing the show wildfire local statistics
CLI command in WildFire appliance cluster deployments may not
accurately reflect the number of samples that have been
processed. |
WF500-5823 | The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from analyzing a
sample. |
WF500-5781 | The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot be
renewed. |
WF500-5754 | In WildFire appliance clusters, issuing the
show cluster controller CLI command
generates an error when an IPv6 address is configured for the
management interface but not for the cluster
interface. Workaround: Ensure all WildFire
appliance interfaces that are enabled use matching protocols (all
IPv4 or all IPv6). |
WF500-5632 | The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances. |
PAN-265336 (This issue is now resolved. See PAN-OS 10.2.11-h2 Addressed Issues.) | Copper ports flap when generating a technical support file, executing telemetry, or retrieving port status using a Management Data Input/Output (MDIO) read. |
PAN-264680 (This issue is now resolved. See PAN-OS 10.2.11-h3 Addressed Issues.) | (PA-220 firewalls only) Device > Setup is not displayed when the Enterprise Data Loss Prevention (E-DLP) plugin is installed. Workaround: Uninstall the Enterprise DLP plugin. |
PAN-264580 | (PA-3400 Series firewalls only) Upgrading to PAN-OS 10.2.11 results in the following error: Target image validation failed with error invalid literal for int() with base 10. |
PAN-263226 | When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail. Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command. |
PAN-262287 (This issue is now resolved. See PAN-OS 10.2.11-h4 Addressed Issues.) | A NULL pointer dereference might cause pan_task processes to crash. |
PAN-260851 | From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application (Objects > Applications) tag. |
PAN-259769 | GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE. |
PAN-257957 (This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues. Affects 10.2.11-h1 and later 10.2 releases.) | If you enable FIPS-CC mode and use the PAP or CHAP authentication methods for your RADIUS server, the authd process may restart unexpectedly. To avoid this issue, use one of the following workarounds: |
PAN-257601 (Fixed in PAN-OS 10.2.11. Affects 10.2.11-h2 and later 10.2 releases.) | (PA-5450 firewalls only) Networking cards can experience an internal link fault, causing path monitoring failure on the Dataplane Processing Card (DPC). |
PAN-234015 | The X-Forwarded-For (XFF) value is not displayed in Traffic logs. |
PAN-223365 | The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded. Workaround: Log in to the Log Collector CLI and restart ElasticSearch. |
PAN-229865 | Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5. Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5. |
PAN-226361 (This issue is now resolved. See PAN-OS 10.2.11-h4 Addressed Issues.) | Sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full. |
PAN-223677 | (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls) By enabling the Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected. |
PAN-222586 | On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured. |
PAN-221775 | A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&). |
PAN-213746 | On the Panorama management server, the Hostkey is displayed as "undefined undefined" if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack. |
PAN-213119 | PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP): show -> dis-block-table is unexpected |
PAN-212889 | On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying "no data to display" when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters. |
PAN-212533 | Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator. |
PAN-211531 | On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles). |
PAN-209288 | Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP). |
PAN-208622 | A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security). |
PAN-204689 | Upon upgrade to PAN-OS 10.2.4, the following
GlobalProtect settings do not work:
|
PAN-196758 | On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections). |
PAN-196504 | License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3). |
PAN-194996 | When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a
remote network deployment fails (the OK button is grayed
out). Workaround: Retry the operation. |
PAN-194519 | (PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error. |
PAN-194515 | (PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address. Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama. |
PAN-194424 | (PA-5450 firewall only) Upgrading to PAN-OS
10.2.2 while having a log interface configured can cause both the
log interface and the management interface to remain connected to
the log collector. Workaround: Restart the log receiver
service by running the following CLI command:
|
PAN-194202 | (PA-5450 firewall only) If the management
interface and logging interface are configured on the same
subnetwork, the firewall conducts log forwarding using the
management interface instead of the logging interface. |
PAN-190727 | (PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator's Guide. |
PAN-189111 | After you delete an MP pod and it comes back up, the show routing command output appears empty and traffic stops working. |
PAN-189076 | On a firewall with Advanced Routing enabled, OSPFv3
peers using a broadcast link and a designated router (DR) priority
of 0 (zero) are stuck in a two-way state after HA
failover. Workaround: Configure at least one OSPFv3
neighbor with a non-zero priority setting in the same broadcast
domain. |
PAN-188358 | After triggering a soft reboot on an M-700 appliance,
the Management port LEDs do not light up when a 10G Ethernet cable
is plugged in. |
PAN-187685 | On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama. Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices. |
PAN-187643 | If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile. Workaround: Log out of the firewall and log in again to make the SCTP INIT option available on the web interface. |
PAN-187612 | On the Panorama management server, not all data profiles (Objects > DLP > Data Filtering Profiles) are displayed after you: Workaround: Log in to the Panorama CLI and reset the DLP plugin. admin > request plugins dlp reset |
PAN-187407 | The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under the
following condition: If the firewall is set to Hold
client request for category lookup and the action
set to Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be
bypassed. |
PAN-187370 | On a firewall with Advanced Routing enabled, if there
is also a logical router instance that uses the default
configuration and has no interfaces assigned to it, this will result
in terminating the management daemon and main routing daemon in the
firewall during commit. Workaround: Do not use a
logical router instance with no interfaces bound to it. |
PAN-186283 | Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS. Workaround: Use Commit > Push to Devices to synchronize the templates. |
PAN-186282 | On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic address
groups. Workaround: Reboot the Panorama HA
pair. |
PAN-184406 | Using the CLI to add a RAID disk pair to an M-700
appliance causes the dmdb process to crash. Workaround:
Contact customer support to stop the dmdb process before adding a
RAID disk pair to an M-700 appliance. |
PAN-183404 | Static IP addresses are not recognized when "and"
operators are used with IP CIDR range. |
PAN-181933 | If you use multiple log forwarding cards (LFCs) on the
PA-7000 Series, all of the cards may not receive all of the updates
and the mappings for the clients may become out of sync, which
causes the firewall to not correctly populate the Source User column
in the session logs. |
PAN-181823 | On a PA-5400 Series firewall (minus the PA-5450),
setting the peer port to forced 10M or 100M speed causes any
multi-gigabit RJ-45 ports on the firewall to go down if they are set
to Auto. |
PAN-180661 | On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed. |
PAN-180104 | When upgrading a CN-Series as a DaemonSet
deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or
10.1. Workaround: Reboot the worker nodes before
upgrading to PAN-OS 10.2. |
PAN-178194 | A user interface issue in PAN-OS renders the contents
of the Inline ML tab in the URL
Filtering Profile inaccessible on firewalls licensed
for Advanced URL Filtering. Additionally, a message indicating that
a License required for URL filtering to
function is unavailable displays at the bottom of
the UI. These errors do not affect the operation of Advanced URL
Filtering or URL Filtering inline ML. Workaround:
Configuration settings for URL Filtering inline ML must be applied
through the CLI. The following configuration commands are
available:
|
PAN-177455 | PAN-OS 10.2.0 is not supported on PA-7000 Series
firewalls with HA (high availability) clustering enabled and using
an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the
firewall causes the PA-7000 100G NPC to go offline. As a result, the
firewall fails to boot normally and enters maintenance mode. HA
pairs of Active-Passive and Active-Active firewalls are not
affected. |
PAN-175915 | When the firewall is deployed on N3 and N11 interfaces
in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the
Mobile Network Protection Profile, the Traffic logs do not display
network slice SST and SD values. |
PAN-174982 | In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync. |
PAN-172274 | When you activate the Advanced URL Filtering license, your license entitlements for PAN-DB and Advanced URL Filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services. Workaround: Issue the following command to retrieve and update the licenses: license request fetch. |
PAN-171938 | No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter). |