Focus

Limitations in PAN-OS 11.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Limitations

Associated Content and Software Versions

Limitations in PAN-OS 11.1

What are the limitations related to PAN-OS 11.1 releases?

The following are limitations associated with PAN-OS 11.1.

Issue ID	Description
PAN-265738	NAT is not configurable when HA clusters are configured. HA clusters do not support NAT.
PAN-259522	PA-7500 Series firewalls in an NGFW cluster do not support the failover of application-level gateway (ALG) sessions.
PAN-248739	In cases where traffic flow is redirected through the IFL/HSCI between NGFW cluster nodes, you might experience packet drops and intermittent failures with the establishment of new connections if the total bandwidth throughput is over 370G if you're using 400G HSCI. If you're using100G HSCI, anything over 80G will start seeing packet drops.
PAN-246825	ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
PAN-240517	Enter any random username and password (or just press enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases: A scenario where the portal is running PAN-OS 11.1.3 and the satellite is running version earlier to 11.1.3, and the satellite cookie has expired. In this case, when you attempt to enable the serial number and IP address authentication method without adding the satellite IP address in the IP allow list on the portal, satellite authentication fails. The failure is due to a missing IP address in the IP allow list. A scenario where the portal is running PAN-OS 11.1.3 and the satellite is running version earlier to 10.2.8, if the satellite cookie expires before enabling the serial number and IP address authentication method on the portal, satellite authentication will fail due to satellite cookie expiration.
PAN-222118	When the preferred lifetime of the IPv6 address on the MGT interface expires, existing IPv6 sessions are disconnected. RFC 8415 indicates that existing communications must remain for the duration of the valid lifetime if the preferred lifetime expires (sessions must be active during the time between the preferred lifetime and valid lifetime). However, the NGFW limitation is that sessions are lost when the preferred lifetime expires.
PAN-218067	By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service. You can prevent the firewall from attempting to fetch the device certificate for the following firewalls: M-300 appliance M-500 appliance PA-400 Series firewalls PA-1400 Series firewalls PA-3400 Series firewalls PA-5400 Series firewalls PA-5450 firewall PA-7500 Series firewalls To disable, log in to the firewall CLI or Panorama CLI and enter the following command: admin> request certificate auto-fetch disable

Limitations

Associated Content and Software Versions

Next-Generation Firewall Docs

Limitations in PAN-OS 11.1

Next-Generation Firewall Docs

Limitations in PAN-OS 11.1

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner