Limitations in PAN-OS 11.1
What are the limitations related to PAN-OS 11.1 releases?
The following are limitations associated with PAN-OS 11.1.
Issue ID
Description
PAN-265738
NAT is not configurable when HA clusters are configured. HA clusters do not support NAT.
PAN-259522
PA-7500 Series firewalls in an NGFW cluster do not support the failover of application-level gateway (ALG) sessions.
PAN-248739
When traffic flow is redirected through the IFL/HSCI between NGFW cluster nodes, you might experience packet drops and intermittent failures when establishing new connections if the total bandwidth throughput is over 370G on a 400G HSCI. If you're using a 100G HSCI, packet drops start at anything over 80G.
PAN-246825
ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
PAN-240517
Enter any random username and password (or just press Enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases:
  • A scenario where the portal is running PAN-OS 11.1.3, the satellite is running a version earlier than 11.1.3, and the satellite cookie has expired. In this case, when you attempt to enable the serial number and IP address authentication method without adding the satellite IP address to the IP allow list on the portal, satellite authentication fails. The failure is due to the missing IP address in the IP allow list.
  • A scenario where the portal is running PAN-OS 11.1.3 and the satellite is running a version earlier than 10.2.8. If the satellite cookie expires before you enable the serial number and IP address authentication method on the portal, satellite authentication fails due to satellite cookie expiration.
PAN-222118
When the preferred lifetime of the IPv6 address on the MGT interface expires, existing IPv6 sessions are disconnected. RFC 8415 indicates that existing communications must remain for the duration of the valid lifetime if the preferred lifetime expires (sessions must be active during the time between the preferred lifetime and valid lifetime). However, the NGFW limitation is that sessions are lost when the preferred lifetime expires.
PAN-218067
By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service.
You can prevent the firewall from attempting to fetch the device certificate for the following firewalls:
  • M-300 appliance
  • M-500 appliance
  • PA-400 Series firewalls
  • PA-1400 Series firewalls
  • PA-3400 Series firewalls
  • PA-5400 Series firewalls
  • PA-5450 firewall
  • PA-7500 Series firewalls
To disable the automatic fetch, log in to the firewall CLI or Panorama CLI and enter the following command:
admin> request certificate auto-fetch disable