PAN-OS 11.2.0 Known Issues

What is the list of known issues for PAN-OS 11.2.0?
The following list includes only outstanding known issues specific to PAN-OS® 11.2.0. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID.
Issue ID
Description
PAN-254305
DHCP request is not sent when the service route is configured.
PAN-254236
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround: Disable SSL/TLS handshake inspection.
PAN-254108
When upgrading or downgrading a Panorama management server (Panorama > Software), managed device (Panorama > Device Deployment > Software), or standalone firewall (Device > Software), the Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit, the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. vmx-15 is supported on ESXi 6.7 U2 and later. Palo Alto Networks recommends that you upgrade your ESXi version if it is earlier than 6.7 U2. For more information, see the compatibility matrix.
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command show interface all.
Workaround: Unconfigure and configure the Inherited Interface.
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
