PAN-OS 11.2.3 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
PAN-OS 11.2.3 Known Issues
PAN-OSĀ® 11.2.3 known issues.
The following list includes only outstanding known issues specific to PAN-OSĀ® 11.2.3.
This list includes issues specific to Panoramaā¢, GlobalProtectā¢, VM-Series plugins, and
WildFireĀ®, as well as known issues that apply more generally or that are not identified
by an issue ID.
Issue ID | Description |
---|---|
PAN-260851
|
From the NGFW or Panorama CLI, you can override the existing
application tag even if Disable Override is enabled for the
application (ObjectsApplications) tag.
|
PAN-260212
|
When viewing Applications (ObjectsApplications), child App-IDs may be listed under the incorrect
container App-ID.
|
PAN-259853
|
When the DHCP server is enabled for GlobalProtect, the commit error
message is not properly displayed when Any is
selected as the source interface in the service router configuration
( DeviceSetupServiceService Router Configuration).
|
PAN-259423
|
When the GlobalProtect DHCP feature is enabled with two primary DHCP
servers on the GlobalProtect gateway, the gpsvc gets stuck during
renewal and after HA failover.
|
PAN-254236
|
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and
Edge browsers results in dropped Client Hello packets when SSL/TLS
handshake inspection is enabled.
Workaround: Disable SSL/TLS handshake
inspection.
|
PAN-254108
|
when upgrading or downgrading a Panorama management server (PanoramaSoftware), managed device (PanoramaDevice DeploymentSoftware), or standalone firewall (DeviceSoftware), Base Releases and
Preferred Releases settings are checked
(enabled) by default and cause no PAN-OS software images to
display.
Workaround: Uncheck (disable) Base
Releases or Preferred
Releases to display either the available base PAN-OS
or preferred PAN-OS releases available to download and install.
|
PAN-253963
|
The auto commit job may take longer than expected to complete when
the Panorama management server is in Panorama or Log Collector
mode.
|
PAN-252661
|
If you change the service route of gp-ip-mgmt in Device > Setup >
Services > Service Features > gp-ip-mgmt and Commit,
the change wonāt take effect. gp-ip-mgmt continues to use the last
committed service route.
Workaround: After you change the service route interface for
gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway,
click OK to save the configuration, and Commit the
changes. This commit will include the service route change.
|
PAN-251639
|
When a Wildfire Analysis security profile is enabled, an out of
memory condition might occur due to a memory leak in the
varrcvr process.
|
PAN-250246
|
Panorama and the firewall display inconsistent IP addresses for
device group members after manually syncing.
|
PAN-250062
|
Device telemetry might fail at configured intervals due to bundle generation issues.
|
PAN-248836
|
The Advanced DNS Security trial license and trial license information
cannot be activated and viewed, respectively, on a managed firewall
(with expired or active status) from Panorama. These tasks can only
be performed on the firewall.
|
PAN-247728
|
When Advanced Routing is enabled, IP multicast is not supported. An
upcoming version will provide support for this feature. Customers
who have multicast configured or who plan to deploy multicast
routing should not upgrade to 11.2.0. Additionally, when Advanced
Routing is enabled, the BGP dampening configuration isn't applied to
any peers or peer group; the configuration is preserved but has no
effect on BGP. Customers can use BGP even if they have applied a
Dampening profile to a specific set of peers. The issue doesn't
affect any other BGP features.
|
PAN-241994
|
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi
and NSX-T. Support for vmx-15 is supported on ESXi 6.7 U2 and
onwards. Palo Alto Networks recommends that you upgrade your ESXi
version if it is less than 6.7 U2. For more information, see the
compatibility matrix.
|
PAN-239612
|
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is
enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay
agent doesn't work.
|
PAN-236649
|
If you change the configuration of a firewall acting as a PPPoEv4 or
PPPoEv6 client, old routes from the Forwarding Information Base
(FIB) and route table for an inherited configuration with
dynamic-identifier or client remain visible. Old routes also remain
visible for an inherited interface when you execute the CLI command,
show interface all.
Workaround: Unconfigure and configure the Inherited
Interface.
|
PAN-234015
|
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
|
PAN-207442
|
For M-700 appliances in an active/passive high availability (PanoramaHigh Availability) configuration, the
active-primary HA peer
configuration sync to the
secondary-passive HA peer may fail.
When the config sync fails, the job Results is
Successful
(Tasks), however the sync status on the
Dashboard displays as Out
of Sync for both HA peers.
Workaround: Perform a local commit on the
active-primary HA peer and then
synchronize the HA configuration.
|
PAN-206909
|
The Dedicated Log Collector is unable to reconnect to the Panorama
management server if the configd
process crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector connection
Status (PanoramaManaged Collector) displaying connected
and the managed colletor Health status
displaying as healthy.
This results in the local Panorama config and system logs not being
forwarded to the Dedicated Log Collector. Firewall log forwarding to
the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr
process on the Dedicated Log Collector.
|
PAN-197588
|
The PAN-OS ACC (Application Command Center) does not display a widget
detailing statistics and data associated with vulnerability exploits
that have been detected using inline cloud analysis.
|
PAN-197419
|
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, the power over Ethernet (PoE) ports do not display a
Tag value.
|
PAN-196758
|
On the Panorama management server, pushing a configuration change to
firewalls leveraging SD-WAN erroneously show the auto-provisioned
BGP configurations for SD-WAN as being edited or deleted despite no
edits or deletions being made when you Preview
Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).
|
PAN-195968
|
(PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port, the CLI
prints an error depending on whether an interface type was selected
on the non-PoE port or not. If an interface type, such as tap, Layer
2, or virtual wire, was selected before PoE was configured, the
error message will not include the interface name (eg. ethernet1/4).
If an interface type was not selected before PoE was configured, the
error message will include the interface name.
|
PAN-187685
|
On the Panorama management server, the Template Status displays no
synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added
to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web
interface and select CommitPush to Devices.
|
PAN-187407
|
The configured Advanced Threat Prevention inline cloud analysis
action for a given model might not be honored under the following
condition: If the firewall is set to Hold client request
for category lookup and the action set to
Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be
bypassed.
|
PAN-184406
|
Using the CLI to add a RAID disk pair to an M-700 appliance causes
the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process
before adding a RAID disk pair to a M-700 appliance.
|
PAN-183404
|
Static IP addresses are not recognized when "and" operators are used
with IP CIDR range.
|
PAN-181933
|
If you use multiple log forwarding cards (LFCs) on the PA-7000
series, all of the cards may not receive all of the updates and the
mappings for the clients may become out of sync, which causes the
firewall to not correctly populate the Source User column in the
session logs.
|