PAN-OS 11.2.4 Known Issues
PAN-OS® 11.2.4 known issues.
The following list includes only outstanding known issues specific to PAN-OS® 11.2.4. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID.
Issue ID
Description
PAN-292202
The system logs repeatedly displayed the alert `Clearing snmpd.log due to log overflow` due to the SNMP counters rolling over. This is a benign message and does not impact device functionality.
PAN-290088
When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.
PAN-286848
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
ECMP incorrectly balances sessions across links based on the configured metric, which leads to an imbalance in traffic distribution and results in traffic assignment shifting disproportionately to routes with lower metrics.
PAN-286306
This issue is now resolved. See PAN-OS 11.2.4-h10 Addressed Issues
When getting transceiver information from ESCC for SFP 25G modules, the transceiver code incorrectly displays Unknown instead of 25GBase-SR.
PAN-286255
This issue affects PAN-OS 11.2.4-h6
This issue is now resolved. See PAN-OS 11.2.4-h7 Addressed Issues.
When a firewall receives an unexpected termination request for certain SSL sessions, NGFW dataplane might experience a slow buffer resource leak.
Workaround: Disable accumulation proxy on the NGFW.
PAN-286231
When performing a partial Commit and Push on Panorama, there is a risk that unintended configuration changes might be pushed to a firewall.
This issue is more likely to occur in the following scenarios:
  • When you run Commit and Push operations as a single action.
  • When you trigger multiple parallel commit-all jobs at the same time.
  • Device groups and templates have different configuration synchronization versions.
Workaround: Perform one of the following steps:
  • Perform commit and push as two separate, sequential steps.
  • Perform a full push instead of selective push.
PAN-285894
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
If the Preserve Pre-NAT feature is enabled, dataplane crashes may occur, which could result in firewall reboots.
Workaround: Disable the Preserve Pre-NAT feature using the `set deviceconfig setting preserve-prenat-feature no` CLI command.
PAN-285590
VM-Series firewalls deployed behind an AWS GWLB might experience 100% dataplane CPU utilization when an Anti-Spyware profile is applied to traffic.
PAN-283467
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
(PA-3400 Series firewalls only) The firewall might unexpectedly reboot and enter maintenance mode due to a ctd-agent out-of-memory (OOM) condition when undergoing advanced services load testing with a high volume of IoT EAL log forwarding.
Workaround: Limit the number of EAL logs generated by the firewall using the following CLI command: `debug iot eal key-value EAL_PENDING_BYTES=1000`.
PAN-282236
(PAN-OS 11.2.4-h5 only)
The firewall doesn't reassemble IPv6 packets correctly after they are fragmented. IPv6 SSL sessions may not be established if the client hello arrives in multiple segments.
PAN-281885
When exporting and importing the CSV file, the hash values of pre-shared key (PSK) variables set at template and template stack levels inconsistently change, resulting in both variables displaying the same hash value.
PAN-280471
When applying filters or searching for logs in the Panorama > Monitor > Logs section, you might experience slow performance.
PAN-279746 (PAN-OS 11.2.4-h1 through PAN-OS 11.2.4-h5)
An SSL/TLS Client Hello may not be transmitted out of the firewall if the Client Hello arrives in multiple TCP segments and the traffic is not subject to SSL decryption (for example, SMTP over SSL).
PAN-279621
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
Early aging and removal of firewall sessions while they are still active can lead to intermittent instabilities and crashes for proxy traffic, the Content and Threat detection engine, and any data-path processing.
PAN-279604
(PAN-OS 11.2.4-h4 only)
The scheduled SaaS application usage reports are incorrectly generated and only the login page appears instead of the intended report content.
PAN-279415
Service routes configured for a data plane interface might incorrectly route traffic through the management plane interface instead. This issue impacts Syslog and CRL status traffic when the service route lacks a specific destination custom service route.
PAN-278322
VM-Series firewalls deployed behind an AWS GWLB might display an incorrect or empty Source User field in traffic logs and session details.
PAN-276920
URL filtering response pages may load slowly or fail to display when users request websites that are blocked in the URL Filtering profile (site access for the corresponding URL category is block, continue, or override) attached to the matching Security policy rule. This occurs on an intermittent basis.
PAN-275905
(PAN-OS 11.2.4-h4 only)
A high volume of incoming logs to a Collector Group can significantly increase CPU usage on the Elasticsearch and Management Server, potentially causing process instability or crashes.
PAN-275601
This issue is now resolved. See PAN-OS 11.2.8 Addressed Issues
When Panorama is not internet-connected and you try to upload images to the managed firewalls by using the Validate option, the upload fails with the following error: `Failed to create multi-upload job. No valid software deploy targets found.`
PAN-273300
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
When upgrading Panorama from PAN-OS 10.2 or PAN-OS 11.0 to PAN-OS 11.1 or a later release, Panorama fails to upgrade if it is operating within a Collector Group. The following error appears: `Error: Traceback (most recent call last): File "/opt/panrepo/releases/<PANOS release version>/validate"... (min ([dts['min'] for dts in 10g_type_intv_dir.values() if dts|'min']])-strftime ('%Y-%m-%d'),`
PAN-275077
DNS Security intermittently logs malicious domain URLs as alert instead of taking a sinkhole action, even when configured to sinkhole malicious DNS domains.
PAN-275047
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
(VM-Series firewalls only) After an upgrade, the firewall is unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displays as failed when attempting to forward logs through the web proxy.
PAN-274314
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
(PA-1400 Series firewalls, PA-3400 Series firewalls, and PA-5400 Series firewalls only) When the pan_task process restarts, control plane packets are dropped, which can impact LACP and pings to host interfaces.
PAN-274146
VM-Series firewalls deployed behind an AWS GWLB might crash and reboot unexpectedly if tunnel sessions are moving through the firewall.
PAN-272085
(PAN-OS 11.2.4-h4 only)
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
When DoH is enabled for DNS Security, multiple DoH transactions in a single HTTP/1 connection might unexpectedly cause the firewall to crash and reboot.
Workaround: Manually disable DoH support for DNS Security using the `set deviceconfig setting dns-over-https enable no` CLI command. Alternatively, you can remove the DNS Security configuration used to handle DoH traffic.
PAN-271913
(PAN-OS 11.2.4-h9 only)
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
Firewalls in HA configurations were experiencing consistent memory leaks on the active firewall, leading to unexpected failovers while using Cloud Identity Engine (CIE).
PAN-270549
When a client sends a large Client Hello followed by TLS early data and the early data arrives in a separate packet from the last Client Hello packet, the accumulation proxy fails to process the record correctly.
Workaround: Disable accumulation proxy using the `debug dataplane set ssl-decrypt accumulate-client-hello disable yes` CLI command, and then reboot the firewall.
PAN-270224
PAN-OS 11.2.4-h4 only
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
When querying for logs in the Monitor tab in Panorama, some forwarded logs might be missing from the results.
PAN-269106
PAN-OS 11.2.4-h4 only
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
When using a cloud-based ML detection engine (MICA), the wifclient might crash during server cert verification for MICA gRPC connections and cause the dataplane to restart. On certain platforms, this might cause the firewall to reboot.
Workaround: Disable CRL using the following CLI command: `debug iot eal key-value PAN_ICD_SERVER_CERT_USE_CRL=False`
PAN-269027
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
External dynamic lists cause the commit time on the firewall to be higher than expected.
PAN-268705
The firewall intermittently fails to process FTP traffic.
Workaround: Configure an application override policy rule for FTP applications.
PAN-268229
If you configure an IPSec tunnel, when traffic from the tunnel egresses the firewall on an ECMP route, the firewall stops responding.
Workaround: Disable ECMP for the virtual router or logical router to avoid this issue.
PAN-268127
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
Tagging a firewall in Panorama produces an error, `TypeError: Cannot read properties of undefined (reading 'serial')`, and does not tag as expected.
PAN-266900
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
In Panorama, the OK button does not work when trying to install configurations to a managed firewall from Managed Devices > Summary > Install, even after selecting the update type and file from the dropdown and choosing the firewall.
PAN-263987
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is terminated on a Palo Alto Networks firewall and the NAT rule applied to the NAT-T IPSec tunnel is also on the same firewall, then the data traffic flowing through the NAT-T IPSec tunnel can't be NATed correctly.
PAN-263973
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
After upgrading, the log collectors might experience a low incoming logging rate.
PAN-263208
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
(PA-5440 and PA-5445 firewalls only) High system load can cause the firewall to generate interrupts and trigger dataplane crashes.
PAN-261429
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
The command `show auth radius-require-msg-authentic` might return no output.
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application (Objects > Applications) tag.
PAN-260212
When viewing Applications (Objects > Applications), child App-IDs may be listed under the incorrect container App-ID.
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service router configuration (Device > Setup > Service > Service Router Configuration).
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.
PAN-258680
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
When you remove Security profile groups from a Security policy rule via the CLI and then do a partial commit, the Security policy rule is deleted.
Workaround: Perform one of the following:
  • Perform a full commit.
  • Remove the profile setting group manually in the UI by changing the Profile Group to None, and then perform a partial commit.
PAN-258570
This issue affects PAN-OS 11.2.4-h4.
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
The varrcvr process might progressively use more memory resulting in unexpected reboots when WildFire file forwarding is handling PE files.
PAN-257267
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
(VM-Series firewalls only) A warning message stating that the configuration size exceeded the maximum recommended configuration size was observed at commit completion and as a critical system log on the VM-Series firewall.
PAN-254901
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
If the GlobalProtect license is not installed or is invalid on the device, GlobalProtect user-to-IP address mapping is unexpectedly removed, despite the fact that the tunnel for a specific user is active and traffic is successfully passing through it. Due to the user-to-IP mapping being removed, the traffic matches the wrong policy.
PAN-254108
When upgrading or downgrading a Panorama management server (Panorama > Software), managed device (Panorama > Device Deployment > Software), or standalone firewall (Device > Software), the Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command `show interface all`.
Workaround: Unconfigure and configure the Inherited Interface.
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.