PAN-OS 11.2.4 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
-
-
-
-
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
PAN-OS 11.2.4 Known Issues
PAN-OSĀ® 11.2.4 known issues.
The following list includes only outstanding known issues specific to PAN-OSĀ® 11.2.4.
This list includes issues specific to Panoramaā¢, GlobalProtectā¢, VM-Series plugins, and
WildFireĀ®, as well as known issues that apply more generally or that are not identified
by an issue ID.
Issue ID | Description |
|---|---|
|
PAN-292202
|
The system logs repeatedly displayed the alert `Clearing snmpd.log
due to log overflow` due to the SNMP counters rolling over. This is
a benign message and does not impact device functionality.
|
|
PAN-290088
|
When pushing configurations from Panorama to a firewall, a memory
leak might occur in the firewall's configd process,
particularly when the configurations contain shared policies. Each
configuration push causes the configd process to
consume additional memory that is not released after the commit
completes.
|
|
PAN-286848
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
|
ECMP incorrectly balances sessions across links based on the
configured metric, which leads to an imbalance in traffic
distribution and results in traffic assignment shifting
disproportionately to routes with lower metrics.
|
|
PAN-286306
This issue is now resolved. See PAN-OS 11.2.4-h10 Addressed Issues
|
When getting transceiver information from ESCC for SFP 25G modules,
the transceiver code incorrectly displays
Unknown instead of
25GBase-SR.
|
|
PAN-286255
This issue affects PAN-OS 11.2.4-h6
This issue is now resolved. See PAN-OS 11.2.4-h7 Addressed Issues.
|
When a firewall receives an unexpected termination request for
certain SSL sessions, NGFW dataplane might experience a slow buffer
resource leak.
Workaround: Disable accumulation proxy on the NGFW.
|
|
PAN-286231
|
When performing a partial Commit and Push on Panorama, there
is a risk that unintended configuration changes might be pushed to a
firewall.
This issue is more likely to occur in the following scenarios:
Workaround: Perform one of the following steps:
|
|
PAN-285894
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
|
If the Preserve Pre-NAT feature is enabled, dataplane crashes may
occur, which could result in firewall reboots.
Workaround: Disable the Preserve Pre-NAT feature using the
set deviceconfig setting preserve-prenat-feature
no CLI command.
|
|
PAN-285590
| VM-Series firewalls deployed behind an AWS GWLB might experience 100% dataplane CPU utilization when an Anti-Spyware profile is applied to traffic. |
|
PAN-283467
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
|
(PA-3400 Series firewalls only) The firewall might
unexpectedly reboot and enter maintenance mode due to a
ctd-agent out-of-memory (OOM) condition when
undergoing advanced services load testing with a high volume of IoT
EAL log forwarding.
Workaround: Limit the number of EAL logs generated by the
firewall using the following CLI command: debug iot eal
key-value EAL_PENDING_BYTES=1000.
|
|
PAN-282236
(PAN-OS 11.2.4-h5 only)
|
The firewall doesn't reassemble IPv6 packets correctly after they are
fragmented. IPv6 SSL sessions may not be established if the client
hello arrives in multiple segments.
|
|
PAN-281885
|
When exporting and importing the CSV file, the hash values of
pre-shared key (PSK) variables set at template and template stack
levels inconsistently change, resulting in both variables displaying
the same hash value.
|
|
PAN-280471
|
When applying filters or searching for logs in the PanoramaMonitorLogssection, you might experience slow performance.
|
|
PAN-279746 (PAN-OS 11.2.4-h1 through PAN-OS
11.2.4-h5)
|
An SSL/TLS Client Hello may not be transmitted out of the firewall if
the Client Hello arrives in multiple TCP segments and the traffic is
not subject to SSL decryption (for example, SMTP over SSL).
|
|
PAN-279621
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
|
Early aging and removal of firewall session while they are still
active can lead to intermittent instabilities and crashes for proxy
traffic, the Content and Threat detection engine, and any data-path
processing.
|
|
PAN-279604
(PAN-OS 11.2.4-h4 only)
|
The scheduled SaaS application usage reports are incorrectly
generated and only the login page appears instead of the intended
report content.
|
|
PAN-279415
|
Service routes configured for a data plane interface might
incorrectly route traffic through the management plane interface
instead. This issue impacts Syslog and CRL status traffic when the
service route lacks a specific destination custom service route.
|
|
PAN-278322
| VM-Series firewalls deployed behind an AWS GWLB might display an incorrect or empty Source User field in traffic logs and session details. |
|
PAN-276920
|
URL filtering response pages may load slowly or fail to display when
users request websites that are blocked in the URL Filtering profile
(site access for the corresponding URL category is
block, continue,
or override) attached to the matching
Security policy rule. This occurs on an intermittent basis.
|
| PAN-275905 (PAN-OS 11.2.4-h4
only) |
A high volume of incoming logs to a Collector Group can significantly
increase CPU usage on the Elasticsearch and Management Server,
potentially causing process instability or crashes.
|
|
PAN-275601
This issue is now resolved. See PAN-OS 11.2.8 Addressed Issues
|
When Panorama is not internet-connected and you try to upload images
to the managed firewalls by using the
Validate option, the upload fails with
the following error: Failed to create multi-upload
job. No valid software deploy targets found.
|
|
PAN-273300
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
|
When upgrading Panorama from PAN-OS 10.2 or PAN-OS 11.0 to PAN-OS
11.1 or a later release, Panorama fails to upgrade if it is
operating within a Collector Group. The following error
appears:Error: Traceback (most recent call
last):File "/opt/panrepo/releases/<PANOS release
version>/validate"... (min ([dts['min'] for dts in
10g_type_intv_dir.values() if dts|'min']])-strftime
('%Y-%m-%d'),
|
|
PAN-275077
| DNS Security intermittently logs malicious domain URLs as alert instead of taking a sinkhole action, even when configured to sinkhole malicious DNS domains. |
|
PAN-275047
This issue is now resolved. See PAN-OS 11.2.7 Addressed Issues
|
(VM-Series firewalls only) After an upgrade, the firewall is
unable to send logs to the Strata Logging Service (SLS) when using a
specific proxy server, and the SSL connection status displays as
failed when attempting to forward logs through the web proxy.
|
|
PAN-274314
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
|
(PA-1400 Series firewalls, PA-3400 Series firewalls, and PA-5400
Series firewalls only) When the pan_task
process restarts, control plane packets are dropped, which can
impact LACP and pings to host interfaces.
|
|
PAN-274146
| VM-Series firewalls deployed behind an AWS GWLB might crash and reboot unexpectedly if tunnel sessions are moving through the firewall. |
| PAN-272085 (PAN-OS 11.2.4-h4
only) This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues. |
When DoH is enabled for DNS Security, multiple DoH transactions in a
single HTTP/1 connection might unexpectedly cause the firewall to
crash and reboot.
Workaround: Manually disable DoH support for DNS Security
using the set deviceconfig setting dns-over-https enable
no CLI command. Alternatively, you can remove the
DNS Security configuration used to handle DoH traffic.
|
| PAN-271913 (PAN-OS 11.2.4-h9
only) This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues. |
Firewalls in HA configurations were experiencing consistent memory
leaks on the active firewall, leading unexpected failovers while
using Cloud Identity Engine (CIE).
|
|
PAN-270549
|
When a client sends a large Client Hello followed by TLS early data
and the early data arrives in a separate packet from the last Client
Hello packet, the accumulation proxy fails to process the record
correctly.
Workaround: Disable accumulation proxy using the
debug dataplane set ssl-decrypt
accumulate-client-hello disable yes CLI command, and
then reboot the firewall.
|
|
PAN-270224
PAN-OS 11.2.4-h4 only
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
When querying for logs in the Monitor tab in
Panorama, some forwarded logs might be missing from the results.
|
|
PAN-269106
PAN-OS 11.2.4-h4 only
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
When using a cloud-based ML detection engine (MICA), the
wifclient might crash during server
cert verification for MICA gRPC connections and cause the dataplane
to restart. On certain platforms, this might cause the firewall to
reboot.
Workaround: Disable CRL using the following CLI
command:debug iot eal key-value
PAN_ICD_SERVER_CERT_USE_CRL=False
|
|
PAN-269027
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
External dynamic lists cause the commit time on the firewall to be
higher than expected.
|
| PAN-268705 |
The firewall intermittently fails to process FTP traffic.
Workaround: Configure an application override policy rule for
FTP applications.
|
|
PAN-268229
|
If you configure an IPSec tunnel, when traffic from the tunnel
egresses the firewall on an ECMP route, the firewall stops
responding.
Workaround: Disable ECMP for the virtual router or logical
router to avoid this issue.
|
|
PAN-268127
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
Tagging a firewall in Panorama produces an error,
TypeError: Cannot read properties of undefined
(reading 'serial'), and does not tag as
expected.
|
|
PAN-266900
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
In Panorama, the OK button does not work when
trying to install configurations to a managed firewall from the Managed DevicesSummaryInstall, even after selecting the update type and file from
the dropdown and choosing the firewall.
|
|
PAN-263987
|
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is
terminated on a Palo Alto Networks firewall and the NAT rule applied
to the NAT-T IPSec tunnel is also on the same firewall, then the
data traffic flowing through the NAT-T IPSec tunnel can't be NATed
correctly.
|
|
PAN-263973
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
After upgrading, the log collectors might experience a low incoming
logging rate.
|
|
PAN-263208
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues.
|
(PA-5440 and PA-5445 firewalls only) High system load can
cause the firewall to generate interrupts and trigger dataplane
crashes.
|
|
PAN-261429
This issue is now resolved. See PAN-OS 11.2.6 Addressed Issues
|
The command show auth
radius-require-msg-authentic might return no output.
|
|
PAN-260851
|
From the NGFW or Panorama CLI, you can override the existing
application tag even if Disable Override is enabled for the
application (ObjectsApplications) tag.
|
|
PAN-260212
|
When viewing Applications (ObjectsApplications), child App-IDs may be listed under the incorrect
container App-ID.
|
|
PAN-259853
|
When the DHCP server is enabled for GlobalProtect, the commit error
message is not properly displayed when Any is
selected as the source interface in the service router configuration
( DeviceSetupServiceService Router Configuration).
|
|
PAN-259423
|
When the GlobalProtect DHCP feature is enabled with two primary DHCP
servers on the GlobalProtect gateway, the gpsvc gets stuck during
renewal and after HA failover.
|
|
PAN-258680
This issue is now resolved. See
PAN-OS 11.2.5 Addressed Issues.
|
When you remove Security profile groups from a Security policy rule
via the CLI and then do a partial commit, the Security policy rule
is deleted.
Workaround: Perform one of the following:
|
|
PAN-258570
This issue affects PAN-OS 11.2.4-h4.
This issue is now resolved. See
PAN-OS 11.2.5 Addressed Issues.
|
The varrcvr process might progressively use more memory
resulting in unexpected reboots when WildFire file forwarding is
handling PE files.
|
|
PAN-257267
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
|
(VM-Series firewalls only) A warning message stating that
the configuration size exceeded the maximum recommended
configuration size, was observed during commit completion and
critical system log in the VM-Series firewall.
|
|
PAN-254901
This issue is now resolved. See PAN-OS 11.2.5 Addressed Issues
|
If the GlobalProtect license is not installed or is invalid on the
device, GlobalProtect user-to-IP address mapping is unexpectedly
removed, despite the fact that the tunnel for a specific user is
active and traffic is successfully passing through it. Due to the
user-to-IP mapping being removed, the traffic matches the wrong
policy.
|
|
PAN-254108
|
when upgrading or downgrading a Panorama management server (PanoramaSoftware), managed device (PanoramaDevice DeploymentSoftware), or standalone firewall (DeviceSoftware), Base Releases and
Preferred Releases settings are checked
(enabled) by default and cause no PAN-OS software images to
display.
Workaround: Uncheck (disable) Base
Releases or Preferred
Releases to display either the available base PAN-OS
or preferred PAN-OS releases available to download and install.
|
|
PAN-253963
|
The auto commit job may take longer than expected to complete when
the Panorama management server is in Panorama or Log Collector
mode.
|
|
PAN-250062
|
Device telemetry might fail at configured intervals due to bundle generation issues.
|
|
PAN-248836
|
The Advanced DNS Security trial license and trial license information
cannot be activated and viewed, respectively, on a managed firewall
(with expired or active status) from Panorama. These tasks can only
be performed on the firewall.
|
|
PAN-239612
|
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is
enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay
agent doesn't work.
|
|
PAN-236649
|
If you change the configuration of a firewall acting as a PPPoEv4 or
PPPoEv6 client, old routes from the Forwarding Information Base
(FIB) and route table for an inherited configuration with
dynamic-identifier or client remain visible. Old routes also remain
visible for an inherited interface when you execute the CLI command,
show interface all.
Workaround: Unconfigure and configure the Inherited
Interface.
|
|
PAN-206909
|
The Dedicated Log Collector is unable to reconnect to the Panorama
management server if the configd
process crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector connection
Status (PanoramaManaged Collector) displaying connected
and the managed colletor Health status
displaying as healthy.
This results in the local Panorama config and system logs not being
forwarded to the Dedicated Log Collector. Firewall log forwarding to
the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr
process on the Dedicated Log Collector.
|
|
PAN-197588
|
The PAN-OS ACC (Application Command Center) does not display a widget
detailing statistics and data associated with vulnerability exploits
that have been detected using inline cloud analysis.
|
|
PAN-197419
|
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, the power over Ethernet (PoE) ports do not display a
Tag value.
|
|
PAN-196758
|
On the Panorama management server, pushing a configuration change to
firewalls leveraging SD-WAN erroneously show the auto-provisioned
BGP configurations for SD-WAN as being edited or deleted despite no
edits or deletions being made when you Preview
Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).
|
|
PAN-195968
|
(PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port, the CLI
prints an error depending on whether an interface type was selected
on the non-PoE port or not. If an interface type, such as tap, Layer
2, or virtual wire, was selected before PoE was configured, the
error message will not include the interface name (eg. ethernet1/4).
If an interface type was not selected before PoE was configured, the
error message will include the interface name.
|
|
PAN-187685
|
On the Panorama management server, the Template Status displays no
synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added
to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web
interface and select CommitPush to Devices.
|
|
PAN-187407
|
The configured Advanced Threat Prevention inline cloud analysis
action for a given model might not be honored under the following
condition: If the firewall is set to Hold client request
for category lookup and the action set to
Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be
bypassed.
|
|
PAN-184406
|
Using the CLI to add a RAID disk pair to an M-700 appliance causes
the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process
before adding a RAID disk pair to a M-700 appliance.
|
|
PAN-183404
|
Static IP addresses are not recognized when "and" operators are used
with IP CIDR range.
|
|
PAN-181933
|
If you use multiple log forwarding cards (LFCs) on the PA-7000
series, all of the cards may not receive all of the updates and the
mappings for the clients may become out of sync, which causes the
firewall to not correctly populate the Source User column in the
session logs.
|