Known Issues Related to PAN-OS 9.0
List of known issues in all PAN-OS® 9.0 releases.
The Consolidated List of PAN-OS 9.0 Known Issues includes
all known issues that impact a PAN-OS 9.0 release. This list includes
both outstanding issues and issues that are addressed in Panorama™,
GlobalProtect™, VM-Series plugins, and WildFire®, as well as known
issues that apply more generally or that are not identified by a
specific issue ID.
To review the subset of outstanding known issues for a specific
PAN-OS 9.0 maintenance release, see the following lists:
Consolidated List of PAN-OS 9.0 Known Issues
Issue ID | PAN-OS 9.0 Known Issue Description |
---|---|
— | Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process. |
— | A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available. |
WF500-4200 | The Create Date shown when using the `show wildfire global sample-status sha256 equal <hash>` or `show wildfire global sample-analysis` CLI command is two hours behind the actual time for WF-500 appliance samples. |
PLUG-1854 (resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall) | (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. |
PLUG-1827 (resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall) | (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated Networking is enabled on the firewall (Settings > Networking). |
PLUG-1709 (resolved with VM-Series plugin 1.0.3) | (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed. |
PLUG-1694 | (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release. Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license. |
PLUG-1681 | If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin. |
PLUG-1642 (resolved with VM-Series plugin 1.0.2) | After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. |
PLUG-1503 (resolved with VM-Series plugin 1.0.3) | When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29. |
PLUG-1074 | On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama. |
PLUG-380 | When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack, and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls. |
PAN-204689 | Upon upgrade to PAN-OS 9.0.17, the following GlobalProtect settings do not work: |
PAN-178194 | Firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a License required for URL filtering to function is unavailable, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering. |
PAN-177363 | Dedicated Log Collector system and config logs cannot be ingested and are dropped when they are forwarded to a Panorama management server in Management Only mode, resulting in Dedicated Log Collector system and config logs not being viewable on Panorama in Management Only mode. |
PAN-174004 | On the Panorama management server, a local or Dedicated Log Collector cannot successfully join an ElasticSearch cluster when added to a Collector Group (Panorama > Collector Groups) if the SSH key length for a Log Collector in the cluster is greater than 2048 characters. |
PAN-173509 | Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: |
PAN-168113 | On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama. Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key. |
PAN-164885 | On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes. |
PAN-162088 | On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer. |
PAN-161955 | Firewalls erroneously generate a high severity system log (Monitor > Logs > System) when the firewall connects to a syslog server. |
PAN-160410 | In the ACC, data cannot be imported or exported when a User filter (ACC > Network Activity > Set Tab Filters > User) that contains characters not supported by URL format, such as DOMAIN/USER, is applied to the Network Activity widget. |
PAN-157240 | When a firewall has hardware offloading turned on and OSPF enabled, if ECMP is enabled or disabled for a virtual router during a configuration commit, OSPF sessions may get stuck in the Exchange Start state. Workaround: Disable OSPF when enabling or disabling ECMP, and then re-enable OSPF in the next commit. |
PAN-154247 | On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out. Workaround: Log out and back in to the Panorama web interface. |
PAN-153803 | On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer. |
PAN-152458 | On the VM-Series firewall on Microsoft Hyper-V, when upgrading to PAN-OS 9.0.8 or later, Ethernet packets might be dropped after adding VLAN tags during egress from a subinterface. Workaround: Create the Hyper-V Virtual Switch with MTU size 1504, store it as persistent, and reboot for the changes to take effect. Before upgrading PAN-OS, access the VM-Series firewall CLI and set the MTU size on firewall interfaces to 1504. |
PAN-151909 | On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router). |
PAN-151198 | On the Panorama management server, read-only Panorama administrators (Panorama > Administrators) can load managed firewall configuration Backups (Panorama > Managed Devices > Summary). |
PAN-150172 (resolved; see PAN-OS 9.0.9-h1 Addressed Issues) | Dataplane processes restart when attempting to access websites whose server certificate has a NotBefore attribute less than or equal to Unix Epoch Time, with forward proxy enabled. |
PAN-147331 | (VM-Series firewalls only) Bootstrapping with .xfr images is not supported. When you use an image with the .xfr filename to bootstrap, it fails with the error No image found. |
PAN-146573 | PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries. |
PAN-140008 | ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion. |
PAN-136701 | (PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions. Workaround: Use the following CLI command to bypass this issue: To enable hwpredict again, use `set session hwpredict disable no`. To verify the current settings, use `show session hwpredict status`. |
PAN-133782 | The Panorama management server in Management Only mode may become inaccessible or unresponsive due to insufficient disk space in the /opt/mongobuffer partition required for Panorama logs. Workaround: Contact Palo Alto Networks Support to repartition the /opt/mongobuffer disk partition table. |
PAN-132598 | The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when they are created from the CLI. |
PAN-131915 | When you bootstrap a new firewall with a USB drive, the bootstrap may fail and display the following error message: no USB device found. Workaround: Perform a factory reset or run the `request system private-data-reset` CLI command and then proceed with bootstrapping. |
PAN-131792 (resolved; see PAN-OS 9.0.9 Addressed Issues) | The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu. |
PAN-130550 | (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation. Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic. |
PAN-130069 (resolved; see PAN-OS 9.0.6 Addressed Issues) | The firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list. |
PAN-128650 (resolved; see PAN-OS 9.0.10 Addressed Issues) | Selecting Preview Changes under a specific device group results in the following error message: Parameter device group missing. |
PAN-128269 (resolved; see PAN-OS 9.0.6 Addressed Issues) | (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer. |
PAN-127189 (resolved; see PAN-OS 9.0.5 Addressed Issues) | (VM-Series firewalls only) The non-blocking pattern match setting is enabled by default, which results in CTD performance degradation. Workaround: Manually disable the feature and improve performance by using the following CLI command: `set system setting ctd nonblocking-pattern-match disable`. |
PAN-126921 (resolved; see PAN-OS 9.0.5 Addressed Issues) | (PA-7000 Series firewalls only) Internal path monitoring fails when the firewall processes corrupt packets. |
PAN-125775 (resolved; see PAN-OS 9.0.5 Addressed Issues) | Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) stop responding in regions that support these instance types. |
PAN-125121 (resolved; see PAN-OS 9.0.5 Addressed Issues) | (VM-Series firewalls only) Custom images do not function as expected for PAN-OS 9.0. Workaround: Use PAN-OS 8.1 for creating custom images. |
PAN-124956 | VM-Series firewalls do not support packet buffer protection. |
PAN-123322 (resolved; see PAN-OS 9.0.6 Addressed Issues) | (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 9.0.5 only) There is an intermittent issue where a process (all_pktproc) stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions. |
PAN-121449 (resolved; see PAN-OS 9.0.4 Addressed Issues) | (PAN-OS 9.0.3 and later releases only) The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama. Workaround: Manually delete the plugin configuration: select your plugin on Panorama, clear the values from all fields, and Commit your changes. |
PAN-120662 (resolved; see PAN-OS 9.0.4 Addressed Issues) | (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding. |
PAN-120440 | On M-500 Panorama management servers, any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity only supports the following address format: 2001:DB9:85A3:0:0:8A2E:370:2. |
PAN-120303 | The firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you have configured the Eth1/1 interface. Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below. |
PAN-118628 (resolved; see PAN-OS 9.0.5 Addressed Issues) | After you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that were provided during the deployment process. |
PAN-118525 (resolved; see PAN-OS 9.0.3 Addressed Issues) | (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) The QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support. |
PAN-118414 | (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process. Workaround: Downgrade to PAN-OS 9.0.1. |
PAN-118108 (resolved; see PAN-OS 9.0.6 Addressed Issues) | An API call against a Panorama management server that triggers the `request analyze-shared-policy` command causes Panorama to reboot after you execute the command. |
PAN-118065 | (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 Ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the `show interface all` command in the CLI after you commit. Workaround: Disable the 1/1 Ethernet interface before you delete the local Log Collector and then commit the configuration change. |
PAN-118008 (resolved; see PAN-OS 9.0.3 Addressed Issues) | (Affects PA-3000 Series appliances only) There is an infrequently encountered issue where a low memory condition intermittently prevents decoders from loading, leading to traffic inspection issues related to the impacted decoder(s). |
PAN-117918 | The logs are not visible after you upgrade a Panorama management server in an HA configuration from PAN-OS 8.1 to PAN-OS 9.0. Workaround: After you complete the upgrade, log in to the web interface of the primary Panorama HA peer and perform a Collector Group push (Commit > Push to Devices > Edit Selections), or log in to the CLI of the primary Panorama HA peer and commit force the local configuration. |
PAN-117424 (resolved; see PAN-OS 9.0.3 Addressed Issues) | Cortex Data Lake without Panorama, where we removed Panorama as a requirement to send logs to Cortex Data Lake, was introduced in PAN-OS 9.0.2 and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details an update we made to support this feature across all firewall platforms. If you successfully onboarded the firewall to Cortex Data Lake before PAN-OS 9.0.3 released, this issue does not impact you. But following the release of PAN-OS 9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If this is a feature you would like to implement, you’ll need to upgrade to PAN-OS 9.0.3. Here’s how you can get started with Cortex Data Lake now. |
PAN-117043 (resolved; see PAN-OS 9.0.7 Addressed Issues) | On the Panorama management server and all supported firewalls, special characters contained in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid. Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters. |
PAN-116436 (resolved; see PAN-OS 9.0.4 Addressed Issues) | (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding. |
PAN-116084 (resolved; see PAN-OS 9.0.2 Addressed Issues) | VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic. |
PAN-116069 (resolved; see PAN-OS 9.0.3 Addressed Issues) | (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition. |
PAN-116017 | (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall. Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process. |
PAN-115816 | (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall. Workaround: Reboot the firewall. |
PAN-115733 | (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS. Workaround: Reboot the firewall. |
PAN-114495 | Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode. |
PAN-113614 (resolved; see PAN-OS 9.0.3 Addressed Issues) | A memory leak associated with commits on Panorama appliances eventually causes an unexpected restart of the configuration (configd) process. |
PAN-113501 (resolved; see PAN-OS 9.0.4 Addressed Issues) | The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) when the SCP server password exceeds 15 characters in length. |
PAN-113340 (resolved; see PAN-OS 9.0.3 Addressed Issues) | (PA-200 firewalls only) The management plane memory is lower than expected, which causes the management plane to restart. |
PAN-113117 (resolved; see PAN-OS 9.0.3 Addressed Issues) | A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched, bootstrapped firewall connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall. |
PAN-113098 | In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories. |
PAN-112983 | (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3. Workaround 1: Workaround 2: When you generate or import a new certificate while configuring a Certificate Profile for a vsys other than vsys1, specify the Location as Shared. |
PAN-112814 (resolved; see PAN-OS 9.0.2 Addressed Issues) | H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic. |
PAN-112700 (resolved; see PAN-OS 9.0.1 Addressed Issues) | (PA-7000 Series firewalls in an HA configuration only) After you upgrade to PAN-OS 9.0, some logs may display a different rule name than the rule name associated with the universally unique identifier (UUID). Workaround: If you are using Panorama, make a policy change (such as cloning a rule) in the corresponding device group, commit the change, and push the updated policy to managed devices. If you are not using Panorama to manage your firewalls, make a policy change (such as cloning a rule) on the firewall and commit the change. |
PAN-112699 (resolved; see PAN-OS 9.0.2 Addressed Issues) | (VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the `mgmt-interface-swap` command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB). Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29. |
PAN-112694 | (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one. |
PAN-112626 (resolved; see PAN-OS 9.0.2 Addressed Issues) | When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade. |
PAN-112562 | The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems. |
PAN-112456 | You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter. |
PAN-112340 (resolved; see PAN-OS 9.0.2 Addressed Issues) | If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage. |
PAN-111928 | Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration. Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors. |
PAN-111866 | The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes. Workaround: Perform one of the following tasks. |
PAN-111729 | If you disable DPDK mode and enable it again, you must immediately reboot the firewall. |
PAN-111708 (resolved; see PAN-OS 9.0.3 Addressed Issues) | (PA-3200 Series firewalls only) There is a rare issue where a software issue causes the dataplane to restart unexpectedly. |
PAN-111670 | Tagged VLAN traffic fails when sent through an SR-IOV adapter. |
PAN-111553 (resolved; see PAN-OS 9.0.2 Addressed Issues) | On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail. Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) to Include Device and Network Templates. |
PAN-111251 (resolved; see PAN-OS 9.0.2 Addressed Issues) | Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect. |
PAN-110794 | DGA-based threats shown in the firewall
threat log display the same name for all such instances. |
PAN-110603 | In some cases, when a port on an PA-7000
Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has an
HA failover event, the link is sometimes held down for an extended
period of time while the interface attempts to tune itself. Workaround: Connect
a cable to the installed SFP+ transceiver to allow the system to
tune and link. Then, when you disconnect the cable, the system will correctly
detect that the link is down. Alternatively, remove the SFP+ transceiver
from the port. |
PAN-109759 This issue
is now resolved. See PAN-OS 9.0.4 Addressed Issues . | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match. |
PAN-109526 | The system log does not correctly display
the URL for CRL files; instead, the URLs are displayed with encoded characters. |
PAN-108113 This issue
is now resolved. See PAN-OS 9.0.1 Addressed Issues . | If you configure a firewall to use a static
route whose next hop is an FQDN and you configure Bidirectional Forwarding
Detection (BFD) for that static route, BFD is non-operational for
that static route. |
PAN-108111 This issue
is now resolved. See PAN-OS 9.0.1 Addressed Issues . | If you configure a firewall with a BGP peer
that is identified by an FQDN and you configure Bidirectional Forwarding
Detection (BFD) for that BGP peer, then BFD is non-operational for
that BGP peer. |
PAN-106989 | (PAN-OS 9.0.1 and later PAN-OS 9.0 releases)
There is a display-only issue on Panorama that results in a commit failed status
for Template Last Commit State (PanoramaManaged DevicesSummary). Workaround: Push
templates to managed devices. |
PAN-105210 | (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on Panorama
in FIPS mode when managing a non-FIPS firewall. If you attempt to
do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips. |
PAN-104808 This issue
is now resolved. See PAN-OS 9.0.4 Addressed Issues . | There is an issue where scheduled SaaS reports generate
and email empty PDF reports. Workaround: Manually generate
the report from the Panorama web interface. |
PAN-104780 | If you configure a HIP object to match only
when a connecting endpoint is managed (ObjectsGlobalProtectHIP Objects<hip-object>GeneralManaged), iOS and Android endpoints
that are managed by AirWatch are unable to successfully match the
HIP object and the HIP report incorrectly indicates that these endpoints
are not managed. This issue occurs because GlobalProtect gateways
cannot correctly identify the managed status of these endpoints. Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints; these
serial numbers do not appear in the HIP report. |
PAN-103336 | (HA configurations only) When you downgrade
a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release,
you do not receive warnings. Do not downgrade your firewall without
saving and exporting your current configuration. Workaround: Because
HA is not supported in earlier versions of VM-Series firewalls on Azure,
to prevent the loss of your configuration:
|
PAN-103276 | Adding a disk to a virtual appliance running Panorama
8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama
virtual appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-103018 | (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected. |
PAN-101688 | (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group. Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: `debug object registered-ip clear all`. |
PAN-101537 | After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the `show log <log-type> direction equal <direction> <dst> \| <src> in <object-name>` command on a managed firewall only returns address and address group objects pushed from the Shared device group. Workaround: Specify the vsys in the query string: `admin> set system target-vsys <vsys-name>` followed by `admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> \| <src> in <object-name>` |
PAN-99483 This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues. | (PA-5250, PA-5260, and PA-5280 firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). |
PAN-98803 | If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama. Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue). |
PAN-98520 | When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored. |
PAN-97757 | GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect. Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97524 | (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch. |
PAN-96985 | The `request shutdown system` command does not shut down the Panorama management server. |
PAN-96960 | You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI. |
PAN-96446 | A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode. |
PAN-95773 | On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the `show session info` CLI command displays an inaccurate throughput and packet rate. Workaround: Disable DPDK by running the `set system setting dpdk-pkt-io off` CLI command. |
PAN-95717 | After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails. |
PAN-95602 | In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance. Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: `devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2` |
PAN-95511 | The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule. |
PAN-95028 | For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.) |
PAN-94966 | After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (`show user ip-port-user-mapping` CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents). Workaround: Do not delete both disconnected and connected TS agents in the same operation. |
PAN-94846 | When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state. |
PAN-94093 | HTTP Header Insertion does not work when jumbo frames are received out of order. |
PAN-93968 | The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature. |
PAN-93842 | The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector. Workaround: Configure the management (MGT) interface for log collection. |
PAN-93607 | When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles. Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there. |
PAN-93532 | When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM). |
PAN-93193 | The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not: Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall. |
PAN-92155 This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues. | You cannot configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in a high availability (HA) configuration. Workaround: Configure HA2 in the CLI using the following commands: `> configure` and then `# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>` |
PAN-91802 | On a VM-Series firewall, the `clear session all` CLI command does not clear GTP sessions. |
PAN-88987 This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues. | When you configure a PA-5220 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses cannot exceed 3,000; otherwise, the commit fails. |
PAN-86903 | In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement. |
PAN-85691 This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues. | Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate. |
PAN-84670 This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues. | When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy. Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted. |
PAN-83610 | In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the `set session udp-offload no` CLI command. |
PAN-83598 | VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources). |
PAN-83236 | The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services). Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides. |
PAN-83215 | SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM). |
PAN-81521 | Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos). Workaround: Replace the FQDN with the IP address in the Kerberos server profile. |
PAN-79423 | Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings). |
PAN-77125 | PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out. Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the `set session offload no` CLI command. |
PAN-75457 | (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist: Workaround: There are three possible workarounds to sync the controller nodes: |
PAN-71329 | Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications). Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications. |
PAN-70906 | If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface. Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal. |
PAN-69505 | When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists). |
PAN-41558 | When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan. Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic. |
PAN-40079 | The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality. |
PAN-39636 | Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame. Workaround: To generate an on-demand report, click Run Now when you configure the custom report. |
PAN-38255 | When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the `debug software restart process management-server` CLI command. |
PAN-31832 | The following issues apply when configuring a firewall to use a hardware security module (HSM): |
PAN-25046 | Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails. Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover. |