Firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots in to maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes in to maintenance mode, please check the error and warnings in the fips.log file.

A reboot always occurs during an upgrade so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.

(

Releases earlier than PAN-OS 9.1.14-h6 and PAN-OS 9.1.15-h1

) Due to a component change, PAN-OS 9.1.15 and versions earlier than PAN-OS 9.1.14-h6 are no longer supported on later hardware revisions of the PA-5200 Series.

Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (

Monitor

Manage Custom Reports

) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day.

When a Certificate Profile (

Device > Certificate Management > Certificate Profile

) is configured to

Block session if certificate status cannot be retrieved within timeout

, the firewall allows client certificate validation to go through even if the CRL Distribution Point or OCSP Responder is unreachable.

Workaround:

You must also enable

Block session if certificate status is unknown

to ensure

Block session if certificate status cannot be retrieved within timeout

is effective.

In an SD-WAN configuration, when a GlobalProtect Gateway is terminated on a loopback interface, if the tunnel protocol is udp-encapsulated ESP (IPSec), the return traffic from the Gateway toward the client is load-balanced across all of the SD-WAN member interfaces and cannot be subjected to an SD-WAN policy.

Workaround:

Configure the same time zone for the Dedicated Log Collectors you are querying.

Log in to the Log Collector CLI.

Set the time zone for the Dedicated Log Collector.

admin> 
configure

admin# 
set deviceconfig timezone <time_zone>

admin# 
commit

(

PAN-OS 9.1.9 and later 9.1 releases

) BGP supports a maximum of 255 AS numbers in an AS_PATH list for a prefix.

On the Panorama management server, forwarded logs (

Monitor

Logs

Traffic

) do not display if the latency between the Log Collectors exceeds 10ms when the Log Collectors in a Collector Group (

Panorama

Collector Groups

) are located on different Local Area Networks (LANs).

Workaround:

When deploying your Log Collectors in a Collector Group, ensure they are both deployed on the same LAN or that the latency between Log Collectors in the Collector Group does not exceed 10ms.

On the Panorama management server, scheduled email PDF reports (

Monitor

PDF Reports

) fail if a GIF image is used in the header of footer.

(

PAN-OS 9.1.6 and later 9.1 releases

) If the number of SD-WAN policies is close to capacity, sometimes renaming a policy results in the following error:

SD-WAN policy capacity exceeded by editing rule ‘xxxxxx’. Delete the rule and add again to fix. 

If deleting the rule and adding it again doesn’t work, take the following steps:

If your SD-WAN configuration uses auto VPN configuration of hub priority for BGP local preference and you have multiple hubs with the same priority, Panorama appropriately enables ECMP to select a path from among multiple paths to the same destination. The limitation is that the ECMP

Symmetric Return

setting is not supported on SD-WAN interfaces.

(

PAN-OS 9.1.2 and later 9.1 releases

) In an SD-WAN Hub-Spoke configuration, suppose Branch A and Branch B each have an MPLS link to the hub and all devices have

VPN Data Tunnel Support

disabled. For traffic from Branch A to Branch B, if Branch A selects a tunnel to go through the hub and the hub selects the MPLS link to reach Branch B, the traffic will fail because return traffic may go to Branch A directly through MPLS, without going through the hub. (The next packet from Branch A to Branch B is dropped at the hub because the TCP three-way handshake fails.)

You must Contact Palo Alto Networks Support before you downgrade a Panorama management server, PA-7000 Series firewall, and PA-5200 Series firewall to avoid commit failures on successful downgrade to PAN-OS 9.0.

Upgrading a Panorama management server deployed on Amazon Web Services (AWS) using a C5 or M5 instance type to PAN-OS 9.1.1 causes the Panorama virtual appliance to become unresponsive.

On the Panorama management server, scheduled content updates (

Panorama

Device Deployment

Dynamic Updates

) for managed VM-Series firewalls configured to

Download Only

cause commit failures for the VM-Series firewalls.

Workaround:

Configure scheduled content updates for VM-Series firewalls to

Download and Install

.

If an admin user password is changed but no commit is performed afterward, the new password does not persistent after a reboot. Instead, the admin user can still use the old password to log in, and the calculation of expiry days is incorrect based on the password change timestamp in the database.

After adding a new virtual system from the CLI, you must log out and log back in to see the new virtual system within the CLI.

After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.

Workaround:

Create new threat summary reports (

Monitor

PDF Reports

Manage PDF Summary

) containing the top attackers to mimic the predefined reports.

After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner:

(

Affects only PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards

) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP)

NAT Oversubscription Rate

to allow multiple connections (

Device

Setup

Session

Session Settings

NAT Oversubscription

).

Workaround:

Upgrade to a second-generation SMC-B card.

The

commit all

job is executed from Panorama to the firewall only if the newly added firewall is running PAN-OS 8.1 or a later release with

Auto Push on 1st Connect

enabled.