Limitations
Limitations related to the SD-WAN plugin.
The following are limitations associated with the SD-WAN plugin:
- Limitations Introduced in SD-WAN Plugin 3.0
- Limitations Introduced in SD-WAN Plugin 2.2
- Limitations Introduced in SD-WAN Plugin 2.0
- Limitations Introduced in SD-WAN Plugin 1.0
Limitations Introduced in SD-WAN Plugin 3.0
Issue ID | Description |
---|---|
— | SD-WAN Plugin 3.0 does not function with the Advanced Routing Engine; do not enable Advanced Routing. |
Limitations Introduced in SD-WAN Plugin 2.2
Issue ID | Description |
---|---|
Prisma Access Hub Support (SD-WAN plugin 2.2 and later versions) | When you enable Zone to PA Hub, first ensure that your firewall supports enough zones. When the Zone to PA Hub predefined zone is configured, the SD-WAN plugin consumes one zone from the total available zones on the firewall. Therefore, on lower-end firewall models that support up to 15 zones, configuring Zone to PA Hub affects the number of available zones. |
Limitations Introduced in SD-WAN Plugin 2.0
Issue ID | Description |
---|---|
PLUG-9544 | When you use SD-WAN plugin 2.2 and later releases to onboard PAN-OS firewalls to Prisma Access, one of the first steps on Panorama is to specify the BGP Prisma Address Pool. If you subsequently change the BGP Prisma Address Pool, the change is not reflected on the Prisma Access firewall. |
PLUG-5953 | Installation of SD-WAN Plugin 2.0 requires Panorama to be running PAN-OS 10.0.2 or a later 10.0 release and should fail on a Panorama running PAN-OS 9.1.x. The issue is that installation of SD-WAN Plugin 2.0 is currently allowed on a Panorama running PAN-OS 9.1.4. |
PAN-156322 | If you configure a PA-220 firewall as an SD-WAN branch or hub with an Error Correction Profile for FEC or packet duplication, the branch or hub achieves little or no performance gain due to the CPU limitations on a PA-220 firewall. |
PAN-149708 | Adaptive SaaS monitoring using a SaaS Quality profile (Objects > SD-WAN Link Management > SaaS Quality Profile) is supported only for TCP SaaS applications. Adaptive SaaS monitoring is not supported for any SSL-proxied traffic. |
PAN-127813 | In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub-and-spoke model, where branches do not communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub. Workaround: Add any specific prefixes for branches to the hub advertise-list configuration. |
Limitations Introduced in SD-WAN Plugin 1.0
Issue ID | Description |
---|---|
— | (SD-WAN Failover from a DIA Link to an MPLS Link) Direct Internet Access (DIA) failover to MPLS is for traffic with new sessions, not for existing sessions. |
— | (SD-WAN Failover from a DIA Link to an MPLS Link) All firewalls in a VPN cluster must have one or more routes to reach the MPLS interface IP addresses on a peer firewall. |
PAN-224568 | SD-WAN supports point-to-point VPLS deployment only. For such point-to-point connections, you must set the default gateway to the IP address of the connecting peer. |
PAN-169169 | For multi-vsys firewalls, all SD-WAN enabled interfaces and configurations must be configured on vsys1. SD-WAN does not support an SD-WAN configuration across multiple virtual systems of a multi-vsys firewall. |
PAN-142282 | (SD-WAN Failover from a DIA Link to an MPLS Link) In FTP active mode only, the first SYN packet for FTP data over MPLS is always dropped. |
PAN-142213 | (SD-WAN Failover from a DIA Link to an MPLS Link) The VPN Data Tunnel Support setting in an SD-WAN interface profile must be the same (either disabled or enabled) on all devices in a cluster. Otherwise, hub-initiated traffic will not work, nor will traffic going from a branch to another branch through the hub. |
PAN-142180 | (SD-WAN Failover from a DIA Link to an MPLS Link) When VPN Data Tunnel Support is disabled, branch-to-branch traffic doesn't work if BranchA-to-Hub selects a tunnel over the DIA link and Hub-to-BranchB selects the MPLS link. |
PAN-127550 | Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Devices already added are not removed when importing a new CSV device list. If needed, delete devices manually in the web interface or CLI. |
PAN-127432 | (SD-WAN Failover from a DIA Link to an MPLS Link) A predict session cannot be matched for traffic through a tunnel: FTP data sometimes fails on firewalls with multiple data planes. This limitation exists for traffic between a branch and hubs, including DIA traffic that fails over to an MPLS tunnel. |