Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Focus

Next-Generation Firewall

Limitations in PAN-OS 12.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Associated Content and Software Versions

Limitations in PAN-OS 12.1

What are the limitations related to PAN-OS 12.1 releases?

The following are limitations associated with PAN-OS 12.1.

Issue ID	Description
PLUG-18442	Adding unique vSphere cluster names across different data centers on the vCenter isn't supported.
PAN-298514	WildFire clusters operating in FIPS-CC mode are not currently supported in PAN-OS 12.1.2.
PAN-297731	In an AI HSF cluster, the MTU of the external interfaces on AI-Gateway nodes cannot exceed 8650 in jumbo mode
PAN-293738	When you enable DNS Rewrite, the firewall doesn't honor the TSIG (transaction signature authentication) flag and updates the DNS response packet regardless of the TSIG flag.
PAN-289560	When NGFWs drop TLSv1.3 forward proxy sessions due to an unavailable HSM, the decryption logs record the wrong reason.
PAN-282032	Traffic forwarding issues occur due to stale orphan flows resulting in traffic drops or a silent discard in new sessions. Workaround: Check Flow Table Usage: Run the following command on all gateway nodes in the cluster: debug dataplane sw-asic dump flow-table info Analyze the flow table entries and look for the following values in the output: Number of flows supported Number of allocated flows If the allocated flows exceed 90% of the supported capacity and the count isn’t decreasing, then the issue is likely present. Reboot Gateway Nodes: Perform a graceful shutdown or reboot all gateway nodes in the vm-hsf cluster. Verify Flow Table Cleanup: After the reboot, rerun the flow table command and check if the Number of allocated flows has decreased. Test the traffic flow: Send new traffic flows and verify if they are processed correctly.
PAN-275659	Modifications to TI interfaces (including changes to the TI checkbox, IP addresses, port groups, vmnic, or other interface settings), are not advised. Workaround: If you need to modify the TI interfaces, ensure that you reboot the cluster.
PAN-275628	IPv6 for management interfaces of cluster nodes is not supported by VM HSF.
PAN-274758	Multiple reboots of one or more gateway nodes could lead to unexpected traffic loss in the cluster. Workaround: Restart all the nodes in the cluster to recover it.
PAN-270126	If a content mismatch is observed on nodes in a cluster, then Cluster nodes transition to a warning state. Workaround: Install same content versions across all the nodes and the Panorama.

Associated Content and Software Versions