PAN-OS 12.1.7 Known Issues
The following table lists the known issues in PAN-OS 12.1.7.
Issue ID
Description
PAN-313779
(PA-5500 series only) PA-5500 series firewalls running PAN-OS 12.1.7 do not support encryption on the HA1 and HA1-backup interfaces. As a result, the request high-availability session-reestablish command fails with the following error:
ERROR: Encryption is not enabled for HA
PAN-312143
(Firewalls in active/passive high availability (HA) configurations only) When attempting to synchronize the running configuration with an HA peer, particularly during script runs involving different topology builds (e.g., during a smoke runlist), the synchronization process fails. This results in an error indicating that the running configuration could not be synchronized with the HA peer.
PAN-311601
A node can become stuck with the fault "session clearing fault". Workaround: After all other fault conditions are removed, reboot the node to bring it back to the online state.
PAN-310328
A node can become stuck with the fault "session clearing fault". Workaround: After all other fault conditions are removed, reboot the node to bring it back to the online state.
PAN-300667
Panorama cannot display Threat log entries (Monitor > Logs > Threat) when the managed log collector is running a lower PAN-OS release than Panorama. Workaround: Upgrade the log collectors to the same version as Panorama.
PAN-300230
(NGFW Cluster) Pings to the HSCI-B link might fail even when the link indicates it is up. If the HSCI-A link is then brought down or unplugged, the cluster node transitions to the failed state, which avoids split brain because both HSCI links are down in this case. Workaround: Reboot the cluster node to resolve the HSCI-B ping issue.
PAN-299562
When a client sends a Client Hello with Transport Layer Security (TLS) 1.3 or TLS 1.2, using only the P-192 elliptic curve and some non-perfect forward secrecy (PFS) ciphers, the firewall discards the Client Hello. The firewall should allow the connection to proceed using TLS 1.2, maintaining backward compatibility with previous releases.
PAN-298083
After you change the system mode on an M-700 appliance from Panorama mode to PAN-DB private cloud mode, the snmpd process fails to work.
PAN-295946
When a Panorama appliance (running PAN-OS 12.1.2 or higher) manages firewalls running PAN-OS versions lower than 12.1.2, and an NTP server configuration template includes SHA256 or SHA512 as the authentication mechanism, pushing this template to the firewalls running PAN-OS versions lower than 12.1.2 will cause the commit operation to fail. Workaround: Create two separate templates: one for firewalls running PAN-OS 12.1.2 or higher (which can include SHA256/SHA512 authentication) and another for firewalls running PAN-OS versions lower than 12.1.2 (which should use other authentication algorithms such as SHA1, MD5, or Autokey). Then, push the appropriate template to the corresponding devices from Panorama.
PAN-292601
PAN-OS 12.1.2 and later 12.1 releases support a Load Balanced DNS configuration for an address object. If two address objects have the same FQDN, but one object has Load Balanced DNS enabled and the other object has Load Balanced DNS disabled, then the policy match for the removed IP addresses doesn't work as expected. Workaround: Enable (or disable) Load Balanced DNS consistently for an FQDN that is used with multiple address objects.
PAN-289524
In PAN-OS 12.1.2 and later 12.1 releases, PAN-OS can obtain resolved IP addresses from a Load Balanced DNS server and use them in a policy match. However, this functionality does not work as intended when the DNS cache reuse flag is enabled. When the DNS cache reuse flag is enabled, DNS resolution works as if the Load Balanced DNS flag (for an address object) is disabled.
PAN-283028
The following error occurs when an existing template overrides the SD-WAN configuration and you then commit and push from Panorama to the firewall:
BGP is invalid. AS number does not fit in 2 byte AS format
This issue occurs because different AS formats are present on Panorama and the firewall (the firewall configuration is generated by the SD-WAN plugin). That is, in a hub-and-spoke topology, both the hub and branch firewalls must have the same AS format. In a full mesh topology, all the firewalls must have the same AS format.