List of known issues specific to the CN-Series firewall
on PAN-OS® 10.0.
The following list includes the known issues that are
specific to the CN-Series firewall on the PAN-OS® 10.0 release.
Refer to the related PAN-OS and Kubernetes plugin release
notes for additional issues that may impact you.
Issue ID
PAN-OS 10.0 Known Issue Description
PAN-179703
In some conditions, the dataplane interfaces
are not released when the secured application pods are deleted.
Workaround: Restart the corresponding dataplane pod.
PAN-150627
CN-Series is not supported on Kubespray (Self-managed)
Clusters on AWS.
PAN-147698
You cannot change or modify the license
bundle after you deploy the CN-MGMT pods. This license bundle is
mapped to the PAN_BUNDLE_TYPE you specify in the PAN-CN-MGMT-Configmap.yaml
when deploying the CN-MGMT pods.
To modify the license bundle,
you need to delete all the resources associated with the CN-MGMT
and CN-NGFW pods such as the persistent volumes and the persistent
volume claim, and redeploy the CN-Series firewalls.
PAN-147061
All CN-Series components that enable the CN-MGMT
and CN-NGFW pods must be deployed within a single namespace. Deploying
the components in different namespaces in a single cluster is not
supported.
PAN-147022
A commit failure occurs on CN-MGMT pods
when the configured security policies on Panorama require a minimum
content version for the applications and threat updates.
This issue occurs because the CN-Series image is not packaged
with any content updates. When the CN-MGMT connects to Panorama,
any Security policy rules that are dependent on content will fail.
Workaround: Manually install the content version and perform
a manual Commit from Panorama for the selected CN-MGMT pods.
RLP—146384
Panorama > Managed Devices > Health > Resources does not
accurately display the resource utilization for the storage
mounted to the CN-MGMT pods deployed on on-premises Kubernetes
clusters.
PAN-145460
This issue is resolved
with Kubernetes plugin 1.0.1 as PLUG-5569.
On occasion, CN-MGMT pods fail to connect
to Panorama.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.
PAN-134788
On AKS, it takes 15 minutes for the CN-MGMT
pods to be in a ready state.
PAN-134198
Auto-commit may be unsuccessful when a CN-MGMT
pod fails and the other peer in the pair takes over all the CN-NGFW
pods. You must wait for all the CN-NGFW pods to connect, and the
CN-MGMT pod will resume functioning.
PAN-127999
Etcd communication between CN-MGMT pods
is not encrypted in EKS. This is related to an Amazon EKS issue.
PAN-124113
In-cluster load balancing with IP Virtual
Server (IPVS) mode is not supported.
PAN-122288
On Panorama, you cannot use the show interface all CLI
command; it is disabled for CN-MGMT pods.
Use Panorama to accurately view
the interfaces and interface status on the CN-MGMT pods.
PAN-121482
The CN-Series firewall is not supported
on multi-homed networks. The CN-Series firewall supports multi-homed
networks with PAN-OS 10.0.1 on OpenShift deployments that use the
Multus CNI.
PAN-119874
If the IPv6 stack is not enabled/supported on
the cluster nodes, the CN-MGMT and CN-NGFW pods cannot be deployed.
PAN-115153
When using SCP to export tech-support files
from the CN-MGMT firewall for troubleshooting, you may see the following
errors:
(change-directory) cannot change current directory
- Permission denied: "/root"
tar returned nonzero status 1. The tech support tarball may
be incomplete and / or corrupted.
These errors do
not impact the SCP export.
PAN-114979
Kubectl logs for CN-MGMT and CN-NGFW may display
time in different formats/zones when Panorama and the Kubernetes
cluster are in different time zones. Initial logs are based on the
compute node (or cluster) time zone.
After you perform a Panorama Commit, the logs reflect the
time zone from Panorama.
PAN-112245
Disconnected or terminated CN-MGMT pods are
displayed on Panorama > Managed Devices for 90 days.
Workaround: Manually delete these pods under the respective
Device Group.