Known Issues for the CN-Series on Version 10.0

The following list includes the known issues that are specific to the CN-Series firewall on the PAN-OS® 10.0 release. Refer to the related PAN-OS and the Kubernetes plugin release notes for additional issues that may impact you.
Issue ID
PAN-OS 10.0 Known Issue Description
In some conditions, the dataplane interfaces are not released when the secured application pods are deleted.
Restart the corresponding dataplane pod.
CN-Series is not supported on Kubespray (Self-managed) Clusters on AWS.
You cannot change or modify the license bundle after you deploy the CN-MGMT pods. This license bundle is mapped to the PAN_BUNDLE_TYPE you specify in the PAN-CN-MGMT-Configmap.yaml when deploying the CN-MGMT pods.
To modify the license bundle, you need to delete all the resources associated with the CN-MGMT and CN-NGFW pods such as the persistent volumes and the persistent volume claim, and redeploy the CN-Series firewalls.
All CN-Series components that enable the CN-MGMT and CN-NGFW pods must be deployed within a single namespace. Deploying the components in different namespaces in a single cluster is not supported.
A commit failure occurs on CN-MGMT pods when the configured security policies on Panorama require a minimum content version for the applications and threat updates.
This issue occurs because the CN-Series image is not packaged with any content updates. When the CN-MGMT pod connects to Panorama, any Security policy rules that depend on content will fail.
Manually install the content version and perform a manual
from Panorama for the selected CN-MGMT pods.
Managed Devices does not accurately display the resource utilization for the storage mounted to the CN-MGMT pods deployed on on-premises Kubernetes clusters.
This issue is resolved with Kubernetes plugin 1.0.1 as PLUG-5569.
On occasion, CN-MGMT pods fail to connect to Panorama.
the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
On AKS, it takes 15 minutes for the CN-MGMT pods to be in a ready state.
Auto-commit may be unsuccessful when a CN-MGMT pod fails and the other peer in the pair takes over all the CN-NGFW pods. You must wait for all the CN-NGFW pods to connect, and the CN-MGMT pod will resume functioning.
Etcd communication between CN-MGMT pods is not encrypted in EKS. This is related to an Amazon EKS issue.
In-cluster load balancing with IP Virtual Server (IPVS) mode is not supported.
On Panorama, you cannot use the show interface all CLI command; it is disabled for CN-MGMT pods.
Use Panorama to accurately view the interfaces and interface status on the CN-MGMT pods.
The CN-Series firewall is not supported on multi-homed networks. The CN-Series firewall supports multi-homed networks with PAN-OS 10.0.1 on OpenShift deployments that use the Multus CNI.
If the IPv6 stack is not enabled or supported on the cluster nodes, the CN-MGMT and CN-NGFW pods cannot be deployed.
When using SCP to export tech-support files from the CN-MGMT firewall for troubleshooting, you may see the following errors:
  • (change-directory) cannot change current directory - Permission denied: "/root"
  • tar returned nonzero status 1. The tech support tarball may be incomplete and / or corrupted.
These errors do not impact the SCP export.
Kubectl logs for CN-MGMT and CN-NGFW may display time in different formats or zones when Panorama and the Kubernetes cluster are in different time zones. Initial logs are based on the compute node (or cluster) time zone.
After you perform a Panorama
, it will reflect the time zone from Panorama.
Disconnected or terminated CN-MGMT pods are displayed on Managed Devices for 90 days.
Manually delete these pods under the respective Device Group.
