PAN-OS 10.0.2 Known Issues
Review the known issues specific to the PAN-OS 10.0.2
release.
The following list includes only outstanding known issues
specific to PAN-OS® 10.0.2. This list includes issues
specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not
identified by an issue ID. For a complete list of existing and addressed
known issues in all PAN-OS 10.0 releases, see the Known Issues Related to PAN-OS 10.0 Releases.

Issue ID | Description |
---|---|
— | Not all screenshots are updated in the documentation
for 10.0. |
— | New features for PAN-OS 10.0.2 are not included
in on-device help. Refer to docs.paloaltonetworks.com for the
latest version. |
— | If you use Panorama to retrieve logs from
Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption,
and GlobalProtect) are not visible on the Panorama web interface. Workaround: Enable duplicate logging to send
the logs to CDL and Panorama. This workaround does not support Panorama
virtual appliances in Management Only mode. |
— | Upgrading a PA-220 firewall takes up to
an hour or more. |
— | PA-220 firewalls are experiencing slower
web interface and CLI performance times. |
— | Upgrading Panorama with a local Log Collector
and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant infrastructure
changes. Ensure uninterrupted power to all appliances throughout
the upgrade process. |
— | A critical System log is generated on the
VM-Series firewall if the minimum memory requirement for the model
is not available.
|
APPORTAL-3313 | Changes to an IoT Security subscription
license take up to 24 hours to have effect on the IoT Security app. |
APPORTAL-3309 | An IoT Security production license cannot
be installed on a firewall that still has a valid IoT Security eval
or trial license. Workaround: Wait until the 30-day
eval or trial license expires and then install the production license. |
APL-8269 | For data retrieved from Cortex Data Lake,
the Threat Name column in Panorama ACC threat-activity |
PLUG-380 | When you rename a device group, template,
or template stack in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any ESXi
hosts that you add to a vSphere cluster are not added to the correct
device group, template, or template stack and your Security policy
is not pushed to VM-Series firewalls that you deploy after you rename
those objects. There is no impact to existing VM-Series firewalls. |
WF500-5471 | After using the firewall CLI to add a WildFire
appliance with an IPv6 address, the initial connection may fail. Workaround: Retry
connecting after you restart the web server with the following command: debug software restart process web-server. |
PAN-157444 | As a result of a telemetry handling update,
the Source Zone field in the DNS analytics logs (viewable in the
DNS Analytics tab within AutoFocus) might not display correct results. |
PAN-157327 | On downgrade to PAN-OS 9.1, Enterprise Data
Loss Prevention (DLP) filtering settings ( Device Setup DLP Workaround: After
you successfully downgrade a managed firewall to PAN-OS 9.1, commit
and push from Panorama to remove the Enterprise DLP filtering settings and
complete the downgrade.
|
PAN-157103 | Multi-channel functionality may not be properly
utilized on a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed. Workaround: Execute the
command debug dataplane pow status to view
the number of channels being utilized by the dataplane.
If multi-channel functionality is not working, disable your NSX-V security
policy and reapply it. Then reboot the VM-Series firewall. When
the firewall is back up, verify that multi-channel functionality
is working by executing the command debug dataplane pow status.
It should now show multiple channels being utilized.
|
PAN-156645 | If the SD-WAN interface was Down and it
comes Up during a commit (for example, if you configure it from Down
to Auto), SD-WAN ignores the change and keeps the link Down in the
SD-WAN connection. In this case, SD-WAN won't choose to send traffic
to this link. If this is the only link to the internet, this behavior
may cause an outage, including failure of the IKE negotiation between the
Branch and Hub, and that tunnel will be down. Workaround:
Commit again or toggle the interface link Down and Up; the SD-WAN
statistics will be correct and the problem will resolve. |
PAN-156598 | (Panorama only) If you configure
a standard custom vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom signatures
do not populate in the other device groups when you configure a
combination custom vulnerability signature. Workaround: Use
the CLI to update the combination signature. |
PAN-154292 | On the Panorama management server, downgrading
from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama
commit ( Commit Commit
to Panorama Monitor Manage Custom Reports Session ID. Workaround: After
successful downgrade, reconfigure the Group By setting in the custom
report. |
PAN-154266 | When an application matches an SD-WAN policy
and some sessions for the same application do not match an SD-WAN
policy, the SD-WAN Monitoring—Traffic Characteristics screen displays
the Links Used information with an SD-WAN policy and a null policy.
Sessions that do not have an SD-WAN policy ID are filtered from
Links Used. Workaround: If you want to see session
logs that include a default selection, create a catch-all SD-WAN policy
rule and place it last in the list of SD-WAN policies. |
PAN-154034 | On the Panorama management server, the Type
column in the System logs ( Monitor Logs System iot as
the type. |
PAN-154032 | On the Panorama management server, downgrading
to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to be
compatible with PAN-OS 9.1. Workaround: After successful
downgrade to PAN-OS 9.1, Remove Config (Panorama Plugins |
PAN-153803 | On the Panorama management server, scheduled
email PDF reports ( Monitor PDF Reports |
PAN-153557 | On the Panorama management server CLI, the
overall report status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the PODamericas
Collector Group jobs are still in a Running state. |
PAN-153068 | The Bonjour Reflector option is supported
on up to 16 interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled only
for the first 16 interfaces and ignored for any additional interfaces. |
PAN-152825 | On the Panorama management server, you cannot
view the SD-WAN license installed on an SD-WAN firewall ( Panorama Device Deployment Licenses Workaround: Log in to the Panorama CLI and
enter the following command to view the SDWAN license information
for your managed firewalls.
|
PAN-152433 | When you have an active/passive HA pair
of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured,
if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes
to a non-functional state due to a NAT oversubscription mismatch between
the HA peers. The same non-functional state results if both HA peers
are running PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.0.0.
The upgraded or downgraded firewall goes to a non-functional state
because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription
rates. Workaround: After an upgrade or downgrade, modify the
NAT oversubscription rate on one firewall so that the rates on the
HA pair match. |
PAN-151238 | There is a known issue where M-100 appliances
are able to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after PAN-OS 9.1.
(Refer to the hardware end-of-life dates.) |
PAN-151198 | On the Panorama management server, read-only Panorama
administrators ( Panorama Administrators Panorama Managed Devices Summary |
PAN-151115 | If a Security rule uses an IP Address External
Dynamic List (EDL) for IPv6 traffic, the information for the EDL
does not display in the Source EDL or Destination EDL columns in
the logs. |
PAN-151085 | On a PA-7000 Series firewall chassis having
multiple slots, when HA clustering is enabled on an active/active HA
pair, the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer. This
behavior can be seen when the session is being set up on a non-cache
slot (for example, when a session distribution policy is set to round-robin
or session-load); it is caused by the additional cache lookup that
happens when HA cluster participation is enabled. |
PAN-150998 | If you deploy a VM-Series firewall on VMware
NSX that has been assigned a serial number that was used by a previously
deactivated firewall, the new firewall might be deployed in a deactivated
or partially deactivated state. Workaround: You must
delete the firewall in NSX Manager. In Panorama, delete the firewall
from the Template Stack, Device Group, and Managed Devices lists and
Commit your changes. Then redeploy the firewall. |
PAN-150801 | Automatic quarantine of a device based on
forwarding profile or log setting does not work on the PA-7000 Series firewalls. |
PAN-150515 | After you install the device certificate
on a new Panorama management server, Panorama is not able to connect
to the IoT Security edge service. Workaround: Restart
Panorama to connect to the IoT Security edge service. |
PAN-150345 | During updates to the Device Dictionary,
the IoT Security service does not push new Device-ID attributes
(such as new device profiles) to the firewall until a manual commit occurs. Workaround: Perform
a force commit to push the attributes in the content update to the
firewall. |
PAN-150361 | In an Active-Passive high availability (HA)
configuration, an error displays if you create a device object on
the passive device. Workaround: Load the running configuration
and perform a force commit to sync the devices. |
PAN-148971 | If you enter a search term for Events that
are related to IoT in the System logs and apply the filter, the
page displays an Invalid term error. Workaround: Specify iot as
the Type Attribute to filter the logs and
use the search term as the Description Attribute.
For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ). |
PAN-148924 | In an active-passive HA configuration, tags
for dynamic user groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive firewall
during failover. |
PAN-146995 | After downgrading a Panorama management
server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may
crash when Panorama reboots. Workaround: Panorama automatically
restarts the VLD and logd processes. |
PAN-146807 | Changing the device group configured in
a monitoring definition from a child DG to a parent DG, or vice
versa, might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring definition.
Only firewalls assigned to the parent DG receive IP tag mapping
updates. Workaround: Perform a manual config sync on
the device group that lost the IP tag mapping information. |
PAN-146573 | PA-7000 Series firewalls configured with
a large number of interfaces experience impacted performance and possible
timeouts when performing SNMP queries. |
PAN-146485 | On the Panorama management server, adding,
deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices out of sync. Additionally,
adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices out of sync.
For example, modifying the BGP configuration on the branch firewall
does not cause the hub template stack to display as out of sync,
nor does modifying the BGP configuration on the hub firewall cause
the branch template stack to display as out of sync. Workaround: After
performing a configuration change, Commit and Push the
configuration changes to all hub and branch firewalls in the VPN
cluster containing the firewall with the modified configuration. |
PAN-145460 | CN-MGMT pods fail to connect to the Panorama management
server when using the Kubernetes plugin. Workaround: Commit the
Panorama configuration after the CN-MGMT pod successfully registers
with Panorama. |
PAN-144889 | On the Panorama management server, adding,
deleting, or modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the SD-WAN
1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary Out of Sync. Workaround:
When modifying the original subnet IP, or adding a new subnet, push
the template configuration changes to your managed firewalls and Force
Template Values (Commit Push to Devices Edit Selections |
PAN-143132 | Fetching the device certificate from the
Palo Alto Networks Customer Support Portal (CSP) may fail and display
the following error in the CLI: ERROR Failed to process S1C msg: Error Workaround: Retry
fetching the device certificate from the Palo Alto Networks CSP. |
PAN-141630 | Current performance limitation: single data
plane use only. The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security, and
5G subscriber ID security use a single data plane only, which currently
limits the firewall performance. |
PAN-140959 | The Panorama management server allows you
to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2
and earlier releases where ZTP functionality is not supported. |
PAN-140008 | ElasticSearch is forced to restart when
the masterd process misses too many
heartbeat messages on the Panorama management server resulting in
a delay in a log query and ingestion. |
PAN-136763 | On the Panorama management server, managed
firewalls display as disconnected when
installing a PAN-OS software update (Panorama Device Deployment Software connected when you view
your managed firewalls Summary (Panorama Managed Devices Summary Workaround: Log out and log back
in to the Panorama web interface. |
PAN-135742 | There is an issue in HTTP2 session decryption
where the App-ID in the decryption log is the App-ID of the parent session
(which is web-browsing). |
PAN-134053 | ACC does not filter WildFire logs from Dynamic
User Groups. |
PAN-132598 | The Panorama management server does not
check for duplicate addresses in address groups ( Objects Address Groups Objects Service Groups |
PAN-130550 | (PA-3200 Series, PA-5220, PA-5250, PA-5260,
and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using dynamic IP
(DIP) address translation. Workaround: Use source NAT
with Dynamic IP and Port (DIPP) translation on inter-vsys traffic. |
PAN-127813 | In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches don’t
communicate with each other. Expected branch routes are for generic
prefixes, which can be configured in the hub and advertised to all branches.
Branches with unique prefixes are not published up to the hub. Workaround: Add
any specific prefixes for branches to the hub advertise-list configuration. |
PAN-127550 | Panorama supports only incremental additions
for CSV imports when the SD-WAN plugin is enabled. Delete devices
manually in the web interface or CLI. |
PAN-127206 | If you use the CLI to enable the cleartext
option for the Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become unresponsive
or time out. |
PAN-123805 | On the managed firewall web interface, the
Secure Communication Settings ( Device Setup Management |
PAN-123277 | Dynamic tags from other sources are accessible
using the CLI but do not display on the Panorama web interface. |
PAN-123040 | When you try to view network QoS statistics
on an SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for this issue.
Please contact Support for information about the workaround. |
PAN-121678 | (PA-7000b Series only) The following
error during secure boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.
[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)
Maintenance Mode filesystem size: 2.0G |
PAN-120440 | There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having Private
PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2. |
PAN-120423 | PAN-OS 10.0.0 does not support the XML API
for GlobalProtect logs. |
PAN-120303 | There is an issue where the firewall remains
connected to the PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you configured
the Eth1/1 interface. Workaround: Update the PAN-DB-URL
IP address on the firewall using one of the methods below.
|
PAN-116017 | (Google Cloud Platform (GCP) only)
The firewall does not accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall. Workaround: Add
the DNS value as part of the bootstrap.xml in the bootstrap folder and
complete the bootstrap process. |
PAN-115816 | (Microsoft Azure only) There is
an intermittent issue where an Ethernet (eth1) interface does not
come up when you first boot up the firewall. Workaround: Reboot
the firewall. |
PAN-114495 | Alibaba Cloud runs on a KVM hypervisor and
supports two Virtio modes: DPDK (default) and MMAP. If you deploy
a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and
you then switch to MMAP packet mode, the VM-Series firewall duplicates
packets that originate from or terminate on the firewall. As an
example, if a load balancer or a server behind the firewall pings
the VM-Series firewall after you switch from DPDK packet mode to
MMAP packet mode, the firewall duplicates the ping packets. Throughput
traffic is not duplicated if you deploy the VM-Series firewall using
MMAP packet mode. |
PAN-112694 | (Firewalls with multiple virtual systems
only) If you configure dynamic DNS (DDNS) on a new interface (associated
with vsys1 or another virtual system) and you then create a New Certificate
Profile from the drop-down, you must set the location for the Certificate Profile
to Shared. If you configure DDNS on an existing interface and then
create a new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system. Alternatively,
you can select a preexisting certificate profile instead of creating
a new one. |
PAN-112456 | You can temporarily submit a change request
for a URL Category with three suggested categories; however, only two
categories are supported. Do not add more than two suggested categories
to a change request until we address this issue. If you submit more
than two suggested categories, only the first two categories in
the change request are evaluated. |
PAN-112135 | You cannot unregister tags for a subnet
or range in a dynamic address group from the web interface. Workaround: Use
an XML API request to unregister the tags for the subnet or range. |
PAN-111928 | Invalid configuration errors are not displayed
as expected when you revert a Panorama management server configuration. Workaround: After
you revert the Panorama configuration, Commit (Commit Commit to Panorama |
PAN-111866 | The push scope selection on the Panorama
web interface displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes configuration
changes to separate device groups or templates that affect multiple
firewalls and a different administrator attempts to push those changes. Workaround: Perform
one of the following tasks.
|
PAN-111729 | If you disable DPDK mode and enable it again,
you must immediately reboot the firewall. |
PAN-111670 | Tagged VLAN traffic fails when sent through
an SR-IOV adapter. |
PAN-110794 | DGA-based threats shown in the firewall
threat log display the same name for all such instances. |
PAN-109759 | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match. |
PAN-109526 | The system log does not correctly display
the URL for CRL files; instead, the URLs are displayed with encoded characters. |
PAN-106675 | After upgrading the Panorama management
server to PAN-OS 8.1 or a later release, predefined reports do not display
a list of top attackers. Workaround: Create new threat
summary reports (Monitor PDF
Reports Manage PDF Summary |
PAN-104780 | If you configure a HIP object to match only
when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints;
these serial numbers do not appear in the HIP report. |
PAN-103276 | Adding a disk to a virtual appliance running
Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes
the Panorama virtual appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-103018 | (Panorama plugins) When you use
the AND/OR boolean operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function properly.
The member IP addresses are not included in the address group as
expected. |
PAN-101688 | (Panorama plugins) The IP address-to-tag
mapping information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from a Device
Group. Workaround: Log in to the CLI on the firewall
and enter the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all. |
PAN-101537 | After you configure and push address and
address group objects in Shared and vsys-specific device groups
from the Panorama management server to managed firewalls, executing
the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command
on a managed firewall only returns address and address group objects
pushed from the Shared device group. Workaround: Specify
the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name> |
PAN-98520 | When booting or rebooting a PA-7000 Series
Firewall with the SMC-B installed, the BIOS console output displays attempts
to connect to the card's controller in the System Memory Speed section.
The messages can be ignored. |
PAN-97757 | GlobalProtect authentication fails with
an Invalid username/password error
(because the user is not found in Allow List)
after you enable GlobalProtect authentication cookies and add a
RADIUS group to the Allow List of the authentication
profile used to authenticate to GlobalProtect. Workaround: Disable
GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve
user group from RADIUS in the authentication profile
and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97524 | (Panorama management server only)
The Security Zone and Virtual System columns (Network tab)
display None after a Device Group and
Template administrator with read-only privileges performs a context
switch. |
PAN-96985 | The request shutdown system command
does not shut down the Panorama management server. |
PAN-96960 | You cannot restart or shut down a Panorama
on KVM from the Virtual-manager console or virsh CLI. |
PAN-96446 | A firewall that is not included in a Collector
Group fails to generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in Management Only
mode. |
PAN-95773 | On VM-Series firewalls that have Data Plane
Development Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command
displays an inaccurate throughput and packet rate. Workaround: Disable
DPDK by running the set system setting dpdk-pkt-io off CLI
command. |
PAN-95511 | The name for an address object, address
group, or an external dynamic list must be unique. Duplicate names for
these objects can result in unexpected behavior when you reference
the object in a policy rule. |
PAN-95028 | For administrator accounts that you created
in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password
profile settings ( Device Password
Profiles |
PAN-94846 | When DPDK is enabled on the VM-Series firewall
with i40e virtual function (VF) driver, the VF does not detect the
link status of the physical link. The VF link status remains up,
regardless of changes to the physical link state. |
PAN-94093 | HTTP Header Insertion does not work when
jumbo frames are received out of order. |
PAN-93968 | The firewall and Panorama web interfaces
display vulnerability threat IDs that are not available in PAN-OS 9.0
releases ( Objects Security
Profiles Vulnerability Protection <profile> Exceptions |
PAN-93607 | When you configure a VM-500
firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection Objects Security
Profile Groups Workaround: Create a new
Security Profile Group and select the SCTP Protection profile from
there. |
PAN-93532 | When you configure a firewall
running PAN-OS 9.0 as an nCipher HSM client, the web interface on
the firewall displays the nCipher server status as Not Authenticated, even
though the HSM state is up ( Device Setup HSM |
PAN-93193 | The memory-optimized VM-50
Lite intermittently performs slowly and stops processing traffic
when memory utilization is critically high. To prevent this issue, make
sure that you do not:
Workaround: When
the firewall performs slowly, or you see a critical System log for
memory utilization, wait for 5 minutes and then manually reboot
the firewall. Use the Task Manager to verify that you are
not performing memory intensive tasks such as installing dynamic
updates, committing changes or generating reports, at the same time,
on the firewall. |
PAN-91802 | On a VM-Series firewall, the clear
session all CLI command does not clear GTP sessions. |
PAN-84488 | On PA-7000 Series and PA-5200 Series firewalls,
client systems can use a translated IP address-and-port pair for only
one connection even if you configure the Dynamic IP and Port (DIPP) NAT
Oversubscription Rate to allow multiple connections
(Device Setup Session Session Settings NAT Oversubscription |
PAN-83610 | In rare cases, a PA-5200 Series firewall
(with an FE100 network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In
PAN-OS 8.0.6 and later releases, you can persistently disable session
offload for only UDP traffic using the set session udp-off-load no CLI command. |
PAN-83236 | The VM-Series firewall on Google
Compute Platform does not publish firewall metrics to Google Stack
Monitoring when you manually configure a DNS server IP address ( Device Setup Services Workaround: The
VM-Series firewall on Google Cloud Platform must use the DNS server
that Google provides. |
PAN-83215 | SSL decryption based on ECDSA
certificates does not work when you import the ECDSA private keys
onto an nCipher nShield hardware security module (HSM). |
PAN-81521 | Endpoints failed to authenticate to GlobalProtect
through Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile ( Device Server Profiles Kerberos Workaround: Replace
the FQDN with the IP address in the Kerberos server profile. |
PAN-77125 | PA-7000 Series, PA-5200 Series,
and PA-3200 Series firewalls configured in tap mode don’t close
offloaded sessions after processing the associated traffic; the sessions
remain open until they time out. Workaround: Configure
the firewalls in virtual wire mode instead of tap mode, or disable
session offloading by running the set session offload no CLI
command. |
PAN-75457 | In WildFire appliance clusters that have
three or more nodes, the Panorama management server does not support
changing node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller node by
adding the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA configuration,
and then commit and push the configuration. Attempts to change cluster
node roles from Panorama result in a validation error: the commit
fails and the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet
capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | When you import a two-node WildFire appliance
cluster into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following conditions
exist:
Workaround: There
are three possible workarounds to sync the controller nodes:
|
PAN-70906 | If the PAN-OS web interface and the GlobalProtect
portal are enabled on the same IP address, then when a user logs
out of the GlobalProtect portal, the administrative user is also
logged out from the PAN-OS web interface. Workaround: Use
the IP address to access the PAN-OS web interface and an FQDN to
access the GlobalProtect portal. |
PAN-69505 | When viewing an external dynamic list that
requires client authentication and you Test Source URL,
the firewall fails to indicate whether it can reach the external
dynamic list server and returns a URL access error (Objects External Dynamic Lists |
PAN-41558 | When you use a firewall loopback interface
as a GlobalProtect gateway interface, traffic is not routed correctly
for third-party IPSec clients, such as strongSwan. Workaround: Use
a physical firewall interface instead of a loopback firewall interface
as the GlobalProtect gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is used as
the GlobalProtect gateway to be in the same zone as the physical
ingress interface for third-party IPSec traffic. |
PAN-40079 | The VM-Series firewall on KVM, for all supported
Linux distributions, does not support the Broadcom network adapters
for PCI pass-through functionality. |
PAN-39636 | Regardless of the Time Frame you
specify for a scheduled custom report on a Panorama M-Series appliance,
the earliest possible start date for the report data is effectively
the date when you configured the report (Monitor Manage Custom Reports Time
Frame to Last 30 Days, the report
that Panorama generates on the 16th will include only data from
the 15th onward. This issue applies only to scheduled reports; on-demand
reports include all data within the specified Time Frame. Workaround: To
generate an on-demand report, click Run Now when
you configure the custom report. |
PAN-38255 | When you perform a factory reset on a Panorama
virtual appliance and configure the serial number, logging does not
work until you reboot Panorama or execute the debug software restart process management-server CLI command. |
PAN-31832 | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|