: Limitations
Table of Contents
End-of-Life (EoL)


What are the limitations related to PAN-OS 10.0 releases?
The following are limitations associated with PAN-OS 10.0.
Issue ID
This limitation is now resolved. See PAN-146030 in PAN-OS 10.0.2 Addressed Issues.
If you use a proxy to transmit logs between the firewall and Cortex Data Lake (CDL), you can only transmit session logs after you upgrade to PAN-OS 10.0.0; transmitting Enhanced Application Logs (EAL logs) with a proxy is not currently supported. If you want to upgrade to PAN-OS 10.0.0 and are unable or do not want to reconfigure your network without the proxy, you must disable EAL log forwarding globally and in the log forwarding profile because the new service route for EAL logs does not currently support proxies. If you choose this option, features for Cortex XDR and IoT Security are not fully functional because they require EAL logs in addition to session logs. Using proxies to transmit EAL logs between the firewall and CDL will be supported in a future PAN-OS version.
Firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots in to maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes in to maintenance mode, please check the error and warnings in the fips.log file.
A reboot always occurs during an upgrade so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.
PAN-OS 10.0.2 and later 10.0 releases
) GTP and SCTP predefined reports on Cortex Data Lake logs are not supported.
Due to a change in default root partition threshold, PAN-OS may print a critical log on a PA-7050 stating that disk usage has exceeded the limit.
Replace the first-generation PA-7050 SMC (Switch Management Card) with the second-generation SMC-B.
Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (
Manage Custom Reports
) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day.
When a Certificate Profile (
Device > Certificate Management > Certificate Profile
) is configured to
Block session if certificate status cannot be retrieved within timeout
, the firewall allows client certificate validation to go through even if the CRL Distribution Point or OCSP Responder is unreachable.
You must also enable
Block session if certificate status is unknown
to ensure
Block session if certificate status cannot be retrieved within timeout
is effective.
In an SD-WAN configuration, when a GlobalProtect Gateway is terminated on a loopback interface, if the tunnel protocol is udp-encapsulated ESP (IPSec), the return traffic from the Gateway toward the client is load-balanced across all of the SD-WAN member interfaces and cannot be subjected to an SD-WAN policy.
On a Panorama management server deployed on VMware ESXi that is managing Dedicated Log Collectors, filtering traffic logs (
) using the
filter does not return results for the specified
Generate Time
if the Dedicated Log Collectors are in different time zones.
Configure the same time zone for the Dedicated Log Collectors you are querying.
  1. Log in to the Log Collector CLI.
  2. Set the time zone for the Dedicated Log Collector.
    set deviceconfig timezone <time_zone>
You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later release. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
PAN-OS 10.0.5 and later 10.0 releases
) BGP supports a maximum of 255 AS numbers in an AS_PATH list for a prefix.
This limitation is now resolved. See
PAN-OS 10.0.7 Addressed Issues
Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format may erroneously return errors for VM-Series firewalls despite being able to successfully pull the CRL to verify that the syslog server certificate is still valid.
PAN-OS 10.0.3 and later 10.0 releases
) When you configure SD-WAN DIA AnyPath with a Traffic Distribution profile that lists link tags for hub virtual interfaces, the commit fails if the Traffic Distribution profile is shared.
: Remove shared Traffic Distribution profiles and create them as Traffic Distribution profiles for an individual Panorama Device Group.
On the Panorama management server, forwarded logs (
) do not display if the latency between the Log Collectors exceeds 10ms when the Log Collectors in a Collector Group (
Collector Groups
) are located on different Local Area Networks (LANs).
When deploying your Log Collectors in a Collector Group, ensure they are both deployed on the same LAN or that the latency between Log Collectors in the Collector Group does not exceed 10ms.
PAN-OS 10.0.2 and later 10.0 releases
) If the number of SD-WAN policies is close to capacity, sometimes renaming a policy results in the following error:
SD-WAN policy capacity exceeded by editing rule ‘xxxxxx’. Delete the rule and add again to fix.
If deleting the rule and adding it again doesn’t work, take the following steps:
  1. Delete the renamed policy.
  2. Issue the CLI command:
    debug device-server reset id-manager type sdwan-rule
  3. Add the policy again.
PAN-OS 10.0.2 and later 10.0 releases
) If you configure a PA-220 firewall as an SD-WAN branch or hub with an Error Correction Profile for FEC or packet duplication, the branch or hub achieves little or no performance gain due to the CPU limitations on a PA-220 firewall.
Selected Zone
is supported for SaaS Application Usage reports (
PDF Reports
SaaS Application Usage
) generated from logs in the Cortex Data Lake (CDL).
On the Panorama management server, scheduled email PDF reports (
PDF Reports
) fail if a GIF image is used in the header of footer.
When using the Chrome browser on an Apple MAC laptop, firewalls managed by a Panorama management server running PAN-OS 10.0.1 may not display when you
Edit Selections
Commit and Push
Push to Devices
) when you push a configuration change to managed firewalls.
Log in to the Panorama web interface using the Safari browser or manually adjust the size of the Push Scope Selection window until the managed firewalls are displayed.
This limitation is now resolved. See PAN-OS 10.0.1 Addressed Issues.
Non-superuser administrators with all right enabled cannot
Review Policies
Review Apps
for downloaded or installed content versions.
PA-7000 Series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
If your multiple plugin deployment includes a device group that contains VM-Series firewalls deployed on VMware NSX and VM-Series firewalls deployed on another environment, such as AWS, Azure, or vCenter, pushing policy created for the VM-Series firewall on VMware NSX to non-NSX firewalls is not supported and returns the following error:
  • In VSYS vsys1 from zone <zone-name> of type unknown and to zone <zone-name> of type unknown are incompatible in security rule nsx-policy
  • Configuration is invalid
Before you push policy to the non-NSX firewalls in your device group, you must disable the NSX policy rules before pushing to your firewalls.
The Data Processing Card (DPC-A) is incompatible with a PA-7000 Series firewall using the default session distribution policy (ingress-slot).
Firewalls with hyperscan signatures configured do not support downgrade to PAN-OS 9.1 or earlier releases.
In an SD-WAN Hub-Spoke configuration, suppose Branch A and Branch B each have an MPLS link to the hub and all devices have
VPN Data Tunnel Support
disabled. For traffic from Branch A to Branch B, if Branch A selects a tunnel to go through the hub and the hub selects the MPLS link to reach Branch B, the traffic will fail because return traffic may go to Branch A directly through MPLS, without going through the hub. (The next packet from Branch A to Branch B is dropped at the hub because the TCP three-way handshake fails.)
The front panel “link” and “activity” LEDs for ports 5, 6, 11, and 12 will not work on the PAN-PA-7000-20GQ-NPC when a 1G module is installed.
On the PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, which support more than eight aggregate Ethernet (AE) interface groups, QoS is supported on only the first eight AE interface groups.
On the Panorama management server, scheduled content updates (
Device Deployment
Dynamic Updates
) for managed VM-Series firewalls configured to
Download Only
cause commit failures for the VM-Series firewalls.
Configure scheduled content updates for VM-Series firewalls to
Download and Install
On the Panorama management server, Device Group and Template administrators can only view the system logs (
) for
device groups.
In an SD-WAN configuration, traffic does not flow unencrypted over an MPLS link; it will always be encrypted. When traffic is routed to a virtual SD-WAN interface of VPN tunnel links, if the MPLS link is selected, the firewall sends the traffic over the tunnel.
If you assign a parent device group with one or more child device groups in an access domain (
Access Domains
), the administrator can only view the configuration and system logs for the parent device group and not the child device group(s).
Enable access to both the parent and required child device group(s).
Configuring the timeout, retries, and ipsec-encryption parameters for communication between the management plane and the dataplane is not supported.
After adding a new virtual system from the CLI, you must log out and log back in to see the new virtual system within the CLI.
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Create new threat summary reports (
PDF Reports
Manage PDF Summary
) containing the top attackers to mimic the predefined reports.
After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner:
  • SIP call modifications (some examples include resuming a call that was on hold, transferring a call, and picking up a parked call).
  • Call tear-down.
Affects only PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards
) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP)
NAT Oversubscription Rate
to allow multiple connections (
Session Settings
NAT Oversubscription
Upgrade to a second-generation SMC-B card.
commit all
job is executed from Panorama to the firewall only if the newly added firewall is running PAN-OS 8.1 or a later release with
Auto Push on 1st Connect
When performing destination NAT to a translated address that is
Dynamic IP (with session distribution)
, the firewall does not remove duplicate IP addresses from the list of destination IP addresses before the firewall distributes sessions. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses.
PAN-OS 10.0.8 and later 10.0 releases
) When configuring Prisma Access Hub Support for SD-WAN, it is not recommended to bring up the SD-WAN instance using the same IPSec termination node as an existing Prisma Access instance. If possible, use an alternative IPSec termination node.

Recommended For You