Changes to Default Behavior in PAN-OS 10.1

What default behavior changes impact PAN-OS 10.1?
The following table details the changes in default behavior upon upgrade to PAN-OS® 10.1. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Satellite Authentication
Beginning with PAN-OS 10.1, satellites can no longer perform initial authentication to the portal using only the satellite serial number. Instead, the satellite administrator must manually authenticate to the portal using the username and password associated with a local database authentication profile to establish the initial connection with the portal. Upon successful authentication, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions. The cookie lifetime is 180 days, after which the satellite administrator must manually authenticate again in order for the portal to issue a new cookie. This behavior is only supported on PAN-OS 10.1 or later releases. If you have a portal running 10.1 or later, with satellites running an earlier version of PAN-OS, the satellites will no longer be able to authenticate to the portal. Additionally, any satellites running on PAN-OS 10.1 or later that previously authenticated using serial numbers will require manual authentication.
Authentication Key for Secure Onboarding
A device registration authentication key is now required to securely onboard new firewalls, Log Collectors, and WildFire appliances running PAN-OS 10.1.0 and later releases. The device registration authentication key is used for mutual authentication between the Panorama management server and the firewall, Log Collector, or WildFire appliance on first connection. See the PAN-OS 10.1 New Features Guide for more information.
Persistent Uncommitted Changes on PAN-OS
On upgrade to PAN-OS 10.1, all uncommitted configuration changes on firewalls and Panorama are preserved if the management process, firewall, or Panorama restart before you can commit the changes. This is supported for PA-Series and VM-Series firewalls and Panorama M-Series and virtual appliances.
Device Group Push from Panorama to a Multi-VSYS Firewall.
One or more device group pushes from Panorama to multiple VSYS on a multi-VSYS firewall are now bundled as a single commit job on the managed firewall to reduce the overall commit job completion time.
Software Next Generation Firewall Credits
In PAN-OS 10.1 you can use Software Next Generation Firewall credits to license VM-Series firewalls deployed with up to 32 vCPUs. Previously Software Next Generation Firewall Credits could license no more than 16 vCPUs.
VM-700 Deployment on Hyper-V
When a VM-700 is deployed on Hyper-V there is a drop in performance if the host physical function (PF) max transmission unit (MTU) is set 1504 while the device MTU is set to 1500 and the device maximum segment size (MSS) is set to 1460.To work around this issue, set the host PF MTU to 1500 and on the device, set the MTU to 1496 and the MSS to 1456.
Reduced Session Capacity on the PA-3260
The maximum number of sessions supported on the PA-3260 firewall are reduced from 3M to 2.2M to preserve Dataplane memory.
Log Forwarding on the PA-7000 Series Firewall
Beginning with PAN-OS 10.1, the PA-7000 Series Firewall only uses the logging port and the corresponding log card (LPC or LFC) to forward system and configuration logs.
System and configuration logs are not forwarded if the corresponding (LPC or LFC) is not configured.
SNMP Traps
By default, SNMP Traps are now forwarded on the logging port of the LFC introduced for the PA-7000 Series and PA-5400 Series firewalls in PAN-OS 10.1.
For PA-7000 Series firewalls, SNMP Traps are not forwarded if the LFC is not configured.
Preview Changes
After you upgrade Panorama to PAN-OS 10.1,
Preview Changes
Preview Changes
) shows that HIP Profiles called
were added to each Security policy rule for any managed firewall running PAN-OS 9.1 or earlier release instead of
. This is due to a change to the XML file Panorama uses to compare the running and candidate configurations in PAN-OS 10.0 and later releases. You can ignore this error as the push will succeed.
Authentication Settings for Panorama Managed Firewalls
If you configure the
Failed Attempts
Authentication Setting (
) for managed firewalls as part of a template or template stack configuration on Panorama, the minimum value for the setting is

Recommended For You