The firewall now proxies all decrypted inbound traffic to servers, so SSL Inbound Inspection cannot decrypt some inbound sessions, such as sessions with client authentication or pinned certificates. In addition, the firewall does not support High Availability sync for decrypted SSL sessions.

Beginning with PAN-OS 10.1, satellites can no longer perform initial authentication to the portal using only the satellite serial number. Instead, the satellite administrator must manually authenticate to the portal using the username and password associated with a local database authentication profile to establish the initial connection with the portal. Upon successful authentication, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions. The cookie lifetime is 180 days, after which the satellite administrator must manually authenticate again in order for the portal to issue a new cookie. This behavior is only supported on PAN-OS 10.1 or later releases. If you have a portal running 10.1 or later, with satellites running an earlier version of PAN-OS, the satellites will no longer be able to authenticate to the portal. Additionally, any satellites running on PAN-OS 10.1 or later that previously authenticated using serial numbers will require manual authentication.

The keyword to configure Per-App VPN on Android devices from an MDM changed from

block list

and

allow list

to

blocklist

and

allowlist

upon upgrade to PAN-OS 10.1. You will need to change your MDM configuration for this setting upon upgrade.

A device registration authentication key is now required to securely onboard new firewalls, Log Collectors, and WildFire appliances running PAN-OS 10.1.0 and later releases. The device registration authentication key is used for mutual authentication between the Panorama management server and the firewall, Log Collector, or WildFire appliance on first connection. See the PAN-OS 10.1 New Features Guide for more information.

On upgrade to PAN-OS 10.1, all uncommitted configuration changes on firewalls and Panorama are preserved if the management process, firewall, or Panorama restart before you can commit the changes. This is supported for PA-Series and VM-Series firewalls and Panorama M-Series and virtual appliances.

One or more device group pushes from Panorama to multiple VSYS on a multi-VSYS firewall are now bundled as a single commit job on the managed firewall to reduce the overall commit job completion time.

When a VM-700 is deployed on Hyper-V there is a drop in performance if the host physical function (PF) max transmission unit (MTU) is set 1504 while the device MTU is set to 1500 and the device maximum segment size (MSS) is set to 1460.To work around this issue, set the host PF MTU to 1500 and on the device, set the MTU to 1496 and the MSS to 1456.

The maximum number of sessions supported on the PA-3260 firewall are reduced from 3M to 2.2M to preserve Dataplane memory.

Beginning with PAN-OS 10.1, the PA-7000 Series Firewall only uses the logging port and the corresponding log card (LPC or LFC) to forward system and configuration logs.

System and configuration logs are not forwarded if the corresponding (LPC or LFC) is not configured.

By default, SNMP Traps are now forwarded on the logging port of the LFC introduced for the PA-7000 Series and PA-5400 Series firewalls in PAN-OS 10.1.

For PA-7000 Series firewalls, SNMP Traps are not forwarded if the LFC is not configured.

After you upgrade Panorama to PAN-OS 10.1,

Preview Changes

(

Commit

Preview Changes

) shows that HIP Profiles called

source-hip-any

and

destination-hip-any

were added to each Security policy rule for any managed firewall running PAN-OS 9.1 or earlier release instead of

hip-profiles-any

. This is due to a change to the XML file Panorama uses to compare the running and candidate configurations in PAN-OS 10.0 and later releases. You can ignore this error as the push will succeed.

If you configure the

Failed Attempts

Authentication Setting (

Device

Setup

Management

) for managed firewalls as part of a template or template stack configuration on Panorama, the minimum value for the setting is

1

.

To allow you to customize the window size when you

Enable Replay Protection

during IPSec tunnel configuration, an

Anti-Replay Window

has been added. You can select an anti-replay window size of 64, 128, 256, 512, 1024, 2048, or 4096.

In addition, the default size of the anti-replay window has been increased to 1024.