PAN-OS 10.1.1 Known Issues
What is the list of known issues for PAN-OS 10.1.1?
The following list includes only outstanding known issues
specific to PAN-OS
®
10.1.1. This list includes issues
specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not
identified by an issue ID.Issue ID | Description |
---|---|
— | If you use Panorama to retrieve logs from
Cortex Data Lake (CDL), new log fields (including for Device-ID,
Decryption, and GlobalProtect) are not visible on the Panorama web
interface. Workaround: Enable duplicate logging to send
the logs to CDL and Panorama. This workaround does not support Panorama virtual
appliances in Management Only mode. |
— | Upgrading a PA-220 firewall takes up to
an hour or more. |
— | PA-220 firewalls are experiencing slower
web interface and CLI performance times. |
— | Upgrading Panorama with a local Log Collector
and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant infrastructure
changes. Ensure uninterrupted power to all appliances throughout
the upgrade process. |
— | A critical System log is generated on the
VM-Series firewall if the minimum memory requirement for the model
is not available.
|
APPORTAL-3313 | Changes to an IoT Security subscription
license take up to 24 hours to have effect on the IoT Security app. |
APPORTAL-3309 | An IoT Security production license cannot
be installed on a firewall that still has a valid IoT Security eval
or trial license. Workaround: Wait until the 30-day
eval or trial license expires and then install the production license. |
APL-15000 | When you move a firewall from one Cortex
Data Lake instance to another, it can take up to an hour for the
firewall to begin sending logs to the new instance. |
APL-8269 | For data retrieved from Cortex Data Lake,
the Threat Name column in Panorama ACC threat-activity |
PLUG-380 | When you rename a device group, template,
or template stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager. Therefore,
any ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your Security
policy is not pushed to VM-Series firewalls that you deploy after
you rename those objects. There is no impact to existing VM-Series
firewalls. |
WF500-5559 | An intermittent error while analyzing signed
PE samples on the WildFire appliance might cause analysis failures. |
WF500-5471 | After using the firewall CLI to add a WildFire
appliance with an IPv6 address, the initial connection may fail. Workaround: Retry
connecting after you restart the web server with the following command: debug software restart process web-server . |
PAN-196758 | On the Panorama management server, pushing
a configuration change to firewalls leveraging SD-WAN erroneously
show the auto-provisioned BGP configurations for SD-WAN as being edited
or deleted despite no edits or deletions being made when you Preview
Changes (Commit Push to Devices Edit Selections Commit Commit and Push Edit Selections |
PAN-194519 | ( PA-5450 firewall only ) Trying
to configure a custom payload format under Device Server Profiles HTTP |
PAN-194515 | ( PA-5450 firewall only ) The Panorama
web interface does not display any predefined template stack variables
in the dropdown menu under Device Setup Log Interface IP Address Workaround: Configure
the log interface IP address on the individual firewall web interface
instead of on Panorama. |
PAN-192403 | ( PA-5450 firewall only ) There is
no commit warning in the web interface when configuring the management
interface and logging interface in the same subnetwork. Having both interfaces
in the same subnetwork can cause routing and connectivity issues. |
PAN-190727 | ( PA-5450 firewall only ) Documentation
for configuring the log interface is unavailable on the web interface
and in the PAN-OS Administrator’s Guide. |
PAN-186262 | The Panorama management server in Panorama
or Log Collector mode may become unresponsive as Elasticsearch accumulates
internal connections related to logging processes. The chances Panorama
becomes unresponsive increases the longer Panorama remains powered
on. Workaround: Reboot Panorama if it becomes unresponsive. |
PAN-181116 | After upgrading to PAN-OS 10.1, some GlobalProtect
tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation
of the ICMP keepalive response from the firewall. |
PAN-180661 | On the Panorama management server, pushing
an unsupported Minimum Password Complexity ( Device Setup Management commit time out as
the reason the commit failed. |
PAN-178194 | A UI issue in PAN-OS renders the contents
of the Inline ML tab in the URL
Filtering Profile inaccessible on firewalls licensed for
Advanced URL Filtering. Additionally, a message indicating that
a License required for URL filtering to function is unavailable
displays at the bottom of the UI. These errors do not affect the
operation of Advanced URL Filtering or URL Filtering Inline ML.Workaround: Configuration
settings for URL Filtering Inline ML must be applied through the
CLI. The following configuration commands are available:
|
PAN-178190 | Traffic, threat, and URL logs are not viewable
from the firewall web interface ( Monitor Logs |
PAN-175685 | ( PA-7000 Series and PA-5450 firewall
only ) When the MPC (Management Processor Card) or SMC (Switch
Management Card) is removed from one chassis and placed in another, PAN-OS
will incorrectly cache and display the chassis serial number of
the former chassis. |
PAN-175149 | ( PA-800 and PA-7000 Series firewalls
and the PA-220 firewall only ) Fixed an issue where ACC and
scheduled reports (Monitor Manage Manage Custom Reports |
PAN-174982 | In HA active/active configurations where,
when interfaces that were associated with a virtual router were
deleted, the configuration change did not sync. |
PAN-174254 | Gateway Load Balancer (GWLB) inspection
is disabled on the VM-Series firewall for AWS after a reboot. Workaround: Enable
GWLB inspection. |
PAN-173509 | Superuser administrators with read-only
privileges ( Device Administrators Panorama Administrators
|
PAN-172515 | If you downgrade from PAN-OS 10.1 to an
earlier version and you have configured the Cloud Authentication
Service in an Authentication profile, the firewall does not remove
the Cloud Authentication Service from the Authentication profile,
displays the authentication method as None, and any subsequent commits
are not successful. Workaround: Delete the Authentication
profile that is configured for the Cloud Authentication Service
then commit your changes. |
PAN-172492 | You can create and commit a log forwarding
profile ( Objects Log
Forwarding Filter . |
PAN-172454 | If the firewall communicates with the Cloud
Identity Engine before you install the device certificate on the
firewall or Panorama, all subsequent queries to the Cloud Identity
Engine fail. Workaround : Use the debug software
restart process dscd to restart the connection to the
Cloud Identity Engine. |
PAN-172276 | Changing the port speed on a PA-400 Series
firewall from auto-negotiate to 1G may cause the dataplane port
to flap intermittently and result in a loss of traffic. |
PAN-172274 | When you activate the advanced URL filtering
license, your license entitlements for PAN-DB and advanced URL filtering might
not display correctly on the firewall — this is a display anomaly,
not a licensing issue, and does not affect access to the services. Workaround: Issue
the following command to retrieve and update the licenses: license request fetch . |
PAN-172113 | If you request a User Activity Report on
Panorama and the vsys key value in the XML is an unsupported value,
the resulting job becomes unresponsive at 10% and does not complete
until you manually stop the job in the web interface. Workaround: Change
the vsys key to a valid device group, commit your changes, and run
the User Activity Report again. |
PAN-172091 | If you have configured a virtual system
as a User-ID hub and a firewall that receives IP address-to-username
mapping from the hub has a security policy that includes a QoS policy
rule, the firewall does not match the user to the QoS policy rule
if the traffic attempts to access a virtual system that is not the
hub. |
PAN-172208 | The PA-5450 firewall may reload in rare
conditions while handling high stress SSL traffic when CPU utilization
reaches 100% or packet broker capacity exceeds 40%. |
PAN-172171 | In an HA Active/Passive configuration using
Auto mode, a Passive PA-5450 firewall under traffic stress can get
stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service
failure.Workaround: Use Active/Passive Shutdown mode
instead of Auto mode. |
PAN-172132 | QoS fails to run on a tunnel interface (for
example, tunnel.1). |
PAN-172095 | PA-7050 firewalls may experience some log
loss if the VLD process crashes. |
PAN-172067 | When you configure an HTTP server profile
( Device Server Profiles HTTP Panorama Server Profiles HTTP Username and Password fields
are always required regardless of whether Tag Registration is
enabled.Workaround: When you configure an HTTP server
profile, always enter a username and password to successfully create the
HTTP server profile.You must enter a username and password
even if the HTTP server does not require it. The HTTP server ignores
the username and password if they are not required for the firewall to
connect. |
PAN-172061 | A process ( all_pktproc )
can cause intermittent crashes on the Passive PA-5450 firewall in
an Active/Passive HA pair. This issue may be seen during an upgrade
or reload of the firewall with traffic and when clearing sessions. |
PAN-171982 | For PA-7000 Series Legacy firewalls, you
are unable to view logs ( Monitor ) on the
web interface or in the CLI (show log <logtype> )Workaround: Log in to the firewall CLI and
restart the vldmgr process.
|
PAN-171938 | No results are displayed when you Show
Application Filter for a Security policy rule (Policies Security Application Value Show Application Filter |
PAN-171839 | The Enable Bonjour Reflector option under Network Interfaces Layer 3 Interface IPv4 |
PAN-171744 | No data is displayed for the Forward Error
Correction (FEC) plot for SD-WAN application performance ( Panorama SD-WAN Monitoring |
PAN-171723 | If you use Panorama to push a configuration
that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade
the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds
but after you reboot, the auto-commit fails. Workaround: Remove
all ACE application configurations before downgrading. |
PAN-171714 | If you use the NetBIOS format ( domain\user )
for the IP address-to-username mapping and the firewall receives
the group mapping information from the Cloud Identity Engine, the firewall
does not successfully match the user to the correct group. |
PAN-171706 | If you are using Panorama to manage firewalls
with multiple virtual systems and the virtual system that is the
User-ID hub uses an alias, the local commit on Panorama is successful
but the commit to the firewall fails. |
PAN-171673 | On the Panorama management server, the ACC returns inaccurate
results when you filter for New App-ID using
the App-usage widget. |
PAN-171635 | If you have an on-premise Active Directory
and there is an existing group mapping configuration on the firewall,
if you migrate the group mapping to the Cloud Identity Engine, the firewall
does not remove the existing group mapping even if the configuration
is disabled and the firewall is rebooted, which may conflict with
new mappings from the Cloud Identity Engine. Workaround :
Use the debug user-id clear domain-map command
to remove the existing group mappings from the firewall. |
PAN-171224 | On the Panorama management server, a custom
report ( Monitor Managed
Custom Reports Run Now . |
PAN-171145 | If you edit or remove the value for the mail attribute
in your on-premise Active Directory, the changes may not be immediately
reflected on the firewall after it syncs with the Cloud Identity
Engine. |
PAN-171127 | On the Panorama management server, custom
reports ( Monitor Manage
Custom Reports Device Application
Statistics and Device Traffic Summary databases
display null for the Application fields. |
PAN-170923 | In Policies Security Policy Optimizer New App Viewer |
PAN-170462 | SaaS applications downloaded from the App-ID
Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application
Reports Application column
of the Application Usage widget in ACC Network Activity |
PAN-170270 | Using the CLI to power on a PA-5450 Networking
Card (NC) in an Active HA firewall can cause its Passive peer to
temporarily go down. |
PAN-169906 | The CN-Series Firewall as a Kubernetes Service
does not support AF_XDP when deployed in CentOS. |
PAN-168636 | Connecting to the App-ID Cloud Engine (ACE)
cloud using a management port with explicit proxy configured on
it is not supported. Instead, use a data plane interface for the
service route (Prepare to Deploy App-ID Cloud
Engine describes how to do this.) |
PAN-168113 | On the Panorama management server, you are
unable to configure a master key ( Device Master Key and Diagnostics Network Interfaces Ethernet Workaround: Remove
the referenced zone from the interface configuration to successfully
configure a master key. |
PAN-167847 | If you issue the command opof stats ,
then clear the results {opof stats -c}, the Active Sessions value
is sometimes invalid. For example, you might see a negative number
or an excessively large number.Workaround: Re-run
the opof stats command after the offload
completes. |
PAN-167401 | When a firewall or Panorama appliance configured
with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it
fails to connect to edge service. |
PAN-166464 | PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect fan
operation. For further information, contact Customer Support. |
PAN-166398 | On PA-5450 Next-Generation firewalls, when
you configure path or latency monitoring on the Health Monitor tab
in the Packet Broker profile ( Objects Packet Broker Workaround: Change
the health monitoring configuration and commit the change to prevent
this issue from occurring. |
PAN-165669 | If you configure a group that the firewall
retrieves from the Cloud Identity Engine as the user in value
in a filter query, Panorama is unable to retrieve the group membership
and as a result, is unable to display this data in logs and custom
reports. |
PAN-165225 | There is an issue where hwpredict is
enabled by default, and you have to disable it via the CLI. |
PAN-164922 | On the Panorama management server, a context
switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails. |
PAN-164885 | On the Panorama management server, pushes
to managed firewalls ( Commit Push to Devices Commit
and Push ) may fail when an EDL (Objects External Dynamic Lists Check for updates every 5 minutes due
to the commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check for updates
every 5 minutes. |
PAN-164841 | A successful deployment of a Panorama virtual
appliance on Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS
10.1.0-b6 release. |
PAN-164647 | On the Panorama management server, activating
a license ( Panorama Device
Deployment Licenses Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a license on
managed firewalls in an HA configuration. |
PAN-164586 | If you use a value other than mail for
the user or group email attribute in the Cloud Identity Engine,
it displays in user@domain format in
the CLI output. |
PAN-163966 | On the Panorama management server, the ACC and
on demand reports (Monitor Manage Custom Reports |
PAN-162836 | On the VM-Series firewall, if you select Device Licenses Deactivate VM Subscriptions or Support and
press Continue to remove licenses and register
the changes with the license server. When the license removal is
complete the Deactivate VM window does not
update its text to exclude deactivated licenses or close the window.Workaround :
Wait until the license deactivation is complete, and click Cancel to
close the window. |
PAN-162164 | When upgrading a multi-dataplane firewall
from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails. Auto-commit
is not affected. Workaround: Load the configuration
from running config (load config from running-config.xml) and perform
a commit. |
PAN-162088 | On the Panorama management server in a high
availability (HA) configuration, content updates ( Panorama Dynamic Updates Install a content
update and enable Sync to HA Peer . |
PAN-161666 | The firewall includes any users configured
in the Cloud Identity Engine in the count of groups. As a result,
some CLI command output does not accurately display the number of
groups the firewall has retrieved from the Cloud Identity Engine
and counts users as groups in the No. of Groups in
the command output. If the attempt to retrieve the user or group
fails, the information for the user or group still displays in the
CLI command output. |
PAN-161451 | If you issue the command opof stats ,
there are occasional zero packet and byte counts coming from the
DPDK counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session. |
PAN-160238 | If you migrate traffic from a firewall running
a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0
or later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows. Workaround: On
the new firewall, create an app override for VXLAN outer headers
as described in What is an Application Override? and
the video tutorial How to Configure an Application
Override Policy on the Palo Alto Networks Firewall.PAN-OS
version 9.0 can inspect both inner and outer VXLAN flows. If you
want to inspect inner flows, you must define a tunnel content inspection
(TCI) policy. |
PAN-157444 | As a result of a telemetry handling update,
the Source Zone field in the DNS analytics logs (viewable in the
DNS Analytics tab within AutoFocus) might not display correct results. |
PAN-157327 | On downgrade to PAN-OS 9.1, Enterprise Data
Loss Prevention (DLP) filtering settings ( Device Setup DLP Workaround: After
you successfully downgrade a managed firewall to PAN-OS 9.1, commit
and push from Panorama to remove the Enterprise DLP filtering settings
and complete the downgrade.
|
PAN-157103 | Multi-channel functionality may not be properly
utilized on an VM-Series firewall deployed in VMware NSX-V after
the service is first deployed. Workaround : Execute
the command debug dataplane pow status to
view the number of channels being utilized by the dataplane.
If
multi-channel functionality is not working, disable your NSX-V security
policy and reapply it. Then reboot the VM-Series firewall. When
the firewall is back up, verify that multi-channel functionality
is working by executing the command debug dataplane pow status .
It should now show multiple channels being utilized.
|
PAN-156598 | ( Panorama only ) If you configure
a standard custom vulnerability signature in a custom Vulnerability
Protection profile in a shared device group, the shared profile
custom signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.Workaround: Use
the CLI to update the combination signature. |
PAN-154292 | On the Panorama management server, downgrading
from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit
( Commit Commit to
Panorama Monitor Manage Custom
Reports Session
ID .Workaround: After successful downgrade,
reconfigure the Group By setting in the custom report. |
PAN-154034 | On the Panorama management server, the Type
column in the System logs ( Monitor Logs System iot as
the type. |
PAN-154032 | On the Panorama management server, downgrading
to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to be compatible
with PAN-OS 9.1 Workaround: After successful downgrade
to PAN-OS 9.1, Remove Config (Panorama Plugins |
PAN-153803 | On the Panorama management server, scheduled
email PDF reports ( Monitor PDF Reports |
PAN-153557 | On the Panorama management server CLI, the
overall report status for a report query is marked as Done despite
reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas
Collector Group jobs are still in a Running state. |
PAN-153068 | The Bonjour Reflector option is supported
on up to 16 interfaces. If you enable it on more than 16 interfaces,
the commit succeeds and the Bonjour Reflector option is enabled only
for the first 16 interfaces and ignored for any additional interfaces. |
PAN-151238 | There is a known issue where M-100 appliances
are able to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer
to the hardware end-of-life dates.) |
PAN-151085 | On a PA-7000 Series firewall chassis having
multiple slots, when HA clustering is enabled on an active/active
HA pair, the session table count for one of the peers can show a
higher count than the actual number of active sessions on that peer. This
behavior can be seen when the session is being set up on a non-cache
slot (for example, when a session distribution policy is set to
round-robin or session-load); it is caused by the additional cache
lookup that happens when HA cluster participation is enabled. |
PAN-150801 | Automatic quarantine of a device based on
forwarding profile or log setting does not work on the PA-7000 Series
firewalls. |
PAN-150515 | After you install the device certificate
on a new Panorama management server, Panorama is not able to connect
to the IoT Security edge service. Workaround: Restart
Panorama to connect to the IoT Security edge service. |
PAN-150345 | During updates to the Device Dictionary,
the IoT Security service does not push new Device-ID attributes
(such as new device profiles) to the firewall until a manual commit
occurs. Workaround: Perform a force commit to push
the attributes in the content update to the firewall. |
PAN-150361 | In an Active-Passive high availability (HA)
configuration, an error displays if you create a device object on
the passive device. Workaround: Load the running configuration
and perform a force commit to sync the devices. |
PAN-148971 | If you enter a search term for Events that
are related to IoT in the System logs and apply the filter, the
page displays an Invalid term error. Workaround: Specify iot as
the Type Attribute to filter the logs and
use the search term as the Description Attribute . For
example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) . |
PAN-148924 | In an active-passive HA configuration, tags
for dynamic user groups are not persistent after rebooting the firewall
because the active firewall does not sync the tags to the passive
firewall during failover. |
PAN-146995 | After downgrading a Panorama management
server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.Workaround: Panorama
automatically restarts the VLD and logd processes. |
PAN-146807 | Changing the device group configured in
a monitoring definition from a child DG to a parent DG, or vice
versa, might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring definition.
Only firewalls assigned to the parent DG receive IP tag mapping updates. Workaround :
Perform a manual config sync on the device group that lost the IP
tag mapping information. |
PAN-146485 | On the Panorama management server, adding,
deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices out of sync .Additionally,
adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices out of sync . For
example, modifying the BGP configuration on the branch firewall
does not cause the hub template stack to display as out of sync ,
nor does modifying the BGP configuration on the hub firewall cause
the branch template stack as out of sync .Workaround: After
performing a configuration change, Commit and Push the
configuration changes to all hub and branch firewalls in the VPN
cluster containing the firewall with the modified configuration. |
PAN-145460 | CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin. Workaround: Commit the
Panorama configuration after the CN-MGMT pod successfully registers
with Panorama. |
PAN-144889 | On the Panorama management server, adding,
deleting, or modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2
plugin does not display the managed firewall templates ( Panorama Managed Devices Summary Out of Sync .Workaround :
When modifying the original subnet IP, or adding a new subnet, push
the template configuration changes to your managed firewalls and Force
Template Values (Commit Push to Devices Edit Selections |
PAN-143132 | Fetching the device certificate from the
Palo Alto Networks Customer Support Portal (CSP) may fail and displays
the following error in the CLI: ERROR Failed to process S1C msg: Error Workaround: Retrying
fetching the device certificate from the Palo Alto Networks CSP. |
PAN-141630 | Current performance limitation: single data
plane use only. The PA-5200 Series and PA-7000 Series firewalls
that support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only, which currently
limits the firewall performance. |
PAN-140959 | The Panorama management server allows you
to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2
and earlier releases where ZTP functionality is not supported. |
PAN-140008 | ElasticSearch is forced to restart when
the masterd process misses too many
heartbeat messages on the Panorama management server resulting in
a delay in a log query and ingestion. |
PAN-136763 | On the Panorama management server, managed
firewalls display as disconnected when
installing a PAN-OS software update (Panorama Device Deployment Software connected when you view
your managed firewalls Summary (Panorama Managed Devices Summary Workaround: Log out and log back
in to the Panorama web interface. |
PAN-135742 | There is an issue in HTTP2 session decryption
where the App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing). |
PAN-134053 | ACC does not filter WildFire logs from Dynamic
User Groups. |
PAN-132598 | The Panorama management server does not
check for duplicate addresses in address groups ( Objects Address Groups Objects Service Groups |
PAN-130550 | ( PA-3200 Series, PA-5220, PA-5250, PA-5260,
and PA-7000 Series firewalls ) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.Workaround: Use
source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys
traffic. |
PAN-127813 | In the current release, SD-WAN auto-provisioning
configures hubs and branches in a hub and spoke model, where branches don’t
communicate with each other. Expected branch routes are for generic
prefixes, which can be configured in the hub and advertised to all
branches. Branches with unique prefixes are not published up to
the hub. Workaround: Add any specific prefixes for
branches to the hub advertise-list configuration. |
PAN-127206 | If you use the CLI to enable the cleartext
option for the Include Username in HTTP Header Insertion Entries
feature, the authentication request to the firewall may become unresponsive
or time out. |
PAN-123277 | Dynamic tags from other sources are accessible
using the CLI but do not display on the Panorama web interface. |
PAN-123040 | When you try to view network QoS statistics
on an SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for this issue.
Please contact Support for information about the workaround. |
PAN-120440 | There is an issue on M-500 Panorama management
servers where any ethernet interface with an IPv6 address having Private
PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 . |
PAN-120423 | PAN-OS 10.0.0 does not support the XML API
for GlobalProtect logs. |
PAN-120303 | There is an issue where the firewall remains
connected to the PAN-DB-URL server through the old management IP
address on the M-500 Panorama management server, even when you configured
the Eth1/1 interface. Workaround: Update the PAN-DB-URL
IP address on the firewall using one of the methods below.
|
PAN-116017 | ( Google Cloud Platform (GCP) only )
The firewall does not accept the DNS value from the initial configuration
(init-cfg) file when you bootstrap the firewall.Workaround: Add
DNS value as part of the bootstrap.xml in the bootstrap folder and
complete the bootstrap process. |
PAN-115816 | ( Microsoft Azure only ) There is
an intermittent issue where an Ethernet (eth1) interface does not
come up when you first boot up the firewall.Workaround: Reboot
the firewall. |
PAN-114495 | Alibaba Cloud runs on a KVM hypervisor and
supports two Virtio modes: DPDK (default) and MMAP. If you deploy
a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and
you then switch to MMAP packet mode, the VM-Series firewall duplicates packets
that originate from or terminate on the firewall. As an example,
if a load balancer or a server behind the firewall pings the VM-Series
firewall after you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets. Throughput traffic
is not duplicated if you deploy the VM-Series firewall using MMAP
packet mode. |
PAN-112694 | ( Firewalls with multiple virtual systems
only ) If you configure dynamic DNS (DDNS) on a new interface
(associated with vsys1 or another virtual system) and you then create
a New Certificate Profile from the drop-down,
you must set the location for the Certificate Profile to Shared.
If you configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose the Shared location
instead of a specific virtual system. Alternatively, you can select
a preexisting certificate profile instead of creating a new one. |
PAN-112456 | You can temporarily submit a change request
for a URL Category with three suggested categories; however, only
two categories are supported. Do not add more than two suggested categories
to a change request until we address this issue. If you submit more
than two suggested categories, only the first two categories in
the change request are evaluated. |
PAN-112135 | You cannot unregister tags for a subnet
or range in a dynamic address group from the web interface. Workaround: Use
an XML API request to unregister the tags for the subnet or range. |
PAN-111928 | Invalid configuration errors are not displayed
as expected when you revert a Panorama management server configuration. Workaround: After
you revert the Panorama configuration, Commit (Commit Commit to Panorama |
PAN-111866 | The push scope selection on the Panorama
web interface displays incorrectly even though the commit scope
displays as expected. This issue occurs when one administrator makes configuration
changes to separate device groups or templates that affect multiple
firewalls and a different administrator attempts to push those changes. Workaround: Perform
one of the following tasks.
|
PAN-111729 | If you disable DPDK mode and enable it again,
you must immediately reboot the firewall. |
PAN-111670 | Tagged VLAN traffic fails when sent through
an SR-IOV adapter. |
PAN-110794 | DGA-based threats shown in the firewall
threat log display the same name for all such instances. |
PAN-109759 | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted TLS
session due to an authentication policy match. |
PAN-109526 | The system log does not correctly display
the URL for CRL files; instead, the URLs are displayed with encoded
characters. |
PAN-104780 | If you configure a HIP object to match only
when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints;
these serial numbers do not appear in the HIP report. |
PAN-103276 | Adding a disk to a virtual appliance running
Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes
the Panorama virtual appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-101688 | ( Panorama plugins ) The IP address-to-tag
mapping information registered on a firewall or virtual system is
not deleted when you remove the firewall or virtual system from
a Device Group.Workaround: Log in to the CLI on the
firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all . |
PAN-101537 | After you configure and push address and
address group objects in Shared and vsys-specific device groups
from the Panorama management server to managed firewalls, executing the show log command
on a managed firewall only returns address and address group objects
pushed form the Shared device group.<log-type> direction equal <direction> <dst> | <src> in <object-name> Workaround: Specify
the vsys in the query string:admin> set system target-vsys <vsys-name> admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name> |
PAN-98520 | When booting or rebooting a PA-7000 Series
Firewall with the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System Memory
Speed section. The messages can be ignored. |
PAN-97757 | GlobalProtect authentication fails with
an Invalid username/password error
(because the user is not found in Allow List )
after you enable GlobalProtect authentication cookies and add a
RADIUS group to the Allow List of the authentication
profile used to authenticate to GlobalProtect.Workaround: Disable
GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve
user group from RADIUS in the authentication profile
and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97524 | ( Panorama management server only )
The Security Zone and Virtual System columns (Network tab)
display None after a Device Group and
Template administrator with read-only privileges performs a context
switch. |
PAN-96985 | The request shutdown system command
does not shut down the Panorama management server. |
PAN-96960 | You cannot restart or shutdown a Panorama
on KVM from the Virtual-manager console or virsch CLI. |
PAN-96446 | A firewall that is not included in a Collector
Group fails to generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in Management Only
mode. |
PAN-95773 | On VM-Series firewalls that have Data Plane
Development Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command
displays an inaccurate throughput and packet rate.Workaround: Disable
DPDK by running the set system setting dpdk-pkt-io off CLI
command. |
PAN-95028 | For administrator accounts that you created
in PAN-OS 8.0.8 and earlier releases, the firewall does not apply
password profile settings ( Device Password Profiles |
PAN-94846 | When DPDK is enabled on the VM-Series firewall
with i40e virtual function (VF) driver, the VF does not detect the
link status of the physical link. The VF link status remains up, regardless
of changes to the physical link state. |
PAN-94093 | HTTP Header Insertion does not work when
jumbo frames are received out of order. |
PAN-93968 | The firewall and Panorama web interfaces
display vulnerability threat IDs that are not available in PAN-OS
9.0 releases ( Objects Security
Profiles Vulnerability Protection <profile> Exceptions |
PAN-93607 | When you configure a VM-500
firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection Objects Security Profile Groups Workaround: Create
a new Security Profile Group and select the SCTP Protection profile
from there. |
PAN-93532 | When you configure a firewall
running PAN-OS 9.0 as an nCipher HSM client, the web interface on
the firewall displays the nCipher server status as Not Authenticated,
even though the HSM state is up ( Device Setup HSM |
PAN-93193 | The memory-optimized VM-50
Lite intermittently performs slowly and stops processing traffic
when memory utilization is critically high. To prevent this issue,
make sure that you do not:
Workaround: When
the firewall performs slowly, or you see a critical System log for
memory utilization, wait for 5 minutes and then manually reboot
the firewall.Use the Task Manager to verify that you are
not performing memory intensive tasks such as installing dynamic
updates, committing changes or generating reports, at the same time, on
the firewall. |
PAN-91802 | On a VM-Series firewall, the clear
session all CLI command does not clear GTP sessions. |
PAN-83610 | In rare cases, a PA-5200 Series firewall
(with an FE100 network processor) that has session offload enabled
(default) incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In
PAN-OS 8.0.6 and later releases, you can persistently disable session
offload for only UDP traffic using the set session udp-off load no CLI
command. |
PAN-83236 | The VM-Series firewall on Google
Cloud Platform does not publish firewall metrics to Google Stack
Monitoring when you manually configure a DNS server IP address ( Device Setup Services Workaround: The
VM-Series firewall on Google Cloud Platform must use the DNS server
that Google provides. |
PAN-83215 | SSL decryption based on ECDSA
certificates does not work when you import the ECDSA private keys
onto an nCipher nShield hardware security module (HSM). |
PAN-81521 | Endpoints failed to authenticate to GlobalProtect
through Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile ( Device Server Profiles Kerberos Workaround: Replace
the FQDN with the IP address in the Kerberos server profile. |
PAN-77125 | PA-7000 Series, PA-5450, PA-5200
Series, and PA-3200 Series firewalls configured in tap mode don’t
close offloaded sessions after processing the associated traffic;
the sessions remain open until they time out. Workaround: Configure
the firewalls in virtual wire mode instead of tap mode, or disable
session offloading by running the set session off load no CLI
command. |
PAN-75457 | In WildFire appliance clusters that have
three or more nodes, the Panorama management server does not support
changing node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an existing
controller node as a worker node by removing the HA configuration,
and then commit and push the configuration. Attempts to change cluster
node roles from Panorama results in a validation error—the commit
fails and the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet
capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | When you import a two-node WildFire appliance
cluster into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following conditions
exist:
Workaround: There
are three possible workarounds to sync the controller nodes:
|
PAN-70906 | If the PAN-OS web interface and the GlobalProtect
portal are enabled on the same IP address, then when a user logs
out of the GlobalProtect portal, the administrative user is also
logged out from the PAN-OS web interface. Workaround: Use
the IP address to access the PAN-OS web interface and an FQDN to
access the GlobalProtect portal. |
PAN-69505 | When viewing an external dynamic list that
requires client authentication and you Test Source URL ,
the firewall fails to indicate whether it can reach the external
dynamic list server and returns a URL access error (Objects External Dynamic Lists |
PAN-40079 | The VM-Series firewall on KVM, for all supported
Linux distributions, does not support the Broadcom network adapters for
PCI pass-through functionality. |
PAN-39636 | Regardless of the Time Frame you
specify for a scheduled custom report on a Panorama M-Series appliance,
the earliest possible start date for the report data is effectively
the date when you configured the report (Monitor Manage Custom Reports Time Frame to Last 30
Days , the report that Panorama generates on the 16th
will include only data from the 15th onward. This issue applies
only to scheduled reports; on-demand reports include all data within
the specified Time Frame .Workaround: To
generate an on-demand report, click Run Now when
you configure the custom report. |
PAN-38255 | When you perform a factory reset on a Panorama
virtual appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug software restart process management-server CLI command. |
PAN-31832 | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.