The following table details the changes
in default behavior upon upgrade to PAN-OS® 10.2. You may also want
to review the Upgrade/Downgrade Considerations before upgrading
to this release.
With PAN-OS 10.2 all instances of masterd
in the CLI were replaced with MD.
Shared Configuration Objects
for Multi-vsys Firewall Managed by Panorama
For multi-vsys firewalls managed
by a Panorama managed server, configuration objects in the Shared
device group are now pushed to a Panorama Shared configuration context
for all virtual systems rather than duplicating the shared configuration
to each virtual system to reduce the operational burden of scaling
configurations for multi-vsys firewalls.
The following configurations
cannot be added to the Shared Panorama location and are replicated to
the Panorama location of each vsys of a multi-vsys firewall.
Pre and Post Rules
External Dynamic Lists (EDL)
Security Profile Groups
HIP objects and profiles
SD-WAN Link Management Profiles
On upgrade to PAN-OS 10.2, it is required that
all certificates meet the following minimum requirements:
RSA 2048 bits or greater, or ECDSA 256
bits or greater
With Advanced Routing enabled, by default connected
peers prefer a link-local next-hop address over a global next-hop
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD
session establishment for iBGP peers is changed. Any iBGP peers
over a loopback address are not considered to be directly connected
and therefore should enable the multihop option in the BFD profile
and specify Minimum Rx TTL accordingly.