Changes to Default Behavior in PAN-OS 10.2

What default behavior changes impact PAN-OS 10.2?
The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Masterd Rename
With PAN-OS 10.2 all instances of masterd in the CLI were replaced with MD.
Shared Configuration Objects for Multi-vsys Firewall Managed by Panorama
For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls.
The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall.
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom objects
  • Decryption profiles
  • SD-WAN Link Management Profiles
On upgrade to PAN-OS 10.2, it is required that all certificates meet the following minimum requirements:
  • RSA 2048 bits or greater, or ECDSA 256 bits or greater
  • Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
Advanced Routing Engine
With Advanced Routing enabled, by default connected peers prefer a link-local next-hop address over a global next-hop address.
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD session establishment for iBGP peers is changed. Any iBGP peers over a loopback address are not considered to be directly connected and therefore should enable the multihop option in the BFD profile and specify Minimum Rx TTL accordingly.

Recommended For You