Changes to Default Behavior in PAN-OS 10.2

What default behavior changes impact PAN-OS 10.2?

The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.

Feature	Change
Masterd Rename	With PAN-OS 10.2 all instances of masterd in the CLI were replaced with MD.
Shared Configuration Objects for Multi-vsys Firewall Managed by Panorama	For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls. The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall. Pre and Post Rules External Dynamic Lists (EDL) Security Profile Groups HIP objects and profiles Custom objects Decryption profiles SD-WAN Link Management Profiles
Certificates	On upgrade to PAN-OS 10.2, it is required that all certificates meet the following minimum requirements: RSA 2048 bits or greater, or ECDSA 256 bits or greater Digest of SHA256 or greater See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
Advanced Routing Engine	With Advanced Routing enabled, by default connected peers prefer a link-local next-hop address over a global next-hop address.
Advanced Routing Engine and BFD	On a firewall with Advanced Routing enabled, BFD session establishment for iBGP peers is changed. Any iBGP peers over a loopback address are not considered to be directly connected and therefore should enable the multihop option in the BFD profile and specify Minimum Rx TTL accordingly.