Changes to Default Behavior in PAN-OS 10.2

What default behavior changes impact PAN-OS 10.2?
The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Administrator Login
Usernames that contain all numbers are no longer valid. For example, the username
does not work.
Usernames that include at least one alphabetical or legal symbol character are valid, such as
, and
Masterd Rename
With PAN-OS 10.2 all instances of masterd in the CLI were replaced with MD.
Shared Configuration Objects for Multi-vsys Firewall Managed by Panorama
For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls.
The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall.
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom objects
  • Decryption profiles
  • SD-WAN Link Management Profiles
On upgrade to PAN-OS 10.2, it is required that all certificates meet the following minimum requirements:
  • RSA 2048 bits or greater, or ECDSA 256 bits or greater
  • Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
Advanced Routing Engine
With Advanced Routing enabled, by default connected peers prefer a link-local next-hop address over a global next-hop address.
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD session establishment for iBGP peers is changed. Any iBGP peers over a loopback address are not considered to be directly connected and therefore should enable the multihop option in the BFD profile and specify Minimum Rx TTL accordingly.
Selective Push for Prisma Access (Panorama Managed)
PAN-OS 10.2.2 and later releases
Pushing selective configuration changes to Prisma Access in Panorama Managed Prisma Access deployments is no longer supported.
To push selective configuration changes to Prisma Access:
  1. Commit
    Commit to Panorama
    and select only the configuration changes you want to push.
  2. Push your configuration changes to Prisma Access.
Scheduled Log Export
Scheduled log exports (
Log Export
) may not export logs as scheduled if multiple logs are scheduled to export at the same time.
When scheduling your log exports, maintain at least 6 hours between each scheduled log export.
Test SCP Server Connection
PAN-OS 10.2.4 and later releases
To test the SCP server connection when you schedule a configuration export (
Schedule Config Export
) or log export (
Scheduled Log Export
), a new pop-up window is displayed requiring you to enter the SCP server clear text
Confirm Password
to test the SCP server connection and enable the secure transfer of data.
You must also enter the clear text SCP server
Confirm Password
when you test the SCP server connection from the firewall or Panorama CLI.
test scp-server-connection initiate <ip> username <username> password <clear-text-password>
Enterprise data loss prevention (DLP) Predefined Data Filtering Profiles
After successful upgrade to PAN-OS 10.2.4 with Panorama plugin for Enterprise DLP 3.0.4 or later release installed, the default
File Direction
for predefined data filtering profiles (
Data Filtering Profiles
) is

Recommended For You