The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Usernames that contain all numbers are no longer valid. For example, the username
Usernames that include at least one alphabetical or legal symbol character are valid, such as
With PAN-OS 10.2, all instances of masterd in the CLI were replaced with MD.
Shared Configuration Objects for Multi-vsys Firewall Managed by Panorama
For multi-vsys firewalls managed by a Panorama management server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than being duplicated to each virtual system. This reduces the operational burden of scaling configurations for multi-vsys firewalls.
The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall:
Pre and Post Rules
External Dynamic Lists (EDL)
Security Profile Groups
HIP objects and profiles
SD-WAN Link Management Profiles
On upgrade to PAN-OS 10.2, all certificates must meet the following minimum requirements: RSA 2048 bits or greater, or ECDSA 256 bits or greater.
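The minimum key sizes above can be checked before the upgrade. The following is an added example, not Palo Alto Networks code: it assumes the certificates have been exported as PEM files and that the `openssl` CLI is installed, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): flag certificates below the PAN-OS 10.2
# minimums stated above: RSA >= 2048 bits, ECDSA >= 256 bits.
# Assumptions: certificates exported as PEM files; openssl CLI installed;
# function names are illustrative.

# Print "<algorithm> <bits>" for the public key of a PEM certificate.
cert_key_info() {
    local text alg bits
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$alg" ] && [ -n "$bits" ] || return 2
    printf '%s %s\n' "$alg" "$bits"
}

# Exit status: 0 = meets the minimum, 1 = key too small,
# 2 = unreadable file or a key type the stated requirement does not cover.
check_cert_min() {
    local info alg bits min
    info=$(cert_key_info "$1") || return 2
    alg=${info% *}
    bits=${info##* }
    case "$alg" in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *) return 2 ;;
    esac
    [ "$bits" -ge "$min" ]
}

# Audit every file passed in; non-zero status if any needs attention.
audit_certs() {
    local f rc failed=0
    for f in "$@"; do
        rc=0
        check_cert_min "$f" || rc=$?
        case "$rc" in
            0) echo "OK        $f" ;;
            1) echo "TOO-SMALL $f"; failed=1 ;;
            *) echo "REVIEW    $f"; failed=1 ;;
        esac
    done
    return "$failed"
}

if [ "$#" -gt 0 ]; then audit_certs "$@"; fi
```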
With Advanced Routing enabled, by default connected peers prefer a link-local next-hop address over a global next-hop
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD session establishment for iBGP peers has changed. iBGP peers over a loopback address are not considered to be directly connected; for these peers, enable the multihop option in the BFD profile and specify Minimum Rx TTL accordingly.
Auto Web Interface Refresh for XML API
PAN-OS 10.2.5 and later releases
After a successful XML API call on a firewall, the web interface refreshes after an interval of 10 seconds.
Selective Push for Prisma Access (Panorama