The following table details the changes
in default behavior upon upgrade to PAN-OS® 10.2. You may also want
to review the Upgrade/Downgrade Considerations before upgrading
to this release.
With PAN-OS 10.2 all instances of masterd
in the CLI were replaced with MD.
Shared Configuration Objects
for Multi-vsys Firewall Managed by Panorama
For multi-vsys firewalls managed
by a Panorama managed server, configuration objects in the Shared
device group are now pushed to a Panorama Shared configuration context
for all virtual systems rather than duplicating the shared configuration
to each virtual system to reduce the operational burden of scaling
configurations for multi-vsys firewalls.
The following configurations
cannot be added to the Shared Panorama location and are replicated
to the Panorama location of each vsys of a multi-vsys firewall.
Pre and Post Rules
External Dynamic Lists (EDL)
Security Profile Groups
HIP objects and profiles
SD-WAN Link Management Profiles
On upgrade to PAN-OS 10.2, it is required
that all certificates meet the following minimum requirements:
RSA 2048 bits or greater, or ECDSA
256 bits or greater
With Advanced Routing enabled, by default connected
peers prefer a link-local next-hop address over a global next-hop
Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled,
BFD session establishment for iBGP peers is changed. Any iBGP peers
over a loopback address are not considered to be directly connected
and therefore should enable the multihop option in the BFD profile and
specify Minimum Rx TTL accordingly.
Selective Push for Prisma Access (Panorama