Focus

Changes to Default Behavior in PAN-OS 10.2

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Changes to Default Behavior

Limitations

Changes to Default Behavior in PAN-OS 10.2

What default behavior changes impact PAN-OS 10.2?

The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.

Feature	Change
Authentication Override	This change in behavior applies only if you have set the Authentication Override Cookie Lifetime value higher than the Tunnel Login Lifetime. On PAN-OS versions 10.2 through 10.2.13, the Authentication Override Cookie Lifetime can exceed the Tunnel Login Lifetime value. On PAN-OS versions 10.2.14 and later 10.2.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime. This change further strengthens the security of the authentication override cookie by preventing its use after the tunnel login lifetime expires.
Managed Device Traffic to Panorama	PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate and handshake messages between Panorama, managed firewalls, and Dedicated Log Collectors. As a result, the App-ID traffic between Panorama, managed firewalls, and Dedicated Log Collectors is reclassified from panorama to ssl. As a result, a Security policy rule is required to allow the ssl application. This allows Panorama, managed firewalls, and Dedicated Log Collectors to continue communication after successful upgrade to PAN-OS 10.2. Review the Ports Used for Panorama for more information on the destination ports required for managed device communication with Panorama.
Panorama Management Compatibility (`PAN-OS 10.2.7 and later releases`)	Panorama can manage a firewall running a higher version of PAN-OS within the same release train. For example, a Panorama appliance running PAN-OS 10.2.7 can manage a firewall running PAN-OS 10.2.8 or later 10.2 releases, but it cannot manage a firewall running 11.0 or higher versions. Panorama does not support any new features, optimizations, or platforms introduced in the later versions of PAN-OS or installed plugins. For information on new features, see the PAN-OS or Plugin Release Notes, and see the Compatibility Matrix for version compatibility. It is a best practice that Panorama runs the same or a later PAN-OS version than the firewall it is managing.
Administrator Login	Usernames that contain all numbers are no longer valid. For example, the username 12345678 does not work. Usernames that include at least one alphabetical or legal symbol character are valid, such as 1234_567, 1234a789_, and c7897432.
Masterd Rename	With PAN-OS 10.2 all instances of masterd in the CLI were replaced with MD.
Panorama Management of Multi-Vsys Firewalls	For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls. As a result, you must delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use. The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall. Pre and Post Rules External Dynamic Lists (EDL) Security Profile Groups HIP objects and profiles Custom objects Decryption profiles SD-WAN Link Management Profiles
Panorama Management of Multi-Vsys Firewalls	Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama. This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.
Certificates	On upgrade to PAN-OS 10.2, it is required that all certificates meet the following minimum requirements: RSA 2048 bits or greater, or ECDSA 256 bits or greater Digest of SHA256 or greater See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
Advanced Routing Engine	With Advanced Routing enabled, by default connected peers prefer a link-local next-hop address over a global next-hop address.
Advanced Routing Engine and BFD	On a firewall with Advanced Routing enabled, BFD session establishment for iBGP peers is changed. Any iBGP peers over a loopback address are not considered to be directly connected and therefore should enable the multihop option in the BFD profile and specify Minimum Rx TTL accordingly.
Auto Web Interface Refresh for XML API `PAN-OS 10.2.5 and later releases`	When making successful XML API calls on a firewall, the web interface will refresh after an interval of 10 seconds.
Selective Push for Prisma Access (Panorama Managed) `PAN-OS 10.2.2 and later releases`	Pushing selective configuration changes to Prisma Access in Panorama Managed Prisma Access deployments is no longer supported. To push selective configuration changes to Prisma Access: CommitCommit to Panorama and select only the configuration changes you want to push. Push your configuration changes to Prisma Access.
Scheduled Log Export	Scheduled log exports (DeviceLog Export) may not export logs as scheduled if multiple logs are scheduled to export at the same time. Workaround: When scheduling your log exports, maintain at least 6 hours between each scheduled log export.
Test SCP Server Connection `PAN-OS 10.2.4 and later releases`	To test the SCP server connection when you schedule a configuration export (PanoramaSchedule Config Export) or log export (DeviceScheduled Log Export), a new pop-up window is displayed requiring you to enter the SCP server clear textPassword and Confirm Password to test the SCP server connection and enable the secure transfer of data. You must also enter the clear text SCP server Password and Confirm Password when you test the SCP server connection from the firewall or Panorama CLI. admin>test scp-server-connection initiate <ip> username <username> password <clear-text-password>
Enterprise data loss prevention (DLP) Predefined Data Filtering Profiles	After successful upgrade to PAN-OS 10.2.4 with Panorama plugin for Enterprise DLP 3.0.4 or later release installed, the default File Direction for predefined data filtering profiles (ObjectsDLPData Filtering Profiles) is Both.
Authentication for SAML and client certificate	In PAN-OS 9.1 and earlier versions, if you configured client certificate authentication, the firewall applied the policy rule using the domain of the certificate. In PAN-OS 10.2 and later versions, if you configure both SAML authentication and client certificate authentication, the firewall applies the policy rule using the SAML domain. If you do not configure the SAML domain when using both SAML and client certificate authentication, the firewall may not be able to authenticate users successfully. If the SAML username differs from the certificate username, delete the username from the client certificate profile and commit the changes; otherwise, authentication is not successful.
Domain Fronting Detection `PAN-OS 10.2.9-h8 and later PAN-OS 10.2.9 releases` `PAN-OS 10.2.11 and later`	Domain Fronting Detection is a feature that was released in PAN-OS 10.2 that enabled detection of a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration, contained in HTTP request payloads using HTTP/1.x and HTTP/2 protocols. Due to excessive false-positives generated by this detection when inspecting HTTP/2 requests, the firewall no longer generates threat logs alerts for HTTP/2 requests in PAN-OS 10.2.9-h8 and later PAN-OS 10.2.9 releases and PAN-OS 10.2.11 and later.
Default User-ID TLS Version	To improve security and reduce the risk of vulnerabilities, the default TLS version that the firewall uses is upgraded to TLS version 1.3 when you upgrade to PAN-OS 10.2 from a previous version.
Name change for User-ID Application	The name of the application the firewall uses for User-ID changes from "paloalto-userid-agent" to "ssl" when you upgrade to PAN-OS 10.2 from a previous version. If you have any security policy rules to allow traffic for "paloalto-userid-agent" you must update them to allow traffic for "ssl" instead and commit the changes to the configuration. This change also applies to the traffic logs.
Collector Groups `PAN-OS 10.2.9 and later 10.2 releases`	You can configure a Collector Group with two Log Collectors. When one Log Collector goes down, the Collector Group still remains operational.
Automatic OpenConfig Installation `PAN-OS 10.2.11 and later 10.2 releases`	The 2.0.2 version of the OpenConfig plugin is automatically installed to enable on-demand telemetry streaming. When telemetry is enabled on the device, OpenConfig establishes a connection to AIOps for NGFW. Upon successful plugin initialization, the __openconfig user becomes visible in administrative sessions, and all telemetry traffic is routed through the OpenConfig plugin.
Automated Commit Recovery (`PAN-OS 10.2.15 and later 10.2 releases`)	The automated commit recovery feature default iteration and timeout values have changed. The default iteration value has changed from 1 to 5 seconds, and the timeout value has changed from 10 to 30 seconds.

Changes to Default Behavior

Limitations

Next-Generation Firewall Docs

Changes to Default Behavior in PAN-OS 10.2

Next-Generation Firewall Docs

Changes to Default Behavior in PAN-OS 10.2

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner