>
    Limitations in PAN-OS 10.2
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Limitations
    4. Limitations in PAN-OS 10.2
    Download PDF

    Limitations in PAN-OS 10.2

    Table of Contents

    Limitations in PAN-OS 10.2

    What are the limitations related to PAN-OS 10.2 releases?
    The following are limitations associated with PAN-OS 10.2.
    Issue ID
    Description
    PAN-265738
    NAT is not configurable when HA clusters are configured. HA clusters don't support NAT.
    PAN-247465
    (PA-7080 only) The firewall does not support Aquantia 10G SFP transceivers.
    PAN-246825
    ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
    PAN-240517
    Enter any random username and password (or just press enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases:
    • A scenario where the portal is running PAN-OS 10.2.8 and the satellite is running version earlier to 10.2.8, and the satellite cookie has expired. In this case, when you attempt to enable the serial number and IP address authentication method without adding the satellite IP address in the IP allow list on the portal, satellite authentication fails. The failure is due to a missing IP address in the IP allow list.
    • A scenario where the portal is running PAN-OS 10.2.8 and the satellite is running version earlier to 10.2.8, if the satellite cookie expires before enabling the serial number and IP address authentication method on the portal, satellite authentication will fail due to satellite cookie expiration.
    PAN-218067
    By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service.
    You can prevent the firewall from attempting to fetch the device certificate for the following firewalls:
    • M-300 appliance
    • M-500 appliance
    • PA-410, PA-440, PA-450, and PA-460 firewalls
    • PA-1400 Series firewalls
    • PA-3400 Series firewalls
    • PA-5410, PA-5420, and PA-5430 firewalls
    • PA-5450 firewall
    To disable, log in to the firewall CLI or Panorama CLI and enter the following command:
    admin> request certificate auto-fetch disable
    PAN-215869
    PAN-OS logs (MonitorLogs) experience a significant delay before they are displayed if NetFlow (DeviceServer ProfilesNetFlow) is enabled on an interface (NetworkInterface). This may result in log loss if the volume of delayed logs exceeds the logging buffer available on the firewall.
    The following firewalls are impacted:
    • PA-410, PA-440, PA-450, and PA-460 Firewalls
    • PA-800 Series Firewalls
    • PA-3200 Series Firewalls
    • PA-3400 Series Firewalls
    PAN-207505
    This issue is now resolved. See PAN-OS 11.0.0 Addressed Issues.
    Email schedules (MonitorPDF ReportsEmail Scheduler) are not supported for SaaS Application Usage (MonitorPDF ReportsSaaS Application Usage) reports.
    PAN-205166
    (PA-440, PA-450, and PA-460 firewalls only) The CLI does not display system information about the power supply when entering the show system environmentals command. As a result, the CLI cannot be used to view the current status of the power adapter.
    Workaround: To manually interpret the status of the firewall's power adapter, verify that your power cable connections are secure and that the LED on the power adapter is on. If the LED is not illuminated even though the power cable connections are secure, your power adapter has failed.
    PAN-190811
    This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
    (PA-5450 only) Log interfaces must be configured to ensure they are not in the same subnetwork as the management interface. Configuring both interfaces in the same subnetwork can cause connectivity issues and result in the wrong interface being used for log forwarding.
    PAN-181823
    On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
    PAN-181229
    On the Panorama management server, a Shared tag (ObjectsTags) cannot be applied to a Shared application filter (ObjectsApplication Filters).
    PAN-174784
    Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (MonitorManage Custom Reports) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day.
    PAN-172144
    		On a Panorama management server deployed on VMware ESXi that is managing Dedicated Log Collectors, filtering traffic logs (MonitorLogsTraffic) using the (time_generated_geq) filter does not return results for the specified Generate Time if the Dedicated Log Collectors are in different time zones.
    Workaround: Configure the same time zone for the Dedicated Log Collectors you are querying.
    1. Log in to the Log Collector CLI.
    2. Set the time zone for the Dedicated Log Collector.
      admin> configure
      admin# set deviceconfig timezone <time_zone>
      admin# commit

    © 2025 Palo Alto Networks, Inc. All rights reserved.