PAN-OS 10.2.11 Known Issues

The WildFire analysis report on the firewall log viewer (MonitoringWildFire Submissions) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".

Workaround: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View.

In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.

The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.

The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.

The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.

In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.

Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).

The number of registered WildFire appliances reported in Panorama (PanoramaManaged WildFire AppliancesFirewalls ConnectedView) does not accurately reflect the current status of connected WildFire appliances.

(PA-220 firewalls only) DeviceSetup is not displayed when the Enterprise Data Loss Prevention (E-DLP) plugin is installed.

Workaround: Uninstall the Enterprise DLP plugin.

From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application (ObjectsApplications) tag.

The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (PanoramaManaged Collector is degraded.

Workaround: Log in to the Log Collector CLI and restart ElasticSearch.

admindebug elasticsearch es-restart all

Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.

Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.

On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (DeviceLog Settings) are not displayed and cannot be configured.

A Malformed Request error is displayed when you Test Connection for an email server profile (DeviceServer ProfilesEmail) using SMTP over TLS and the Password includes an ampersand (&).

On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (DeviceCertificate ManagementSSH Service Profile) Hostkey configured in a Template from the Template Stack.

PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (MonitorBlock IP):

On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (MonitorApp ScopeThreat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.

Modifying the Administrator Type for an existing administrator (DeviceAdministrators or PanoramaAdministrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.

Certificates are not successfully generated using SCEP (DeviceCertificate ManagementSCEP).

A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (ObjectsDLPData Filtering Profiles with the Action set to Block to a Security policy rule (PoliciesSecurity).

Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:

On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).

When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).

Workaround: Retry the operation.

(PA-5450 firewall only) Trying to configure a custom payload format under DeviceServer ProfilesHTTP yields a JavaScript error.

(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under DeviceSetupLog InterfaceIP Address.

Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.

(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.

Workaround: Restart the log receiver service by running the following CLI command:

(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.

(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.

After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.

On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.

Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.

After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.

On the Panorama management server, the Template Status displays no synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added to Panorama.

Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select CommitPush to Devices.

If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.

Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.

On the Panorama management server, not all data profiles (ObjectsDLP Data Filtering Profiles) are displayed after you:

Workaround: Log in to the Panorama CLI and reset the DLP plugin.

The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.

On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.

Workaround: Do not use a logical router instance with no interfaces bound to it.

Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.

Workaround: Use CommitPush to Devices to synchronize the templates.

On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.

Workaround: Reboot the Panorama HA pair.

Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.

Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.

Static IP addresses are not recognized when "and" operators are used with IP CIDR range.

If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.

On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.

On the Panorama management server, pushing an unsupported Minimum Password Complexity (DeviceSetupManagement) to a managed firewall erroneously displays commit time out as the reason the commit failed.

When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.

Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.

A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering inline ML.

Workaround: Configuration settings for URL Filtering inline ML must be applied through the CLI. The following configuration commands are available:

PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (high availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA pairs of Active-Passive and Active-Active firewalls are not affected.

When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the Traffic logs do not display network slice SST and SD values.

In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.

When you activate the Advanced URL Filtering license, your license entitlements for PAN-DB and Advanced URL Filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.

Workaround: Issue the following command to retrieve and update the licenses: license request fetch.