Limitations in PAN-OS 11.0

What are the limitations related to PAN-OS 11.0 releases?
The following are limitations associated with PAN-OS 11.0.
The following limitations apply for on-premises Explicit Proxy:
  • On-premises Explicit Proxy does not support multi-tenancy.
  • On-premises Explicit Proxy supports authentication using SAML and Kerberos.
  • On-premises Explicit Proxy requires decryption (TLS 1.3 is recommended).
  • On-premises Explicit Proxy requires port 8080.
  • On-premises Explicit Proxy requires PAC files to direct traffic to the on-premises Explicit Proxy.
  • On-premises Explicit Proxy supports customer-based hosting for their individual PAC files.
  • On-premises Explicit Proxy supports inbound proxy chaining with XFF and XAU HTTP headers.
  • On-premises Explicit Proxy supports HTTP/2 for Kerberos only; HTTP/2 for SAML is not supported in this release.
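A PAC file of the kind the list above calls for, as an added example that is not Palo Alto Networks' own file. The proxy hostname and the internal zone are placeholder assumptions; port 8080 is the port the page requires. Omitting the DIRECT fallback for external traffic is a design choice of this example, so traffic cannot bypass decryption when the proxy is unreachable.

```javascript
// Added example PAC file. proxy.example.internal and example.internal are
// placeholder names (assumptions); 8080 is the port the page requires.
var PROXY = "PROXY proxy.example.internal:8080";
var INTERNAL_ZONE = "example.internal"; // assumption: internal DNS zone

// Convert a dotted-quad IPv4 literal to a number, or null if not a literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal in loopback or RFC 1918 space.
function isPrivateLiteral(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var nets = [["10.0.0.0", 8], ["172.16.0.0", 12],
              ["192.168.0.0", 16], ["127.0.0.0", 8]];
  for (var i = 0; i < nets.length; i++) {
    var base = ipv4ToInt(nets[i][0]);
    var size = Math.pow(2, 32 - nets[i][1]);
    if (ip >= base && ip < base + size) return true;
  }
  return false;
}

// True when host equals the zone or is a subdomain of it (label-aligned).
function inZone(host, zone) {
  if (host === zone) return true;
  var suffix = "." + zone;
  var at = host.length - suffix.length;
  return at > 0 && host.indexOf(suffix, at) === at;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";     // single-label names
  if (inZone(host, INTERNAL_ZONE)) return "DIRECT";  // internal zone
  if (isPrivateLiteral(host)) return "DIRECT";       // private IP literals
  // No "; DIRECT" fallback: if the proxy is down, requests fail closed.
  return PROXY;
}
```

The suffix check is label-aligned, so a lookalike such as notexample.internal is still sent to the proxy rather than treated as internal.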
In Advanced Routing mode, BGP peer groups and peers allow IPv6 NLRI to be transported over an IPv6 MP-BGP peer and allow IPv6 NLRI to be transported over an IPv4 MP-BGP peer. If you want to use IPv4 multicast, you are limited to only IPv4 with that peer. The firewall does not support SAFI IPv6 multicast at all.
For CN-Series deployments using the Advanced Routing Engine with the Kubernetes 3.0.0 plugin, you must configure Advanced Routing manually on the template stack:
  1. Set the flag
    in the pan-cn-mgmt-configmap-0.yaml file.
  2. Manually enable Advanced Routing on the Panorama template, then commit and push the configuration.
PAN-OS logs (
) experience a significant delay before they are displayed if NetFlow (
Server Profiles
) is enabled on an interface (
). This may result in log loss if the volume of delayed logs exceeds the logging buffer available on the firewall.
The following firewalls are impacted:
  • PA-400 Series Firewalls
  • PA-800 Series Firewalls
  • PA-1400 Series Firewalls
  • PA-3200 Series Firewalls
  • PA-3400 Series Firewalls
DHCPv6 Client with Prefix Delegation is currently incompatible with GlobalProtect. You cannot configure GP gateways with dynamic IPv6 addresses.
In IPSec transport mode, the traffic does not flow if you configure BGP routes in a tunnel interface. While using IPSec transport mode for BGP routes, configure the BGP routes on a physical interface (for example, ethernet 1/1) and not the tunnel interface.
While IPSec tunnel mode for BGP routes works with the tunnel interface, IPSec transport mode for BGP routes works with the physical interface only.
On the PA-5440 firewall, the valid range to configure the maximum number of site-to-site VPN tunnels is from 0 to 10,000.
set import resource max-site-to-site-vpn-tunnels <0-10000>
(PA-415 and PA-445 firewalls) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall's Alarm feature is unavailable for the power supply, and an alarm is raised only when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI.
