Limitations in PAN-OS 11.0
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
Limitations in PAN-OS 11.0
What are the limitations related to PAN-OS 11.0 releases?
The following are limitations
associated with PAN-OS 11.0.
Issue ID | Description |
---|---|
— | The following limitations apply for on-premises Explicit
Proxy:
|
— | In Advanced Routing mode, BGP peer groups
and peers allow IPv6 NLRI to be transported over an IPv6 MP-BGP
peer and allow IPv6 NLRI to be transported over an IPv4 MP-BGP peer.
If you want to use IPv4 multicast, you are limited to only IPv4
with that peer. The firewall does not support SAFI IPv6 multicast
at all. |
PLUG-10942 | For CN-Series deployments using the Advanced
Routing Engine with the Kubernetes 3.0.0 plugin, you must configure
Advanced Routing manually on the template stack:
|
PAN-265738
|
NAT is not configurable when HA clusters are configured. HA clusters
do not support NAT.
|
PAN-247465
|
(PA-7080 only) The firewall does not support Aquantia 10G
SFP transceivers.
|
PAN-246825
|
ECMP is not supported for equal-cost routes where one or more of
those routes has a virtual router or logical router as the next hop.
None of the equal-cost routes will be installed in the Forwarding
Information Base (FIB).
|
PAN-218067
|
By default, Next Generation firewalls and Panorama attempt to fetch
the device certificate or
Panorama device
certificate with each commit even when the firewall is
not using any Palo Alto Networks cloud
service.
You can prevent the firewall from attempting to fetch the device
certificate for the following firewalls:
To disable, log in to the firewall CLI
or Panorama CLI and enter the
following command:
|
PAN-216214
|
For Panorama-managed firewalls in an Active/Active High Availability
(HA) configuration where you configure the firewall HA settings (DeviceHigh Availability) in a template or template stack (PanoramaTemplates), performing a local commit on one of the HA
firewalls triggers an HA config sync on the peer firewall. This
causes the HA settings to display as overridden despite no config
override occurring.
|
PAN-215869
|
PAN-OS logs (MonitorLogs) experience a significant delay before they are
displayed if NetFlow (DeviceServer ProfilesNetFlow) is enabled on an interface (NetworkInterface). This may result in log loss if the volume of
delayed logs exceeds the logging buffer available on the
firewall.
The following firewalls are impacted:
|
PAN-205932 | DHCPv6 Client with Prefix Delegation is
currently incompatible with GlobalProtect. You cannot configure
GP gateways with dynamic IPv6 addresses. |
PAN-205166
|
(PA-440, PA-450, and PA-460 firewalls only) The CLI does not
display system information about the power supply when entering the
show system environmentals command.
As a result, the CLI cannot be used to view the current status of
the power adapter.
Workaround: To manually interpret the status of the firewall's
power adapter, verify that your power cable connections are secure
and that the LED on the power adapter is on. If the LED is not
illuminated even though the power cable connections are secure, your
power adapter has failed.
|
PAN-197412 | In IPSec transport mode, the traffic does
not flow if you configure BGP routes in a tunnel interface. While using
IPSec transport mode for BGP routes, configure the BGP routes on
a physical interface (for example, ethernet 1/1) and not the tunnel
interface. While IPSec tunnel mode for BGP routes works with the
tunnel interface, IPSec transport mode for BGP routes works with
the physical interface only. |
PAN-196530
|
On the PA-5440 firewall, the valid range to configure the maximum
number of site-to-site VPN tunnels is from 0 to 10,000.
admin@PA-5440# set import resource max-site-to-site-vpn-tunnels <0-10000>
|
PAN-192679 | (PA-415 and PA-445 firewalls) The hardware
can detect the presence of a power adapter but does not detect voltage
or functionality. As a result, the firewall’s Alarm feature is unavailable
to the power supply and is only raised when the device reaches temperature limits.
Furthermore, the firewall does not display power supply details
in system logs or the CLI. |