Focus

Changes to Default Behavior in PAN-OS 11.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Changes to Default Behavior

Limitations

Changes to Default Behavior in PAN-OS 11.1

What default behavior changes impact PAN-OS 11.1?

The following table details the changes in default behavior upon upgrade to PAN-OS® 11.1. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.

Feature	Change
Authentication for explicit proxy	When you upgrade to PAN-OS 11.1, the firewall evaluates the authentication policy for every explicit proxy traffic policy match.
Authentication sequence	In PAN-OS 11.1 and previous versions, when you select the Exit the sequence on failed authentication option, the firewall ends the authentication sequence when the authentication profile successfully authenticates the user or the firewall has unsuccessfully attempted authentication with all authentication profiles. In PAN-OS 11.1.1, when you select the Exit the sequence on failed authentication option, the authentication sequence ends when the authentication profile authenticates successfully or fails the authentication.
Panorama Management of Multi-Vsys Firewalls `Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only`	For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls. As a result, you must delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use . The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall. Pre and Post Rules External Dynamic Lists (EDL) Security Profile Groups HIP objects and profiles Custom objects Decryption profiles SD-WAN Link Management Profiles
	Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama. This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.

Changes to Default Behavior

Limitations

Next-Generation Firewall Docs

Changes to Default Behavior in PAN-OS 11.1

Next-Generation Firewall Docs

Changes to Default Behavior in PAN-OS 11.1

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner