On PAN-OS 11.1.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime to be higher, it will remain valid only for the duration of the tunnel login lifetime. This change further strengthens the security of the authentication override cookie by preventing its use after the tunnel login lifetime expires.

Ports 9300, 9301, and 9302 are now used for communication among Log Collectors in a Collector Group for log distribution and must be opened on your network.

When High Speed Log Forwarding is enabled on a PA-7500, only Management Plane logs are affected. To view and store Data Plane logs, you must configure log forwarding and enable demo mode.

The minimum number of Log Collectors required for a Collector Group to be operational is based on the following formula where n equals the total number of Log Collectors in the Collector Group:

For example, if you configure a Collector Group with six Log Collectors, a minimum of four Log Collectors are required for the Collector Group to be operational.

Additionally, you should round down the minimum number of Log Collectors required if you have an odd number of Log Collectors in a Collector Group. For example, if you have three Log Collectors in a Collector Group, you need at least two Log Collectors for the Collector Group to remain operational.

When you upgrade the PAN-OS version from 11.0.x to 11.1.0, then:

• The Use Default Browser option gets enabled (check box selected) in the Client Authentication setting of the portal configuration if any of the portal agent configuration has Use Default Browser for SAML Authentication option enabled.

When you upgrade the PAN-OS version from 11.0.x to 11.1.0 and if the Use Default Browser for SAML Authentication option is set to No in the app settings, then the Use Default Browser option is not added and the option is not displayed on the Client Authentication screen.

If you downgrade the PAN-OS version from 11.1.0 to an earlier version, the Use Default Browser configuration that you have configured in the Client Authentication setting of the portal will be removed.

When you upgrade to PAN-OS 11.1, the firewall evaluates the authentication policy for every explicit proxy traffic policy match.

In PAN-OS 11.1 and previous versions, when you select the Exit the sequence on failed authentication option, the firewall ends the authentication sequence when the authentication profile successfully authenticates the user or the firewall has unsuccessfully attempted authentication with all authentication profiles.

In PAN-OS 11.1.1, when you select the Exit the sequence on failed authentication option, the authentication sequence ends when the authentication profile authenticates successfully or fails the authentication.

The 2.0.2 version of the OpenConfig plugin is automatically installed to enable on-demand telemetry streaming. When telemetry is enabled on the device, OpenConfig establishes a connection to AIOps for NGFW. Upon successful plugin initialization, the __openconfig user becomes visible in administrative sessions, and all telemetry traffic is routed through the OpenConfig plugin.

The automated commit recovery feature default iteration and timeout values have changed. The default iteration value has changed from 1 to 5 seconds, and the timeout value has changed from 10 to 30 seconds.