Limitations in PAN-OS 11.1
What are the limitations related to PAN-OS 11.1 releases?
The following are limitations associated with PAN-OS 11.1.
Issue ID | Description |
---|---|
PAN-282022 (This issue is now resolved. See PAN-OS 11.1.4-h16 Addressed Issues and PAN-OS 11.1.6-h5 Addressed Issues.) | Panorama M-600 and M-700 appliances are not supported on the following releases: |
PAN-280598 | NGFW clusters don't support Persistent NAT for DIPP. |
PAN-265738 | NAT is not configurable when HA clusters are configured. HA clusters do not support NAT. |
PAN-259522 | PA-7500 Series firewalls in an NGFW cluster do not support the failover of application-level gateway (ALG) sessions. |
PAN-248739 | In cases where traffic flow is redirected through the IFL/HSCI between NGFW cluster nodes, you might experience packet drops and intermittent failures with the establishment of new connections if the total bandwidth throughput is over 370G when you're using 400G HSCI. If you're using 100G HSCI, packet drops start at anything over 80G. |
PAN-247583 | (PA-7500 firewall only) Dual stacking for IPv4 and IPv6 addresses on the log ports is not supported. When enabling dual stacking, IPv4 is used by default, which disables any IPv6 log forwarding to external destinations. In order to forward logs to IPv6 endpoints, remove the IPv4 address and use an IPv6 address for the log interface. |
PAN-246825 | ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB). |
PAN-240517 | Enter any random username and password (or just press enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases: |
PAN-224255 | (PA-455 firewall only) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall's Alarm feature is unavailable for the power supply, and an alarm is raised only when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI. |
PAN-222118 | When the preferred lifetime of the IPv6 address on the MGT interface expires, existing IPv6 sessions are disconnected. RFC 8415 indicates that existing communications must remain for the duration of the valid lifetime if the preferred lifetime expires (sessions must be active during the time between the preferred lifetime and valid lifetime). However, the NGFW limitation is that sessions are lost when the preferred lifetime expires. |
PAN-218067 | By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service. You can prevent the firewall from attempting to fetch the device certificate for the following firewalls: To disable, log in to the firewall CLI or Panorama CLI and enter the following command: |
PAN-192679 | (PA-415 and PA-445 firewalls) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall's Alarm feature is unavailable for the power supply, and an alarm is raised only when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI. |