Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Focus

Limitations in PAN-OS 11.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Associated Content and Software Versions

Limitations in PAN-OS 11.1

What are the limitations related to PAN-OS 11.1 releases?

The following are limitations associated with PAN-OS 11.1.

Issue ID	Description
PAN-282022 `This issue is now resolved. See` PAN-OS 11.1.4-h16 Addressed Issues `and` PAN-OS 11.1.6-h5 Addressed Issues`.`	Panorama M-600 and M-700 appliances are not supported on the following releases: 11.1.4-h15 11.1.6-h4
PAN-280598	NGFW clusters don't support Persistent NAT for DIPP.
PAN-265738	NAT is not configurable when HA clusters are configured. HA clusters do not support NAT.
PAN-216214	For Panorama-managed firewalls in an Active/Active and Active/Passive High Availability (HA) configuration where you configure the firewall HA settings (DeviceHigh Availability) in a template or template stack (PanoramaTemplates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring.
PAN-259522	PA-7500 Series firewalls in an NGFW cluster do not support the failover of application-level gateway (ALG) sessions.
PAN-248739	In cases where traffic flow is redirected through the IFL/HSCI between NGFW cluster nodes, you might experience packet drops and intermittent failures with the establishment of new connections if the total bandwidth throughput is over 370G if you're using 400G HSCI. If you're using100G HSCI, anything over 80G will start seeing packet drops.
PAN-247583	(`PA-7500 firewall only`) Dual stacking for IPv4 and IPv6 addresses on the log ports is not supported. When enabling dual stacking, IPv4 is used by default, which disables any IPv6 log forwarding to external destinations. In order to forward logs to IPv6 endpoints, remove the IPv4 address and use an IPv6 address for the log interface.
PAN-246825	ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
PAN-240517	Enter any random username and password (or just press enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases: A scenario where the portal is running PAN-OS 11.1.3 and the satellite is running version earlier to 11.1.3, and the satellite cookie has expired. In this case, when you attempt to enable the serial number and IP address authentication method without adding the satellite IP address in the IP allow list on the portal, satellite authentication fails. The failure is due to a missing IP address in the IP allow list. A scenario where the portal is running PAN-OS 11.1.3 and the satellite is running version earlier to 10.2.8, if the satellite cookie expires before enabling the serial number and IP address authentication method on the portal, satellite authentication will fail due to satellite cookie expiration.
PAN-224255	(`PA-455 firewall only`) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall’s Alarm feature is unavailable to the power supply and is only raised when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI.
PAN-222118	When the preferred lifetime of the IPv6 address on the MGT interface expires, existing IPv6 sessions are disconnected. RFC 8415 indicates that existing communications must remain for the duration of the valid lifetime if the preferred lifetime expires (sessions must be active during the time between the preferred lifetime and valid lifetime). However, the NGFW limitation is that sessions are lost when the preferred lifetime expires.
PAN-218067	By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service. You can prevent the firewall from attempting to fetch the device certificate for the following firewalls: M-300 appliance M-500 appliance PA-400 Series firewalls PA-1400 Series firewalls PA-3400 Series firewalls PA-5400 Series firewalls PA-5450 firewall PA-7500 Series firewalls To disable, log in to the firewall CLI or Panorama CLI and enter the following command: admin> request certificate auto-fetch disable
PAN-192679	(`PA-415 and PA-445 firewalls`) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall’s Alarm feature is unavailable to the power supply and is only raised when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI.

Associated Content and Software Versions