Changes to Default Behavior in PAN-OS 11.2

What default behavior changes impact PAN-OS 11.2?
The following table details the changes in default behavior upon upgrade to PAN-OS® 11.2. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Feature | Change
Preventing DoS Attacks with Enhanced DoS and PBP configurations
In PAN-OS 11.2.2 and previous versions, the default value of the hardware-acl-blocking duration is one second.
In PAN-OS 11.2.3 and later 11.2 versions, the default value for the hardware-acl-blocking duration has been increased to 30 seconds.
IKE protocol version support
(PAN-OS 11.2 and later releases)
We have changed the default IKE protocol version support from IKEv1 to IKEv2.
  • If you have not configured the IKE protocol version in the IKE gateway configuration, then PAN-OS supports the IKEv2 protocol version by default.
  • For VPN clusters, PAN-OS supports IKEv2 only mode by default; support for the IKEv1 only mode and IKEv2 preferred mode configurations has been removed.
IKEv2 Gateway Configuration Requires Explicit CLI Setting
(For firewalls running versions between 11.2.0 and 11.2.4 managed by Panorama running 11.2 or later versions)
A configuration interpretation error occurs on Panorama-managed firewalls when you establish IKEv2 gateways using Panorama's default configuration settings. If you configure a new IKEv2 gateway on Panorama with the default settings (the default IKE version, IKEv2, and the default IKE and IPSec Crypto profiles, with no modifications to the crypto profile parameters) and then push this configuration to a managed firewall, the receiving firewall incorrectly interprets the new IKEv2 gateway as an IKEv1 gateway.
To prevent this misinterpretation, manually specify the IKE version as "IKEv2" through Panorama's CLI before committing and deploying the configuration to the firewalls.
This issue specifically impacts firewalls running versions between 11.2.0 and 11.2.4 when they receive configurations from Panorama running 11.2 or later versions.
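The following pre-push check is an added example, not Palo Alto Networks code: it lists IKE gateways in an exported configuration that have no explicitly set IKE version, and tests whether a firewall's software version falls in the 11.2.0 to 11.2.4 range named above. The XML layout (`ike/gateway/entry` with `protocol/version`), the gateway and firewall names, and the handling of hotfix suffixes are assumptions, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an exported Panorama configuration (not from a device).
# Assumption: each IKE gateway is an <entry> under <ike><gateway>, and an
# explicitly set IKE version appears as <protocol><version>.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="gw-branch-a">
    <protocol><version>ikev2</version></protocol>
  </entry>
  <entry name="gw-branch-b">
    <protocol><ikev2><dpd><enable>yes</enable></dpd></ikev2></protocol>
  </entry>
  <entry name="gw-branch-c"/>
</gateway></ike></network></entry></devices></config>
"""

def gateways_without_explicit_version(config_xml):
    """Return names of IKE gateways that rely on the default IKE version."""
    root = ET.fromstring(config_xml)
    missing = []
    for gw in root.findall(".//ike/gateway/entry"):
        version = gw.findtext("protocol/version")
        if version is None or not version.strip():
            missing.append(gw.get("name"))
    return missing

def firewall_in_affected_range(sw_version):
    """True for 11.2.0 through 11.2.4, the firewall range the page names.

    Assumption: a hotfix suffix such as "-h1" is ignored in the comparison.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", sw_version)
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {sw_version!r}")
    major, minor, maint = map(int, m.groups())
    return (major, minor) == (11, 2) and 0 <= maint <= 4

if __name__ == "__main__":
    print("Gateways relying on the default IKE version:",
          gateways_without_explicit_version(SAMPLE_CONFIG))
    # Constructed inventory of managed firewalls and their software versions.
    for fw, ver in {"fw-hq": "11.2.3", "fw-dr": "11.2.5", "fw-lab": "11.1.6"}.items():
        state = "affected" if firewall_in_affected_range(ver) else "not affected"
        print(fw, ver, state)
```

Any gateway the check reports that is pushed to a firewall in the affected range is a candidate for the explicit IKEv2 setting described above.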