When PAN-OS 7.1 was first released, firewalls could not forward files to the WildFire Japan cloud for analysis. This issue is resolved for all PAN-OS 7.1 releases due to an update to the WildFire Japan cloud in August 2016.

When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.

If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.

Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
{"pattern":
"https://[*.]", "filter":{}}
Click Save. The Google Admin console deploys the policy to all devices within a few minutes.

By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.

Add 0.0.0.0/0 as an access route.
Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.

When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic.

(PAN-OS 7.1.18 and later PAN-OS 7.1 releases) After a high availability (HA) firewall cluster with graceful restart enabled on routing protocols fails over, it does not immediately display the connected, static, and host routes as Active. This issue does not impact performance and the routes typically display as Active, again, within 30 seconds after the failover.

Firewalls in an active/active high availability (HA) deployment, with a default session setup and owner configuration, drop packets in a GlobalProtect VPN tunnel that uses a floating IP address.

After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

The firewall does not apply password profile settings (Device > Password Profiles) to administrator accounts.

Firewalls randomly retain IP address-to-username mappings even after receiving information via User-ID Redistribution that the mapping was deleted or expired.

The request system external-list show type ip name <EDL_name> CLI command does not display external dynamic list entries after you restart the management server (mgmtsrvr) process.

The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server.

The VM-Series firewall for NSX randomly disrupts traffic due to high CPU usage by the pan_task process.

The firewall generates System logs with High severity for Dataplane under severe load conditions that do not affect traffic.

On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.

Commits fail on a PA-7000 Series firewall when the firewall configuration grows so large that it exhausts the internal configuration memory or the CTD memory buffer on the Network Processing Card (NPC).

On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.

On PA-7000 Series firewalls in a high availability (HA) configuration, the HA3 link does not come up after you upgrade to PAN-OS 7.1.14 or a later 7.1 release.

On the Panorama management server, a policy rule dialog automatically closes within a couple of seconds after you open it to create or edit a rule.

On a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the firewall drops tunneled traffic after clear text sessions are established on a dataplane other than the first dataplane (DP0).

On firewalls in an active/active high availability (HA) configuration, the primary firewall, with a floating IP address bound to it, sends ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address causes the secondary firewall to drop traffic.

The firewall stops enforcing policy after an automatic or manual refresh of an External Dynamic List (EDL) that has an invalid IP address or that resides on an unreachable web server.

Root partition utilization approaches the maximum capacity because the firewall doesn't remove WildFire download logs that are due for removal.

SNMP managers do not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances.

The firewall dataplane slows significantly and, in some cases, stops responding if you use nested wildcards ("*") with "." or "/" as delimiters in the URLs of a custom URL category (Objects > Custom Objects > URL Category) or in the Allow List of a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides).

The Panorama management server doesn't display an Override button for Objects > External Dynamic Lists in child device groups that inherit the objects from parent device groups.

On PA-5000 Series firewalls running PAN-OS 7.1.12 or a later 7.0 release, insufficient proxy memory causes decryption failures and prevents users from accessing the GlobalProtect portal or gateway.

PAN-OS removes the IP address-to-username mappings of end users who log in to a GlobalProtect internal gateway within a second of logging out from it.

The User-ID process (useridd) produces an error message (Server error : Client useridd not ready) and stops responding during a commit operation.

Switching firewalls to FIPS-CC mode sets the Base DN to None and disables the Verify Server Certificate for SSL sessions option for LDAP server profiles that you view or edit in the web interface (Device > Server Profiles > LDAP).

On firewalls in an active/passive high availability (HA) configuration with link or path monitoring enabled, a failover resulting from a link or path failure intermittently causes the deletion of host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that becomes active. The link or path failure also causes the intermittent sending of unnecessary BGP withdrawal messages to BGP peers.

End users cannot access websites for which the firewall applies Decryption policy and uses Online Certificate Status Protocol (OCSP) to verify the status of certificates. The issue occurs in cases where the certificate cache on the firewall is modified during the access attempts.

Firewalls report an interface speed of zero for some interfaces instead of the maximum possible speed when you run an SNMP query for the ifHighSpeed object (OID 1.3.6.1.2.1.31.1.1.1.15).

On occasion, the App-ID for an application that is using SSL is identified incorrectly. This issue occurs when a server hosts multiple applications on the same port, and the firewall has identified traffic for an application using this port on the server and then inaccurately records other applications on this server-port combination as the previously identified application.

After you disable the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applies the option: end users with endpoints that use Extended Authentication (X-Auth) don't have to re-authenticate when the key used to establish the IPSec tunnel expires (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).

The WF-500 appliance sends ICMP unreachable messages from the VM Interface to the Management interface.

VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

(PAN-OS 7.1.11 and later 7.1 releases) Firewalls do not send queries for updated user mappings to User-ID agents; instead, the firewalls wait until the agents learn and forward new user mappings. In a deployment that includes Windows-based User-ID agent 7.0.7 or earlier agent releases, this delay in updating user mappings on the firewalls disrupts user-based policy enforcement because the firewalls prematurely remove user mappings received from those agents (see WINAGENT-53 in the User-ID Agent 7.0.8 Addressed Issues list).

The Panorama management server stops responding after you use a PAN-OS XML API call to rename a policy rule or object and you accidentally use its old name as the new name.

Blocking proxy sessions to enforce Decryption policy rules causes packet buffer depletion, which eventually results in packet loss.

PA-5000 Series firewalls in an active/active high availability (HA) configuration intermittently drop packets due to a race condition that occurs when the session owner and session setup are on different HA peers.

On VM-Series firewalls, the session capacity drops to 1,248 after you activate a capacity license.

Traffic delays occur on PA-7000 Series firewalls due to packet buffer congestion when the all_pktprocprocess stops responding due to an incorrect Policy Based Forwarding (PBF) policy rule ID that references an invalid egress interface.

The firewall dataplane restarts while processing traffic after you enable SSL Inbound Inspection but not SSL Forward Proxy decryption.

After you rename an object in a device group on the Panorama management server, a commit error occurs because policies in the child device groups still reference the object by its old name.

Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).

The firewall stops submitting samples to WildFire for analysis until you run the debug wildfire reset dp-receiver CLI command.

PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.

The firewall mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage when a connection failure occurs between the firewall and a syslog server that use TCP over SSL/TLS to communicate.

After using a Panorama management server running PAN-OS 7.1 to Force Template Values when pushing device group or template configurations to firewalls running an earlier PAN-OS release, FQDN refreshes fail on the firewalls.

The Panorama management server cannot deploy antivirus or WildFire updates to firewalls that already have later versions of the updates.

In rare cases, when the firewall is under a heavy load, some PAN-OS software update-related processes stall and do not recover.

Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

Loading a partial configuration (using the load config partial CLI command) changes the port numbers in service and service group objects.

A PA-7000 Series firewall running PAN-OS 7.1.12 or an earlier release stops saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 release pushes a predefined report that specifies a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).

Firewalls in an active/passive HA configuration with OSPF or BGP graceful restart enabled take longer than expected to fail over.

Deploy your firewalls in an active/active HA configuration.
Disable OSPF or BGP graceful restart.
Set the Promotion Hold Time and Additional Master Hold Up Time to 0ms in the HA configuration (Device > High Availability > Election Settings).

In rare cases on a Panorama management server in a high availability (HA) configuration, the virtual machine (VM) auth key disappears after you reboot the active HA peer.

Dynamic address updates take several minutes to complete on Panorama in NSX deployments.

PA-7000 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.

In a high availability (HA) hardware security module (HSM) configuration, the crypto process (cryptod) for the SafeNet resource library in SafeNet Client 6.2.2 stops responding when the route to the HSM changes. This process also stops responding intermittently when the cryptod process tries to close the HSM sessions.

PA-7000 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.

After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful.

Administrators with a custom role cannot delete packet captures.

Several dataplane processes stop responding when the firewall processes VPN traffic with IP packet chains, which were usually triggered by IP fragmentation or SSL decryption operations.

On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1.

On PA-7000 Series firewalls, Generic Routing Encapsulation (GRE) session creation fails when the firewalls receive GRE packets with a Point-to-Point Protocol (PPP) payload.

On PA-7000 Series firewalls, disabling the option to Turn on QoS feature on this interface (Network > QoS) reduces throughput on 40Gbps interfaces.

A Panorama management server running a PAN-OS 8.0 release or PAN-OS 7.1.8 or later 7.1 release does not display logs from PA-7000 Series firewalls running a PAN-OS 7.1 or 7.0 release.

When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules.

A regression introduced in PAN-OS 7.1.9 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.

The firewall doesn't decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).

Firewalls configured to use a SafeNet hardware security module (HSM) server successfully create a support file when you export support file from the web interface but they incorrectly return the following error message: op command for client cryptod time out as client is not available. This issue also occurs when requesting the support file using the request hsm support-info CLI command but you can confirm that the support info file was created successfully by using a different HSM-related command, such as show hsm state , after you request the HSM support file.

As of PAN-OS 7.1.9, the PA-200 firewalls no longer store the previous WildFire content package after a WildFire content update. As a result, the option to revert to the previous WildFire package is no longer available on the web interface. However, the CLI command for this task (request wildfire downgrade install previous) was not removed and now results in an error message (downgrade job failed).

Loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removes authentication profiles from GlobalProtect portals and gateways, which causes an auto-commit failure.

Panorama does not push a shared address object to firewalls when the object is part of a dynamic address group that uses a tag.

After a firewall successfully installs a content update received from Panorama, Panorama displays a failure message for the update if the associated job ID on the firewall is higher than 65536.

The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the errors user-id is not registerd and ser-ID manager was reset. Commit is required to reinitialize User-ID.

The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.

On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.

On firewalls in an active/passive HA configuration, a link-monitoring failure causes a delay in OSPF convergence on the firewall that becomes active after HA failover.

Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops.

End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.

In PAN-OS 7.1.7, deactivating a VM-Series firewall from Panorama completes successfully, but the web interface does not update to show that deactivation is complete.

A firewall in FIPS-CC mode reboots in maintenance mode after you download GlobalProtect Client software that is listed under Device > GlobalProtect Client but is unavailable on the Palo Alto Networks Update Server.

The Panorama log collector does not support the server-verification CLI configuration, thereby preventing you from using the CLI to install content and software updates in a secure manner.

In PAN-OS 7.1.7, when deactivating a VM-Series firewall from Panorama, if Panorama has the Verify Update Server Identity setting enabled (Panorama > Setup > Services > Verify Update Server Identity), but the firewall has the setting disabled (Device > Setup > Services), deactivation on the firewall does not complete successfully and the firewall becomes unreachable.

Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error:

Import of <cert name> failed

. Unsupported digest or keys used in FIPS-CC mode.

The firewall maps users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.

(PAN-OS 7.1.5 and later releases only) When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never.

The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture).

When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied.

On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).

The GlobalProtect agent fails to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.

When a Multicast Forwarding Information Base (MFIB) times out, the packet processing process (flow_ctrl) stops, which intermittently causes the firewall dataplane to restart.

In PAN-OS 7.1.6, SSL sessions are discarded if the server certificate chain size exceeds 23KB. See Changes to Default Behavior for more information about this issue.

On PA-7000 Series and PA-5000 Series firewalls, users who access applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.

On PA-7000 Series firewalls and Panorama Log Collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups.

SSH sessions are incorrectly subjected to a URL category lookup even when SSH decryption is not enabled. As a result, SSH traffic is blocked when you enable forward proxy and configure a deny rule to match all traffic whose URL category is Unknown.

Installing a content update or committing configuration changes on the firewall causes RTP sessions that were created from predict sessions to move from an active state to a discard state.

Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly, and results in issues after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: www.vmware.com/support/pubs/nsx_pubs.htmlWorkaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.

The firewall captures packets of IP addresses that are not included in the packet filter (Monitor > Packet Capture).

The Network Monitor report (Monitor > App Scope > Network Monitor) displays only partial data when you select Source or Destination for a data set that includes a large number of source or destination IP addresses and usernames. However, the report does display all data as expected when you instead select Application or Application Category for a large data set.

VM-Series firewalls don't apply NAT translation to the ports in the via and contact headers of Session Initiation Protocol (SIP) sessions after you enable Dynamic IP and Port (DIPP) NAT.

In PAN-OS 7.1 and later releases, the maximum number of address objects you can resolve for an FQDN is increased from 10 of each address type (IPv4 and IPv6) to a maximum of 32 each. However, the combination of IPv4 and IPv6 addresses cannot exceed 512B; if it does, addresses that are not included in the first 512B are dropped and not resolved.

If you delete the proxy server configuration on the firewall for the AutoFocus service, the configuration remains.

For a firewall in an HA active/active configuration, session timeouts for some traffic unexpectedly refresh after a commit or HA sync attempt.

The automatic license deactivation workflow for firewalls with direct internet access does not work.

Deleting the default administrator account on a VM-Series firewall in AWS causes the firewall to go into maintenance mode. This occurs because, to reboot successfully, the firewall requires the SSH key associated with the administrator account (the private key— ssh-key —used to provision the firewall in AWS).

If you configure the GlobalProtect portal or gateway to authenticate using an authentication sequence and then specify a domain\user in the User/User Group settings of an agent configuration, authentication using secure encrypted cookies will fail.

The pan-comm option for restarting the dataplane communication process is not available in the debug software restart process operational CLI command.

By default, the AutoFocus URL in the AutoFocus settings (Device > Setup > Management) is pre-configured with the correct URL for connecting to AutoFocus but the firewall will fail to connect to AutoFocus if you don't manually re-enter the URL. This issue occurs only when you initially configure AutoFocus settings (for example, after performing a factory reset of the firewall or after upgrading to PAN-OS 7.1).

The VM-Series for Azure is supported in the Azure Resource Manager (ARM) environment only. You cannot export the VM-Series firewall or its VHD disk image from Azure and deploy it in a local or private data center. Also, you cannot re-import a VM-Series firewall or its VHD disk image into the ARM environment.

You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied.

To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects.
To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects. Click OK to save the modified object and Commit.

Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.

The Administrator Use Only option (Template > Device > Radius Profile) is not available in PAN-OS 7.1.0 or PAN-OS 7.1.1.

During the connection of a satellite to the GlobalProtect gateway, the Online Certificate Status Protocol (OCSP) verification for the GlobalProtect certificate fails because the OCSP response does not contain the signature certificate.

High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).

The firewall does not display the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) if you Close the job execution status dialog (appears when you click Run Now to generate a SaaS report) and move to another tab and continue to Commit changes before the SaaS report finishes generating.

When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.

If you create a log filter by clicking a value in the Destination Country or Source Country column of a log page (such as the Monitor > Logs > Traffic page), the filter does not work because the filter string uses the country name instead of the country code. This issue occurs only when the value is a country; the filter works for other types of regions (such as city names).

If a call manager or SIP proxy is in a different zone than either the called or the calling party, using the hold and resume feature can result in one-way audio.

Simultaneous transfer of large files from two different SMB servers over a GlobalProtect connection from a Windows 8 client causes the connection to fail.

When the firewall is processing a high volume of BFD sessions for routing peers that use BGP, OSPF or RIP, and the firewall is also processing a high volume of packets that belong to existing sessions and are not offloaded, the BFD sessions to those peers will flap when the firewall receives a content update.

There is an issue where PA-7000 Series firewalls experience BGP disconnections because the firewall fails to send keepalive messages to neighbors within specified timers.

An ungraceful reboot on a VM-Series firewall causes Dynamic IP address information to get out of sync.

The FPGA intermittently fails to initialize on PA-5000 Series firewalls.

In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicate the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.

The botnet log cleanup job on a PA-7000 Series firewall runs two hours before the system-generated botnet reports are triggered, which results in empty or no botnet reports when no logs are collected between jobs.

Decrypted SSH sessions are not mirrored to the decrypt mirror interface as expected.

Tarball images for bootstrapping firewalls that are created using a Mac OS (BSD-based tar format) are incompatible with the Debian-based tar format used by PAN-OS firewalls.

For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a device group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.

When you open the SaaS Application Usage Report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you attempt to export PDFs from each tab, only the first request is accurate; all successive attempts will result in PDFs that are duplicates of the first report.

A Panorama management server running on an M-Series appliance cannot connect to a SafeNet Network or nCipher nShield Connect hardware security module (HSM).

When you push configurations to a specific device group, the Panorama web interface displays a commit failure message (commit timed out) even though the operation succeeded.

On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not updated on the VM-Series firewalls.

If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.

When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.

Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.

BFD sessions are not established between two RIP peers when there are no RIP advertisements.

The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error:

Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>

.

A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode will fail to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases.

For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.

FIPS-CC mode is not supported on the VM-Series firewall on Microsoft Hyper-V. Although the option for FIPS-CC mode is displayed in the maintenance mode menu, you cannot enable this option.

The firewall does not update some processes as expected (such as mgmtsrvr, reportd, logd, and pan_log_receiver) when you specify a new DNS server (Device > Setup > Services [> Global ]), which causes the firewall to continue forwarding some DNS requests to the previously configured DNS server instead of the current one.

On PA-7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you have set up a custom service route for the firewall to use to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you’ve configured the firewall to use a service route for DNS requests, and in this case, you must perform the following workaround to enable communication between the firewall data plane and the log card interface.

Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes the connection to the BGP peer to flap.

Destination-based service routes do not work for RADIUS authentication servers.

WildFire Analysis reports do not display as expected in the WildFire Analysis Report tab (Monitor > Logs > WildFire Submissions > Detailed Log View) on PA-7000 Series firewalls running PAN-OS 7.0.2 and later releases.

When you enable jumbo frames on a VM-Series firewall in AWS using the set deviceconfig setting jumbo-frame mtu configuration mode CLI command, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes.

The VM-Series firewall on Citrix SDX does not support jumbo frames.

IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.

The URL block page does not display as expected when proxied requests from client use CONNECT method.

If you log in to Panorama as a Device Group and Template administrator and rename a device group, the Panorama > Device Groups page no longer displays any device groups.

Web pages using the HTTP Strict Transport Security (HSTS) protocol sometimes do not display properly for end users.

When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.

On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.

On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter gets added as A1 and query results display A1 instead of Unknown.

The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in an active/active HA configuration.

WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0 or later releases.

Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.

Typing user group names instead of selecting from a drop-down when configuring policy rules disrupts the enforcement of rules that are based on those groups in cases where the firewall has not finished processing group mappings retrieved from an LDAP server.

When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.

When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.

If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and then use the CLI to downgrade the device to PAN-OS 6.1 or an earlier release and reboot, an error message appears the next time you access Log Settings. This occurs because PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases display the settings in multiple sub-pages. To clear the message, navigate to another page and return to any Log Settings sub-page; the error will not recur in subsequent sessions.

In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.

The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.

The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering >

<URL Filtering profile>

> Settings).

Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.

Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.

Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the new Rule Type setting in Security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.

If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.

Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.

After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.

On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules Preview window does not display post rules and local rules for managed devices.

Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.

(VM-Series for NSX firewalls only) When deleting the VM-Series configuration, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.

(VM-Series for NSX firewalls only) In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM-Series NSX edition firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to that VM-Series firewall.

A VM-Series firewall on an ESXi host fails to deploy with an error message: Invalid OVF Format in Agent Configuration.

If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active.

When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top right corner) to update the list of sessions causes the Filter menu to display incorrectly and clears any previously selected filters.

(VM-Series for NSX firewalls only) When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.

When deploying the VM-Series firewall, the Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This error displays even for a successful deployment. You can ignore the message if the VM-Series firewall is successfully deployed.

The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful.

If you deploy the VM-Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file.

When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.

The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.

When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error—or invalid (udp) port number error—displays when you remove the destination (TCP or UDP) port.

When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group.

Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode.

On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group.

On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.

Adding or removing ports on the Citrix SDX server after deploying the VM-Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall.

The following issues apply when configuring a firewall to use a hardware security module (HSM):

nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show ha-status and show hsm info commands is blocked for 20 seconds.

After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.

The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command.

In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN-OS software image.

You cannot configure the management IP address on an M-100 appliance while it is operating as the secondary passive peer in an HA pair.

By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present.

If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address.

If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall continues to forward the traffic that is not, yet, decrypted.

SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In an HA configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails.

When you use Panorama templates to schedule a log export (Device > Scheduled Log Export) to an SCP server, you must log in to each managed device and Test SCP server connection after the template is pushed. The connection is not established until the firewall accepts the host key for the SCP server.

Attempts to reset the master key from the web interface (Panorama > Master Key and Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem when pushing a configuration from Panorama to a device because it is not necessary for the keys to match.