Known Issues Related to PAN-OS 7.1 Releases
List of known issues in the PAN-OS® 7.1 release.
The following list describes WildFire Known Issues, GlobalProtect Known Issues, and Firewall and Panorama Known Issues in the PAN-OS 7.1 release:
For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882. Starting with PAN-OS 7.1.5, these release notes identify all unresolved known issues using new issue ID numbers that include a product-specific prefix. Known issues for earlier releases use both their new issue IDs and their original issue IDs (in parentheses).
WildFire Known Issues
This issue is now resolved.
When PAN-OS 7.1 was first released, firewalls could not forward files to the WildFire Japan cloud for analysis. This issue is resolved for all PAN-OS 7.1 releases due to an update to the WildFire Japan cloud in August 2016.
When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround:Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor> WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab.
GlobalProtect Known Issues
If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.
Workaround:To prevent excessive prompts, configure a policy in the Google Admin console to specify the client certificate and deploy that policy to your managed Chromebooks:
By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround:To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP-100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways ><gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.
Firewall and Panorama Known Issues
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
ElasticSearch is forced to restart when the
masterdprocess misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message:
no USB device found.
Workaround:Perform a factory reset or run the
request system private-data-resetCLI command and then proceed with bootstrapping.
PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.
Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic.
(PAN-OS 7.1.18 and later PAN-OS 7.1 releases) After a high availability (HA) firewall cluster with graceful restart enabled on routing protocols fails over, it does not immediately display the connected, static, and host routes as Active. This issue does not impact performance and the routes typically display as Active, again, within 30 seconds after the failover.
Firewalls in an active/active high availability (HA) deployment, with a default session setup and owner configuration, drop packets in a GlobalProtect VPN tunnel that uses a floating IP address.
After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
The firewall does not apply password profile settings (Device > Password Profiles) to administrator accounts.
Firewalls randomly retain IP address-to-username mappings even after receiving information via User-ID Redistribution that the mapping was deleted or expired.
The request system external-list show type ip name <EDL_name> CLI command does not display external dynamic list entries after you restart the management server (mgmtsrvr) process.
The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server.
The VM-Series firewall for NSX randomly disrupts traffic due to high CPU usage by the pan_task process.
The firewall generates System logs with High severity for Dataplane under severe load conditions that do not affect traffic.
On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
Workaround:Perform another commit.
Commits fail on a PA-7000 Series firewall when the firewall configuration grows so large that it exhausts the internal configuration memory or the CTD memory buffer on the Network Processing Card (NPC).
Workaround:Upgrade your firewall to PAN-OS 8.0.9 or a later release. The extended memory NPCs (PAN-PA-7000-20GXM-NPC and PAN-PA-7000-20GQXM-NPC) offer additional memory, which accommodates larger configurations.
On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
Workaround:Perform another commit.
On PA-7000 Series firewalls in a high availability (HA) configuration, the HA3 link does not come up after you upgrade to PAN-OS 7.1.14 or a later 7.1 release.
Workaround:Unplug and replug the HSCI modules.
On the Panorama management server, a policy rule dialog automatically closes within a couple of seconds after you open it to create or edit a rule.
On a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the firewall drops tunneled traffic after clear text sessions are established on a dataplane other than the first dataplane (DP0).
Workaround:Use Palo Alto Networks firewalls on both ends of the IPSec tunnel, or use one proxy ID per tunnel, or use only DP0 for establishing clear text sessions (run the set session processing-cpu dp0 CLI command).
On firewalls in an active/active high availability (HA) configuration, the primary firewall, with a floating IP address bound to it, sends ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address causes the secondary firewall to drop traffic.
The firewall stops enforcing policy after an automatic or manual refresh of an External Dynamic List (EDL) that has an invalid IP address or that resides on an unreachable web server.
Workaround:Do not refresh EDLs that have invalid IP addresses or that reside on unreachable web servers.
Root partition utilization approaches the maximum capacity because the firewall doesn't remove WildFire download logs that are due for removal.
Workaround:Manually kill the WildFire download processes.
SNMP managers do not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances.
The firewall dataplane slows significantly and, in some cases, stops responding if you use nested wildcards ("*") with "." or "/" as delimiters in the URLs of a custom URL category (Objects > Custom Objects > URL Category) or in the Allow List of a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides).
Workaround:The best practice is to use a single wildcard to cover multiple tokens or a caret (^) to target a single token. For details, see the article Nested Wildcard in URLs May- Severely Affect Performance.
The Panorama management server doesn't display an Override button for Objects > External Dynamic Lists in child device groups that inherit the objects from parent device groups.
On PA-5000 Series firewalls running PAN-OS 7.1.12 or a later 7.0 release, insufficient proxy memory causes decryption failures and prevents users from accessing the GlobalProtect portal or gateway.
PAN-OS removes the IP address-to-username mappings of end users who log in to a GlobalProtect internal gateway within a second of logging out from it.
The User-ID process (useridd) produces an error message (Server error : Client useridd not ready) and stops responding during a commit operation.
Switching firewalls to FIPS-CC mode sets the Base DN to None and disables the Verify Server Certificate for SSL sessions option for LDAP server profiles that you view or edit in the web interface (Device > Server Profiles > LDAP).
Workaround:Use the CLI (set shared server-profile ldap) or PAN-OS XML API to configure the Base DN and Verify Server Certificate for SSL sessions option for LDAP server profiles.
On firewalls in an active/passive high availability (HA) configuration with link or path monitoring enabled, a failover resulting from a link or path failure intermittently causes the deletion of host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that becomes active. The link or path failure also causes the intermittent sending of unnecessary BGP withdrawal messages to BGP peers.
End users cannot access websites for which the firewall applies Decryption policy and uses Online Certificate Status Protocol (OCSP) to verify the status of certificates. The issue occurs in cases where the certificate cache on the firewall is modified during the access attempts.
Firewalls report an interface speed of zero for some interfaces instead of the maximum possible speed when you run an SNMP query for the ifHighSpeed object (OID 22.214.171.124.126.96.36.199.1.1.15).
On occasion, the App-ID for an application that is using SSL is identified incorrectly. This issue occurs when a server hosts multiple applications on the same port, and the firewall has identified traffic for an application using this port on the server and then inaccurately records other applications on this server-port combination as the previously identified application.
After you disable the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applies the option: end users with endpoints that use Extended Authentication (X-Auth) don't have to re-authenticate when the key used to establish the IPSec tunnel expires (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
The WF-500 appliance sends ICMP unreachable messages from the VM Interface to the Management interface.
VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).
(PAN-OS 7.1.11 and later 7.1 releases) Firewalls do not send queries for updated user mappings to User-ID agents; instead, the firewalls wait until the agents learn and forward new user mappings. In a deployment that includes Windows-based User-ID agent 7.0.7 or earlier agent releases, this delay in updating user mappings on the firewalls disrupts user-based policy enforcement because the firewalls prematurely remove user mappings received from those agents (see WINAGENT-53 in the User-ID Agent 7.0.8 Addressed Issues list).
Workaround:Upgrade the Windows-based User-ID agents to User-ID agent 7.0.8 or a later release. Alternatively, run the debug user-id query-unknown-ip yes CLI command on firewalls so that they will query the agents running an earlier User-ID agent release; however, if you use the alternate workaround, you must re-run the debug user-id command every time the firewall reboots.
The Panorama management server stops responding after you use a PAN-OS XML API call to rename a policy rule or object and you accidentally use its old name as the new name.
Blocking proxy sessions to enforce Decryption policy rules causes packet buffer depletion, which eventually results in packet loss.
PA-5000 Series firewalls in an active/active high availability (HA) configuration intermittently drop packets due to a race condition that occurs when the session owner and session setup are on different HA peers.
On VM-Series firewalls, the session capacity drops to 1,248 after you activate a capacity license.
Traffic delays occur on PA-7000 Series firewalls due to packet buffer congestion when the all_pktprocprocess stops responding due to an incorrect Policy Based Forwarding (PBF) policy rule ID that references an invalid egress interface.
The firewall dataplane restarts while processing traffic after you enable SSL Inbound Inspection but not SSL Forward Proxy decryption.
After you rename an object in a device group on the Panorama management server, a commit error occurs because policies in the child device groups still reference the object by its old name.
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:Replace the FQDN with the IP address in the Kerberos server profile.
The firewall stops submitting samples to WildFire for analysis until you run the debug wildfire reset dp-receiver CLI command.
PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.
The firewall mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage when a connection failure occurs between the firewall and a syslog server that use TCP over SSL/TLS to communicate.
Workaround:In PAN-OS 7.1.11 and later 7.1 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process. Alternatively, for all PAN-OS 7.1 releases, you can use UDP for communication between the firewall and syslog server.
After using a Panorama management server running PAN-OS 7.1 to Force Template Values when pushing device group or template configurations to firewalls running an earlier PAN-OS release, FQDN refreshes fail on the firewalls.
Workaround:When pushing device group or template configurations, don’t Force Template Values. If you already did, run the commit force configuration mode command at the CLI of each affected firewall to resolve the issue. Another workaround is to upgrade the firewalls to the same PAN-OS release as Panorama.
The Panorama management server cannot deploy antivirus or WildFire updates to firewalls that already have later versions of the updates.
In rare cases, when the firewall is under a heavy load, some PAN-OS software update-related processes stall and do not recover.
Workaround:Reboot the firewall.
Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).
Workaround:After an explicit deny-all-and-log rule, create a security policy rule that includes the Address or Address Group objects. The deny-all-and-log rule handles all sessions not handled by any previous rule. The security policy rule containing the address objects, while it would never be used, allows you to push the address objects to managed firewalls.
Loading a partial configuration (using the load config partial CLI command) changes the port numbers in service and service group objects.
Workaround:Remove any duplicate service, service group, application, or application group objects from the configuration that you will load.
A PA-7000 Series firewall running PAN-OS 7.1.12 or an earlier release stops saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 release pushes a predefined report that specifies a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).
Workaround:Disable GTP reports in Panorama 8.0.
Firewalls in an active/passive HA configuration with OSPF or BGP graceful restart enabled take longer than expected to fail over.
In rare cases on a Panorama management server in a high availability (HA) configuration, the virtual machine (VM) auth key disappears after you reboot the active HA peer.
Workaround:Generate a new key, update the firewall init-cfg.txt file with the new key, and reboot the firewall.
Dynamic address updates take several minutes to complete on Panorama in NSX deployments.
PA-7000 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
In a high availability (HA) hardware security module (HSM) configuration, the crypto process (cryptod) for the SafeNet resource library in SafeNet Client 6.2.2 stops responding when the route to the HSM changes. This process also stops responding intermittently when the cryptod process tries to close the HSM sessions.
PA-7000 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful.
Workaround:Ignore the error messages; they do not affect the firewall operations.
Administrators with a custom role cannot delete packet captures.
Several dataplane processes stop responding when the firewall processes VPN traffic with IP packet chains, which were usually triggered by IP fragmentation or SSL decryption operations.
On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1.
On PA-7000 Series firewalls, Generic Routing Encapsulation (GRE) session creation fails when the firewalls receive GRE packets with a Point-to-Point Protocol (PPP) payload.
On PA-7000 Series firewalls, disabling the option to Turn on QoS feature on this interface (Network > QoS) reduces throughput on 40Gbps interfaces.
A Panorama management server running a PAN-OS 8.0 release or PAN-OS 7.1.8 or later 7.1 release does not display logs from PA-7000 Series firewalls running a PAN-OS 7.1 or 7.0 release.
Workaround:Run the debug skip-condor-reports no command and then the debug software restart process reportd command on the Panorama management server so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release.Do not use the debug skip-condor-reports no command to work around this issue if you use Panorama running a PAN-OS 8.0 release to manage a PA-7000 Series firewall running a PAN-OS 7.0 release (see PAN-77033 in the PAN-OS 7.0 or PAN-OS 8.0 Release Notes).
This issue is now resolved (requires content release version 718 or later). SeePAN-OS 7.1.11 Addressed Issues
When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules.
A regression introduced in PAN-OS 7.1.9 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
The firewall doesn't decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).
Workaround:Select an Encryption algorithm other than aes-256-gcm.
Firewalls configured to use a SafeNet hardware security module (HSM) server successfully create a support file when you export support file from the web interface but they incorrectly return the following error message: op command for client cryptod time out as client is not available. This issue also occurs when requesting the support file using the request hsm support-info CLI command but you can confirm that the support info file was created successfully by using a different HSM-related command, such as show hsm state , after you request the HSM support file.
As of PAN-OS 7.1.9, the PA-200 firewalls no longer store the previous WildFire content package after a WildFire content update. As a result, the option to revert to the previous WildFire package is no longer available on the web interface. However, the CLI command for this task (request wildfire downgrade install previous) was not removed and now results in an error message (downgrade job failed).
Loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removes authentication profiles from GlobalProtect portals and gateways, which causes an auto-commit failure.
Workaround:Select running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release.
Panorama does not push a shared address object to firewalls when the object is part of a dynamic address group that uses a tag.
After a firewall successfully installs a content update received from Panorama, Panorama displays a failure message for the update if the associated job ID on the firewall is higher than 65536.
The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the errors user-id is not registerd and ser-ID manager was reset. Commit is required to reinitialize User-ID.
The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.
On firewalls in an active/passive HA configuration, a link-monitoring failure causes a delay in OSPF convergence on the firewall that becomes active after HA failover.
Workaround:Set the Promotion Hold Time and Additional Master Hold Up Time to 0ms in the HA configuration (Device > High Availability > Election Settings).
Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops.
End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.
In PAN-OS 7.1.7, deactivating a VM-Series firewall from Panorama completes successfully, but the web interface does not update to show that deactivation is complete.
Workaround:View deactivation status from Managed Devices (Panorama > Managed Devices).
A firewall in FIPS-CC mode reboots in maintenance mode after you download GlobalProtect Client software that is listed under Device > GlobalProtect Client but is unavailable on the Palo Alto Networks Update Server.
The Panorama log collector does not support the server-verification CLI configuration, thereby preventing you from using the CLI to install content and software updates in a secure manner.
Workaround:Use the log collector CLI command request license api-key delete and then install content and software updates from Panorama.
In PAN-OS 7.1.7, when deactivating a VM-Series firewall from Panorama, if Panorama has the Verify Update Server Identity setting enabled (Panorama > Setup > Services > Verify Update Server Identity), but the firewall has the setting disabled (Device > Setup > Services), deactivation on the firewall does not complete successfully and the firewall becomes unreachable.
Workaround:Ensure Panorama and the VM-Series firewall both have the Verify Update Server Identitysetting enabled before deactivating the firewall.
Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
The firewall maps users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.
(PAN-OS 7.1.5 and later releases only) When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never.
The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture).
When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied.
Workaround:Use the request restart software CLI command or reboot the firewall manually to activate the session capacity for the VM-Series model.
On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
The GlobalProtect agent fails to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
When a Multicast Forwarding Information Base (MFIB) times out, the packet processing process (flow_ctrl) stops, which intermittently causes the firewall dataplane to restart.
This issue is now resolved. SeePAN-OS 7.1.7 Addressed Issues
In PAN-OS 7.1.6, SSL sessions are discarded if the server certificate chain size exceeds 23KB. See Changes to Default Behavior for more information about this issue.
Workaround:Exclude the affected site from decryption. Refer to live.paloaltonetworks.com/t5/Learning-Articles/How-to-Exclude-a-Site-from-SSL-Decryption/ta-p/56738.
On PA-7000 Series and PA-5000 Series firewalls, users who access applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
On PA-7000 Series firewalls and Panorama Log Collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups.
Workaround:Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes.
SSH sessions are incorrectly subjected to a URL category lookup even when SSH decryption is not enabled. As a result, SSH traffic is blocked when you enable forward proxy and configure a deny rule to match all traffic whose URL category is Unknown.
Installing a content update or committing configuration changes on the firewall causes RTP sessions that were created from predict sessions to move from an active state to a discard state.
Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly, and results in issues after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: www.vmware.com/support/pubs/nsx_pubs.htmlWorkaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
The firewall captures packets of IP addresses that are not included in the packet filter (Monitor > Packet Capture).
The Network Monitor report (Monitor > App Scope > Network Monitor) displays only partial data when you select Source or Destination for a data set that includes a large number of source or destination IP addresses and usernames. However, the report does display all data as expected when you instead select Application or Application Category for a large data set.
VM-Series firewalls don't apply NAT translation to the ports in the via and contact headers of Session Initiation Protocol (SIP) sessions after you enable Dynamic IP and Port (DIPP) NAT.
In PAN-OS 7.1 and later releases, the maximum number of address objects you can resolve for an FQDN is increased from 10 of each address type (IPv4 and IPv6) to a maximum of 32 each. However, the combination of IPv4 and IPv6 addresses cannot exceed 512B; if it does, addresses that are not included in the first 512B are dropped and not resolved.
If you delete the proxy server configuration on the firewall for the AutoFocus service, the configuration remains.
Workaround:Use the request restart software CLI command or reboot the firewall to clean up the proxy server configuration.
The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround:Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
Deleting the default administrator account on a VM-Series firewall in AWS causes the firewall to go into maintenance mode. This occurs because, to reboot successfully, the firewall requires the SSH key associated with the administrator account (the private key— ssh-key —used to provision the firewall in AWS).
If you configure the GlobalProtect portal or gateway to authenticate using an authentication sequence and then specify a domain\user in the User/User Group settings of an agent configuration, authentication using secure encrypted cookies will fail.
The pan-comm option for restarting the dataplane communication process is not available in the debug software restart process operational CLI command.
By default, the AutoFocus URL in the AutoFocus settings (Device > Setup > Management) is pre-configured with the correct URL for connecting to AutoFocus but the firewall will fail to connect to AutoFocus if you don't manually re-enter the URL. This issue occurs only when you initially configure AutoFocus settings (for example, after performing a factory reset of the firewall or after upgrading to PAN-OS 7.1).
Workaround:When initially enabling AutoFocus threat intelligence on the firewall, you must delete the default AutoFocus URL and manually re-enter the address (https://autofocus.paloaltonetworks.com:10443).
The VM-Series for Azure is supported in the Azure Resource Manager (ARM) environment only. You cannot export the VM-Series firewall or its VHD disk image from Azure and deploy it in a local or private data center. Also, you cannot re-import a VM-Series firewall or its VHD disk image into the ARM environment.
You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied.
Workaround:If there are DNS proxy objects configured with the same interface, you must modify the DNS proxy objects so that each object specifies unique interfaces:
Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.
The Administrator Use Only option (Template > Device > Radius Profile) is not available in PAN-OS 7.1.0 or PAN-OS 7.1.1.
During the connection of a satellite to the GlobalProtect gateway, the Online Certificate Status Protocol (OCSP) verification for the GlobalProtect certificate fails because the OCSP response does not contain the signature certificate.
High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
The firewall does not display the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) if you Close the job execution status dialog (appears when you click Run Now to generate a SaaS report) and move to another tab and continue to Commit changes before the SaaS report finishes generating.
When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.
Workaround:If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
If you create a log filter by clicking a value in the Destination Country or Source Country column of a log page (such as the Monitor > Logs > Traffic page), the filter does not work because the filter string uses the country name instead of the country code. This issue occurs only when the value is a country; the filter works for other types of regions (such as city names).
Workaround:Manually change the country name to the country code in the filter string (for example, change United States to US).
If a call manager or SIP proxy is in a different zone than either the called or the calling party, using the hold and resume feature can result in one-way audio.
Workaround:If using NAT, configure the call manager and local phone in the same zone.
This issue is now resolved with a workaround. SeePAN-OS 7.1.2 Addressed Issues
Simultaneous transfer of large files from two different SMB servers over a GlobalProtect connection from a Windows 8 client causes the connection to fail.
Workaround:In PAN-OS 7.1.2 and later releases, enable Heuristics on Windows 8 clients or set the tunnel interface MTU size to 1,300 to avoid this issue.
When the firewall is processing a high volume of BFD sessions for routing peers that use BGP, OSPF or RIP, and the firewall is also processing a high volume of packets that belong to existing sessions and are not offloaded, the BFD sessions to those peers will flap when the firewall receives a content update.
There is an issue where PA-7000 Series firewalls experience BGP disconnections because the firewall fails to send keepalive messages to neighbors within specified timers.
An ungraceful reboot on a VM-Series firewall causes Dynamic IP address information to get out of sync.
The FPGA intermittently fails to initialize on PA-5000 Series firewalls.
In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicate the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
The botnet log cleanup job on a PA-7000 Series firewall runs two hours before the system-generated botnet reports are triggered, which results in empty or no botnet reports when no logs are collected between jobs.
Decrypted SSH sessions are not mirrored to the decrypt mirror interface as expected.
Tarball images for bootstrapping firewalls that are created using a Mac OS (BSD-based tar format) are incompatible with the Debian-based tar format used by PAN-OS firewalls.
Workaround:Use a Windows system to create a tarball image that is compatible with the firewalls.
For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a device group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.
When you open the SaaS Application Usage Report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you attempt to export PDFs from each tab, only the first request is accurate; all successive attempts will result in PDFs that are duplicates of the first report.
Workaround:Export only one PDF at a time and wait for that export process to finish before you trigger the next export request.
A Panorama management server running on an M-Series appliance cannot connect to a SafeNet Network or nCipher nShield Connect hardware security module (HSM).
When you push configurations to a specific device group, the Panorama web interface displays a commit failure message (commit timed out) even though the operation succeeded.
On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not updated on the VM-Series firewalls.
Workaround:To push the Dynamic Address Group updates to the VM-Series firewalls, you need to manually synchronize the configuration with the NSX Manager. (Panorama > VMware Service Manager, and select NSX Config-Sync).
If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.
Workaround:Make sure that members that are assigned to a security group are not overlapping with another security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM-Series firewall).
When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
BFD sessions are not established between two RIP peers when there are no RIP advertisements.
Workaround:Enable RIP on another interface to provide RIP advertisements from a remote peer.
The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error:
Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>.
A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode will fail to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases.
Workaround:Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.
For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
FIPS-CC mode is not supported on the VM-Series firewall on Microsoft Hyper-V. Although the option for FIPS-CC mode is displayed in the maintenance mode menu, you cannot enable this option.
The firewall does not update some processes as expected (such as mgmtsrvr, reportd, logd, and pan_log_receiver) when you specify a new DNS server (Device > Setup > Services [> Global ]), which causes the firewall to continue forwarding some DNS requests to the previously configured DNS server instead of the current one.
On PA-7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you have set up a custom service route for the firewall to use to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you’ve configured the firewall to use a service route for DNS requests, and in this case, you must perform the following workaround to enable communication between the firewall data plane and the log card interface.
Workaround:Enable the DNS Proxy on the firewall, and do not specify an interface for the DNS proxy object (leave the field Network > DNS Proxy > Interface clear). See the steps to enable DNS proxy or use the CLI command set deviceconfig system dns-setting dns-proxy-object.
Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes the connection to the BGP peer to flap.
Destination-based service routes do not work for RADIUS authentication servers.
Workaround:Use service-specific service routes instead of destination-based service routes for RADIUS authentication servers.
WildFire Analysis reports do not display as expected in the WildFire Analysis Report tab (Monitor > Logs > WildFire Submissions > Detailed Log View) on PA-7000 Series firewalls running PAN-OS 7.0.2 and later releases.
Workaround:Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the WildFire API to retrieve WildFire Analysis reports.
When you enable jumbo frames on a VM-Series firewall in AWS using the set deviceconfig setting jumbo-frame mtu configuration mode CLI command, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes.
The VM-Series firewall on Citrix SDX does not support jumbo frames.
IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
The URL block page does not display as expected when proxied requests from client use CONNECT method.
If you log in to Panorama as a Device Group and Template administrator and rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround:After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
Web pages using the HTTP Strict Transport Security (HSTS) protocol sometimes do not display properly for end users.
Workaround:End users must import an appropriate forward-proxy-certificate for their browsers.
When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround:On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround:When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter gets added as A1 and query results display A1 instead of Unknown.
The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in an active/active HA configuration.
Workaround:Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.
WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0 or later releases.
Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround:PAN-OS 7.0 introduced enhancements to SSL Decryption that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or select Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
Typing user group names instead of selecting from a drop-down when configuring policy rules disrupts the enforcement of rules that are based on those groups in cases where the firewall has not finished processing group mappings retrieved from an LDAP server.
Workaround:The best practice when configuring group-based policy rules is to first commit any changes to group mapping configurations, verify that the firewall has processed the groups it retrieved (run the show user group CLI command), and then select the groups from a drop-down instead of typing the group names.
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.
If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and then use the CLI to downgrade the device to PAN-OS 6.1 or an earlier release and reboot, an error message appears the next time you access Log Settings. This occurs because PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases display the settings in multiple sub-pages. To clear the message, navigate to another page and return to any Log Settings sub-page; the error will not recur in subsequent sessions.
In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering >
<URL Filtering profile>> Settings).
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:To generate an on-demand report, click Run Now when you configure the custom report.
Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround:Commit a second time, which clears the old pool allocation.
Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the new Rule Type setting in Security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.
Workaround:Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0 release to a PAN-OS 6.0.4 or later release before pushing a configuration to the devices.
If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.
Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround:To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules Preview window does not display post rules and local rules for managed devices.
Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.
(VM-Series for NSX firewalls only) When deleting the VM-Series configuration, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.
Workaround:Manually delete the VM-Series firewalls from the datastore.
(VM-Series for NSX firewalls only) In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM-Series NSX edition firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to that VM-Series firewall.
Workaround:Reapply the Security Policy on the NSX Manager.
A VM-Series firewall on an ESXi host fails to deploy with an error message: Invalid OVF Format in Agent Configuration.
Workaround:Use the following command to restart the ESX Agent Manager process on the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart.
If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround:Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top right corner) to update the list of sessions causes the Filter menu to display incorrectly and clears any previously selected filters.
Workaround:To maintain and apply selected filters to an updated list of sessions, click the green arrow to the right of the Filters field instead of the global (or browser) refresh option.
(VM-Series for NSX firewalls only) When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.
When deploying the VM-Series firewall, the Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This error displays even for a successful deployment. You can ignore the message if the VM-Series firewall is successfully deployed.
The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful.
If you deploy the VM-Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file.
Workaround:Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the template is specified on Panorama > VMware Service Manager, register the service, and re-deploy the VM-Series firewall.
When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.
When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error—or invalid (udp) port number error—displays when you remove the destination (TCP or UDP) port.
Workaround:Delete the rule and add a new one.
When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group.
Workaround:To redirect all traffic to the VM-Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode.
Workaround:Disable promiscuous mode.
On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group.
Workaround:On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update.
On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
Adding or removing ports on the Citrix SDX server after deploying the VM-Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall.
The following issues apply when configuring a firewall to use a hardware security module (HSM):
After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command.
Workaround:Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs.
In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN-OS software image.
Workaround:Use the Panorama > Device Deployment > Software tab to deploy and install the software image on the managed device.
You cannot configure the management IP address on an M-100 appliance while it is operating as the secondary passive peer in an HA pair.
Workaround:To set the IP address for the management interface, you must suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state.
By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present.
Workaround:Enable the firewall to include the IP address of the firewall as the hostname in the syslog header by selecting Send Hostname in Syslog (Device > Setup).
If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address.
Workaround:Configure the MGT port with the new IPv6 address and then apply the configuration to the Log Collector and test connectivity using the IPv6 address to ensure that you do not lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using the delete deviceconfig system ip-address command) and then commit your changes.
If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall continues to forward the traffic that is not, yet, decrypted.
Workaround:Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache.
SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In an HA configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails.
Workaround:Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
When you use Panorama templates to schedule a log export (Device > Scheduled Log Export) to an SCP server, you must log in to each managed device and Test SCP server connection after the template is pushed. The connection is not established until the firewall accepts the host key for the SCP server.
Attempts to reset the master key from the web interface (Panorama > Master Key and Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem when pushing a configuration from Panorama to a device because it is not necessary for the keys to match.
If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user to IP mapping from the security logs, the second username will be retrieved. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user to IP mapping information, which is not the intended user mapping.
Recommended For You
Recommended videos not found.