End-of-Life (EoL)


The following table includes limitations associated with PAN-OS® 7.1 releases.
Issue ID
PA-7000 Series firewalls only
) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP)
NAT Oversubscription Rate
to allow multiple connections (
Session Settings
NAT Oversubscription
If the firewall collects IP address-to-username mappings by monitoring numerous servers at short intervals (
User Identification
User Mapping
Palo Alto Networks User-ID Agent Setup
Server Monitor
Server Log Monitor Frequency
) in networks with high user log-in rates, the best practice is to deploy Windows-based User-ID agents instead of the PAN-OS integrated User-ID agent. Using Windows-based User-ID agents avoids the risk of the firewall running out of memory while querying the servers.

Recommended For You