Limitations

The following table includes limitations associated with PAN-OS® 7.1 releases.

Issue ID	Description
PAN-99483	(`PA-7000 Series firewalls only`) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections ( Device Setup Session Session Settings NAT Oversubscription ).
PAN-76757	If the firewall collects IP address-to-username mappings by monitoring numerous servers at short intervals ( Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup Server Monitor Server Log Monitor Frequency ) in networks with high user log-in rates, the best practice is to deploy Windows-based User-ID agents instead of the PAN-OS integrated User-ID agent. Using Windows-based User-ID agents avoids the risk of the firewall running out of memory while querying the servers.

Issue ID

Description

PAN-99483

(PA-7000 Series firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP)

NAT Oversubscription Rate

to allow multiple connections (

Device

Setup

Session

Session Settings

NAT Oversubscription

PAN-76757

If the firewall collects IP address-to-username mappings by monitoring numerous servers at short intervals (

Device

User Identification

User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor

Server Log Monitor Frequency

) in networks with high user log-in rates, the best practice is to deploy Windows-based User-ID agents instead of the PAN-OS integrated User-ID agent. Using Windows-based User-ID agents avoids the risk of the firewall running out of memory while querying the servers.

Document:PAN-OS® Release Notes

Limitations

Limitations

Recommended For You

Document:PAN-OS® Release Notes

Limitations

Limitations

Recommended For You

Recommended Videos