The following table includes limitations associated with PAN-OS® 7.1 releases.
PA-7000 Series firewalls only
When you deploy the firewall in a network that uses Dynamic IP and
Port (DIPP) NAT translation with PPTP, client systems are limited
to using a translated IP address-and-port pair for only one connection.
This issue occurs because the PPTP protocol uses a TCP signaling
(control) protocol that exchanges data using Generic Routing Encapsulation
(GRE) version 1 and the hardware cannot correlate the call-id in
the GRE version 1 header with the correct dataplane (the one that
owns the predict session of GRE). This issue occurs even if you
configure the Dynamic IP and Port (DIPP)
to allow multiple connections (
If the firewall collects IP address-to-username
mappings by monitoring numerous servers at short intervals
(Palo Alto Networks User-ID Agent Setup, Server Log Monitor Frequency)
in networks with high user log-in rates, the best practice is to
deploy Windows-based User-ID agents instead of the PAN-OS integrated
User-ID agent. Using Windows-based User-ID agents avoids the risk
of the firewall running out of memory while querying the servers.
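
For the PPTP limitation above, the following added example (not Palo Alto Networks code) parses the GRE version 1 header defined in RFC 2637 and shows that the call-id is the only field separating two PPTP calls that share one translated address, since GRE has no ports. The addresses, `flow_keys`, `build_sample`, and `SAMPLE` are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

PPTP_GRE_PROTO = 0x880B  # PPP carried in enhanced GRE (RFC 2637)

class GreV1(NamedTuple):
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]

def parse_gre_v1(pkt: bytes) -> GreV1:
    """Parse the enhanced GRE (version 1) header that carries PPTP data."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if b1 & 0x07 != 1:
        raise ValueError("not GRE version 1")
    if proto != PPTP_GRE_PROTO or not (b0 & 0x20):
        raise ValueError("not PPTP GRE: wrong protocol type or K bit clear")
    off, seq, ack = 8, None, None
    if b0 & 0x10:                      # S bit: sequence number present
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if b1 & 0x80:                      # A bit: acknowledgment number present
        if len(pkt) < off + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack_from("!I", pkt, off)
    return GreV1(call_id, payload_len, seq, ack)

def flow_keys(packets, use_call_id: bool) -> set:
    """Distinct session keys a NAT device can derive from GRE v1 packets."""
    keys = set()
    for src, dst, raw in packets:
        hdr = parse_gre_v1(raw)
        keys.add((src, dst, hdr.call_id) if use_call_id else (src, dst))
    return keys

def build_sample(call_id: int, seq: int, payload: bytes = b"\xff\x03") -> bytes:
    """Constructed test packet: K and S bits set, version 1, no ack."""
    return struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload

# Constructed sample: two PPTP calls sharing one translated source address.
SAMPLE = [("203.0.113.10", "198.51.100.5", build_sample(0x0001, 0)),
          ("203.0.113.10", "198.51.100.5", build_sample(0x0002, 0))]
```

Keyed on addresses alone, the two calls in `SAMPLE` collapse into one session; adding the call-id yields two.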