Appliance Changes in PAN-OS 8.1

Changes to default behavior for hardware and virtual appliances running PAN-OS 8.1.
PAN-OS 8.1 has the following changes to default behavior specific to hardware and virtual appliances:
Appliance
Change
PA-200 firewalls
  • PAN-OS 8.1.8 and earlier releases
    —The session capacity was 64,000 sessions.
  • PAN-OS 8.1.9 and later PAN-OS 8.1 releases
    —The session capacity is 32,000 sessions.
PA-200 firewalls
  • PAN-OS 8.1.8 and earlier releases
    —Pre-defined and custom reports on Panorama using a remote database were automatically generated and pushed to firewalls every hour and local pre-defined reports were generated on firewalls every 24 hours.
  • PAN-OS 8.1.9 and later PAN-OS 8.1 releases
    —Daily generation of local pre-defined reports and hourly generation of scheduled reports pushed from Panorama are disabled by default.
    To enable daily generation of the pre-defined reports, go to the Logging and Reporting settings on the web interface (
    Device
    Setup
    Management
    Logging and Reporting settings
    ) and select the appropriate reports and then, on a firewall, use the
    debug predefined-default enable
    CLI command or, on Panorama, use the
    debug run-panorama-predefined-report yes
    CLI command.
    To enable hourly generation of Panorama-pushed scheduled reports, on the firewall, use the
    debug run-panorama-predefined-report yes
    CLI command.
PA-3260 firewalls, PA-5200 Series firewalls, PA-7050 firewalls, and PA-7080 firewalls
PAN-OS 8.1.9-h4 and later PAN-OS 8.1 releases
—Forward Error Correction (FEC) is enabled by default for active optical cable (AOC) modules on the listed firewalls. This means that if you plan to upgrade a firewall from an earlier PAN-OS release (where FEC is disabled) to PAN-OS 8.1.9-h4 or a later release, you should first enable FEC on the device connected to any quad small form-factor pluggable (QSFP) port (Ethernet 1/21, 1/22, 1/23, or 1/24). Thus, when the Ethernet port on the upgraded firewall comes up, there will not be an FEC mismatch between the firewall and the connected device, which causes the port to stay down.
PA-7000 Series Firewall Memory Limit for the Management Server
As of PAN-OS 8.1.17, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use:
debug software resource-control enable
To disable resource-control groups, use:
debug software resource-control disable
To set the memory limit, use:
debug management-server limit-memory enable
To remove the memory limit, use:
debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.

Recommended For You