Limitations
Table of Contents
Expand all | Collapse all
-
-
- App-ID Changes in PAN-OS 8.1
- Authentication Changes in PAN-OS 8.1
- Content Inspection Changes in PAN-OS 8.1
- GlobalProtect Changes in PAN-OS 8.1
- User-ID Changes in PAN-OS 8.1
- Panorama Changes in PAN-OS 8.1
- Networking Changes in PAN-OS 8.1
- Virtualization Changes in PAN-OS 8.1
- Appliance Changes in PAN-OS 8.1
- Associated Software and Content Versions
- Limitations
-
- PAN-OS 8.1.25 Addressed Issues
- PAN-OS 8.1.24-h2 Addressed Issues
- PAN-OS 8.1.24-h1 Addressed Issues
- PAN-OS 8.1.24 Addressed Issues
- PAN-OS 8.1.23-h1 Addressed Issues
- PAN-OS 8.1.23 Addressed Issues
- PAN-OS 8.1.22 Addressed Issues
- PAN-OS 8.1.21-h1 Addressed Issues
- PAN-OS 8.1.21 Addressed Issues
- PAN-OS 8.1.20-h1 Addressed Issues
- PAN-OS 8.1.20 Addressed Issues
- PAN-OS 8.1.19 Addressed Issues
- PAN-OS 8.1.18 Addressed Issues
- PAN-OS 8.1.17 Addressed Issues
- PAN-OS 8.1.16 Addressed Issues
- PAN-OS 8.1.15-h3 Addressed Issues
- PAN-OS 8.1.15 Addressed Issues
- PAN-OS 8.1.14-h2 Addressed Issues
- PAN-OS 8.1.14 Addressed Issues
- PAN-OS 8.1.13 Addressed Issues
- PAN-OS 8.1.12 Addressed Issues
- PAN-OS 8.1.11 Addressed Issues
- PAN-OS 8.1.10 Addressed Issues
- PAN-OS 8.1.9-h4 Addressed Issues
- PAN-OS 8.1.9 Addressed Issues
- PAN-OS 8.1.8-h5 Addressed Issues
- PAN-OS 8.1.8 Addressed Issues
- PAN-OS 8.1.7 Addressed Issues
- PAN-OS 8.1.6-h2 Addressed Issues
- PAN-OS 8.1.6 Addressed Issues
- PAN-OS 8.1.5 Addressed Issues
- PAN-OS 8.1.4-h2 Addressed Issues
- PAN-OS 8.1.4 Addressed Issues
- PAN-OS 8.1.3 Addressed Issues
- PAN-OS 8.1.2 Addressed Issues
- PAN-OS 8.1.1 Addressed Issues
- PAN-OS 8.1.0 Addressed Issues
Limitations
What are the limitations related to PAN-OS 8.1 releases?
The following are limitations
associated with PAN-OS 8.1 releases.
Issue ID | Description |
---|---|
— | Beginning in PAN-OS 8.1.3,
firewalls and appliances perform a software integrity check periodically
when they are running and when they reboot. If you simultaneously
boot up multiple instances of a VM-Series firewall on a host or
you enable CPU over-subscription on a VM-Series firewall, the firewall
boots in to maintenance mode when a processing delay results in
a response timeout during the integrity check. If your firewall
goes in to maintenance mode, please check the error and warnings
in the fips.log file.A reboot always
occurs during an upgrade so if you enabled CPU over-subscription
on your VM-Series firewall, consider upgrading your firewall during
a maintenance window. |
PAN-208218 | ( Releases earlier than PAN-OS 8.1.24-h2 ) Due to a component
change, versions earlier than PAN-OS 8.1.24-h2 are no longer
supported on later hardware revisions of the PA-5200 Series. |
PAN-174784 | Up to 100,000 daily summary logs can be
processed for Scheduled and Run Now custom reports ( Monitor Manage Custom Reports |
PAN-174442 | When a Certificate Profile ( Device >
Certificate Management > Certificate Profile ) is configured
to Block session if certificate status cannot be retrieved within timeout ,
the firewall allows client certificate validation to go through
even if the CRL Distribution Point or OCSP Responder is unreachable.Workaround: You
must also enable Block session if certificate status is unknown to
ensure Block session if certificate status cannot be retrieved
within timeout is effective. |
PAN-159293 | Certification Revocation List (CRL)
in Distinguished Encoding Rules (DER) format may erroneously return
errors for VM-Series firewalls despite being able to successfully
pull the CRL to verify that the syslog server certificate is still
valid. |
PAN-158304 | On the Panorama management server, forwarded
logs ( Monitor Logs Traffic Panorama Collector Groups Workaround: When
deploying your Log Collectors in a Collector Group, ensure they
are both deployed on the same LAN or that the latency between Log
Collectors in the Collector Group does not exceed 10ms. |
PAN-155882 | There is a hardware limitation
on PA-200 firewalls where the firewall does not have space for more
than one software image before being upgraded to PAN-OS 8.1.17 or
later releases. Workaround: To upgrade to PAN-OS 8.1.17
or later releases:
|
PAN-128908 | If an admin user password is changed but
no commit is performed afterward, the new password does not persistent
after a reboot. Instead, the admin user can still use the old password
to log in, and the calculation of expiry days is incorrect based
on the password change timestamp in the database. |
PAN-107306 | If a server sends an HTTP response header
and the contents of a file in different packets, the file is blocked
even if the relevant File Blocking profile action is continue for that
file type. |
PAN-106675 | After upgrading the Panorama management
server to PAN-OS 8.1 or a later release, predefined reports do not
display a list of top attackers. Workaround: Create
new threat summary reports (Monitor PDF Reports Manage PDF Summary |
PAN-99483 | ( PA-7000 Series firewalls only )
When you deploy the firewall in a network that uses Dynamic IP and
Port (DIPP) NAT translation with PPTP, client systems are limited
to using a translated IP address-and-port pair for only one connection.
This issue occurs because the PPTP protocol uses a TCP signaling
(control) protocol that exchanges data using Generic Routing Encapsulation
(GRE) version 1 and the hardware cannot correlate the call-id in
the GRE version 1 header with the correct dataplane (the one that
owns the predict session of GRE). This issue occurs even if you
configure the Dynamic IP and Port (DIPP) NAT Oversubscription
Rate to allow multiple connections (Device Setup Session Session Settings NAT Oversubscription |
PAN-85036 | If you use the Panorama management
server to manage the configuration of an active/active firewall
HA pair, you must set the Device ID for each firewall HA peer before
upgrading Panorama to PAN-OS 8.1. If you upgrade without setting
the Device IDs, which determine which peer will be active-primary,
you cannot commit configuration changes to Panorama. |
PAN-81719 | You cannot form an HA pair of Panorama management
servers on AWS instances when the management interface on one HA
peer is assigned an Elastic Public IP address or when the HA peers
are in different Virtual Private Clouds (VPCs). |
PAN-79669 | The firewall blocks an HTTPS session when
the hardware security module (HSM) is down and a Decryption policy
for inbound inspection uses the default decryption profile for an
ECDSA certificate. |