Limitations

What are the limitations related to PAN-OS 8.1 releases?
The following are limitations associated with PAN-OS 8.1 releases.
| Issue ID | Description |
| --- | --- |
|  | Beginning in PAN-OS 8.1.3, firewalls and appliances perform a software integrity check periodically while they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host, or you enable CPU over-subscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes into maintenance mode, please check the errors and warnings in the fips.log file. A reboot always occurs during an upgrade, so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window. |
| PAN-85036 | If you use the Panorama management server to manage the configuration of an active/active firewall HA pair, you must set the Device ID for each firewall HA peer before upgrading Panorama to PAN-OS 8.1. The Device IDs determine which peer will be active-primary; if you upgrade without setting them, you cannot commit configuration changes to Panorama. |
| PAN-81719 | You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs). |
| PAN-79669 | The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate. |
