What are the limitations related to PAN-OS 8.1 releases?
The following are limitations associated with PAN-OS 8.1 releases.
Issue ID
Beginning in PAN-OS 8.1.3, firewalls and appliances perform a software integrity check periodically while they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes into maintenance mode, check the errors and warnings in the fips.log file.
A reboot always occurs during an upgrade, so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.
If you use the Panorama management server to manage the configuration of an active/active firewall HA pair, you must set the Device ID for each firewall HA peer before upgrading Panorama to PAN-OS 8.1. If you upgrade without setting the Device IDs, which determine which peer will be active-primary, you cannot commit configuration changes to Panorama.
You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs).
The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate.
