Limitations
Focus
Focus

Limitations

Table of Contents
End-of-Life (EoL)

Limitations

What are the limitations related to PAN-OS 8.1 releases?
The following are limitations associated with PAN-OS 8.1 releases.
Issue ID
Description
Beginning in PAN-OS 8.1.3, firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots in to maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes in to maintenance mode, please check the error and warnings in the
fips.log
file.
A reboot always occurs during an upgrade so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.
PAN-208218
(
Releases earlier than PAN-OS 8.1.24-h2
) Due to a component change, versions earlier than PAN-OS 8.1.24-h2 are no longer supported on later hardware revisions of the PA-5200 Series.
PAN-174784
Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (
Monitor
Manage Custom Reports
) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day.
PAN-174442
When a Certificate Profile (
Device > Certificate Management > Certificate Profile
) is configured to
Block session if certificate status cannot be retrieved within timeout
, the firewall allows client certificate validation to go through even if the CRL Distribution Point or OCSP Responder is unreachable.
Workaround:
You must also enable
Block session if certificate status is unknown
to ensure
Block session if certificate status cannot be retrieved within timeout
is effective.
PAN-159293
Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format may erroneously return errors for VM-Series firewalls despite being able to successfully pull the CRL to verify that the syslog server certificate is still valid.
PAN-158304
On the Panorama management server, forwarded logs (
Monitor
Logs
Traffic
) do not display if the latency between the Log Collectors exceeds 10ms when the Log Collectors in a Collector Group (
Panorama
Collector Groups
) are located on different Local Area Networks (LANs).
Workaround:
When deploying your Log Collectors in a Collector Group, ensure they are both deployed on the same LAN or that the latency between Log Collectors in the Collector Group does not exceed 10ms.
PAN-155882
There is a hardware limitation on PA-200 firewalls where the firewall does not have space for more than one software image before being upgraded to PAN-OS 8.1.17 or later releases.
Workaround:
To upgrade to PAN-OS 8.1.17 or later releases:
  1. Install and run PAN-OS 8.1.0.
  2. Delete the images for previously installed releases until only the image for PAN-OS 8.1.0 remains.
  3. Load the image for PAN-OS 8.1.17 or a later release, and install and run the release.
PAN-128908
If an admin user password is changed but no commit is performed afterward, the new password does not persistent after a reboot. Instead, the admin user can still use the old password to log in, and the calculation of expiry days is incorrect based on the password change timestamp in the database.
PAN-107306
If a server sends an HTTP response header and the contents of a file in different packets, the file is blocked even if the relevant File Blocking profile action is
continue
for that file type.
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (
Monitor
PDF Reports
Manage PDF Summary
) containing the top attackers to mimic the predefined reports.
PAN-99483
(
PA-7000 Series firewalls only
) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP)
NAT Oversubscription Rate
to allow multiple connections (
Device
Setup
Session
Session Settings
NAT Oversubscription
).
PAN-85036
If you use the Panorama management server to manage the configuration of an active/active firewall HA pair, you must set the Device ID for each firewall HA peer before upgrading Panorama to PAN-OS 8.1. If you upgrade without setting the Device IDs, which determine which peer will be active-primary, you cannot commit configuration changes to Panorama.
PAN-81719
You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs).
PAN-79669
The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate.

Recommended For You