Known Issues Related to PAN-OS 9.0
List of known issues in all PAN-OS® 9.0 releases.
The Consolidated List of PAN-OS 9.0 Known Issues includes all known issues that impact a PAN-OS 9.0 release. This list includes both outstanding issues and issues that are addressed in Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by a specific issue ID.
To review the subset of outstanding known issues for a specific PAN-OS 9.0 maintenance release, see the following lists:
Consolidated List of PAN-OS 9.0 Known Issues
PAN-OS 9.0 Known Issue Description
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
The Create Date shown when using the show wildfire global sample-status sha256 equal or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
(PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface.
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
(Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall.
This issue is resolved with VM-Series plugin 1.0.3.
(Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.
(PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.
If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.
This issue is resolved with VM-Series plugin 1.0.2.
After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.3.
When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.
On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI due to a PAN-OS UI issue. This message does not affect the operation of Advanced URL Filtering or URL Filtering.
Dedicated Log Collector system and config logs cannot be ingested and are dropped when they are forwarded to a Panorama management server in Management Only mode, resulting in Dedicated Log Collector system and config logs not being viewable on Panorama in Management Only mode.
On the Panorama management server, a local or Dedicated Log Collector cannot successfully join an ElasticSearch cluster when added to a Collector Group if the SSH key length for a Log Collector in the cluster is greater than 2048 characters.
Superuser administrators with read-only privileges are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
On the Panorama management server, you are unable to configure a master key (Master Key and Diagnostics) for a managed firewall if an interface references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
On the Panorama management server, pushes to managed firewalls (Push to Devices or Commit and Push) may fail when an EDL (External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
On the Panorama management server in a high availability (HA) configuration, content updates manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Firewalls erroneously generate a high severity system log when the firewall connects to a syslog server.
In the ACC, data cannot be imported or exported when a tab filter (Set Tab Filters) that contains characters not supported by URL format, such as DOMAIN/USER, is applied.
When a firewall has hardware offloading turned on and OSPF enabled, if ECMP is enabled or disabled for a virtual router during a configuration commit, OSPF sessions may get stuck in Exchange Start state.
Workaround: Disable OSPF when enabling or disabling ECMP, and then re-enable OSPF in the next commit.
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
On the Panorama management server, scheduled email PDF reports fail if a GIF image is used in the header or footer.
On the VM-Series firewall on Microsoft Hyper-V, when upgrading to PAN-OS 9.0.8 or later, ethernet packets might be dropped after adding VLAN tags during egress from a subinterface.
Workaround: Create the Hyper-V Virtual Switch with MTU size 1504, store as persistent and reboot for the changes to take effect. Before upgrading PAN-OS, access the VM-Series firewall CLI and set the MTU size on firewall interfaces to 1504.
On the Panorama management server, Commit to Panorama incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route.
On the Panorama management server, read-only Panorama administrators can load managed firewall configuration Backups.
This issue is now resolved. See PAN-OS 9.0.9-h1 Addressed Issues
Dataplane processes restart when attempting to access websites that have the NotBefore attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled.
(VM-Series firewalls only) Bootstrapping with .xfr images is not supported. When you use an image with the .xfr filename to bootstrap, it fails with the error
No image found.
PA-7000 Series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLI commands to bypass this issue:
To enable hwpredict again: set session hwpredict disable no
To verify the current settings: show session hwpredict status
The Panorama management server in Management Only mode may become inaccessible or unresponsive due to insufficient disk space in the /opt/mongobuffer partition required for Panorama logs.
Workaround: Contact Palo Alto Networks Support to repartition the /opt/mongobuffer disk partition table.
The Panorama management server does not check for duplicate addresses in address groups and duplicate services in service groups when they are created from the CLI.
There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message:
no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues
The Name log filter is not maintained when viewing the Log Viewer for a Security policy rule from the drop-down menu.
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.
This issue is now resolved. See PAN-OS 9.0.10 Addressed Issues
Preview Changesunder a specific device group results in the following error message:
Parameter device group missing.
(PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues
(VM-Series firewalls only) The non-blocking pattern match setting is enabled by default, which results in CTD performance degradation.
Workaround: Manually disable the feature and improve performance by using the following CLI command:
set system setting ctd nonblocking-pattern-match disable
(PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.
There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.
(VM-Series firewalls only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.
There is an issue where VM-Series firewalls do not support packet buffer protection.
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 9.0.5 only) There is an intermittent issue where a process (all_pktproc) stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions.
(PAN-OS 9.0.3 and later releases only) The Remove Config button does not remove the configuration for any plugins you have set up on Panorama.
Workaround: Manually remove the plugin configuration. Select your plugin on Panorama and clear the values from all fields.
(PA-7000 Series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format:
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
There is an issue where after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.
(PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.
(PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.
There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector, it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues
(Affects PA-3000 series appliances only) There is an infrequently encountered issue where a low memory condition intermittently prevents decoders from loading, leading to traffic inspection issues related to the impacted decoder(s).
The logs are not visible after you upgrade a Panorama management server in an HA configuration from PAN-OS 8.1 to PAN-OS 9.0.
Workaround: After you complete the upgrade, log in to the web interface of the primary Panorama HA peer and perform a Collector Group push (Push to Devices), or log in to the CLI of the primary Panorama HA peer and commit force the local configuration.
Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake—was introduced in PAN-OS 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details an update we made to support this feature across all firewall platforms. If you successfully onboarded the firewall to Cortex Data Lake before PAN-OS 9.0.3 released, this issue does not impact you. But following the release of PAN-OS 9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If this is a feature you would like to implement, you’ll need to upgrade to PAN-OS 9.0.3. Here’s how you can get started with Cortex Data Lake now.
This issue is now resolved. See PAN-OS 9.0.7 Addressed Issues
There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of Security policy rules return the following error message when you commit or push a configuration:
group-tag is invalid
Workaround: Modify the tags and group tags to exclude special characters.
VM-Series firewalls on Microsoft Azure deployed using MMAP drops traffic when the firewall experiences heavy traffic.
(PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
(PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Scheduled Config Export) because the SCP server password exceeds 15 characters in length.
(PA-200 firewalls only) There is an issue where the management plane memory is lower than expected, which causes the management plane to restart.
A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.
In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.
(Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile, the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 2: When you generate or import a new certificate while you configure a Certificate Profile for a vsys other than vsys1, specify the
H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.
(PA-7000 Series firewalls in an HA configuration only) After you upgrade to PAN-OS 9.0, some logs may display a different rule name than the rule name associated with the universally unique identifier (UUID).
Workaround: If you are using Panorama, make a policy change (such as cloning a rule) in the corresponding device group, commit the change, and push the updated policy to managed devices. If you are not using Panorama to manage your firewalls, make a policy change (such as cloning a rule) on the firewall and commit the change.
(VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall.
This subscription is included with the BYOL and VM-Series ELA when you upgrade.
The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, commit (Commit to Panorama) the reverted configuration to display the invalid configuration errors.
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
(PA-3200 Series firewalls only) There is a rare issue where a software issue causes the dataplane to restart unexpectedly.
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Push to Devices or Commit and Push) and select Include Device and Network Templates.
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
DGA-based threats shown in the firewall threat log display the same name for all such instances.
In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
If you configure a firewall to use a static route whose next hop is an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that static route, BFD is non-operational for that static route.
If you configure a firewall with a BGP peer that is identified by an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that BGP peer, then BFD is non-operational for that BGP peer.
(PAN-OS 9.0.1 and later PAN-OS 9.0 releases) There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State.
Workaround: Push templates to managed devices.
(Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message:
agent-user-override-key unexpected here Portal_fips.
There is an issue where scheduled SaaS reports generate and email empty PDF reports.
Workaround: Manually generate the report from the Panorama web interface.
If you configure a HIP object to match only when a connecting endpoint is managed, iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
(HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
set system target-vsys
<direction> query equal 'vsys eq
(PA-5250, PA-5260, and PA-5280 firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1, and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE).
If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
(Panorama management server only) The Security Zone and Virtual System columns display None after a Device Group and Template administrator with read-only privileges performs a context switch.
The request shutdown system command does not shut down the Panorama management server.
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.
In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode:
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
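Two entries above describe gaps in configuration validation: Panorama does not check for duplicate members in address or service groups created from the CLI, and duplicate names across address objects, address groups, and external dynamic lists can cause unexpected policy behaviour. The following script is an added example (not Palo Alto Networks code) that audits an exported PAN-OS-style XML configuration for both conditions before it is committed. The XML layout (devices/entry/vsys/entry with address, address-group, service-group and external-list containers) and the embedded sample configuration are assumptions constructed for this example; adjust the paths if your export differs.

```python
"""Audit a PAN-OS style XML configuration for duplicate object names and
duplicate group members. Added example, not Palo Alto Networks code.

Assumed layout (constructed for this example):
  /config/devices/entry/vsys/entry[@name]/address/entry[@name]
  /config/devices/entry/vsys/entry[@name]/address-group/entry[@name]/static/member
  /config/devices/entry/vsys/entry[@name]/service-group/entry[@name]/members/member
  /config/devices/entry/vsys/entry[@name]/external-list/entry[@name]
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Containers whose entry names share one namespace when referenced from a policy rule.
NAME_CONTAINERS = ("address", "address-group", "external-list")

# Group containers and the relative path to their member list.
GROUP_MEMBER_PATHS = {
    "address-group": "static/member",
    "service-group": "members/member",
}

# Constructed sample: "web-srv" is both an address and an address group,
# and the "servers" group lists "web-srv" twice.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1">
      <address>
        <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
        <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      </address>
      <address-group>
        <entry name="servers"><static>
          <member>web-srv</member><member>db-srv</member><member>web-srv</member>
        </static></entry>
        <entry name="web-srv"><static><member>db-srv</member></static></entry>
      </address-group>
      <service-group>
        <entry name="std-web"><members>
          <member>service-http</member><member>service-https</member>
        </members></entry>
      </service-group>
      <external-list>
        <entry name="blocklist"><type><ip><url>https://edl.example.invalid/ips.txt</url></ip></type></entry>
      </external-list>
    </entry>
  </vsys></entry></devices>
</config>"""


def find_name_collisions(xml_text):
    """Return {vsys: {name: [containers]}} for names defined in more than one container."""
    root = ET.fromstring(xml_text)
    collisions = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        seen = defaultdict(list)
        for container in NAME_CONTAINERS:
            for entry in vsys.iterfind(f"./{container}/entry"):
                seen[entry.get("name")].append(container)
        dups = {name: conts for name, conts in seen.items() if len(conts) > 1}
        if dups:
            collisions[vsys.get("name")] = dups
    return collisions


def find_duplicate_members(xml_text):
    """Return {vsys: {"container/group": [duplicated members]}} for groups listing a member twice."""
    root = ET.fromstring(xml_text)
    result = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        per_vsys = {}
        for container, member_path in GROUP_MEMBER_PATHS.items():
            for group in vsys.iterfind(f"./{container}/entry"):
                members = [m.text for m in group.iterfind(f"./{member_path}")]
                dup = sorted({m for m in members if members.count(m) > 1})
                if dup:
                    per_vsys[f"{container}/{group.get('name')}"] = dup
        if per_vsys:
            result[vsys.get("name")] = per_vsys
    return result


if __name__ == "__main__":
    # Run against the constructed sample; point ET at an exported config for real use.
    for vsys, dups in find_name_collisions(SAMPLE_CONFIG).items():
        for name, containers in dups.items():
            print(f"{vsys}: name '{name}' defined in {', '.join(containers)}")
    for vsys, groups in find_duplicate_members(SAMPLE_CONFIG).items():
        for group, members in groups.items():
            print(f"{vsys}: {group} lists duplicate member(s) {', '.join(members)}")
```

Run it against a configuration exported from the firewall or Panorama before committing; a non-empty result from either function is a change to fix in the candidate configuration rather than something to rely on the commit validator to catch.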
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
HTTP Header Insertion does not work when jumbo frames are received out of order.
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases. To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection. This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.
When you configure a VM-500 firewall with an SCTP Protection profile and you try to add the profile to an existing Security Profile Group (Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up.
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks (such as installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
You cannot configure an IP address using templates for HA2 (Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in a high availability (HA) configuration.
Workaround: Configure HA2 in the CLI using the following commands:
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
When you configure a PA-5220 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses cannot exceed 3,000; otherwise, the commit fails.
In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.
Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate.
When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only by using the set session udp-offload no CLI command.
VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (VM Information Sources).
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address.
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile.
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists and the Share Unused Address and Service Objects with Devices option is disabled.
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
Workaround: There are three possible workarounds to sync the controller nodes:
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications.
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (External Dynamic Lists).
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
The following issues apply when configuring a firewall to use a hardware security module (HSM):
Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Scheduled Log Export, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.