Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.1.
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
PAN-OS REST API request parameters and error responses
URL Category Lookup Timeout
Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.
Also, you can now adjust this timeout in the web interface by navigating to
and changing the value for
Category lookup timeout.
Web Interface Configuration to Hold Web Requests During URL Category Lookups
The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to
and checking the box next to
Hold client request for category lookup.
GlobalProtect Host Information
On the ACC, the
GlobalProtect Host Informationwidget under the Network Activity tab is now renamed
SCTP Service Object
In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules.
SD-WAN Auto VPN Configuration
PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2)
Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0 2 and push the configuration from Panorama, Panorama removes the VPN tunnels between hubs that it previously created.
PAN-OS 9.1.3 and later 9.1 releases)
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
PA-7000 Series Firewall Memory Limit for the Management Server
PAN-OS 9.1.5 and later 9.1 releases)
As of PAN-OS 9.1.5, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use:
debug software resource-control enable
To disable resource-control groups, use:
debug software resource-control disable
To set the memory limit, use:
debug management-server limit-memory enable
To remove the memory limit, use:
debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.
In prior releases, redistributed static routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally. Beginning with PAN-OS 9.1, the forwarding address is set to the next hop if the next hop is part of the OSPF domain; otherwise, the forwarding address is set to 0.0.0.0.
PAN-OS 9.1.13 and later 9.1 releases)
Prior to PAN-OS 9.1.13, when one end of an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS always used SHA1 authentication. Beginning with PAN-OS 9.1.13:
Recommended For You
Recommended videos not found.