Changes to Default Behavior

Changes to the default behavior in PAN-OS® 9.1.
The following table details the changes in default behavior upon upgrade to PAN-OS® 9.1. You may also want to review the CLI Changes in PAN-OS 9.1 and the Upgrade/Downgrade Considerations before upgrading to this release.
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
PAN-OS REST API request parameters and error responses
  • The REST API methods now accept the API key only through a custom HTTP header and no longer as a query parameter. To authenticate your REST API request to the firewall or Panorama, use the custom HTTP header
    X-PAN-Key: <key>
    to include the API key in the HTTP header. This change applies only to the REST API; the XML API is unchanged.
  • The REST API methods now implement both
    with custom HTTP mappings instead of action query parameters. Examples of the new and previous conventions are below.
    Rename an address:
    • New convention:
      POST /restapi/<version>/objects/addresses:rename
    • Replaces:
      POST /restapi/<version>/objects/addresses?action=rename
    Move a security policy rule:
    • New convention:
      POST /restapi/<version>/policies/securityrules:move
    • Replaces:
      POST /restapi/<version>/policies/securityrules?action=move
  • There is a new error response format for all REST API methods. This new format offers consistent and reliable error reporting that includes both human-readable messages and parsable error codes. The format includes overall request status, product-specific error codes, and details that will give the caller the maximum amount of data available if an error does occur.
  • The REST API URIs now denote version with a
    prefix for versions 9.1 and beyond. Examples of the new and previous conventions are below:
    • New convention:
      GET /restapi/v9.1/objects/addresses
    • Replaces:
      GET /restapi/9.0/objects/addresses
URL Category Lookup Timeout
Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.
Also, you can now adjust this timeout in the web interface by navigating to
and changing the value for
Category lookup timeout
Web Interface Configuration to Hold Web Requests During URL Category Lookups
The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to
and checking the box next to
Hold client request for category lookup
GlobalProtect Host Information
On the ACC, the
GlobalProtect Host Information
widget under the Network Activity tab is now renamed
HIP Information
SCTP Service Object
In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules.
SD-WAN Auto VPN Configuration
PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2
Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0 2 and push the configuration from Panorama, Panorama removes the VPN tunnels between hubs that it previously created.
SAML Authentication
PAN-OS 9.1.3 and later 9.1 releases
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
  • Ensure that you configure the signing certificate of your SAML Identity Provider as the
    Identity Provider Certificate
    on the SAML Identity Provider Server Profile.
  • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.
PA-7000 Series Firewall Memory Limit for the Management Server
PAN-OS 9.1.5 and later 9.1 releases
As of PAN-OS 9.1.5, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use:
debug software resource-control enable
To disable resource-control groups, use:
debug software resource-control disable
To set the memory limit, use:
debug management-server limit-memory enable
To remove the memory limit, use:
debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.

Recommended For You