Limitations
Limitations related to PAN-OS 9.1 releases.
The following are limitations
associated with PAN-OS 9.1.
Issue ID | Description |
|---|---|
— | Firewalls and appliances perform
a software integrity check periodically when they are running and
when they reboot. If you simultaneously boot up multiple instances
of a VM-Series firewall on a host or you enable CPU over-subscription
on a VM-Series firewall, the firewall boots in to maintenance mode
when a processing delay results in a response timeout during the
integrity check. If your firewall goes in to maintenance mode, please
check the error and warnings in the fips.log file. A reboot
always occurs during an upgrade so if you enabled CPU over-subscription
on your VM-Series firewall, consider upgrading your firewall during
a maintenance window. |
PAN-215869 | PAN-OS logs ( Monitor Logs Device Server Profiles NetFlow Network Interface The following firewalls are impacted:
|
PAN-208218 | ( Releases earlier than PAN-OS 9.1.14-h6 and PAN-OS
9.1.15-h1 ) Due to a component change, PAN-OS 9.1.15 and
versions earlier than PAN-OS 9.1.14-h6 are no longer supported on
later hardware revisions of the PA-5200 Series. |
PAN-174784 | Up to 100,000 daily summary logs can be
processed for Scheduled and Run Now custom reports ( Monitor Manage Custom Reports |
PAN-174442 | When a Certificate Profile ( Device >
Certificate Management > Certificate Profile ) is configured
to Block session if certificate status cannot be retrieved within timeout ,
the firewall allows client certificate validation to go through
even if the CRL Distribution Point or OCSP Responder is unreachable.Workaround: You
must also enable Block session if certificate status is unknown to
ensure Block session if certificate status cannot be retrieved
within timeout is effective. |
PAN-174038 | In an SD-WAN configuration, when a GlobalProtect
Gateway is terminated on a loopback interface, if the tunnel protocol
is udp-encapsulated ESP (IPSec), the return traffic from the Gateway toward
the client is load-balanced across all of the SD-WAN member interfaces
and cannot be subjected to an SD-WAN policy. |
PAN-172144 | On a Panorama management server deployed on
VMware ESXi that is managing Dedicated Log Collectors, filtering
traffic logs ( Monitor Logs Traffic (time_generated_geq) filter
does not return results for the specified Generate Time if
the Dedicated Log Collectors are in different time zones.Workaround: Configure
the same time zone for the Dedicated Log Collectors you are querying.
|
PAN-160782 | ( PAN-OS 9.1.9 and later 9.1 releases )
BGP supports a maximum of 255 AS numbers in an AS_PATH list for
a prefix. |
PAN-159293 This issue is
now released. See PAN-OS 9.1.11 Addressed Issues | Certification Revocation List (CRL)
in Distinguished Encoding Rules (DER) format may erroneously return
errors despite being able to successfully pull the CRL to verify
that the syslog server certificate is still valid. |
PAN-158304 | On the Panorama management server, forwarded
logs ( Monitor Logs Traffic Panorama Collector Groups Workaround: When
deploying your Log Collectors in a Collector Group, ensure they
are both deployed on the same LAN or that the latency between Log
Collectors in the Collector Group does not exceed 10ms. |
PAN-153803 | On the Panorama management
server, scheduled email PDF reports ( Monitor PDF Reports |
PAN-157443 | ( PAN-OS 9.1.6 and later 9.1 releases )
If the number of SD-WAN policies is close to capacity, sometimes
renaming a policy results in the following error: If deleting the rule and adding it again doesn’t work, take the following steps:
|
PAN-151900 | If your SD-WAN configuration uses auto VPN
configuration of hub priority for BGP local preference and you have
multiple hubs with the same priority, Panorama appropriately enables
ECMP to select a path from among multiple paths to the same destination.
The limitation is that the ECMP Symmetric Return setting
is not supported on SD-WAN interfaces. |
PAN-142180 | ( PAN-OS 9.1.2 and later 9.1 releases )
In an SD-WAN Hub-Spoke configuration, suppose Branch A and Branch
B each have an MPLS link to the hub and all devices have VPN
Data Tunnel Support disabled. For traffic from Branch
A to Branch B, if Branch A selects a tunnel to go through the hub
and the hub selects the MPLS link to reach Branch B, the traffic
will fail because return traffic may go to Branch A directly through
MPLS, without going through the hub. (The next packet from Branch
A to Branch B is dropped at the hub because the TCP three-way handshake
fails.) |
PAN-142114 | You must Contact Palo Alto Networks Support before
you downgrade a Panorama management server, PA-7000 Series firewall,
and PA-5200 Series firewall to avoid commit failures on successful
downgrade to PAN-OS 9.0. |
PAN-142084 | Upgrading a Panorama management server deployed
on Amazon Web Services (AWS) using a C5 or M5 instance type to PAN-OS
9.1.1 causes the Panorama virtual appliance to become unresponsive. |
PAN-137615 | On the Panorama management server, scheduled
content updates ( Panorama Device Deployment Dynamic Updates Download
Only cause commit failures for the VM-Series firewalls.Workaround: Configure
scheduled content updates for VM-Series firewalls to Download
and Install . |
PAN-128908 | If an admin user password is changed but
no commit is performed afterward, the new password does not persistent
after a reboot. Instead, the admin user can still use the old password
to log in, and the calculation of expiry days is incorrect based
on the password change timestamp in the database. |
PAN-107142 | After adding a new virtual system from the
CLI, you must log out and log back in to see the new virtual system
within the CLI. |
PAN-106675 | After upgrading the Panorama management
server to PAN-OS 8.1 or a later release, predefined reports do not
display a list of top attackers. Workaround: Create
new threat summary reports (Monitor PDF Reports Manage PDF Summary |
PAN-99845 | After an HA firewall fails
over to its HA peer, sessions established before the failover might
not undergo the following actions in a reliable manner:
|
PAN-99483 | ( Affects only PA-7000 Series firewalls
that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B
Switch Management Cards ) When you deploy the firewall in a
network that uses Dynamic IP and Port (DIPP) NAT translation with
PPTP, client systems are limited to using a translated IP address-and-port
pair for only one connection. This issue occurs because the PPTP
protocol uses a TCP signaling (control) protocol that exchanges
data using Generic Routing Encapsulation (GRE) version 1 and the
hardware cannot correlate the call-id in the GRE version 1 header
with the correct dataplane (the one that owns the predict session
of GRE). This issue occurs even if you configure the Dynamic IP and
Port (DIPP) NAT Oversubscription Rate to allow
multiple connections (Device Setup Session Session
Settings NAT Oversubscription Workaround: Upgrade
to a second-generation SMC-B card. |
PAN-97821 | The commit all job
is executed from Panorama to the firewall only if the newly added
firewall is running PAN-OS 8.1 or a later release with Auto
Push on 1st Connect enabled. |
PAN-92719 | When performing destination NAT to a translated
address that is Dynamic IP (with session distribution) ,
the firewall does not remove duplicate IP addresses from the list
of destination IP addresses before the firewall distributes sessions.
The firewall distributes sessions to the duplicate addresses in
the same way it distributes sessions to non-duplicate addresses. |
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.
