Known Issues

The following list describes known issues and limitations in PAN-OS 9.0 XFR.
Issue ID
Description
PAN-126580
The VM-Series firewall deployed on KVM or ESXi go in to maintenance mode. This issue occurs only when it is configured with 2 NUMA nodes/sockets and is enabled for jumbo frames in DPDK mode.
Workaround
: Configure the firewall with just 1 NUMA node/socket.
  • On ESXi, to configure 1 NUMA node: Select 
    Edit VM
    VM Options
    Advanced
    Edit Settings
    And edit 
    numa.autosize.vcpu.maxPerVirtualNode
     to add all CPUs for the VM to the same node. 
  • On KVM, to configure 1 NUMA node:
    Edit the VM xml file and edit the numa tag to add all CPUs for the VM in the same cell/node.
    <cpu mode='host-model'> <model fallback='allow'/> <numa> <cell id='0' cpus='0-15' memory='58720256' unit='KiB'/> </numa> </cpu>
PAN-125166
VM-Series firewall interfaces that are using SR-IOV stop transmitting packets if you change the maximum transmission unit (MTU) directly on the physical function on the host while the firewall is powered on.
Workaround
: Shut down the VM-Series firewall and re-add the SR-IOV configuration. See this article for details on the SR-IOV configuration. 
PAN-124265
Active-active HA is not supported on the VM-Series firewall on ESXi with SR-IOV, or KVM with SR-IOV.
PAN-124071
When using SR-IOV on the VM-Series firewall on KVM, traffic (both data and HA packets for session state synchronization) does not pass through the firewall if the MTU size is not set to 1600 bytes.
Workaround:
 Set the MTU size to 1600 bytes on the host physical interface. 
PAN-123583
You cannot install the PAN-OS-9.0.3.xfr software image when you manually upload and install the software image.
Workaround
: If you use Panorama to manage your VM-Series firewalls, you can download the image from 
Panorama
Device Deployment
Software
 and install it on the VM-Series firewalls. If you do not use Panorama, download the software image from the Palo Alto Networks Support portal. And log in to the firewall and select 
Device
Software
 to manually upload the image. Select 
Upload only to device (do not install)
, and after it is done 
Install
 the image. 
You must install the VM-Series plugin 1.0.5 on the firewall before you install PAN-OS-9.0.3.xfr. 

Recommended For You