Limitations in PAN-OS 12.1

What are the limitations related to PAN-OS 12.1 releases?
The following are limitations associated with PAN-OS 12.1.
Issue ID
Description
PLUG-18442
Adding unique vSphere cluster names across different data centers on the vCenter isn't supported.
PAN-298514
WildFire clusters operating in FIPS-CC mode are not currently supported in PAN-OS 12.1.2.
PAN-297731
In an AI HSF cluster, the MTU of the external interfaces on AI-Gateway nodes cannot exceed 8650 in jumbo mode.
PAN-293738
When you enable DNS Rewrite, the firewall doesn't honor the TSIG (transaction signature authentication) flag and updates the DNS response packet regardless of the TSIG flag.
PAN-289560
When NGFWs drop TLSv1.3 forward proxy sessions due to an unavailable HSM, the decryption logs record the wrong reason.
PAN-282032
Traffic forwarding issues occur due to stale orphan flows resulting in traffic drops or a silent discard in new sessions.
Workaround:
  1. Check Flow Table Usage: Run the following command on all gateway nodes in the cluster:
    debug dataplane sw-asic dump flow-table info
  2. Analyze the flow table entries and look for the following values in the output:
    • Number of flows supported
    • Number of allocated flows
    If the allocated flows exceed 90% of the supported capacity and the count isn’t decreasing, then the issue is likely present.
  3. Reboot Gateway Nodes: Perform a graceful shutdown or reboot all gateway nodes in the vm-hsf cluster.
  4. Verify Flow Table Cleanup: After the reboot, rerun the flow table command and check if the Number of allocated flows has decreased.
  5. Test the traffic flow: Send new traffic flows and verify if they are processed correctly.
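The check in steps 2 and 4 can be run over saved command output, as in this added example (not Palo Alto Networks code). It assumes each counter appears as the label from step 2 followed by a number on the same line; the sample outputs are constructed, and "isn't decreasing" is read as the latest count being no lower than the first.

```python
import re

# Labels are the two named in step 2; the "label: number" layout is an assumption.
FIELDS = {
    "supported": re.compile(r"Number of flows supported[^\d\n]*(\d+)", re.I),
    "allocated": re.compile(r"Number of allocated flows[^\d\n]*(\d+)", re.I),
}

def parse_flow_table(output):
    """Pull both counters out of one saved command output."""
    counters = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(output)
        if match is None:
            raise ValueError(f"counter not found: {name}")
        counters[name] = int(match.group(1))
    if counters["supported"] <= 0:
        raise ValueError("supported flow count must be positive")
    return counters

def over_threshold(counters, percent=90):
    """True when allocated flows exceed `percent` of supported (integer math)."""
    return counters["allocated"] * 100 > counters["supported"] * percent

def assess_node(samples):
    """samples: outputs from one node, oldest first. Step 2's test, read here as:
    latest sample above 90% and allocated count not lower than in the first sample."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to judge the trend")
    first, last = parse_flow_table(samples[0]), parse_flow_table(samples[-1])
    stuck = last["allocated"] >= first["allocated"]
    return "likely-affected" if over_threshold(last) and stuck else "ok"

def cleanup_verified(before_reboot, after_reboot):
    """Step 4: allocated flows must be lower after the reboot."""
    return (parse_flow_table(after_reboot)["allocated"]
            < parse_flow_table(before_reboot)["allocated"])

# Constructed sample outputs, not captured from a device.
def sample(allocated, supported=1000000):
    return f"Number of flows supported: {supported}\nNumber of allocated flows: {allocated}\n"

NODE_A = [sample(948000), sample(951200)]   # high and flat
NODE_B = [sample(950000), sample(920000)]   # high but draining
AFTER_REBOOT = sample(1200)

if __name__ == "__main__":
    for name, samples in (("node-a", NODE_A), ("node-b", NODE_B)):
        print(name, assess_node(samples))
    print("cleanup verified:", cleanup_verified(NODE_A[-1], AFTER_REBOOT))
```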
PAN-275659
Modifications to TI interfaces (including changes to the TI checkbox, IP addresses, port groups, vmnic, or other interface settings) are not advised.
Workaround: If you need to modify the TI interfaces, ensure that you reboot the cluster.
PAN-275628
IPv6 for management interfaces of cluster nodes is not supported by VM HSF.
PAN-274758
Multiple reboots of one or more gateway nodes could lead to unexpected traffic loss in the cluster.
Workaround: Restart all the nodes in the cluster to recover it.
PAN-270126
If a content mismatch is observed on nodes in a cluster, the cluster nodes transition to a warning state.
Workaround: Install the same content version across all the nodes and Panorama.
PAN-216214
For Panorama-managed firewalls in an Active/Active and Active/Passive High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring.