>
    Strata Copilot
    Limitations in PAN-OS 12.1
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Limitations
    4. Limitations in PAN-OS 12.1
    Download PDF
    Next-Generation Firewall

    Limitations in PAN-OS 12.1

    Table of Contents

    Limitations in PAN-OS 12.1

    What are the limitations related to PAN-OS 12.1 releases?
    The following are limitations associated with PAN-OS 12.1.
    Issue ID
    Description
    PLUG-18442
    Adding unique vSphere cluster names across different data centers on the vCenter isn't supported.
    PAN-298514
    WildFire clusters operating in FIPS-CC mode are not currently supported in PAN-OS 12.1.2.
    PAN-297731
    		In an AI HSF cluster, the MTU of the external interfaces on AI-Gateway nodes cannot exceed 8650 in jumbo mode
    PAN-293738
    When you enable DNS Rewrite, the firewall doesn't honor the TSIG (transaction signature authentication) flag and updates the DNS response packet regardless of the TSIG flag.
    PAN-289560
    When NGFWs drop TLSv1.3 forward proxy sessions due to an unavailable HSM, the decryption logs record the wrong reason.
    PAN-286331
    When you enable QoS on physical interface of the firewalls (PA-3200, PA-5200, PA-7000, PA-7050, PA-7080, PA-5450, PA-7500, and PA-5500), you can configure bandwidth at four distinct levels per port:
    • Per-class egress maximum bandwidth within a profile
    • Per-profile egress maximum bandwidth
    • Egress maximum bandwidth for cleartext traffic
    • Per-interface egress maximum bandwidth
    However, if your profile contains real-time classes, you must configure egress maximum bandwidth for each real-time individual class. If you don't configure this per-class bandwidth with real-time class, your total maximum bandwidth may exceed the limits you set at the profile level or cleartext traffic level.
    PAN-282032
    Traffic forwarding issues occur due to stale orphan flows resulting in traffic drops or a silent discard in new sessions.
    Workaround:
    1. Check Flow Table Usage: Run the following command on all gateway nodes in the cluster:
      debug dataplane sw-asic dump flow-table info
    2. Analyze the flow table entries and look for the following values in the output:
      • Number of flows supported
      • Number of allocated flows
      If the allocated flows exceed 90% of the supported capacity and the count isn’t decreasing, then the issue is likely present.
    3. Reboot Gateway Nodes: Perform a graceful shutdown or reboot all gateway nodes in the vm-hsf cluster.
    4. Verify Flow Table Cleanup: After the reboot, rerun the flow table command and check if the Number of allocated flows has decreased.
    5. Test the traffic flow: Send new traffic flows and verify if they are processed correctly.
    PAN-275659
    Modifications to TI interfaces (including changes to the TI checkbox, IP addresses, port groups, vmnic, or other interface settings), are not advised.
    Workaround: If you need to modify the TI interfaces, ensure that you reboot the cluster.
    PAN-275628
    IPv6 for management interfaces of cluster nodes is not supported by VM HSF.
    PAN-274758
    Multiple reboots of one or more gateway nodes could lead to unexpected traffic loss in the cluster.
    Workaround: Restart all the nodes in the cluster to recover it.
    PAN-270126
    If a content mismatch is observed on nodes in a cluster, then Cluster nodes transition to a warning state.
    Workaround: Install same content versions across all the nodes and the Panorama.
    PAN-216214
    For Panorama-managed firewalls in an Active/Active and Active/Passive High Availability (HA) configuration where you configure the firewall HA settings (DeviceHigh Availability) in a template or template stack (PanoramaTemplates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring.

    © 2026 Palo Alto Networks, Inc. All rights reserved.