Known Issues Related to PAN-OS 10.0 Releases
Focus
Focus

Known Issues Related to PAN-OS 10.0 Releases

Table of Contents
End-of-Life (EoL)

Known Issues Related to PAN-OS 10.0 Releases

List of known issues in all PAN-OS® 10.0 releases.
The Consolidated List of PAN-OS 10.0 Known Issues includes all known issues that impact the PAN-OS® 10.0 release. This list includes both outstanding issues and issues that are addressed in Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more general or that are not identified by a specific issue ID.
To review the subset of outstanding known issues for a specific PAN-OS 10.0 maintenance release, see the following lists:

Consolidated List of PAN-OS 10.0 Known Issues

Issue ID
Description
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Upgrading a PA-220 firewall takes up to an hour or more.
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less that the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license, indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
APL-7916
Traffic logs forwarded to Cortex Data Lake by a Panorama-managed firewall in a high availability (HA) cluster may appear duplicated in the Panorama Traffic logs (MonitorTraffic).
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in PanoramaACCthreat-activity appears blank.
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server.
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (PanoramaDevice Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
PAN-185966
The debug skip-cert-renewal-check-syslog yes command is not available on Log Collector CLI to stop the Dedicated Log Collector from trying to renew the device certificate and displaying the following error:
No valid device certificate found
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (DeviceSetupManagement) to a managed firewall erroneously displays commit time out as the reason the commit failed.
PAN-178194
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites—
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model—
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
PAN-177363
This issue is now resolved. See PAN-OS 10.0.9 Addressed Issues.
Dedicated Log Collector system and config logs cannot be ingested and are dropped when they are forwarded to a Panorama management server in Management Only mode, resulting in Dedicated Log Collector system and config logs not being viewable on Panorama in Management Only mode.
PAN-174004
On the Panorama management server, local or Dedicated Log Collector mode cannot successfully join an ElasticSearch cluster when added to a Collector Group (PanoramaCollector Groups) if the SSH key length for a Log Collector in the cluster is greater than 2048 characters.
PAN-173509
This issue is now resolved. See PAN-OS 10.0.9 Addressed Issues.
Superuser administrators with read-only privileges (DeviceAdministrators and PanoramaAdministrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (PoliciesSecurityApplicationValueShow Application Filter).
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID using the App-usage widget.
PAN-171512
In 10.0, 9 GB of memory might be insufficient for the VM-300 depending upon the feature set or combination of feature sets used on the firewall.
Workaround: If you experience memory resource related issues, increase memory to 11 GB to accommodate the additional memory requirements of some of the features or combination of features. Alternately, you can Enable ZRAM on the VM-Series Firewall to improve memory usage.
PAN-169433
This issue is now resolved. See PAN-OS 10.0.9 Addressed Issues.
On the Panorama management server, clicking Run Now for a custom report (MonitorManage Custom Reports) with 32 or more filters in the Query Builder returns the result No matching records
PAN-168113
On the Panorama management server, you are unable to configure a master key (DeviceMaster Key and Diagnostics) for a managed firewall if an interface (NetworkInterfacesEthernet) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
PAN-167401
This issue is now resolved. See PAN-OS 10.0.6 Addressed Issues
Fixed an issue where, when a firewall or Panorama appliance configured with a proxy was upgraded to PAN-OS 10.0.3 or a later release, it failed to connect to edge service.
PAN-164885
On the Panorama management server, pushes to managed firewalls (CommitPush to Devices or Commit and Push) may fail when an EDL (ObjectsExternal Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
PAN-163676
Next-Gen Firewalls are unable to connect to a syslog server when the certificates required to connect to the syslog server are part of a Certificate Profile (DeviceCertificate ManagementCertificate Profile) if the Use OCSP setting is enabled to check the revocation status of certificates.
Workaround: Enable Use CRL to check the revocation status of certificates in the Certificate Profile.
PAN-162743
In some cases, the firewall may not receive updates for the Device Dictionary, which causes the firewall to replace new attributes in the IP address-to-device mappings with “unknown.”
Workaround: Reboot the firewall.
PAN-161955
Firewalls erroneously generate a high severity system log (MonitorLogsSystem) when the firewall connects to a syslog server.
PAN-162088
On the Panorama management server in a high availability (HA) configuration, content updates (PanoramaDynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
PAN-160163
This issue is now resolved. See PAN-OS 10.0.4 Addressed Issues.
Icons in the left sidebar have multiple layers. This issue does not affect any functionality.
PAN-160410
In the ACC, data cannot be imported or exported when a User filter (ACCNetwork ActivitySet Tab FiltersUser) that contains characters not supported by URL format, such as DOMAIN/USER, is applies to the Network Activity widget.
PAN-157885
This issue is now resolved. See PAN-OS 10.0.4 Addressed Issues.
When you configure an SD-WAN full mesh VPN cluster, Auto VPN automatically creates an M x N mesh between all devices you add, regardless of whether they are branches or hubs. This mesh configuration will have tunnels that connect low-cost services to higher-cost services and there is no way for you to prioritize the tunnel preference. For example, a low-cost broadband link at site A will create a VPN tunnel to a high-cost LTE link at site B and traffic will be sent over the tunnel members of the virtual interface without prioritization.
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (DeviceSetupDLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and CommitCommit and Push to your managed firewall downgraded to PAN-OS 9.1.
PAN-157240
When a firewall has hardware offloading turned on and OSPF enabled, if ECMP is enabled or disabled for a virtual router during a configuration commit, OSPF sessions may get stuck in Exchange Start state.
Workaround: Disable OSPF when enabling or disabling ECMP, and then re-enable OSPF in the next commit.
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
PAN-156023
If the firewall fails a file system integrity check while FIPS-CC mode is enabled, the appliance will receive a hash mismatch error and enter maintenance mode on the next reboot.
Workaround: Upgrade to PAN-OS 10.0.2.
PAN- 155147
(VM-Series Firewalls on Azure only) For VM-Series firewall on Azure that use accelerated networking interfaces, hot plug notifications cause some traffic disruption. These hotplug notification events are generated on Azure, typically when the host is undergoing any maintenance or migrations on their end, and these events are not initiated or controlled by the VM-Series firewall.
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (CommitCommit to Panorama) failures if a custom report (MonitorManage Custom Reports) is configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
PAN-154247
This issue is now resolved. See PAN-OS 10.0.2 Addressed Issues.
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
PAN-154034
On the Panorama management server, the Type column in the System logs (MonitorLogsSystem) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config (PanoramaPlugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
PAN-153803
On the Panorama management server, scheduled email PDF reports (MonitorPDF Reports) fail if a GIF image is used in the header or footer.
PAN-153727
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
When using the Chrome browser on an Apple MAC laptop, firewalls managed by the Panorama management server running PAN-OS 10.0.1 may not display when you Edit Selections (CommitCommit and Push or CommitPush to Devices)when you push a configuration change to managed firewalls.
Workaround: Log in to the Panorama web interface using the Safari browser or manually adjust the size of the Push Scope Selection window until the managed firewalls are displayed.
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
PAN-153231
This issue is now resolved. See PAN-OS 10.0.2 Addressed Issues.
PA-7080 Series firewalls deployed with 100G-NPC cards and legacy cards using older system management controllers (SMC) with over 2,500 IPSec tunnels commit successfully but the 100G-NPC cards fail and display as down.
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
PAN-152458
On the VM-Series firewall on Microsoft Hyper-V, when upgrading to PAN-OS 10.0.0 or later, ethernet packets might be dropped after adding VLAN tags during egress from a subinterface.
Workaround: Create the Hyper-V Virtual Switch with MTU size 1504, store as persistent and reboot for the changes to take effect. Before upgrading PAN-OS, access the VM-Series firewall CLI and set the MTU size on firewall interfaces to 1504.
PAN-152433
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured, if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The same non-functional state results if both HA peers are running PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.00. The upgraded or downgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround: After an upgrade or downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
PAN-152263
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
The Azure auto scaling templates in the GitHub repository require a Panorama virtual appliance with the Panorama plugin for Azure v2.0.0.The Panorama hardware appliances do not support the Azure auto scaling templates.
PAN-151909
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
On the Panorama management server, Preview Changes (CommitCommit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (NetworkVirtual Router)
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
PAN-151231
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
On the Panorama management server, you are unable to commit any configuration changes after you successfully downgrade from PAN-OS 10.0 to PAN-OS 9.1 or earlier release due to custom admin roles (PanoramaAdmin Roles) configured on Panorama.
Workaround: Log in to the Panorama CLI and load the running config
admin> configure
admin# load config from running-config.xml
admin# commit force
PAN-151198
On the Panorama management server, read-only Panorama administrators (PanoramaAdministrators) can load managed firewall configuration Backups (PanoramaManaged DevicesSummary).
PAN-151115
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
If a Security rule uses a IP Address External Dynamic List (EDL) for IPv6 traffic, the information for the EDL does not display in the Source EDL or Destination EDL columns in the logs.
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
PAN-151049
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
Multi-plugin support for Panorama is not enabled by default on Panorama 10.0.0.
Workaround: Enable multi-plugin support by accessing the Panorama CLI and executing the commands request feature enable yes feature-name dau3 and debug software restart process configd.
PAN-150998
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
If you deploy a VM-Series firewall on VMware NSX that has been assigned a serial number that was used by a previously deactivated firewall, the new firewall might be deployed in a deactivated or partially deactivated state.
Workaround: You must delete the firewall in NSX Manager. In Panorama, delete the firewall from the Template Stack, Device Group, and Managed Devices lists and Commit your changes. The redeploy the firewall.
PAN-150898
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
If you downgrade from PAN-OS 10.0 to PAN-OS 9.1, a commit error occurs if the HA1 interface isn’t configured.
Workaround: You can either select the PAN-OS 9.1 configuration you were using before you upgraded to PAN-OS 10.0 or, before you downgrade to PAN-OS 9.1, you can use the CLI configuration command to configure the HA1 interface (set deviceconfig high-availability interface ha1) and commit.
PAN-150872
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
Samples processed using WildFire inline ML on the PA-220, PA-820, and PA-850 appliances do not support automatic false-positive correction.
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
PAN-150714
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
The Panorama management server continues to forward syslogs to a syslog server over the management interface when configured to forward syslogs over the Ethernet1/1 interface (PanoramaSetupInterfaces).
PAN-150515
This issue is now resolved. See PAN-OS 10.0.0 Addressed Issues.
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
PAN-149913
On the firewall CLI, the show system info command displays the management IP address of the firewall as the Ethernet1/1 interface IP address.
On the Panorama management server, the IPv4 address (PanoramaManaged DevicesSummary) displays the Ethernet1/1 interface IP address.
PAN-149687
This issue is now resolved. See PAN-OS 10.0.0 Addressed Issues.
When you install an IoT Security eval license on a firewall, the Device Object page in the firewall web interface erroneously displays a message that a license is required for the page to function although it actually functions properly.
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ).
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
PAN-148359
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
SD-WAN server-to-client symmetric return does not function correctly under certain circumstances, and the issue can also affect path selection of parent/child applications, such as FTP.
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
PAN-146030
This issue is now resolved. See PAN-OS 10.0.2 Addressed Issues.
Enhanced application logging is not supported for firewalls connected to Cortex Data Lake through a proxy server.
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
PAN-140084
This issue is now resolved. See PAN-OS 10.0.1 Addressed Issues.
There is an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set to 2.
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
PAN-138537
ElasticSearch does not form a cluster when all of the following conditions are met for a Collector Group (PanoramaCollector Groups) resulting in loss of logs:
  • The Collector Group consisters of two or more Log Collectors.
  • The Panorama management server is in a high availability (HA) configuration.
  • The SSH Service Profile (PanoramaCertificate ManagementSSH Service Profile) does not include the following ciphers.
    • aes128-cbc
    • aes256-cbc
    • aes128-ct
Workaround: Add the specified ciphers to the SSH Service profile and Commit and Push the configuration change to the Collector Group. If you still experience log loss due to the ElasticSearch cluster not being formed, contact Palo Alto Networks Support to restart the ElasticSearch service.
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (PanoramaDevice DeploymentSoftware) but display as connected when you view your managed firewalls Summary (PanoramaManaged DevicesSummary) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLi commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (ObjectsAddress Groups) and duplicate services in service groups (ObjectsService Groups) when created from the CLI.
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
PAN-123805
On the managed firewall web interface, the Secure Communication Settings (DeviceSetupManagement) configuration does display a green cog widget to indicate that the configuration was pushed from the Panorama management server.
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
PAN-121678
(PA-7000b Series only) The following error during secure boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)Maintenance Mode filesystem size: 2.0G
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (DeviceSetupContent IDURL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (CommitCommit to Panorama) the reverted configuration to display the invalid configuration errors.
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (ObjectsGlobalProtectHIP Objects<hip-object>GeneralManaged), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name><dst> | <src> in <object-name>
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (DevicePassword Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (ObjectsSecurity ProfilesVulnerability Protection<profile>Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (ObjectsSecurity ProfilesSCTP Protection) and you try to add the profile to an existing Security Profile Group (ObjectsSecurity Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (DeviceSetupHSM).
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (DeviceSetupServices).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (DeviceServer ProfilesKerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set
    deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set
    deviceconfig cluster mode controller service-advertisement dns-service
    enabled
    yes
    or
    admin@wf500(active-controller)# set
    deviceconfig cluster mode controller service-advertisement dns-service
    enabled
    no
    Both commands result in Panorama reporting that the controller nodes are in sync.
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (ObjectsExternal Dynamic Lists).
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (MonitorManage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
PAN-118887
This issue is now resolved. See PAN-OS 10.0.2 Addressed Issues.
The new pattern-matching engine in PAN-OS 10.0 does not support the regular expression (regex) character \C. If you try to use this character in a pattern that is only compatible with the new engine, you will see a warning when you try to save the signature.
Example of an invalid signature: ab\Cde
Explanation: Only the new engine allows you to create signatures with fewer than seven literal characters.
Example of a valid signature: ab\Cdefgh
Explanation: This signature is compatible with the former pattern-matching engine, which matches \C to any literal character.