Known Issues Related to PAN-OS 10.0 Releases
List of known issues in all PAN-OS® 10.0 releases.
The Consolidated List of PAN-OS 10.0 Known Issues includes
all known issues that impact the PAN-OS® 10.0 release.
This list includes both outstanding issues and issues that are addressed
in Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not
identified by a specific issue ID.
To review the subset of outstanding known issues for a specific
PAN-OS 10.0 maintenance release, see the following lists:
Consolidated List of PAN-OS 10.0 Known Issues
Issue ID | Description |
---|---|
— | If you use Panorama to retrieve logs from
Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption,
and GlobalProtect) are not visible on the Panorama web interface. Workaround: Enable duplicate logging to send
the logs to CDL and Panorama. This workaround does not support Panorama
virtual appliances in Management Only mode. |
— | Upgrading a PA-220 firewall takes up to
an hour or more. |
— | PA-220 firewalls are experiencing slower
web interface and CLI performance times. |
— | Upgrading Panorama with a local Log Collector
and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant infrastructure
changes. Ensure uninterrupted power to all appliances throughout
the upgrade process. |
— | A critical System log is generated on the
VM-Series firewall if the minimum memory requirement for the model
is not available. |
APPORTAL-3313 | Changes to an IoT Security subscription
license take up to 24 hours to have effect on the IoT Security app. |
APPORTAL-3309 | An IoT Security production license cannot
be installed on a firewall that still has a valid IoT Security eval
or trial license. Workaround: Wait until the 30-day eval
or trial license expires and then install the production license. |
APL-7916 | Traffic logs forwarded to Cortex Data Lake
by a Panorama-managed firewall in a high availability (HA) cluster
may appear duplicated in the Panorama Traffic logs (Monitor > Traffic). |
APL-8269 | For data retrieved from Cortex Data Lake,
the Threat Name column in Panorama > ACC > threat-activity appears blank. |
PLUG-380 | When you rename a device group, template,
or template stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager. Therefore,
any ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your Security policy
is not pushed to VM-Series firewalls that you deploy after you rename
those objects. There is no impact to existing VM-Series firewalls. |
WF500-5471 | After using the firewall CLI to add a WildFire appliance
with an IPv6 address, the initial connection may fail. Workaround: Retry
connecting after you restart the web server with the following command: `debug software restart process web-server`. |
PAN-197341 | On the Panorama management server, if you
create multiple device group Objects with
the same name in the Shared device group and any additional device
groups (Panorama > Device Groups)
under the same device group hierarchy that are used in one or more Policies,
renaming the object with a shared name in any device group causes
the object name to change in the policies where it is used. This
issue applies only to device group objects that can be referenced
in a Security policy rule. For example:
Changing
the name of the address object in the Shared device
group causes the references in the Policy rule to use the renamed Shared object instead
of the device group object. |
PAN-185966 | The `debug skip-cert-renewal-check-syslog yes` command
is not available on the Log Collector CLI to stop the Dedicated Log
Collector from trying to renew the device certificate and displaying
the following error: `No valid device certificate found` |
PAN-180661 | On the Panorama management server, pushing
an unsupported Minimum Password Complexity (Device > Setup > Management)
to a managed firewall erroneously displays commit time out as the
reason the commit failed. |
PAN-178194 | A UI issue in PAN-OS renders the contents
of the Inline ML tab in the URL
Filtering Profile inaccessible on firewalls licensed
for Advanced URL Filtering. Additionally, a message indicating that
a License required for URL filtering to function is
unavailable displays at the bottom of the UI. These errors do not
affect the operation of Advanced URL Filtering or URL Filtering
Inline ML. Workaround: Configuration settings for URL
Filtering Inline ML must be applied through the CLI. The following
configuration commands are available:
|
PAN-177363 This issue is
now resolved. See PAN-OS 10.0.9 Addressed Issues. | Dedicated Log Collector system and config
logs cannot be ingested and are dropped when they are forwarded
to a Panorama management server in Management Only mode, resulting
in Dedicated Log Collector system and config logs not being viewable
on Panorama in Management Only mode. |
PAN-174004 | On the Panorama management server, local
or Dedicated Log Collector mode cannot successfully join an ElasticSearch
cluster when added to a Collector Group (Panorama > Collector Groups) if the SSH
key length for a Log Collector in the cluster is greater than 2048
characters. |
PAN-173509 This issue is
now resolved. See PAN-OS 10.0.9 Addressed Issues. | Superuser administrators with read-only
privileges (Device > Administrators and Panorama > Administrators)
are unable to view the hardware ACL blocking setting and duration
in the CLI using the commands:
|
PAN-171938 | No results are displayed when you Show
Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter). |
PAN-171673 | On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID using
the App-usage widget. |
PAN-171512 | In 10.0, 9 GB of memory might be insufficient
for the VM-300 depending upon the feature set or combination of
feature sets used on the firewall. Workaround: If you
experience memory resource related issues, increase memory to 11 GB
to accommodate the additional memory requirements of some of the
features or combination of features. Alternatively, you can Enable ZRAM on the VM-Series
Firewall to improve memory usage. |
PAN-169433 This issue is
now resolved. See PAN-OS 10.0.9 Addressed Issues. | On the Panorama management server, clicking Run
Now for a custom report (Monitor > Manage Custom Reports) with
32 or more filters in the Query Builder returns the result No matching records |
PAN-168113 | On the Panorama management server, you are unable
to configure a master key (Device > Master Key and Diagnostics)
for a managed firewall if an interface (Network > Interfaces > Ethernet)
references a zone pushed from Panorama. Workaround: Remove
the referenced zone from the interface configuration to successfully configure
a master key. |
PAN-167401 This issue is
now resolved. See PAN-OS 10.0.6 Addressed Issues. | Fixed an issue where, when a firewall or
Panorama appliance configured with a proxy was upgraded to PAN-OS
10.0.3 or a later release, it failed to connect to edge service. |
PAN-164885 | On the Panorama management server, pushes
to managed firewalls (Commit > Push to Devices or Commit
and Push) may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes
due to the commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check for updates
every 5 minutes. |
PAN-163676 | Next-Gen Firewalls are unable to connect
to a syslog server when the certificates required to connect to the
syslog server are part of a Certificate Profile (Device > Certificate Management > Certificate Profile) if the Use
OCSP setting is enabled to check the revocation status
of certificates. Workaround: Enable Use CRL to
check the revocation status of certificates in the Certificate Profile. |
PAN-162743 | In some cases, the firewall may not receive updates
for the Device Dictionary, which causes the firewall to replace
new attributes in the IP address-to-device mappings with “unknown.” Workaround:
Reboot the firewall. |
PAN-161955 | Firewalls erroneously generate a high severity
system log (Monitor > Logs > System) when the firewall connects
to a syslog server. |
PAN-162088 | On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded
to the active HA peer are not synchronized to the passive HA peer
when you Install a content update and enable Sync
to HA Peer. |
PAN-160163 This issue is
now resolved. See PAN-OS 10.0.4 Addressed Issues. | Icons in the left sidebar have multiple
layers. This issue does not affect any functionality. |
PAN-160410 | In the ACC, data
cannot be imported or exported when a User filter (ACC > Network Activity > Set Tab Filters > User)
that contains characters not supported by URL format, such as DOMAIN/USER,
is applied to the Network Activity widget. |
PAN-157885 This issue is
now resolved. See PAN-OS 10.0.4 Addressed Issues. | When you configure an SD-WAN full mesh VPN cluster,
Auto VPN automatically creates an M x N mesh between all devices
you add, regardless of whether they are branches or hubs. This mesh
configuration will have tunnels that connect low-cost services to
higher-cost services and there is no way for you to prioritize the tunnel
preference. For example, a low-cost broadband link at site A will
create a VPN tunnel to a high-cost LTE link at site B and traffic
will be sent over the tunnel members of the virtual interface without prioritization. |
PAN-157444 | As a result of a telemetry handling update,
the Source Zone field in the DNS analytics logs (viewable in the
DNS Analytics tab within AutoFocus) might not display correct results. |
PAN-157327 | On downgrade to PAN-OS 9.1, Enterprise Data
Loss Prevention (DLP) filtering settings (Device > Setup > DLP)
are not removed and cause commit errors for the downgraded firewall
if you do not uninstall the Enterprise DLP plugin before downgrade. Workaround: After
you successfully downgrade a managed firewall to PAN-OS 9.1, commit and
push from Panorama to remove the Enterprise DLP filtering settings
and complete the downgrade. |
PAN-157240 | When a firewall has hardware offloading
turned on and OSPF enabled, if ECMP is enabled or disabled for a virtual
router during a configuration commit, OSPF sessions may get stuck
in Exchange Start state. Workaround: Disable OSPF when enabling
or disabling ECMP, and then re-enable OSPF in the next commit. |
PAN-156598 | (Panorama only) If you configure
a standard custom vulnerability signature in a custom Vulnerability
Protection profile in a shared device group, the shared profile
custom signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature. Workaround: Use
the CLI to update the combination signature. |
PAN-156023 | If the firewall fails a file system integrity
check while FIPS-CC mode is enabled, the appliance will receive a
hash mismatch error and enter maintenance mode on the next reboot. Workaround: Upgrade
to PAN-OS 10.0.2. |
PAN-155147 | (VM-Series Firewalls on Azure only)
For VM-Series firewall on Azure that use accelerated networking
interfaces, hot plug notifications cause some traffic disruption.
These hotplug notification events are generated on Azure, typically
when the host is undergoing any maintenance or migrations on their
end, and these events are not initiated or controlled by the VM-Series
firewall. |
PAN-154292 | On the Panorama management server, downgrading
from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama
commit (Commit > Commit
to Panorama) failures if a custom report (Monitor > Manage Custom Reports)
is configured to Group By Session ID. Workaround: After
successful downgrade, reconfigure the Group By setting in the custom
report. |
PAN-154266 | When an application matches an SD-WAN policy and
some sessions for the same application do not match an SD-WAN policy,
the SD-WAN Monitoring—Traffic Characteristics screen displays the
Links Used information with an SD-WAN policy and a null policy.
Sessions that do not have an SD-WAN policy ID are filtered from
Links Used. Workaround: If you want to see session
logs that include a default selection, create a catch-all SD-WAN
policy rule and place it last in the list of SD-WAN policies. |
PAN-154247 This issue is
now resolved. See PAN-OS 10.0.2 Addressed Issues. | On the Panorama management server, context switching
to and from the managed firewall web interface may cause the Panorama
administrator to be logged out. Workaround: Log out
and back in to the Panorama web interface. |
PAN-154034 | On the Panorama management server, the Type column
in the System logs (Monitor > Logs > System)
for managed firewalls running a PAN-OS 9.1 release erroneously display iot as
the type. |
PAN-154032 | On the Panorama management server, downgrading
to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to be
compatible with PAN-OS 9.1. Workaround: After successful downgrade
to PAN-OS 9.1, Remove Config (Panorama > Plugins)
of the Panorama plugin for Cisco TrustSec and then reconfigure the
plugin. |
PAN-153803 | On the Panorama management server, scheduled email
PDF reports (Monitor > PDF Reports)
fail if a GIF image is used in the header or footer. |
PAN-153727 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | When using the Chrome browser on an Apple
Mac laptop, firewalls managed by the Panorama management server
running PAN-OS 10.0.1 may not display when you Edit Selections (Commit > Commit and Push or Commit > Push to Devices) when you push
a configuration change to managed firewalls. Workaround: Log
in to the Panorama web interface using the Safari browser or manually
adjust the size of the Push Scope Selection window until the managed
firewalls are displayed. |
PAN-153557 | On the Panorama management server CLI, the overall
report status for a report query is marked as Done even though
reports generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running state. |
PAN-153231 This issue is
now resolved. See PAN-OS 10.0.2 Addressed Issues. | PA-7080 Series firewalls deployed with 100G-NPC cards
and legacy cards using older system management controllers (SMC)
with over 2,500 IPSec tunnels commit successfully but the 100G-NPC
cards fail and display as down. |
PAN-153068 | The Bonjour Reflector option is supported
on up to 16 interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled only
for the first 16 interfaces and ignored for any additional interfaces. |
PAN-152458 | On the VM-Series firewall on Microsoft Hyper-V, when
upgrading to PAN-OS 10.0.0 or later, ethernet packets might be dropped
after adding VLAN tags during egress from a subinterface. Workaround:
Create the Hyper-V Virtual Switch with MTU size 1504, store as persistent and
reboot for the changes to take effect. Before upgrading PAN-OS,
access the VM-Series firewall CLI and set the MTU size on firewall
interfaces to 1504. |
PAN-152433 | When you have an active/passive HA pair
of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured,
if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes
to non-functional state due to a NAT oversubscription mismatch between
the HA peers. The same non-functional state results if both HA peers
are running PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.0.0.
The upgraded or downgraded firewall goes to non-functional state
because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates. Workaround:
After an upgrade or downgrade, modify the NAT oversubscription rate
on one firewall so that the rates on the HA pair match. |
PAN-152263 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | The Azure auto scaling templates in the GitHub repository require
a Panorama virtual appliance with the Panorama plugin for Azure v2.0.0. The
Panorama hardware appliances do not support the Azure auto scaling
templates. |
PAN-151909 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | On the Panorama management server, Preview
Changes (Commit > Commit to Panorama) incorrectly displays
an existing route as Added and the new route as an existing route
in the Candidate Configuration when you configure a new virtual
router route (Network > Virtual Router). |
PAN-151238 | There is a known issue where M-100 appliances
are able to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after PAN-OS 9.1.
(Refer to the hardware end-of-life dates.) |
PAN-151231 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | On the Panorama management server, you are unable
to commit any configuration changes after you successfully downgrade
from PAN-OS 10.0 to PAN-OS 9.1 or earlier release due to custom
admin roles (Panorama > Admin Roles)
configured on Panorama. Workaround: Log in to the Panorama CLI and
load the running config. |
PAN-151198 | On the Panorama management server, read-only Panorama
administrators (PanoramaAdministrators)
can load managed firewall configuration Backups (Panorama > Managed Devices > Summary). |
PAN-151115 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | If a Security rule uses an IP Address External Dynamic
List (EDL) for IPv6 traffic, the information for the EDL does not
display in the Source EDL or Destination EDL columns in the logs. |
PAN-151085 | On a PA-7000 Series firewall chassis having multiple
slots, when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher count
than the actual number of active sessions on that peer. This behavior
can be seen when the session is being set up on a non-cache slot
(for example, when a session distribution policy is set to round-robin
or session-load); it is caused by the additional cache lookup that
happens when HA cluster participation is enabled. |
PAN-151049 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | Multi-plugin support for Panorama is not
enabled by default on Panorama 10.0.0. Workaround:
Enable multi-plugin support by accessing the Panorama CLI and executing
the commands `request feature enable yes feature-name dau3` and `debug software restart process configd`. |
PAN-150998 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | If you deploy a VM-Series firewall on VMware
NSX that has been assigned a serial number that was used by a previously
deactivated firewall, the new firewall might be deployed in a deactivated
or partially deactivated state. Workaround: You must
delete the firewall in NSX Manager. In Panorama, delete the firewall from
the Template Stack, Device Group, and Managed Devices lists and
Commit your changes. Then redeploy the firewall. |
PAN-150898 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | If you downgrade from PAN-OS 10.0 to PAN-OS 9.1,
a commit error occurs if the HA1 interface isn’t configured. Workaround: You
can either select the PAN-OS 9.1 configuration you were using before
you upgraded to PAN-OS 10.0 or, before you downgrade to PAN-OS 9.1,
you can use the CLI configuration command to configure the HA1 interface
(`set deviceconfig high-availability interface ha1`)
and commit. |
PAN-150872 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | Samples processed using WildFire inline
ML on the PA-220, PA-820, and PA-850 appliances do not support automatic
false-positive correction. |
PAN-150801 | Automatic quarantine of a device based on forwarding
profile or log setting does not work on the PA-7000 Series firewalls. |
PAN-150714 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | The Panorama management server continues
to forward syslogs to a syslog server over the management interface
when configured to forward syslogs over the Ethernet1/1 interface (Panorama > Setup > Interfaces). |
PAN-150515 This issue is
now resolved. See PAN-OS 10.0.0 Addressed Issues. | After you install the device certificate
on a new Panorama management server, Panorama is not able to connect
to the IoT Security edge service. Workaround: Restart
Panorama to connect to the IoT Security edge service. |
PAN-150345 | During updates to the Device Dictionary,
the IoT Security service does not push new Device-ID attributes (such
as new device profiles) to the firewall until a manual commit occurs. Workaround: Perform
a force commit to push the attributes in the content update to the firewall. |
PAN-150361 | In an Active-Passive high availability (HA) configuration,
an error displays if you create a device object on the passive device. Workaround: Load
the running configuration and perform a force commit to sync the devices. |
PAN-149913 | On the firewall CLI, the `show system info` command
displays the management IP address of the firewall as the Ethernet1/1
interface IP address. On the Panorama management server, the
IPv4 address (Panorama > Managed Devices > Summary) displays the Ethernet1/1
interface IP address. |
PAN-149687 This issue is
now resolved. See PAN-OS 10.0.0 Addressed Issues. | When you install an IoT Security eval license
on a firewall, the Device Object page in the firewall web interface
erroneously displays a message that a license is required for the
page to function although it actually functions properly. |
PAN-148971 | If you enter a search term for Events that
are related to IoT in the System logs and apply the filter, the page
displays an Invalid term error. Workaround: Specify `iot` as
the Type Attribute to filter the logs and
use the search term as the Description Attribute.
For example: `( subtype eq iot ) and ( description contains 'gRPC connection' )`. |
PAN-148924 | In an active-passive HA configuration, tags
for dynamic user groups are not persistent after rebooting the firewall
because the active firewall does not sync the tags to the passive
firewall during failover. |
PAN-148359 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | SD-WAN server-to-client symmetric return
does not function correctly under certain circumstances, and the
issue can also affect path selection of parent/child applications,
such as FTP. |
PAN-146995 | After downgrading a Panorama management
server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots. Workaround: Panorama
automatically restarts the VLD and logd processes. |
PAN-146807 | Changing the device group configured in
a monitoring definition from a child DG to a parent DG, or vice
versa, might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring definition.
Only firewalls assigned to the parent DG receive IP tag mapping
updates. Workaround: Perform a manual config sync on
the device group that lost the IP tag mapping information. |
PAN-146030 This issue is
now resolved. See PAN-OS 10.0.2 Addressed Issues. | Enhanced application logging is not supported
for firewalls connected to Cortex Data Lake through a proxy server. |
PAN-145460 | CN-MGMT pods fail to connect to the Panorama management
server when using the Kubernetes plugin. Workaround: Commit the
Panorama configuration after the CN-MGMT pod successfully registers
with Panorama. |
PAN-143132 | Fetching the device certificate from the
Palo Alto Networks Customer Support Portal (CSP) may fail and displays
the following error in the CLI: `ERROR Failed to process S1C msg: Error`. Workaround: Retry
fetching the device certificate from the Palo Alto Networks CSP. |
PAN-141630 | Current performance limitation: single data
plane use only. The PA-5200 Series and PA-7000 Series firewalls
that support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only, which
currently limits the firewall performance. |
PAN-140959 | The Panorama management server allows you
to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2
and earlier releases where ZTP functionality is not supported. |
PAN-140084 This issue is
now resolved. See PAN-OS 10.0.1 Addressed Issues. | There is an issue where the default Dynamic
IP and Port (DIPP) NAT oversubscription rate is set to 2. |
PAN-140008 | ElasticSearch is forced to restart when
the masterd process misses too many
heartbeat messages on the Panorama management server resulting in
a delay in a log query and ingestion. |
PAN-138537 | ElasticSearch does not form a cluster when
all of the following conditions are met for a Collector Group (Panorama > Collector Groups)
resulting in loss of logs:
Workaround: Add
the specified ciphers to the SSH Service profile and Commit
and Push the configuration change to the Collector Group.
If you still experience log loss due to the ElasticSearch cluster
not being formed, contact Palo Alto Networks Support to
restart the ElasticSearch service. |
PAN-136763 | On the Panorama management server, managed firewalls
display as disconnected when installing
a PAN-OS software update (Panorama > Device Deployment > Software)
but display as connected when you view
your managed firewalls Summary (Panorama > Managed Devices > Summary)
and from the CLI. Workaround: Log out and log back
in to the Panorama web interface. |
PAN-136701 | (PA-7000b Series firewalls only)
Packets for new sessions drop when handling predict sessions. Workaround: Use
the following CLI commands to bypass this issue:
|
PAN-135742 | There is an issue in HTTP2 session decryption where
the App-ID in the decryption log is the App-ID of the parent session
(which is web-browsing). |
PAN-134053 | ACC does not filter WildFire logs from Dynamic User
Groups. |
PAN-132598 | The Panorama management server does not
check for duplicate addresses in address groups (Objects > Address Groups)
and duplicate services in service groups (Objects > Service Groups) when created
from the CLI. |
PAN-130550 | (PA-3200 Series, PA-5220, PA-5250, PA-5260, and
PA-7000 Series firewalls) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation. Workaround: Use
source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic. |
PAN-127206 | If you use the CLI to enable the cleartext
option for the Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become unresponsive
or time out. |
PAN-123805 | On the managed firewall web interface, the
Secure Communication Settings (Device > Setup > Management) configuration
does display a green cog widget to indicate that the configuration
was pushed from the Panorama management server. |
PAN-123277 | Dynamic tags from other sources are accessible using
the CLI but do not display on the Panorama web interface. |
PAN-121678 | (PA-7000b Series only) The following error
during secure boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.
[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)
Maintenance Mode filesystem size: 2.0G |
PAN-120440 | There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having Private
PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2. |
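The notes give a single sample of the address form that works for PAN-120440. As an added helper (not Palo Alto Networks code), the function below rewrites any valid IPv6 address into that form; the rule it applies (all eight groups written out, no `::` compression, no leading zeros, uppercase hex) is inferred from that one sample and is an assumption, so confirm it against your own appliance.

```python
"""Render an IPv6 address in the form the PAN-120440 entry shows as working
for Private PAN-DB-URL connectivity on an M-500 (2001:DB9:85A3:0:0:8A2E:370:2).

Assumption (inferred from that single sample): eight explicit groups, no '::'
compression, no leading zeros, uppercase hex digits.
"""
import ipaddress


def to_pan_db_url_ipv6(text):
    """Return the uncompressed, zero-trimmed, uppercase form of an IPv6 address.

    Accepts any textual IPv6 form (compressed, exploded, mixed case) and raises
    ValueError for anything that is not a plain IPv6 address (a %scope suffix
    is also rejected with ValueError).
    """
    addr = ipaddress.IPv6Address(text)  # validates and parses the input
    # .exploded yields eight zero-padded 4-digit groups, e.g. 0000 and 8a2e;
    # converting each through an int drops the padding, "X" upper-cases it.
    groups = addr.exploded.split(":")
    return ":".join(format(int(g, 16), "X") for g in groups)


def is_pan_db_url_ipv6_form(text):
    """True when text is already written in the accepted form."""
    try:
        return to_pan_db_url_ipv6(text) == text
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the compressed and the fully padded spelling of the
    # address from the known-issue entry.
    for sample in ("2001:db9:85a3::8a2e:370:2",
                   "2001:0DB9:85A3:0000:0000:8A2E:0370:0002"):
        print(sample, "->", to_pan_db_url_ipv6(sample))
```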
PAN-120423 | PAN-OS 10.0.0 does not support the XML API
for GlobalProtect logs. |
PAN-120303 | There is an issue where the firewall remains connected
to the PAN-DB-URL server through the old management IP address on
the M-500 Panorama management server, even when you configured the Eth1/1
interface. Workaround: Update the PAN-DB-URL IP address
on the firewall using one of the methods below.
|
PAN-116017 | (Google Cloud Platform (GCP) only)
The firewall does not accept the DNS value from the initial configuration
(init-cfg) file when you bootstrap the firewall. Workaround: Add
DNS value as part of the bootstrap.xml in the bootstrap folder and
complete the bootstrap process. |
PAN-115816 | (Microsoft Azure only) There is
an intermittent issue where an Ethernet (eth1) interface does not
come up when you first boot up the firewall. Workaround: Reboot
the firewall. |
PAN-114495 | Alibaba Cloud runs on a KVM hypervisor and supports
two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series
firewall running PAN-OS 9.0 in DPDK packet mode and you then switch
to MMAP packet mode, the VM-Series firewall duplicates packets that originate
from or terminate on the firewall. As an example, if a load balancer
or a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates
the ping packets. Throughput traffic is not duplicated if
you deploy the VM-Series firewall using MMAP packet mode. |
PAN-112694 | (Firewalls with multiple virtual systems only)
If you configure dynamic DNS (DDNS) on a new interface (associated
with vsys1 or another virtual system) and you then create a New Certificate
Profile from the drop-down, you must set the location for the Certificate Profile
to Shared. If you configure DDNS on an existing interface and then
create a new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system. Alternatively,
you can select a preexisting certificate profile instead of creating
a new one. |
PAN-112456 | You can temporarily submit a change request
for a URL Category with three suggested categories; however, only
two categories are supported. Do not add more than two suggested
categories to a change request until we address this issue. If you
submit more than two suggested categories, only the first two categories
in the change request are evaluated. |
PAN-112135 | You cannot unregister tags for a subnet
or range in a dynamic address group from the web interface. Workaround: Use
an XML API request to unregister the tags for the subnet or range. |
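The workaround for PAN-112135 names the XML API but not the request. As an added example (not the project's own code), the script below builds the User-ID `uid-message` that the XML API's `type=user-id` endpoint accepts and posts it over HTTPS with certificate verification left on. The host name, API key, tag name and the CIDR written in the entry's `ip` attribute are placeholders; that the `ip` attribute carries a subnet or range in the same spelling a dynamic address group uses is an assumption.

```python
"""Unregister a tag from a subnet or IP range through the PAN-OS XML API.

Added example, not release-notes code. HOST and API_KEY are placeholders;
the ip attribute format for subnets/ranges is an assumption.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders: the firewall's management address and an API key for an
# administrator role that is allowed to use the User-ID API.
HOST = "firewall.example.invalid"
API_KEY = "REPLACE_WITH_API_KEY"


def build_unregister_message(entries):
    """Build a uid-message that unregisters tags from IP entries.

    entries: iterable of (ip_spec, [tag, ...]); ip_spec is the address,
    subnet or range exactly as it was registered. Returns the XML as text.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    unregister = ET.SubElement(payload, "unregister")
    for ip_spec, tags in entries:
        entry = ET.SubElement(unregister, "entry", ip=ip_spec)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_api_status(response_body):
    """Return the status attribute ("success"/"error") of the API <response>."""
    return ET.fromstring(response_body).get("status")


def send_user_id_update(host, api_key, message, timeout=10):
    """POST the uid-message to https://<host>/api/ and return the status."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": message}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    ctx = ssl.create_default_context()  # keeps certificate verification on
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_api_status(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample: drop the (placeholder) tag "quarantine" from a /24.
    msg = build_unregister_message([("10.1.0.0/24", ["quarantine"])])
    print(msg)
    # print(send_user_id_update(HOST, API_KEY, msg))  # needs a real host/key
```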
PAN-111928 | Invalid configuration errors are not displayed
as expected when you revert a Panorama management server configuration. Workaround: After
you revert the Panorama configuration, Commit (Commit > Commit to Panorama)
the reverted configuration to display the invalid configuration errors. |
PAN-111866 | The push scope selection on the Panorama
web interface displays incorrectly even though the commit scope
displays as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates that
affect multiple firewalls and a different administrator attempts
to push those changes. Workaround: Perform one of the following
tasks.
|
PAN-111729 | If you disable DPDK mode and enable it again,
you must immediately reboot the firewall. |
PAN-111670 | Tagged VLAN traffic fails when sent through
an SR-IOV adapter. |
PAN-110794 | DGA-based threats shown in the firewall
threat log display the same name for all such instances. |
PAN-109759 | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match. |
PAN-109526 | The system log does not correctly display
the URL for CRL files; instead, the URLs are displayed with encoded
characters. |
PAN-104780 | If you configure a HIP object to match only
when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints
that are managed by AirWatch are unable to successfully match the
HIP object and the HIP report incorrectly indicates that these endpoints
are not managed. This issue occurs because GlobalProtect gateways
cannot correctly identify the managed status of these endpoints. Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints; these
serial numbers do not appear in the HIP report. |
PAN-103276 | Adding a disk to a virtual appliance running Panorama
8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama
virtual appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-101688 | (Panorama plugins) The IP address-to-tag
mapping information registered on a firewall or virtual system is
not deleted when you remove the firewall or virtual system from
a Device Group. Workaround: Log in to the CLI on the firewall
and enter the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all. |
PAN-101537 | After you configure and push address and
address group objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and address group objects
pushed from the Shared device group. Workaround: Set the target vsys
and specify it in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name> |
PAN-98520 | When booting or rebooting a PA-7000 Series Firewall
with the SMC-B installed, the BIOS console output displays attempts
to connect to the card's controller in the System Memory Speed section.
The messages can be ignored. |
PAN-97757 | GlobalProtect authentication fails with
an Invalid username/password error
(because the user is not found in Allow List) after
you enable GlobalProtect authentication cookies and add a RADIUS
group to the Allow List of the authentication
profile used to authenticate to GlobalProtect. Workaround: Disable
GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve
user group from RADIUS in the authentication profile
and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97524 | (Panorama management server only) The
Security Zone and Virtual System columns (Network tab)
display None after a Device Group and
Template administrator with read-only privileges performs a context
switch. |
PAN-96446 | A firewall that is not included in a Collector
Group fails to generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in Management Only
mode. |
PAN-95773 | On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command
displays an inaccurate throughput and packet rate. Workaround: Disable
DPDK by running the set system setting dpdk-pkt-io off CLI
command. |
PAN-95511 | The name for an address object, address
group, or an external dynamic list must be unique. Duplicate names for
these objects can result in unexpected behavior when you reference
the object in a policy rule. |
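PAN-95511 says duplicate names cause unexpected rule behaviour but gives no way to find them before a commit. As an added example (not code from Palo Alto Networks), the following Python walks an exported firewall configuration and reports every address, address-group or external-list name that appears more than once, across object types and across the Shared and vsys scopes. The embedded configuration is constructed for the example; the container element names (`address`, `address-group`, `external-list`) and their location under `shared` and `devices/entry/vsys/entry` are this example's assumptions about the export layout, so adjust the XPaths if your export differs (a Panorama export keeps device-group objects under a different parent).

```python
"""Report duplicate address / address-group / external-list names in a
PAN-OS XML configuration export (check for PAN-95511).

Added example, not part of the PAN-OS documentation. Sample config is constructed.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Object containers whose entries share one name space in policy references.
OBJECT_CONTAINERS = ("address", "address-group", "external-list")

# Constructed sample export: "web-srv" is both an address and an address
# group in vsys1; "dns-servers" exists in Shared and again in vsys1.
SAMPLE_CONFIG = """\
<config>
  <shared>
    <address>
      <entry name="dns-servers"><ip-netmask>10.0.53.0/24</ip-netmask></entry>
    </address>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
            <entry name="dns-servers"><ip-netmask>10.1.53.5/32</ip-netmask></entry>
          </address>
          <address-group>
            <entry name="web-srv"><static><member>web-srv</member></static></entry>
          </address-group>
          <external-list>
            <entry name="edl-block">
              <type><ip><url>https://example.invalid/block.txt</url></ip></type>
            </entry>
          </external-list>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def find_duplicate_names(config_xml):
    """Map each name used more than once to the (scope, container) pairs that use it.

    Scope is "shared" or the vsys name; container is the object type.
    """
    root = ET.fromstring(config_xml)
    seen = defaultdict(list)
    for container in OBJECT_CONTAINERS:
        for entry in root.findall(f"./shared/{container}/entry"):
            seen[entry.get("name")].append(("shared", container))
    for vsys in root.findall("./devices/entry/vsys/entry"):
        scope = vsys.get("name")
        for container in OBJECT_CONTAINERS:
            for entry in vsys.findall(f"./{container}/entry"):
                seen[entry.get("name")].append((scope, container))
    return {name: places for name, places in seen.items() if len(places) > 1}


def report(config_xml):
    """Print one line per duplicate and return the mapping for further use."""
    dups = find_duplicate_names(config_xml)
    for name, places in sorted(dups.items()):
        where = ", ".join(f"{scope}/{kind}" for scope, kind in places)
        print(f"DUPLICATE {name!r}: {where}")
    return dups


if __name__ == "__main__":
    # Usage: python check_dup_names.py [exported-config.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    sys.exit(1 if report(text) else 0)
```

Run it against a fresh `export configuration` before each policy change that introduces new objects; a non-zero exit makes it usable as a pre-commit gate in a configuration pipeline. The script reports every collision it finds, including Shared-versus-vsys shadowing, whether or not the commit validator on your release would reject it.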
PAN-95028 | For administrator accounts that you created
in PAN-OS 8.0.8 and earlier releases, the firewall does not apply
password profile settings (DevicePassword Profiles) until after
you upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts that you
create in PAN-OS 8.0.9 or a later release do not require you to
change the passwords to apply password profile settings.) |
PAN-94846 | When DPDK is enabled on the VM-Series firewall with
i40e virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up, regardless
of changes to the physical link state. |
PAN-94093 | HTTP Header Insertion does not work when
jumbo frames are received out of order. |
PAN-93968 | The firewall and Panorama web interfaces
display vulnerability threat IDs that are not available in PAN-OS 9.0
releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether
a particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content update
or check the Palo Alto Networks Threat Vault to see the
minimum PAN-OS release version for a threat signature. |
PAN-93607 | When you configure a VM-500
firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection)
and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn't list the SCTP Protection profile
in its drop-down list of available profiles. Workaround: Create
a new Security Profile Group and select the SCTP Protection profile
from there. |
PAN-93532 | When you configure a firewall
running PAN-OS 9.0 as an nCipher HSM client, the web interface on
the firewall displays the nCipher server status as Not Authenticated,
even though the HSM state is up (Device > Setup > HSM). |
PAN-93193 | The memory-optimized VM-50
Lite intermittently performs slowly and stops processing traffic
when memory utilization is critically high. To prevent this issue, make
sure that you do not:
Workaround: When
the firewall performs slowly, or you see a critical System log for memory
utilization, wait for 5 minutes and then manually reboot the firewall. Use
the Task Manager to verify that you are not performing memory intensive
tasks such as installing dynamic updates, committing changes or
generating reports, at the same time, on the firewall. |
PAN-91802 | On a VM-Series firewall, the clear session
all CLI command does not clear GTP sessions. |
PAN-83610 | In rare cases, a PA-5200 Series firewall
(with an FE100 network processor) that has session offload enabled
(default) incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In
PAN-OS 8.0.6 and later releases, you can persistently disable session
offload for only UDP traffic using the set session udp-offload no CLI
command. |
PAN-83236 | The VM-Series firewall on Google
Cloud Platform does not publish firewall metrics to Google Stack Monitoring
when you manually configure a DNS server IP address (Device > Setup > Services). Workaround: The
VM-Series firewall on Google Cloud Platform must use the DNS server
that Google provides. |
PAN-83215 | SSL decryption based on ECDSA
certificates does not work when you import the ECDSA private keys
onto an nCipher nShield hardware security module (HSM). |
PAN-81521 | Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address in the
Kerberos server profile (Device > Server Profiles > Kerberos). Workaround: Replace
the FQDN with the IP address in the Kerberos server profile. |
PAN-77125 | PA-7000 Series, PA-5200 Series,
and PA-3200 Series firewalls configured in tap mode don't close offloaded
sessions after processing the associated traffic; the sessions remain
open until they time out. Workaround: Configure the
firewalls in virtual wire mode instead of tap mode, or disable session
offloading by running the set session offload no CLI
command. |
PAN-75457 | In WildFire appliance clusters that have
three or more nodes, the Panorama management server does not support
changing node roles. In a three-node cluster, for example, you cannot
use Panorama to configure the worker node as a controller node by
adding the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA configuration,
and then commit and push the configuration. Attempts to change cluster
node roles from Panorama result in a validation error: the commit
fails and the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet
capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes report
their state as out-of-sync if either of the following conditions
exist:
Workaround: There are three possible workarounds
to sync the controller nodes:
|
PAN-70906 | If the PAN-OS web interface and the GlobalProtect portal
are enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface. Workaround: Use
the IP address to access the PAN-OS web interface and an FQDN to
access the GlobalProtect portal. |
PAN-69505 | When viewing an external dynamic list that requires
client authentication and you Test Source URL,
the firewall fails to indicate whether it can reach the external
dynamic list server and returns a URL access error (Objects > External Dynamic Lists). |
PAN-41558 | When you use a firewall loopback interface
as a GlobalProtect gateway interface, traffic is not routed correctly
for third-party IPSec clients, such as strongSwan. Workaround: Use
a physical firewall interface instead of a loopback firewall interface
as the GlobalProtect gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is used as
the GlobalProtect gateway to be in the same zone as the physical
ingress interface for third-party IPSec traffic. |
PAN-40079 | The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality. |
PAN-39636 | Regardless of the Time Frame you
specify for a scheduled custom report on a Panorama M-Series appliance,
the earliest possible start date for the report data is effectively
the date when you configured the report (Monitor > Manage Custom Reports). For
example, if you configure the report on the 15th of the month and
set the Time Frame to Last 30
Days, the report that Panorama generates on the 16th
will include only data from the 15th onward. This issue applies
only to scheduled reports; on-demand reports include all data within
the specified Time Frame. Workaround: To
generate an on-demand report, click Run Now when
you configure the custom report. |
PAN-38255 | When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command. |
PAN-31832 | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|
PAN-118887 This issue is
now resolved. See PAN-OS 10.0.2 Addressed Issues. | The new pattern-matching engine in PAN-OS
10.0 does not support the regular expression (regex) escape \C.
If you use this escape in a pattern that is only compatible
with the new engine, you see a warning when you try to save the
signature.
Example of an invalid signature: ab\Cde
Explanation: Only the new engine allows you to create signatures with fewer than
seven literal characters, and the new engine does not support \C.
Example of a valid signature: ab\Cdefgh
Explanation: This signature has seven literal characters, so it is compatible with the former pattern-matching engine,
which matches \C to any literal character. |
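The two rules in PAN-118887 (the new engine rejects `\C`; only the new engine accepts patterns with fewer than seven literal characters) combine into a single check you can run over custom-signature patterns before saving them. As an added example, not from the PAN-OS documentation, the following Python implements that check. The literal-counting rule is this example's assumption: escape sequences that name a class (`\C`, `\d`, `\w`) and unescaped regex metacharacters are not counted, while escaped punctuation such as `\.` is counted as one literal. The seven-character threshold comes from the issue text.

```python
"""Pre-save check for PAN-OS custom-signature regex patterns (PAN-118887).

Added example, not Palo Alto Networks code. The literal-counting rule is an
assumption made for the example; the threshold of seven is from the issue.
"""

UNSUPPORTED_ESCAPE = r"\C"          # rejected by the PAN-OS 10.0 engine
MIN_LITERALS_FOR_LEGACY = 7         # fewer than this forces the new engine
METACHARS = set(".*+?[](){}|^$")    # unescaped, these are not literals


def count_literals(pattern):
    """Count fixed literal characters in a pattern (assumption, see docstring).

    An escaped letter or digit (\\C, \\d, \\w, \\1) is a class or reference,
    not a literal; escaped punctuation (\\., \\/) is one literal character.
    Unescaped metacharacters are skipped.
    """
    literals = 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            if not pattern[i + 1].isalnum():
                literals += 1
            i += 2
            continue
        if ch not in METACHARS:
            literals += 1
        i += 1
    return literals


def check_signature(pattern):
    """Return (ok, reason) for a pattern under the PAN-118887 rules.

    A pattern is rejected only when it uses \\C *and* has fewer than seven
    literal characters: such a pattern can run only on the new engine, which
    does not support \\C. Seven or more literals keep it legacy-compatible.
    """
    literals = count_literals(pattern)
    uses_c = UNSUPPORTED_ESCAPE in pattern
    legacy_ok = literals >= MIN_LITERALS_FOR_LEGACY
    if uses_c and not legacy_ok:
        return (False, f"uses \\C with only {literals} literal character(s); "
                       f"needs {MIN_LITERALS_FOR_LEGACY} for the legacy engine")
    if uses_c:
        return (True, f"uses \\C but has {literals} literals; legacy engine handles it")
    return (True, f"{literals} literal(s), no \\C; accepted by the new engine")


if __name__ == "__main__":
    # The two examples from the issue plus a few constructed edge cases.
    for p in (r"ab\Cde", r"ab\Cdefgh", r"abc", r"ab\.c\Cd", r"ab\.cd\Cef\/"):
        ok, why = check_signature(p)
        print(f"{'OK  ' if ok else 'FAIL'} {p!r}: {why}")
```

Run it as a lint step over the patterns in your custom vulnerability or spyware signatures before loading them on a PAN-OS 10.0.0 or 10.0.1 firewall; on 10.0.2 and later the engine-side fix makes the `\C` warning go away, but the literal-count rule still decides which engine evaluates a pattern.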