PAN-OS 10.2.9 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 10.1
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
-
PAN-OS 10.2
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
-
- Content Inspection Features
- URL Filtering Features
- Panorama Features
- Networking Features
- GlobalProtect Features
- Management Features
- Decryption Features
- App-ID Features
- IoT Security Features
- Mobile Infrastructure Security Features
- Authentication Features
- Virtualization Features
- Hardware Features
- Enterprise Data Loss Prevention Features
-
- PAN-OS 10.2.10 Known Issues
- PAN-OS 10.2.10-h10 Addressed Issues
- PAN-OS 10.2.10-h9 Addressed Issues
- PAN-OS 10.2.10-h7 Addressed Issues
- PAN-OS 10.2.10-h5 Addressed Issues
- PAN-OS 10.2.10-h4 Addressed Issues
- PAN-OS 10.2.10-h3 Addressed Issues
- PAN-OS 10.2.10-h2 Addressed Issues
- PAN-OS 10.2.10 Addressed Issues
-
- PAN-OS 10.2.7 Known Issues
- PAN-OS 10.2.7-h19 Addressed Issues
- PAN-OS 10.2.7-h18 Addressed Issues
- PAN-OS 10.2.7-h16 Addressed Issues
- PAN-OS 10.2.7-h12 Addressed Issues
- PAN-OS 10.2.7-h8 Addressed Issues
- PAN-OS 10.2.7-h6 Addressed Issues
- PAN-OS 10.2.7-h3 Addressed Issues
- PAN-OS 10.2.7-h1 Addressed Issues
- PAN-OS 10.2.7 Addressed Issues
PAN-OS 10.2.9 Known Issues
PAN-OS® 10.2.9 known issues.
The following list includes only outstanding known issues
specific to PAN-OS® 10.2.9. This list includes issues
specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not
identified by an issue ID.
Issue ID | Description |
---|---|
WF500-5854 | The WildFire analysis report on the firewall
log viewer (MonitoringWildFire Submissions)
does not display the following data fields: File Type, SHA-256,
MD-5, and File Size". Workaround: Download and open
the WildFire analysis report in the PDF format using the link in
the upper right-hand corner of the Detailed Log View. |
WF500-5843 | In a WildFire appliance cluster, issuing
the show cluster-all peers CLI command when
a node within the cluster is being rebooted generates the following
error: Server error : An error occured. |
WF500-5840 | The sample analysis statistics that are
returned when issuing the show wildfire local statistics CLI
command in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed. |
WF500-5823 | The following WildFire appliance CLI command
does not return a signature generation status as expected: show wildfire global signature-status.
This does not corrupt or otherwise prevent the WildFire appliance
from analyzing a sample. |
WF500-5781 | The WildFire appliance might erroneously
generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed. |
WF500-5754 | In WildFire appliance clusters, issuing
the show cluster controller CLI command generates
an error when an IPv6 address is configured for the management interface
but not for the cluster interface. Workaround: Ensure
all WildFire appliance interfaces that are enabled use matching
protocols (all IPv4 or all IPv6). |
WF500-5632 | The number of registered WildFire appliances
reported in Panorama (PanoramaManaged WildFire AppliancesFirewalls ConnectedView) does not accurately reflect the
current status of connected WildFire appliances. |
PAN-262287
This issue is now resolved. See PAN-OS 10.2.9-h14 Addressed Issues.
|
Dereferencing a NULL pointer that occurs might cause
pan_task processes to crash.
|
PAN-263226 (PAN-OS 10.2.9-h9 only) |
When SSL decryption is enabled and Client Hello messages span
multiple TCP segments, elements from the proxy_l2info memory pool
may not be freed properly. Memory leaks in this pool cause some SSL
decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the
debug dataplane set ssl-decrypt
accumulate-client-hello disable yes CLI command.
|
PAN-260851
|
From the NGFW or Panorama CLI, you can override the existing
application tag even if Disable Override is enabled for the
application (ObjectsApplications) tag.
|
PAN-259769 |
GlobalProtect portal is not accessible via a web browser and the app
displays the error
ERR_EMPTY_RESPONSE.
|
PAN-251895
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
|
When Inline Cloud Analysis features are enabled, the firewall
experiences a slow packet buffer leak, resulting in poor performance
and dropped traffic.
Workaround: Disable WildFire Inline Cloud Analysis and
Advanced Threat Prevention Inline Cloud Analysis on the
firewall.
|
PAN-251639
This issue is now resolved. See. PAN-OS 10.2.9-h9 Addressed Issues.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
|
An out of memory condition might occur due to a memory leak in the
varrcvr process when a Wildfire Analysis security
profile is enabled.
|
PAN-234015
|
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
|
PAN-223365
|
The Panorama management server is unable to query any logs if the
ElasticSearch health status for any Log Collector (PanoramaManaged Collector is degraded.
Workaround:
Log in to the Log Collector
CLI and restart ElasticSearch.
|
PAN-229865
|
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when
the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
|
PAN-226361
This issue is now resolved. See PAN-OS 10.2.9-h14 Addressed Issues.
|
Sessions might end unexpectedly with the error
resources-unavailable when the
firewall incorrectly interprets the Content and Threat Detection
(CTD) global packet queue as being full.
|
PAN-223677
|
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and
PA-5430 firewalls) By enabling Lockless QoS feature, a
slight degradation in App-ID and Threat performance is expected.
|
PAN-222586
|
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown
menus, Forward Methods, and Built-In Actions for Correlation Log
settings (DeviceLog Settings) are not displayed and cannot be configured.
|
PAN-221775
|
A Malformed Request error is displayed
when you Test Connection for an email server
profile (DeviceServer ProfilesEmail) using SMTP over TLS and the
Password includes an ampersand
(&).
|
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.
|
The following Security policy rule (PoliciesSecurity) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
|
PAN-213746 | On the Panorama management server, the Hostkey displayed
as undefined undefined if you override
an SSH Service Profile (DeviceCertificate ManagementSSH Service
Profile) Hostkey configured in a Template
from the Template Stack. |
PAN-213119
|
PA-5410 and PA-5420 firewalls display the following error when you
view the Block IP list (MonitorBlock IP):
show -> dis-block-table is
unexpected
|
PAN-212889 | On the Panorama management server, different
threat names are used when querying the same threat in the Threat Monitor (MonitorApp ScopeThreat Monitor) and ACC.
This results in the ACC displaying no data to display when you
are redirected to the ACC after clicking a threat name in the Threat
Monitor and filtering the same threat name in the Global Filters. |
PAN-212533 | Modifying the Administrator Type for
an existing administrator (DeviceAdministrators or PanoramaAdministrators) from Superuser to
a Role-Based custom admin, or vice versa,
does not modify the access privileges of the administrator. |
PAN-211531 | On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (PanoramaAdmin Roles). |
PAN-209288
|
Certificates are not successfully generated using SCEP (DeviceCertificate ManagementSCEP).
|
PAN-208622 | A file upload to Box.com exceeding 6 files
gets stuck and fails to upload if you specify an Enterprise DLP
data filtering profile (ObjectsDLPData Filtering Profiles with
the Action set to Block to a Security
policy rule (PoliciesSecurity). |
PAN-204689 | Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
|
PAN-196758 | On the Panorama management server, pushing
a configuration change to firewalls leveraging SD-WAN erroneously
show the auto-provisioned BGP configurations for SD-WAN as being
edited or deleted despite no edits or deletions being made when
you Preview Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections). |
PAN-196504 | License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3). |
PAN-194996 | When using a 10.2.2 Panorama to manage a
Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth
for a remote network deployment fails (the OK button is grayed out). Workaround:
Retry the operation. |
PAN-194519 | (PA-5450 firewall only) Trying
to configure a custom payload format under DeviceServer ProfilesHTTP yields
a Javascript error. |
PAN-194515 | (PA-5450 firewall only) The Panorama
web interface does not display any predefined template stack variables
in the dropdown menu under DeviceSetupLog InterfaceIP Address. Workaround: Configure
the log interface IP address on the individual firewall web interface
instead of on Panorama. |
PAN-194424 | (PA-5450 firewall only) Upgrading
to PAN-OS 10.2.2 while having a log interface configured can cause
both the log interface and the management interface to remain connected
to the log collector. Workaround: Restart the log receiver service
by running the following CLI command:
|
PAN-194202 | (PA-5450 firewall only) If the
management interface and logging interface are configured on the
same subnetwork, the firewall conducts log forwarding using the management
interface instead of the logging interface. |
PAN-190727 | (PA-5450 firewall only) Documentation
for configuring the log interface is unavailable on the web interface and
in the PAN-OS Administrator’s Guide. |
PAN-189111 | After deleting an MP pod and it comes up,
the show routing command output appears
empty and traffic stops working. |
PAN-189076 | On a firewall with Advanced Routing enabled,
OSPFv3 peers using a broadcast link and a designated router (DR) priority
of 0 (zero) are stuck in a two-way state after HA failover. Workaround: Configure
at least one OSPFv3 neighbor with a non-zero priority setting in
the same broadcast domain. |
PAN-188358 | After triggering a soft reboot on a M-700
appliance, the Management port LEDs do not light up when a 10G Ethernet cable
is plugged in. |
PAN-187685 | On the Panorama management server, the Template Status
displays no synchronization status (PanoramaManaged DevicesSummary)
after a bootstrapped firewall is successfully added to Panorama. Workaround: After
the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and
select CommitPush
to Devices. |
PAN-187643 | If you enable SCTP security using a Panorama
template when SCTP INIT Flood Protection is enabled
in the Zone Protection profile using Panorama and you commit all
changes, the commit is successful but the SCTP INIT option
is not available in the Zone Protection profile. Workaround: Log
out of the firewall and log in again to make the SCIT
INIT option available on the web interface. |
PAN-187612 | On the Panorama management server, not all
data profiles (ObjectsDLP
Data Filtering Profiles) are displayed
after you:
Workaround: Log
in to the Panorama CLI and reset the DLP plugin. admin > request plugins dlp reset |
PAN-187407 | The configured Advanced Threat Prevention
inline cloud analysis action for a given model might not be honored
under the following condition: If the firewall is set to Hold
client request for category lookup and the action set
to Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be bypassed. |
PAN-187370 | On a firewall with Advanced Routing enabled,
if there is also a logical router instance that uses the default
configuration and has no interfaces assigned to it, this will result
in terminating the management daemon and main routing daemon in
the firewall during commit. Workaround: Do not use
a logical router instance with no interfaces bound to it. |
PAN-186283 | Templates appear out-of-sync on Panorama
after successfully deploying the CFT stack using the Panorama plugin for
AWS. Workaround: Use CommitPush to Devices to synchronize
the templates. |
PAN-186282 | On HA deployments on AWS and Azure, Panorama
fails to populate match criteria automatically when adding dynamic address
groups. Workaround: Reboot the Panorama HA pair. |
PAN-184406 | Using the CLI to add a RAID disk pair to
an M-700 appliance causes the dmdb process to crash. Workaround: Contact
customer support to stop the dmdb process before adding a RAID disk
pair to a M-700 appliance. |
PAN-183404 | Static IP addresses are not recognized when
"and" operators are used with IP CIDR range. |
PAN-181933 | If you use multiple log forwarding cards
(LFCs) on the PA-7000 series, all of the cards may not receive all
of the updates and the mappings for the clients may become out of sync,
which causes the firewall to not correctly populate the Source User
column in the session logs. |
PAN-181823 | On a PA-5400 Series firewall (minus the
PA-5450), setting the peer port to forced 10M or 100M speed causes
any multi-gigabit RJ-45 ports on the firewall to go down if they
are set to Auto. |
PAN-180661 | On the Panorama management server, pushing
an unsupported Minimum Password Complexity (DeviceSetupManagement)
to a managed firewall erroneously displays commit time out as
the reason the commit failed. |
PAN-180104 | When upgrading a CN-Series
as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect
to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series
as a DaemonSet deployment running PAN-OS 10.0 or 10.1. Workaround:
Reboot the worker nodes before upgrading to PAN-OS 10.2. |
PAN-178194 | A user interface issue in PAN-OS renders
the contents of the Inline ML tab in the URL
Filtering Profile inaccessible on firewalls licensed
for Advanced URL Filtering. Additionally, a message indicating that
a License required for URL filtering to function is
unavailable displays at the bottom of the UI. These errors do not
affect the operation of Advanced URL Filtering or URL Filtering
Inline ML. Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following configuration
commands are available:
|
PAN-177455 | PAN-OS 10.2.0 is not supported on PA-7000
Series firewalls with HA (High Availability) clustering enabled
and using an HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline. As a
result, the firewall fails to boot normally and enters maintenance
mode. HA Pairs of Active-Passive and Active-Active firewalls are
not affected. |
PAN-175915 | When the firewall is deployed on N3 and
N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is
enabled in the Mobile Network Protection Profile, the traffic logs
do not display network slice SST and SD values. |
PAN-174982 | In HA active/active configurations where,
when interfaces that were associated with a virtual router were
deleted, the configuration change did not sync. |
PAN-172274 | When you activate the advanced URL filtering
license, your license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to the
services. Workaround: Issue the following command to
retrieve and update the licenses: license request fetch. |
PAN-171938 | No results are displayed when you Show Application
Filter for a Security policy rule (PoliciesSecurityApplicationValueShow Application Filter). |
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
|
On the Panorama management server, pushes to managed firewalls (CommitPush to Devices or Commit and Push) may fail
when an EDL (ObjectsExternal Dynamic Lists) is configured to Check for
updates every 5 minutes due to the commit and EDL
fetch processes overlapping. This is more likely to occur when
multiple EDLs are configured to check for updates every 5
minutes.
|