Changes to Default Behavior in PAN-OS 11.0
Focus
Focus

Changes to Default Behavior in PAN-OS 11.0

Table of Contents
End-of-Life (EoL)

Changes to Default Behavior in PAN-OS 11.0

What default behavior changes impact PAN-OS 11.0?
The following table details the changes in default behavior upon upgrade to PAN-OSĀ® 11.0. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
FeatureChange
Minimum System Memory Requirement for the Panorama Virtual Appliance
Palo Alto Networks has increased the recommended Panorama virtual appliance memory requirement to a minimum of 64GB, up from 32GB. This impacts Panorama virtual appliances in Panorama and Log Collector mode to avoid any logging, management, and operational performance issues related to an under-provisioned Panorama virtual appliance.
For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying the virtual machine with a minimum of 64GB. For existing Panroama virtual appliance deployments, See Increase the CPUs and Memory of the Panorama Virtual Appliance to increase the memory for an existing Panorama virtual appliance after successful upgrade to PAN-OS 11.0.
Custom Syslog Format
The maximum characters supported for a custom syslog format (DeviceServer ProfilesSyslog and PanoramaServer ProfilesSyslog) is increased to 4,096 characters.
Panorama Memory Management
Rather than automatically restarting the Panorama management server, a critical system log (MonitorLogsSystem) is now generated to alert that a Panorama reboot (PanoramaSetupOperations) is required when the configd process responsible for configuration management and Panorama operations encounters memory issues
Test SCP Server Connection
To test the SCP server connection when you schedule a configuration export (PanoramaSchedule Config Export) or log export (DeviceScheduled Log Export), a new pop-up window is displayed requiring you to enter the SCP server clear textPassword and Confirm Password to test the SCP server connection and enable the secure transfer of data.
You must also enter the clear text SCP server Password and Confirm Password when you test the SCP server connection from the firewall or Panorama CLI.
admin>test scp-server-connection initiate <ip> username <username> password <clear-text-password>
Panorama Management of Multi-Vsys Firewalls
Upgrade to PAN-OS 11.0 using Skip Software Version Upgrade only
For multi-vsys firewalls managed by a Panorama managed server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls.
As a result, you must delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use.
The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall.
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom objects
  • Decryption profiles
  • SD-WAN Link Management Profiles
Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama.
This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.