Limitations in PAN-OS 11.0
End-of-Life (EoL)
What are the limitations related to PAN-OS 11.0 releases?
The following are limitations associated with PAN-OS 11.0.
Issue ID | Description |
---|---|
— | The following limitations apply for on-premises Explicit Proxy: |
— | In Advanced Routing mode, BGP peer groups and peers allow IPv6 NLRI to be transported over an IPv6 MP-BGP peer and allow IPv6 NLRI to be transported over an IPv4 MP-BGP peer. If you want to use IPv4 multicast, you are limited to only IPv4 with that peer. The firewall does not support SAFI IPv6 multicast at all. |
PLUG-10942 | For CN-Series deployments using the Advanced Routing Engine with the Kubernetes 3.0.0 plugin, you must configure Advanced Routing manually on the template stack: |
PAN-265738 | NAT is not configurable when HA clusters are configured. HA clusters do not support NAT. |
PAN-247465 | (PA-7080 only) The firewall does not support Aquantia 10G SFP transceivers. |
PAN-246825 | ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB). |
PAN-218067 | By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service. You can prevent the firewall from attempting to fetch the device certificate for the following firewalls: To disable, log in to the firewall CLI or Panorama CLI and enter the following command: |
PAN-216214 | For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring. |
PAN-215869 | PAN-OS logs (Monitor > Logs) experience a significant delay before they are displayed if NetFlow (Device > Server Profiles > NetFlow) is enabled on an interface (Network > Interface). This may result in log loss if the volume of delayed logs exceeds the logging buffer available on the firewall. The following firewalls are impacted: |
PAN-205932 | DHCPv6 Client with Prefix Delegation is currently incompatible with GlobalProtect. You cannot configure GP gateways with dynamic IPv6 addresses. |
PAN-205166 | (PA-440, PA-450, and PA-460 firewalls only) The CLI does not display system information about the power supply when entering the `show system environmentals` command. As a result, the CLI cannot be used to view the current status of the power adapter. Workaround: To manually interpret the status of the firewall's power adapter, verify that your power cable connections are secure and that the LED on the power adapter is on. If the LED is not illuminated even though the power cable connections are secure, your power adapter has failed. |
PAN-197412 | In IPSec transport mode, traffic does not flow if you configure BGP routes on a tunnel interface. When using IPSec transport mode for BGP routes, configure the BGP routes on a physical interface (for example, ethernet 1/1) and not the tunnel interface. IPSec tunnel mode for BGP routes works with the tunnel interface, but IPSec transport mode for BGP routes works with the physical interface only. |
PAN-196530 | On the PA-5440 firewall, the valid range to configure the maximum number of site-to-site VPN tunnels is from 0 to 10,000. `admin@PA-5440# set import resource max-site-to-site-vpn-tunnels <0-10000>` |
PAN-192679 | (PA-415 and PA-445 firewalls) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall’s Alarm feature is unavailable for the power supply, and an alarm is raised only when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI. |