Limitations in PAN-OS 11.0
Focus
Focus

Limitations in PAN-OS 11.0

Table of Contents
End-of-Life (EoL)

Limitations in PAN-OS 11.0

What are the limitations related to PAN-OS 11.0 releases?
The following are limitations associated with PAN-OS 11.0.
Issue ID
Description
The following limitations apply for on-premises Explicit Proxy:
  • On-premises Explicit Proxy does not support multi-tenancy.
  • On-premises Explicit Proxy supports authentication using SAML and Kerberos.
  • On-premises Explicit Proxy requires decryption (TLS 1.3 is recommended).
  • On-premises Explicit Proxy requires port 8080.
  • On-premises Explicit Proxy requires PAC files to direct traffic to the on-premises Explicit Proxy.
  • On-premises Explicit Proxy supports customer-based hosting for their individual PAC files.
  • On-premises Explicit Proxy supports inbound proxy chaining with XFF and XAU HTTP headers.
  • On-premises Explicit Proxy supports HTTP/2 for Kerberos only; HTTP/2 for SAML is not supported in this release.
In Advanced Routing mode, BGP peer groups and peers allow IPv6 NLRI to be transported over an IPv6 MP-BGP peer and allow IPv6 NLRI to be transported over an IPv4 MP-BGP peer. If you want to use IPv4 multicast, you are limited to only IPv4 with that peer. The firewall does not support SAFI IPv6 multicast at all.
PLUG-10942
For CN-Series deployments using the Advanced Routing Engine with the Kubernetes 3.0.0 plugin, you must configure Advanced Routing manually on the template stack:
  1. Set the flag PAN_ADVANCED_ROUTING:”true” in the pan-cn-mgmt-configmap-0.yaml file.
  2. Manually enable Advanced Routing on the Panorama template, then commit and push the configuration.
PAN-265738
NAT is not configurable when HA clusters are configured. HA clusters do not support NAT.
PAN-247465
(PA-7080 only) The firewall does not support Aquantia 10G SFP transceivers.
PAN-246825
ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router or logical router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
PAN-218067
By default, Next Generation firewalls and Panorama attempt to fetch the device certificate or Panorama device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service.
You can prevent the firewall from attempting to fetch the device certificate for the following firewalls:
  • M-300 appliance
  • M-500 appliance
  • PA-400 Series firewalls
  • PA-1400 Series firewalls
  • PA-3400 Series firewalls
  • PA-5400 Series firewalls
  • PA-5450 firewall
To disable, log in to the firewall CLI or Panorama CLI and enter the following command:
admin> request certificate auto-fetch disable
Code copied to clipboard
Unable to copy due to lack of browser support.
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (DeviceHigh Availability) in a template or template stack (PanoramaTemplates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring.
PAN-215869
PAN-OS logs (MonitorLogs) experience a significant delay before they are displayed if NetFlow (DeviceServer ProfilesNetFlow) is enabled on an interface (NetworkInterface). This may result in log loss if the volume of delayed logs exceeds the logging buffer available on the firewall.
The following firewalls are impacted:
  • PA-400 Series Firewalls
  • PA-800 Series Firewalls
  • PA-1400 Series Firewalls
  • PA-3200 Series Firewalls
  • PA-3400 Series Firewalls
PAN-205932
DHCPv6 Client with Prefix Delegation is currently incompatible with GlobalProtect. You cannot configure GP gateways with dynamic IPv6 addresses.
PAN-205166
(PA-440, PA-450, and PA-460 firewalls only) The CLI does not display system information about the power supply when entering the show system environmentals command. As a result, the CLI cannot be used to view the current status of the power adapter.
Workaround: To manually interpret the status of the firewall's power adapter, verify that your power cable connections are secure and that the LED on the power adapter is on. If the LED is not illuminated even though the power cable connections are secure, your power adapter has failed.
PAN-197412
In IPSec transport mode, the traffic does not flow if you configure BGP routes in a tunnel interface. While using IPSec transport mode for BGP routes, configure the BGP routes on a physical interface (for example, ethernet 1/1) and not the tunnel interface.
While IPSec tunnel mode for BGP routes works with the tunnel interface, IPSec transport mode for BGP routes works with the physical interface only.
PAN-196530
On the PA-5440 firewall, the valid range to configure the maximum number of site-to-site VPN tunnels is from 0 to 10,000.
admin@PA-5440# set import resource max-site-to-site-vpn-tunnels <0-10000>
PAN-192679
(PA-415 and PA-445 firewalls) The hardware can detect the presence of a power adapter but does not detect voltage or functionality. As a result, the firewall’s Alarm feature is unavailable to the power supply and is only raised when the device reaches temperature limits. Furthermore, the firewall does not display power supply details in system logs or the CLI.