Changes to Default Behavior in PAN-OS 11.1
What default behavior changes impact PAN-OS 11.1?
The following table details the changes in default behavior upon upgrade to PAN-OS® 11.1. You may also want to review the Upgrade/Downgrade Considerations before upgrading to this release.
Feature | Change
Log Collectors
Ports 9300, 9301, and 9302 are now used for communication among Log Collectors in a Collector Group for log distribution and must be opened on your network.
Authentication for explicit proxy
When you upgrade to PAN-OS 11.1, the firewall evaluates the authentication policy for every explicit proxy traffic policy match.
Authentication sequence
In PAN-OS 11.1 and previous versions, when you select the Exit the sequence on failed authentication option, the firewall ends the authentication sequence when the authentication profile successfully authenticates the user or the firewall has unsuccessfully attempted authentication with all authentication profiles.
In PAN-OS 11.1.1, when you select the Exit the sequence on failed authentication option, the authentication sequence ends when the authentication profile authenticates successfully or fails the authentication.
Panorama Management of Multi-Vsys Firewalls
(Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only)
For multi-vsys firewalls managed by a Panorama management server, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than being duplicated to each virtual system. This reduces the operational burden of scaling configurations for multi-vsys firewalls.
As a result, you must delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use.
The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall.
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom objects
  • Decryption profiles
  • SD-WAN Link Management Profiles
Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama.
This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.
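
The Shared object name collision described above can be checked for before the upgrade. The following Python code is an added example, not Palo Alto Networks code; it assumes exported firewall and Panorama configurations that store objects as `<entry name="...">` elements under `/config/shared`, uses constructed sample XML, and compares names regardless of object type.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not from a real device). Assumed layout:
# <config><shared><object-type><entry name="..."/>...
FIREWALL_XML = """<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    <entry name="lab-net"><ip-netmask>192.168.50.0/24</ip-netmask></entry>
  </address>
  <service><entry name="tcp-8443"/></service>
  <tag><entry name="dmz"/></tag>
</shared></config>"""

PANORAMA_XML = """<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    <entry name="corp-net"><ip-netmask>10.0.0.0/8</ip-netmask></entry>
  </address>
  <service-group><entry name="tcp-8443"/></service-group>
</shared></config>"""

def shared_names(config_xml):
    """Map each object name under <shared> to the object-type paths defining it."""
    shared = ET.fromstring(config_xml).find("shared")
    names = {}

    def walk(node, path):
        for child in node:
            if child.tag == "entry" and child.get("name"):
                # Record the object itself; do not descend into its body.
                names.setdefault(child.get("name"), set()).add("/".join(path))
            else:
                walk(child, path + [child.tag])

    if shared is not None:
        walk(shared, [])
    return names

def shared_name_collisions(firewall_xml, panorama_xml):
    """Names present in both Shared contexts, with the object types on each side."""
    local, pushed = shared_names(firewall_xml), shared_names(panorama_xml)
    return [(n, sorted(local[n]), sorted(pushed[n]))
            for n in sorted(local.keys() & pushed.keys())]

if __name__ == "__main__":
    for name, fw, pano in shared_name_collisions(FIREWALL_XML, PANORAMA_XML):
        print(f"rename or delete local Shared object {name!r}: firewall {fw}, Panorama {pano}")
```

Each reported name is a local firewall Shared object to delete or rename before pushing from Panorama.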