PAN-OS 9.1.12 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.1.12 Known Issues
Review the known issues specific to the PAN-OS 9.1.12 release.
The following list includes all known issues that impact
the PAN-OS® 9.1.12 release. This list includes both outstanding
issues and issues that are addressed in Panorama™, GlobalProtect™,
VM-Series, and WildFire®, as well as known issues that apply more
generally or that are not identified by a specific issue ID.
For a complete list of existing and addressed known issues in
all PAN-OS 9.1 releases, see the Known Issues Related to PAN-OS 9.1 Releases.
Issue ID | Description |
---|---|
— | Upgrading Panorama with a local Log Collector
and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant infrastructure
changes. Ensure uninterrupted power to all appliances throughout
the upgrade process. |
— | A critical System log is generated on the
VM-Series firewall if the minimum memory requirement for the model is
not available.
|
PLUG-380 | When you rename a device group, template,
or template stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager. Therefore,
any ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your Security
policy is not pushed to VM-Series firewalls that you deploy after
you rename those objects. There is no impact to existing VM-Series
firewalls. |
PAN-223365
|
The Panorama management server is unable to query any logs if the
ElasticSearch health status for any Log Collector (PanoramaManaged Collector is degraded.
Workaround:
Log in to the Log Collector
CLI and reboot.
Alternatively, you can contact Palo Alto Networks Customer
Support to restart the ElasticSearch process without
rebooting the Log Collector.
|
PAN-199557
|
On M-600 appliances in an Active/Passive high availability (HA)
configuration, the configd process
restarts due to a memory leak on the
Active Panorama HA peer. This
causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the
Active Panorama HA peer.
|
PAN-197341 | On the Panorama management server, if you
create multiple device group Objects with
the same name in the Shared device group and any additional device
groups (PanoramaDevice Groups)
under the same device group hierarchy that are used in one or more Policies,
renaming the object with a shared name in any device group causes
the object name to change in the policies where it is used. This
issue applies only to device group objects that can be referenced in
a Security policy rule. For example:
Changing
the name of the address object in the Shared device
group causes the references in the Policy rule to use the renamed Shared object instead
of the device group object. |
PAN-186937 This issue is
now resolved. See PAN-OS 9.1.14 Addressed Issues. | The firewall drops Encapsulating Security
Payload (ESP) IPsec packets that originate from the same firewall. This
behavior occurs when you enable Strict IP Address Check in
the Zone Protection profile (Packet Based Attack Protection tab,
IP Drop section) and the packet’s source IP address is the same
as the egress interface address. Workaround: Disable
the Strict IP Address Check option in the
Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier
or upgrade to 10.0.0 or later if you want to enable the Strict
IP Address Check. |
PAN-178194 | Firewalls licensed for Advanced URL Filtering generate
a message indicating that a License required for URL
filtering to function is unavailable displays at the
bottom of the UI, due to a PAN-OS UI issue. This error does not
affect the operation of Advanced URL Filtering or URL Filtering. |
PAN-159295 This issue is
now resolved. See PAN-OS 9.1.13 Addressed Issues. | Scheduled configuration export files saved
in the /tmp folder are not periodically purged, which causes the root
partition to fill up. |
PAN-154266 | When an application matches an SD-WAN policy
and some sessions for the same application do not match an SD-WAN
policy, the SD-WAN Monitoring—Traffic Characteristics screen displays
the Links Used information with an SD-WAN policy and a null policy.
Sessions that do not have an SD-WAN policy ID are filtered from
Links Used. Workaround: If you want to see session
logs that include a default selection, create a catch-all SD-WAN
policy rule and place it last in the list of SD-WAN policies. |
PAN-154247 | On the Panorama management server, context switching
to and from the managed firewall web interface may cause the Panorama
administrator to be logged out. Workaround: Log out
and back in to the Panorama web interface. |
PAN-153803 | On the Panorama management server, scheduled email
PDF reports (MonitorPDF Reports)
fail if a GIF image is used in the header or footer. |
PAN-146573 | PA-7000 series firewalls configured with
a large number of interfaces experience impacted performance and
possible timeouts when performing SNMP queries. |
PAN-146485 | On the Panorama management server, adding, deleting,
or modifying the upstream NAT configuration (PanoramaSD-WANDevices)
does not display the branch template stack as out of sync. Additionally,
adding, deleting, or modifying the BGP configuration (PanoramaSD-WANDevices)
does not display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch firewall
does not cause the hub template stack to display as out of sync,
nor does modifying the BGP configuration on the hub firewall cause
the branch template stack as out of sync. Workaround: After
performing a configuration change, Commit and Push the
configuration changes to all hub and branch firewalls in the VPN
cluster containing the firewall with the modified configuration. |
PAN-144889 | (PAN-OS 9.1.2-h1 and later releases
only) On the Panorama management server, adding, deleting,
or modifying the original subnet IP, or adding a new subnet after
you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2
plugin does not display the managed firewall templates (PanoramaManaged DevicesSummary) as Out of Sync. Workaround:
When modifying the original subnet IP, or adding a new subnet, push
the template configuration changes to your managed firewalls and Force
Template Values (CommitPush to DevicesEdit Selections). |
PAN-140959 | The Panorama management server allows you
to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2
and earlier releases where ZTP functionality is not supported. |
PAN-134456 | SNMP traps configured to use the dataplane
port in service routes are still sent using the management interface. Workaround: Use
a destination-based service route for the SNMP trap server. |
PAN-134053 | ACC does not filter WildFire logs from Dynamic
User Groups. |
PAN-130550 | (PA-3200 Series, PA-5220, PA-5250, PA-5260, and
PA-7000 Series firewalls) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation. Workaround: Use
source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic. |
PAN-127813 | In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches don’t
communicate with each other. Expected branch routes are for generic
prefixes, which can be configured in the hub and advertised to all
branches. Branches with unique prefixes are not published up to
the hub. Workaround: Add any specific prefixes for
branches to the hub advertise-list configuration. |
PAN-127550 | Panorama supports only incremental additions
for CSV imports when the SD-WAN plugin is enabled. Delete devices
manually in the web interface or CLI. |
PAN-127474 | When you configure a Server Profile, the
custom log format for GlobalProtect logs is missing. |
PAN-127206 | If you use the CLI to enable the cleartext
option for the Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become unresponsive
or time out. |
PAN-123277 | Dynamic tags from other sources are accessible using
the CLI but do not display on the Panorama web interface. |
PAN-123040 | When you try to view network QoS statistics
on an SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for this issue.
Please contact Support for information about the workaround. |
PAN-120440 | There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having Private
PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2. |
PAN-120303 | There is an issue where the firewall remains connected
to the PAN-DB-URL server through the old management IP address on
the M-500 Panorama management server, even when you configured the
Eth1/1 interface. Workaround: Update the PAN-DB-URL IP
address on the firewall using one of the methods below.
|
PAN-118065 | (M-Series Panorama management servers
in Management Only mode) When you delete the local Log Collector (PanoramaManaged Collectors),
it disables the 1/1 ethernet interface in the Panorama configuration
as expected but the interface still displays as Up when you execute
the show interface all command in the CLI
after you commit. Workaround: Disable the 1/1 ethernet interface
before you delete the local log collector and then commit the configuration
change. |
PAN-116017 | (Google Cloud Platform (GCP) only)
The firewall does not accept the DNS value from the initial configuration
(init-cfg) file when you bootstrap the firewall. Workaround: Add
DNS value as part of the bootstrap.xml in the bootstrap folder and
complete the bootstrap process. |
PAN-115816 | (Microsoft Azure only) There is
an intermittent issue where an Ethernet (eth1) interface does not
come up when you first boot up the firewall. Workaround: Reboot
the firewall. |
PAN-114495 | Alibaba Cloud runs on a KVM hypervisor and supports
two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series
firewall running PAN-OS 9.0 in DPDK packet mode and you then switch
to MMAP packet mode, the VM-Series firewall duplicates packets that originate
from or terminate on the firewall. As an example, if a load balancer
or a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode, the firewall
duplicates the ping packets. Throughput traffic is not duplicated
if you deploy the VM-Series firewall using MMAP packet mode. |
PAN-112694 | (Firewalls with multiple virtual systems only)
If you configure dynamic DNS (DDNS) on a new interface (associated
with vsys1 or another virtual system) and you then create a New Certificate
Profile from the drop-down, you must set the location for the Certificate Profile
to Shared. If you configure DDNS on an existing interface and then
create a new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system. Alternatively,
you can select a preexisting certificate profile instead of creating
a new one. |
PAN-112456 | You can temporarily submit a change request
for a URL Category with more than two suggested categories. However,
we support only two suggested categories so add no more than two
suggested categories to a change request until we address this issue.
If you submit more than two suggested categories, we will use only
the first two categories you enter. |
PAN-111928 | Invalid configuration errors are not displayed
as expected when you revert a Panorama management server configuration. Workaround: After
you revert the Panorama configuration, Commit (CommitCommit to Panorama)
the reverted configuration to display the invalid configuration errors. |
PAN-111866 | The push scope selection on the Panorama
web interface displays incorrectly even though the commit scope
displays as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates that
affect multiple firewalls and a different administrator attempts
to push those changes. Workaround: Perform one of the following
tasks.
|
PAN-111729 | If you disable DPDK mode and enable it again,
you must immediately reboot the firewall. |
PAN-111670 | Tagged VLAN traffic fails when sent through
an SR-IOV adapter. |
PAN-111251 | Using the CLI to enable or disable DNS Rewrite under
a Destination NAT policy rule has no effect. |
PAN-110794 | DGA-based threats shown in the firewall
threat log display the same name for all such instances. |
PAN-109759 | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match. |
PAN-109526 | The system log does not correctly display
the URL for CRL files; instead, the URLs are displayed with encoded characters. |
PAN-106675 | After upgrading the Panorama management
server to PAN-OS 8.1 or a later release, predefined reports do not display
a list of top attackers. Workaround: Create new threat summary
reports (MonitorPDF
ReportsManage PDF Summary) containing
the top attackers to mimic the predefined reports. |
PAN-104780 | If you configure a HIP object to match only
when a connecting endpoint is managed (ObjectsGlobalProtectHIP Objects<hip-object>GeneralManaged), iOS and Android endpoints
that are managed by AirWatch are unable to successfully match the
HIP object and the HIP report incorrectly indicates that these endpoints
are not managed. This issue occurs because GlobalProtect gateways
cannot correctly identify the managed status of these endpoints. Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints; these
serial numbers do not appear in the HIP report. |
PAN-103276 | Adding a disk to a virtual appliance running Panorama
8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama
virtual appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-101688 | (Panorama plugins) The IP address-to-tag
mapping information registered on a firewall or virtual system is
not deleted when you remove the firewall or virtual system from
a Device Group. Workaround: Log in to the CLI on the firewall
and enter the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all. |
PAN-101537 | After you configure and push address and
address group objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command
on a managed firewall only returns address and address group objects
pushed form the Shared device group. Workaround: Specify
the vsys in the query string: admin> set system target-vsys <vsys-name> admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name>’ <dst> | <src> in <object-name> |
PAN-98520 | When booting or rebooting a PA-7000 Series
Firewall with the SMC-B installed, the BIOS console output displays attempts
to connect to the card's controller in the System Memory Speed section.
The messages can be ignored. |
PAN-97757 | GlobalProtect authentication fails with
an Invalid username/password error
(because the user is not found in Allow List) after
you enable GlobalProtect authentication cookies and add a RADIUS
group to the Allow List of the authentication
profile used to authenticate to GlobalProtect. Workaround: Disable
GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve
user group from RADIUS in the authentication profile
and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97524 | (Panorama management server only)
The Security Zone and Virtual System columns (Network tab)
display None after a Device Group and
Template administrator with read-only privileges performs a context
switch. |
PAN-96985 | The request shutdown system command
does not shut down the Panorama management server. |
PAN-96960 | You cannot restart or shutdown a Panorama
on KVM from the Virtual-manager console or virsch CLI. |
PAN-96446 | A firewall that is not included in a Collector
Group fails to generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in Management Only
mode. |
PAN-95773 | On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command
displays an inaccurate throughput and packet rate. Workaround: Disable
DPDK by running the set system setting dpdk-pkt-io off CLI
command. |
PAN-95511 | The name for an address object, address
group, or an external dynamic list must be unique. Duplicate names for
these objects can result in unexpected behavior when you reference
the object in a policy rule. |
PAN-95028 | For administrator accounts that you created
in PAN-OS 8.0.8 and earlier releases, the firewall does not apply
password profile settings (DevicePassword Profiles) until after
you upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts that you
create in PAN-OS 8.0.9 or a later release do not require you to
change the passwords to apply password profile settings.) |
PAN-94846 | When DPDK is enabled on the VM-Series firewall with
i40e virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up, regardless
of changes to the physical link state. |
PAN-94093 | HTTP Header Insertion does not work when
jumbo frames are received out of order. |
PAN-93968 | The firewall and Panorama web interfaces
display vulnerability threat IDs that are not available in PAN-OS 9.0
releases (ObjectsSecurity
ProfilesVulnerability Protection<profile>Exceptions). To
confirm whether a particular threat ID is available in your release,
monitor the release notes for each new Applications and Threats
content update or check the Palo Alto Networks Threat Vault to see the minimum
PAN-OS release version for a threat signature. |
PAN-93607 | When you configure a VM-500
firewall with an SCTP Protection profile (ObjectsSecurity ProfilesSCTP Protection)
and you try to add the profile to an existing Security Profile Group (ObjectsSecurity Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles. Workaround: Create
a new Security Profile Group and select the SCTP Protection profile
from there. |
PAN-93532 | When you configure a firewall
running PAN-OS 9.0 as an nCipher HSM client, the web interface on
the firewall displays the nCipher server status as Not Authenticated, even
though the HSM state is up (DeviceSetupHSM). |
PAN-93193 | The memory-optimized VM-50
Lite intermittently performs slowly and stops processing traffic
when memory utilization is critically high. To prevent this issue,
make sure that you do not:
Workaround: When
the firewall performs slowly, or you see a critical System log for memory
utilization, wait for 5 minutes and then manually reboot the firewall. Use
the Task Manager to verify that you are not performing memory intensive
tasks such as installing dynamic updates, committing changes or
generating reports, at the same time, on the firewall. |
PAN-91802 | On a VM-Series firewall, the clear session
all CLI command does not clear GTP sessions. |
PAN-83610 | In rare cases, a PA-5200 Series firewall
(with an FE100 network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In
PAN-OS 8.0.6 and later releases, you can persistently disable session
offload for only UDP traffic using the set session udp-off load no CLI
command. |
PAN-83236 | The VM-Series firewall on Google
Compute Platform does not publish firewall metrics to Google Stack Monitoring
when you manually configure a DNS server IP address (DeviceSetupServices). Workaround: The
VM-Series firewall on Google Cloud Platform must use the DNS server
that Google provides. |
PAN-83215 | SSL decryption based on ECDSA
certificates does not work when you import the ECDSA private keys
onto an nCipher nShield hardware security module (HSM). |
PAN-81521 | Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address in the
Kerberos server profile (DeviceServer ProfilesKerberos). Workaround: Replace
the FQDN with the IP address in the Kerberos server profile. |
PAN-77125 | PA-7000 Series, PA-5200 Series,
and PA-3200 Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions remain
open until they time out. Workaround: Configure the
firewalls in virtual wire mode instead of tap mode, or disable session offloading
by running the set session off load no CLI
command. |
PAN-75457 | (PAN-OS 8.0.1 and later releases)
In WildFire appliance clusters that have three or more nodes, the
Panorama management server does not support changing node roles.
In a three-node cluster for example, you cannot use Panorama to
configure the worker node as a controller node by adding the HA
and cluster controller configurations, configure an existing controller
node as a worker node by removing the HA configuration, and then commit
and push the configuration. Attempts to change cluster node roles
from Panorama results in a validation error—the commit fails and
the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet
capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | (PAN-OS 8.0.1 and later releases)
When you import a two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as out-of-sync
if either of the following conditions exist:
Workaround: There are three possible workarounds
to sync the controller nodes:
|
PAN-71329 | Local users and user groups in the Shared
location (all virtual systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications (NetworkGlobalProtectPortals<portal>Clientless VPNApplications). Workaround: Create
users and user groups in specific virtual systems on firewalls that
have multiple virtual systems. For single virtual systems (like VM-Series
firewalls), users and user groups are created under Shared and are
not configurable for Clientless VPN applications. |
PAN-70906 | If the PAN-OS web interface and the GlobalProtect portal
are enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface. Workaround: Use
the IP address to access the PAN-OS web interface and an FQDN to
access the GlobalProtect portal. |
PAN-69505 | When viewing an external dynamic list that
requires client authentication and you Test Source URL,
the firewall fails to indicate whether it can reach the external
dynamic list server and returns a URL access error (ObjectsExternal Dynamic Lists). |
PAN-41558 | When you use a firewall loopback interface
as a GlobalProtect gateway interface, traffic is not routed correctly
for third-party IPSec clients, such as strongSwan. Workaround: Use
a physical firewall interface instead of a loopback firewall interface
as the GlobalProtect gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is used as
the GlobalProtect gateway to be in the same zone as the physical
ingress interface for third-party IPSec traffic. |
PAN-40079 | The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality. |
PAN-39636 | Regardless of the Time Frame you
specify for a scheduled custom report on a Panorama M-Series appliance,
the earliest possible start date for the report data is effectively
the date when you configured the report (MonitorManage Custom Reports). For
example, if you configure the report on the 15th of the month and
set the Time Frame to Last 30
Days, the report that Panorama generates on the 16th
will include only data from the 15th onward. This issue applies
only to scheduled reports; on-demand reports include all data within
the specified Time Frame. Workaround: To
generate an on-demand report, click Run Now when
you configure the custom report. |
PAN-38255 | When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command. |
PAN-31832 | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|