Limitations in PAN-OS 10.1
What are the limitations related to PAN-OS 10.1 releases?
The following are limitations associated with PAN-OS 10.1, listed by issue ID with a description of each.
PAN-246825
ECMP is not supported for equal-cost routes where one or more of those routes has a virtual router as the next hop. None of the equal-cost routes will be installed in the Forwarding Information Base (FIB).
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA settings to display as overridden despite no config override occurring.
PAN-218372
Commits on Panorama and configuration pushes from Panorama to managed firewalls fail because the auto-commit process gets stuck at 55%.
Workaround: Reset the impacted firewall to the factory default settings and push the configuration changes to the managed firewall.
To reset the firewall to factory defaults, perform the following steps:
  1. Save and export the Panorama and the firewall configurations.
  2. Reset the impacted firewall to factory default settings.
  3. Add the firewall back to Panorama.
  4. Add the firewall back to the appropriate device group.
  5. Add the firewall back to the appropriate template stack.
  6. Select Commit > Commit and Push your Panorama-managed configuration to the factory-reset firewall.
PAN-218067
By default, Next Generation firewalls attempt to fetch the device certificate with each commit even when the firewall is not using any Palo Alto Networks cloud service.
You can prevent the firewall from attempting to fetch the device certificate for the following firewalls:
  • PA-410, PA-440, PA-450, and PA-460 firewalls
  • PA-5450 firewall
To disable, log in to the firewall CLI and enter the following command:
admin> request certificate auto-fetch disable
PAN-215869
PAN-OS logs (Monitor > Logs) experience a significant delay before they are displayed if NetFlow (Device > Server Profiles > NetFlow) is enabled on an interface (Network > Interface). This may result in log loss if the volume of delayed logs exceeds the logging buffer available on the firewall.
The following firewalls are impacted:
  • PA-410 (PAN-OS 10.1.2 and later releases)
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-800 Series Firewalls
  • PA-3200 Series Firewalls
PAN-205166
(PA-440, PA-450, and PA-460 firewalls only) The CLI does not display system information about the power supply when entering the show system environmentals command. As a result, the CLI cannot be used to view the current status of the power adapter.
Workaround: To manually interpret the status of the firewall's power adapter, verify that your power cable connections are secure and that the LED on the power adapter is on. If the LED is not illuminated even though the power cable connections are secure, your power adapter has failed.
PAN-190727
(PA-5450 only) Log interfaces must be configured to ensure they are not in the same subnetwork as the management interface. Configuring both interfaces in the same subnetwork can cause connectivity issues and result in the wrong interface being used for log forwarding.
PAN-187615
SSL/TLS session resumption fails on PA firewalls using TLSv1.3 with an x25519 ECDSA key.
Workaround:
  • Use an RSA certificate.
  • If you must use an ECDSA certificate, send secp521r1 as the elliptic curve parameter in the Client Hello message.
PAN-186061
On the Panorama management server, pushing a configuration change to managed firewalls fails if a HIP Profile (Objects > GlobalProtect > HIP Profiles) is associated with a Security (Policies > Security) or Authentication (Policies > Authentication) policy rule. This applies to:
  • Panorama running PAN-OS 10.1.4 or an earlier 10.1 release, managing firewalls running PAN-OS 10.0.9 or a later 10.0 release, where the Security and Authentication policy rules were created from the CLI.
  • (SD-WAN) Panorama running PAN-OS 10.1.4 or an earlier 10.1 release, managing firewalls running PAN-OS 10.0.9 or a later 10.0 release that use the BGP policy auto-generated by the Panorama plugin for SD-WAN.
Workaround: Remove any HIP Profiles associated with a Security or Authentication policy rule from the Panorama CLI.
  1. Log in to the Panorama CLI.
  2. Remove any HIP Profile associated with a policy rule.
     admin> configure
     Security policy rule command:
     admin# delete device-group <device-group-name> <pre-rulebase or post-rulebase> security rules <rule-name> hip-profiles
     Authentication policy rule command:
     admin# delete device-group <device-group-name> <pre-rulebase or post-rulebase> authentication rules <rule-name> hip-profiles
  3. Commit.
     admin# commit
Alternatively, upgrade to PAN-OS 10.1.5 or later release to avoid needing to remove HIP Profile association from your Security and Authentication policy rules.
  • Firewall or Panorama local commit may fail and display the error "hip-profiles unexpected here" after the following PAN-OS upgrades:
    • From a 10.0.x version to 10.0.9 or 10.1.5
    • From a 10.1.x version to 10.1.5
Workaround: Load the running configuration.
  1. Log in to the Panorama CLI.
  2. Load the running config.
     admin> configure
     admin# load config from running-config.xml
     admin# commit force
  3. Push to your managed firewalls from Panorama.
     Continue to the next step only if the push fails again.
  4. Load the running config again.
     admin> configure
     admin# load config from running-config.xml
     admin# commit force
PAN-182912
Due to a change in default root partition threshold, PAN-OS may print a critical log on a PA-7050 stating that disk usage has exceeded the limit.
Workaround: Replace the first-generation PA-7050 SMC (Switch Management Card) with the second-generation SMC-B.
PAN-175545
(PAN-OS 10.1.2 and later versions) The PA-410 does not write session logs locally. As a result, the PAN-OS Web Interface does not display any logs in the Monitor tab.
PAN-174817
When an external dynamic list (EDL) is added to an Anti-Spyware Profile and configured as an allow list, the EDL policy action of Allow does not take precedence over the domain policy action specified under DNS Security. As a result, when a domain matches both an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow.
Workaround: Configure the EDL with an Alert action. This generates threat logs on the firewall but applies the EDL action instead of the DNS Security action. Alternatively, add DNS domain exceptions to the DNS Domain/FQDN Allow List in the DNS Exceptions tab of your Anti-Spyware Profile.
PAN-174784
Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (Monitor > Manage Custom Reports) when configured for the last calendar day. This can result in the generated report not displaying all relevant log data generated in the last calendar day.
PAN-174442
When a Certificate Profile (Device > Certificate Management > Certificate Profile) is configured to Block session if certificate status cannot be retrieved within timeout, the firewall allows client certificate validation to go through even if the CRL Distribution Point or OCSP Responder is unreachable.
Workaround: You must also enable Block session if certificate status is unknown to ensure Block session if certificate status cannot be retrieved within timeout is effective.
PAN-174038
In an SD-WAN configuration, when a GlobalProtect Gateway is terminated on a loopback interface, if the tunnel protocol is udp-encapsulated ESP (IPSec), the return traffic from the Gateway toward the client is load-balanced across all of the SD-WAN member interfaces and cannot be subjected to an SD-WAN policy.
PAN-172401
The PA-400 Series data port drops traffic when the local link speed is forced to 10 Mbps/100 Mbps while the remote peer link speed is set to autonegotiate.
PAN-172383
When the App-ID Cloud Engine (ACE) is enabled on Panorama and you downgrade from PAN-OS 10.1 to PAN-OS 10.0, it takes a longer time than expected for the software installation to complete. The amount of time depends on the size of the ACE configuration (how many ACE App-IDs are used in Security policy, either directly or through an Application Filter or an Application Group).
The extra time is required to check for cloud application references, including processing time to check references for applications, application containers, application types, and application tags across the entire configuration. It also takes extra time to check for redundancy between predefined (content-provided) and cloud applications, and after all checks are complete, to produce a list of ACE applications that you must remove from Security policy before the downgrade can succeed.
PAN-172302
(PAN-OS 10.1.0 and 10.1.1) The PA-400 Series management port link goes down when a remote peer link speed is set to Auto OFF or forced to 100 Mbps.
PAN-171283
When you run the App-ID Cloud Engine (ACE) service on firewalls in an HA cluster, after a cluster failover, the sessions based on ACE App-IDs move to the failover firewall. However, as with other applications, on failover some session information is not retained.
For ACE App-IDs, the operational command admin@pan-os-fw> show session id <session> shows the application as being 0 instead of showing the name of the application. This does not affect Security policy enforcement after the failover.
PAN-171057
Policies > Security > Policy Optimizer > New App Viewer displays rules that do not have new applications if the functional applications are in an app container.
For example, a Security policy allow rule includes an app container for the “exampleapp” application. The firewall sees the functional application “exampleapp-post” for the first time. Because the allow rule includes the new app’s container, the firewall should not see it as a new application. However, the New App Viewer shows the rule as having seen a new application even though the app container includes it in the rule.
PAN-168234
The Cisco TrustSec, Zero Touch Provisioning (ZTP), and Enterprise Data Loss Prevention (DLP) plugins are not supported on a Panorama™ management server in FIPS-CC mode and cause a commit failure if installed on Panorama in FIPS-CC mode.
PAN-167996
When the firewall downloads App-IDs from the App-ID Cloud Engine, if the App-ID of a cloud-delivered application is the same as the App-ID of a custom application that already exists on the firewall, the commit fails. (Two applications cannot have the same App-ID.)
Workaround: Rename the custom application to remove the conflict with the cloud-delivered App-ID, or if the custom application and cloud-delivered application are the same application, you can delete the custom application and use the cloud-delivered application.
PAN-167335
Only packets within the first client-to-server HTTP/1.0 and HTTP/1.1 transaction header sections are matched against cloud-based App-ID signatures. This means that after the first transaction, functional apps are identified as base applications.
PAN-165116
When you Commit changes on the firewall, if you configure a Security policy rule with an application that has application dependencies (the application depends on other applications to work) and you did not add the application dependencies to the rule, a warning appears that shows the application dependencies to add to the rule. For example, if you configure a rule with the “google-surveys-base” application but do not add the application dependency “google-base” to the rule, the commit warning appears.
For App-ID Cloud Engine (ACE) applications, the application dependency warning only appears if you add the ACE application to the rule directly or using an Application Group. If you add ACE applications to the rule using an Application Filter, then commit actions don’t warn you if application dependencies are missing.
PAN-159293
A Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format may erroneously return errors on VM-Series firewalls, even though the firewall is able to successfully pull the CRL to verify that the syslog server certificate is still valid.
PAN-152433
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured, if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes to a non-functional state due to a NAT oversubscription mismatch between the HA peers. The same non-functional state results if both HA peers are running PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.0.0. The upgraded or downgraded firewall goes to a non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround: After an upgrade or downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when responding to SNMP queries.
PAN-121678
(PA-7000b Series only) The following error during secure boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.
[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)
Maintenance Mode filesystem size: 2.0G
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
PAN-99845
After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner:
  • SIP call modifications (some examples include resuming a call that was on hold, transferring a call, and picking up a parked call).
  • Call tear-down.
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.