Known or Addressed | PAN-OS | Bug ID | Description (Database last updated 10-07-2024)
Known | 9.1.19 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.19 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known | 9.1.19 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.19 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and reboot it:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.19 | PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround: Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes:
admin> debug elasticsearch es-restart optional all
Known | 9.1.19 | PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known | 9.1.19 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.19 | PAN-178194
Firewalls licensed for Advanced URL Filtering display a "License required for URL filtering to function" message at the bottom of the web interface, due to a PAN-OS UI issue. This message does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.19 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.19 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
Known | 9.1.19 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.19 | PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known | 9.1.19 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known | 9.1.19 | PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known | 9.1.19 | PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known | 9.1.19 | PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround: Use a destination-based service route for the SNMP trap server.
Known | 9.1.19 | PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known | 9.1.19 | PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known | 9.1.19 | PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known | 9.1.19 | PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known | 9.1.19 | PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known | 9.1.19 | PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known | 9.1.19 | PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known | 9.1.19 | PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known | 9.1.19 | PAN-120440
There is an issue on M-500 Panorama management servers where an ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity only supports the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
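Added example (not Palo Alto Networks code) for the entry above: a converter that rewrites any valid IPv6 notation into the one form the M-500 is reported to accept for a Private PAN-DB-URL source, plus a check that an address is already in that form. The page gives a single sample address, so the exact rule (all eight groups written out with no "::" compression, leading zeros dropped, hexadecimal digits in upper case) is an assumption inferred from that sample; confirm it against the appliance before relying on it.

```python
"""Normalize an IPv6 address to the notation PAN-120440 describes.

Added example, not Palo Alto Networks code.  The target format is an
assumption derived from the page's one sample (2001:DB9:85A3:0:0:8A2E:370:2):
eight explicit groups, no '::', no leading zeros, upper-case hex.
"""
import ipaddress


def to_pandb_ipv6(text):
    """Return `text` rewritten in the assumed accepted form.

    Raises ValueError for anything that is not a plain IPv6 address
    (IPv4, garbage, or a scoped address such as fe80::1%eth0).
    """
    text = text.strip()
    if "%" in text:
        raise ValueError("zone index not supported for PAN-DB source addresses")
    addr = ipaddress.IPv6Address(text)        # rejects IPv4 and malformed input
    groups = addr.exploded.split(":")         # always 8 zero-padded groups
    # Drop leading zeros but keep a single 0 for all-zero groups; no '::'.
    return ":".join(g.lstrip("0") or "0" for g in groups).upper()


def is_pandb_form(text):
    """True only when `text` is already written exactly in the accepted form."""
    try:
        return to_pandb_ipv6(text) == text
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: compressed, zero-padded, loopback.
    for sample in ("2001:db9:85a3::8a2e:370:2",
                   "2001:0DB9:85A3:0000:0000:8A2E:0370:0002",
                   "::1"):
        print(f"{sample:40} -> {to_pandb_ipv6(sample)}")
```

Run it with no arguments to see the three constructed inputs converted; `is_pandb_form` is the pre-commit check to run on whatever address you are about to enter in the interface configuration.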
Known | 9.1.19 | PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known | 9.1.19 | PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local Log Collector and then commit the configuration change.
Known | 9.1.19 | PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known | 9.1.19 | PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known | 9.1.19 | PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known | 9.1.19 | PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known | 9.1.19 | PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known | 9.1.19 | PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known | 9.1.19 | PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known | 9.1.19 | PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known | 9.1.19 | PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known | 9.1.19 | PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known | 9.1.19 | PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known | 9.1.19 | PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known | 9.1.19 | PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known | 9.1.19 | PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known | 9.1.19 | PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known | 9.1.19 | PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known | 9.1.19 | PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known | 9.1.19 | PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Set the target vsys and specify the vsys in the query string:
admin> set system setting target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known | 9.1.19 | PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known | 9.1.19 | PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known | 9.1.19 | PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known | 9.1.19 | PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known | 9.1.19 | PAN-96960
You cannot restart or shut down a Panorama virtual appliance on KVM from the Virtual Machine Manager console or the virsh CLI.
Known | 9.1.19 | PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known | 9.1.19 | PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known | 9.1.19 | PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
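Added example (not Palo Alto Networks code) serving both this entry and PAN-197341 above: a pre-rename check that parses a Panorama configuration export and reports (a) an object name defined at more than one level of the same device-group hierarchy, the shadowing that PAN-197341 describes, generalized to any two levels rather than only Shared versus a device group, and (b) one name reused across address, address group and external dynamic list objects in a single location, which this entry warns against. The XML layout (objects under /config/shared and /config/devices/entry/device-group/entry, the child-to-parent link under /config/readonly/.../parent-dg) and the embedded sample configuration are assumptions constructed for the example, not a real export.

```python
"""Object-name collision check for a Panorama configuration export.

Added example, not Palo Alto Networks code.  Assumed export layout:
  /config/shared/{address,address-group,external-list}/entry
  /config/devices/entry/device-group/entry[@name]/{address,...}/entry
  /config/readonly/devices/entry/device-group/entry[@name]/parent-dg
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

OBJECT_TYPES = ("address", "address-group", "external-list")

# Constructed sample (not a real export): Shared, DG-A and its child DG-B
# each define AddressObjA; DG-A also uses "Web" for an address and a group.
SAMPLE_CONFIG = """<config>
  <readonly><devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A"/>
    <entry name="DG-B"><parent-dg>DG-A</parent-dg></entry>
  </device-group></entry></devices></readonly>
  <shared><address>
    <entry name="AddressObjA"><ip-netmask>10.0.0.1/32</ip-netmask></entry>
  </address></shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A">
      <address>
        <entry name="AddressObjA"><ip-netmask>10.1.0.1/32</ip-netmask></entry>
        <entry name="Web"><ip-netmask>10.1.0.2/32</ip-netmask></entry>
      </address>
      <address-group>
        <entry name="Web"><static><member>AddressObjA</member></static></entry>
      </address-group>
    </entry>
    <entry name="DG-B"><address>
      <entry name="AddressObjA"><ip-netmask>10.2.0.1/32</ip-netmask></entry>
    </address></entry>
  </device-group></entry></devices>
</config>"""


def load_objects(xml_text):
    """Map each location ('shared' or a device-group name) to its
    set of (object_type, object_name) pairs."""
    root = ET.fromstring(xml_text)
    objects = defaultdict(set)
    locations = [("shared", root.find("shared"))]
    locations += [(dg.get("name"), dg)
                  for dg in root.findall("devices/entry/device-group/entry")]
    for loc, node in locations:
        objects.setdefault(loc, set())   # keep empty locations visible
        if node is None:
            continue
        for obj_type in OBJECT_TYPES:
            for entry in node.findall(f"{obj_type}/entry"):
                objects[loc].add((obj_type, entry.get("name")))
    return dict(objects)


def load_parents(xml_text):
    """Map each device group to its parent; top-level groups hang off 'shared'."""
    root = ET.fromstring(xml_text)
    return {dg.get("name"): dg.findtext("parent-dg") or "shared"
            for dg in root.findall("readonly/devices/entry/device-group/entry")}


def ancestry(dg, parents):
    """Lookup order a firewall in `dg` sees: dg, its parent, ..., shared."""
    chain = []
    while dg != "shared":
        chain.append(dg)
        dg = parents.get(dg, "shared")
    return chain + ["shared"]


def hierarchy_collisions(xml_text):
    """Names defined at more than one level of one hierarchy chain (the
    shadowing in PAN-197341).  Returns sorted (name, [locations]) pairs,
    innermost location first."""
    objects, parents = load_objects(xml_text), load_parents(xml_text)
    found = set()
    for dg in objects:
        if dg == "shared":
            continue
        chain = ancestry(dg, parents)
        levels = [{name for _, name in objects.get(loc, ())} for loc in chain]
        for name in levels[0]:
            where = [loc for loc, names in zip(chain, levels) if name in names]
            if len(where) > 1:
                found.add((name, tuple(where)))
    return sorted((name, list(where)) for name, where in found)


def type_collisions(xml_text):
    """One name used for several object types in one location (PAN-95511).
    Returns sorted (location, name, [types]) triples."""
    out = []
    for loc, objs in load_objects(xml_text).items():
        by_name = defaultdict(list)
        for obj_type, name in objs:
            by_name[name].append(obj_type)
        out += [(loc, n, sorted(t)) for n, t in by_name.items() if len(t) > 1]
    return sorted(out)


if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, where in hierarchy_collisions(cfg):
        print(f"{name}: defined in {' > '.join(where)}; renaming one copy "
              "changes which object the policy rules reference")
    for loc, name, types in type_collisions(cfg):
        print(f"{loc}: '{name}' is both {' and '.join(types)}")
```

Run it as `python check_names.py running-config.xml` against a saved Panorama configuration export, or with no argument to see the constructed sample flagged; anything it reports for a name you are about to rename is a candidate for the policy reference change the two entries describe.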
Known | 9.1.19 | PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.19 | PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.19 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.19 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.19 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.19 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.19 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known | 9.1.19 | PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known | 9.1.19 | PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (the default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only using the set session udp-offload no CLI command.
Known | 9.1.19 | PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known | 9.1.19 | PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known | 9.1.19 | PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known | 9.1.19 | PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known | 9.1.19 | PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known | 9.1.19 | PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known | 9.1.19 | PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known | 9.1.19 | PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known | 9.1.19 | PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known | 9.1.19 | PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known | 9.1.19 | PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known | 9.1.19 | PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known | 9.1.19 | PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known | 9.1.19 | PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known | 9.1.19 | PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known | 9.1.18 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.18 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known | 9.1.18 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.18 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and reboot it:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.18 | PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround: Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes:
admin> debug elasticsearch es-restart optional all
Known | 9.1.18 | PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known | 9.1.18 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.18 | PAN-178194
Due to a PAN-OS UI issue, firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a "License required for URL filtering to function" is unavailable. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.18 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring > Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.18 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
Known | 9.1.18 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.18 | PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known | 9.1.18 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known | 9.1.18 | PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known | 9.1.18 | PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases, where ZTP functionality is not supported.
Known | 9.1.18 | PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround: Use a destination-based service route for the SNMP trap server.
Known | 9.1.18 | PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known | 9.1.18 | PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known | 9.1.18 | PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub-and-spoke model, where branches don't communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known | 9.1.18 | PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known | 9.1.18 | PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known | 9.1.18 | PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known | 9.1.18 | PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known | 9.1.18 | PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don't display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known | 9.1.18 | PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known | 9.1.18 | PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known | 9.1.18 | PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local Log Collector, and then commit the configuration change.
Known | 9.1.18 | PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known | 9.1.18 | PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known | 9.1.18 | PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known | 9.1.18 | PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known | 9.1.18 | PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known | 9.1.18 | PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known | 9.1.18 | PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known | 9.1.18 | PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known | 9.1.18 | PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known | 9.1.18 | PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known | 9.1.18 | PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known | 9.1.18 | PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known | 9.1.18 | PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known | 9.1.18 | PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known | 9.1.18 | PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object, and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known | 9.1.18 | PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known | 9.1.18 | PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known | 9.1.18 | PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the following command on a managed firewall returns only address and address group objects pushed from the Shared device group:
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known | 9.1.18 | PAN-98520
When booting or rebooting a PA-7000 Series firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known | 9.1.18 | PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known | 9.1.18 | PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known | 9.1.18 | PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known | 9.1.18 | PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
Known | 9.1.18 | PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known | 9.1.18 | PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known | 9.1.18 | PAN-95511
The name for an address object, address group, or external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
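Both PAN-95511 and the PAN-197341 rename scenario described above come down to object names that are not unique across scopes or object types, which can be checked in a Panorama configuration export before anything is committed. The following lint is an added example written for this page, not Palo Alto Networks code; it assumes the usual PAN-OS XML layout (config/shared, config/devices/entry/device-group/entry, pre-rulebase/security/rules) and runs against a constructed sample export that reproduces the DG-A/DG-B/AddressObjA case.

```python
# Added example (not Palo Alto Networks code): lint a Panorama XML export for
# the object-name collisions behind PAN-197341 (same name in Shared and in a
# device group) and PAN-95511 (one name reused for an address, address group
# and/or external dynamic list). Assumes the usual export layout:
# config/shared and config/devices/entry/device-group/entry.
import xml.etree.ElementTree as ET
from collections import defaultdict

OBJECT_TYPES = ("address", "address-group", "external-list")  # referenceable by policy

# Constructed sample export: AddressObjA is defined in Shared, DG-A and DG-B
# and referenced by a rule in each device group (the PAN-197341 scenario);
# "web-servers" is both an address and an address group in Shared (PAN-95511).
SAMPLE_CONFIG = """\
<config>
  <shared>
    <address>
      <entry name="AddressObjA"><ip-netmask>10.0.0.0/24</ip-netmask></entry>
      <entry name="web-servers"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="web-servers"><static><member>AddressObjA</member></static></entry>
    </address-group>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A">
      <address><entry name="AddressObjA"><ip-netmask>10.0.1.0/24</ip-netmask></entry></address>
      <pre-rulebase><security><rules>
        <entry name="allow-a"><source><member>AddressObjA</member></source></entry>
      </rules></security></pre-rulebase>
    </entry>
    <entry name="DG-B">
      <address><entry name="AddressObjA"><ip-netmask>10.0.2.0/24</ip-netmask></entry></address>
      <pre-rulebase><security><rules>
        <entry name="allow-b"><destination><member>AddressObjA</member></destination></entry>
      </rules></security></pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>
"""


def load_scopes(xml_text):
    """Return {scope: {object_type: set(names)}} for Shared and each device group."""
    root = ET.fromstring(xml_text)
    containers = []
    shared = root.find("shared")
    if shared is not None:
        containers.append(("Shared", shared))
    for dg in root.findall("devices/entry/device-group/entry"):
        containers.append((dg.get("name"), dg))
    return {
        scope: {t: {e.get("name") for e in node.findall(f"{t}/entry")}
                for t in OBJECT_TYPES}
        for scope, node in containers
    }


def shadowed_names(scopes):
    """PAN-197341 check: names defined in Shared and in a device group -> {name: [scopes]}."""
    shared_names = set().union(*scopes.get("Shared", {}).values())
    result = {}
    for name in sorted(shared_names):
        where = [s for s in scopes if s != "Shared"
                 and any(name in names for names in scopes[s].values())]
        if where:
            result[name] = ["Shared"] + where
    return result


def ambiguous_names(scopes):
    """PAN-95511 check: one name used for several object types -> {(scope, name): [types]}."""
    result = {}
    for scope, per_type in scopes.items():
        seen = defaultdict(list)
        for obj_type, names in per_type.items():
            for name in names:
                seen[name].append(obj_type)
        result.update({(scope, n): t for n, t in seen.items() if len(t) > 1})
    return result


def rules_referencing(xml_text, name):
    """Device-group Security rules whose source or destination uses `name`.
    PAN-197341 would re-point these if the Shared copy were renamed."""
    root = ET.fromstring(xml_text)
    hits = []
    for dg in root.findall("devices/entry/device-group/entry"):
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.findall(f"{rulebase}/security/rules/entry"):
                members = rule.findall("source/member") + rule.findall("destination/member")
                if any(m.text == name for m in members):
                    hits.append((dg.get("name"), rule.get("name")))
    return hits


if __name__ == "__main__":
    scopes = load_scopes(SAMPLE_CONFIG)
    print("shadowed:", shadowed_names(scopes))
    print("ambiguous:", ambiguous_names(scopes))
    print("rules using AddressObjA:", rules_referencing(SAMPLE_CONFIG, "AddressObjA"))
```

Run it against a real export (for example, the XML saved from Panorama > Setup > Operations > Export) before renaming a Shared object, and treat every shadowed name with referencing rules as something to rename in the device groups first.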
Known | 9.1.18 | PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.18 | PAN-94846
When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.18 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.18 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.18 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.18 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.18 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known | 9.1.18 | PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known | 9.1.18 | PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known | 9.1.18 | PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known | 9.1.18 | PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known | 9.1.18 | PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known | 9.1.18 | PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known | 9.1.18 | PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.
Known | 9.1.18 | PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known | 9.1.18 | PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known | 9.1.18 | PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known | 9.1.18 | PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known | 9.1.18 | PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known | 9.1.18 | PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known | 9.1.18 | PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known | 9.1.18 | PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known | 9.1.18 | PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known | 9.1.18 | PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the output of the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known | 9.1.17 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.17 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it defaults to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known | 9.1.17 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack, and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.17 | PAN-242561
This issue is now resolved. See PAN-OS 9.1.18 Addressed Issues.
The GlobalProtect tunnel might disconnect shortly after being established when SSL is used as the transport protocol.
Workaround: Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known | 9.1.17 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.17 | PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. As a result, the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) shows as degraded.
Workaround: Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes:
admin> debug elasticsearch es-restart optional all
Known | 9.1.17 | PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known | 9.1.17 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and in any additional device groups (Panorama > Device Groups) under the same device group hierarchy, and those objects are used in one or more Policies, renaming the object with the shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.17 | PAN-178194
Due to a PAN-OS UI issue, firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a "License required for URL filtering to function" is unavailable. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.17 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring > Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.17 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
Known | 9.1.17 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.17 | PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known | 9.1.17 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.17
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.17
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.17
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.17
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.17
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.17
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.17
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.17
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.17
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.17
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.17
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.17
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.17
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall devsrvr process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.17
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.17
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.17
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.17
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.17
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.17
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.17
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.17
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.17
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.17
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.17
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.17
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.17
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.17
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.17
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.17
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.17
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.17
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.17
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.17
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.17
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.17
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.17
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.17
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual Machine Manager console or the virsh CLI.
Known
9.1.17
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.17
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.17
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.17
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.17
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.17
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.17
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.17
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.17
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.17
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks on the firewall at the same time, such as installing dynamic updates, committing changes, or generating reports.
Known
9.1.17
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.17
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.17
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.17
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.17
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.17
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.17
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
9.1.17
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.17
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.17
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.17
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.17
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.17
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.17
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.17
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.17
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.17
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.16
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.16
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.16
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.16
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.16
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
9.1.16
PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known
9.1.16
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.16
PAN-178194
On firewalls licensed for Advanced URL Filtering, a message stating that a License required for URL filtering to function is unavailable displays at the bottom of the UI, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.16
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.16
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.16
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.16
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.16
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.16
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.16
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.16
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.16
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.16
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.16
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.16
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.16
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.16
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.16
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.16
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.16
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.16
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.16
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.16
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
9.1.16
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.16
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.16
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.16
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.16
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.16
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.16
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.16
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.16
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.16
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.16
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.16
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.16
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.16
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.16
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.16
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.16
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.16
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.16
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.16
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.16
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.16
PAN-96960
You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.16
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.16
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.16
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.16
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.16
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.16
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.16
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.16
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.16
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.16
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
9.1.16
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.16
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
9.1.16
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.16
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.16
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.16
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
9.1.16
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.
Known
9.1.16
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.16
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.16
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.16
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.16
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.16
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.16
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.16
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.16
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.16
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.15
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.15
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
9.1.15
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.15
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.15
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
9.1.15
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.15
PAN-197919
This issue is now resolved. See PAN-OS 9.1.16 Addressed Issues.
When path monitoring for a static route is configured with a new Ping Interval value, that value does not get used as intended.
Workaround: Disable and re-enable path monitoring for that static route to change that Ping Interval value.
Known
9.1.15
PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known
9.1.15
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.15
PAN-178194
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.15
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.15
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.15
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.15
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.15
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.15
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.15
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.15
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.15
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.15
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.15
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.15
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.15
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.15
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.15
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.15
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.15
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.15
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.15
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.15
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
9.1.15
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.15
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.15
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.15
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.15
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.15
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.15
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.15
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.15
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.15
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.15
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.15
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.15
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.15
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.15
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.15
PAN-101688
(
Panorama plugins
) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.15
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.15
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.15
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.15
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.15
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.15
PAN-96960
You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.15
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.15
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.15
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.15
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.15
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.15
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.15
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.15
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.15
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.15
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
9.1.15
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.15
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.15
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.15
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.15
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.15
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.15
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
9.1.15
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.15
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.15
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.15
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.15
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.15
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.15
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.15
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.15
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.15
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.14
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.14
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.14
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.14
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.14
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This causes the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) to be degraded.
Workaround:
Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
9.1.14
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.14
PAN-197919
This issue is now resolved. See PAN-OS 9.1.16 Addressed Issues.
When path monitoring for a static route is configured with a new Ping Interval value, that value does not get used as intended.
Workaround:
Disable and re-enable path monitoring for that static route to change that Ping Interval value.
Known
9.1.14
PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.
Known
9.1.14
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.14
PAN-194395
This issue is now resolved. See PAN-OS 9.1.14-h1 Addressed Issues.
The firewall drops all decrypted outbound (SSL Forward Proxy) HTTP/2 traffic after you upgrade to PAN-OS 9.1.14. Dropping this traffic prevents users from loading HTTP/2 web pages and accessing websites that use HTTP/2.
Workaround:
On the SSL Forward Proxy tab in the Decryption profile attached to the Decryption Policy rule that controls the HTTP/2 traffic, select Strip ALPN. When you Strip ALPN, the firewall negotiates HTTP/1.1 instead of HTTP/2.
Known
9.1.14
PAN-178194
On firewalls licensed for Advanced URL Filtering, a License required for URL filtering to function message displays at the bottom of the web interface due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.14
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.14
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.14
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.14
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.14
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.14
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.14
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.14
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.14
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.14
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.14
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.14
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.14
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.14
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.14
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.14
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.14
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2
Known
9.1.14
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.14
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.14
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.14
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.14
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.14
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.14
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.14
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.14
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.14
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.14
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.14
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.14
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.14
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.14
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.14
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.14
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.14
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.14
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.14
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.14
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.14
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.14
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.14
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.14
PAN-96960
You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.14
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.14
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.14
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.14
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.14
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.14
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.14
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.14
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.14
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.14
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.14
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.14
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.14
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.14
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.14
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.14
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.14
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.14
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.14
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.14
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.14
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.14
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.14
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.14
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.14
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.14
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.14
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.13
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.13
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
9.1.13
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.13
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.13
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
9.1.13
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.13
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.13
PAN-186937
This issue is now resolved. See PAN-OS 9.1.14 Addressed Issues.
The firewall drops Encapsulating Security Payload (ESP) IPsec packets that originate from the same firewall. This behavior occurs when you enable Strict IP Address Check in the Zone Protection profile (Packet Based Attack Protection tab, IP Drop section) and the packet’s source IP address is the same as the egress interface address.
Workaround:
Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check.
Known
9.1.13
PAN-178194
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.13
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.13
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.13
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.13
PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known
9.1.13
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.13
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.13
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.13
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.13
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.13
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.13
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.13
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.13
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.13
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.13
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.13
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.13
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.13
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.13
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.13
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.13
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.13
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.13
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.13
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.13
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.13
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.13
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.13
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.13
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.13
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.13
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.13
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.13
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.13
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.13
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.13
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.13
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.13
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.13
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.13
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.13
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.13
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual Machine Manager console or the virsh CLI.
Known
9.1.13
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.13
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.13
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.13
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.13
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.13
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.13
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.13
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.13
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.13
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.13
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.13
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.13
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.13
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.13
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.13
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.13
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.13
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.13
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.13
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.13
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.13
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.13
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.13
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.13
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.13
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.13
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.12
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.12
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.12
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.12
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.12
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.12
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.12
PAN-186937
This issue is now resolved. See PAN-OS 9.1.14 Addressed Issues.
The firewall drops Encapsulating Security Payload (ESP) IPsec packets that originate from the same firewall. This behavior occurs when you enable Strict IP Address Check in the Zone Protection profile (Packet Based Attack Protection tab, IP Drop section) and the packet’s source IP address is the same as the egress interface address.
Workaround:
Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check.
Known
9.1.12
PAN-178194
On firewalls licensed for Advanced URL Filtering, the message License required for URL filtering to function displays at the bottom of the web interface due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.12
PAN-159295
This issue is now resolved. See PAN-OS 9.1.13 Addressed Issues.
Scheduled configuration export files saved in the /tmp folder are not periodically purged, which causes the root partition to fill up.
Known
9.1.12
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.12
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.12
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.12
PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known
9.1.12
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.12
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.12
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.12
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.12
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.12
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.12
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.12
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.12
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.12
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.12
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.12
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.12
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.12
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.12
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.12
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.12
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.12
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.12
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.12
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.12
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.12
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.12
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.12
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.12
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.12
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.12
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.12
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.12
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.12
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.12
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.12
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.12
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.12
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.12
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.12
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.12
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.12
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual Machine Manager console or the virsh CLI.
Known
9.1.12
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.12
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the
show session info
CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the
set system setting dpdk-pkt-io off
CLI command.
Known
9.1.12
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.12
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (
Device
Password Profiles
) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.12 | PAN-94846
When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.12 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.12 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.12 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.12 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.12 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known | 9.1.12 | PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known | 9.1.12 | PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known | 9.1.12 | PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known | 9.1.12 | PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known | 9.1.12 | PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known | 9.1.12 | PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known | 9.1.12 | PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known | 9.1.12 | PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known | 9.1.12 | PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known | 9.1.12 | PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known | 9.1.12 | PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known | 9.1.12 | PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known | 9.1.12 | PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known | 9.1.12 | PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support Broadcom network adapters for PCI pass-through functionality.
Known | 9.1.12 | PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known | 9.1.12 | PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known | 9.1.12 | PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known | 9.1.11 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.11 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known | 9.1.11 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.11 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
    admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.11 | PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known | 9.1.11 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.11 | PAN-178194
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.11 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.11 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known | 9.1.11 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.11 | PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known | 9.1.11 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known | 9.1.11 | PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known | 9.1.11 | PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases, where ZTP functionality is not supported.
Known | 9.1.11 | PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known | 9.1.11 | PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known | 9.1.11 | PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known | 9.1.11 | PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don't communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known | 9.1.11 | PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known | 9.1.11 | PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known | 9.1.11 | PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known | 9.1.11 | PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known | 9.1.11 | PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don't display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known | 9.1.11 | PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known | 9.1.11 | PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall devsrvr process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known | 9.1.11 | PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local Log Collector and then commit the configuration change.
Known | 9.1.11 | PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known | 9.1.11 | PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known | 9.1.11 | PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known | 9.1.11 | PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known | 9.1.11 | PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known | 9.1.11 | PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known | 9.1.11 | PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known | 9.1.11 | PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known | 9.1.11 | PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known | 9.1.11 | PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known | 9.1.11 | PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known | 9.1.11 | PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known | 9.1.11 | PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known | 9.1.11 | PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known | 9.1.11 | PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known | 9.1.11 | PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known | 9.1.11 | PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
    debug object registered-ip clear all
Known | 9.1.11 | PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
    admin> set system target-vsys <vsys-name>
    admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>
Known | 9.1.11 | PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known | 9.1.11 | PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known | 9.1.11 | PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known | 9.1.11 | PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known | 9.1.11 | PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
Known | 9.1.11 | PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known | 9.1.11 | PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known | 9.1.11 | PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known | 9.1.11 | PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.11 | PAN-94846
When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.11 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.11 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.11 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.11 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.11 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.11
PAN-91802
On a VM-Series firewall, the
clear session all
CLI command does not clear GTP sessions.
Known
9.1.11
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the
set session udp-offload no
CLI command.
Known
9.1.11
PAN-83236
The VM-Series firewall on Google Cloud Platform (GCP) does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (
Device
Setup
Services
).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.11
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.11
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (
Device
Server Profiles
Kerberos
).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.11
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the
set session offload no
CLI command.
Known
9.1.11
PAN-75457
(
PAN-OS 8.0.1 and later releases
) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.11
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.11
PAN-73401
(
PAN-OS 8.0.1 and later releases
) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (that is, you neither explicitly enabled nor explicitly disabled DNS service advertisement on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller worker-list
    <worker-ip-address>
    (
    <worker-ip-address>
    is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.11
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (
Network
GlobalProtect
Portals
<portal>
Clientless VPN
Applications
).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.11
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.11
PAN-69505
When viewing an external dynamic list that requires client authentication and you
Test Source URL
, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (
Objects
External Dynamic Lists
).
Known
9.1.11
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.11
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.11
PAN-39636
Regardless of the
Time Frame
you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (
Monitor
Manage Custom Reports
). For example, if you configure the report on the 15th of the month and set the
Time Frame
to
Last 30 Days
, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified
Time Frame
.
Workaround:
To generate an on-demand report, click
Run Now
when you configure the custom report.
Known
9.1.11
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the
debug software restart process management-server
CLI command.
Known
9.1.11
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect
    —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network
    —When connectivity to either or both HSMs in an HA configuration is lost, output from the
    show high-availability state
    and
    show hsm info
    commands is blocked for 20 seconds.
Known
9.1.10
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.10
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50.
    The System log message
    System capacity adjusted to VM-50 capacity due to insufficient memory for VM-
    <xxx>
    license
    , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
9.1.10
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.10
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collectors
) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin>
request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.10
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the
configd
process restarts due to a memory leak on the
Active
Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the
Active
Panorama HA peer.
Known
9.1.10
PAN-197341
On the Panorama management server, if you create multiple device group
Objects
with the same name in the Shared device group and any additional device groups (
Panorama
Device Groups
) under the same device group hierarchy that are used in one or more
Policies
, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and under DG-B.
  3. Later, you rename AddressObjA in the Shared device group to AddressObjB.
Renaming the address object in the Shared device group causes the references in those policy rules to use the renamed Shared object instead of the device group object.
Known
9.1.10
PAN-178194
Firewalls licensed for Advanced URL Filtering display a
License required for URL filtering to function
message at the bottom of the web interface due to a PAN-OS UI issue. The message is spurious and does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.10
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.10
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.10
PAN-153803
On the Panorama management server, scheduled email PDF reports (
Monitor
PDF Reports
) fail if a GIF image is used in the header or footer.
Known
9.1.10
PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when responding to SNMP queries.
Known
9.1.10
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (
Panorama
SD-WAN
Devices
) does not display the branch template stack as
out of sync
.
Additionally, adding, deleting, or modifying the BGP configuration (
Panorama
SD-WAN
Devices
) does not display the hub and branch template stacks as
out of sync
. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as
out of sync
, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as
out of sync
.
Workaround:
After performing a configuration change,
Commit and Push
the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.10
PAN-144889
(
PAN-OS 9.1.2-h1 and later releases only
) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (
Panorama
Managed Devices
Summary
) as
Out of Sync
.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and
Force Template Values
(
Commit
Push to Devices
Edit Selections
).
Known
9.1.10
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.10
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.10
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.10
PAN-130550
(
PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls
) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.10
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.10
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.10
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.10
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.10
PAN-124956
This issue is now resolved. See
PAN-OS 9.1.11 Addressed Issues
.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.10
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.10
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.10
PAN-120440
On M-500 Panorama management servers, an Ethernet interface that uses an IPv6 address for Private PAN-DB-URL connectivity supports only IPv6 addresses written in the following format:
2001:DB9:85A3:0:0:8A2E:370:2
.
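To avoid committing an address that the M-500 interface rejects, the following Python helper rewrites any valid IPv6 address into the format shown above. It is an added example, not Palo Alto Networks code. It assumes that the single example on the page defines the rule (eight hextets, no `::` compression, no leading zeros within a hextet, upper-case hex digits); that reading is an interpretation, and the function names are hypothetical.

```python
"""Rewrite an IPv6 address into the form accepted for Private PAN-DB-URL
connectivity on M-500 Panorama interfaces (PAN-120440).

Added example, not Palo Alto Networks code. Assumption: the page's single
example, 2001:DB9:85A3:0:0:8A2E:370:2, means eight hextets, no '::'
compression, no leading zeros inside a hextet, upper-case hex digits.
"""
import ipaddress
import re

# One hextet: "0" or a 1-4 digit upper-case hex number without leading zeros.
_HEXTET = r"(?:0|[1-9A-F][0-9A-F]{0,3})"
_PAN_DB_FORM = re.compile(rf"(?:{_HEXTET}:){{7}}{_HEXTET}")


def to_pan_db_ipv6(text):
    """Return `text` rewritten in the supported format; raise ValueError if it
    is not a plain IPv6 address (zone IDs such as %eth0 are rejected)."""
    if "%" in text:
        raise ValueError(f"zone IDs are not supported: {text!r}")
    addr = ipaddress.IPv6Address(text)  # validates the input and expands '::'
    # `exploded` is eight 4-digit lower-case hextets; re-encode each hextet
    # without leading zeros and in upper case.
    return ":".join(format(int(h, 16), "X") for h in addr.exploded.split(":"))


def is_pan_db_ipv6(text):
    """True if `text` is a valid IPv6 address already in the supported format."""
    if not _PAN_DB_FORM.fullmatch(text):
        return False
    try:
        ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: compressed, loopback and IPv4-mapped forms.
    for candidate in ("2001:db9:85a3::8a2e:370:2", "::1", "::ffff:192.0.2.1"):
        print(f"{candidate:28} -> {to_pan_db_ipv6(candidate)}")
```

Run `is_pan_db_ipv6` against the address you intend to commit; if it returns False, use the string `to_pan_db_ipv6` returns instead. Addresses with a zone ID (`fe80::1%eth0`) are rejected outright because the page gives no supported form for them.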
Known
9.1.10
PAN-120303
The firewall remains connected to the PAN-DB-URL server through the old management IP address of the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the
      PAN-DB Server
      IP address (
      Device
      Setup
      Content ID
      URL Filtering
      settings).
    2. Commit
      your changes.
    3. Add the new PAN-DB Server IP address (the M-500 Eth1/1 IP address).
    4. Commit
      your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.10
PAN-118065
(
M-Series Panorama management servers in Management Only mode
) When you delete the local Log Collector (
Panorama
Managed Collectors
), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the
show interface all
command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.10
PAN-116017
(
Google Cloud Platform (GCP) only
) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.10
PAN-115816
(
Microsoft Azure only
) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.10
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.10
PAN-112694
(
Firewalls with multiple virtual systems only
) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a
New
Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.10
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.10
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration,
Commit
(
Commit
Commit to Panorama
) the reverted configuration to display the invalid configuration errors.
Known
9.1.10
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a
    Commit to Panorama
    operation followed by a
    Push to Devices
    operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.10
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.10
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.10
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.10
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.10
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.10
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.10
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (
Monitor
PDF Reports
Manage PDF Summary
) containing the top attackers to mimic the predefined reports.
Known
9.1.10
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (
Objects
GlobalProtect
HIP Objects
<hip-object>
General
Managed
), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.10
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.10
PAN-101688
(
Panorama plugins
) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
.
Known
9.1.10
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall returns only the address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.10
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.10
PAN-97757
GlobalProtect authentication fails with an
Invalid username/password
error (because the user is not found in
Allow List
) after you enable GlobalProtect authentication cookies and add a RADIUS group to the
Allow List
of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear)
Retrieve user group from RADIUS
in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.10
PAN-97524
(
Panorama management server only
) The Security Zone and Virtual System columns (
Network
tab) display
None
after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.10
PAN-96985
The
request shutdown system
command does not shut down the Panorama management server.
Known
9.1.10
PAN-96960
You cannot restart or shut down Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.10
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.10
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the
show session info
CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the
set system setting dpdk-pkt-io off
CLI command.
Known
9.1.10
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
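The collisions described for PAN-197341 (the same name defined in Shared and again in a device group of the same hierarchy) and here for PAN-95511 (one name reused across address, address group and external dynamic list objects) are easy to introduce and hard to spot in the web interface. The following Python script lints an exported configuration for both conditions. It is an added example, not Palo Alto Networks code. It assumes a Panorama-style XML layout (`/config/shared/<type>/entry` and `/config/devices/entry/device-group/entry[@name]/<type>/entry`) and, purely for illustration, records each device group's parent in a `<parent-dg>` element inside the device-group entry; in a real export the hierarchy is stored elsewhere, so adjust that lookup. The sample configuration is constructed.

```python
"""Lint a Panorama-style configuration XML for object-name collisions.

Added example, not Palo Alto Networks code. It flags two conditions the
release notes warn about:
  * the same name defined in Shared (or a parent device group) and again in
    a child device group: renaming the outer copy can silently retarget the
    policy references (PAN-197341);
  * the same name reused across address, address-group and external-list
    objects within one scope: policy references become ambiguous (PAN-95511).
Assumed layout: /config/shared/<type>/entry and
/config/devices/entry/device-group/entry[@name]/<type>/entry, with the parent
device group recorded in a <parent-dg> child of the device-group entry
(an assumption made for this example; real exports keep it elsewhere).
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

OBJECT_TYPES = ("address", "address-group", "external-list")

# Constructed sample modelled on the PAN-197341 scenario: AddressObjA exists
# in Shared, DG-A and DG-B, and DG-B also reuses the name for an EDL.
SAMPLE_CONFIG = """<config>
  <shared>
    <address><entry name="AddressObjA"><ip-netmask>10.0.0.1/32</ip-netmask></entry></address>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A">
      <address><entry name="AddressObjA"><ip-netmask>10.1.0.1/32</ip-netmask></entry></address>
    </entry>
    <entry name="DG-B">
      <parent-dg>DG-A</parent-dg>
      <address><entry name="AddressObjA"><ip-netmask>10.2.0.1/32</ip-netmask></entry></address>
      <external-list><entry name="AddressObjA"><type><ip><url>https://edl.example.invalid/list.txt</url></ip></type></entry></external-list>
      <address-group><entry name="Servers"><static><member>AddressObjA</member></static></entry></address-group>
    </entry>
  </device-group></entry></devices>
</config>"""


def collect_objects(xml_text):
    """Return ({scope: {name: [object types]}}, {device group: parent scope})."""
    root = ET.fromstring(xml_text)
    scopes = defaultdict(lambda: defaultdict(list))
    parents = {}

    def scan(scope, node):
        for obj_type in OBJECT_TYPES:
            for entry in node.findall(f"./{obj_type}/entry"):
                scopes[scope][entry.get("name")].append(obj_type)

    shared = root.find("./shared")
    if shared is not None:
        scan("shared", shared)
    for dg in root.findall("./devices/entry/device-group/entry"):
        name = dg.get("name")
        scan(name, dg)
        parent = dg.findtext("./parent-dg")
        parents[name] = parent if parent else "shared"  # top-level DGs inherit from Shared
    return scopes, parents


def ancestors(scope, parents):
    """Yield the enclosing scopes of a device group, up to and including Shared."""
    seen = set()
    while scope in parents and scope not in seen:
        seen.add(scope)
        scope = parents[scope]
        yield scope


def find_collisions(xml_text):
    """Return sorted (kind, scope, name, detail) findings for the configuration."""
    scopes, parents = collect_objects(xml_text)
    findings = []
    for scope, names in scopes.items():
        for name, types in names.items():
            # PAN-95511: one name, several object types in the same scope
            if len(set(types)) > 1:
                findings.append(("type-collision", scope, name, "/".join(sorted(set(types)))))
            # PAN-197341: the same name defined again in an ancestor scope
            for anc in ancestors(scope, parents):
                if name in scopes.get(anc, {}):
                    findings.append(("shadowed", scope, name, anc))
    return sorted(findings)


if __name__ == "__main__":
    for kind, scope, name, detail in find_collisions(SAMPLE_CONFIG):
        print(f"{kind:14} scope={scope:6} name={name} ({detail})")
```

Run it against `show config running` output saved as XML (or a Panorama configuration export) before a rename: every `shadowed` finding is a name whose Shared or parent copy must not be renamed without re-checking the child device group's policies, and every `type-collision` finding is a name to make unique before it is referenced in a rule.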
Known
9.1.10
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (
Device
Password Profiles
) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.10
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.10
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.10
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (
Objects
Security Profiles
Vulnerability Protection
<profile>
Exceptions
). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.10
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (
Objects
Security Profiles
SCTP Protection
) and you try to add the profile to an existing Security Profile Group (
Objects
Security Profile Groups
), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.10
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (
Device
Setup
HSM
).
Known
9.1.10
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall
    Context
    on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not running memory-intensive tasks (installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known
9.1.10
PAN-91802
On a VM-Series firewall, the
clear session all
CLI command does not clear GTP sessions.
Known
9.1.10
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the
set session udp-offload no
CLI command.
Known
9.1.10
PAN-83236
The VM-Series firewall on Google Cloud Platform (GCP) does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (
Device
Setup
Services
).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.10
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.10
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (
Device
Server Profiles
Kerberos
).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.10
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the
set session offload no
CLI command.
Known
9.1.10
PAN-75457
(
PAN-OS 8.0.1 and later releases
) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.10
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.10
PAN-73401
(
PAN-OS 8.0.1 and later releases
) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (that is, you neither explicitly enabled nor explicitly disabled DNS service advertisement on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.10
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.10
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.10
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.10
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.10
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.10
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.10
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.10
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.9
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.9
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.9
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.9
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.9
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.9
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and in additional device groups (Panorama > Device Groups) under the same device group hierarchy, and those objects are used in one or more Policies, renaming the object with the shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.9
PAN-178194
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.9
PAN-162748
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
GlobalProtect clients in systems with umlaut diacritics in the serial number are unable to log in to the GlobalProtect gateway.
Known
9.1.9
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.9
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.9
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.9
PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known
9.1.9
PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known
9.1.9
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.9
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.9
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.9
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.9
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.9
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.9
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.9
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.9
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.9
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.9
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.9
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.9
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.9
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.9
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.9
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.9
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.9
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.9
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.9
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.9
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.9
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.9
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.9
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.9
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.9
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.9
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.9
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.9
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.9
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.9
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.9
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.9
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.9
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.9
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.9
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.9
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.9
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.9
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.9
PAN-96960
You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.9
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.9
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.9
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.9
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.9
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.9
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.9
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.9
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.9
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.9
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.9
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.9
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.9
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.9
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.9
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.9
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.9
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.9
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.9
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.9
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.9
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.9
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.9
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.9
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.9
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.9
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.9
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.8
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.8
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.8
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.8
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.8
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.8
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.8
PAN-178194
Firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a License required for URL filtering to function is unavailable, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.8
PAN-162748
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
GlobalProtect clients in systems with umlaut diacritics in the serial number are unable to log in to the GlobalProtect gateway.
Known
9.1.8
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.8
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.8
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.8
PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known
9.1.8
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.8
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.8
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.8
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.8
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.8
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.8
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.8
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.8
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.8
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.8
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.8
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.8
PAN-124956
This issue is now resolved. See
PAN-OS 9.1.11 Addressed Issues
.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.8
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.8
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.8
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.8
PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.8
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.8
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.8
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
9.1.8
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.8
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.8
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.8
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.8
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.8
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.8
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.8
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.8
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.8
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.8
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.8
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.8
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.8
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.8
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.8
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.
Known
9.1.8
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.8
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.8
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.8
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.8
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.8
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
Known
9.1.8
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.8
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.8
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.8
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.8
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.8
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.8
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.8
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.8
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.8
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
9.1.8
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.8
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.8
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.8
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.8
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.8
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.8
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
9.1.8
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.8
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.8
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.8
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.8
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.8
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.8
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.8
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.8
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.8
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.7
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.7
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.7
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.7
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.7
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.7
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and in additional device groups (Panorama > Device Groups) under the same device group hierarchy, and those objects are used in one or more Policies, renaming the object that has the shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the policy rules to use the renamed Shared object instead of the device group object.
Known
9.1.7
PAN-178194
Firewalls licensed for Advanced URL Filtering display a message at the bottom of the web interface stating that a License required for URL filtering to function is unavailable. This is a PAN-OS UI issue and does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.7
PAN-162748
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
GlobalProtect clients on systems with umlaut diacritics in the serial number are unable to log in to the GlobalProtect gateway.
Known
9.1.7
PAN-161121
This issue is now resolved. See PAN-OS 9.1.8 Addressed Issues.
On the Panorama management server, invalid reference errors occur when you attempt to delete an address object (Objects > Addresses) after removing the address object reference from an address group (Objects > Address Groups), which leaves you unable to commit and push the configuration to managed firewalls.
Workaround:
Log in to the Panorama CLI and restart configd:
admin> debug software restart process configd
Known
9.1.7
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround:
If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.7
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.7
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.7
PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known
9.1.7
PAN-148359
This issue is now resolved. See PAN-OS 9.1.8 Addressed Issues.
SD-WAN server-to-client symmetric return does not function correctly under certain circumstances, and the issue can also affect path selection of parent/child applications, such as FTP.
Known
9.1.7
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.7
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.7
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.7
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.7
PAN-136701
(
PA-7000b Series firewalls only
) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.7
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.7
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.7
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.7
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.7
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.7
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.7
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.7
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.7
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.7
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.7
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 (all eight hextets written out, with no :: compression).
Known
9.1.7
PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.7
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall:
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process:
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.7
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.7
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
9.1.7
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.7
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.7
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.7
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.7
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.7
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.7
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.7
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.7
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.7
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.7
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.7
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.7
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.7
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.7
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.7
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.7
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.7
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.7
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.7
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.7
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.7
PAN-96960
You cannot restart or shut down a Panorama virtual appliance on KVM from the virt-manager console or the virsh CLI.
Known
9.1.7
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.7
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.7
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
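A worked check for the two naming pitfalls in this list, PAN-95511 directly above (one name reused across address objects, address groups and external dynamic lists) and PAN-197341 earlier on the page (one name defined in Shared and again in device groups of the same hierarchy). This is an example added here, not code from Palo Alto Networks. It assumes the element layout of an exported Panorama configuration (/config/shared and /config/devices/entry/device-group/entry for the scopes, with address, address-group and external-list entries under each); the XML sample is constructed for the example and is not a real export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Object types that PAN-95511 says must not share a name within one scope.
OBJECT_TYPES = ("address", "address-group", "external-list")

# Constructed sample of an exported Panorama config (not a real export). It
# reproduces both patterns from the release notes: AddressObjA defined in
# Shared, DG-A and DG-B (PAN-197341), and one name reused across object
# types inside a single scope (PAN-95511).
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="AddressObjA"><ip-netmask>10.0.0.1/32</ip-netmask></entry>
      <entry name="web-servers"><ip-netmask>10.1.0.0/24</ip-netmask></entry>
    </address>
    <external-list>
      <entry name="web-servers"><type><ip><url>https://edl.example.invalid/web.txt</url></ip></type></entry>
    </external-list>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A">
      <address><entry name="AddressObjA"><ip-netmask>10.0.0.2/32</ip-netmask></entry></address>
      <address-group><entry name="dmz"><static><member>AddressObjA</member></static></entry></address-group>
    </entry>
    <entry name="DG-B">
      <address>
        <entry name="AddressObjA"><ip-netmask>10.0.0.3/32</ip-netmask></entry>
        <entry name="dmz"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
      </address>
      <address-group><entry name="dmz"><static><member>AddressObjA</member></static></entry></address-group>
    </entry>
  </device-group></entry></devices>
</config>"""


def load_config(xml_text):
    """Parse an exported Panorama configuration into an ElementTree root."""
    return ET.fromstring(xml_text)


def _scopes(root):
    """Yield (scope name, element) for Shared and each device group.
    Assumed layout: /config/shared and /config/devices/entry/device-group/entry."""
    shared = root.find("shared")
    if shared is not None:
        yield "shared", shared
    for dg in root.findall("devices/entry/device-group/entry"):
        yield dg.get("name"), dg


def collect_names(root):
    """Map scope -> object name -> set of object types that define it."""
    names = {}
    for scope, elem in _scopes(root):
        per_scope = defaultdict(set)
        for obj_type in OBJECT_TYPES:
            for entry in elem.findall(f"{obj_type}/entry"):
                per_scope[entry.get("name")].add(obj_type)
        names[scope] = dict(per_scope)
    return names


def find_type_collisions(root):
    """PAN-95511: one name used by more than one object type in one scope.
    Returns sorted (scope, name, types) tuples."""
    hits = []
    for scope, per_scope in collect_names(root).items():
        for name, types in per_scope.items():
            if len(types) > 1:
                hits.append((scope, name, tuple(sorted(types))))
    return sorted(hits)


def find_scope_collisions(root):
    """PAN-197341: one name defined in more than one scope of the hierarchy
    (Shared plus device groups). Returns sorted (name, scopes) tuples."""
    by_name = defaultdict(set)
    for scope, per_scope in collect_names(root).items():
        for name in per_scope:
            by_name[name].add(scope)
    return sorted((name, tuple(sorted(scopes)))
                  for name, scopes in by_name.items() if len(scopes) > 1)


if __name__ == "__main__":
    root = load_config(SAMPLE_CONFIG)
    for scope, name, types in find_type_collisions(root):
        print(f"[PAN-95511] {scope}: '{name}' is both {' and '.join(types)}")
    for name, scopes in find_scope_collisions(root):
        print(f"[PAN-197341] '{name}' is defined in: {', '.join(scopes)}")
```

Run it against a fresh export (Panorama > Setup > Operations > Export named Panorama configuration snapshot) before a rename: any name reported by find_scope_collisions is one whose rename can silently retarget policy rules, and any reported by find_type_collisions can resolve ambiguously when referenced in a rule.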
Known
9.1.7
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.7
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.7
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.7
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.7
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.7
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.7
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
9.1.7
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.7
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
9.1.7
PAN-83236
The VM-Series firewall on Google Cloud Platform (GCP) does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.7
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.7
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.7
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.7
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.7
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.7
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller, where <worker-ip-address> is the IP address of the worker node you are adding to the cluster:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is either enabled or not enabled:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.7
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.7
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.7
PAN-69505
When you view an external dynamic list that requires client authentication and click Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.7
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.7
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.7
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.7
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.7
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, so SSL functionality is unavailable during that delay.
  • SafeNet Network: When connectivity to either or both HSMs in an HA configuration is lost, the output of the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.6
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.6
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.6
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.6
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.6 | PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known | 9.1.6 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.6 | PAN-178194
Firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a "License required for URL filtering to function" is unavailable, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.6 | PAN-162748
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
GlobalProtect clients in systems with umlaut diacritics in the serial number are unable to log in to the GlobalProtect gateway.
Known | 9.1.6 | PAN-160633
This issue is now resolved. See PAN-OS 9.1.17 Addressed Issues.
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) The dataplane restarts repeatedly due to internal path monitoring failures until a power cycle.
Known | 9.1.6 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.6 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround: Log out and back in to the Panorama web interface.
Known | 9.1.6 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.6 | PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known | 9.1.6 | PAN-148359
This issue is now resolved. See PAN-OS 9.1.8 Addressed Issues.
SD-WAN server-to-client symmetric return does not function correctly under certain circumstances, and the issue can also affect path selection of parent/child applications, such as FTP.
Known | 9.1.6 | PAN-146573
PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries.
Known | 9.1.6 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known | 9.1.6 | PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known | 9.1.6 | PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known | 9.1.6 | PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known | 9.1.6 | PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround: Use a destination-based service route for the SNMP trap server.
Known | 9.1.6 | PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known | 9.1.6 | PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known | 9.1.6 | PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known | 9.1.6 | PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known | 9.1.6 | PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known | 9.1.6 | PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known | 9.1.6 | PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known | 9.1.6 | PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known | 9.1.6 | PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known | 9.1.6 | PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known | 9.1.6 | PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known | 9.1.6 | PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the M-500 Eth1/1 IP address as the new PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known | 9.1.6 | PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known | 9.1.6 | PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known | 9.1.6 | PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known | 9.1.6 | PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known | 9.1.6 | PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known | 9.1.6 | PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known | 9.1.6 | PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known | 9.1.6 | PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known | 9.1.6 | PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known | 9.1.6 | PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known | 9.1.6 | PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known | 9.1.6 | PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known | 9.1.6 | PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known | 9.1.6 | PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known | 9.1.6 | PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known | 9.1.6 | PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known | 9.1.6 | PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known | 9.1.6 | PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known | 9.1.6 | PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known | 9.1.6 | PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known | 9.1.6 | PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known | 9.1.6 | PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known | 9.1.6 | PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known | 9.1.6 | PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.
Known | 9.1.6 | PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known | 9.1.6 | PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known | 9.1.6 | PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known | 9.1.6 | PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.6 | PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.6 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.6 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.6 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.6 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.6 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks (such as installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known | 9.1.6 | PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known | 9.1.6 | PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known | 9.1.6 | PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known | 9.1.6 | PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known | 9.1.6 | PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known | 9.1.6 | PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known | 9.1.6 | PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known | 9.1.6 | PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known | 9.1.6 | PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known | 9.1.6 | PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known | 9.1.6 | PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known | 9.1.6 | PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known | 9.1.6 | PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known | 9.1.6 | PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known | 9.1.6 | PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known | 9.1.6 | PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known | 9.1.6 | PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known | 9.1.5 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.5 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known | 9.1.5 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.5 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.5 | PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known | 9.1.5 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.5 | PAN-178194
Firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a "License required for URL filtering to function" is unavailable, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.5 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.5 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known | 9.1.5 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.5 | PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known | 9.1.5 | PAN-148359
This issue is now resolved. See PAN-OS 9.1.8 Addressed Issues.
SD-WAN server-to-client symmetric return does not function correctly under certain circumstances, and the issue can also affect path selection of parent/child applications, such as FTP.
Known | 9.1.5 | PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known | 9.1.5 | PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known | 9.1.5 | PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known | 9.1.5 | PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known | 9.1.5 | PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known | 9.1.5 | PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known | 9.1.5 | PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known | 9.1.5 | PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known | 9.1.5 | PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known | 9.1.5 | PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known | 9.1.5 | PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known | 9.1.5 | PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known | 9.1.5 | PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known | 9.1.5 | PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known | 9.1.5 | PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known | 9.1.5 | PAN-121484
This issue is now resolved. See PAN-OS 9.1.6 Addressed Issues.
The dataplane sends positive acknowledgments to predict-status checks from FPP when the corresponding predict is deleted, which causes SIP and RTSP applications to perform less than the expected achievable performance.
Known | 9.1.5 | PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known | 9.1.5 | PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known | 9.1.5 | PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known | 9.1.5 | PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known | 9.1.5 | PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known | 9.1.5 | PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known | 9.1.5 | PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known | 9.1.5 | PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known | 9.1.5 | PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known | 9.1.5 | PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known | 9.1.5 | PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known | 9.1.5 | PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known | 9.1.5 | PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known | 9.1.5 | PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known | 9.1.5 | PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known | 9.1.5 | PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known | 9.1.5 | PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known | 9.1.5 | PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known | 9.1.5 | PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known | 9.1.5 | PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known | 9.1.5 | PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known | 9.1.5 | PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known | 9.1.5 | PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known | 9.1.5 | PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known | 9.1.5 | PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known | 9.1.5 | PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known | 9.1.5 | PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.
Known | 9.1.5 | PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known | 9.1.5 | PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known | 9.1.5 | PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known | 9.1.5 | PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known | 9.1.5 | PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known | 9.1.5 | PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known | 9.1.5 | PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known | 9.1.5 | PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known | 9.1.5 | PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known | 9.1.5 | PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known | 9.1.5 | PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known | 9.1.5 | PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known | 9.1.5 | PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known | 9.1.5 | PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known | 9.1.5 | PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known | 9.1.5 | PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known | 9.1.5 | PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known | 9.1.5 | PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known | 9.1.5 | PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known | 9.1.5 | PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known | 9.1.5 | PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known | 9.1.5 | PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known | 9.1.5 | PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known | 9.1.5 | PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known | 9.1.5 | PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known | 9.1.5 | PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known | 9.1.5 | PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known | 9.1.4 | —
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known | 9.1.4 | —
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known | 9.1.4 | PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known | 9.1.4 | PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known | 9.1.4 | PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known | 9.1.4 | PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known | 9.1.4 | PAN-178194
Firewalls licensed for Advanced URL Filtering generate a message indicating that a license required for URL filtering to function is unavailable; the message displays at the bottom of the UI due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known | 9.1.4 | PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known | 9.1.4 | PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known | 9.1.4 | PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known | 9.1.4 | PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known | 9.1.4 | PAN-148359
This issue is now resolved. See PAN-OS 9.1.8 Addressed Issues.
SD-WAN server-to-client symmetric return does not function correctly under certain circumstances, and the issue can also affect path selection of parent/child applications, such as FTP.
Known | 9.1.4 | PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.4
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.4
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.4
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.4
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.4
PAN-140084
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
There is an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set to 2.
Known
9.1.4
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.4
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.4
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.4
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.4
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.4
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.4
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.4
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.4
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.4
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.4
PAN-121484
This issue is now resolved. See PAN-OS 9.1.6 Addressed Issues.
The dataplane sends positive acknowledgments to predict-status checks from FPP when the corresponding predict is deleted, which causes SIP and RTSP applications to perform less than the expected achievable performance.
Known
9.1.4
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.4
PAN-120423
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.4
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.4
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.
Known
9.1.4
PAN-116017
(
Google Cloud Platform (GCP) only
) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.4
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.4
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.4
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.4
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.4
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.4
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.4
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.4
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.4
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.4
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.4
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.4
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.4
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.4
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.4
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.4
PAN-103018
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
Known
9.1.4
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.4
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.4
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.4
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.4
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.4
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.4
PAN-96960
You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.
Known
9.1.4
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.4
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.4
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.4
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.4
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.4
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.4
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.4
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.4
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.4
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.4
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.4
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.4
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.4
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.4
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.4
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.4
PAN-75457
(
PAN-OS 8.0.1 and later releases
) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
9.1.4
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.4
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.4
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.4
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.4
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.4
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.4
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.4
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.4
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.4
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.3
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.3
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.3
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.3
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot.
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.3
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.3
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.3
PAN-178194
Firewalls licensed for Advanced URL Filtering display a message at the bottom of the UI indicating that a License required for URL filtering to function is unavailable, due to a PAN-OS UI issue. This message does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.3
PAN-154266
When an application matches an SD-WAN policy and some sessions for the same application do not match an SD-WAN policy, the SD-WAN Monitoring—Traffic Characteristics screen displays the Links Used information with an SD-WAN policy and a null policy. Sessions that do not have an SD-WAN policy ID are filtered from Links Used.
Workaround: If you want to see session logs that include a default selection, create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policies.
Known
9.1.3
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.3
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.3
PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known
9.1.3
PAN-150172
This issue is now resolved. See PAN-OS 9.1.3-h1 Addressed Issues.
Dataplane processes restart when attempting to access websites that have the NotBefore attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled.
Known
9.1.3
PAN-149913
On the firewall CLI, the show system info command displays the management IP address of the firewall as the Ethernet1/1 interface IP address.
On the Panorama management server, the IPv4 address (Panorama > Managed Devices > Summary) displays the Ethernet1/1 interface IP address.
Known
9.1.3
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.3
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
9.1.3
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.3
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
9.1.3
PAN-140084
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
There is an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set to 2.
Known
9.1.3
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.3
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.3
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.3
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.3
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.3
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.3
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.3
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.3
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.3
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.3
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.3
PAN-121484
This issue is now resolved. See PAN-OS 9.1.6 Addressed Issues.
The dataplane sends positive acknowledgments to predict-status checks from FPP when the corresponding predict is deleted, which causes SIP and RTSP applications to perform less than the expected achievable performance.
Known
9.1.3
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.3
PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.3
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address of the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the M-500 Eth1/1 IP address as the new PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
9.1.3
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), Panorama disables the Ethernet 1/1 interface in its configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the Ethernet 1/1 interface before you delete the local Log Collector, and then commit the configuration change.
Known
9.1.3
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.3
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.3
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.3
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.3
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.3
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.3
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.3
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.3
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.3
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.3
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.3
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.3
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.3
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.3
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.3
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.3
PAN-103018
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
Known
9.1.3
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.3
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.3
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.3
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.3
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.3
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.3
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
Known
9.1.3
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.3
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.3
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.3
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.3
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.3
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.3
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.3
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.3
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.3
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks on the firewall at the same time, such as installing dynamic updates, committing changes, or generating reports.
Known
9.1.3
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.3
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only by using the set session udp-offload no CLI command.
Known
9.1.3
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.3
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.3
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.3
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.3
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.
Known
9.1.3
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.3
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.3
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.3
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.3
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.3
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.3
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.3
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.3
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.3
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.2
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.2
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.2
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.2
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.2
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.2
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
9.1.2
PAN-178194
Firewalls licensed for Advanced URL Filtering display a License required for URL filtering to function message at the bottom of the UI due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.2
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.2
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.2
PAN-151909
This issue is now resolved. See PAN-OS 9.1.10 Addressed Issues.
On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).
Known
9.1.2
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.2
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
9.1.2
PAN-144073
On the Panorama management server, hub and branch firewall latency, jitter, and packet loss data is not updated when monitoring SD-WAN link performance (Panorama > SD-WAN > Monitoring).
Known
9.1.2
PAN-140084
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
There is an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set to 2.
Known
9.1.2
PAN-136701
(PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
(PAN-OS 9.1.3 and later versions only) Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.2
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.2
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.2
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.2
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.2
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.2
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.2
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.2
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.2
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.2
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.2
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
9.1.2
PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.2
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.2
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the Ethernet 1/1 interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the Ethernet 1/1 interface before you delete the local Log Collector, and then commit the configuration change.
Known
9.1.2
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.2
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.2
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.2
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.2
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.2
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.2
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.2
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.2
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.2
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.2
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.2
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.2
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.2
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.2
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.2
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.2
PAN-103018
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
Known
9.1.2
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.2
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall returns only the address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.2
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.2
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.2
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.2
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.2
PAN-96960
You cannot restart or shut down a Panorama virtual appliance on KVM from the virt-manager console or the virsh CLI.
Known
9.1.2
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.2
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.2
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.2
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.2
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.2
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.2
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.2
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.2
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.2
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks (installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known
9.1.2
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.2
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only by using the set session udp-offload no CLI command.
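To confirm on the wire whether a firewall in this state is emitting bad checksums, the following added example (not Palo Alto Networks code) recomputes the UDP checksum of raw IPv4 packets over the pseudo-header and classifies the stored value as ok, zero or mismatched. It builds its own constructed sample packets so it runs offline; to screen a capture, feed it the IPv4 bytes of each frame from your capture tool. It assumes, since the page does not say, that a "reset" checksum shows up as a zero or otherwise wrong UDP checksum field.

```python
"""Check UDP checksums in raw IPv4 packets.

Added example, not Palo Alto Networks code. Recomputes each packet's UDP
checksum over the IPv4 pseudo-header and classifies the stored value, so a
capture taken behind the firewall can be screened for the reset checksums
PAN-83610 describes. Assumption (not stated on the page): a reset checksum
shows up as a zero or otherwise wrong UDP checksum field.
"""
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits (not yet inverted)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the UDP header and payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]   # the checksum field counts as zero
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF                       # RFC 768: a computed zero is sent as all ones


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet with a correct UDP checksum (constructed test input)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src_b, dst_b, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTO, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def with_udp_checksum(packet: bytes, value: int) -> bytes:
    """Return a copy of an IPv4/UDP packet with the UDP checksum field overwritten."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl + 6] + struct.pack("!H", value) + packet[ihl + 8:]


def check_udp_checksum(packet: bytes) -> str:
    """Classify a raw IPv4 packet: 'ok', 'zero' (checksum reset), 'mismatch' or 'not-udp'."""
    if packet[9] != UDP_PROTO:
        return "not-udp"
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    udp = packet[ihl:ihl + udp_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return "zero"   # legal for IPv4 per RFC 768, but not what a checksumming sender emits
    return "ok" if stored == udp_checksum(src, dst, udp) else "mismatch"


# Constructed samples: a DNS-looking datagram with a good checksum, the same datagram
# with the checksum reset to zero, and one with a corrupted (non-zero) checksum.
GOOD = build_ipv4_udp("10.0.0.1", "10.0.0.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
RESET = with_udp_checksum(GOOD, 0)
_stored = struct.unpack("!H", GOOD[26:28])[0]
WRONG = with_udp_checksum(GOOD, (_stored + 1) & 0xFFFF or 1)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("reset", RESET), ("wrong", WRONG)):
        print(f"{label}: {check_udp_checksum(pkt)}")
```

A run of zero results on traffic that was checksummed when it entered the firewall is the signature to look for; a receiver that validates UDP checksums will silently drop the mismatched packets, which is why the symptom usually presents as unexplained UDP loss rather than an error.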
Known
9.1.2
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.2
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.2
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.2
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.2
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.
Known
9.1.2
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.2
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.2
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.2
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.2
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.2
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.2
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.2
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.2
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.2
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the output of the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
9.1.1
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
9.1.1
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it defaults to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
9.1.1
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
9.1.1
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and reboot:
admin> request restart system
Alternatively, you can contact Palo Alto Networks Customer Support to restart the ElasticSearch process without rebooting the Log Collector.
Known
9.1.1
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
9.1.1
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and in additional device groups (Panorama > Device Groups) under the same device group hierarchy, and those objects are used in one or more Policies, renaming the object with the shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the policy rules to use the renamed Shared object instead of the device group object.
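Because the trigger is a name defined both in Shared and in a device group (the same duplicate-name condition that PAN-95511 above warns causes unexpected policy behaviour), the following added example (not Palo Alto Networks code) audits an exported Panorama configuration for such collisions and lists the Security rules that reference the shadowed name, which are the rules a rename of the Shared object would silently re-point. It assumes the layout of a Panorama XML configuration export (/config/shared/address and /config/devices/entry/device-group/entry with address, pre-rulebase and post-rulebase children) and runs against a constructed sample config that reproduces the DG-A/DG-B scenario; it checks only the Shared-versus-device-group collision and does not model inheritance between DG-A and DG-B.

```python
"""Audit a Panorama configuration export for shadowed address-object names.

Added example, not Palo Alto Networks code. Flags address objects whose name is
defined in Shared and again in one or more device groups, and lists the Security
rules in those device groups that reference the name. Assumes the layout of a
Panorama XML configuration export: /config/shared/address and
/config/devices/entry/device-group/entry with address, pre-rulebase and
post-rulebase children. Device-group inheritance (DG-A as parent of DG-B) is not
modelled; only the Shared-versus-device-group collision is checked.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

RULEBASES = ("pre-rulebase", "post-rulebase")

# Constructed sample config reproducing the PAN-197341 scenario: AddressObjA is
# defined in Shared, DG-A and DG-B, and Security rules in DG-A and DG-B use it.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <address>
      <entry name="AddressObjA"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="DNS-Servers"><ip-range>10.1.1.53-10.1.1.54</ip-range></entry>
    </address>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="DG-A">
          <address>
            <entry name="AddressObjA"><ip-netmask>172.16.1.10/32</ip-netmask></entry>
          </address>
          <pre-rulebase><security><rules>
            <entry name="allow-a">
              <source><member>AddressObjA</member></source>
              <destination><member>DNS-Servers</member></destination>
              <action>allow</action>
            </entry>
          </rules></security></pre-rulebase>
        </entry>
        <entry name="DG-B">
          <address>
            <entry name="AddressObjA"><ip-netmask>192.168.1.10/32</ip-netmask></entry>
          </address>
          <post-rulebase><security><rules>
            <entry name="deny-a">
              <source><member>any</member></source>
              <destination><member>AddressObjA</member></destination>
              <action>deny</action>
            </entry>
          </rules></security></post-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""


def object_locations(root):
    """Map each address-object name to the locations (shared, then device groups) defining it."""
    where = defaultdict(list)
    for entry in root.findall("./shared/address/entry"):
        where[entry.get("name")].append("shared")
    for dg in root.findall("./devices/entry/device-group/entry"):
        for entry in dg.findall("./address/entry"):
            where[entry.get("name")].append(dg.get("name"))
    return dict(where)


def rules_referencing(root, names):
    """(device-group, rulebase, rule, field, name) for every Security rule using one of names."""
    hits = []
    for dg in root.findall("./devices/entry/device-group/entry"):
        for rb in RULEBASES:
            for rule in dg.findall(f"./{rb}/security/rules/entry"):
                for field in ("source", "destination"):
                    members = {m.text for m in rule.findall(f"./{field}/member")}
                    for name in sorted(members & names):
                        hits.append((dg.get("name"), rb, rule.get("name"), field, name))
    return hits


def shadowed_objects(config_xml):
    """Names defined in Shared and in at least one device group, plus the rules exposed to a rename."""
    root = ET.fromstring(config_xml)
    where = object_locations(root)
    shadowed = {n: locs for n, locs in where.items() if "shared" in locs and len(locs) > 1}
    return shadowed, rules_referencing(root, set(shadowed))


if __name__ == "__main__":
    shadowed, hits = shadowed_objects(SAMPLE_CONFIG)
    for name, locs in shadowed.items():
        print(f"{name}: defined in {', '.join(locs)}")
    for dg, rb, rule, field, name in hits:
        print(f"  rule {rule} ({dg} {rb}) uses {name} as {field}")
```

Run it against a saved configuration export before renaming anything in Shared; any name it reports is a candidate for renaming the device-group copies to unique names first, so that a later Shared rename cannot change which object a rule matches.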
Known
9.1.1
PAN-178194
Firewalls licensed for Advanced URL Filtering display the message License required for URL filtering to function at the bottom of the web interface, due to a PAN-OS UI issue. This error does not affect the operation of Advanced URL Filtering or URL Filtering.
Known
9.1.1
PAN-157240
When a firewall has hardware offloading turned on and OSPF enabled, if ECMP is enabled or disabled for a virtual router during a configuration commit, OSPF sessions may get stuck in Exchange Start state.
Workaround:
Disable OSPF when enabling or disabling ECMP, and then re-enable OSPF in the next commit.
Known
9.1.1
PAN-154247
On the Panorama management server, context switching to and from the managed firewall web interface may cause the Panorama administrator to be logged out.
Workaround:
Log out and back in to the Panorama web interface.
Known
9.1.1
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
9.1.1
PAN-151198
On the Panorama management server, read-only Panorama administrators (Panorama > Administrators) can load managed firewall configuration backups (Panorama > Managed Devices > Summary).
Known
9.1.1
PAN-146573
PA-7000 series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.
Known
9.1.1
PAN-140084
This issue is now resolved. See
PAN-OS 9.1.5 Addressed Issues
.
There is an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set to 2.
Known
9.1.1
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
9.1.1
PAN-136701
(PA-7000 Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround:
(PAN-OS 9.1.3 and later releases only) Use the following CLI commands to bypass this issue:
  • set session hwpredict disable yes
  • show session hwpredict status
Known
9.1.1
PAN-135260
This issue is now resolved. See PAN-OS 9.1.2 Addressed Issues.
(PA-7000 Series firewalls only) There is an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarts unexpectedly when processing IPSec tunnel traffic. This issue can occur on any NPC card in any slot.
Known
9.1.1
PAN-134456
SNMP traps configured to use the dataplane port in service routes are still sent using the management interface.
Workaround:
Use a destination-based service route for the SNMP trap server.
Known
9.1.1
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
9.1.1
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
9.1.1
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
9.1.1
PAN-127550
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Delete devices manually in the web interface or CLI.
Known
9.1.1
PAN-127474
When you configure a Server Profile, the custom log format for GlobalProtect logs is missing.
Known
9.1.1
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
9.1.1
PAN-124956
This issue is now resolved. See PAN-OS 9.1.11 Addressed Issues.
There is an issue where VM-Series firewalls do not support packet buffer protection.
Known
9.1.1
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
9.1.1
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
9.1.1
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
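The following added example (not Palo Alto Networks code) rewrites an IPv6 literal into that accepted form so an address taken from another system's configuration can be checked and converted before it is entered on the M-500. The page gives only the one accepted address, so the example assumes the accepted form is the uncompressed eight-group notation with leading zeros dropped from each group and uppercase hex digits (no "::" shorthand, no zero padding), which is what that address shows.

```python
"""Rewrite an IPv6 literal into the one form PAN-120440 says the M-500 accepts.

Added example, not Palo Alto Networks code. Assumption (the page gives only the
single address 2001:DB9:85A3:0:0:8A2E:370:2): the accepted form is the uncompressed
eight-group notation with leading zeros dropped from each group and uppercase hex
digits, with no "::" shorthand and no zero padding.
"""
import ipaddress


def m500_ipv6_form(addr: str) -> str:
    """Expand any valid IPv6 literal into eight colon-separated groups without '::' or padding."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone index such as %eth0 if present
    groups = ip.exploded.split(":")                 # eight zero-padded, lowercase groups
    return ":".join(f"{int(g, 16):X}" for g in groups)


def needs_rewrite(addr: str) -> bool:
    """True when the literal as configured differs from the assumed accepted form."""
    return addr != m500_ipv6_form(addr)


if __name__ == "__main__":
    for literal in ("2001:db9:85a3::8a2e:370:2", "2001:DB9:85A3:0:0:8A2E:370:2", "fd00::10"):
        print(f"{literal:32} -> {m500_ipv6_form(literal)} (rewrite: {needs_rewrite(literal)})")
```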
Known
9.1.1
PAN-120423
This issue is now resolved. See PAN-OS 9.1.9 Addressed Issues.
PAN-OS 9.1.0 does not support the XML API for GlobalProtect logs.
Known
9.1.1
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
9.1.1
PAN-118065
(M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the Ethernet 1/1 interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround:
Disable the Ethernet 1/1 interface before you delete the local Log Collector, and then commit the configuration change.
Known
9.1.1
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
9.1.1
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
9.1.1
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
9.1.1
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
9.1.1
PAN-112456
You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.
Known
9.1.1
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
9.1.1
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
9.1.1
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
9.1.1
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
9.1.1
PAN-111251
Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
Known
9.1.1
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
9.1.1
PAN-109759
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
9.1.1
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
9.1.1
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround:
Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
Known
9.1.1
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
9.1.1
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
9.1.1
PAN-103018
This issue is now resolved. See PAN-OS 9.1.5 Addressed Issues.
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
Known
9.1.1
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
9.1.1
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
9.1.1
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
9.1.1
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
9.1.1
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
9.1.1
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
Known
9.1.1
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.
Known
9.1.1
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
9.1.1
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
9.1.1
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
Known
9.1.1
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
9.1.1
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
9.1.1
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
9.1.1
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
9.1.1
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
9.1.1
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
9.1.1
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
9.1.1
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
9.1.1
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
9.1.1
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
9.1.1
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
9.1.1
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
9.1.1
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
9.1.1
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
9.1.1
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
9.1.1
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
9.1.1
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround:
Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
Known
9.1.1
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
9.1.1
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
9.1.1
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
Known
9.1.1
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
9.1.1
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
9.1.1
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
9.1.1
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Known
10.1.0
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.0
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.0
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.0
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.0
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.0
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.0
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.0
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.0
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.0
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.0
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.0
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.0
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.0
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.0
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.0
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.0
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.0
PAN-217307
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.0
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.0
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.0
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.0
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
10.1.0
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.0
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.0
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.1.0
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.0
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.0
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.0
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.1.0
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.0
PAN-193336
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.0
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.0
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator's Guide.
Known
10.1.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.0
PAN-186913
On the Panorama management server, Validate Device Group (Commit > Commit and Push) erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push and results in no configuration validation.
Known
10.1.0
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chance that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.1.0
PAN-185966
The debug skip-cert-renewal-check-syslog yes command is not available on the Log Collector CLI to stop the Dedicated Log Collector from trying to renew the device certificate and displaying the following error:
No valid device certificate found
Known
10.1.0
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.0
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.0
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.0
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.0
PAN-177363
Dedicated Log Collector system and config logs cannot be ingested and are dropped when they are forwarded to a Panorama management server in Management Only mode, resulting in Dedicated Log Collector system and config logs not being viewable on Panorama in Management Only mode.
Known
10.1.0
PAN-175717
This issue is now resolved. See
PAN-OS 10.1.5 Addressed Issues.
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround:
When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.0
PAN-175685
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
(
PA-7000 Series and PA-5450 firewall only
) When the MPC (Management Processor Card) or SMC (Switch Management Card) is removed from one chassis and placed in another, PAN-OS will incorrectly cache and display the chassis serial number of the former chassis.
Known
10.1.0
PAN-175149
On PA-220, PA-800 Series, and PA-7000 Series firewalls, the ACC and scheduled reports (Monitor > Manage Custom Reports) erroneously display the IPv6 address instead of the IPv4 address.
Known
10.1.0
PAN-174254
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
Gateway Load Balancer (GWLB) inspection is disabled on the VM-Series firewall for AWS after a reboot.
Workaround:
Enable GWLB inspection.
Known
10.1.0
PAN-174094
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
SaaS Policy Recommendation does not work on firewalls because the SaaS Security Inline policy recommendation license check fails. When this occurs, the bottom ribbon on
Device
Policy Recommendation
SaaS
displays the message
SaaS Security license is required for feature to function
in red text.
On Panorama, the
SaaS Inline Security
column in
Panorama
Device Deployment
Licenses
shows that the SaaS Security Inline license is not present on the managed firewall.
Workaround
: If Panorama manages the firewall, use Panorama to import SaaS policy recommendations and then push them to the firewall.
Known
10.1.0
PAN-174004
On the Panorama management server, a local or Dedicated Log Collector cannot join the ElasticSearch cluster when it is added to a Collector Group (Panorama > Collector Groups) if the SSH key of any Log Collector in the cluster is longer than 2048 bits.
Known
10.1.0
PAN-173509
This issue is now resolved. See
PAN-OS 10.1.5 Addressed Issues
.
Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.0
PAN-172515
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured the Cloud Authentication Service in an Authentication profile, the firewall does not remove the Cloud Authentication Service from the Authentication profile, displays the authentication method as None, and any subsequent commits are not successful.
Workaround:
Delete the Authentication profile that is configured for the Cloud Authentication Service then commit your changes.
Known
10.1.0
PAN-172492
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
You can create and commit a log forwarding profile (Objects > Log Forwarding) with an invalid Filter.
Known
10.1.0
PAN-172454
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
If the firewall communicates with the Cloud Identity Engine before you install the device certificate on the firewall or Panorama, all subsequent queries to the Cloud Identity Engine fail.
Workaround:
Use the debug software restart process dscd command to restart the connection to the Cloud Identity Engine.
Known
10.1.0
PAN-172419
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
Hot-swapping or hot-plugging a transceiver in the HSCI-A or HSCI-B port on the PA-5450 firewall may cause the device to reboot unexpectedly.
Known
10.1.0
PAN-172386
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
A Passive PA-5450 firewall in an Active/Passive HA pair will continue to process traffic even if its port(s) are in a Disabled state when the ports do not link up initially due to local or remote faults.
Known
10.1.0
PAN-172276
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
Changing the port speed on a PA-400 Series firewall from auto-negotiate to 1G may cause the dataplane port to flap intermittently and result in a loss of traffic.
Known
10.1.0
PAN-172274
When you activate the Advanced URL Filtering license, your license entitlements for PAN-DB and Advanced URL Filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Run the following command to retrieve and update the licenses:
admin> request license fetch
Known
10.1.0
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.0
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.0
PAN-172208
This issue is now resolved. See
PAN-OS 10.1.3 Addressed Issues
.
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.0
PAN-172171
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the
slot7-path_monitor Path monitor failure
service failure.
Workaround:
Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.0
PAN-172132
This issue is now resolved by PAN-189643. See
PAN-OS 10.1.6 Addressed Issues
.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.0
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required, regardless of whether Tag Registration is enabled.
Workaround:
Always enter a username and password when you configure an HTTP server profile, even if the HTTP server does not require them. The HTTP server ignores the username and password if it does not need them for the firewall to connect.
Known
10.1.0
PAN-172061
A process (allpktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.0
PAN-164707
This issue is now resolved. See
PAN-OS 10.1.1 Addressed Issues
.
For PA-7000 Series Legacy firewalls, you are unable to view logs (Monitor) in the web interface or in the CLI (show log <logtype>).
Workaround:
Log in to the firewall CLI and restart the vldmgr process:
admin> debug software restart process vldmgr
Known
10.1.0
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.0
PAN-171898
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
PA-5450 firewalls may not get full 10G throughput when traffic is sent from 100G/40G interfaces to 10G interfaces.
Known
10.1.0
PAN-171839
The Enable Bonjour Reflector option under Network > Interfaces > Layer 3 Interface > IPv4 is not supported on the PA-5450 firewall.
Known
10.1.0
PAN-171750
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
The PA-5450 firewall's HSCI interface does not recognize a hot-swapped 40G or 100G transceiver.
Workaround:
Power down the firewall before removing and installing a 40G or 100G transceiver. After the transceiver is installed, power on the firewall.
Known
10.1.0
PAN-171744
This issue is now resolved. See
PAN-OS 10.1.2 Addressed Issues
.
No data is displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance (
Panorama
SD-WAN
Monitoring
).
Known
10.1.0
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.0
PAN-171714
This issue is now resolved. See
PAN-OS 10.1.7 Addressed Issues
.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives group mapping information from the Cloud Identity Engine, the firewall does not match the user to the correct group.
Known
10.1.0
PAN-171706
This issue is now resolved. See
PAN-OS 10.1.11 Addressed Issues
.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.0
PAN-171703
On the Panorama management server, the GlobalProtect Activity widget (ACC > GlobalProtect Activity) and GlobalProtect logs (Monitor > Logs > GlobalProtect) do not display if a Device Group is selected.
Workaround:
Select the All device group to view the GlobalProtect Activity widget and GlobalProtect logs.
Known
10.1.0
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.0
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if that configuration is disabled and the firewall is rebooted. The stale mapping may conflict with the new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.0
PAN-171224
On the Panorama management server, a custom report (Monitor > Manage Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.0
PAN-171145
If you edit or remove the value for the
mail
attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.0
PAN-171127
This issue is now resolved. See
PAN-OS 10.1.4 Addressed Issues.
On the Panorama management server, custom reports (Monitor > Manage Custom Reports) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.0
PAN-171069
Local Log Collectors for Panorama management servers in an active/passive high availability (HA) configuration cannot be added to the same Collector Group (Panorama > Collector Groups).
Workaround:
Before you upgrade your Panorama servers to PAN-OS 10.1.0, configure HA (Panorama > High Availability), add the local Log Collectors of both HA peers to the same Collector Group, and then upgrade to PAN-OS 10.1.0.
Known
10.1.0
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of the screen) does not match the Apps Seen on the selected rule. In addition, filtering the application browser based on Apps Seen does not work.
Known
10.1.0
PAN-170473
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
SSL traffic is not decrypted on inbound inspection when the private key is using a hardware security module (HSM).
Known
10.1.0
PAN-170462
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget in ACC > Network Activity.
Known
10.1.0
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.0
PAN-170174
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
A CN-NGFW pod might incorrectly restart multiple times after bring-up because eth0 is unavailable when kubelet runs its network checks on eth0. The following error appears in the DP node journalctl logs: "failed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "pan-ngfw-dep-<>_kube-system": unexpected address output".
Workaround:
Redeploy the CN-NGFW pod.
Known
10.1.0
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.0
PAN-169433
On the Panorama management server, clicking Run Now for a custom report (Monitor > Manage Custom Reports) with 32 or more filters in the Query Builder returns the result No matching records.
Known
10.1.0
PAN-168920
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
On a PA-5450 firewall, QoS does not honor the guaranteed bandwidth for classes set to a Priority of real-time.
Known
10.1.0
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud through a management port that has an explicit proxy configured is not supported. Use a data plane interface for the service route instead (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.0
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.0
PAN-167847
If you issue the opof stats command and then clear the results with opof stats -c, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run opof stats after the offload completes.
Known
10.1.0
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.0
PAN-166464
This issue is now resolved. See
PAN-OS 10.1.6-h6 Addressed Issues
.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.0
PAN-166398
This issue is now resolved. See
PAN-OS 10.1.1 Addressed Issues
.
On PA-5450 Next-Generation firewalls, when you configure path or latency monitoring on the Health Monitor tab of the Packet Broker profile (Objects > Packet Broker), the path health monitor may be disabled after a firewall restart because of a configuration synchronization issue, so the firewall may not be aware of path failures.
Workaround:
Change the health monitoring configuration and commit the change to prevent this issue.
Known
10.1.0
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, cannot display this data in logs and custom reports.
Known
10.1.0
PAN-165225
The hwpredict setting is enabled by default, and you must disable it from the CLI if you do not want it.
Known
10.1.0
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.0
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.0
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when you deploy using the PAN-OS 10.1.0-b6 release.
Known
10.1.0
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to activate licenses on managed firewalls in an HA configuration.
Known
10.1.0
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, the attribute displays in user@domain format in the CLI output.
Known
10.1.0
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, so no data displays for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.0
PAN-163676
Next-Generation Firewalls are unable to connect to a syslog server when the certificates required to connect to the syslog server are part of a Certificate Profile (Device > Certificate Management > Certificate Profile) that has Use OCSP enabled to check the revocation status of certificates.
Workaround:
Enable Use CRL in the Certificate Profile to check the revocation status of certificates.
Known
10.1.0
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens in which you can choose Subscriptions or Support and click Continue to remove licenses and register the change with the license server. When the license removal completes, the Deactivate VM window neither updates its text to exclude the deactivated licenses nor closes.
Workaround:
Wait until the license deactivation is complete, and then click Cancel to close the window.
Known
10.1.0
PAN-162164
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, the commit fails if the configuration has the DHCP Broadcast Session option enabled. Auto-commit is not affected.
Workaround:
Load the configuration from the running config and perform a commit:
admin# load config from running-config.xml
Known
10.1.0
PAN-162088
This issue is now resolved. See
PAN-OS 10.1.9 Addressed Issues
.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) that you manually upload to the active HA peer are not synchronized to the passive HA peer when you Install a content update with Sync to HA Peer enabled.
Known
10.1.0
PAN-161666
The firewall counts users retrieved from the Cloud Identity Engine as groups. As a result, the No. of Groups value in some CLI command output overstates the number of groups the firewall has retrieved from the Cloud Identity Engine. If an attempt to retrieve a user or group fails, that user or group still appears in the CLI command output.
Known
10.1.0
PAN-161451
If you issue the opof stats command, the packet and byte counts from the DPDK counters are occasionally zero. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.0
PAN-160238
If you migrate traffic from a firewall running a PAN-OS release earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if no tunnel content inspection (TCI) policy is configured for the VXLAN traffic flows.
Workaround:
On the new firewall, create an application override for the VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 and later releases can inspect both inner and outer VXLAN flows. To inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.0
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.0
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors on the downgraded firewall if you did not uninstall the Enterprise DLP plugin before the downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto-commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to the managed firewall you downgraded to PAN-OS 9.1.
Known
10.1.0
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Run the debug dataplane pow status command to view the number of channels the dataplane is using.
admin> debug dataplane pow status
Per pan-task Netx statistics
Counter Name        1     2     3     4     5     6   Total
---------------------------------------------
ready_dvf           2     0     0     0     0     0       2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it, then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by running debug dataplane pow status again. It should now show multiple channels in use:
Per pan-task Netx statistics
Counter Name        1     2     3     4     5     6   Total
---------------------------------------------
ready_dvf           1     1     0     0     0     0       2
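Reading the ready_dvf row by eye is fine once, but if you are checking a fleet of NSX-V firewalls after redeploying the service it is worth scripting the decision. The following is an added example, not code from the release notes or from Palo Alto Networks: it parses the counter table printed by debug dataplane pow status, checks that the per-task counts add up to the Total column, and reports how many pan-tasks show ready_dvf activity. The two sample outputs are the tables from the workaround above, re-typed by hand.

```python
def parse_pow_status(output: str) -> dict:
    """Return {counter_name: {"per_task": [int, ...], "total": int}}.

    Expects the 'Per pan-task Netx statistics' layout: a 'Counter Name'
    header row with one column per pan-task and a trailing Total column,
    a dashed separator, then one row per counter.
    """
    counters = {}
    task_columns = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Per pan-task") or set(line) <= {"-"}:
            continue
        parts = line.split()
        if parts[:2] == ["Counter", "Name"]:
            task_columns = parts[2:-1]          # e.g. ['1', '2', '3', '4', '5', '6']
            continue
        if task_columns is None:
            raise ValueError("counter row seen before the 'Counter Name' header")
        name, values = parts[0], [int(v) for v in parts[1:]]
        if len(values) != len(task_columns) + 1:
            raise ValueError(f"{name}: expected {len(task_columns)} task columns plus Total")
        per_task, total = values[:-1], values[-1]
        if sum(per_task) != total:
            raise ValueError(f"{name}: per-task counts {per_task} do not sum to Total {total}")
        counters[name] = {"per_task": per_task, "total": total}
    return counters


def active_channels(output: str, counter: str = "ready_dvf") -> int:
    """Number of pan-tasks with a non-zero count for the given counter."""
    return sum(1 for v in parse_pow_status(output)[counter]["per_task"] if v > 0)


def multichannel_active(output: str) -> bool:
    """True when more than one pan-task reports ready_dvf activity."""
    return active_channels(output) > 1


# Constructed samples, re-typed from the two outputs in the workaround.
BEFORE_FIX = """\
Per pan-task Netx statistics
Counter Name        1     2     3     4     5     6   Total
---------------------------------------------
ready_dvf           2     0     0     0     0     0       2
"""

AFTER_FIX = """\
Per pan-task Netx statistics
Counter Name        1     2     3     4     5     6   Total
---------------------------------------------
ready_dvf           1     1     0     0     0     0       2
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        state = "OK" if multichannel_active(sample) else "NOT working"
        print(f"{label}: {active_channels(sample)} channel(s) in use, multi-channel {state}")
```

Pipe the command output into parse_pow_status (for example from an SSH session captured to a file); a single active column after the reboot means the redeploy did not take and the workaround should be repeated.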
Known
10.1.0
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile's custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.0
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After a successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.0
PAN-154053
This issue has been resolved. See
PAN-OS 10.1.1 Addressed Issues
.
If two or more PA-5450 fan assemblies fail, the firewall shuts down without providing a console or CLI error message about the fan failure.
Known
10.1.0
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.0
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After a successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) for the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.0
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.0
PAN-153557
On the Panorama management server CLI, the overall status of a report query is marked as Done even though the report jobs for logs stored in Cortex Data Lake (CDL) for the PODamericas Collector Group are still in the Running state.
Known
10.1.0
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.0
PAN-151238
M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is not supported after PAN-OS 9.1 (refer to the hardware end-of-life dates).
Known
10.1.0
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.0
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.0
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.0
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.0
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.0
PAN-148971
If you enter a search term for IoT-related events in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type attribute to filter the logs and use the search term as the Description attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.0
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.0
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.0
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround
: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.0
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After making a configuration change, Commit and Push the changes to all hub and branch firewalls in the VPN cluster that contains the firewall with the modified configuration.
Known
10.1.0
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.0
PAN-144889
On the Panorama management server with the SD-WAN 1.0.2 plugin, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.0
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.0
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.0
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.0
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, which delays log queries and ingestion.
Known
10.1.0
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when you install a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected in the managed firewalls Summary (Panorama > Managed Devices > Summary) and in the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.0
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.0
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.0
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.0
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.0
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.0
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.0
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.0
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.0
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.0
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.0
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.0
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
10.1.0
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.0
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.0
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.0
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.0
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.0
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.0
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.0
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.0
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.0
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.0
PAN-109759
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
10.1.0
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.0
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.0
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.0
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.0
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.0
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.0
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.0
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.0
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.0
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.0
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.0
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.0
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.0
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.0
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.0
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.0
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
10.1.0
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.0
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.0
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.0
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.0
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.0
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.0
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.0
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.0
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.0
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.0
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.0
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.0
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.0
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.0
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.0
APL-14490
Fixed an issue where the option to toggle log ingestion or storage for devices in the Cortex Data Lake app did not function.
Addressed
10.1.0
PAN-164564
Fixed an issue where the stats API attempted to get stats from an unavailable port.
Addressed
10.1.0
PAN-146573
(PA-7000 Series firewalls only) Fixed an issue where firewalls configured with a large number of interfaces experienced impacted performance and timeouts when performing SNMP queries.
Addressed
10.1.0
PAN-142099
Fixed an issue where Panorama did not allow changing the MTU for the management interface.
Known
10.1.1
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.1
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.1
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.1
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.1
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.1
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.1
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.1
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.1
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.1
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.1
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.1
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.1
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.1
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.1
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.1
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.1
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.1
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.1
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.1
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.1
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.1
PAN-208325
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.1
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.1
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.1
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.1.1
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.1
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.1
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.1
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.1.1
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.1
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.1
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.1
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.1
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.1
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The likelihood that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.1.1
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.1
PAN-181116
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.1
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.1
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message stating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configure settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.1
PAN-178190
Traffic, threat, and URL logs are not viewable from the firewall web interface (Monitor > Logs) and CLI after upgrade to PAN-OS 10.1.1.
Known
10.1.1
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround:
When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.1
PAN-175685
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
(PA-7000 Series and PA-5450 firewall only) When the MPC (Management Processor Card) or SMC (Switch Management Card) is removed from one chassis and placed in another, PAN-OS will incorrectly cache and display the chassis serial number of the former chassis.
Known
10.1.1
PAN-175149
(PA-800 and PA-7000 Series firewalls and the PA-220 firewall only) Fixed an issue where ACC and scheduled reports (Monitor > Manage > Manage Custom Reports) incorrectly displayed the IPv6 address instead of the IPv4 address.
Known
10.1.1
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.1
PAN-174254
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
Gateway Load Balancer (GWLB) inspection is disabled on the VM-Series firewall for AWS after a reboot.
Workaround:
Enable GWLB inspection.
Known
10.1.1
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.1
PAN-172515
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured the Cloud Authentication Service in an Authentication profile, the firewall does not remove the Cloud Authentication Service from the Authentication profile, displays the authentication method as None, and any subsequent commits are not successful.
Workaround:
Delete the Authentication profile that is configured for the Cloud Authentication Service then commit your changes.
Known
10.1.1
PAN-172492
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
You can create and commit a log forwarding profile (Objects > Log Forwarding) with an invalid Filter.
Known
10.1.1
PAN-172454
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
If the firewall communicates with the Cloud Identity Engine before you install the device certificate on the firewall or Panorama, all subsequent queries to the Cloud Identity Engine fail.
Workaround: Use the debug software restart process dscd command to restart the connection to the Cloud Identity Engine.
Known
10.1.1
PAN-172276
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
Changing the port speed on a PA-400 Series firewall from auto-negotiate to 1G may cause the dataplane port to flap intermittently and result in a loss of traffic.
Known
10.1.1
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.1
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.1
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.1
PAN-172208
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.1
PAN-172171
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues.
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service failure.
Workaround:
Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.1
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.1
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the profile. You must enter a username and password even if the HTTP server does not require them; the HTTP server ignores the credentials if they are not needed for the firewall to connect.
Known
10.1.1
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.1
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.1
PAN-171839
The Enable Bonjour Reflector option under Network > Interfaces > Layer 3 Interface > IPv4 is not supported on the PA-5450 firewall.
Known
10.1.1
PAN-171744
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
No data is displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance (Panorama > SD-WAN > Monitoring).
Known
10.1.1
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.1
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.1
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.1
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.1
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround: Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.1
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.1
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.1
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.
On the Panorama management server, custom reports (Monitor > Manage Custom Reports) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.1
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of the screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.1
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget in ACC > Network Activity.
Known
10.1.1
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.1
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.1
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with an explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.1
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.1
PAN-167847
If you issue the opof stats command and then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.1
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.1
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.1
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.1
PAN-165225
There is an issue where hwpredict is enabled by default, and you have to disable it via the CLI.
Known
10.1.1
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.1
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.1
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.1
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.1
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.1
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.1
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens in which you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude the deactivated licenses, nor does it close.
Workaround: Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.1
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration has the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround:
Load the configuration from the running config (load config from running-config.xml) and perform a commit.
Known
10.1.1
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.1
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups field of the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.1
PAN-161451
If you issue the opof stats command, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.1
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.1
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.1
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before the downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.1
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround: Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name        1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf           2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name        1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf           1  1  0  0  0  0  2
Known
10.1.1
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.1
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.1
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.1
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After a successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.1
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.1
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though the jobs for reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group are still in a Running state.
Known
10.1.1
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.1
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.1
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.1
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.1
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.1
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.1
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.1
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.1
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.1
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.1
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.1
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.1
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.1
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.1
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.1
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.1
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.1
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in delays in log queries and ingestion.
Known
10.1.1
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.1
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.1
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.1
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when they are created from the CLI.
Known
10.1.1
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.1
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.1
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.1
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.1
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.1
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.1
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.1
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.1
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.1
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.1
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.1
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.1
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.1
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
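One way to issue that request, as an added example (not Palo Alto Networks code): it builds the User-ID API uid-message that unregisters one or more tags from a subnet or range entry and submits it to the firewall's XML API endpoint. It assumes the PAN-OS User-ID XML API (type=user-id with a uid-message payload); FW_HOST, API_KEY and the subnet, range and tag names are placeholders, and the entries must be written exactly as they were registered.

```python
"""Unregister IP address-to-tag mappings for a subnet or range via the XML API.

Added example, not Palo Alto Networks code. It assumes the PAN-OS User-ID
API (type=user-id with a <uid-message> payload); FW_HOST, API_KEY and the
subnet, range and tag names below are placeholders for illustration.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "firewall.example.com"   # placeholder
API_KEY = "REPLACE_WITH_API_KEY"   # placeholder; sent in the POST body, not the URL


def build_unregister_message(entries):
    """Return a <uid-message> XML string that unregisters the given tags.

    entries: iterable of (ip, tags) where ip may be a host address, a subnet
    ("10.10.0.0/24") or a range ("10.10.1.5-10.10.1.20") written exactly as
    it was registered, and tags is the list of tag names to remove from it.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    unregister = ET.SubElement(ET.SubElement(root, "payload"), "unregister")
    for ip, tags in entries:
        entry = ET.SubElement(unregister, "entry", ip=ip)
        tag_list = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_list, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_response(response_xml):
    """Return (ok, message) from an API reply such as
    <response status="success"><msg>command succeeded</msg></response>."""
    root = ET.fromstring(response_xml)
    ok = root.get("status") == "success"
    message = "".join(root.itertext()).strip()
    return ok, message


def send_uid_message(uid_message, host=FW_HOST, api_key=API_KEY, timeout=15):
    """POST the uid-message to https://<host>/api/ and return (ok, message).

    POST keeps the API key and the XML out of the request line and of proxy
    logs; urlopen verifies the TLS certificate by default, so install the
    firewall's CA rather than disabling verification. Needs network access
    and is therefore not exercised by the test.
    """
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_message}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    msg = build_unregister_message([
        ("10.10.0.0/24", ["quarantine"]),           # constructed subnet entry
        ("10.10.1.5-10.10.1.20", ["lab", "dev"]),   # constructed range entry
    ])
    print(msg)
    # print(send_uid_message(msg))  # uncomment with a real FW_HOST and API_KEY
```

Check the returned status rather than assuming success: a rejected key or a malformed entry comes back as `<response status="error">` with an HTTP 200, so only the parsed status tells you whether the mapping was actually removed.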
Known
10.1.1
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.1
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.1
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.1
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.1
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.1
PAN-109759
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
10.1.1
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.1
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.1
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 Update 1 causes the Panorama virtual appliance and the host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 Update 2 and add the disk again.
Known
10.1.1
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Note that this clears every registered IP address-to-tag mapping on the firewall, not only the mappings that the removed Device Group membership left behind, so any mappings still needed must be registered again afterwards.
Known
10.1.1
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Set the target vsys and specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.1
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.1
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.1
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.1
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.1
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the following CLI command:
set system setting dpdk-pkt-io off
Known
10.1.1
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.1
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.1
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.1
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.1
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.1
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.1
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
10.1.1
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.1
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only by running the following CLI command:
set session udp-offload no
Known
10.1.1
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.1
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.1
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.1
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the following CLI command:
set session offload no
Known
10.1.1
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.1
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.1
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.1
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.1
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.1
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.1
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.1
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the following CLI command:
debug software restart process management-server
Known
10.1.1
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.1
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
Addressed
10.1.1
WF500-5559
Fixed an issue where an intermittent error while analyzing signed PE samples on the WildFire appliance might have caused analysis failures.
Addressed
10.1.1
PAN-174094
Fixed an issue where SaaS Policy Recommendation didn’t work on firewalls because the SaaS Security Inline policy recommendation license check failed.
Addressed
10.1.1
PAN-172419
Fixed an issue where hot-swapping or hot-plugging a transceiver in the HSCI-A or HSCI-B port on the PA-5450 firewall caused the firewall to reboot unexpectedly.
Addressed
10.1.1
PAN-172386
(Passive PA-5450 firewalls in an HA active/passive configuration only) Fixed an issue where, when the ports did not link up initially due to local or remote faults, the firewall continued to process traffic even when its port(s) were in a Disabled state.
Addressed
10.1.1
PAN-172063
Fixed an issue where the outbound/inbound interface was not populated for session logs that were forwarded to Panorama.
Addressed
10.1.1
PAN-171898
(PA-5450 firewalls only) Fixed an issue where firewalls did not get full 10G throughput when traffic was sent from 100G or 40G interfaces to 10G interfaces.
Addressed
10.1.1
PAN-171750
(PA-5450 firewalls only) Fixed an issue where the HSCI interface didn't recognize a hot-swapped 40G or 100G transceiver.
Addressed
10.1.1
PAN-171703
Fixed an issue where GlobalProtect Activity did not display when a device group was selected.
Addressed
10.1.1
PAN-171290
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to renew the DHCP lease for the management server IP address.
Addressed
10.1.1
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (Commit on the firewall or Commit All Changes on Panorama) or an implicit commit such as an Antivirus update, Dynamic Update, or WildFire update.
Note
This issue persists for a network-related configuration and commit.
Addressed
10.1.1
PAN-170825
Fixed an issue where, when a partial Preview Change job failed, a process (configd) stopped responding.
Addressed
10.1.1
PAN-170740
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
Addressed
10.1.1
PAN-170610
Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly dropped by a Security policy that included a deny rule.
Addressed
10.1.1
PAN-170473
Fixed an issue where SSL traffic wasn’t decrypted on inbound inspection when the private key used a hardware security module (HSM).
Addressed
10.1.1
PAN-170314
Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN-DB URL cloud from connecting after first deployment.
Addressed
10.1.1
PAN-170174
Fixed an issue where a CN-NGFW pod repeatedly restarted due to eth0 being unavailable when kubelet ran network checks on eth0. The following error displayed in the dataplane node journalctl logs:
failed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "pan-ngfw-dep-<>_kube-system": unexpected address output
Addressed
10.1.1
PAN-169064
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
Addressed
10.1.1
PAN-168646
Fixed an issue where Elasticsearch didn't start up in a new Log Collector deployment or downgrade because the Log Collector could not register the service.
Addressed
10.1.1
PAN-168920
(
PA-5450 firewalls only
) Fixed an issue where QoS didn’t honor the guaranteed bandwidth for classes set to a Priority of real-time.
Addressed
10.1.1
PAN-168418
Fixed an issue where, when an MLAV URL with an exception list was configured and forward proxy was enabled, a process (all_pktproc) repeatedly restarted, which resulted in the firewall rebooting.
Addressed
10.1.1
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
Addressed
10.1.1
PAN-166398
(PA-5450 firewalls only) Fixed an issue where, when you configured path or latency monitoring on the Health Monitor tab in the packet broker profile (Objects > Packet Broker), the path health monitor was disabled due to a configuration synchronization issue after a reboot.
Addressed
10.1.1
PAN-165025
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
Addressed
10.1.1
PAN-164707
(PA-7000 Series firewalls only) Fixed an issue where logs were not viewable via the web interface in the Monitor tab or via the CLI.
Addressed
10.1.1
PAN-164392
Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process (logrcvr).
Addressed
10.1.1
PAN-163800
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
Addressed
10.1.1
PAN-162442
Fixed an issue in HA active/active configurations where deleting an interface not associated with a virtual router did not sync the configuration change.
Addressed
10.1.1
PAN-158932
Fixed an issue where an increase was observed in spyware_state, which caused latency.
Addressed
10.1.1
PAN-158649
Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
Addressed
10.1.1
PAN-157715
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures:
set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
Addressed
10.1.1
PAN-156388
Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.
Addressed
10.1.1
PAN-154053
Fixed an issue where, when two or more PA-5450 fan assemblies failed, the firewall shut down without providing a console or CLI error message about the fan failure.
Known
10.1.2
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.2
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.2
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.2
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.2
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message
    System capacity adjusted to VM-50 capacity due to insufficient memory for VM-
    <xxx>
    license
    , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.2
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.2
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.2
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.2
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.2
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.2
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.2
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.2
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.2
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.2
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.2
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch:
admin> debug elasticsearch es-restart all
Known
10.1.2
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.2
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.2
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.2
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.2
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.2
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate:
admin> request certificate fetch
Known
10.1.2
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configured the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.2
PAN-206243
The PA-220 firewall reaches its maximum disk usage capacity multiple times a day, which requires a disk cleanup each time. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.2
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software:
admin> request restart software
Known
10.1.2
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C, where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.2
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.2
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and in additional device groups (Panorama > Device Groups) under the same device group hierarchy, and those objects are used in one or more Policies, renaming the object with the shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the policy rules to use the renamed Shared object instead of the device group object. The rules in DG-A and DG-B therefore now match on the Shared object's value rather than on the device-group-local object they were written against, without any commit warning, so check for colliding names before renaming a Shared object.
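A way to find such name collisions before renaming anything, as an added example (not Palo Alto Networks code): it walks a saved Panorama configuration XML and reports every object name defined in two or more device groups on the same ancestry chain, Shared included, together with the Security policy rules that reference that name. The sample configuration is constructed for illustration; the XPaths follow the Panorama config schema for shared objects (/config/shared) and for device-group objects and pre/post rulebases (/config/devices/entry/device-group/entry), while reading the hierarchy from /config/readonly/.../device-group/entry/parent-dg is an assumption, with an entry that has no parent-dg treated as a top-level device group.

```python
"""Report object names defined in more than one device group along the same
Panorama hierarchy (Shared included): the set-up in which renaming one of
them re-points policy references.

Added example, not Palo Alto Networks code. SAMPLE_CONFIG is constructed for
illustration. XPaths follow the Panorama config schema for /config/shared and
/config/devices/entry/device-group/entry; reading the hierarchy from
/config/readonly/.../device-group/entry/parent-dg is an assumption, and an
entry without parent-dg is treated as a top-level device group.
"""
import xml.etree.ElementTree as ET

OBJECT_TYPES = ("address", "address-group", "service", "service-group")
RULEBASES = ("pre-rulebase", "post-rulebase")
DG_PATH = "./devices/entry/device-group/entry"

SAMPLE_CONFIG = """<config>
 <shared><address>
  <entry name="AddressObjA"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
  <entry name="OnlyShared"><ip-netmask>10.0.0.11/32</ip-netmask></entry>
 </address></shared>
 <readonly><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG-A"/><entry name="DG-B"><parent-dg>DG-A</parent-dg></entry><entry name="DG-C"/>
 </device-group></entry></devices></readonly>
 <devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG-A">
   <address><entry name="AddressObjA"><ip-netmask>10.1.0.10/32</ip-netmask></entry>
            <entry name="DGAOnly"><ip-netmask>10.1.0.12/32</ip-netmask></entry></address>
   <pre-rulebase><security><rules><entry name="allow-a">
    <source><member>AddressObjA</member></source><action>allow</action>
   </entry></rules></security></pre-rulebase>
  </entry>
  <entry name="DG-B">
   <address><entry name="AddressObjA"><ip-netmask>10.2.0.10/32</ip-netmask></entry>
            <entry name="SiblingDup"><ip-netmask>10.2.0.13/32</ip-netmask></entry></address>
   <pre-rulebase><security><rules><entry name="allow-b">
    <destination><member>AddressObjA</member></destination><action>allow</action>
   </entry></rules></security></pre-rulebase>
  </entry>
  <entry name="DG-C">
   <address><entry name="SiblingDup"><ip-netmask>10.3.0.13/32</ip-netmask></entry></address>
  </entry>
 </device-group></entry></devices>
</config>"""


def device_group_parents(root):
    """Map device group name -> parent name ('shared' for top-level groups)."""
    parents = {}
    for dg in root.iterfind("./readonly/devices/entry/device-group/entry"):
        parents[dg.get("name")] = dg.findtext("parent-dg") or "shared"
    return parents


def ancestry(dg_name, parents):
    """Return [dg, parent, ..., 'shared'] for a device group."""
    chain = [dg_name]
    while chain[-1] != "shared":
        chain.append(parents.get(chain[-1], "shared"))
    return chain


def objects_by_location(root):
    """Map (location, object type) -> set of names; location is 'shared' or a DG."""
    objs = {}
    for otype in OBJECT_TYPES:
        objs[("shared", otype)] = {e.get("name") for e in root.iterfind(f"./shared/{otype}/entry")}
    for dg in root.iterfind(DG_PATH):
        for otype in OBJECT_TYPES:
            objs[(dg.get("name"), otype)] = {e.get("name") for e in dg.iterfind(f"./{otype}/entry")}
    return objs


def find_shadowed_objects(config_xml):
    """Return sorted (object type, name, [locations]) for every name defined in
    two or more locations on one ancestry chain. Siblings do not count: the
    same name in two unrelated device groups cannot shadow anything."""
    root = ET.fromstring(config_xml)
    parents = device_group_parents(root)
    objs = objects_by_location(root)
    hits = {}
    for dg in root.iterfind(DG_PATH):
        chain = ancestry(dg.get("name"), parents)
        for otype in OBJECT_TYPES:
            for name in objs[(dg.get("name"), otype)]:
                where = [loc for loc in chain if name in objs.get((loc, otype), ())]
                if len(where) > 1:
                    hits.setdefault((otype, name), set()).update(where)
    return sorted((otype, name, sorted(locs)) for (otype, name), locs in hits.items())


def rule_references(config_xml, object_name):
    """Return (device group, rulebase, rule name) for each Security policy rule
    whose member lists (source, destination, service, ...) name the object."""
    root = ET.fromstring(config_xml)
    refs = []
    for dg in root.iterfind(DG_PATH):
        for rb in RULEBASES:
            for rule in dg.iterfind(f"./{rb}/security/rules/entry"):
                if any(m.text == object_name for m in rule.iter("member")):
                    refs.append((dg.get("name"), rb, rule.get("name")))
    return refs


if __name__ == "__main__":
    for otype, name, locs in find_shadowed_objects(SAMPLE_CONFIG):
        print(f"{otype} '{name}' defined in {locs}; referenced by {rule_references(SAMPLE_CONFIG, name)}")
```

On the sample, only AddressObjA is reported (Shared, DG-A and DG-B), while SiblingDup in DG-B and DG-C is not, because those groups are not on the same chain. Run it against a current export before renaming a Shared object; every rule it lists is one whose match criteria would change.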
Known
10.1.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls that use SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as edited or deleted, despite no edits or deletions having been made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.2
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.1.2
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.2
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.2
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.2
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.2
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), or the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.2
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chance that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.1.2
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.2
PAN-181116
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.2
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.2
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.2
PAN-178190
Traffic, threat, and URL logs are not viewable from the firewall web interface (Monitor > Logs) and CLI after upgrade to PAN-OS 10.1.2.
Known
10.1.2
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.2
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround:
When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.2
PAN-175149
(PA-800 and PA-7000 Series firewalls and the PA-220 firewall only) Fixed an issue where ACC and scheduled reports (Monitor > Manage > Manage Custom Reports) incorrectly displayed the IPv6 address instead of the IPv4 address.
Known
10.1.2
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.2
PAN-174201
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.
The vldmgr process stops responding after upgrading to PAN-OS 10.1.0 if logs are in the burst list.
Known
10.1.2
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.2
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.2
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.2
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.2
PAN-172208
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.2
PAN-172171
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service failure.
Workaround:
Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.2
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.2
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.2
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.2
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.2
PAN-171839
The Enable Bonjour Reflector option under Network > Interfaces > Layer 3 Interface > IPv4 is not supported on the PA-5450 firewall.
Known
10.1.2
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.2
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.2
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.2
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.2
PAN-171635
If you have an on-premise Active Directory and an existing group mapping configuration on the firewall, and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround: Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.2
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.2
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.2
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.
On the Panorama management server, custom reports (Monitor > Manage Custom Reports) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.2
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.2
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget in ACC > Network Activity.
Known
10.1.2
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.2
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.2
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.2
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.2
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.2
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.2
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.2
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.2
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.2
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.2
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.2
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.2
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.2
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.2
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround: Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.2
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround:
Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.2
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.2
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups field in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.2
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.2
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.2
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.2
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.2
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround: Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
    Per pan-task Netx statistics
    Counter Name        1   2   3   4   5   6   Total
    ---------------------------------------------
    ready_dvf           2   0   0   0   0   0   2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
    Per pan-task Netx statistics
    Counter Name        1   2   3   4   5   6   Total
    ---------------------------------------------
    ready_dvf           1   1   0   0   0   0   2
Known
10.1.2
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.2
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.2
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.2
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.2
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.2
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.2
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.2
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.2
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.2
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.2
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.2
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.2
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.2
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.2
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.2
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.2
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.2
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.2
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.2
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.2
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.2
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.2
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.2
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
Known
10.1.2
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view the managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.2
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.2
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.2
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.2
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.2
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.2
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.2
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.2
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.2
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.2
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.2
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.2
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.2
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.2
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.2
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.2
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.2
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.2
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.2
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.2
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.2
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.2
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.2
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.2
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.2
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.2
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.2
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.2
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.2
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.2
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.2
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.2
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.2
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.2
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.2
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.2
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.2
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.2
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.2
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
10.1.2
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.2
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.2
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.2
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.2
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.2
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.2
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.2
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.2
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.2
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.2
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.2
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.2
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.2
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.2
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.2
PAN-175685
(PA-7000 Series and PA-5450 firewalls only) Fixed an issue where PAN-OS displayed the incorrect chassis serial number when an MPC (Management Processor Card) or SMC (Switch Management Card) was moved from one chassis to another.
Addressed
10.1.2
PAN-174448
Fixed an issue where the Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations being loaded after a reboot.
Addressed
10.1.2
PAN-174326
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
Addressed
10.1.2
PAN-174254
(VM-Series firewalls deployed in Amazon Web Services (AWS) only) Fixed an issue where Gateway Load Balancer (GWLB) inspection incorrectly displayed as false after a reboot.
Addressed
10.1.2
PAN-174244
Fixed an issue where a sudden increase in URL data approached the maximum cache capacity of the firewall.
Addressed
10.1.2
PAN-174049
Fixed an issue where a process (authd) used the old Thermite certificate after renewal, which caused authentication failures when using the Cloud Authentication Service.
Addressed
10.1.2
PAN-173903
Fixed an issue where clicking a hyperlink on a web page caused the web browser to download a file instead.
Addressed
10.1.2
PAN-172518
Fixed an issue where a race condition occurred and caused a process (useridd) to restart.
Addressed
10.1.2
PAN-172515
Fixed an issue where, when downgrading from PAN-OS 10.1 to an earlier version, with Cloud Authentication Service configured in an Authentication profile, the firewall did not remove the Cloud Authentication Service from the Authentication profile and displayed the authentication method as None, and subsequent commits failed.
Addressed
10.1.2
PAN-172490
Fixed an issue on firewalls in HA configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Addressed
10.1.2
PAN-172454
Fixed an issue where, when the firewall communicated with the Cloud Identity Engine before the device certificate was installed on the firewall or Panorama, subsequent queries to the Cloud Identity Engine failed.
Addressed
10.1.2
PAN-172295
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process (useridd) and caused IP address-to-user mapping redistribution failure.
Addressed
10.1.2
PAN-172276
(PA-400 Series firewalls only) Fixed an intermittent issue where changing the port speed from auto-negotiate to 1G caused the dataplane port to flap, which resulted in lost traffic.
Addressed
10.1.2
PAN-172125
Fixed an intermittent issue where processing HIP messages in the useridd process caused a memory leak.
Addressed
10.1.2
PAN-171878
Fixed an issue with SD-WAN path selection logic that caused an all_pktproc dataplane to stop responding.
Addressed
10.1.2
PAN-171744
Fixed an issue where no data was displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance (Panorama > SD-WAN > Monitoring).
Addressed
10.1.2
PAN-171442
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.
Addressed
10.1.2
PAN-171203
Fixed an issue in an HA configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Addressed
10.1.2
PAN-170681
Fixed an issue where the data redistribution agent and the data redistribution client failed to connect because the agent did not send an SSL Server Hello response.
Addressed
10.1.2
PAN-170103
Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certificate-based authentication.
Addressed
10.1.2
PAN-169566
Fixed an issue where configuration files were not exported using the scheduled Secure Copy (SCP).
Addressed
10.1.2
PAN-168903
Fixed an issue where deleting licenses on the firewall incorrectly set the GlobalProtect gateway license node to false. The firewall displayed the following error message during a GlobalProtect application connection: Could not connect to the gateway. The device or feature requires a GlobalProtect subscription license, even though the gateway firewall had a valid gateway license.
Addressed
10.1.2
PAN-168718
Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.
Addressed
10.1.2
PAN-167115
Fixed an issue where, after upgrading to 10.0.3, admin sessions on Panorama were not logged out after the idle timeout expired.
Addressed
10.1.2
PAN-167099
Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
Addressed
10.1.2
PAN-109759
Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.
Addressed
10.1.2
PAN-165225
Fixed an issue where hwpredict was enabled by default.
Addressed
10.1.2
PAN-161745
Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
Addressed
10.1.2
PAN-158958
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
Addressed
10.1.2
PAN-157518
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (Preview Rules).
Addressed
10.1.2
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
Addressed
10.1.2
PAN-154905
(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the Source and Destination tabs, the Query Traffic setting was not available for Address Groups.
Addressed
10.1.2
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
Addressed
10.1.2
PAN-136961
Fixed an issue where during QoS config generation the Aggregate Ethernet (AE) subnets were incorrectly calculated cumulatively across all AEs instead of calculating just the total subnets of an AE.
Known
10.1.3
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.3
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.3
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.3
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.3
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.3
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.3
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.3
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.3
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.3
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.3
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.3
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.3
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama-only or Log Collector mode.
Known
10.1.3
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.3
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.3
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.3
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.3
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.3
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.3
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.3
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.3
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.3
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.3
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.3
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin> request restart software
Known
10.1.3
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.3
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.3
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions having been made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.1.3
PAN-194519
This issue is now resolved. See
PAN-OS 10.1.9 Addressed Issues
.
(
PA-5450 firewall only
) Trying to configure a custom payload format under
Device
Server Profiles
HTTP
yields a Javascript error.
Known
10.1.3
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.3
PAN-193518
All logs (
Monitor
Logs
) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.3
PAN-192403
This issue is now resolved. See
PAN-OS 10.1.6-h3 Addressed Issues
.
(
PA-5450 firewall only
) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.3
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.3
PAN-188052
Devices in FIPS-CC mode cannot connect to servers that use ECDSA-based SSH host keys, which breaks exporting logs (
Device
Scheduled Log Export
), exporting configurations (
Device
Scheduled Config Export
), or the
scp export
command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
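A pre-check for this workaround, added here as an example and not part of the release note or of any Palo Alto Networks tooling: before pointing a scheduled log or configuration export from a FIPS-CC firewall at a server, confirm that the server actually offers an RSA host key. The code parses ssh-keyscan style output (host, key type, base64 blob), cross-checks that the declared key type matches the type encoded at the start of the blob, and reports whether an RSA host key is present. The host name and key blobs below are constructed for the example; the blobs are not real keys.

```python
import base64
import struct


def _blob(key_type: str) -> str:
    """Build a base64 host-key blob that carries only the length-prefixed
    key-type string every SSH public key starts with (RFC 4253 'string'),
    padded with zeros. Constructed for this example; not a usable key."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 16
    return base64.b64encode(raw).decode()


# Constructed ssh-keyscan-style output for a hypothetical export target.
# ECDSA_ONLY is the failing case from the release note; WITH_RSA has the
# workaround applied (an RSA host key is offered as well).
ECDSA_ONLY = (
    "# logserver.example.net:22 SSH-2.0-OpenSSH_9.0\n"
    f"logserver.example.net ecdsa-sha2-nistp256 {_blob('ecdsa-sha2-nistp256')}\n"
)
WITH_RSA = ECDSA_ONLY + f"logserver.example.net ssh-rsa {_blob('ssh-rsa')}\n"


def declared_type_matches_blob(key_type: str, blob: str) -> bool:
    """The blob's first field is the key type; it must agree with the
    declared one, otherwise the line was edited or mis-pasted."""
    raw = base64.b64decode(blob)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n] == key_type.encode()


def parse_keyscan(text: str):
    """Return [(host, key_type, blob)] from ssh-keyscan output, skipping the
    '# host:port banner' comment lines and rejecting inconsistent entries."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed key line: {line!r}")
        host, key_type, blob = parts[:3]
        if not declared_type_matches_blob(key_type, blob):
            raise ValueError(f"{host}: declared {key_type} but blob disagrees")
        keys.append((host, key_type, blob))
    return keys


def host_key_families(text: str) -> set:
    """Collapse key-type names into the families the release note talks about."""
    families = set()
    for _, key_type, _ in parse_keyscan(text):
        if key_type == "ssh-rsa" or key_type.startswith("rsa-sha2-"):
            families.add("rsa")
        elif key_type.startswith("ecdsa-sha2-"):
            families.add("ecdsa")
        else:
            families.add("other")
    return families


def fips_cc_export_target_ok(text: str) -> bool:
    """True only when an RSA host key is offered, which is the workaround the
    release note gives for FIPS-CC firewalls; ECDSA-only targets fail."""
    return "rsa" in host_key_families(text)


if __name__ == "__main__":
    for label, sample in (("ECDSA only", ECDSA_ONLY), ("with RSA", WITH_RSA)):
        print(label, sorted(host_key_families(sample)), fips_cc_export_target_ok(sample))
```

Capture real input with ssh-keyscan -t rsa,ecdsa <server> from a host that can reach the export target and pass the text to fips_cc_export_target_ok(). A False result means the workaround above (an RSA host key on the destination) has not been applied yet.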
Known
10.1.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.1.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS 3.0.2.
Workaround:
Use
Commit
Push to Devices
to synchronize the templates.
Known
10.1.3
PAN-186282
Panorama deployed in active/passive high availability does not display dynamic address group match criteria received from AWS by the Panorama plugin for AWS 3.0.2.
Known
10.1.3
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.1.3
PAN-185286
This issue is now resolved. See
PAN-OS 10.1.7 Addressed Issues
.
(
PA-5400 Series firewalls only
) On the Panorama management server, the device health resources (
Panorama
Managed Devices
Health
) do not populate.
Known
10.1.3
PAN-182048
Shared device groups on Panorama do not learn IP address information received from AWS by the Panorama plugin for AWS 3.0.2.
Workaround:
When configuring a dynamic address group, specify an individual device group instead of selecting
Shared
.
Known
10.1.3
PAN-182010
On the Panorama management server, a managed firewall running any PAN-OS 10.1 version cannot reconnect to Panorama if the managed firewall was originally added to Panorama management using the device registration authentication key (
Panorama
Device Registration Auth Key
) and has the device certificate (
Device
Setup
Management
Device Certificate
) installed at the time of reconnect.
Known
10.1.3
PAN-181116
This issue is now resolved. See
PAN-OS 10.1.5 Addressed Issues
.
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.3
PAN-180661
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.1.3
PAN-178194
This issue is now resolved. See
PAN-OS 10.1.7 Addressed Issues
.
A UI issue in PAN-OS renders the contents of the
Inline ML
tab in the
URL Filtering Profile
inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.3
PAN-177455
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.3
PAN-176983
This issue is now resolved. See
PAN-OS 10.1.4 Addressed Issues
.
On the Panorama management server running PAN-OS 10.1.3 or a later release, adding a firewall running PAN-OS 10.1.3 or a later release to Panorama management is supported only from the firewall CLI.
Workaround:
Add the device registration authentication key from the firewall CLI.
  1. Add the firewall to Panorama and create the device registration authentication key on Panorama.
    Do not enter that device registration authentication key when configuring the Panorama IP settings in the firewall web interface.
  2. Log in to the firewall CLI and add the device registration authentication key.
    admin>
    request authkey set <auth key>
Known
10.1.3
PAN-175717
This issue is now resolved. See
PAN-OS 10.1.5 Addressed Issues
.
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround:
When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.3
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router are deleted, the configuration change does not sync.
Known
10.1.3
PAN-173509
This issue is now resolved. See
PAN-OS 10.1.5 Addressed Issues
.
Superuser administrators with read-only privileges (
Device
Administrators
and
Panorama
Administrators
) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin>
show system setting hardware-acl-blocking-enable
admin>
show system setting hardware-acl-blocking-duration
Known
10.1.3
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
admin>
request license fetch
Known
10.1.3
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.3
PAN-172132
This issue is now resolved by PAN-189643. See
PAN-OS 10.1.6 Addressed Issues
.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.3
PAN-172067
When you configure an HTTP server profile (
Device
Server Profiles
HTTP
or
Panorama
Server Profiles
HTTP
), the
Username
and
Password
fields are always required regardless of whether
Tag Registration
is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.3
PAN-172061
A process (
all_pktproc
) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.3
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.1.3
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.3
PAN-171714
This issue is now resolved. See
PAN-OS 10.1.7 Addressed Issues
.
If you use the NetBIOS format (
domain\user
) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.3
PAN-171706
This issue is now resolved. See
PAN-OS 10.1.11 Addressed Issues
.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.3
PAN-171673
On the Panorama management server, the
ACC
returns inaccurate results when you filter for
New App-ID
in the
Application
usage widget.
Known
10.1.3
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the
debug user-id clear domain-map
command to remove the existing group mappings from the firewall.
Known
10.1.3
PAN-171224
On the Panorama management server, a custom report (
Monitor
Managed Custom Reports
) with a high volume of unique data objects is not generated when you click
Run Now
.
Known
10.1.3
PAN-171145
If you edit or remove the value for the
mail
attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.3
PAN-171127
This issue is now resolved. See
PAN-OS 10.1.4 Addressed Issues
.
On the Panorama management server, custom reports (
Monitor
Manage Custom Reports
) for the
Device Application Statistics
and
Device Traffic Summary
databases display
null
for the Application fields.
Known
10.1.3
PAN-170923
In
Policies
Security
Policy Optimizer
New App Viewer
, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.3
PAN-170462
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (
Monitor
Reports
Application Reports
) or in the
Application
column of the
Application Usage
widget in
ACC
Network Activity
.
Known
10.1.3
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.3
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.3
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.3
PAN-168113
On the Panorama management server, you are unable to configure a master key (
Device
Master Key and Diagnostics
) for a managed firewall if an interface (
Network
Interfaces
Ethernet
) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.3
PAN-167847
If you issue the command
opof stats
, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the
opof stats
command after the offload completes.
Known
10.1.3
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.3
PAN-166464
This issue is now resolved. See
PAN-OS 10.1.6-h6 Addressed Issues
.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.3
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the
user in
value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.3
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.3
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.3
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.3
PAN-164647
On the Panorama management server, activating a license (
Panorama
Device Deployment
Licenses
) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.3
PAN-164618
The VM-Series firewall CLI and system logs display the license name
VM-SERIES-X
, while the user interface displays
VM-FLEX-X
(in both cases
X
is the number of vCPUs). In future releases the user interface will use the
VM-SERIES-X
format.
Known
10.1.3
PAN-164586
If you use a value other than
mail
for the user or group email attribute in the Cloud Identity Engine, it displays in
user@domain
format in the CLI output.
Known
10.1.3
PAN-163966
On the Panorama management server, the
ACC
and on demand reports (
Monitor
Manage Custom Reports
) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.3
PAN-162836
On the VM-Series firewall, if you select
Device
Licenses
Deactivate VM
a popup window opens and you can choose
Subscriptions
or
Support
and press
Continue
to remove licenses and register the changes with the license server. When the license removal is complete the
Deactivate VM
window does not update its text to exclude the deactivated licenses, nor does it close.
Workaround:
Wait until the license deactivation is complete, and click
Cancel
to close the window.
Known
10.1.3
PAN-162164
This issue is now resolved. See
PAN-OS 10.1.6 Addressed Issues
.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround:
Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.3
PAN-162088
This issue is now resolved. See
PAN-OS 10.1.9 Addressed Issues
.
On the Panorama management server in a high availability (HA) configuration, content updates (
Panorama
Dynamic Updates
) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you
Install
a content update and enable
Sync to HA Peer
.
Known
10.1.3
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the
No. of Groups
in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.3
PAN-161451
If you issue the command
opof stats
, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.3
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if a Tunnel Content Inspection (TCI) policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 and later releases can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a TCI policy.
Known
10.1.3
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.3
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (
Device
Setup
DLP
) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the
    Tasks
    to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and
    Commit
    Commit and Push
    to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.3
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command
debug dataplane pow status
to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         2    0    0    0    0    0    2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command
debug dataplane pow status
. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         1    1    0    0    0    0    2
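An added example (not from the release note and not Palo Alto Networks code) that automates the check described above: it parses the counter table printed by debug dataplane pow status and reports which channels carry ready_dvf work, so a script can tell the single-channel state from the working multi-channel state without a person reading the columns. The two sample tables are constructed from the counter rows shown on the page; the column spacing is assumed.

```python
# Constructed samples built from the counter rows the release note shows.
# SINGLE_CHANNEL: only channel 1 is busy (the broken state).
# MULTI_CHANNEL: channels 1 and 2 share the work (the expected state).
SINGLE_CHANNEL = """\
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         2    0    0    0    0    0    2
"""

MULTI_CHANNEL = """\
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         1    1    0    0    0    0    2
"""


def parse_pow_status(text: str) -> dict:
    """Return {counter_name: {column: value}} from the pow status table.

    Columns come from the 'Counter Name' header line, so the parser does not
    hard-code the number of channels. Each row is checked against its own
    Total column, which catches a truncated or mis-pasted capture."""
    columns = None
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or set(line.strip()) == {"-"}:
            continue                      # blank line or the dashed rule
        if tokens[:2] == ["Counter", "Name"]:
            columns = tokens[2:]          # e.g. ['1', ..., '6', 'Total']
            continue
        if columns is None:
            continue                      # title line(s) before the header
        name, values = tokens[0], tokens[1:]
        if len(values) != len(columns):
            raise ValueError(f"row {name!r}: {len(values)} values for {len(columns)} columns")
        row = {col: int(v) for col, v in zip(columns, values)}
        if "Total" in row:
            per_channel = sum(v for col, v in row.items() if col != "Total")
            if per_channel != row["Total"]:
                raise ValueError(f"row {name!r}: channels sum to {per_channel}, Total is {row['Total']}")
        table[name] = row
    if columns is None:
        raise ValueError("no 'Counter Name' header found in pow status output")
    return table


def active_channels(text: str, counter: str = "ready_dvf") -> list:
    """Channel numbers whose counter is non-zero, in ascending order."""
    row = parse_pow_status(text)[counter]
    return sorted(int(col) for col, v in row.items() if col != "Total" and v > 0)


def multichannel_ok(text: str, counter: str = "ready_dvf") -> bool:
    """True when more than one channel is carrying work for the counter."""
    return len(active_channels(text, counter)) > 1


if __name__ == "__main__":
    for label, sample in (("before", SINGLE_CHANNEL), ("after", MULTI_CHANNEL)):
        print(label, active_channels(sample), multichannel_ok(sample))
```

Paste the real output of debug dataplane pow status into the function in place of the constructed samples; a False from multichannel_ok() after the NSX-V policy reapply and reboot means the workaround has not taken effect.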
Known
10.1.3
PAN-156598
(
Panorama only
) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.3
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (
Commit
Commit to Panorama
) failures if a custom report (
Monitor
Manage Custom Reports
) is configured to Group By
Session ID
.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.3
PAN-154034
On the Panorama management server, the Type column in the System logs (
Monitor
Logs
System
) for managed firewalls running a PAN-OS 9.1 release erroneously display
iot
as the type.
Known
10.1.3
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1,
Remove Config
(
Panorama
Plugins
) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.3
PAN-153803
On the Panorama management server, scheduled email PDF reports (
Monitor
PDF Reports
) fail if a GIF image is used in the header or footer.
Known
10.1.3
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as
Done
even though the report jobs generated from logs in the Cortex Data Lake (CDL) for the PODamericas Collector Group are still in a
Running
state.
Known
10.1.3
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.3
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.3
PAN-151198
On the Panorama management server, read-only Panorama administrators (
Panorama
Administrators
) can load managed firewall configuration Backups (
Panorama
Managed Devices
Summary
).
Known
10.1.3
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.3
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.3
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.3
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.3
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.3
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an
Invalid term
error.
Workaround:
Specify
iot
as the
Type Attribute
to filter the logs and use the search term as the
Description Attribute
. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
.
Known
10.1.3
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.3
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the
VLD
and
logd
processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the
VLD
and
logd
processes.
Known
10.1.3
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.3
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (
Panorama
SD-WAN
Devices
) does not display the branch template stack as
out of sync
.
Additionally, adding, deleting, or modifying the BGP configuration (
Panorama
SD-WAN
Devices
) does not display the hub and branch template stacks as
out of sync
. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as
out of sync
nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as
out of sync
.
Workaround:
After performing a configuration change,
Commit and Push
the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.3
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit
the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.3
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (
Panorama
Managed Devices
Summary
) as
Out of Sync
.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and
Force Template Values
(
Commit
Push to Devices
Edit Selections
).
Known
10.1.3
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.3
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.3
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.3
PAN-140008
ElasticSearch is forced to restart when the
masterd
process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.3
PAN-136763
On the Panorama management server, managed firewalls display as
disconnected
when installing a PAN-OS software update (
Panorama
Device Deployment
Software
) but display as
connected
when you view your managed firewalls Summary (
Panorama
Managed Devices
Summary
) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.3
PAN-135742
There is an issue in HTTP/2 session decryption where the App-ID in the Decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.3
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.3
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (
Objects
Address Groups
) and duplicate services in service groups (
Objects
Service Groups
) when created from the CLI.
Known
10.1.3
PAN-130550
(
PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls
) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.3
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.3
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.3
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.3
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.3
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.3
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.3
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the M-500 Eth1/1 IP address as the new PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.3
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
10.1.3
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.3
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.3
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.3
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.3
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.3
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.3
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.3
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.3
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.3
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.3
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.3
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.3
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.3
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.3
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.3
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.3
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.3
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.3
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.3
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.3
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.3
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.3
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.3
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.3
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.3
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.3
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks (installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known
10.1.3
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.3
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.3
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.3
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.3
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.3
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.3
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.3
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.3
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.3
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.3
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.3
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.3
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.3
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.3
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.3-h3
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.3-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.3-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.3-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.3-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.3-h2
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.3-h2
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.3-h1
PAN-182010
Fixed an issue on Panorama where a managed firewall running a PAN-OS 10.1 version did not reconnect to Panorama. This issue occurred when a managed firewall was added to Panorama management using the device registration authentication key and also had the device certificate installed at the time of the reconnect.
Addressed
10.1.3
—
Fixed a Denial-of-Service (DoS) vulnerability in the GlobalProtect portal and gateway (CVE-2021-3063).
Addressed
10.1.3
PAN-179112
Enhancements were added to improve system stability and debuggability.
Addressed
10.1.3
PAN-178190
Fixed an issue where the firewall incorrectly set the disk quota cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0 release. With this fix, the log disk quota will be retained correctly after upgrade.
Addressed
10.1.3
PAN-177941
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.1.3
PAN-177892
Fixed a memory leak issue where panio failed to start, which resulted in dp-monitor failing to capture the complete panio output.
Addressed
10.1.3
PAN-177881
Fixed an issue where VLAN tags were not properly processed in Layer 2 switching mode between interfaces with different tags.
Addressed
10.1.3
PAN-176862
(VM-Series firewalls only) Fixed an issue where the firewall didn't attempt to connect to a log collector when the management IP address used DHCP.
Addressed
10.1.3
PAN-176661
Fixed an issue in Simple Certificate Enrollment Protocol (SCEP) (CVE-2021-3060).
Addressed
10.1.3
PAN-176655 and PAN-158334
A fix was made to address an OS command injection vulnerability in the PAN-OS CLI that enabled an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges (CVE-2021-3061).
Addressed
10.1.3
PAN-176653
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator with permissions to use XML API to execute arbitrary OS commands to escalate privileges (CVE-2021-3058).
Addressed
10.1.3
PAN-176618
A fix was made to address an OS command injection vulnerability in PAN-OS that existed when performing dynamic updates (CVE-2021-3059).
Addressed
10.1.3
PAN-176433
Fixed an issue where the Zero Touch Provisioning (ZTP) plugin on Panorama was unable to sync with the ZTP service and displayed the following error message: Failed to fetch sync status.
Addressed
10.1.3
PAN-176277
Fixed a timing issue that impacted tunnel renegotiation and monitoring.
Addressed
10.1.3
PAN-176026
Fixed an issue where connections from firewalls running PAN-OS 10.1.0 to a Panorama appliance running PAN-OS 10.1.0 broke unexpectedly.
Addressed
10.1.3
PAN-175652
Fixed an issue where SSL decryption failed for websites when they were accessed from Google Chrome version 92 or higher.
Addressed
10.1.3
PAN-174843
Fixed an issue where a process (logd) stopped responding.
Addressed
10.1.3
PAN-174671
Fixed an issue with incorrect measurement of packet buffer protection latency.
Addressed
10.1.3
PAN-174587
Fixed an issue where, in the case of multiple AWS Partner Network (APN) connections, the GPRS Tunneling Protocol (GTPv2) Create Session Requests were sent to the firewall within a short interval, which caused the firewall to create the GTP-sessions incorrectly.
Addressed
10.1.3
PAN-174448
Fixed an issue where ZTP configurations weren't removed after disabling them, which resulted in predefined configurations being loaded after a reboot.
Addressed
10.1.3
PAN-174201
Fixed an issue where, when logs were in the burst list, the vldmgr process stopped responding after upgrading to PAN-OS 10.1.0.
Addressed
10.1.3
PAN-174200
Fixed an issue where a role-based admin user was unable to edit, add, or view interfaces if dashboard permissions were disabled.
Addressed
10.1.3
PAN-173828
(PA-7000 Series firewalls with 20GQ Network Processing Cards (NPCs) only) Fixed an issue in high availability (HA) active/passive configurations where data ports on the passive firewall sent out packets, which caused a MAC flap on upstream firewalls.
Addressed
10.1.3
PAN-173157
Fixed an issue with the HA1 monitor hold timer where the configured value was not assigned to the HA1 backup interface, so the backup interface used the default hold timer (3000 milliseconds), which resulted in failover events taking longer than expected.
Addressed
10.1.3
PAN-173076
(Panorama appliances in FIPS mode only) Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options from the Clientless VPN.
Addressed
10.1.3
PAN-172580
Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects.
Addressed
10.1.3
PAN-172208
(PA-5450 firewalls only) Fixed a rare issue where the firewall reloaded while handling high stress SSL traffic when CPU utilization reached 100% or the packet broker capacity exceeded 40%.
Addressed
10.1.3
PAN-172171
Fixed an issue where a Passive PA-5450 firewall in an Active/Passive HA configuration using Auto mode would get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure system failure.
Addressed
10.1.3
PAN-172091
Fixed an issue where, when you configured a virtual system (vsys) as a User-ID hub, and a firewall that receives IP address-to-username mapping from the hub had a Security policy that includes a QoS policy rule, the firewall did not match the user to the QoS policy rule if the traffic attempted to access a vsys that was not the hub.
Addressed
10.1.3
PAN-170574
(Panorama appliances on Microsoft Azure and Amazon Web Services (AWS) only) Fixed an issue where Panorama sent 127.0.0.1 as the NAS-IP-Address in RADIUS messages.
Addressed
10.1.3
PAN-170466
Fixed a memory reference issue related to the devsrvr process that caused the process to stop responding.
Addressed
10.1.3
PAN-169793
Fixed an issue where using cookies to authenticate MacOS users didn't work due to the client agent not providing the phpsessionid set from the sent GlobalProtect messages during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
Addressed
10.1.3
PAN-169687
Fixed an issue where SNMP returned an improper status for an unsupported interface type.
Addressed
10.1.3
PAN-169105
Fixed an issue on the Panorama web interface where a Network File System (NFS) storage partition displayed the incorrect storage size.
Addressed
10.1.3
PAN-168261
Fixed a cosmetic issue where the WildFire submission log displayed the sha256 of the original email link.
Addressed
10.1.3
PAN-167849
Fixed an issue where URL-Filtering incorrectly identified the firewall serial number in the certificate Common Name field as the IP address.
Addressed
10.1.3
PAN-167266
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
Addressed
10.1.3
PAN-166978
Fixed an issue where the URL-Filtering cloud connection failed with the following error message: bind failed with errno 97.
Addressed
10.1.3
PAN-166202
Fixed an issue with an extra character in HTTP Strict Transport Security (HSTS) regression tests when accessing the GlobalProtect gateway.
Addressed
10.1.3
PAN-165433
Fixed an intermittent issue where Cortex Data Lake failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.
Addressed
10.1.3
PAN-163448
Fixed an issue when using ixgb drivers with SR-IOV and DPDK that caused OSPF multicast traffic to be filtered by the physical function driver.
Addressed
10.1.3
PAN-162936
Fixed an issue where the all_pktproc process stopped responding on GTP-U session traffic when attempting to send out packets held in software buffers.
Addressed
10.1.3
PAN-162374
Fixed an issue where the firewall rebooted unexpectedly and displayed the following message: Reboot SYSTEM REBOOT Masterd Initiated.
Addressed
10.1.3
PAN-161940
Fixed an issue where the firewall did not honor the peer RX interval timeout in a Bidirectional Forwarding Detection (BFD) INIT state.
Addressed
10.1.3
PAN-157962
Fixed an issue where IPv6 prefixes were advertised via IPv4 BGP peering when MP-BGP was not enabled.
Known
10.1.4
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.4
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.4
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.4
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.4
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.4
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.4
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.4
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.4
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.4
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.4
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.4
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.4
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.4
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.4
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.4
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.4
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.4
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.4
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.4
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.4
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.4
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.4
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.4
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.4
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin> request restart software
Known
10.1.4
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.4
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.4
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.4
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.1.4
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.4
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.4
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.4
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.4
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.4
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chance that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.1.4
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.4
PAN-181116
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.4
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.4
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.4
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.4
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround:
When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.4
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.4
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.
Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.4
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.4
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.4
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.4
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.4
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.4
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.4
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.4
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.4
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.4
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.4
PAN-171635
If you have an on-premise Active Directory and an existing group mapping configuration on the firewall, migrating the group mapping to the Cloud Identity Engine does not remove the existing group mapping from the firewall, even if the configuration is disabled and the firewall is rebooted. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.4
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.4
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.4
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.4
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget in ACC > Network Activity.
Known
10.1.4
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.4
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.4
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.4
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.4
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.4
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.4
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.4
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.4
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.4
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.4
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.4
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.4
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.4
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.4
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.4
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.4
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround:
Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.4
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.4
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.4
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.4
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.4
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.4
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.4
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name        1   2   3   4   5   6   Total
---------------------------------------------
ready_dvf           2   0   0   0   0   0   2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name        1   2   3   4   5   6   Total
---------------------------------------------
ready_dvf           1   1   0   0   0   0   2
Known
10.1.4
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.4
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.4
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.4
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.4
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.4
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.4
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.4
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.4
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.4
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.4
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.4
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.4
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.4
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.4
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.4
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.4
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.4
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.4
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.4
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.4
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.4
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.4
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.4
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
Known
10.1.4
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.4
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.4
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.4
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.4
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.4
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.4
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.4
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.4
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.4
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.4
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.4
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall devsrvr process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.4
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.4
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.4
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.4
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.4
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.4
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.4
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.4
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.4
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.4
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.4
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.4
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.4
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.4
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.4
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.4
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.4
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.4
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.4
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.4
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.4
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.4
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.4
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.4
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.4
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.4
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.4
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.4
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.4
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.4
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.4
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.4
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.4
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.4
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.4
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.4
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.4
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.4
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.4
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.4
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.4
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.4
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.4
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.4-h6
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.4-h6
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.4-h6
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.4-h6
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.4-h6
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.4-h4
PAN-187438
(PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.1.4-h4
PAN-185750
Fixed pan_comm software failures that caused the dataplane to restart unexpectedly.
Addressed
10.1.4-h4
PAN-181116
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, GlobalProtect tunnels fell back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Addressed
10.1.4-h2
PAN-184445
Fixed an issue where, after upgrading Panorama and enabling Share Unused Address and Service Objects with Devices, address objects using tags to dynamic address groups were removed after a full commit.
Addressed
10.1.4-h2
PAN-178381
Fixed an issue on Panorama where logs didn't display under the Monitor tab and the Elasticsearch process did not work after upgrading to a PAN-OS 10.1 release.
Addressed
10.1.4
PAN-183767
Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at us-static.updates.paloaltonetworks.com.
Addressed
10.1.4
PAN-183274
(PA-400 Series firewalls only) Fixed a rare issue where abnormal power downs occurred.
Addressed
10.1.4
PAN-181309
Fixed an issue where Panorama was inaccessible due to the configd process not responding.
Addressed
10.1.4
PAN-180511
(PA-400 Series and PA-5400 Series firewalls only) Fixed an issue where technical support file generation restarted the firewall.
Addressed
10.1.4
PAN-180402
Fixed an issue where a null tunnel configuration pointer caused a process (tund) to stop responding.
Addressed
10.1.4
PAN-178953
Fixed an issue with the GlobalProtect Clientless VPN where, when an application sent a negative max age value on a cookie, part of the cookie was retained by PAN-OS and used for the subsequent connection on the user session.
Addressed
10.1.4
PAN-178190
Fixed an issue where the firewall incorrectly set the disk quota cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0 release. With this fix, the log disk quota is retained correctly after upgrade.
Addressed
10.1.4
PAN-178047
(CN-Series firewalls only) Fixed an issue where propagating IP address tag mappings to the firewall took longer than expected, which resulted in traffic not matching Security policy rules with Dynamic Address Groups.
Addressed
10.1.4
PAN-177119
Fixed an issue with the GlobalProtect gateway where SMS-message-based multi-factor authentication (MFA) did not display a prompt to enter the authentication code.
Addressed
10.1.4
PAN-176983
(Panorama management server on PAN-OS 10.1.3 or a later release only) Fixed an issue where adding a firewall on PAN-OS 10.1.3 or a later release to Panorama management was only supported from the firewall CLI.
Addressed
10.1.4
PAN-176392
(PA-7000 Series firewall only) Fixed an issue where persistent sessions did not properly age out when removing a Data Processing Card (DPC).
Addressed
10.1.4
PAN-176341
Fixed an issue where a delay to detect when an interface was down after a cable pull caused traffic to be black-holed to the downed link for 10 or more seconds.
Addressed
10.1.4
PAN-176283
(PA-7000 Series firewalls with Data Processing Cards (DPCs) only) Fixed an issue where packet loss occurred when quality of service was enabled on an aggregate interface.
Addressed
10.1.4
PAN-176118
Fixed an issue where firewalls configured with a mixed mode of interfaces stopped processing Layer-3-tagged traffic.
Addressed
10.1.4
PAN-176054
Fixed an intermittent issue where users did not have access to resources due to a HIP check failure that was caused by the HIP data not being synced between the management plane and the dataplane.
Addressed
10.1.4
PAN-175923
Fixed an issue where a process (tund) stopped responding when enabling IPSec tunnel monitoring.
Addressed
10.1.4
PAN-174886
Fixed an issue where scheduled custom reports displayed as empty when the configured destination was an address group.
Addressed
10.1.4
PAN-174345
Fixed an issue where a process (all_pktproc) stopped responding after upgrading the firewall.
Addressed
10.1.4
PAN-174055
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Addressed
10.1.4
PAN-173978
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
Addressed
10.1.4
PAN-173973
(PA-7000 Series firewalls only) Fixed an issue where flaps occurred when Link State Pass Through was enabled.
Addressed
10.1.4
PAN-173216
Fixed an issue where the firewall incorrectly handled HTML pages when accessed via the GlobalProtect Clientless VPN.
Addressed
10.1.4
PAN-172464
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
Addressed
10.1.4
PAN-172200
Fixed an issue where a process (configd) restarted due to memory corruption in the show dynamic-address-group CLI command during commits, commit and push operations, and high availability Panorama syncs.
Addressed
10.1.4
PAN-172179
(PA-7000b firewalls only) Fixed an issue where, when GTP-U tunnel acceleration was enabled but Mobile Network Protection was not enabled on the corresponding policy, GPRS tunneling protocol (GTP-U) traffic was dropped.
Addressed
10.1.4
PAN-171696
(PA-800 and PA-400 Series firewalls and PA-220 firewalls only) Fixed an issue where the management plane CPU was incorrectly reported to be high.
Addressed
10.1.4
PAN-171380
Fixed an issue where loading configuration versions in Panorama added unnecessary IDs to the configuration.
Addressed
10.1.4
PAN-171174
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
Addressed
10.1.4
PAN-171127
Fixed an issue on Panorama where custom reports (Monitor > Manage Custom Reports) for the Device Application Statistics and Device Traffic Summary databases displayed null for the Application field.
Addressed
10.1.4
PAN-171104
Fixed an issue where a race-condition check returned a false negative, which caused a process (all_task) to stop responding and generate a core file.
Addressed
10.1.4
PAN-170997
Fixed an issue where FQDN service routes were not installed after a system reboot.
Addressed
10.1.4
PAN-169300
Debug logs were added to troubleshoot WildFire submission issues.
Addressed
10.1.4
PAN-169173
Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of Dynamic Address Groups, Panorama became unresponsive and commits were slower than expected.
Addressed
10.1.4
PAN-165235
Fixed an issue where the handover handling between LTE and 3G on S5 and S8 to Gn/Gp was not working properly and led to stateful inspection failures.
Addressed
10.1.4
PAN-164450
Fixed an intermittent issue where the firewall dropped GTPv2 Create Session Response packets with the cause Partially Accepted.
Addressed
10.1.4
PAN-164335
Fixed an issue that caused false positives on GTPv2 vulnerability signatures.
Addressed
10.1.4
PAN-163692
Fixed an issue where the firewall did not create new GTP-C sessions when a Create Session Request message was retransmitted and a completely new Create Session Response message was returned.
Addressed
10.1.4
PAN-163261
Fixed an intermittent issue where the firewall dropped GTPv2 Modify Bearer Request packets with the following error message:
Abnormal GTPv2-C message with missing mandatory IE
Addressed
10.1.4
PAN-161496
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to pan_in_cksm32_diff overflowed the 32-bit integer.
Known
10.1.5
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.5
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.5
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.5
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.5
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.5
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.5
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.5
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.5
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.5
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.5
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.5
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.5
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.5
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.5
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.5
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.5
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.5
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.5
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.5
PAN-215679
After installing the VM-Series firewall on Azure Stack HCI or Hyper-V, the memory usage increases to 70%.
Known
10.1.5
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.5
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.5
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.5
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.5
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.5
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin> request restart software
Known
10.1.5
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.5
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.5
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.5
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.5
PAN-196309
(PA-5450 firewall only) In PAN-OS 10.1.5-h1, a firewall configured with a Policy-Based Forwarding policy flaps when a commit is performed, even when the next hop is reachable.
Known
10.1.5
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.1.5
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.5
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.5
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.5
PAN-191558
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
After an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Known
10.1.5
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.5
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server, Panorama enters a non-functional state due to the php.debug.log file taking up too much space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  2. Uncheck (disable) Debug or Clear Debug.
  3. (HA configuration) Repeat this step on each Panorama high availability (HA) peer if Panorama is in an HA configuration.
Known
10.1.5
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), or the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.5
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.5
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.5
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.5
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.5
PAN-175022
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
The PAN-OS web interface table of contents do not display or the help contents reload continuously.
Known
10.1.5
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.5
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.5
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.5
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.5
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.5
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.5
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.5
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.5
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.5
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.5
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.5
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround: Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.5
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.5
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.5
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.5
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget in ACC > Network Activity.
Known
10.1.5
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.5
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.5
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.5
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.5
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.5
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.5
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.5
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.5
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.5
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.5
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.5
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.5
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.5
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.5
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.5
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround: Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.5
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround:
Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.5
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.5
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.5
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.5
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.5
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.5
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.5
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround: Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       1  1  0  0  0  0  2
Known
10.1.5
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.5
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.5
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.5
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.5
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.5
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.5
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.5
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.5
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.5
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.5
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.5
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.5
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.5
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.5
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.5
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.5
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.5
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.5
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.5
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.5
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.5
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.5
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.5
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, which delays log queries and log ingestion.
Known
10.1.5
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.5
PAN-135742
There is an issue in HTTP/2 session decryption where the App-ID recorded in the Decryption log is the App-ID of the parent session (which is web-browsing) rather than the App-ID of the decrypted child session.
Known
10.1.5
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.5
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) or duplicate services in service groups (Objects > Service Groups) when they are created from the CLI.
Known
10.1.5
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation for inter-vsys traffic.
Known
10.1.5
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub-and-spoke model, where branches do not communicate with each other. Branch routes are expected to be generic prefixes, which can be configured on the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any branch-specific prefixes to the hub advertise-list configuration.
Known
10.1.5
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.5
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.5
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.5
PAN-120440
There is an issue on M-500 Panorama management servers where an Ethernet interface with an IPv6 address that provides Private PAN-DB-URL connectivity accepts the address only when it is written with all eight groups, in the following format:
2001:DB9:85A3:0:0:8A2E:370:2
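The following script is added here as an example and is not part of the Palo Alto Networks release notes. It rewrites any valid IPv6 address into the eight-group form shown above so that it can be entered on the M-500 interface, and reports whether an address is already in that form. The exact rule (every group written out, no :: compression, no leading zeros within a group, upper case) is inferred from the single example in the known issue and is an assumption.

```python
import ipaddress


def to_pandb_ipv6_format(addr: str) -> str:
    """Rewrite an IPv6 address into the eight-group form from PAN-120440.

    IPv6Address.exploded expands '::' and pads every group to four hex
    digits; the known-issue example (2001:DB9:85A3:0:0:8A2E:370:2) has no
    leading zeros and is upper case, so each group is re-rendered as a bare
    upper-case hex number. Raises ValueError for anything that is not an
    IPv6 address.
    """
    groups = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(f"{int(group, 16):X}" for group in groups)


def is_pandb_ipv6_format(addr: str) -> bool:
    """True when addr is already written exactly as the M-500 accepts it."""
    try:
        return to_pandb_ipv6_format(addr) == addr
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the compressed form an operator would normally type,
    # and the form the known issue says the M-500 requires.
    for candidate in ("2001:db9:85a3::8a2e:370:2", "2001:DB9:85A3:0:0:8A2E:370:2"):
        print(candidate, "->", to_pandb_ipv6_format(candidate),
              "(already accepted)" if is_pandb_ipv6_format(candidate) else "(needs rewriting)")
```

Run it over the addresses in a template before pushing them; an address that comes back "needs rewriting" should be replaced with the converted value.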
Known
10.1.5
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.5
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address of the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.5
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
10.1.5
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot the firewall.
Workaround:
Reboot the firewall.
Known
10.1.5
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.5
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.5
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.5
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
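The workaround above, as an added example that is not Palo Alto Networks code: the script builds the User-ID XML API unregister message for a subnet and a range, parses it back so the request can be reviewed before it is sent, and posts it to the firewall's /api/ endpoint with type=user-id. The firewall hostname, API key, CA file, subnet, range and tag names are placeholders to replace with your own; the message layout follows the documented uid-message format.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List


def build_unregister_message(entries: Dict[str, List[str]]) -> str:
    """Build a User-ID XML API <uid-message> that unregisters tags.

    entries maps an address as it was registered (a host IP, a subnet such as
    10.1.1.0/24, or a range such as 10.1.2.1-10.1.2.50) to the tags to remove.
    Unregistering is per tag: an entry keeps any tag that is not listed here.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    unregister = ET.SubElement(ET.SubElement(root, "payload"), "unregister")
    for address, tags in entries.items():
        tag_list = ET.SubElement(ET.SubElement(unregister, "entry", ip=address), "tag")
        for tag in tags:
            ET.SubElement(tag_list, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_unregister_message(message: str) -> Dict[str, List[str]]:
    """Inverse of build_unregister_message, for checking a request before sending it."""
    root = ET.fromstring(message)
    return {
        entry.get("ip"): [member.text for member in entry.findall("tag/member")]
        for entry in root.findall("payload/unregister/entry")
    }


def response_ok(body: str) -> bool:
    """The XML API wraps every reply in <response status="success|error">."""
    return ET.fromstring(body).get("status") == "success"


def send_uid_message(host: str, api_key: str, message: str, cafile: str) -> bool:
    """POST the message to the firewall's User-ID API endpoint.

    host, api_key and cafile are the operator's own values (assumed here);
    cafile is the CA that signed the firewall's management certificate, so TLS
    verification stays on instead of being disabled for a self-signed cert.
    """
    form = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": message}).encode()
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(f"https://{host}/api/", data=form, context=ctx, timeout=30) as resp:
        return response_ok(resp.read().decode())


if __name__ == "__main__":
    # Constructed example: drop the quarantine tag from a subnet and a range.
    msg = build_unregister_message({
        "10.1.1.0/24": ["quarantine"],
        "10.1.2.1-10.1.2.50": ["quarantine", "needs-scan"],
    })
    print(msg)
    print(parse_unregister_message(msg))
    # send_uid_message("fw.example.net", "<api-key>", msg, "/etc/ssl/certs/fw-mgmt-ca.pem")
```

Confirm the result afterwards with show object registered-ip all on the firewall; the dynamic address group membership updates without a commit because registered-ip mappings are not part of the candidate configuration.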
Known
10.1.5
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.5
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.5
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.5
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.5
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.5
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.5
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.5
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 Update 1 causes the Panorama virtual appliance and the host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 Update 2 and add the disk again.
Known
10.1.5
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Note that this command clears every registered IP address-to-tag mapping on the firewall, not only the mappings that came from the removed Device Group, so any dynamic address group that depends on registered IP addresses empties until the mappings are registered again.
Known
10.1.5
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall returns only the address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.5
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.5
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.5
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.5
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.5
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.5
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.5
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.5
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.5
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.5
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.5
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.5
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
10.1.5
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.5
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (the default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only using the set session udp-offload no CLI command.
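An added check, not from the release notes: the known issue says the firewall "resets" the UDP checksum without saying to what, so a capture taken behind the firewall is the only way to see what arrives. This script recomputes the RFC 768 checksum for an IPv4/UDP packet and distinguishes a zeroed checksum (legal for IPv4 UDP, but it removes the end-to-end integrity check) from a mismatched one. The addresses, ports and payload are constructed for the example and the ok/zero/bad labels are this example's own.

```python
import struct
from typing import Optional

UDP_PROTO = 17


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment.

    The checksum field inside udp_segment is treated as zero, so the same
    function both produces a checksum and verifies a received one.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - _ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF


def classify_udp_checksum(packet: bytes) -> str:
    """Return 'ok', 'zero' or 'bad' for the UDP checksum in one IPv4 packet.

    'zero' means the field was cleared (checksum omitted); 'bad' means the
    field is set but does not match the segment, which is what a rewritten
    or stale checksum looks like on the wire.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != UDP_PROTO:
        raise ValueError("not an IPv4/UDP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:total_len]
    found = struct.unpack("!H", udp[6:8])[0]
    if found == 0:
        return "zero"
    return "ok" if found == udp_checksum(src, dst, udp) else "bad"


def build_udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                     payload: bytes, checksum: Optional[int] = None) -> bytes:
    """Constructed IPv4/UDP packet for testing; checksum=None fills in the correct value."""
    src = bytes(int(octet) for octet in src_ip.split("."))
    dst = bytes(int(octet) for octet in dst_ip.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTO, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", 0xFFFF - _ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp


if __name__ == "__main__":
    # Constructed sample: a correct packet, one with the checksum cleared, one rewritten.
    good = build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"ping")
    for label, pkt in (("good", good),
                       ("cleared", build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"ping", checksum=0)),
                       ("rewritten", build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"ping", checksum=0x1234))):
        print(label, classify_udp_checksum(pkt))
```

To run it over a real capture, strip the 14-byte Ethernet header from each frame and pass the IPv4 packet; only a capture taken on the far side of the firewall shows what the offload engine emitted, because a capture on the sending host still carries the checksum the host computed.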
Known
10.1.5
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.5
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.5
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.5
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.5
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.5
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.5
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.5
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.5
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.5
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.5
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.5
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.5
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the output of the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.5-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.5-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.5-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.5-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.5-h4
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.5-h3
PAN-202450
Fixed an issue where the
device-client-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.5-h3
PAN-198372
Fixed an issue where the
root-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.5-h2
PAN-191629
(PA-5450 firewalls only) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.1.5-h2
PAN-190660
Fixed an issue where the vld process stopped responding when Elasticsearch had no data.
Addressed
10.1.5-h2
PAN-190644
Fixed an issue where Elasticsearch removed indices earlier than the configured retention period.
Addressed
10.1.5-h2
PAN-190409
(PA-5450 and PA-3200 Series firewalls that use an FE101 processor only) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. With the fix, you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE).
tuple is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm in use:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.1.5-h2
PAN-189375
Fixed an issue where, when migrating the firewall, the firewall dropped packets when trying to re-use the TCP session.
Addressed
10.1.5-h2
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions while the session_alloc_failure counter incremented. This was caused by a GPRS tunneling protocol (GTP-U) tunnel session aging issue.
Addressed
10.1.5-h2
PAN-183529
(PA-5450 firewalls only) Fixed an issue where upgrading the firewall created corrupted log records, which caused the logrcvr process to fail. As a result, the auto-commit required to bring up the firewall after a reboot failed and the firewall became unresponsive.
Addressed
10.1.5-h2
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.1.5-h1
PAN-190175 and PAN-190223
Fixed an OpenSSL vulnerability in the PAN-OS software (CVE-2022-0778, an infinite loop in BN_mod_sqrt() that can be triggered by parsing a certificate with crafted explicit elliptic-curve parameters).
Addressed
10.1.5-h1
PAN-189643
Fixed an issue where, when QoS was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.1.5-h1
PAN-178450 and PAN-177905
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.1.5
PAN-189769
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where, when a single firewall was the backend of multiple GWLBs, packets were re-encapsulated with an incorrect source IP address.
Addressed
10.1.5
PAN-189665
(FIPS-CC enabled firewalls only) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
Addressed
10.1.5
PAN-189468
Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine could generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This could result in resource-unavailable messages because the content inspection queue filled up. Factors that increase the likelihood of an occurrence include content-inspection-based features configured in a way that might process thousands of packets in rapid succession (such as SMB file transfers). This could cause poor performance for the affected session and for other sessions using the same packet processor. PA-3000 Series and VM-Series firewalls are not impacted.
Addressed
10.1.5
PAN-189230
(VM-Series firewalls only) Fixed an issue that caused the pan_task process to stop responding with a floating point exception (FPE) when a modulo operation on the queue number used a divisor of 0.
Addressed
10.1.5
PAN-188883
Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.
Addressed
10.1.5
PAN-187894
(VM-Series firewalls only) Fixed an issue with vm_license_response.log that consumed a large portion of the root partition.
Addressed
10.1.5
PAN-187769
(VM-Series firewalls in Microsoft Azure environments only) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred when a hot plug of Accelerated Networking interfaces on the Azure backend, caused by host updates, led to Virtual Function unregister/register messages on the VM side.
Addressed
10.1.5
PAN-187438
(PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.1.5
PAN-186785
Fixed an issue where Panorama displayed a 500 error page five minutes after login for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.
Addressed
10.1.5
PAN-186725
Fixed an issue where index creation failed when Elasticsearch attempted to create a new index with a duplicate index name.
Addressed
10.1.5
PAN-186646
(PA-5400 Series firewalls only) Fixed an issue where traffic flow through IKE NAT-T IPSec site-to-site tunnels broke on tunnel rekey with multiple data processing cards (DPC).
Addressed
10.1.5
PAN-186516
Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.
Addressed
10.1.5
PAN-186402
(PA-440 Series firewalls only) Fixed an issue where the firewall's maximum tunnel limit was incorrect.
Addressed
10.1.5
PAN-185750
Fixed pan_comm software failures that caused the dataplane to restart unexpectedly.
Addressed
10.1.5
PAN-185726
Fixed an issue where the dataplane exited during IPSec encapsulation and decapsulation offload operations.
Addressed
10.1.5
PAN-185695
(PA-5400 Series firewalls only) Fixed an issue where up to 75% traffic loss occurred on GlobalProtect tunnels with multiple DPCs.
Addressed
10.1.5
PAN-185359
Fixed an issue where you were unable to reference shared address objects as a BGP peer address (Virtual Router > BGP > Peer Group > Peer Address).
Addressed
10.1.5
PAN-185164
Fixed an issue where processing corrupted IoT messages caused the wificlient process to restart.
Addressed
10.1.5
PAN-185163
Fixed an issue where the distributord process hit the file descriptor (FD) limit, which caused User-ID redistribution to stop functioning properly.
Addressed
10.1.5
PAN-184761
Fixed an issue where Security policies were deleted on managed devices upon a successful push from Panorama to multiple device groups. This occurred when the Security policies had device_tags selected in the target section.
Addressed
10.1.5
PAN-184445
Fixed an issue where, after upgrading Panorama, tagged address objects used in dynamic address groups were removed after a full commit and push. This issue occurred when the Share Unused Address and Service Objects with Devices setting was left unchecked.
Addressed
10.1.5
PAN-184432
Fixed an issue where the logrcvr process stopped responding due to a heartbeat failure that was caused by sysd nodes being stuck on logdb_writers for system, configuration, and alarm logs.
Addressed
10.1.5
PAN-184224
Fixed an issue on Panorama where you were unable to select a template variable in Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location.
Addressed
10.1.5
PAN-184076
Fixed an issue on the firewall web interface where logs were delayed when querying for logs.
Addressed
10.1.5
PAN-184047
Fixed an issue where Terminal Service agent (TS agent) connections with a certificate profile and the certificate chain on the TS agent failed. This occurred because common name validation and key usage checks were being performed on the root or intermediate certificate.
Addressed
10.1.5
PAN-183774
Fixed a memory leak in the mgmtsrvr process, which resulted in an out-of-memory (OOM) condition and high availability (HA) failover.
Addressed
10.1.5
PAN-183428
Fixed an issue where, when exporting or pushing a device configuration bundle from Panorama, a validation error occurred with GlobalProtect gateway inactivity logout time.
Addressed
10.1.5
PAN-183239
Fixed an issue where the firewall randomly disconnected from the WildFire URL cloud.
Addressed
10.1.5
PAN-183112
Fixed an issue where the threat log type ml-virus wasn't forwarded to Panorama or to external servers.
Addressed
10.1.5
PAN-182954
(PA-7000 Series firewalls with Log Processing Cards (LPC) only) Fixed an issue where excessive threat ID lookups caused logs to be lost.
Addressed
10.1.5
PAN-182903
Fixed an issue where SD-WAN failover on a hub or branch in full mesh took longer than expected.
Addressed
10.1.5
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.1.5
PAN-182634
(PA-400 Series firewalls only) Fixed an issue where the firewall detected a Power Supply Unit (PSU) failure for the opposite side when disconnecting a PSU from the device. This issue occurred when redundant PSUs were connected.
Addressed
10.1.5
PAN-181839
Fixed an issue where Panorama Global Search reported No Matches found while still returning results for matching entries on large configurations.
Addressed
10.1.5
PAN-181802
Fixed an issue where a memory utilization condition resulted in the web interface responding more slowly than expected and management server restarting.
Addressed
10.1.5
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.1.5
PAN-181579
Fixed an issue with the GlobalProtect gateway where the time-to-live (TTL) limit expired faster than the configured real-time limit. As a result, a reconnection was required before the expected lifetime expiration.
Addressed
10.1.5
PAN-181558
Fixed an issue where the stats dump file was not generated properly.
Addressed
10.1.5
PAN-181360
Fixed an issue where staggering scheduled dynamic updates from Panorama to firewalls only worked for the first scheduled group and failed for the remaining groups of the same type.
Addressed
10.1.5
PAN-181116
Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the pan_comm process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Addressed
10.1.5
PAN-181039
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
Addressed
10.1.5
PAN-180916
Fixed an issue where DNS security caused the TTL value of the pointer record (PTR) to be overwritten with a value of 30 seconds.
Addressed
10.1.5
PAN-180760
Fixed an issue where users were unable to SSH to the firewall and encountered the following error message: Could not chdir to home directory /opt/pancfg/home/user: Permission denied.
Addressed
10.1.5
PAN-180095
Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.
Addressed
10.1.5
PAN-179982
Fixed an issue where an OOM condition occurred due to quarantine list redistribution.
Addressed
10.1.5
PAN-179976
Fixed an issue where the WildFire Inline Machine Learning (ML) did not detect mlav-test-pe-file.exe when traffic was decrypted.
Addressed
10.1.5
PAN-179899
Fixed an issue where updating the master key did not update the SD-WAN preshared key (PSK).
Addressed
10.1.5
PAN-179886
Fixed an issue where new tunnels could not be established for Elasticsearch because faulty logic prevented old tunnels from being removed when a node went down.
Addressed
10.1.5
PAN-179413
Fixed an issue where GRE tunnels flapped during commit jobs.
Addressed
10.1.5
PAN-179321
A validation error was added to inform an administrator when a policy field contained the value any.
Addressed
10.1.5
PAN-179274
Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet.
Addressed
10.1.5
PAN-179260
Fixed an issue where admins and other Superusers were unable to remove a commit lock that was taken by another admin user with the format <domain/user>. As a result, deleting the commit lock failed.
Addressed
10.1.5
PAN-179164
Fixed an issue where a web-proxy port number was added to the destination URL when captive portal authentication was run.
Addressed
10.1.5
PAN-179059
Fixed an issue where you were unable to delete dynamic address groups one at a time using XML API.
Addressed
10.1.5
PAN-178947
Fixed an issue where the useridd process stopped responding when a NULL reference was dereferenced. This issue occurred when IP address users were being added.
Addressed
10.1.5
PAN-178860
Fixed an issue where quarantined devices appeared in the CLI but not the web interface.
Addressed
10.1.5
PAN-178672
Fixed an issue where a process (useridd) stopped responding due to a buffer overflow.
Addressed
10.1.5
PAN-178615
Fixed an issue where restarting the management server created an invalid reference in the device server, which caused subsequent commits to fail.
Addressed
10.1.5
PAN-177981
(PA-5450 firewalls only) Fixed an issue where High Speed Log Forwarding was enabled when attempting to view local logs.
Addressed
10.1.5
PAN-177956
Fixed an issue where the CLI output of show location ip <ip address> returned unknown.
Addressed
10.1.5
PAN-177907
Fixed an issue where, after rebooting the firewall, FQDN address objects referenced in rules in a virtual system (vsys) did not resolve when the vsys used a custom DNS proxy.
Addressed
10.1.5
PAN-177878
Fixed an issue where a role-based admin with Operational Requests enabled under the XML API section was unable to set the License Deactivation API key.
Addressed
10.1.5
PAN-177874
Fixed an issue where a process (devsrvr) stopped responding due to an unexpected returned value.
Addressed
10.1.5
PAN-177626
Fixed an issue where aggressive situations caused on-chip descriptor exhaustion.
Addressed
10.1.5
PAN-177551
A fix was made to address a vulnerability that enabled an authenticated network-based administrator to upload a specially crafted configuration that disrupted system processes and executed arbitrary code with root privileges when the configuration was committed (CVE-2022-0024).
Addressed
10.1.5
PAN-177363
Fixed an issue where, when system logs and configuration logs on a dedicated log detector system were forwarded to a Panorama management server in Management Only mode, the logs were not ingested and were dropped. This caused the dedicated log detector system to not be viewable on a Panorama appliance in Management Only mode.
Addressed
10.1.5
PAN-177351
Fixed an issue where configurations failed when downgrading from PAN-OS 10.1.1 and later versions to PAN-OS 10.0.0 using the autosaveconfig.xml file.
Addressed
10.1.5
PAN-177187
Fixed an issue where reports using the decryption summary database and Panorama as data sources returned no results.
Addressed
10.1.5
PAN-177170
Fixed an issue on Panorama where a log collector group commit deleted the proxy settings configured on dedicated log collectors.
Addressed
10.1.5
PAN-177072
Fixed an intermittent issue where Panorama did not show new logs from firewalls.
Addressed
10.1.5
PAN-177060
Fixed an issue where, when the address object in the parent device group was renamed, and the address object was overridden in the child device group and called in a Security policy, the object in the Security policy was renamed as well.
Addressed
10.1.5
PAN-177054
Fixed an issue where, when you disabled a NAT rule, the Destination Translation value none displayed in blue and could still be modified to a different value.
Addressed
10.1.5
PAN-176997
Fixed an issue where log collectors generated Failed to check IoT content upgrade system logs even when no IoT license was installed.
Addressed
10.1.5
PAN-176889
Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.
Addressed
10.1.5
PAN-176746
Fixed an intermittent issue where traffic was lost when performing a failover in an HA active/passive setup.
Addressed
10.1.5
PAN-176376
Fixed an issue where importing a firewall configuration to Panorama failed if Import device's shared objects into Panorama's shared context (device group specific objects will be created if unique) was unchecked.
Addressed
10.1.5
PAN-176348
Fixed an issue where scheduled email alerts were not forwarded to all recipients in the override list.
Addressed
10.1.5
PAN-176280
Fixed an intermittent issue on Panorama where querying logs via the web interface or API did not return results.
Addressed
10.1.5
PAN-176262
Fixed an issue where the firewall didn't resolve specific domain names with multiple nested Canonical Name (CNAME) records when caching was enabled.
Addressed
10.1.5
PAN-176116
Fixed an issue where the header did not match the correct policy when IPv6 addresses were set in the XFF header.
Addressed
10.1.5
PAN-176032
Fixed an issue where a process (authd) stopped responding, which caused authentication to fail.
Addressed
10.1.5
PAN-176030
Fixed an issue where alerts related to syslog connections were not generated in the system logs.
Addressed
10.1.5
PAN-175717
Fixed an issue where firewalls managed by a Panorama management server entered maintenance mode if:
  • Panorama was running PAN-OS 10.2 and managed firewalls were downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or an earlier PAN-OS release.
  • Panorama was upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls were running PAN-OS 10.1.4 or an earlier PAN-OS 10.1 release.
Addressed
10.1.5
PAN-175716
Fixed an issue where sorting address groups by name, address, or location did not work on a device group that was part of a nested device group.
Addressed
10.1.5
PAN-175628
(PA-5200 Series firewalls only) Fixed an issue where the firewall was unable to monitor AUX1 and AUX2 interfaces through SNMP.
Addressed
10.1.5
PAN-175570
Fixed an issue where log forwarding profiles did not show up in the dropdown under Zones.
Addressed
10.1.5
PAN-175509
Fixed an issue where a deadlock on CONFIG_LOCK caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.
Addressed
10.1.5
PAN-175403
(VM-Series firewalls only) Fixed an issue where the firewall did not display any logs except for system logs.
Addressed
10.1.5
PAN-175399
Fixed an issue where enabling Use proxy to fetch logs from Cortex Data Lake caused Panorama to not show logs when queried.
Addressed
10.1.5
PAN-175307
Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.
Addressed
10.1.5
PAN-175259
Fixed an issue where a Security policy configured with App-ID and set to web-browsing and application-default service allowed clear-text web-browsing on tcp/443.
Addressed
10.1.5
PAN-175161
Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.
Addressed
10.1.5
PAN-175141
Fixed an intermittent issue where IP address-to-username mappings were not created on a redistribution client if a logout and login message shared the same timestamp.
Addressed
10.1.5
PAN-174998
(M-200 and M-500 appliances only) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
Addressed
10.1.5
PAN-174894
Fixed an issue where, when the TTL value for symmetric MAC entries wasn't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.
Addressed
10.1.5
PAN-174864
Fixed an issue on the Panorama interface where Deploying Master Key to low-end devices resulted in a Failed to communicate message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.
Addressed
10.1.5
PAN-174709
Fixed an OOM condition that occurred due to multiple parallel jobs being created by the scheduled log export feature.
Addressed
10.1.5
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.1.5
PAN-174607
Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.
Addressed
10.1.5
PAN-174604
Fixed an issue where the email subject of scheduled reports was enclosed in single quotation marks.
Addressed
10.1.5
PAN-174564
(VM-Series firewalls on a Kernel-based Virtual Machine (KVM) running on Proxmox Hypervisor only) Fixed an issue where SSH traffic was identified as unknown-TCP.
Addressed
10.1.5
PAN-174347
Fixed an issue where sequence numbers were calculated incorrectly for traffic that was subject to Session Initiation Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear Text Proxy was disabled.
Addressed
10.1.5
PAN-174011
Fixed an issue where Panorama failed to update shared policies during partial commits when a new device group was created but not yet committed.
Addressed
10.1.5
PAN-173893
Fixed a memory leak issue related to the useridd process that occurred when group mapping was enabled.
Addressed
10.1.5
PAN-173753
Fixed an issue where a bar or point on a Network Monitor graph had to be clicked more than once to properly redirect to the corresponding ACC report.
Addressed
10.1.5
PAN-173689
Fixed an issue where the dataplane restarted due to running out of memory in the policy cache.
Addressed
10.1.5
PAN-173545
Fixed an issue where exporting a device summary to CSV failed and displayed the following error message: Error while exporting.
Addressed
10.1.5
PAN-173509
Fixed an issue where Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands:
  • show system setting hardware-acl-blocking-enable
  • show system setting hardware-acl-blocking-duration
Addressed
10.1.5
PAN-173267
Fixed an issue where log queries on Panorama appliances returned with no output and the error message Schema file does not exist displayed in the reported process log.
Addressed
10.1.5
PAN-173179
Fixed an issue where the rem_addr field in Terminal Access Controller Access-Control System (TACACS+) authentication displayed the management or service route IP address of the firewall instead of the source IP address of the user.
Addressed
10.1.5
PAN-172837
Fixed an intermittent issue where the firewall didn't generate block URL logs for URLs even though the websites were blocked in the client device.
Addressed
10.1.5
PAN-172748
(VM-Series firewalls only) Fixed an issue where a process (all_task) stopped responding.
Addressed
10.1.5
PAN-172404
Fixed an issue where the semicolon (;) was not recognized as a token separator in regex matching for URL categories, even though the documentation states that it is.
Addressed
10.1.5
PAN-172396
Fixed a memory leak issue related to the useridd process.
Addressed
10.1.5
PAN-172316
Fixed an issue where internal interface flow control caused the monitoring process to incorrectly determine that the interface was malfunctioning.
Addressed
10.1.5
PAN-172295
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process (useridd) and caused IP address-to-user mapping redistribution failure.
Addressed
10.1.5
PAN-172243
Fixed an issue where NetFlow traffic triggered a packet buffer leak.
Addressed
10.1.5
PAN-172056
(VM-Series firewalls only) The logging rate limit was improved to prevent log loss.
Addressed
10.1.5
PAN-171869
Fixed an issue where HIP profile objects in security policies and authentication policies were still visible in the CLI even after replacing them with source HIP and destination HIP objects.
Addressed
10.1.5
PAN-171367
Fixed an issue in active/active HA configurations where sessions disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
Addressed
10.1.5
PAN-171345
Fixed an issue where firewalls experienced high packet descriptor usage due to internal communication associated with WildFire.
Addressed
10.1.5
PAN-171181
Fixed an issue where the IPSec tunnel configuration didn't load when a double quotation mark was added to the comment section of the IPSec tunnel General tab.
Addressed
10.1.5
PAN-170952
Fixed script issues that caused diagnostic data to not be collected after path monitor failure.
Addressed
10.1.5
PAN-170595
Fixed an issue with Content and Threat Detection where traffic patterns created a bus error, which caused the all_pktproc process to stop responding and the dataplane to restart.
Addressed
10.1.5
PAN-170297
Fixed an issue where ACC > Threat activity did not include the threat name after upgrading to a PAN-OS 10.0 release.
Addressed
10.1.5
PAN-169917
Fixed an issue on Panorama where AUX interface IP addresses did not populate when configuring service routes.
Addressed
10.1.5
PAN-169796
Fixed an issue where the high availability path group destination IP address was removed after pushing a PAN-OS 10 release template from Panorama to a firewall running a PAN-OS 9 release.
Addressed
10.1.5
PAN-169433
Fixed an issue on Panorama where clicking Run Now for a custom report with 32 or more filters in the Query Builder returned the following message: No matching records.
Addressed
10.1.5
PAN-168921
Fixed an issue on firewalls in HA active/active configurations where traffic with complete packets showed up as incomplete and was disconnected due to a non-session owner closing the session prematurely.
Addressed
10.1.5
PAN-168890
A CLI command was added to address an issue where a configured proxy server for a service route was automatically applied to the email server service route.
Addressed
10.1.5
PAN-168662
Fixed an issue on Panorama where multiple copies of logs were displayed for a single session.
Addressed
10.1.5
PAN-168635
Fixed an issue on the firewall where, when attempting to change the master key, the existing master key was not validated first. As a result, all firewall keys were corrupted.
Addressed
10.1.5
PAN-168286
Fixed a memory leak issue in the mgmtsrvr process that was caused by failed commit all operations.
Addressed
10.1.5
PAN-168189
Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.
Addressed
10.1.5
PAN-167858
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
Addressed
10.1.5
PAN-167259
Fixed an issue where, after manually uploading WildFire images, the dropdown did not display any available files to choose from.
Addressed
10.1.5
PAN-166368
Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.
Addressed
10.1.5
PAN-165147
Fixed an issue where, when there was a high volume of traffic for sessions with Application Block Pages enabled, other regular packets were dropped.
Addressed
10.1.5
PAN-164871
(VM-Series firewalls only) Fixed an intermittent issue where deactivating the firewall via XML API using manual mode failed. This occurred because the size of the license token file was incorrect.
Addressed
10.1.5
PAN-164631
Fixed an issue where the stats dump report was empty.
Addressed
10.1.5
PAN-163831
Fixed an issue where IPv6 addresses were displayed instead of IPv4 in custom reports.
Addressed
10.1.5
PAN-163245
Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message: client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate.
Addressed
10.1.5
PAN-162047
(Firewalls in HA active/passive configurations only) Fixed a routing table synchronization issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.
Addressed
10.1.5
PAN-161297
Fixed an interoperability issue with other vendors when IKEv2 used SHA2-based certificate authentication.
Addressed
10.1.5
PAN-161111
Fixed an issue where TLS 1.3 Forward Proxy Decryption failed with a malloc failure error. This issue was caused by the server certificate being very large.
Addressed
10.1.5
PAN-161031
Fixed an issue where authentication via LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and the Verify server certificate for SSL sessions option enabled.
Addressed
10.1.5
PAN-159835
Fixed an issue where, after an upgrade, the following error message was displayed: Not enough space to load content to SHM.
Addressed
10.1.5
PAN-158639
Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message: es.init-status not ready in logjobq.
Addressed
10.1.5
PAN-158541
Fixed an OOM condition on the dataplane during FIPS-mode firewall decryption that used DHE ciphers.
Addressed
10.1.5
PAN-158369
Fixed an issue where applications did not work via the Clientless VPN when they were configured on a VLAN interface.
Addressed
10.1.5
PAN-156289
Fixed an issue where the default severities for Content Update errors were inaccurate.
Addressed
10.1.5
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates (Panorama > Device Deployment).
Addressed
10.1.5
PAN-151302
(PA-7000 Series firewalls with LFCs only) Fixed an issue where the logging rate for the LFC was not displayed in Panorama > Managed Devices > Health.
Addressed
10.1.5
PAN-146734
Fixed an issue where, when a Panorama-pushed configuration was referenced in a local configuration, commits failed after updating the master key on the firewall, which resulted in the following error message: Invalid candidate configuration. Master key change aborted...
Addressed
10.1.5
PAN-145833
(PA-3200 Series firewalls only) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.
Addressed
10.1.5
PAN-141454
Fixed an issue where the output of the CLI command show running resource-monitor ingress-backlogs displayed an incorrect total utilization value.
Known
10.1.6
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.6
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.6
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.6
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.6
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.6
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.6
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.6
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.6
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.6
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.6
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.6
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command: debug software restart process web-server
Known
10.1.6
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.6
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.6
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.6
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.6
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.6
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
  • log-start eq no
  • log-end eq no
  • log-end eq yes
Known
10.1.6
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.6
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.6
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.6
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.6
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.6
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.6
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.1.6
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.6
PAN-201627
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.
(PAN-OS 10.1.6-h4 and later PAN-OS 10.1.6 hotfixes) For next-generation firewall deployments where SD-WAN is configured, the dataplane could restart if all SD-WAN member links are down due to an out-of-memory condition. This could also happen during a device reboot when all SD-WAN tunnels are down.
Workaround:
Downgrade to PAN-OS 10.1.6-h3 or earlier, or upgrade to the latest PAN-OS 10.2 release.
Known
10.1.6
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.6
PAN-198187
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
For firewalls managed by a Panorama management server, System logs (Monitor > System) may not display the Commit Description if you push (Commit > Push to Devices) to multiple device groups from Panorama.
Known
10.1.6
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround:
Provide a DNS server setting for the firewall (Device > DNS Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.6
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.6
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.6
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.6
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.1.6
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.6
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.6
PAN-194202
(
PA-5450 firewall only
) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.6
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.6
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.
(
PA-5450 firewall only
) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.6
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.6
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server, Panorama enters a non-functional state because the php.debug.log file takes up too much disk space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser in which you are logged in to the Panorama web interface, enter the following URL:
    https://<panorama_ip>/debug
  2. Uncheck (disable) Debug or Clear Debug.
  3. (HA configuration) Repeat these steps on each Panorama high availability (HA) peer if Panorama is in an HA configuration.
Known
10.1.6
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers that use ECDSA-based host keys, which affects exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
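Before scheduling exports from a FIPS-CC firewall, you can check which host key types each destination offers. The script below is an added example (not Palo Alto Networks code) that parses ssh-keyscan output in known_hosts format and lists the targets with no RSA host key; the sample lines and key blobs are constructed placeholders, and the check assumes, as the workaround states, that an RSA host key on the destination is what the firewall needs.

```python
"""Check which host key types SCP/SFTP export targets offer before pointing a
FIPS-CC firewall at them (PAN-188052).

Added example, not Palo Alto Networks code. Feed it the output of
`ssh-keyscan -t rsa,ecdsa,ed25519 <host> ...` (known_hosts format). The sample
below is constructed; the key blobs are placeholders, not real keys.
"""
from collections import defaultdict

SAMPLE_SCAN = """\
# logsrv.example.test:22 SSH-2.0-OpenSSH_8.9
logsrv.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBB
# backup.example.test:22 SSH-2.0-OpenSSH_8.9
backup.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
backup.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBB
# archive.example.test:22 SSH-2.0-OpenSSH_9.6
archive.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI
"""

RSA_HOST_KEY = "ssh-rsa"  # host key type as it appears in known_hosts


def parse_keyscan(text):
    """host -> set of host key types, from known_hosts-style lines.

    Comment lines (ssh-keyscan writes them to stderr, but they often end up in
    a captured file) are skipped; '[host]:port' names are kept verbatim.
    """
    keys = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, key_type = fields[0], fields[1]
        keys[host].add(key_type)
    return dict(keys)


def hosts_without_rsa(keys):
    """Targets that offer no RSA host key; these need an RSA key added before
    a FIPS-CC firewall can export to them."""
    return sorted(h for h, types in keys.items() if RSA_HOST_KEY not in types)


def ecdsa_only_hosts(keys):
    """Targets whose only host keys are ECDSA, the exact case this issue names."""
    return sorted(h for h, types in keys.items()
                  if types and all(t.startswith("ecdsa-sha2-") for t in types))


if __name__ == "__main__":
    parsed = parse_keyscan(SAMPLE_SCAN)
    print("no RSA host key:", hosts_without_rsa(parsed))
    print("ECDSA only:", ecdsa_only_hosts(parsed))
```

Run ssh-keyscan from a host that can reach the export targets and pass the captured output to parse_keyscan. A server that offers both RSA and ECDSA keys may still negotiate an ECDSA key depending on the client's host key algorithm preference, so the dependable fix remains the one above: present an RSA host key on the destination.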
Known
10.1.6
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.6
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.1.6
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a license required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Apply configuration settings for URL Filtering Inline ML through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configure settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.6
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync to the peer.
Known
10.1.6
PAN-172274
When you activate the Advanced URL Filtering license, your license entitlements for PAN-DB and Advanced URL Filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
request license fetch
Known
10.1.6
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.6
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require them. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.6
PAN-172061
A process (
all_pktproc
) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.6
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.6
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.6
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
If you use the NetBIOS format (domain\user) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.6
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.6
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.6
PAN-171635
If you have an on-premises Active Directory and an existing group mapping configuration on the firewall, and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.6
PAN-171224
On the Panorama management server, a custom report (Monitor > Manage Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.6
PAN-171145
If you edit or remove the value for the mail attribute in your on-premises Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.6
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of the screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.6
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.6
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.6
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with an explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.6
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.6
PAN-167847
If you issue the command opof stats and then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.6
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.6
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.6
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.6
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.6
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.6
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.6
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.6
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.6
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.6
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.6
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens in which you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window neither updates its text to exclude the deactivated licenses nor closes.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.6
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.6
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups value of the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.6
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.6
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if a tunnel content inspection (TCI) policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an application override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 and later can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a TCI policy.
Known
10.1.6
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.6
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.6
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status again. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       1  1  0  0  0  0  2
Known
10.1.6
PAN-156598
(
Panorama only
) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.6
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.6
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.6
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.6
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.6
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though the report jobs generated from logs in the Cortex Data Lake (CDL) for the PODamericas Collector Group are still in a Running state.
Known
10.1.6
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.6
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1 (refer to the hardware end-of-life dates).
Known
10.1.6
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.6
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.6
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.6
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.6
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.6
PAN-148971
If you enter a search term for events related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type attribute to filter the logs and use the search term as the Description attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.6
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.6
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the
VLD
and
logd
processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the
VLD
and
logd
processes.
Known
10.1.6
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.6
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.6
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit
the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.6
PAN-144889
On the Panorama management server with the SD-WAN 1.0.2 plugin, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.6
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.6
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.6
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.6
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
Known
10.1.6
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view the managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.6
PAN-135742
There is an issue in HTTP/2 session decryption where the App-ID in the Decryption log is the App-ID of the parent session (web-browsing) rather than that of the stream.
Known
10.1.6
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.6
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when they are created from the CLI.
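Two of the conditions on this page are easy to catch in the exported configuration before a push: EDLs set to check for updates every 5 minutes (PAN-164885, whose fetch can overlap a commit) and duplicate members in address or service groups created from the CLI (this issue). The script below is an added example (not Palo Alto Networks code) that scans a configuration XML for both. It assumes the usual element layout for external-list, address-group and service-group objects as noted in the docstring; the sample configuration is constructed.

```python
"""Pre-push lint for two conditions Panorama does not flag for you: EDLs on a
five-minute refresh (PAN-164885) and duplicate members in address or service
groups (PAN-132598).

Added example, not Palo Alto Networks code. Assumed XML layout:
  external-list/entry/type/<ip|domain|url>/recurring/five-minute
  address-group/entry/static/member
  service-group/entry/members/member
Elements are found by tag name, so shared, device group and vsys locations
are all covered.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two EDLs on a 5-minute refresh, one hourly, and groups
# with repeated members.
SAMPLE_CONFIG = """<config><shared>
  <external-list>
    <entry name="edl-fast-1"><type><ip><recurring><five-minute/></recurring>
      <url>https://lists.example.test/ips.txt</url></ip></type></entry>
    <entry name="edl-fast-2"><type><domain><recurring><five-minute/></recurring>
      <url>https://lists.example.test/domains.txt</url></domain></type></entry>
    <entry name="edl-hourly"><type><url><recurring><hourly><at>05</at></hourly></recurring>
      <url>https://lists.example.test/urls.txt</url></url></type></entry>
  </external-list>
  <address-group>
    <entry name="web-servers"><static><member>web1</member><member>web2</member><member>web1</member></static></entry>
    <entry name="db-servers"><static><member>db1</member></static></entry>
  </address-group>
  <service-group>
    <entry name="admin-ports"><members><member>ssh</member><member>ssh</member><member>rdp</member></members></entry>
  </service-group>
</shared></config>"""


def five_minute_edls(root):
    """Names of external dynamic lists whose refresh interval is five minutes."""
    hits = []
    for container in root.iter("external-list"):
        for entry in container.findall("entry"):
            # '*' stands for the list type (ip, domain, url, ...)
            if entry.find("./type/*/recurring/five-minute") is not None:
                hits.append(entry.get("name"))
    return hits


def duplicate_members(root):
    """{(group kind, group name): sorted members listed more than once}."""
    dupes = {}
    for kind, member_path in (("address-group", "./static/member"),
                              ("service-group", "./members/member")):
        for container in root.iter(kind):
            for entry in container.findall("entry"):
                counts = Counter(m.text for m in entry.findall(member_path))
                repeated = sorted(name for name, n in counts.items() if n > 1)
                if repeated:
                    dupes[(kind, entry.get("name"))] = repeated
    return dupes


def lint(xml_text):
    """Run both checks over a configuration document and return the findings."""
    root = ET.fromstring(xml_text)
    return {
        "five_minute_edls": five_minute_edls(root),
        "duplicate_members": duplicate_members(root),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG)
    for edl in report["five_minute_edls"]:
        print(f"EDL {edl}: 5-minute refresh may overlap a push; consider a longer interval")
    for (kind, name), members in report["duplicate_members"].items():
        print(f"{kind} {name}: duplicate members {members}")
```

Feed lint() the saved candidate configuration; a non-empty five_minute_edls list is worth reviewing before a large push, and duplicate_members points at exactly the group entries the web interface would have rejected.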
Known
10.1.6
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.6
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.6
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.6
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.6
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.6
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.6
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.6
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.6
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
10.1.6
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.6
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.6
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.6
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.6
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
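The request in question is a User-ID API update whose payload unregisters tags from an IP entry. The script below is an added example (not Palo Alto Networks code) that builds that uid-message for a subnet or range, packages it as a POST to /api/, and decodes the body back for review before anything is sent. It assumes the documented uid-message format for type=user-id requests and that the entry's ip attribute may carry a CIDR subnet or a range (supported from PAN-OS 9.0); the host name, API key, vsys and tag names are placeholders, and the optional vsys parameter is only needed on multi-vsys firewalls.

```python
"""Unregister tags for a subnet or range through the User-ID XML API, the
workaround for PAN-112135.

Added example, not Palo Alto Networks code. Assumes the uid-message format
for type=user-id requests and that the entry ip attribute accepts a CIDR
subnet or an address range (PAN-OS 9.0 and later). Host, key, vsys and tag
names below are placeholders. Nothing is sent unless send_request() is called.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_unregister_message(entries):
    """entries: {"10.20.0.0/24": ["quarantine"], "10.30.0.1-10.30.0.50": ["guest"]}"""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    unregister = ET.SubElement(ET.SubElement(msg, "payload"), "unregister")
    for ip, tags in entries.items():
        entry = ET.SubElement(unregister, "entry", ip=ip)
        tag = ET.SubElement(entry, "tag")
        for name in tags:
            ET.SubElement(tag, "member").text = name
    return ET.tostring(msg, encoding="unicode")


def build_request(host, api_key, entries, vsys=None):
    """(url, form body) for a POST to /api/.

    The key travels in the POST body, not the query string, so it does not
    land in proxy or web server access logs. vsys (e.g. "vsys2") is assumed
    to be the parameter for targeting a virtual system on multi-vsys firewalls.
    """
    params = {"type": "user-id", "key": api_key, "cmd": build_unregister_message(entries)}
    if vsys:
        params["vsys"] = vsys
    return f"https://{host}/api/", urllib.parse.urlencode(params)


def parse_message(xml_text):
    """Inverse of build_unregister_message: {ip: [tags]}."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): [m.text for m in e.findall("./tag/member")]
            for e in root.findall("./payload/unregister/entry")}


def decode_body(body):
    """Recover ({ip: [tags]}, vsys or None) from a body built by build_request."""
    fields = urllib.parse.parse_qs(body)
    return parse_message(fields["cmd"][0]), fields.get("vsys", [None])[0]


def send_request(url, body, cafile=None):
    """POST the request, verifying the firewall certificate against cafile
    (or the system trust store) instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    url, body = build_request("fw.example.test", "<api-key>", {"10.20.0.0/24": ["quarantine"]})
    print(url)
    print(decode_body(body))
```

Review the output of decode_body() before calling send_request(); the response is an XML document whose status attribute reports success or an error for each entry, and a tag that was never registered on that exact subnet or range is silently ignored rather than rejected.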
Known
10.1.6
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.6
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.6
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.6
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.6
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.6
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.6
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.6
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.6
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.6
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.6
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.6
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.6
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.6
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.6
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.6
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.6
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.6
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.6
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.6
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.6
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.6
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.
Known
10.1.6
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.6
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.6
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.6
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.6
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.6
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.6
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.6
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.6
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.6
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.6
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.6
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.6
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.6
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.6
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.6-h8
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.6-h8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.6-h8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.6-h8
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.6-h8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.6-h7
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.6-h7
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.6-h6
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.1.6-h6
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.1.6-h6
PAN-194826
(WF-500 and WF-500-B appliances only) Fixed an issue where system log forwarding did not work over a TLS connection.
Addressed
10.1.6-h6
PAN-194776
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where intra-zone packets were re-encapsulated with the incorrect source/destination MAC address.
Addressed
10.1.6-h6
PAN-194721
Fixed an issue where path monitor failure occurred, which caused slots to go down.
Addressed
10.1.6-h6
PAN-194694
Fixed an issue where multiple SNMP requests being made to the firewall caused the pan_comm process to stop responding.
Addressed
10.1.6-h6
PAN-194645
(PA-5400 Series firewalls only) Fixed an issue where the Data Processing Card status was incorrectly shown as config=None.
Addressed
10.1.6-h6
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.1.6-h6
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.1.6-h6
PAN-194097
Fixed an issue on firewalls in high availability (HA) active/passive configurations where _ha_d_session_msgbuf overflowed on the passive firewall during an upgrade, which caused the firewall to enter a non-functional state.
Addressed
10.1.6-h6
PAN-193732
(PA-5400 Series firewalls only) Fixed an issue where the firewall incorrectly handled internal transactions.
Addressed
10.1.6-h6
PAN-193184
Fixed an issue where IP-user-mapping disappeared when login/logout events occurred at the same timestamp.
Addressed
10.1.6-h6
PAN-193132
(PA-220 firewalls only) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.1.6-h6
PAN-192999
A fix was made to address CVE-2022-0028.
Addressed
10.1.6-h6
PAN-192758
(PA-7000 Series firewalls only) Fixed an issue where files failed to upload to the WildFire public cloud.
Addressed
10.1.6-h6
PAN-192673
(PA-7050-SMC-B firewalls only) Fixed an issue where the LFC (log forwarding card) syslog-ng service failed to start after an upgrade.
Addressed
10.1.6-h6
PAN-192551
(PA-5400 Series firewalls only) Fixed an issue where the firewall incorrectly processed path monitoring packets, which caused a slot restart.
Addressed
10.1.6-h6
PAN-192052
Fixed an issue where, when next hop MAC address entries weren't found on the offload processor for active traffic, update messages flooded the firewall, which caused resource contention and traffic disruption.
Addressed
10.1.6-h6
PAN-182951
Fixed an issue where commits remained at 98% for an hour and then failed.
Addressed
10.1.6-h6
PAN-173469
Fixed an intermittent issue where websites were blocked and categorized as not resolved.
Addressed
10.1.6-h3
PAN-194408
Fixed an issue where, when policy rules had apps that implicitly depend on web-browsing configured with the service set to application-default, traffic did not match the rule correctly.
Addressed
10.1.6-h3
PAN-194325
(PA-5450 firewalls only) Fixed an issue where the logging interface configuration was not correctly written to the syslog-ng configuration file.
Addressed
10.1.6-h3
PAN-192880
Fixed an issue where, when the firewall was configured for jumbo frames, an internal interface was not set with the correct MTU, which caused frames larger than 1500 bytes to be dropped when the DF bit was set.
Addressed
10.1.6-h3
PAN-192403
(PA-5450 firewalls only) Fixed an issue on the web interface where, when configuring the management interface and logging interface in the same subnetwork, a commit warning was not displayed even though the configuration caused routing and connectivity issues.
Addressed
10.1.6-h3
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.1.6-h3
PAN-191257
Fixed an issue on the firewall where the useridd process stopped responding after a commit from Panorama. This occurred due to a timing issue where a HIP query from the dataplane was initiated before the process had finished initialization.
Addressed
10.1.6-h3
PAN-190811
(PA-5450 firewalls only) Fixed an issue where logs were forwarded through the management interface instead of the log interface configured for forwarding.
Addressed
10.1.6-h3
PAN-190292
Fixed an issue where you could not configure a log interface as a service route (Device > Setup > Services > Service Route).
Addressed
10.1.6-h3
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.1.6-h3
PAN-188833
Fixed an issue where shared address objects used as a source or destination in policies were cloned but not freed back after configuration commits.
Addressed
10.1.6-h3
PAN-187126
Fixed an issue where enabling DPDK mode on the dataplane interfaces of a Microsoft Azure instance caused the brdagent process to stop responding.
Addressed
10.1.6-h3
PAN-186075
(VM-Series firewalls only) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.1.6-h3
PAN-186024
Fixed an issue where URL category match did not work for External Dynamic List URLs due to a leak related to the devsrvr process.
Addressed
10.1.6-h3
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.1.6
WF500-5509
(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the SD-WAN subtype.
Addressed
10.1.6
PAN-193579
Fixed an issue where new logs viewed from the CLI (show log <log_type>) and new syslogs forwarded to a syslog server contained additional, erroneous entries.
Addressed
10.1.6
PAN-192930
Fixed an issue where, when the default port was not TCP/443, implicitly used SSL applications were blocked by the Security policy as an SSL application and did not shift to the correct application.
Addressed
10.1.6
PAN-191629
(PA-5450 firewalls only) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.1.6
PAN-191470
Fixed an issue on Panorama where encrypted passwords were sent to firewalls on PAN-OS 10.1 releases during a multi-device group push, which caused client-based External Dynamic Lists (EDL) to fail.
Addressed
10.1.6
PAN-191466
Fixed an issue where you were unable to use the web interface to override IPsec tunnels pushed from Panorama.
Addressed
10.1.6
PAN-191222
Fixed an issue where Panorama became inaccessible after a push to the collector group.
Addressed
10.1.6
PAN-190728
Fixed an issue in active/passive high availability (HA) configurations with link or path monitoring enabled where the aggregate ethernet interface went down before its member interfaces went down.
Addressed
10.1.6
PAN-190675
Fixed an IoT cloud connectivity issue with the firewall dataplane when the Data Services service route was used and the egress interface had VLAN tagging.
Addressed
10.1.6
PAN-190660
Fixed an issue where the vld process stopped responding when Elasticsearch had no data.
Addressed
10.1.6
PAN-190644
Fixed an issue where Elasticsearch removed indices earlier than the configured retention period.
Addressed
10.1.6
PAN-190409
(PA-5450 and PA-3200 Series firewalls that use an FE101 processor only) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. With this fix, you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE). tuple is the new behavior, where both the CPU and the FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.1.6
PAN-189982
Fixed an issue where, when inputting tags, the scrollbar in the dialog box for the tag field obscured the down arrow.
Addressed
10.1.6
PAN-189643
Fixed an issue where, when Quality of Service (QoS) was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.1.6
PAN-189182
Fixed an issue where the change summary didn't work after upgrading the Panorama appliance.
Addressed
10.1.6
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
Addressed
10.1.6
PAN-188872
Fixed an out-of-memory (OOM) condition caused by a memory leak issue on the useridd process.
Addressed
10.1.6
PAN-188776
(PA-5200 Series firewalls only) Fixed an issue where the AUX-2 port required a reboot to link up after factory resetting the firewall.
Addressed
10.1.6
PAN-188336
Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.
Addressed
10.1.6
PAN-188303
Fixed an issue where the serial number displayed as unknown after running the show system state CLI command.
Addressed
10.1.6
PAN-188272
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Support UTF-8 For Log Output wasn't visible on the web interface.
Addressed
10.1.6
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions and the session_alloc_failure counter incremented. This was caused by a GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
Addressed
10.1.6
PAN-188009
Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.
Addressed
10.1.6
PAN-188005
Fixed an issue where the var/off file consumed more space than expected, which caused the root partition to reach 100% utilization.
Addressed
10.1.6
PAN-187829
Fixed an issue where the web_backend and httpd processes leaked descriptors, which caused activities that depended on the processes, such as logging in to the web interface, to fail.
Addressed
10.1.6
PAN-187630
Fixed an issue where the all_task process stopped responding with a stack trace that contained the function pan_agent_userpolicy_cache_find.
Addressed
10.1.6
PAN-187558
Fixed an issue where the following error message flooded the system log: Incremental update to DP failed.
Addressed
10.1.6
PAN-186750
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, SaaS reports generated on Panorama did not display Applications at a glance and most charts were missing data on the right side of the chart.
Addressed
10.1.6
PAN-186262
Fixed an issue where Panorama appliances in Panorama or Log Collector mode became unresponsive while Elasticsearch accumulated internal connections related to logging processes.
Addressed
10.1.6
PAN-186143
Fixed an issue where no local changes could be made on a Zero Touch Provisioning (ZTP) enabled device after an upgrade to a PAN-OS 10.1 release.
Addressed
10.1.6
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
Addressed
10.1.6
PAN-185558
Fixed an issue where Panorama log migration failed when old logs migrated to a newer format. This was due to older indices failing to close.
Addressed
10.1.6
PAN-185440
Fixed an issue where iOS devices incorrectly displayed as jailbroken under HIP match logs.
Addressed
10.1.6
PAN-185416
(PA-220 firewalls only) Fixed an issue where the firewall repeatedly rebooted every few hours.
Addressed
10.1.6
PAN-184979
Fixed an issue in multi-vsys environments where the DNS service route always used the management interface even when the dataplane interface was
Addressed
10.1.6
PAN-184621
Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message: Operation failed : Malformed request.
Addressed
10.1.6
PAN-184291
Fixed an issue where the GlobalProtect portal generated a cookie with a domain as NULL instead of empty-domain, which caused users to be identified incorrectly.
Addressed
10.1.6
PAN-184071
Fixed an issue where tech support files were not generated.
Addressed
10.1.6
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
Addressed
10.1.6
PAN-183579
Fixed an issue where SD-WAN path monitoring failed over the interface directly connected to the ISP due to an unsupported ICMP probe format.
Addressed
10.1.6
PAN-183529
(PA-5450 firewalls only) Fixed an issue where upgrading the firewall caused corrupted log records to be created, which caused the logrcvr process to fail. As a result, the auto-commit process required to bring up the firewall after a reboot failed and the firewall became unresponsive.
Addressed
10.1.6
PAN-183339
Fixed an issue where line breaks in a description were not visible.
Addressed
10.1.6
PAN-183327
(Firewalls in HA configurations only) Fixed an issue where policy based forwarding (PBF) sessions between virtual systems (vsys) weren't pushed to the high availability peer.
Addressed
10.1.6
PAN-183322
(Firewalls in Hyper-V environments only) Fixed an issue where, when upgrading PAN-OS 10.0.5 to PAN-OS 10.0.6 or later, the default Maximum Transmission Unit (MTU) was restored to 1500 from 1496.
Addressed
10.1.6
PAN-181604
Fixed an issue where audit comment archive configuration logs (between commits) were lost after each upgrade.
Addressed
10.1.6
PAN-181568
Fixed an issue where high dataplane CPU occurred when DNS Security was enabled on a firewall with many DNS sessions but less overall traffic.
Addressed
10.1.6
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.1.6
PAN-181262
Fixed an issue where, when the data loss prevention (DLP) plugin was installed, the Panorama web interface froze after previewing changes.
Addressed
10.1.6
PAN-181245
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.6
PAN-181215
Fixed an issue where the authd process didn't receive authentication requests due to internal socket errors.
Addressed
10.1.6
PAN-181031
Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in /var/log/pan because stale logs from previously registered next-generation firewalls were not being cleared.
Addressed
10.1.6
PAN-180934
Fixed an issue where, when decrypting at TLS1.3, websites failed to load due to the firewall incorrectly handling payload padding from the server.
Addressed
10.1.6
PAN-180661
Fixed an issue on Panorama where pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall incorrectly displayed a commit timeout as the reason the commit failed.
Addressed
10.1.6
PAN-180396
Fixed an issue where Panorama displayed an error when generating a ticket to disable GlobalProtect for Prisma Access.
Addressed
10.1.6
PAN-180338
Fixed an issue where the CTD loop count wasn't accurately incremented.
Addressed
10.1.6
PAN-180125
Fixed an issue where either Elasticsearch es-1 or es-2 didn't start after rebooting the log collector.
Addressed
10.1.6
PAN-179184
Fixed an issue where Security Assertion Markup Language (SAML) authentication failed when multiple single sign-on (SSO) requests were sent at the same time from SSL VPN to the authd process on the firewall.
Addressed
10.1.6
PAN-178975
Fixed an issue where the local log collector was out of sync and displayed a public IP address mismatch for the management interface.
Addressed
10.1.6
PAN-178862
Fixed an issue where bootstrapped firewalls didn't associate with the configured template stack if the stack name had more than 31 characters.
Addressed
10.1.6
PAN-178450
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.1.6
PAN-177762
Fixed an issue where wifclient in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.
Addressed
10.1.6
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
Addressed
10.1.6
PAN-177455
(PA-7000 Series firewalls with HA clustering enabled and using HA4 communication links only) Fixed an issue where loading PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network Processing Card) to go offline. As a result, the firewall failed to boot normally and entered maintenance mode.
Addressed
10.1.6
PAN-177409
Fixed an issue where, when the quarantine feature was enabled, every hostid lookup created a new entry in the cache memory instead of having a single cache entry for each IP address, which led to memory exhaustion.
Addressed
10.1.6
PAN-177063
Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.
Addressed
10.1.6
PAN-176437
(PA-3200 Series firewalls only) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.
Addressed
10.1.6
PAN-175186
Fixed an issue where performing a commit-all operation with the API type op instead of commit resulted in Panorama returning the incorrect error message Use type [commit-all] instead of the correct error message to use the type commit.
Addressed
10.1.6
PAN-175022
Fixed an issue where the PAN-OS web interface table of contents did not display or the help contents reloaded continuously.
Addressed
10.1.6
PAN-175016
Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.
Addressed
10.1.6
PAN-174660
Fixed an issue where the devsrvr process stopped responding after a local or Panorama-pushed commit. This occurred when a single NAT policy contained more than 64 address objects.
Addressed
10.1.6
PAN-174514
(VM-Series firewalls on Amazon Web Services (AWS) with Gateway Load Balancer (GWLB) enabled only) Fixed an issue where the firewall didn't block access with a response page when accessing a blocked URL category.
Addressed
10.1.6
PAN-174161
Fixed an issue in Panorama where disabling override on an object from a child device group did not work after cloning and renaming the object.
Addressed
10.1.6
PAN-173453
Fixed an issue where multiple heartbeat failures occurred, which resulted in high availability failover.
Addressed
10.1.6
PAN-172768
Fixed an issue where HIP report generation caused a memory leak in a process (useridd).
Addressed
10.1.6
PAN-172766
Fixed an issue on Panorama where a commit push to managed firewalls failed with the sctp-init is invalid error even though SCTP settings were not configured in the corresponding template.
Addressed
10.1.6
PAN-170462
Fixed an issue where SaaS applications downloaded from the App-ID Cloud Engine (ACE) didn't appear in daily application reports (Monitor > Reports > Application Reports) or in the Application column of the Application Usage widget (ACC > Network Activity).
Addressed
10.1.6
PAN-168400
Fixed an issue where, after installing Cloud Services plugin 10.2, the Plugin cloud_services status (Dashboard > High Availability) displayed as Mismatch.
Addressed
10.1.6
PAN-168339
Fixed an issue where replacing SSL certificates for inbound management traffic did not work when Block Private Key Export was enabled.
Addressed
10.1.6
PAN-165660
Fixed an issue in scenarios with fragmented Session Initiation Protocol (SIP) traffic where the first packet arrived out of order and bypassed App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by App-ID and CTD.
Addressed
10.1.6
PAN-163174
Fixed an issue on the firewall where, after a commit, GlobalProtect users saw SAML authentication failure due to an improper certificate revocation check.
Addressed
10.1.6
PAN-162444
Fixed an issue where the system state reported incorrect or missing capacity numbers for FQDN address objects.
Addressed
10.1.6
PAN-162164
Fixed an issue where, when upgrading a multi-dataplane firewall from a PAN-OS 10.0 to a PAN-OS 10.1 release, the commit failed if the DHCP Broadcast Session option was enabled in the configuration.
Addressed
10.1.6
PAN-159702
Fixed an issue where FQDN refresh did not work with the error No name servers found!, and no subsequent retries occurred.
Addressed
10.1.6
PAN-155730
Fixed an issue where corrupted log index files were not automatically removed.
Addressed
10.1.6
PAN-142701
Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.
Known
10.1.7
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.7
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.7
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.7
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.7
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.7
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.7
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.7
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.7
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.7
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.7
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.7
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command: debug software restart process web-server.
Known
10.1.7
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.7
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.7
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.7
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.7
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.7
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.7
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.7
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.7
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.7
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.7
PAN-208189
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.7
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field is erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.7
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.7
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.1.7
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.7
PAN-201627
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.
For next-generation firewall deployments where SD-WAN is configured, the dataplane could restart if all SD-WAN member links are down due to an out-of-memory condition. This could also happen during a device reboot when all SD-WAN tunnels are down.
Workaround:
Downgrade to PAN-OS 10.1.6-h3 or earlier, or upgrade to the latest PAN-OS 10.2 release.
Known
10.1.7
PAN-199099
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.
When decryption is enabled, Safari and Google Chrome browsers on Mac computers running macOS Monterey or later reject the server certificates firewalls present. The browsers cannot validate the chain of trust for the certificates because the Authority Key Identifier (AKID) of the server certificates and the Subject Key Identifier (SKID) of the forward trust certificate do not match.
Workaround:
Use a forward trust certificate that does not contain AKID or SKID extensions.
Known
10.1.7
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround:
Provide a DNS server setting for the firewall (Device > DNS Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.7
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.7
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.7
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.7
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.1.7
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.7
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.7
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.7
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.7
PAN-190727
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator's Guide.
Known
10.1.7
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server, Panorama enters a non-functional state due to the php.debug.log file taking up too much space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser you are logged into the Panorama web interface, enter the following URL:
    https://<panorama_ip>/debug
  2. Uncheck (disable) Debug or Clear Debug.
  3. (HA configuration) Repeat this step on each Panorama high availability (HA) peer if Panorama is in an HA configuration.
Known
10.1.7
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.7
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.7
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.7
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses: license request fetch.
Known
10.1.7
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.7
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.7
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.7
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.7
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.7
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.7
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.7
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.7
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.7
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.7
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.7
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.7
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.7
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.7
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.7
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.7
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.7
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.7
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.7
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.7
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.7
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.7
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.7
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.7
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.7
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.7
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.7
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups value in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.7
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.7
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.7
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.7
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.7
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       1  1  0  0  0  0  2
Known
10.1.7
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.7
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.7
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.7
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.7
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.7
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.7
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.7
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.7
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.7
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.7
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.7
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.7
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.7
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ).
Known
10.1.7
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.7
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.7
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.7
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.7
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.7
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.7
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.7
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.7
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.7
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, which results in delayed log queries and ingestion.
Known
10.1.7
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.7
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.7
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.7
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.7
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.7
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.7
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.7
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.7
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.7
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.7
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.7
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall device-server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.7
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.7
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.7
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.7
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.7
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.7
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.7
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.7
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.7
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.7
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.7
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.7
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.7
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.7
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.7
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.7
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.7
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.7
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.7
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.7
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.7
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.7
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.7
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.7
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.7
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.7
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.7
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.7
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks (such as installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known
10.1.7
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.7
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.7
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.7
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.7
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.7
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.7
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.
Known
10.1.7
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.7
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.7
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.7
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.7
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.7
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.7
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.7
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.7-h1
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.7-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.7-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.7-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.7-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.7
PAN-200771
Fixed an issue where syslog-ng was unable to start due to a design change in the syslog configuration file.
Addressed
10.1.7
PAN-199654
Fixed an issue where ACC reports did not work for custom RBAC users when more than 12 access domains were associated with the username.
Addressed
10.1.7
PAN-199311
Fixed an issue where the Log Forwarding Card (LFC) failed to forward logs to the syslog server.
Addressed
10.1.7
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
Addressed
10.1.7
PAN-198332
(PA-5400 Series only) Fixed an issue where swapping Network Processing Cards (NPCs) caused high root partition use.
Addressed
10.1.7
PAN-198244
Fixed an issue where using the load config partial CLI command to x-paths removed address object entries from address groups.
Addressed
10.1.7
PAN-197484
(PA-5400 Series firewalls) Fixed an issue where the firewall forwarded packets to the incorrect aggregate ethernet interface when Policy Based Forwarding (PBF) was used.
Addressed
10.1.7
PAN-197244
Fixed an issue on firewalls with Forward Proxy enabled where the all_pktproc process stopped responding due to missed heartbeats.
Addressed
10.1.7
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.1.7
PAN-196953
(PA-5450 firewalls only) Fixed an issue where jumbo frames were dropped.
Addressed
10.1.7
PAN-196445
Fixed an issue where restarting the NPC or the Data Processing Card (DPC) did not bring up all the network interfaces.
Addressed
10.1.7
PAN-196227
Fixed an issue where the logd process stopped responding, which caused Panorama to reboot into maintenance mode.
Addressed
10.1.7
PAN-196005
(PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only) Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value.
Addressed
10.1.7
PAN-195707
Fixed an issue on Panorama appliances configured as log collectors where Panorama repeatedly rebooted into maintenance mode.
Addressed
10.1.7
PAN-195628
Fixed an issue that caused the pan_task process to miss heartbeats and stop responding.
Addressed
10.1.7
PAN-195625
Fixed an issue where authd frequently created SSL sessions, which resulted in an out-of-memory (OOM) condition.
Addressed
10.1.7
PAN-195360
Fixed an issue with firewalls in Microsoft Azure environments where BGP flapping occurred due to the firewall incorrectly treating capability from BGP peering as unsupported.
Addressed
10.1.7
PAN-195223
Fixed an issue where the all_pktproc process restarted when receiving a GTPv2 Modify Bearer Request packet if the Serving GPRS Support Node (SGSN) used the same key as the Serving Gateway (SGW).
Addressed
10.1.7
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.1.7
PAN-194958
Fixed an issue where using the show routing protocol bgp loc-rib-detail CLI command caused the CLI to stop responding.
Addressed
10.1.7
PAN-194826
(WF-500 and WF-500-B appliances only) Fixed an issue where log system forwarding did not work over a TLS connection.
Addressed
10.1.7
PAN-194776
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where intra-zone packets were re-encapsulated with the incorrect source/destination MAC address.
Addressed
10.1.7
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.1.7
PAN-194481
Fixed an issue in ESXi where the bootstrapped VM-Series firewalls with the Software Licensing Plugin had :xxx appended to their hostnames.
Addressed
10.1.7
PAN-194472
A CLI command was added to address an issue where packets were discarded due to the QoS queue limit being reached. This command enables you to modify the QoS queue size to accommodate more users.
Addressed
10.1.7
PAN-194408
Fixed an issue where, when policy rules had apps that implicitly depended on web-browsing configured with the service set to application-default, traffic did not match the rule correctly.
Addressed
10.1.7
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.1.7
PAN-193981
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall stopped monitoring high availability (HA) failure and floating IP addresses did not get moved to the newly active firewall.
Addressed
10.1.7
PAN-193765
Fixed an issue where commits failed and the following error was displayed in the configd log:
Unable to populate ids into candidate config: Error: Error populating id for 'sg2+DMZ to FirstAM Scanner-1'
Addressed
10.1.7
PAN-193763
Fixed an issue on the firewall where the dataplane CPU spiked, which caused traffic to be affected during commits or content updates.
Addressed
10.1.7
PAN-193707
Fixed an issue where SAML authentication failed during commits with the following error message:
revocation status could not be verified (reason: )
Addressed
10.1.7
PAN-193483
(VM-Series firewalls only) Fixed an issue where, during Layer-7 packet inspection where traffic was being inspected for threat signatures and data patterns, multiple processes stopped responding.
Addressed
10.1.7
PAN-193392
Fixed an issue where RTP packets dropped due to conflicting duplicate flows.
Addressed
10.1.7
PAN-193175
Fixed an issue where PBP Drops (8507) threat logs were incorrectly logged as SCTP Init Flood (8506).
Addressed
10.1.7
PAN-193132
(PA-220 firewalls only) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.1.7
PAN-192944
Fixed an issue where the logrcvr process caused an OOM condition.
Addressed
10.1.7
PAN-192758
(PA-7000 Series firewalls only) Fixed an issue where files failed to upload to the WildFire public cloud.
Addressed
10.1.7
PAN-192726
Fixed an issue where the firewall dropped TCP traffic inside IPSec tunnels.
Addressed
10.1.7
PAN-192725
Fixed an issue where the firewall failed to forward logs to Panorama when configured with IPv6 addressing only.
Addressed
10.1.7
PAN-192666
(VM-Series firewalls only) Fixed an issue where uploading certificates via API failed within the first 30 minutes of a bootstrap.
Addressed
10.1.7
PAN-192551
(PA-5400 Series firewalls only) Fixed an issue where the firewall incorrectly processed path monitoring packets, which caused a slot restart.
Addressed
10.1.7
PAN-192404
Fixed an issue where ARP broadcasts occurring in the same time interval and network segment as HA path monitoring pings triggered an ARP cache request, which prevented the firewall from sending ICMP echo requests to the monitored destination IP address and caused an HA path monitoring failover.
Addressed
10.1.7
PAN-192330
(Bootstrapped VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall did not automatically receive the Cortex Data Lake license.
Addressed
10.1.7
PAN-192089
Fixed an issue on the web interface where the IPSec tunnel did not gray out after disabling it.
Addressed
10.1.7
PAN-191867
Fixed an issue where CPU stalls resulted in a slot restart.
Addressed
10.1.7
PAN-191847
Fixed an issue where the Panorama appliance was unable to generate scheduled custom reports due to the large number of files stored in the opt/pancfg/mgmt/custom-reports directory.
Addressed
10.1.7
PAN-191726
Fixed an issue where an SCP export of the device state from the firewall added single quotes ( ' ) to the filename.
Addressed
10.1.7
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.1.7
PAN-191381
Fixed an issue where multicast packets were dropped due to a large timeout value in the multicast FIB.
Addressed
10.1.7
PAN-191288
Fixed an issue where the firewall restarted due to a dnsproxy process crash.
Addressed
10.1.7
PAN-191269
Fixed an issue where the NAT pool leaked for passive mode FTP predict sessions.
Addressed
10.1.7
PAN-191218
(PA-5400 Series firewalls only) Fixed an issue where the session log storage quota could not be changed via the web interface.
Addressed
10.1.7
PAN-191163
Fixed an issue where the logrcvr process stopped responding when processing threat logs with HTTP2 and data capture flagged.
Addressed
10.1.7
PAN-191022
Fixed an issue where a full routing table caused many dataplane messages, which resulted in packet buffer congestion and packet drops.
Addressed
10.1.7
PAN-190811
(PA-5450 firewalls only) Fixed an issue where logs were forwarded through the management interface instead of the log interface configured for log forwarding.
Addressed
10.1.7
PAN-190727
(PA-5450 firewall only) Fixed an issue where documentation for configuring the log interface was unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Addressed
10.1.7
PAN-190493
Fixed an issue where decrypted VLAN traffic on Virtual Wire (V-Wire) changed to VLAN ID 0.
Addressed
10.1.7
PAN-190492
Fixed an issue where the Panorama log collector group level SSH settings were not migrated to the new format when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.1.7
PAN-190448
Fixed an issue in ACC reports where IPv6 addresses were displayed instead of IPv4 addresses.
Addressed
10.1.7
PAN-190292
Fixed an issue where you could not configure a log interface as a service route (Device > Setup > Services > Service Route).
Addressed
10.1.7
PAN-190225
Fixed an issue on Panorama appliances in active/passive HA configurations where the passive appliance was unable to connect to the active appliance after resetting the secure connection state.
Addressed
10.1.7
PAN-189867
Fixed an issue where, when logging in to the GlobalProtect gateway, the authentication cookie was not reused.
Addressed
10.1.7
PAN-189861
Fixed an issue on firewalls in HA configurations where intermittent system alerts on the active firewall caused the pan_comm process to restart continuously.
Addressed
10.1.7
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.1.7
PAN-189414
Fixed an issue where TCP packets were dropped during the first zone transfer when DNS security was enabled.
Addressed
10.1.7
PAN-189304
Fixed an issue where the Panorama appliance didn't display logs or generate reports for a device group containing MIPs platform that forwarded logs to Cortex Data Lake.
Addressed
10.1.7
PAN-189225
Fixed an issue where BGP routes were lost or uninstalled after disabling jumbo frames on the firewall.
Addressed
10.1.7
PAN-189206
Fixed an issue where Device Group and Template administrator roles didn't support a context switch between the Panorama and firewall web interfaces.
Addressed
10.1.7
PAN-189114
Fixed an issue where the dataplane went down, which caused an HA failover.
Addressed
10.1.7
PAN-188942
Fixed an issue where, when modifying a DNS proxy configuration, the server port number was transparently changed to port 1080 if an administrator changed only the server IP address.
Addressed
10.1.7
PAN-188867
Fixed an issue where the firewall dropped packets when the session payload was too large.
Addressed
10.1.7
PAN-188338
Fixed an issue where canceling a commit caused the commit process to remain at 70% and the firewall had to be rebooted.
Addressed
10.1.7
PAN-188096
(VM-Series firewalls only) Fixed an issue where, on firewalls licensed with Software NGFW Credits (VM-FLEX-4 and higher), HA clustering could not be established.
Addressed
10.1.7
PAN-187890
Fixed an issue where the Cortex Data Lake connection incorrectly displayed as disconnected when a service route was in use.
Addressed
10.1.7
PAN-187805
Fixed an issue where a process ( all_pktproc ) stopped responding and the dataplane restarted during certificate construction or destruction.
Addressed
10.1.7
PAN-187755
Fixed an issue where the maximum session timeout was not applied to the administrator as expected.
Addressed
10.1.7
PAN-187151
Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.
Addressed
10.1.7
PAN-186995
Fixed an issue where the command to show IP address tags for Dynamic Address Groups displayed the error start-point should be equal to or between 1 and 100000 even when the maximum registered IP address limit was greater than 100,000. With this fix, the show command displays IP address tags up to the correct maximum limit.
Addressed
10.1.7
PAN-186957
Fixed an issue where, in SAML Metadata Export, a drop-down did not appear in the input field when IP or Hostname was selected for Type.
Addressed
10.1.7
PAN-186891
Fixed an issue where NetFlow packets contained incorrect octet counts.
Addressed
10.1.7
PAN-186807
Fixed an issue where RAID rebuild occurred after a reboot due to the RAID array not being populated during the firewall bootup.
Addressed
10.1.7
PAN-186658
Fixed an issue where Panorama console sessions were not cleared on the firewall after the idle-timeout value expired.
Addressed
10.1.7
PAN-186584
Fixed an issue where SNMPv3 CPU use didn't match the firewall output for show running resource-monitor on single dataplane firewalls.
Addressed
10.1.7
PAN-186418
Fixed an issue where Panorama displayed a discrepancy in RAM configured on the VMware host.
Addressed
10.1.7
PAN-186075
(VM-Series firewalls only) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.1.7
PAN-185789
Fixed an issue where the show ntp CLI command resulted in a Rejected status for NTP servers that used auto-key authentication.
Addressed
10.1.7
PAN-185787
Fixed an issue where logging in to the Panorama web interface did not work and the following error message displayed: Timed out while getting config lock. Please try again.
Addressed
10.1.7
PAN-185286
(PA-5400 Series firewalls only) Fixed an issue on Panorama where device health resources did not populate.
Addressed
10.1.7
PAN-184902
Fixed an issue where the logd process stopped responding on Panorama and wasn't able to receive logs from the firewall due to the event manager returning a null pointer.
Addressed
10.1.7
PAN-184845
Fixed an issue where Address Resolution Protocol (ARP) packets dropped due to ARP throttle.
Addressed
10.1.7
PAN-184771
Fixed an issue where the threat category in a schedule report incorrectly displayed as unknown.
Addressed
10.1.7
PAN-184702
(M-700 appliances in Log Collector mode only) Fixed an issue on the Panorama management server where the Panorama appliance failed to connect to Panorama when added as a managed log collector.
Addressed
10.1.7
PAN-184342
Fixed an issue where the firewall dropped the second TCP packet as non-syn TCP if it was SYN/ACK/PSH due to the incorrect expectation that the second packet would be SYN/ACK.
Addressed
10.1.7
PAN-184068
(PA-5200 Series firewalls only) Fixed an issue where the firewall generated pause frames, which caused network latency.
Addressed
10.1.7
PAN-183949
Fixed an issue on the firewall where a script to send XML API queries to update the block list caused the sslmgr process to restart.
Addressed
10.1.7
PAN-183888
Fixed an issue on Panorama appliances with PA-5400 Series managed firewalls where Monitor > Traffic did not display logs.
Addressed
10.1.7
PAN-183826
Fixed an issue where, after clicking WildFire Analysis Report, the web interface failed to display the report with the following error message: refused to connect.
Addressed
10.1.7
PAN-183664
(VM-Series firewalls only) Fixed an issue where set core operations failed during Software NGFW FLEX licensing.
Addressed
10.1.7
PAN-183603
(M-200 and M-600 appliances in Log Collector mode only) Fixed a disk issue that occurred after an upgrade to PAN-OS 10.2, which prevented the ElasticSearch process from starting and left the dedicated log collector unable to write new logs to its logging disks.
Addressed
10.1.7
PAN-183270
Fixed an issue where a bootstrapped firewall connected only to the first log collector in a log collector group.
Addressed
10.1.7
PAN-183184
Fixed an issue where enabling SSL decryption with a Hardware Security Module (HSM) caused a dataplane restart.
Addressed
10.1.7
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.1.7
PAN-182951
Fixed an issue where commits remained at 98% for an hour and then failed.
Addressed
10.1.7
PAN-182539
Fixed an issue with Panorama appliances in HA configurations where dedicated log collectors did not send local system or configuration logs to both Panorama appliances.
Addressed
10.1.7
PAN-182212
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps values as 0.
Addressed
10.1.7
PAN-182173
(Panorama appliances in HA configurations only) Fixed an issue where, when using Prisma Access multitenancy, the passive appliance didn't correctly update the tenant information after the tenant was deleted on the active appliance.
Addressed
10.1.7
PAN-182087
Fixed an issue where commit failures occurred because validity checks performed against self-signed certificates did not evaluate the Authority Key Identifier and Subject Key Identifier fields.
Addressed
10.1.7
PAN-180863
Fixed an issue where the authentication key was mandatory on the firewall to remove Panorama server details.
Addressed
10.1.7
PAN-179750
A CLI command was added to set the virtual memory limit in dedicated log collectors.
Addressed
10.1.7
PAN-179543
Fixed an issue where the flow_mgmt process stopped responding when attempting to clear the session table, which caused the dataplane to restart.
Addressed
10.1.7
PAN-179295
Fixed an issue where report generation did not work as expected due to missed parameters being passed during inter-daemon communication.
Addressed
10.1.7
PAN-178243
Fixed an issue where Shared Gateway was not visible in the Virtual System drop-down when configuring a Layer 3 aggregate subinterface.
Addressed
10.1.7
PAN-178194
Fixed an issue with the web interface where, when only the Advanced URL Filtering license was activated, the message License required for URL filtering to function was incorrectly displayed and the URL Filtering Profile > Inline ML section was disabled.
Addressed
10.1.7
PAN-177861
Fixed an issue with User-ID redistribution where a system log with severity of High was generated each time a commit was performed. This issue occurred because all UIA agent connections were reset after each commit.
Addressed
10.1.7
PAN-177482
Fixed an issue where ACC > App Scope > Threat Monitor showed NO DATA TO DISPLAY.
Addressed
10.1.7
PAN-176703
Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later release where commits to the firewall configuration failed with the following error message: statistics-service is invalid.
Addressed
10.1.7
PAN-175236
Fixed an issue in the template stack where you were unable to add routes under GlobalProtect > Gateway > Satellite > Network Settings.
Addressed
10.1.7
PAN-174809
Fixed an issue where a process ( all_pktproc ) restarted.
Addressed
10.1.7
PAN-174489
Fixed a source user mismatch issue that occurred when the same name was set as the actual domain for the overriding domain.
Addressed
10.1.7
PAN-173373
(VM-Series firewalls in NSX-T deployments only) Fixed an issue where deployments dropped packets with the counter pan_netx_send_pkt error.
Addressed
10.1.7
PAN-172834
Fixed a memory leak issue related to the useridd process that occurred when processing IP-address-to-username mappings.
Addressed
10.1.7
PAN-172501
Fixed an issue where you were unable to revert HA mode settings to the default values from the web interface.
Addressed
10.1.7
PAN-171714
Fixed an issue where, when NetBIOS format (domain\user) was used for the IP address-to-username mapping and the firewall received the group mapping information from the Cloud Identity Engine, the firewall did not match the user to the correct group.
Addressed
10.1.7
PAN-171690
Fixed an issue where logs were not displayed in GlobalProtect Deployment Activity, with the message No data to display, even though they were displayed in the Monitor tab.
Addressed
10.1.7
PAN-171497
Fixed an issue where, after a local user group was updated by adding or removing users, the local user group was removed from groupdb.
Addressed
10.1.7
PAN-171159
Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules.
Addressed
10.1.7
PAN-169153
Fixed an issue where LDAP connections over TLS failed with an untrusted certificate error even though the Verify Server Certificate for SSL sessions option was not selected.
Addressed
10.1.7
PAN-168005
Fixed an issue where GlobalProtect was unable to connect to the gateway and displayed the error message Could not connect to the gateway. The device or features requires a GlobalProtect subscription license even though the gateway firewall had a valid gateway license.
Addressed
10.1.7
PAN-163906
Fixed an issue where commits failed due to a non-configuration error.
Addressed
10.1.7
PAN-163828
Fixed an issue where path MTU discovery did not work when the MTU was not configured manually on the tunnel interface.
Addressed
10.1.7
PAN-163261
Fixed an intermittent issue where the firewall dropped GTPv2 Modify Bearer Request packets with the following error message: Abnormal GTPv2-C message with missing mandatory IE.
Addressed
10.1.7
PAN-160238
Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
Addressed
10.1.7
PAN-157215
Fixed an issue that occurred when two FQDNs were resolved to the same IP address and were configured as the same src/dst of the same rule. If one FQDN was later resolved to a different IP address, the IP address resolved for the second FQDN was also changed, which caused traffic with the original IP address to hit the incorrect rule.
Addressed
10.1.7
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Known
10.1.8
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.8
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.8
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.8
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.8
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.8
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.8
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.8
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.8
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.8
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.8
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.8
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.8
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.8
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.8
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.8
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin
debug elasticsearch es-restart all
Known
10.1.8
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.8
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.8
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.8
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.8
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.8
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.8
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin>
request certificate fetch
Known
10.1.8
PAN-208189
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.8
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.8
PAN-206243
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.8
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin>
request restart software
Known
10.1.8
PAN-202339
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
The VM-Series firewall on AWS might display reduced throughput of SSL traffic.
Known
10.1.8
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.8
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.8
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup (for example, when resolving IP addresses to domain names using the Resolve Hostname feature) can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround:
Provide a DNS server setting for the firewall (Device > DNS Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.8
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.8
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.8
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.8
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.1.8
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.8
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.8
PAN-194202
(PA-5450 firewall only) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.8
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.8
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server, Panorama enters a non-functional state due to the php.debug.log file taking up too much space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser you are logged into the Panorama web interface, enter the following URL: https://<panorama_ip>/debug
  2. Uncheck (disable) Debug or Clear Debug.
  3. (HA configuration) Repeat this step on each Panorama high availability (HA) peer if Panorama is in an HA configuration.
Known
10.1.8
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.8
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.8
PAN-179888
On the Panorama management server, the managed firewall Power Supplies field (Panorama > Managed Devices > Health) displays an incorrect count of power supplies.
Known
10.1.8
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.8
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.8
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.8
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require them. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.8
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.8
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.8
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.8
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.8
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.8
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if the configuration is disabled and the firewall is rebooted. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround: Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.8
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.8
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.8
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of the screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.8
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.8
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.8
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.8
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.8
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.8
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.8
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.8
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.8
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.8
PAN-164841
A Panorama virtual appliance deployed on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) using the PAN-OS 10.1.0-b6 release deploys successfully but is inaccessible.
Known
10.1.8
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.8
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.8
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.8
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.8
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens in which you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude the deactivated licenses and does not close.
Workaround: Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.8
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer.
Known
10.1.8
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups value in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.8
PAN-161451
If you issue the command opof stats, the DPDK counters occasionally report zero packet and byte counts. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.8
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if a tunnel content inspection (TCI) policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a TCI policy.
Known
10.1.8
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.8
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.8
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround: Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         2    0    0    0    0    0    2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name      1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf         1    1    0    0    0    0    2
Known
10.1.8
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.8
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.8
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.8
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.8
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.8
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.8
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.8
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1 (refer to the hardware end-of-life dates).
Known
10.1.8
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.8
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.8
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.8
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.8
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.8
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.8
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.8
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.8
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.8
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.8
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.8
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.8
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.8
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.8
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.8
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in delayed log queries and log ingestion.
Known
10.1.8
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.8
PAN-135742
In HTTP/2 session decryption, the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.8
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.8
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.8
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.8
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.8
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.8
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.8
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.8
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format:
2001:DB9:85A3:0:0:8A2E:370:2
Known
10.1.8
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.8
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall devsrvr process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.8
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.8
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.8
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.8
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.8
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.8
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
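The release notes do not show what such a request looks like, so the following is an added example, not code from the release notes or from Palo Alto Networks. It builds the User-ID uid-message that the XML API user-id endpoint accepts for unregistering tags from a subnet or a range, validates each target before it is placed in the document, and prepares the POST body with the key kept out of the URL. The firewall host and API key are placeholders, and the subnet, range and tag names are constructed sample input.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Placeholders (assumptions, not values from the release notes): the firewall
# to target and an API key for a dedicated, least-privilege XML API admin.
FIREWALL_HOST = "firewall.example.invalid"
API_KEY = "PLACEHOLDER-API-KEY"


def validate_target(target):
    """Accept a host address, a CIDR subnet, or a 'start-end' range.

    Raises ValueError on anything else, so a typo cannot silently unregister
    tags from the wrong object.
    """
    if "-" in target:
        start, end = target.split("-", 1)
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a.version != b.version or a > b:
            raise ValueError(f"invalid range: {target}")
    elif "/" in target:
        ipaddress.ip_network(target, strict=True)
    else:
        ipaddress.ip_address(target)


def build_unregister_payload(entries):
    """Build a uid-message (version 2.0, type update) with an <unregister>
    block. `entries` maps an IP, subnet or range to the tags to remove from
    it. Returns the XML document as a string.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    unregister = ET.SubElement(ET.SubElement(root, "payload"), "unregister")
    for target, tags in entries.items():
        validate_target(target)
        entry = ET.SubElement(unregister, "entry", ip=target)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_request(entries):
    """Return (url, form_body) for the XML API user-id endpoint.

    The key and the cmd document go in the POST body rather than the query
    string so they do not end up in web-server or proxy access logs.
    """
    url = f"https://{FIREWALL_HOST}/api/"
    body = urlencode({"type": "user-id", "key": API_KEY,
                      "cmd": build_unregister_payload(entries)})
    return url, body


def unregistered_targets(xml_text):
    """Parse a uid-message back into (ip, [tags]) pairs for review before
    the request is sent."""
    root = ET.fromstring(xml_text)
    return [(e.get("ip"), [m.text for m in e.iter("member")])
            for e in root.iterfind("./payload/unregister/entry")]


if __name__ == "__main__":
    # Constructed sample: a subnet and a range that a dynamic address group
    # matched on by tag and that can no longer be unregistered from the GUI.
    sample = {"10.20.30.0/24": ["quarantine"],
              "192.0.2.10-192.0.2.20": ["lab", "temp"]}
    url, body = build_request(sample)
    print(url)
    for ip, tags in unregistered_targets(build_unregister_payload(sample)):
        print(ip, tags)
```

Review the parsed list before posting the body with your HTTP client of choice; the firewall answers with a status element indicating success or the error it hit.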
Known
10.1.8
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.8
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.8
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.8
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.8
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.8
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.8
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.8
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.8
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.8
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.8
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.8
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.8
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.8
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.8
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.8
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.8
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.8
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.8
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.8
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.8
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.8
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.8
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.8
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.8
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.8
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.8
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.8
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.8
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.8
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.8
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.8
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.8
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.8
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.8
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.8
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.8
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.8-h7
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.8-h7
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.8-h7
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.8-h7
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.8-h7
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.8-h6
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.8-h6
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.8-h2
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.1.8-h2
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.1.8-h2
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.1.8-h2
PAN-206251
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.1.8-h2
PAN-205735
Fixed an issue where the mgmtsrvr process stopped responding, which caused the Panorama web interface to become inaccessible and return a 504 Gateway Not Reachable page.
Addressed
10.1.8-h2
PAN-205030
Fixed an issue where, when a session that hit a policy-based forwarding rule with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.1.8-h2
PAN-204335
Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.
Addressed
10.1.8-h2
PAN-203851
Fixed an issue with firewalls in high availability (HA) configurations where host information profile (HIP) sync did not work between the active primary firewall and the active secondary firewall.
Addressed
10.1.8-h2
PAN-203653
Fixed an issue where dynamic updates were completed even when configuration commits failed, which caused the all_task process to stop responding.
Addressed
10.1.8-h2
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
Addressed
10.1.8-h2
PAN-203402
Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.
Addressed
10.1.8-h2
PAN-203244
Fixed a path monitoring issue that caused traffic degradation.
Addressed
10.1.8-h2
PAN-202783
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.1.8-h2
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.1.8-h2
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.1.8-h2
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.1.8-h2
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.1.8-h2
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.1.8-h2
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.1.8-h2
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.8-h2
PAN-201858
Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic.
Addressed
10.1.8-h2
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.1.8-h2
PAN-198718
(PA-5280 firewalls only) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.1.8-h2
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.1.8-h2
PAN-196261
Fixed an issue where the system logs reported an inter-lc disconnection once every minute.
Addressed
10.1.8-h2
PAN-194704
Fixed an issue with SIP ALG where improper NAT was applied when Destination NAT ran out of IP addresses.
Addressed
10.1.8-h2
PAN-194068
(PA-5200 Series firewalls only) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously.
Addressed
10.1.8-h2
PAN-193928
Fixed an intermittent issue where GlobalProtect logs were not visible under device groups (Mobile_User_Device_Group).
Addressed
10.1.8-h2
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.1.8-h2
PAN-191408
Fixed an issue where the firewall did not correctly receive dynamic address group information from Panorama after a reboot or initial connection.
Addressed
10.1.8-h2
PAN-184766
(PA-5450 firewalls only) Fixed an issue where the control packets for BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not assigned a QoS value of 5.
Addressed
10.1.8-h2
PAN-183757
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where uneven distribution of sessions caused packet latency.
Addressed
10.1.8-h2
PAN-172452
Fixed an issue where the log file did not include all logs.
Addressed
10.1.8-h2
PAN-171143
Fixed an issue where tech support files did not collect DP3 logs.
Addressed
10.1.8-h2
PAN-167288
Fixed an issue with the pan_task process that caused the queue to build up.
Addressed
10.1.8
PAN-204830
Fixed an issue where logging in via the web interface or CLI did not work until an auto-commit was complete.
Addressed
10.1.8
PAN-203598
Fixed an issue where, when tunnel content inspection was enabled for VXLAN, ARP over VXLAN packets were dropped.
Addressed
10.1.8
PAN-201872
Fixed an issue where SMB performance caused overall network latency after an upgrade.
Addressed
10.1.8
PAN-201818
Fixed an issue where INIT SCTP packets were dropped after being processed by the CTD, and silent drops occurred even with SCTP no-drop function enabled.
Addressed
10.1.8
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.1.8
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.1.8
PAN-199726
Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.
Addressed
10.1.8
PAN-199570
Fixed an issue where uploading certificates using a custom admin role did not work as expected after a context switch.
Addressed
10.1.8
PAN-199099
Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate.
Addressed
10.1.8
PAN-198871
Fixed an issue where, when both URL and Advanced URL licenses were installed, the expiry date was not checked correctly.
Addressed
10.1.8
PAN-198733
(PA-5450 firewalls only) Fixed an issue where tcpdump was hardcoded to eth0 instead of bond0.
Addressed
10.1.8
PAN-198266
Fixed an issue where, when predicts for UDP packets were created, a configuration change triggered a new policy lookup, which caused the dataplane to stop responding when converting the predict. This resulted in a dataplane restart.
Addressed
10.1.8
PAN-198078
Fixed an issue where VXLAN keepalive packets were dropped randomly.
Addressed
10.1.8
PAN-197576
Fixed an issue where commits pushed from Panorama caused a memory leak related to the mgmtsrvr process.
Addressed
10.1.8
PAN-197386
Fixed an issue where traffic that was subject to network packet broker inspection entered a looping state due to incorrect session offload.
Addressed
10.1.8
PAN-196704
Fixed an issue where Preview Changes on Panorama Push to Devices incorrectly displayed changes to encrypted entries.
Addressed
10.1.8
PAN-196583
Fixed an issue where the Cisco TrustSEc plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.1.8
PAN-196558
Fixed an issue where IP address tag policy updates were delayed.
Addressed
10.1.8
PAN-196131
Fixed an issue where the comm process stopped responding when a show command was executed in two sessions.
Addressed
10.1.8
PAN-195107
(PA-7000 Series firewalls with LFCs only) Fixed an issue where the IP address of the LFC displayed as unknown.
Addressed
10.1.8
PAN-194795
Fixed an issue where a dataplane 1 VCCIO voltage fluctuation triggered the chassis master alarm.
Addressed
10.1.8
PAN-194615
Fixed an issue where the packet broker session timeout value did not match the master session timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that the broker session times out within 1 second after the master session times out.
Addressed
10.1.8
PAN-194441
Fixed an issue where the dataplane CPU usage was higher than expected due to packet looping in the broker session when the network packet broker was enabled.
Addressed
10.1.8
PAN-189720
Fixed an issue where commits failed when downgrading a Panorama appliance running a PAN-OS 10.1 release to a PAN-OS 10.0 release.
Addressed
10.1.8
PAN-189429
Fixed a memory leak that occurred when enabling XFF (x-forwarded-for) logging in a Security policy.
Addressed
10.1.8
PAN-189270
Fixed an issue that caused a memory leak on the reportd process.
Addressed
10.1.8
PAN-188118
Fixed an issue with firewalls in FIPS mode that prevented device telemetry from connecting.
Addressed
10.1.8
PAN-181759
(Firewalls in active/active HA configurations only) Fixed an issue where firewall configuration files were not synced.
Addressed
10.1.8
PAN-180039
Fixed an issue in PAN-OS 10.0.9 where executing the CLI command show transceiver-detail all resulted in the following error message: An error occurred. See dagger.log for information.
Addressed
10.1.8
PAN-178613
(PA-400 Series firewalls only) Fixed an issue where multiple restarts related to the all_task process occurred.
Known
10.1.9
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.9
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.9
—
PA-220 firewalls experience slower web interface and CLI response times.
Known
10.1.9
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.9
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.9
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.9
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.9
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.9
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.9
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum limit of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 on the worker nodes.
Known
10.1.9
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.9
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.9
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command: debug software restart process web-server
Known
10.1.9
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.9
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.9
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.9
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.1.9
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.9
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.9
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.9
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
  • log-start eq no
  • log-end eq no
  • log-end eq yes
Known
10.1.9
PAN-216314
This issue is now resolved. See PAN-OS 10.1.9-h3 Addressed Issues.
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 or 10.1.9-h1, use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the CLI command debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value to zero (0).
Known
10.1.9
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.9
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.9
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.9
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error: total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.9
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
The following NextGen firewalls are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.1.9
PAN-208189
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.9
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues.
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.1.9
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
10.1.9
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C, where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.9
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.1.9
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A, and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.9
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.9
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.9
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command: debug software restart process log-receiver
Known
10.1.9
PAN-194202
(PA-5450 firewall only) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.9
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.9
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.9
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.9
PAN-179888
On the Panorama management server, the Power Supplies column for managed firewalls (Panorama > Managed Devices > Health) displays an incorrect count of power supplies.
Known
10.1.9
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.9
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses: license request fetch
Known
10.1.9
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.9
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.9
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.9
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.9
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.9
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.9
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.9
PAN-171635
If you have an on-premises Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if the configuration is disabled and the firewall is rebooted. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.9
PAN-171224
On the Panorama management server, a custom report (Monitor > Manage Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.9
PAN-171145
If you edit or remove the value of the mail attribute in your on-premises Active Directory, the change may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.9
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of the screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.9
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.9
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.9
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud through a management port that has an explicit proxy configured is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.9
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.9
PAN-167847
If you issue the opof stats command and then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.9
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.9
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.9
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.9
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.9
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.9
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.9
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.9
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.9
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.9
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens in which you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude the deactivated licenses, nor does it close.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.9
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in its count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine, because users are counted as groups in the No. of Groups field. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.9
PAN-161451
If you issue the opof stats command, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.9
PAN-160633
This issue is now resolved. See PAN-OS 10.1.10-h2 Addressed Issues.
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) The dataplane restarts repeatedly due to internal path monitoring failures until a power cycle.
Known
10.1.9
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if a TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.9
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.9
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors on the downgraded firewall if you do not uninstall the Enterprise DLP plugin before the downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.9
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the debug dataplane pow status command to view the number of channels being utilized by the dataplane:
  Per pan-task Netx statistics
  Counter Name     1  2  3  4  5  6  Total
  ---------------------------------------------
  ready_dvf        2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the debug dataplane pow status command again. It should now show multiple channels being utilized:
  Per pan-task Netx statistics
  Counter Name     1  2  3  4  5  6  Total
  ---------------------------------------------
  ready_dvf        1  1  0  0  0  0  2
Known
10.1.9
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.9
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.9
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.9
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After a successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.9
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.9
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though the jobs that generate reports from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group are still in a Running state.
Known
10.1.9
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.9
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.9
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.9
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.9
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.9
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.9
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.9
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
  ( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.9
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.9
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.9
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.9
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.9
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.9
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.9
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
  ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.9
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.9
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.9
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in delays in log queries and log ingestion.
Known
10.1.9
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.9
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.9
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.9
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when they are created from the CLI.
Known
10.1.9
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.9
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.9
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.9
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.9
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.9
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity only supports the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.9
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.9
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.9
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.9
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.9
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.9
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.9
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.9
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.9
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.9
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.9
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.9
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.9
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.9
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.9
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.9
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.9
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
  debug object registered-ip clear all
Known
10.1.9
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the following command on a managed firewall only returns address and address group objects pushed from the Shared device group:
  show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
Workaround:
Specify the vsys in the query string:
  admin> set system target-vsys <vsys-name>
  admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.9
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.9
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.9
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.9
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.9
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the following CLI command:
  set system setting dpdk-pkt-io off
Known
10.1.9
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.9
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.9
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.9
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.9
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.9
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.9
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.9
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.9
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the following CLI command:
  set session udp-off load no
Known
10.1.9
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.9
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.9
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.9
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.9
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.9
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.9
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (that is, you neither enabled nor disabled advertising of the DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.9
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.9
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.9
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.9
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.9
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.9
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.9-h8
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.9-h8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.9-h8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.9-h8
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.9-h8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.9-h6
PAN-222712
(PA-5450 firewalls only) Fixed a low-frequency DPC restart issue.
Addressed
10.1.9-h3
PAN-217431
(PA-5400 Series firewalls with DPC (Data Processing Cards) only) Fixed an issue with slot 2 DPCs where URL filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.1.9-h3
PAN-216710
Fixed an issue with firewalls in active/active high availability configurations where GlobalProtect disconnected when the original suspected Active-Primary firewall became Active-Secondary.
Addressed
10.1.9-h3
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.1.9-h3
PAN-216314
(PA-3200 Series firewalls only) Fixed an issue where, after upgrading to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application traffic sessions disconnected even when a session was active. This occurred due to the application default session timeout value being exceeded.
Addressed
10.1.9-h3
PAN-216036
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to enter a nonfunctional state.
Addressed
10.1.9-h3
PAN-215488
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Addressed
10.1.9-h3
PAN-215461
Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.
Addressed
10.1.9-h3
PAN-214331
Fixed an issue on Panorama where the configd process stopped responding when a content update for a managed firewall was run using the scheduler.
Addressed
10.1.9-h3
PAN-211870
Fixed an issue where path monitoring failure occurred, which caused high availability failover.
Addressed
10.1.9-h3
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
10.1.9-h3
PAN-208189
Fixed an issue where traffic failed to match and reach all destinations if a Security policy rule included FQDN objects that resolved to two or more IP addresses.
Addressed
10.1.9-h3
PAN-207455
Fixed an issue where the pan_task process stopped responding when processing client certificate requests from the server in TLS1.3.
Addressed
10.1.9-h1
PAN-213661
Fixed an issue where memory allocation failure caused dataplane processes to restart. This issue occurred when decryption was enabled and the device was under heavy L7 usage.
Addressed
10.1.9-h1
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.1.9-h1
PAN-210327
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.
Addressed
10.1.9-h1
PAN-209069
Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field were not logged when the IP address contained an associated port number.
Addressed
10.1.9-h1
PAN-209021
Fixed an issue where packets were fragmented when an SD-WAN VPN tunnel was configured on aggregate Ethernet interfaces and subinterfaces.
Addressed
10.1.9-h1
PAN-208987
(PA-5400 Series only) Fixed an issue where packets were not transmitted from the firewall if their fragments were received on different slots. This occurred when the members of an aggregate Ethernet (AE) interface were placed on different slots.
Addressed
10.1.9-h1
PAN-207740
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.9-h1
PAN-207400
Fixed an issue on Octeon-based platforms where fragmented VLAN-tagged packets were dropped on an aggregate interface.
Addressed
10.1.9-h1
PAN-205255
Fixed a rare issue that caused the dataplane to restart unexpectedly.
Addressed
10.1.9-h1
PAN-203137
(PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.1.9-h1
PAN-186412
Fixed an issue where an invalid packet-ptr was seen in work entries.
Addressed
10.1.9
WIF-707
Fixed an issue where, when connections from the firewall to the cloud took longer than expected, the connection timed out. With this fix, the timeout was extended to accommodate slower networks.
Addressed
10.1.9
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
Addressed
10.1.9
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Cortex Data Lake with the error message send the file to CDL receiver failed.
Addressed
10.1.9
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
Addressed
10.1.9
PAN-209226
Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.
Addressed
10.1.9
PAN-209036
Fixed an issue where the dataplane restarted, which led to slot failures occurring and a core file being generated.
Addressed
10.1.9
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.1.9
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.1.9
PAN-208711
(PA-5200 Series firewalls only) The CLI command debug dataplane set pow no-desched yes/no was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.1.9
PAN-208537
Fixed an issue where the licensed-device-capacity was reduced when multiple device management license key files were present.
Addressed
10.1.9
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
Addressed
10.1.9
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
Addressed
10.1.9
PAN-208037
Fixed an issue where NAT64 traffic using the reserved prefix
64:ff9b::/96
was incorrectly dropped when
strict-ip-check
was enabled under zone protection.
Addressed
10.1.9
PAN-207983
Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.
Addressed
10.1.9
PAN-207940
Fixed an issue on platforms with RAID where weekly disk checks caused logs to incorrectly state that the RAID was rebuilding.
Addressed
10.1.9
PAN-207891
Fixed an issue on Panorama where log migration did not complete after an upgrade.
Addressed
10.1.9
PAN-207738
Fixed an issue where the ocsp-next-update-time CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
Addressed
10.1.9
PAN-207623
Fixed an issue on Panorama where log migration did not complete as expected.
Addressed
10.1.9
PAN-207610
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Log Admin Activity was not visible on the web interface.
Addressed
10.1.9
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
Addressed
10.1.9
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
Addressed
10.1.9
PAN-207260
Fixed an issue where commit operations performed by a Device Group and Template administrator reverted the passwords of other users in the same role.
Addressed
10.1.9
PAN-207045
(PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
Addressed
10.1.9
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
Addressed
10.1.9
PAN-206755
Fixed an issue where, when a scheduled multi-device-group push occurred, the configd process stopped responding, which caused the push to fail.
Addressed
10.1.9
PAN-206684
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0 release to a PAN-OS 10.1 release, the firewall did not duplicate logs to local log collectors or to Cortex Data Lake when a device certificate was already installed.
Addressed
10.1.9
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.1.9
PAN-206629
(VM-Series firewalls in AWS environments only) Fixed an issue where newly bootstrapped firewalls did not forward logs to Panorama.
Addressed
10.1.9
PAN-206393
(PA-5280 firewalls only) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
Addressed
10.1.9
PAN-206251
(PA-7000 Series firewalls with LFCs only) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.1.9
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
Addressed
10.1.9
PAN-206077
Fixed an issue on firewalls in active/active high availability (HA) configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.
Addressed
10.1.9
PAN-206017
Fixed an issue where the show dos-protection rule command displayed a character limit error.
Addressed
10.1.9
PAN-205877
(PA-5450 firewalls only) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
Addressed
10.1.9
PAN-205805
Fixed an issue where Generic Routing Encapsulation (GRE) traffic was allowed in only one direction when tunnel content inspection (TCI) was enabled.
Addressed
10.1.9
PAN-205729
(PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
Addressed
10.1.9
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
Addressed
10.1.9
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
Addressed
10.1.9
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Addressed
10.1.9
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
Addressed
10.1.9
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
Addressed
10.1.9
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.1.9
PAN-205222
Fixed an issue where you were unable to add a new application in a selected policy rule.
Addressed
10.1.9
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs (Monitor > Logs > <logtype>).
Addressed
10.1.9
PAN-205123
Fixed an issue where the pan_task process stopped responding due to a timing issue during ECDSA processing.
Addressed
10.1.9
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
Addressed
10.1.9
PAN-205030
Fixed an issue where, when a session that matched a policy-based forwarding rule with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.1.9
PAN-204952
Fixed an issue where the GlobalProtect portal continued to generate new authentication cookies even when a user had already authenticated with a valid cookie.
Addressed
10.1.9
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.1.9
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.1.9
PAN-204582
Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.
Addressed
10.1.9
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
Addressed
10.1.9
PAN-204575
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the firewall did not forward logs to the log collector.
Addressed
10.1.9
PAN-204482
Fixed an issue where searching threat logs (Monitor > Logs > Threat) using the partial hash parameter did not work, which resulted in an invalid operator error.
Addressed
10.1.9
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
Addressed
10.1.9
PAN-204271
Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.
Addressed
10.1.9
PAN-204238
Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll down arrow for navigation.
Addressed
10.1.9
PAN-204216
Fixed an issue where URL categorization failed and the firewall displayed the URL category as not-resolved for all traffic, and the following error message was displayed in the device server logs: Error(43): A libcurl function was given a bad argument.
Addressed
10.1.9
PAN-204118
Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.
Addressed
10.1.9
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
Addressed
10.1.9
PAN-203984
Fixed an issue where the logrcvr process restarted after the firewall was power cycled or rebooted.
Addressed
10.1.9
PAN-203964
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error.
Addressed
10.1.9
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
Addressed
10.1.9
PAN-203796
Fixed an issue where legitimate SYN+ACK packets were dropped after an invalid SYN+ACK packet was received.
Addressed
10.1.9
PAN-203681
(Panorama appliances in FIPS-CC mode only) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
Addressed
10.1.9
PAN-203618
Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.
Addressed
10.1.9
PAN-203563
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a CUSTOM_UPDATE_BLOCK error message.
Addressed
10.1.9
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
Addressed
10.1.9
PAN-203430
Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
Addressed
10.1.9
PAN-203362
Fixed an issue where the rasmgr process restarted due to a null reference.
Addressed
10.1.9
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
Addressed
10.1.9
PAN-203320
Fixed an issue where, when the firewall was configured to connect to Panorama using an auth key that was created without first adding the managed firewall to Panorama, the auth key was incorrectly decremented.
Addressed
10.1.9
PAN-203244
Fixed a path monitoring issue that caused traffic degradation.
Addressed
10.1.9
PAN-203147
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
Addressed
10.1.9
PAN-202918
Fixed an issue where processing route-table entries did not work as expected.
Addressed
10.1.9
PAN-202722
Fixed an issue where the factor completion time for login events learned through XML API displayed as 1969/21/31 19:00:00.
Addressed
10.1.9
PAN-202593
Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.
Addressed
10.1.9
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.1.9
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.1.9
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.1.9
PAN-202339
(VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall displayed reduced throughput of SSL traffic.
Addressed
10.1.9
PAN-202295
Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.
Addressed
10.1.9
PAN-202282
Fixed an issue where stats dump files did not display all necessary reports.
Addressed
10.1.9
PAN-202264
(VM-Series firewalls only) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.
Addressed
10.1.9
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
Addressed
10.1.9
PAN-202247
Fixed an issue with firewalls in HA configurations where the firewall dropped IKE SA connections if the peer firewall received an INVALID_SPI message. This occurred even though no IKE SA was associated with the SPI in the received INVALID-SPI payload.
Addressed
10.1.9
PAN-202208
Fixed an issue where high CPU was experienced when requests from the dataplane to the management plane for username and User ID timed out.
Addressed
10.1.9
PAN-202194
Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.
Addressed
10.1.9
PAN-202140
Fixed an issue where the comm process stopped responding due to an OOM condition.
Addressed
10.1.9
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.1.9
PAN-202040
(PA-220 firewalls only) Fixed an issue where ECDSA fingerprints were not displayed.
Addressed
10.1.9
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.1.9
PAN-201954
Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had device_tags selected in the target section.
Addressed
10.1.9
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Addressed
10.1.9
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.9
PAN-201701
Fixed an issue where the firewall generated system log alerts if the raid for a system or log disk was corrupted.
Addressed
10.1.9
PAN-201639
Fixed an issue with SaaS Application Usage reports where Applications with Risky Characteristics displayed only two applications per section.
Addressed
10.1.9
PAN-201632
Fixed an issue where the all_task process stopped responding with a segmentation fault due to an invalid interface port.
Addressed
10.1.9
PAN-201587
Fixed an issue where the App Pcaps directory size was incorrectly detected, which caused commit errors.
Addressed
10.1.9
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
Addressed
10.1.9
PAN-201360
Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.
Addressed
10.1.9
PAN-201189
Added the max-kb filter for the show session info CLI command to troubleshoot instances when the firewall went down due to software packet buffer depletion.
Addressed
10.1.9
PAN-201136
Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.
Addressed
10.1.9
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.1.9
PAN-200845
(M-600 Appliances in Management-only mode only) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
Addressed
10.1.9
PAN-200822
Fixed an issue where reports were not generated in the docm file type.
Addressed
10.1.9
PAN-200775
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where negotiation and speed were not displayed on Ethernet interfaces.
Addressed
10.1.9
PAN-200463
Fixed an issue where disabling strict-username-check did not apply to admin users authenticating with SAML.
Addressed
10.1.9
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
Addressed
10.1.9
PAN-200116
Fixed an issue where Elasticsearch displayed RED due to frequent tunnel check failures between HA clusters.
Addressed
10.1.9
PAN-200102
Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.
Addressed
10.1.9
PAN-200095
Fixed an issue where Panorama troubleshooting tests for log collector connectivity did not return results from log collectors running PAN-OS 10.1 releases.
Addressed
10.1.9
PAN-200035
Fixed an issue where the firewall reported General TLS Protocol Error for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.
Addressed
10.1.9
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
Addressed
10.1.9
PAN-199661
(VM-Series firewalls in ESXi environments only) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP alerts. This occurred when the driver name was not compatible with new DPDK versions.
Addressed
10.1.9
PAN-199612
Fixed a sync issue with firewalls in active/active HA configurations.
Addressed
10.1.9
PAN-199500
Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.
Addressed
10.1.9
PAN-199410
Fixed an issue where system logs for syslog activities were categorized as general under the Type and EVENT columns.
Addressed
10.1.9
PAN-199214
Fixed an intermittent issue where downloading threat pcap via XML API failed with the following error message: /opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist.
Addressed
10.1.9
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
10.1.9
PAN-199052
(
PA-800 Series firewalls only
) Fixed an issue where commit operations took longer than expected. This fix improves the completion time for commit operations.
Addressed
10.1.9
PAN-198920
Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.
Addressed
10.1.9
PAN-198889
Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 release and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.
Addressed
10.1.9
PAN-198718
(PA-5280 firewalls only) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.1.9
PAN-198691
Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where /php/login.php performance was slow when large amounts of traffic were being processed.
Addressed
10.1.9
PAN-198575
Fixed an issue where data did not load when filtering by Threat Name (ACC > Threat Activity).
Addressed
10.1.9
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
Addressed
10.1.9
PAN-198187
Fixed an issue where system logs (Monitor > System) did not display the commit description after performing a commit and push to multiple device groups from Panorama.
Addressed
10.1.9
PAN-198174
Fixed an issue where, when viewing traffic or threat logs from the Application Command Center (ACC) or Monitor tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.
Addressed
10.1.9
PAN-198050
Fixed an issue where Connection to update server is successful messages displayed even when connections failed.
Addressed
10.1.9
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.1.9
PAN-197953
Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.
Addressed
10.1.9
PAN-197935
Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.
Addressed
10.1.9
PAN-197919
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
Addressed
10.1.9
PAN-197877
Fixed an intermittent issue on Panorama where the distributord process stopped responding.
Addressed
10.1.9
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
Addressed
10.1.9
PAN-197859
Fixed an issue on firewalls running LSVPN with tunnel monitoring enabled where, after an upgrade to PAN-OS 9.1.14 or a later PAN-OS release, LSVPN tunnels flapped.
Addressed
10.1.9
PAN-197847
Fixed an issue where disabling the enc-algo-aes-128-gcm cipher did not work when using an SSL/TLS profile.
Addressed
10.1.9
PAN-197737
Fixed an issue where the connection to the PAN-DB server failed with the following error message: Failed to send req type[3], curl error: Couldn't resolve host name.
Addressed
10.1.9
PAN-197729
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
Addressed
10.1.9
PAN-197678
Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.
Addressed
10.1.9
PAN-197649
Fixed an issue where failure logs for slot restarts caused by internal path monitoring contained no debug logs.
Addressed
10.1.9
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.1.9
PAN-197426
Fixed an issue on Panorama where, when attempting to view the Monitor page, the error invalid term was displayed.
Addressed
10.1.9
PAN-197383
Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after every reboot.
Addressed
10.1.9
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
Addressed
10.1.9
PAN-197219
Fixed an issue where the following error message was not sent from multi-factor authentication PingID and did not display in the browser: Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key:<key>. To connect, type "ok".
Addressed
10.1.9
PAN-197203
Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.
Addressed
10.1.9
PAN-197121
Fixed an issue where incorrect user details were displayed under the USER DETAIL drop-down (ACC > Network activity > User activity).
Addressed
10.1.9
PAN-197097
Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.
Addressed
10.1.9
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.1.9
PAN-196895
Fixed a timing issue with updating the cache when upgrading from a PAN-OS 10.0 release to a PAN-OS 10.1 release.
Addressed
10.1.9
PAN-196874
Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.
Addressed
10.1.9
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.
Addressed
10.1.9
PAN-196811
Fixed an issue where logout events without a username caused high CPU usage.
Addressed
10.1.9
PAN-196701
Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.
Addressed
10.1.9
PAN-196566
Fixed an issue where the useridd process restarted repeatedly, which led to an OOM condition.
Addressed
10.1.9
PAN-196559
Fixed an issue where LSVPN satellites continued to allow connections even when the certificate was revoked, the serial number was removed from the GlobalProtect portal, and the satellite was disconnected from the gateway.
Addressed
10.1.9
PAN-196474
Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect ERR_TIME_OUT message instead of an ERR_CONNECTION_RESET message.
Addressed
10.1.9
PAN-196467
Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.
Addressed
10.1.9
PAN-196457
Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.
Addressed
10.1.9
PAN-196452
Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.
Addressed
10.1.9
PAN-196410
Fixed an issue where you were unable to customize the risk value in Risk-of-app.
Addressed
10.1.9
PAN-196404
Fixed an issue where the firewall did not forward IPSec decrypted traffic to a third-party security chain device when the network packet broker feature was enabled.
Addressed
10.1.9
PAN-196398
(PA-7000 Series firewalls with Switch Management Cards (SMC-B) only) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
Addressed
10.1.9
PAN-196309
(PA-5450 firewalls only) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
Addressed
10.1.9
PAN-196261
Fixed an issue where inter-lc disconnected messages were logged once every minute.
Addressed
10.1.9
PAN-196124
Fixed an issue where the log_index process ignored healthy logs and caused system logs to go missing.
Addressed
10.1.9
PAN-196105
Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.
Addressed
10.1.9
PAN-196050
Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.
Addressed
10.1.9
PAN-196001
Fixed an issue where the devsrvr process stopped responding, which caused FQDN objects to not resolve, and, as a result, caused traffic to hit the incorrect Security policy rule.
Addressed
10.1.9
PAN-195869
Fixed an issue where scheduled custom reports based on firewall data did not display any information.
Addressed
10.1.9
PAN-195828
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps values as 0.
Addressed
10.1.9
PAN-195792
Fixed an issue where, when generating a stats dump file for a managed device from Panorama (Panorama > Support > Stats Dump File), the file did not display any data.
Addressed
10.1.9
PAN-195790
Fixed an issue where syslog traffic was sent from the management interface to the syslog server even when a destination IP address service route was configured.
Addressed
10.1.9
PAN-195689
Fixed an issue where WildFire submission logs did not load on the firewall web interface.
Addressed
10.1.9
PAN-195669
Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated CMS Redistribution Client is connected to global collector messages.
Addressed
10.1.9
PAN-195583
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error object name is not an allowed keyword.
Addressed
10.1.9
PAN-195526
Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.
Addressed
10.1.9
PAN-195374
(Firewalls in active/passive HA configurations only) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of every 10 minutes.
Addressed
10.1.9
PAN-195254
(PA-7000 Series firewalls only) Fixed an issue where log queries from an M-Series Panorama appliance or Panorama virtual appliance in Management Only mode to the firewall failed after updating the firewall to a PAN-OS 10.1 release.
Addressed
10.1.9
PAN-195201
Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.
Addressed
10.1.9
PAN-195200
Fixed an issue where Panorama did not attach and email scheduled reports (Monitor > PDF Reports > Email Scheduler) when the size of the email attachments was large.
Addressed
10.1.9
PAN-195114
Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.
Addressed
10.1.9
PAN-195064
Fixed an issue where the log collector did not forward correlation logs to the syslog server.
Addressed
10.1.9
PAN-194912
Fixed an issue where the CLI command show applications list did not return any output.
Addressed
10.1.9
PAN-194812
Fixed an issue where generating reports via XML API failed when the serial number was set as target in the query.
Addressed
10.1.9
PAN-194744
Fixed an issue with log corruption, which caused the log_index process to continually restart.
Addressed
10.1.9
PAN-194737
Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.
Addressed
10.1.9
PAN-194588
(PA-7000 Series firewalls with LFCs, PA-7050 firewalls with SMC-Bs, and PA-7080 firewalls only) Fixed an issue where the logrcvr_statistics output was not recorded in mp-monitor.log.
Addressed
10.1.9
PAN-194456
Fixed an issue where the sysd process disconnected from the pan_dha process after an HA failover or reboot.
Addressed
10.1.9
PAN-194175
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and Share Unused Address and Service Objects with Devices was unchecked.
Addressed
10.1.9
PAN-194093
Fixed an issue on the firewall where the dataplane unexpectedly restarted due to an issue with the all_pktproc process.
Addressed
10.1.9
PAN-194092
Added a debug command to address an issue where, when a new log collector was added to an existing collector group, the ACL was updated for the new log collector but not for the existing ones.
Addressed
10.1.9
PAN-194068
(PA-5200 Series firewalls only) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously.
Addressed
10.1.9
PAN-194043
Fixed an issue where Managed Devices > Summary did not reflect new tag values after an update.
Addressed
10.1.9
PAN-194031
(PA-220 firewalls only) Fixed an issue where system log configurations did not work as expected due to an insufficient process timeout after a logrcvr process restart.
Addressed
10.1.9
PAN-194025
Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.
Addressed
10.1.9
PAN-193928
Fixed an intermittent issue where GlobalProtect logs were not visible under device groups (Mobile_User_Device_Group).
Addressed
10.1.9
PAN-193831
Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.
Addressed
10.1.9
PAN-193818
Fixed an issue where the firewall device server failed to resolve URL cloud FQDNs, which interrupted URL category lookup.
Addressed
10.1.9
PAN-193808
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
Addressed
10.1.9
PAN-193744
(PA-3200 Series firewalls only) Fixed an issue where, when the HA2 HSCI connection was down, the system log displayed Port HA1-b: down instead of Port HSCI: Down.
Addressed
10.1.9
PAN-193733
(Firewalls in multi-vsys environments only) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.
Addressed
10.1.9
PAN-193619
Fixed an issue where air gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.
Addressed
10.1.9
PAN-193558
Fixed an issue where the Multi Disk log retention settings did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.
Addressed
10.1.9
PAN-193396
Fixed an issue where the source user name was displayed in traffic logs even when Show User Names In Logs and Reports was disabled for a custom admin role.
Addressed
10.1.9
PAN-193323
Fixed an issue where root partition utilization reached 100% due to mdb old logs not being purged as expected.
Addressed
10.1.9
PAN-193281
Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.
Addressed
10.1.9
PAN-193245
Fixed an issue that occurred when using syslog-ng forwarding via SSL with a certificate that listed a base Common Name (CN) and multiple Subject Alternative Names (SANs).
Addressed
10.1.9
PAN-193235
Fixed an issue where duplicate log entries were displayed on Panorama.
Addressed
10.1.9
PAN-193043
Fixed an issue where firewalls in Google Cloud Platform (GCP) inserted the hostname as PA-VM in the syslog header instead of the DHCP-assigned hostname when logs were sent to the syslog server.
Addressed
10.1.9
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.1.9
PAN-192431
Fixed an issue where unmanaged tags were set to NULL, which caused unmanaged devices to match the HIP rule for managed devices. As a result, you were unable to distinguish between managed and unmanaged devices.
Addressed
10.1.9
PAN-192296
Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the contents were shrunk and smaller than expected.
Addressed
10.1.9
PAN-192244
Fixed an issue where scheduled log export jobs continued to run even after being deleted.
Addressed
10.1.9
PAN-192193
Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message: Export Error, Error while exporting
Addressed
10.1.9
PAN-192188
(PA-5450 firewalls only) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response.
Addressed
10.1.9
PAN-192130
Fixed an issue where the GlobalProtect client remained in a connecting state when GlobalProtect Client VPN and SAML authentication were enabled.
Addressed
10.1.9
PAN-192092
Fixed an issue with firewalls in active/passive configurations only where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.
Addressed
10.1.9
PAN-192076
Fixed an issue where OpenSSL memory initialization caused unexpected failovers.
Addressed
10.1.9
PAN-191997
Fixed an issue where log queries did not successfully filter the unknown category.
Addressed
10.1.9
PAN-191845
Fixed an issue where the firewall used a locally configured DNS server instead of a DHCP provided one.
Addressed
10.1.9
PAN-191652
Fixed an issue with Prisma Cloud where a commit push failed due to the error Error: failed to handle TDB_UPDATE_BLOCK>.
Addressed
10.1.9
PAN-191463
Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.
Addressed
10.1.9
PAN-191390
(VM-Series firewalls only) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.
Addressed
10.1.9
PAN-191235
Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.
Addressed
10.1.9
PAN-191048
Fixed an issue where Panorama did not push the password hash of the local admin password to managed WildFire appliances.
Addressed
10.1.9
PAN-191032
Fixed an issue on Panorama where Managed Devices displayed Unknown.
Addressed
10.1.9
PAN-190963
Fixed an issue on the firewall interface where Log Collector Status > Device connectivity displayed as error.
Addressed
10.1.9
PAN-190533
Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.
Addressed
10.1.9
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the neq operator.
Addressed
10.1.9
PAN-190454
Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under shared location.
Addressed
10.1.9
PAN-190286
Fixed an issue in the web interface where non-superusers with administrator privileges were unable to see Log Processing Card (LPC) information.
Addressed
10.1.9
PAN-190266
Fixed an issue that caused the all_task process to stop responding at the pan_sdwan_qualify_if_ini function.
Addressed
10.1.9
PAN-190055
(VM-Series firewalls only) Fixed an issue where the firewall did not follow the set Jumbo MTU value.
Addressed
10.1.9
PAN-189960
Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.
Addressed
10.1.9
PAN-189866
Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.
Addressed
10.1.9
PAN-189804
Fixed an issue where editing Panorama settings within a template or template stack required authentication, but adding an authentication key displayed an error.
Addressed
10.1.9
PAN-189783
Fixed an issue where container resource limits were not enforced for all processes when running inside a container.
Addressed
10.1.9
PAN-189755
Fixed an issue where the snmpd process stopped responding, which caused SNMPv3 polling outages.
Addressed
10.1.9
PAN-189723
Fixed an issue where you were unable to configure dynamic address groups to use more than 64,000 IP addresses in a Security policy rule.
Addressed
10.1.9
PAN-189719
Fixed an issue on Panorama where Test Server Connection failed in an HTTP server profile with the following error message: failed binding local connection end.
Addressed
10.1.9
PAN-189718
Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.
Addressed
10.1.9
PAN-189518
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
Addressed
10.1.9
PAN-189379
Fixed an issue where FQDN based Security policy rules did not match correctly.
Addressed
10.1.9
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
Addressed
10.1.9
PAN-189300
Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log Failed to sync vm-auth-key when a VM authentication key was generated on the active appliance.
Addressed
10.1.9
PAN-189298
Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.
Addressed
10.1.9
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
Addressed
10.1.9
PAN-189027
Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect. This is observed across all platforms.
Addressed
10.1.9
PAN-188933
Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.
Addressed
10.1.9
PAN-188912
Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.
Addressed
10.1.9
PAN-188602
Fixed an issue where the all_task process stopped responding, which caused IPSec tunnels to peers to go down.
Addressed
10.1.9
PAN-188519
(VM-Series firewalls only) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.
Addressed
10.1.9
PAN-188506
Fixed an issue where the ctd_dns_malicious_fwd counter incremented incorrectly.
Addressed
10.1.9
PAN-188348
Fixed an issue where Encapsulating Security Payload (ESP) packets originating from the firewall were dropped when strict IP address check was enabled in a Zone Protection profile.
Addressed
10.1.9
PAN-188291
Fixed an issue where, when using Global Find on the web interface to search for a given Hostname Configuration (Device > Setup > Management), clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective Template field automatically.
Addressed
10.1.9
PAN-188036
Fixed an issue where SIP TCP sequence numbers were calculated incorrectly when SIP cleartext proxy was disabled.
Addressed
10.1.9
PAN-188035
(Firewalls and Panorama appliances in FIPS mode only) Fixed an issue where, even when region lists were disabled, the following error message was displayed: Unable to retrieve region list either region list has not been set or data format is wrong.
Addressed
10.1.9
PAN-187985
Fixed an issue where you were unable to configure a QoS Profile as percentage for Clear Text Traffic.
Addressed
10.1.9
PAN-187761
Fixed an issue where, during HA failover, the now passive firewall continued to pass traffic after the active firewall had already taken over.
Addressed
10.1.9
PAN-187720
Fixed an issue where the firewall did not show master key validity information after the master key was updated and the firewall was restarted.
Addressed
10.1.9
PAN-187476
Fixed an issue where, when HIP redistribution was enabled, Panorama did not display part of the HIP information.
Addressed
10.1.9
PAN-187342
Fixed an issue where the Schedules button (Device Deployment > Dynamic updates) was grayed out for custom role-based admins.
Addressed
10.1.9
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
Addressed
10.1.9
PAN-187096
Fixed an issue where you were unable to sort through Addresses (Device Group > Objects).
Addressed
10.1.9
PAN-186487
Fixed an issue with snmpd.log overflow caused by continuous hourly repeating errors.
Addressed
10.1.9
PAN-186471
Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.
Addressed
10.1.9
PAN-186447
Fixed an issue where Health (Panorama > Managed Devices) did not display environmental tabs, and fan and power supply status was not visible.
Addressed
10.1.9
PAN-186433
Fixed an intermittent issue where decryption failed for clients sending TLSv1.3 Client Hello and CCS in two separate packets instead of one.
Addressed
10.1.9
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.1.9
PAN-185928
Fixed an issue where external dynamic list auto refresh did not work when destination service route was enabled.
Addressed
10.1.9
PAN-185844
Fixed an issue where Decryption Log entries were associated with the wrong Security policy rule.
Addressed
10.1.9
PAN-185611
(PA-850 firewalls only) Fixed an issue where the maximum number of aggregate interfaces was incorrectly set as 8 instead of 6.
Addressed
10.1.9
PAN-185591
Fixed an issue where, in multi-vsys systems, some policy rules could not be edited because the Target field was unclickable.
Addressed
10.1.9
PAN-185466
Fixed an issue where WildFire submission did not work as expected.
Addressed
10.1.9
PAN-185394
(PA-7000 Series firewalls only) Fixed an issue where not all changes to the template were reflected on the firewall.
Addressed
10.1.9
PAN-185390
Fixed an issue where the Block IP list option was incorrectly displayed on firewalls where it was not applicable.
Addressed
10.1.9
PAN-185283
Fixed an issue on Panorama where using the name-of-threatid contains log4j filter did not produce the expected results.
Addressed
10.1.9
PAN-185276
Fixed an issue where a debug command displayed different idmgr digest results.
Addressed
10.1.9
PAN-185249
Fixed an issue where Template Stack overrides (Dynamic Updates > Apps & Threats > Schedule) could not be reverted via the web interface.
Addressed
10.1.9
PAN-185234
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where, when accelerated networking was enabled, the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.
Addressed
10.1.9
PAN-185200
Fixed an issue where the User-ID manager assigned an ID to an object with a DELETE command.
Addressed
10.1.9
PAN-185135
(VM-Series firewalls on Kernel-based Virtual Machine (KVM) only) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.
Addressed
10.1.9
PAN-184766
(PA-5450 firewalls only) Fixed an issue where the control packets for BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not assigned a QoS value of 5.
Addressed
10.1.9
PAN-184744
Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.
Addressed
10.1.9
PAN-184537
Fixed an issue where GlobalProtect prompted users to re-enter passwords that contained non-ASCII characters (such as ö) when refreshing the connection.
Addressed
10.1.9
PAN-184408
Fixed an issue where commits pushed from Panorama to the firewall failed due to the application status for an application being incorrectly considered an invalid reference.
Addressed
10.1.9
PAN-184181
Fixed an ESP encapsulation issue where, when IPv6 address proxy IDs were configured, encapsulation was handled incorrectly with a different proxy ID SPI in the same tunnel when the source IP address of the proxy was overlapped by the destination IP address.
Addressed
10.1.9
PAN-183981
Fixed an issue on the firewall where, when the GlobalProtect portal was not configured, the GlobalProtect landing page was still loaded with the message GlobalProtect portal does not exist. This issue occurred when using the exact GlobalProtect portal link: https://x.x.x.x/global-protect/login.esp
Addressed
10.1.9
PAN-183632
Fixed an issue where the firewall was unable to match HIP objects with code versions over 4 digits long.
Addressed
10.1.9
PAN-183629
Fixed an issue where Clientless-vpn max-users displayed the limit as 20 instead of 200.
Addressed
10.1.9
PAN-183524
Fixed an issue where GPRS tunneling protocol (GTPv2-C and GTP-U) traffic was identified as insufficient-data in the traffic logs.
Addressed
10.1.9
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP header checksum was not dropped.
Addressed
10.1.9
PAN-183319
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR signing requests every 10 minutes.
Addressed
10.1.9
PAN-183287
Fixed an issue where firewall commits failed due to the commit-recovery connection check ending prematurely.
Addressed
10.1.9
PAN-183154
Fixed an issue where DNS exception failed when DNS queries contained a capital letter.
Addressed
10.1.9
PAN-183126
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
Addressed
10.1.9
PAN-182876
Fixed an issue where GlobalProtect connections failed via XML when special characters (<), (&), and (>) were present in the GlobalProtect portal configuration passcode.
Addressed
10.1.9
PAN-182845
Fixed an issue that caused devices to be removed from Panorama when one device was added by one user, but a Commit and Push operation was completed by a second user before the first user completed a Commit of the added device change.
Addressed
10.1.9
PAN-182486
Fixed an issue on the web interface where the same IP address was displayed for sub interfaces in a multi-vsys firewall.
Addressed
10.1.9
PAN-182449
Fixed an issue where Apple iPad users were unable to authenticate to the GlobalProtect portal using any browser, which resulted in Clientless VPN access issues.
Addressed
10.1.9
PAN-182244
Fixed an issue where Session Initiation Protocol (SIP) REGISTER packets did not get transmitted when application-level gateway (ALG) and SIP Proxy were enabled, which caused a SIP-registration issue in environments where TCP retransmission occurred.
Addressed
10.1.9
PAN-182167
Removed a duplicate Save Filter icon in the Audit Comment Archive for Security Rule Audit Comments tab.
Addressed
10.1.9
PAN-181968
(PA-400 Series firewalls in active/passive HA configurations only) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.
Addressed
10.1.9
PAN-181684
Fixed an issue where a cluster definition for OpenShift could not be added if a custom certificate was used for an API endpoint.
Addressed
10.1.9
PAN-181376
Fixed an issue where the show session id CLI command displayed a negative packet count.
Addressed
10.1.9
PAN-181366
Fixed an issue where the firewall sent an incorrect IP address on ICMP sessions in NetFlow packets when NAT was applied to the target traffic.
Addressed
10.1.9
PAN-181334
Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.
Addressed
10.1.9
PAN-181324
Fixed a memory issue related to the lpmgrd process that caused the firewall to enter a non-functional state.
Addressed
10.1.9
PAN-181129
Improved protection against unexpected packets and error handling for traffic identified as SIP.
Addressed
10.1.9
PAN-181034
Fixed an issue where, after changing the Decryption mirroring setting to Forwarded only in the decryption profile, Panorama did not save the setting.
Addressed
10.1.9
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh.
Addressed
10.1.9
PAN-180690
Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding Detection (BFD) packets when IP Spoofing was enabled in a Zone Protection Profile.
Addressed
10.1.9
PAN-180147
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.1.9
PAN-180030
Fixed an issue where hyperlinks to threatvault for threat logs with DNS Security categories resulted in the following error message: No data is found based on your search, please search for something else.
Addressed
10.1.9
PAN-179952
Fixed an issue on Panorama where not all categories were displayed under Log settings.
Addressed
10.1.9
PAN-179826
Fixed an issue where the firewall incorrectly displayed the license error IoT Security license is required for feature to function even when the IoT Security, Does not Require Data Lake license was installed.
Addressed
10.1.9
PAN-179636
Fixed an issue where Authentication Server logs for various connections (including LDAP and Radius Server) were not displayed in the syslog when connections were up.
Addressed
10.1.9
PAN-179624
Fixed an issue where setting the password complexity to Require Password Change on First Login caused the user to be prompted with certificate authentication.
Addressed
10.1.9
PAN-179506
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where Panorama was unable to push software updates to the firewall.
Addressed
10.1.9
PAN-179467
Fixed an issue where Selective Audit (Device > Log settings) options were visible to a group of admin users if the firewall was not in FIPS-CC mode.
Addressed
10.1.9
PAN-179395
Fixed an issue where the firewall still populated the domain map even after clearing the domain map via the CLI after removing the group-mapping setting configuration.
Addressed
10.1.9
PAN-179258
Fixed an issue where system disk migration failed.
Addressed
10.1.9
PAN-179212
Fixed an issue where extraneous characters displayed at the end of a CSV report.
Addressed
10.1.9
PAN-179152
Fixed an issue where partial commit failures did not display an error message.
Addressed
10.1.9
PAN-178961
Fixed an issue where a process (authd) stopped responding due to incorrect context handling.
Addressed
10.1.9
PAN-178959
Fixed an issue where configuring BGP to Aggregate with Suppress Filters using From Peers did not work as expected.
Addressed
10.1.9
PAN-178951
Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.
Addressed
10.1.9
PAN-178802
Increased the default virtual memory limit for the mgmtsrvr process from 3.2GB to 16GB.
Addressed
10.1.9
PAN-178800
Fixed an issue where the reportd process stopped responding when URL Filtering Inline ML phishing logs were queried.
Addressed
10.1.9
PAN-178728
Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.
Addressed
10.1.9
PAN-178594
Fixed an issue where the descriptions of options under the set syslogng ssl-conn-validation CLI command were not accurate.
Addressed
10.1.9
PAN-178407
Fixed a permissions issue where, when attempting to troubleshoot syslog over TCP via the CLI, the following error message was displayed: Error: "/var/log/pan/syslog-ng.log: Permission denied.
Addressed
10.1.9
PAN-178363
Fixed an issue where a process (mgmtsrvr) wasn't restarted after the virtual memory limit was exceeded.
Addressed
10.1.9
PAN-178354
Fixed an issue where the error message You do not have permission to reboot device was incorrectly displayed to a TACACS user when attempting to install PAN-OS.
Addressed
10.1.9
PAN-178349
Fixed an issue where log forwarding did not work when the filter size was more than 1,024 characters in the log forwarding profile.
Addressed
10.1.9
PAN-178248
Fixed an issue where, when exporting the Applications list in PDF or CSV format, the report displayed all tag values as undefined.
Addressed
10.1.9
PAN-178186
Fixed a commit issue where, when replacing an old firewall with a new firewall using the serial number, the change to the serial number was not reflected in the Security policy rule.
Addressed
10.1.9
PAN-177942
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
Addressed
10.1.9
PAN-177939
Fixed an issue where a certificate without a private key was able to be added to an SSL/TLS Service Profile, which caused the l3svc process to stop responding.
Addressed
10.1.9
PAN-177908
Fixed an issue where you were unable to configure region for source or destination IP addresses in a Security policy rule.
Addressed
10.1.9
PAN-177891
Fixed an issue where group-mapping information was not automatically refreshed at the refresh interval when LDAP proxy was configured.
Addressed
10.1.9
PAN-177853
Fixed an issue where the logd process on Panorama and the logrcvr process on the firewall stopped responding when a log forwarding profile had a filter that included the fields sender and subject.
Addressed
10.1.9
PAN-177562
Fixed an issue where PDF reports were not translated to the configured local language.
Addressed
10.1.9
PAN-177201
Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.
Addressed
10.1.9
PAN-177133
(Firewalls in HA configurations only) Fixed an issue where the HA1 heartbeat backup flapped with the following error message: Unable to send icmp packet:(errno: 105) No buffer space available.
Addressed
10.1.9
PAN-176989
Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.
Addressed
10.1.9
PAN-176471
Fixed an issue where adding applications without a description using XML API deleted the whole Panorama application list.
Addressed
10.1.9
PAN-176461
Fixed an issue where a process (mdb) stopped responding after downgrading from a PAN-OS 9.1 release to an earlier release due to discrepancies in the mongodb process version.
Note: To utilize this fix, first install a PAN-OS 9.0 release from the web interface, and then, prior to reboot, run the following CLI command: debug mongo clear instance mdb.
Addressed
10.1.9
PAN-176379
Fixed an issue where, when multiple virtual routers were configured under a Panorama template, you were only able to select the virtual router itself as the next hop.
Addressed
10.1.9
PAN-175709
Fixed an issue where the dnsproxy process stopped responding when a DNS signature lookup request was received before the process was fully initialized.
Addressed
10.1.9
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
Addressed
10.1.9
PAN-175121
Fixed a rare issue where two nodes starting IKE_SA negotiations at the same time resulted in duplicate IKE SAs.
Addressed
10.1.9
PAN-175069
Fixed an issue where commits failed when the IPv6 link-local address was configured for BGP peering as local and peer address.
Addressed
10.1.9
PAN-175061
Fixed an issue where filtering threat logs using any value under THREAT ID/NAME displayed the error Invalid term.
Addressed
10.1.9
PAN-174988
(PA-220 Series firewalls only) Fixed an issue where the runtime-state parameter was missing in the CLI command request high-availability sync-to-remote.
Addressed
10.1.9
PAN-174953
Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.
Addressed
10.1.9
PAN-174821
(PA-3220 firewalls only) Fixed an issue where auto-negotiation was not disabled with force mode set to ON in the interface settings.
Addressed
10.1.9
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
Addressed
10.1.9
PAN-174702
Fixed an issue where Panorama pushed share-unused tagged objects to the firewall, which caused the device address object limit to be exceeded.
Addressed
10.1.9
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.1.9
PAN-174592
Fixed an issue where the firewall did not check reserved fields in GTPv1 and GTPv2 headers as expected from the latest 3GPP Specifications.
Addressed
10.1.9
PAN-174525
Fixed an issue where the sslvpn process restarted repeatedly.
Addressed
10.1.9
PAN-174480
Fixed an issue where scheduled email reports were blocked by open-source content filters due to a violation of RFC 2046.
Addressed
10.1.9
PAN-174462
Fixed an issue where the configd process stopped responding when creating Application filters with tags and adding the filter to a Security policy rule.
Addressed
10.1.9
PAN-174102
Fixed an issue where, when the MLAV feature found malicious content, no action was applied even though it had increased the execution counters, displayed the score and verdict in the log, and showed no allow list hits.
Addressed
10.1.9
PAN-174064
Fixed an issue where downloading a GlobalProtect data file did not work and displayed a no global protect license error even when a valid license was present.
Addressed
10.1.9
PAN-174027
Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message: Error: Duplicate address name.
Addressed
10.1.9
PAN-173813
A debug command was added to disable automatic implicit tail matching, which was the default.
Addressed
10.1.9
PAN-173810
Fixed an issue where the debug user-id dump ts-agent user-ids CLI command caused the useridd process to stop responding.
Addressed
10.1.9
PAN-173437
Fixed an issue where the firewall did not detect that the management port was down the first time after booting up the system.
Addressed
10.1.9
PAN-173207
Fixed an issue where RADIUS authentication timed out when logging in due to the firewall sending authentication requests using a static IP address instead of a DHCP-assigned IP address.
Addressed
10.1.9
PAN-173080
Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.
Addressed
10.1.9
PAN-173031
Fixed an issue where users were prompted twice for DUO SAML Authentication when authentication override cookies were enabled.
Addressed
10.1.9
PAN-172823
Fixed an issue where MD5 checksums were updated before the new customer EDLs were pushed to the dataplane.
Addressed
10.1.9
PAN-172780
Fixed an issue where user domain override was not reset when deleted from group mapping.
Addressed
10.1.9
PAN-172753
(PA-7000 Series firewalls only) Fixed an issue where link-local internal packet handling between the management plane and the dataplane caused a Network Processing Card (NPC) slot to go down.
Addressed
10.1.9
PAN-172452
Fixed an issue where the log file did not include all logs.
Addressed
10.1.9
PAN-172357
(VM-Series firewalls in Oracle Cloud Infrastructure Government Cloud only) Fixed an issue with firewalls in HA configurations where HA failover did not occur when firewalls were in FIPS mode.
Addressed
10.1.9
PAN-172324
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
Addressed
10.1.9
PAN-172308
Fixed an issue where generating packet captures did not work when the data filtering profile was configured to block HTML files via a POST request.
Addressed
10.1.9
PAN-172100
Fixed an issue with URL filtering where, after upgrading to a PAN-OS 9.1 release, the Continue button on a URL did not work and caused the website to be inaccessible, even though the predefined category of the URL was configured to continue traffic. This occurred when URL traffic hit a rule where the custom category was set to None.
Addressed
10.1.9
PAN-171927
Fixed an issue where incorrect results were displayed when filtering logs in the Monitor tab.
Addressed
10.1.9
PAN-171569
Fixed an issue where HIP matches were not recognized in an SSL decryption policy rule.
Addressed
10.1.9
PAN-171337
Fixed an issue where connection per second (CPS) rates collected via SNMP were not correct.
Addressed
10.1.9
PAN-171300
Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which caused the user to change their password when logging in to a firewall.
Addressed
10.1.9
PAN-171066
Fixed an issue with GlobalProtect where cookie-based authentication for an Internal Gateway failed with the following error messages: Invalid authentication cookie and Invalid User Name.
Addressed
10.1.9
PAN-170989
Fixed an issue with memory usage consumption related to the useridd process.
Addressed
10.1.9
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (Commit on the firewall or Commit All Changes on Panorama) or an implicit commit such as an Antivirus update, Dynamic Update, or WildFire update.
Note: This issue persists for a network-related configuration and commit.
Addressed
10.1.9
PAN-170798
Fixed an issue where OSPF flaps occurred when a Layer 3 interface IPv4 was changed from DHCP Client to Static.
Addressed
10.1.9
PAN-170531
Fixed an issue where the web interface icons for service objects and service group objects were identical when used in a NAT policy rule.
Addressed
10.1.9
PAN-169899
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
Addressed
10.1.9
PAN-169674
(Firewalls with Cavium Octeon processors only) Fixed an issue where the all_pktproc process stopped responding when reassembling TCP packets.
Addressed
10.1.9
PAN-169521
Fixed an issue where QoS tagging unexpectedly behaved differently at different stages of packet processing.
Addressed
10.1.9
PAN-169456
Fixed an issue where, after renaming an authentication profile, system logs still showed the old profile name.
Addressed
10.1.9
PAN-169308
Fixed a commit issue when comparing numbers of rules where the bucket size of the application dependency hash table was too small.
Addressed
10.1.9
PAN-169122
Fixed an issue where medium priority correlation events were not generated when the irc-base repeat count value was greater than 10.
Addressed
10.1.9
PAN-168514
Fixed an issue where authentication failed when the destination service route was used to reach the authentication server.
Addressed
10.1.9
PAN-168480
Fixed an issue where the firewall did not switch to STP for multicast groups when IGMP receivers were stopped and restarted for the same set of groups within a short time period.
Addressed
10.1.9
PAN-167918
Fixed an issue where the GlobalProtect pre-logon VPN failed to establish or match pre-logon policies due to the domain name being prepended to the pre-logon user.
Addressed
10.1.9
PAN-167850
Fixed an issue with firewalls in active/active HA configurations where IPSec packets were not forwarded to the HA peer owner of the tunnel, which caused packets to be dropped.
Addressed
10.1.9
PAN-167805
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match a predict session, which resulted in child sessions failing.
Addressed
10.1.9
PAN-167087
Fixed an issue where the focus was not set on the free text field when requesting a token code on the Authentication Portal.
Addressed
10.1.9
PAN-166686
Fixed an issue where EDNS responses were dropped when the original request was DNS.
Addressed
10.1.9
PAN-165951
(PA-3020 firewalls only) Fixed an issue on the firewall where disk space was not cleared when multiple image files were present.
Addressed
10.1.9
PAN-163713
Fixed an issue where the alternate name was not getting copied to user-
Fixed an issue where user-attributes for users in custom groups were incorrect, which caused username formats to not match the user.
Addressed
10.1.9
PAN-163043
Fixed an issue where, when exporting logs via the CLI, only 65,535 rows were exported even when 1,000,000 rows were configured.
Addressed
10.1.9
PAN-162088
(Panorama appliances in HA configurations only) Fixed an issue where content updates (Panorama > Dynamic Updates) manually uploaded to the active HA peer were not synchronized to the passive HA peer when you installed a content update and enabled Sync to HA peer.
Addressed
10.1.9
PAN-160419
Fixed an issue where the following error message displayed in the system log after restarting the firewall: dns-signature initialization from file storage failed, start with empty cache.
Addressed
10.1.9
PAN-157710
Fixed an issue where admin users with custom roles were unable to create VLANs.
Addressed
10.1.9
PAN-157199
(PA-220 firewalls only) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.
Addressed
10.1.9
PAN-156700
Fixed an issue where DNS Security logs did not display threat names or IDs when the domain name contained an uppercase letter.
Addressed
10.1.9
PAN-155902
Fixed an issue where the auto MTU value was incorrect, which caused unexpected latency issues for GlobalProtect users.
Addressed
10.1.9
PAN-155467
(VM-Series firewalls only) Fixed an issue where IPSec decap dropped packets when NAT was configured locally on the firewall.
Addressed
10.1.9
PAN-154892
Fixed an issue on the firewall where Real Time Streaming Protocol (RTSP) flows that were subjected to Dynamic IP and Port (DIPP) NAT were not supported by the Application Layer Gateway (ALG).
Addressed
10.1.9
PAN-153308
Fixed an issue which caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
Addressed
10.1.9
PAN-151273
Fixed an issue where the commit event was not recorded in the config logs during a Commit and Push on the Panorama management server.
Addressed
10.1.9
PAN-123446
Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.
Addressed
10.1.9
PAN-78762
Fixed an issue where you were unable to reset a VPN tunnel via the firewall web interface (Network > IPSec Tunnels > Tunnel Info > Restart).
Known
10.1.10
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.10
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.10
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.10
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.10
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.10
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.10
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.10
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.10
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.10
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum limit of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.10
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.10
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.10
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command: debug software restart process web-server.
Known
10.1.10
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.10
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.10
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.10
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch:
admin> debug elasticsearch es-restart all
Known
10.1.10
PAN-221126
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) used to forward logs as email notifications do not forward the logs in a readable format.
Workaround:
Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
10.1.10
PAN-221015
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes:
admin> debug elasticsearch es-restart optional all
Known
10.1.10
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.10
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.10
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.10
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.10
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
10.1.10
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.10
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.10
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues.
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.10
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.10
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
10.1.10
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.10
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.10
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.10
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.10
PAN-194202
(
PA-5450 firewall only
) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.10
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.10
PAN-193004
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues.
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity, which impacts Panorama performance.
Known
10.1.10
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.10
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.10
PAN-179888
On the Panorama management server, the managed firewall Power Supplies field (Panorama > Managed Devices > Health) displays an incorrect count of power supplies.
Known
10.1.10
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router are deleted, the configuration change does not sync.
Known
10.1.10
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses: license request fetch.
Known
10.1.10
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.10
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.10
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.10
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.10
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.10
PAN-171706
This issue is now resolved. See
PAN-OS 10.1.11 Addressed Issues
.
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.10
PAN-171673
On the Panorama management server, the
ACC
returns inaccurate results when you filter for
New App-ID
in the
Application
usage widget.
Known
10.1.10
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if the configuration is disabled and the firewall is rebooted. The stale mappings may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the
debug user-id clear domain-map
command to remove the existing group mappings from the firewall.
Known
10.1.10
PAN-171224
On the Panorama management server, a custom report (
Monitor
Managed Custom Reports
) with a high volume of unique data objects is not generated when you click
Run Now
.
Known
10.1.10
PAN-171145
If you edit or remove the value for the
mail
attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.10
PAN-170923
In
Policies
Security
Policy Optimizer
New App Viewer
, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.10
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.10
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.10
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with an explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.10
PAN-168113
On the Panorama management server, you are unable to configure a master key (
Device
Master Key and Diagnostics
) for a managed firewall if an interface (
Network
Interfaces
Ethernet
) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.10
PAN-167847
If you issue the command
opof stats
and then clear the results (
opof stats -c
), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the
opof stats
command after the offload completes.
Known
10.1.10
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.10
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the
user in
value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.10
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.10
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.10
PAN-164841
A Panorama virtual appliance that is successfully deployed on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) using the PAN-OS 10.1.0-b6 release image is inaccessible after deployment.
Known
10.1.10
PAN-164647
On the Panorama management server, activating a license (
Panorama
Device Deployment
Licenses
) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.10
PAN-164618
The VM-Series firewall CLI and system logs display the license name
VM-SERIES-X
, while the user interface displays
VM-FLEX-X
(in both cases
X
is the number of vCPUs). In future releases the user interface will use the
VM-SERIES-X
format.
Known
10.1.10
PAN-164586
If you use a value other than
mail
for the user or group email attribute in the Cloud Identity Engine, it displays in
user@domain
format in the CLI output.
Known
10.1.10
PAN-163966
On the Panorama management server, the
ACC
and on demand reports (
Monitor
Manage Custom Reports
) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.10
PAN-162836
On the VM-Series firewall, if you select
Device
Licenses
Deactivate VM
a popup window opens and you can choose
Subscriptions
or
Support
and press
Continue
to remove licenses and register the changes with the license server. When the license removal is complete the
Deactivate VM
window does not update its text to exclude deactivated licenses or close the window.
Workaround:
Wait until the license deactivation is complete, and click
Cancel
to close the window.
Known
10.1.10
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the
No. of Groups
in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.10
PAN-161451
If you issue the command
opof stats
, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.10
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an application override for the VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS 9.0 and later releases can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.10
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.10
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (
Device
Setup
DLP
) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the
    Tasks
    to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and
    Commit
    Commit and Push
    to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.10
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command
debug dataplane pow status
to view the number of channels being utilized by the dataplane. In the following output only one pan-task column has a non-zero ready_dvf count, so the dataplane is using a single channel:
Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command
debug dataplane pow status
again. It should now show multiple channels being utilized:
Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      1  1  0  0  0  0  2
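The check in this workaround (are packets being handled by more than one pan-task?) is easy to get wrong by eye on a busy firewall, so here is an added example, not part of the release notes or of any Palo Alto Networks tool, that parses the per-pan-task table from debug dataplane pow status and reports which channels are active. It assumes the table layout shown in the workaround (a "Counter Name" header row listing pan-task numbers and a Total column, a dashed separator, then one row per counter); the two sample outputs embedded below are constructed from that text.

```python
"""Parse `debug dataplane pow status` output and count the pan-tasks that are
actually handling NetX traffic.

Added example, not code from the PAN-OS release notes or from Palo Alto
Networks. It assumes the per-pan-task table layout shown in the workaround:
a 'Counter Name' header row of pan-task numbers followed by a Total column,
a dashed separator, then one row per counter. The sample outputs below are
constructed from the two tables in the workaround text.
"""

# Constructed sample: output before the NSX-V policy is reapplied (one channel).
SINGLE_CHANNEL = """\
Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      2  0  0  0  0  0  2
"""

# Constructed sample: output after the fix (two channels busy).
MULTI_CHANNEL = """\
Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      1  1  0  0  0  0  2
"""


def parse_pow_status(text):
    """Return {counter_name: {pan_task_number: value}} for the per-pan-task table.

    The Total column is checked against the sum of the per-task values and then
    dropped, so a truncated or misparsed row is rejected instead of silently
    under-counting channels.
    """
    header = None
    counters = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cols = line.split()
        if cols[:2] == ["Counter", "Name"]:
            # Remaining columns: pan-task numbers, then the literal "Total".
            if cols[-1] != "Total":
                raise ValueError("header missing Total column: %r" % line)
            header = [int(c) for c in cols[2:-1]]
            continue
        if header is None or set(line) <= {"-"}:
            continue  # title line before the header, or the dashed separator
        name, values = cols[0], [int(v) for v in cols[1:]]
        if len(values) != len(header) + 1:
            raise ValueError("column count mismatch on row %r" % line)
        per_task = dict(zip(header, values[:-1]))
        if sum(per_task.values()) != values[-1]:
            raise ValueError("Total does not match per-task sum on %r" % line)
        counters[name] = per_task
    if header is None:
        raise ValueError("no 'Counter Name' header found")
    return counters


def active_channels(text, counter="ready_dvf"):
    """Pan-task numbers whose counter is non-zero, i.e. channels in use."""
    per_task = parse_pow_status(text)[counter]
    return sorted(task for task, n in per_task.items() if n > 0)


def multichannel_ok(text):
    """True when more than one pan-task has handled NetX packets."""
    return len(active_channels(text)) > 1


if __name__ == "__main__":
    for label, sample in (("before", SINGLE_CHANNEL), ("after", MULTI_CHANNEL)):
        state = "multi-channel" if multichannel_ok(sample) else "single channel"
        print(label, active_channels(sample), state)
```

Paste the real CLI output into parse_pow_status (or pipe it in from an SSH session); a ValueError means the output was cut off or the table shape differs from the one assumed here, which is safer than reporting a false "single channel" result.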
Known
10.1.10
PAN-156598
(
Panorama only
) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.10
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (
Commit
Commit to Panorama
) failures if a custom report (
Monitor
Manage Custom Reports
) is configured to Group By
Session ID
.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.10
PAN-154034
On the Panorama management server, the Type column in the System logs (
Monitor
Logs
System
) for managed firewalls running a PAN-OS 9.1 release erroneously display
iot
as the type.
Known
10.1.10
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround:
After successful downgrade to PAN-OS 9.1,
Remove Config
(
Panorama
Plugins
) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.10
PAN-153803
On the Panorama management server, scheduled email PDF reports (
Monitor
PDF Reports
) fail if a GIF image is used in the header or footer.
Known
10.1.10
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as
Done
even though the report jobs that are generated from logs in the Cortex Data Lake (CDL) by the PODamericas Collector Group are still in a
Running
state.
Known
10.1.10
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.10
PAN-151238
M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1 (refer to the hardware end-of-life dates).
Known
10.1.10
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.10
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.10
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.10
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.10
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.10
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an
Invalid term
error.
Workaround:
Specify
iot
as the
Type Attribute
to filter the logs and use the search term as the
Description Attribute
. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
.
Known
10.1.10
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.10
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the
VLD
and
logd
processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the
VLD
and
logd
processes.
Known
10.1.10
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.10
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (
Panorama
SD-WAN
Devices
) does not display the branch template stack as
out of sync
.
Additionally, adding, deleting, or modifying the BGP configuration (
Panorama
SD-WAN
Devices
) does not display the hub and branch template stacks as
out of sync
. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as
out of sync
, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as
out of sync
.
Workaround:
After performing a configuration change,
Commit and Push
the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.10
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit
the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.10
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (
Panorama
Managed Devices
Summary
) as
Out of Sync
.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and
Force Template Values
(
Commit
Push to Devices
Edit Selections
).
Known
10.1.10
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.10
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.10
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.10
PAN-140008
ElasticSearch is forced to restart when the
masterd
process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.10
PAN-136763
On the Panorama management server, managed firewalls display as
disconnected
when installing a PAN-OS software update (
Panorama
Device Deployment
Software
) but display as
connected
when you view your managed firewalls Summary (
Panorama
Managed Devices
Summary
) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.10
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.10
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.10
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (
Objects
Address Groups
) and duplicate services in service groups (
Objects
Service Groups
) when created from the CLI.
Known
10.1.10
PAN-130550
(
PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls
) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.10
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.10
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.10
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.10
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.10
PAN-120440
On M-500 Panorama management servers, an Ethernet interface with an IPv6 address that provides Private PAN-DB-URL connectivity only supports an IPv6 address written in the following format:
2001:DB9:85A3:0:0:8A2E:370:2
.
Known
10.1.10
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.10
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the
      PAN-DB Server
      IP address (
      Device
      Setup
      Content ID
      URL Filtering
      settings).
    2. Commit
      your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit
      your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.10
PAN-116017
(
Google Cloud Platform (GCP) only
) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.10
PAN-115816
(
Microsoft Azure only
) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.10
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.10
PAN-112694
(
Firewalls with multiple virtual systems only
) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a
New
Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.10
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.10
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
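The workaround points at the XML API without showing the request. The following is an added example, not code from the release notes or from Palo Alto Networks, that builds the User-ID uid-message used to unregister tags from a subnet or range and optionally posts it to the type=user-id API endpoint. The message format (version 2.0, an unregister payload with one entry per address carrying tag members) and the API call are the documented Dynamic Address Group interface; the firewall hostname, API key, addresses and tag names used in the sample are constructed placeholders, and the HTTP send assumes the requests package is installed.

```python
"""Build (and optionally send) the PAN-OS User-ID XML API message that
unregisters tags from a subnet or address range.

Added example, not code from the PAN-OS release notes or from Palo Alto
Networks. The uid-message layout (version 2.0, <unregister> payload, one
<entry ip="..."> per address with <tag><member> children) and the
type=user-id API call are the documented PAN-OS Dynamic Address Group
interface; the hostname, API key, addresses and tag names below are
constructed placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET


def _validate_ip_entry(value):
    """Accept a host, a CIDR subnet or a from-to range and return it normalized.

    Validating locally means a typo is caught before an <unregister> that
    silently matches nothing is sent to the firewall.
    """
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("invalid range: %s" % value)
        return "%s-%s" % (lo, hi)
    # strict=False also normalizes a bare host ("10.1.1.1" -> 10.1.1.1/32)
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_uid_message(action, entries):
    """Return the uid-message XML as a string.

    action  -- "register" or "unregister"
    entries -- {ip_or_subnet_or_range: [tag, ...]}
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be register or unregister")
    if not entries:
        raise ValueError("no entries supplied")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    block = ET.SubElement(payload, action)
    for ip_value, tags in entries.items():
        if not tags:
            raise ValueError("no tags for %s" % ip_value)
        entry = ET.SubElement(block, "entry", ip=_validate_ip_entry(ip_value))
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_unregistered(xml_text):
    """Inverse helper for checking a message: {ip: [tags]} under <unregister>."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): [m.text for m in e.findall("tag/member")]
            for e in root.findall("payload/unregister/entry")}


def send_uid_message(host, api_key, xml_text, verify=True):
    """POST the message to https://<host>/api/?type=user-id (not run offline).

    The firewall answers <response status="success">; a malformed entry
    comes back as status="error" with a <msg>. Assumes 'requests' is installed.
    """
    import requests  # imported here so the builder works without it
    resp = requests.post("https://%s/api/" % host,
                         params={"type": "user-id", "key": api_key},
                         files={"file": ("uid.xml", xml_text)},
                         verify=verify, timeout=30)
    resp.raise_for_status()
    status = ET.fromstring(resp.text).get("status")
    if status != "success":
        raise RuntimeError("API returned %s: %s" % (status, resp.text))
    return status


if __name__ == "__main__":
    # Constructed sample: drop the quarantine tag from a subnet and a range.
    msg = build_uid_message("unregister", {
        "10.20.30.0/24": ["quarantine"],
        "192.0.2.10-192.0.2.20": ["quarantine", "lab-hosts"],
    })
    print(msg)
    # send_uid_message("firewall.example.com", "<api-key>", msg)
```

After the call succeeds, confirm the mapping is gone with show object registered-ip all on the firewall CLI; keep the API key out of shell history and leave TLS verification on unless you have pinned the firewall's management certificate.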
Known
10.1.10
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration,
Commit
(
Commit
Commit to Panorama
) the reverted configuration to display the invalid configuration errors.
Known
10.1.10
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a
    Commit to Panorama
    operation followed by a
    Push to Devices
    operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.10
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.10
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.10
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.10
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.10
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (
Objects
GlobalProtect
HIP Objects
<hip-object>
General
Managed
), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.10
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.10
PAN-101688
(
Panorama plugins
) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
.
Known
10.1.10
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the
show log <log-type> direction equal <direction> <dst>|<src> in <object-name>
command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system setting target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.10
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.10
PAN-97757
GlobalProtect authentication fails with an
Invalid username/password
error (because the user is not found in
Allow List
) after you enable GlobalProtect authentication cookies and add a RADIUS group to the
Allow List
of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear)
Retrieve user group from RADIUS
in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.10
PAN-97524
(
Panorama management server only
) The Security Zone and Virtual System columns (
Network
tab) display
None
after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.10
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.10
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the
show session info
CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the
set system setting dpdk-pkt-io off
CLI command.
Known
10.1.10
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (
Device
Password Profiles
) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.10
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.10
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.10
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (
Objects
Security Profiles
Vulnerability Protection
<profile>
Exceptions
). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.10
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (
Objects
Security Profiles
SCTP Protection
) and you try to add the profile to an existing Security Profile Group (
Objects
Security Profile Groups
), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.10
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (
Device
Setup
HSM
).
Known
10.1.10
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall
    Context
    on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.10
PAN-91802
On a VM-Series firewall, the
clear session all
CLI command does not clear GTP sessions.
Known
10.1.10
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the
set session udp-offload no
CLI command.
Known
10.1.10
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (
Device
Setup
Services
).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.10
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.10
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (
Device
Server Profiles
Kerberos
).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.10
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.10
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.10
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.10
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.10
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.10
PAN-69505
When viewing an external dynamic list that requires client authentication and you click Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.10
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.10
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.10
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.10
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.10-h5
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.10-h5
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.10-h5
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.10-h5
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.10-h5
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.1.10-h5
PAN-234962
Fixed an issue on Panorama that caused commit operations to be slower than expected.
Addressed
10.1.10-h5
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.10-h2
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
Addressed
10.1.10-h2
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.1.10-h2
PAN-222712
(PA-5450 firewalls only) Fixed a low frequency DPC restart issue.
Addressed
10.1.10-h2
PAN-221984
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.1.10-h2
PAN-219508
(VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.1.10-h2
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor.
Addressed
10.1.10-h2
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message:
comm exited with signal of 10
Addressed
10.1.10-h2
PAN-195439
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.1.10-h2
PAN-184630
Fixed an issue affecting TLS clients, such as those using OpenSSL 3.0, that enforce the TLS renegotiation extension (RFC 5746).
Addressed
10.1.10-h2
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.1.10-h2
PAN-160633
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane restarted repeatedly due to internal path monitoring failures until a power cycle.
Addressed
10.1.10-h1
PAN-223317
Fixed an issue where SSL traffic failed with the error message:
Error: General TLS protocol error
Addressed
10.1.10-h1
PAN-219659
Fixed an issue where the root partition frequently filled up and the following error message was displayed:
Disk usage for / exceeds limit, xx percent in use, cleaning filesystem
Addressed
10.1.10-h1
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.1.10-h1
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.1.10-h1
PAN-218001
(PA-400 Series firewalls only) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.
Addressed
10.1.10-h1
PAN-217681
Fixed an issue caused by out-of-order TCP segments where the FIN flag and TCP data were truncated in a packet, which resulted in retransmission failure.
Addressed
10.1.10-h1
PAN-217477
Fixed an issue where the drop counter was incremented incorrectly. Drop counter calculations did not account for failures to send out logs from logrcvr/logd to syslog-ng.
Addressed
10.1.10-h1
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.1.10-h1
PAN-216984
Fixed an issue where internal path monitoring failed due to the sysdagent not responding.
Addressed
10.1.10-h1
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.10-h1
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate towards the syslog server was reduced. With this fix, the overall log-forwarding rate has also been improved.
Addressed
10.1.10-h1
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.1.10-h1
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.1.10-h1
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.1.10-h1
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.1.10-h1
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
10.1.10-h1
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.1.10-h1
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.1.10-h1
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.1.10-h1
PAN-196116
A new CLI command, debug log-receiver param-tuning syslog-threads, was added to increase the number of processing threads for syslog forwarding up to 16. This addresses an issue where the syslog forwarding queue depth approached its limit and the drop count increased.
Addressed
10.1.10-h1
PAN-186579
Fixed an issue where, after a hardware failure, the system log did not include information about the failure.
Addressed
10.1.10-h1
PAN-181724
Fixed an issue where the Panorama or firewall page remained open after the session expired and you were unable to perform additional actions.
Addressed
10.1.10-h1
PAN-172853
Fixed an issue where Panorama appliances running a PAN-OS 10.0 release did not push the Security policy options no-hip and quarantine to firewalls running PAN-OS 9.1.
Addressed
10.1.10
PAN-217431
(PA-5400 Series firewalls with DPC (Data Processing Cards) only) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.1.10
PAN-217284
Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to Fast.
Addressed
10.1.10
PAN-216996
Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9, multiple User-ID alerts were generated every 10 minutes.
Addressed
10.1.10
PAN-216710
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.
Addressed
10.1.10
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.1.10
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
Addressed
10.1.10
PAN-215503
Fixed a memory-related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
10.1.10
PAN-215125
Fixed an issue where false negatives occurred for some script samples.
Addressed
10.1.10
PAN-215023
(PA-400 Series firewalls only) Fixed an issue where the firewall did not boot up successfully and an amber LED light was shown.
Addressed
10.1.10
PAN-214624
Fixed an issue where the logrcvr process stopped responding.
Addressed
10.1.10
PAN-213463
(PA-5200 Series firewalls only) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.
Addressed
10.1.10
PAN-212848
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message:
Server error : op command for client dagger timed out as client is not available
Addressed
10.1.10
PAN-212530
Fixed an issue on log collectors where the root partition reached 100% utilization.
Addressed
10.1.10
PAN-211997
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Addressed
10.1.10
PAN-211602
Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the detailed log view was not accessible if the browser window was resized.
Addressed
10.1.10
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Addressed
10.1.10
PAN-211422
Fixed an issue where the show session packet-buffer-protection buffer-latency CLI command randomly displayed incorrect values.
Addressed
10.1.10
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.1.10
PAN-211150
Fixed an issue on Panorama where users with custom admin roles were incorrectly unable to view SSH profiles even when it was permitted in the custom role.
Addressed
10.1.10
PAN-210921
(Panorama appliances in Legacy Mode only) Fixed an issue where Blocked Browsing Summary by Website in the user activity report contained scrambled characters.
Addressed
10.1.10
PAN-210919
Fixed an issue where the Data Processing Card remained in a Starting state after a restart.
Addressed
10.1.10
PAN-210738
Fixed an issue where fragmented UDP packets were dropped.
Addressed
10.1.10
PAN-210661
Fixed an issue where firewalls disconnected from Cortex Data Lake due to a missing key file after renewing the device certificate.
Addressed
10.1.10
PAN-210654
Fixed an issue with firewalls in active/passive HA configurations where GlobalProtect users were disconnected after HA failover.
Addressed
10.1.10
PAN-210563
Fixed an issue on Panorama where Security policy rules with a Tag target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.
Addressed
10.1.10
PAN-210397
Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under Deploy Master Key.
Addressed
10.1.10
PAN-210236
Fixed an issue where the Templates list was not displayed under the Location drop-down for commit or configuration locks.
Addressed
10.1.10
PAN-210216
A debug command was added to address an issue with firewalls in high availability configurations.
Addressed
10.1.10
PAN-210158
(CN-Series firewalls only) Fixed an issue where the dataplane stopped responding after a container restart.
Addressed
10.1.10
PAN-210000
Fixed an issue where, when traffic and threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.
Addressed
10.1.10
PAN-209872
Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.
Addressed
10.1.10
PAN-209696
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Addressed
10.1.10
PAN-209683
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Addressed
10.1.10
PAN-209617
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Addressed
10.1.10
PAN-209501
Fixed an issue where the GlobalProtect logdb quota was not displayed in the show system logdb quota output.
Addressed
10.1.10
PAN-209491
Fixed an issue on the web interface where the Session Expire Time displayed a past date if the device time was in December.
Addressed
10.1.10
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
Addressed
10.1.10
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
Addressed
10.1.10
PAN-208930
(PA-7000 Series firewalls only) Fixed an issue where autotagging in log forwarding did not work.
Addressed
10.1.10
PAN-208902
Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as aged-out instead of tcp-fin.
Addressed
10.1.10
PAN-208877
Fixed an issue where the all_task process stopped responding when freeing the HTTP/2 stream, which caused the dataplane to go down.
Addressed
10.1.10
PAN-208792
Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as use default for IPv4 addresses and included the dataplane interface as the destination route.
Addressed
10.1.10
PAN-208526
Fixed an issue where API calls did not display tunnel info.
Addressed
10.1.10
PAN-208485
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Addressed
10.1.10
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
Addressed
10.1.10
PAN-208325
(PA-5400 Series, PA-3400 Series, PA-400 Series, and PA-5450 firewalls only) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Addressed
10.1.10
PAN-208316
Fixed an issue where user-group names were unable to be configured as the source user via the test security-policy-match command.
Addressed
10.1.10
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
10.1.10
PAN-208210
Fixed an issue where changes to the syslog server configuration were not applied without first restarting the management server.
Addressed
10.1.10
PAN-208201
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Addressed
10.1.10
PAN-208189
Fixed an issue where traffic failed to match and reach all destinations if a Security policy rule included FQDN objects that resolved to two or more IP addresses.
Addressed
10.1.10
PAN-208187
Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.
Addressed
10.1.10
PAN-208039
(PA-7000 Series firewalls with SMC-B only) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.
Addressed
10.1.10
PAN-207741
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error
invalid http response. return error(Authentication failed; Retry authentication
when the satellite connected to more than one portal.
Addressed
10.1.10
PAN-207663
Fixed a Clientless VPN issue where JSON stringifies caused issues with the application rewrite.
Addressed
10.1.10
PAN-207661
Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed From Template Override: undefined as a source.
Addressed
10.1.10
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Addressed
10.1.10
PAN-207562
Fixed an issue where the shard count displayed by the show log-collector-es-cluster health CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.
Addressed
10.1.10
PAN-207400
Fixed an issue on Octeon-based platforms where fragmented VLAN-tagged packets were dropped on an aggregate interface.
Addressed
10.1.10
PAN-206640
Fixed an issue where the ikemgr process stopped responding, which caused IPSec tunnels to go down.
Addressed
10.1.10
PAN-206396
Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.
Addressed
10.1.10
PAN-206333
Fixed an issue where the Include/Exclude IP filter under Data Distribution did not work correctly.
Addressed
10.1.10
PAN-206268
Fixed an issue where an authentication key field, even though not supported, was enabled under the Device tab on Panorama.
Addressed
10.1.10
PAN-206221
Fixed an issue where scheduled configuration pushes with Include Device and Network Templates selected did not work.
Addressed
10.1.10
PAN-206128
(PA-7000 Series firewalls with NPCs (Network Processing Cards) only) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message:
Power not OK
Addressed
10.1.10
PAN-205995
Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.
Addressed
10.1.10
PAN-205955
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Addressed
10.1.10
PAN-205829
Fixed an issue where logs did not display Host-ID details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Addressed
10.1.10
PAN-205804
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple UploadInstall jobs per minute.
Addressed
10.1.10
PAN-205513
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Addressed
10.1.10
PAN-205451
Fixed an issue where the pan_com process stopped responding due to aggressive commits.
Addressed
10.1.10
PAN-205369
Fixed an issue where connections to Cortex Data Lake were initialized from the firewall even when Cortex Data Lake forwarding was disabled.
Addressed
10.1.10
PAN-205337
Fixed an issue in the Run Now section of custom reports where Threat/Content Name displayed as hypertext, and hovering over the text with the mouse displayed the message undefined.
Addressed
10.1.10
PAN-205086
Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.
Addressed
10.1.10
PAN-204987
Fixed an issue where the firewall changed sequence numbers for reused sessions.
Addressed
10.1.10
PAN-204718
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:
Could not chdir to home directory /opt/pancfg/home/user: Permission denied
Addressed
10.1.10
PAN-204683
Fixed an issue where logs were unable to be generated due to old logs not getting purged and /opt/panlogs reaching over 100% usage.
Addressed
10.1.10
PAN-204420
(WF-500 appliances only) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.
Addressed
10.1.10
PAN-204233
Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.
Addressed
10.1.10
PAN-203663
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Addressed
10.1.10
PAN-203655
Fixed an issue where, after enabling event-specific traps (Device > Setup > Operations > Miscellaneous > SNMP Setup), the new deviating device system logs included incorrect information.
Addressed
10.1.10
PAN-203339
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
Addressed
10.1.10
PAN-203137
(PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.1.10
PAN-202981
Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).
Addressed
10.1.10
PAN-201855
Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.
Addressed
10.1.10
PAN-201839
Fixed an issue where GlobalProtect HIP matches failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.
Addressed
10.1.10
PAN-201721
Fixed an issue with firewalls in HA configurations where HA setup generated the error mismatch due to device update during a content update even though the version was the same.
Addressed
10.1.10
PAN-201601
Fixed an issue where the all_task process stopped responding after adding custom hyperscan signatures.
Addressed
10.1.10
PAN-201561
Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.
Addressed
10.1.10
PAN-201466
Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.
Addressed
10.1.10
PAN-201085
(PA-5450 firewalls only) Fixed an issue where inserting the NPC and DPC on slot 2 created excessive logs in the bcm.log file.
Addressed
10.1.10
PAN-200676
Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.
Addressed
10.1.10
PAN-200356
Fixed an issue where the Elapsed seconds field incorrectly displayed as 0 for DHCP packets coming from the firewall.
Addressed
10.1.10
PAN-199687
Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.
Addressed
10.1.10
PAN-199557
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Addressed
10.1.10
PAN-198693
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
Addressed
10.1.10
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window (Policies > Security > Prerules).
Addressed
10.1.10
PAN-198333
Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.
Addressed
10.1.10
PAN-198043
Fixed a rare issue where a BuildXmlCache job failed on the firewall.
Addressed
10.1.10
PAN-197388
Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).
Addressed
10.1.10
PAN-197115
Fixed an issue where, when the total number of in-use HIP Profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP Profile even though a HIP Match log was generated.
Addressed
10.1.10
PAN-196597
Fixed an issue where the dnsproxyd process stopped responding due to corruption.
Addressed
10.1.10
PAN-196417
(PA-7000 Series firewalls only) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.
Addressed
10.1.10
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Addressed
10.1.10
PAN-196003
Fixed an issue where the Adjust Columns options for Panorama Traffic logs did not correctly auto-adjust the columns.
Addressed
10.1.10
PAN-195251
Fixed an issue where IPSec tunnel re-keying generated the critical log message tunnel-status-up.
Addressed
10.1.10
PAN-194805
Fixed an issue where scheduled configuration backups to the SCP server failed with the error message:
No ECDSA host key is known
Addressed
10.1.10
PAN-193710
Fixed an issue where running the show interface CLI command caused the pan_comm process to stop responding during a configuration change.
Addressed
10.1.10
PAN-193521
Fixed an issue where Panorama > Device > Deployment > Software did not display software after running check now for managed devices.
Addressed
10.1.10
PAN-192739
Fixed an issue where the error message Machine Learning found virus was displayed in threat CSV logs as the Threat ID/Name when WildFire Inline ML detected malware.
Addressed
10.1.10
PAN-192681
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Addressed
10.1.10
PAN-192417
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.1.10
PAN-190903
Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.
Addressed
10.1.10
PAN-189442
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.
Addressed
10.1.10
PAN-189395
(PA-400 Series firewalls only) Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.
Addressed
10.1.10
PAN-189441
Fixed an issue where the pan_comm process repeatedly restarted, which caused commits to fail.
Addressed
10.1.10
PAN-189423
Fixed an issue where exporting correlation logs generated an empty file.
Addressed
10.1.10
PAN-189196
Fixed an issue on the firewall where the DHCP server did not send DHCP NAK packets correctly when Served Addresses were configured.
Addressed
10.1.10
PAN-188403
Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.
Addressed
10.1.10
PAN-187253
(PA-400 Series firewalls only) Fixed an issue where the all_task process stopped responding.
Addressed
10.1.10
PAN-186956
Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for the member interface did not respond to pings.
Addressed
10.1.10
PAN-186412
Fixed an issue where an invalid packet-ptr was seen in work entries.
Addressed
10.1.10
PAN-186182
Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.
Addressed
10.1.10
PAN-185770
Fixed an issue where the firewall displayed the error message Malformed Request when an email address included an ampersand (&) while configuring an Email server profile.
Addressed
10.1.10
PAN-182689
Fixed an issue where a signature from a previous WildFire package triggered malware detection even though the signature was no longer present in the current WildFire package.
Addressed
10.1.10
PAN-180655
Fixed an issue where FTP connections failed when SSL Inbound Inspection was enabled and a Security Profile was attached to the FTP connection allow policy rule.
Addressed
10.1.10
PAN-172977
Fixed an issue where session offloading did not occur on a tap interface under a high packet load.
Addressed
10.1.10
PAN-172806
Fixed an issue where the logrcvr process crashed during firewall reboots.
Addressed
10.1.10
PAN-170414
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple
panio
commands using extra memory.
Addressed
10.1.10
PAN-168102
Fixed an issue where the API format to check heap usage of a node showed a JSON error.
Known
10.1.11
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.11
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.11
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.11
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.11
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message
    System capacity adjusted to VM-50 capacity due to insufficient memory for VM-
    <xxx>
    license
    , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.11
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.11
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.11
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.11
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in
Panorama
ACC
threat-activity
appears blank.
Known
10.1.11
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum limit of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.11
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.11
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.11
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
.
Known
10.1.11
PAN-242784
This issue is now resolved. See
PAN-OS 10.1.11-h5 Addressed Issues
.
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround:
Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.11
PAN-235741
This issue is now resolved. See
PAN-OS 10.1.11-h5 Addressed Issues
.
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.11
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.11
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.11
PAN-227435
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues
.
(
PA-410 firewalls only
) Upgrading a firewall to PAN-OS 10.1.11-h1 or PAN-OS 10.1.11-h4 causes the logrcvr process to hang or crash. This causes the auto-commit process to fail or remain at
0%
.
Known
10.1.11
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.11
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collector
) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin
debug elasticsearch es-restart all
Known
10.1.11
PAN-223488
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.11
PAN-221015
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
10.1.11
PAN-219644
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.11
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.11
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.11
PAN-217307
This issue is now resolved. See
PAN-OS 10.1.14 Addressed Issues
.
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.11
PAN-213746
On the Panorama management server, the
Hostkey
displayed as
undefined undefined
if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.1.11
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.11
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.11
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.1.11
PAN-197341
On the Panorama management server, if you create multiple device group
Objects
with the same name in the Shared device group and any additional device groups (
Panorama
Device Groups
) under the same device group hierarchy that are used in one or more
Policies
, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group
    DG-A
    and a child device group
    DG-B
    .
  2. You create address objects called
    AddressObjA
    in the
    Shared
    ,
    DG-A
    and
    DG-B
    device groups and add
    AddressObjA
    to a Security policy rule under
    DG-A
    and
    DG-B
    .
  3. Later, you change the
    AddressObjA
    name in the
    Shared
    device group to
    AddressObjB
    .
Changing the name of the address object in the
Shared
device group causes the references in the Policy rule to use the renamed
Shared
object instead of the device group object.
Known
10.1.11
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions having been made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.1.11
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.11
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.11
PAN-194202
(
PA-5450 firewall only
) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.11
PAN-193518
All logs (
Monitor
Logs
) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.11
PAN-193004
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues
.
The Panorama management server fails to delete old IP Tag data. This causes the
/opt/pancfg
partition to reach maximum capacity which impacts Panorama performance.
Known
10.1.11
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (
Device
Scheduled Log Export
), exporting configurations (
Device
Scheduled Config Export
), or the
scp export
command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.11
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.1.11
PAN-179888
On the Panorama management server, the managed firewall (
Panorama
Managed Devices
Health
)
Power Supplies
displays an incorrect count of power supplies.
Known
10.1.11
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.11
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.1.11
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.11
PAN-172067
When you configure an HTTP server profile (
Device
Server Profiles
HTTP
or
Panorama
Server Profiles
HTTP
), the
Username
and
Password
fields are always required regardless of whether
Tag Registration
is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.11
PAN-172061
A process (
all_pktproc
) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.11
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.1.11
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.11
PAN-171706
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.11
PAN-171673
On the Panorama management server, the
ACC
returns inaccurate results when you filter for
New App-ID
in the
Application
usage widget.
Known
10.1.11
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if the configuration is disabled and the firewall is rebooted. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround
: Use the
debug user-id clear domain-map
command to remove the existing group mappings from the firewall.
Known
10.1.11
PAN-171224
On the Panorama management server, a custom report (
Monitor
Managed Custom Reports
) with a high volume of unique data objects is not generated when you click
Run Now
.
Known
10.1.11
PAN-171145
If you edit or remove the value for the
mail
attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.11
PAN-170923
In
Policies
Security
Policy Optimizer
New App Viewer
, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.11
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.11
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.11
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.11
PAN-168113
On the Panorama management server, you are unable to configure a master key (
Device
Master Key and Diagnostics
) for a managed firewall if an interface (
Network
Interfaces
Ethernet
) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.11
PAN-167847
If you issue the command
opof stats
, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the
opof stats
command after the offload completes.
Known
10.1.11
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to the edge service.
Known
10.1.11
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the
user in
value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.11
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.11
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.11
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.11
PAN-164647
On the Panorama management server, activating a license (
Panorama
Device Deployment
Licenses
) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.11
PAN-164618
The VM-Series firewall CLI and system logs display the license name
VM-SERIES-X
, while the user interface displays
VM-FLEX-X
(in both cases
X
is the number of vCPUs). In future releases the user interface will use the
VM-SERIES-X
format.
Known
10.1.11
PAN-164586
If you use a value other than
mail
for the user or group email attribute in the Cloud Identity Engine, it displays in
user@domain
format in the CLI output.
Known
10.1.11
PAN-163966
On the Panorama management server, the
ACC
and on demand reports (
Monitor
Manage Custom Reports
) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.11
PAN-162836
On the VM-Series firewall, if you select
Device
Licenses
Deactivate VM
a popup window opens and you can choose
Subscriptions
or
Support
and press
Continue
to remove licenses and register the changes with the license server. When the license removal is complete the
Deactivate VM
window does not update its text to exclude deactivated licenses or close the window.
Workaround
: Wait until the license deactivation is complete, and click
Cancel
to close the window.
Known
10.1.11
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the
No. of Groups
in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.11
PAN-161451
If you issue the command
opof stats
, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.11
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.11
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.11
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (
Device
Setup
DLP
) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the
    Tasks
    to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and
    Commit
    Commit and Push
    to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.11
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround
: Execute the command
debug dataplane pow status
to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name        1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf           2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command
debug dataplane pow status
. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name        1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf           1  1  0  0  0  0  2
Known
10.1.11
PAN-156598
(
Panorama only
) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.11
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (
Commit
Commit to Panorama
) failures if a custom report (
Monitor
Manage Custom Reports
) is configured to Group By
Session ID
.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.11
PAN-154034
On the Panorama management server, the Type column in the System logs (
Monitor
Logs
System
) for managed firewalls running a PAN-OS 9.1 release erroneously displays
iot
as the type.
Known
10.1.11
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1,
Remove Config
(
Panorama
Plugins
) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.11
PAN-153803
On the Panorama management server, scheduled email PDF reports (
Monitor
PDF Reports
) fail if a GIF image is used in the header or footer.
Known
10.1.11
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as
Done
even though report jobs generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group are still in a
Running
state.
Known
10.1.11
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.11
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.11
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.11
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.11
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.11
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.11
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.11
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an
Invalid term
error.
Workaround:
Specify
iot
as the
Type Attribute
to filter the logs and use the search term as the
Description Attribute
. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
.
Known
10.1.11
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.11
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the
VLD
and
logd
processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the
VLD
and
logd
processes.
Known
10.1.11
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround
: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.11
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (
Panorama
SD-WAN
Devices
) does not display the branch template stack as
out of sync
.
Additionally, adding, deleting, or modifying the BGP configuration (
Panorama
SD-WAN
Devices
) does not display the hub and branch template stacks as
out of sync
. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as
out of sync
, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as
out of sync
.
Workaround:
After performing a configuration change,
Commit and Push
the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.11
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit
the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.11
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (
Panorama
Managed Devices
Summary
) as
Out of Sync
.
Workaround
: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and
Force Template Values
(
Commit
Push to Devices
Edit Selections
).
Known
10.1.11
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.11
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.11
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.11
PAN-140008
ElasticSearch is forced to restart when the
masterd
process misses too many heartbeat messages on the Panorama management server, resulting in delays in log queries and log ingestion.
Known
10.1.11
PAN-136763
On the Panorama management server, managed firewalls display as disconnected while you install a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected in the managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.11
PAN-135742
In HTTP/2 session decryption, the App-ID recorded in the Decryption log is the App-ID of the parent session (web-browsing).
Known
10.1.11
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.11
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) or duplicate services in service groups (Objects > Service Groups) when you create the groups from the CLI.
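A check for the gap this issue leaves, as an added example and not Palo Alto Networks code: the script below parses a configuration XML export (for instance the output of show config candidate saved to a file, or the XML API type=config response) and reports every address group or service group whose member list repeats an entry. The configuration fragment embedded in it is constructed for the example, and the element paths it searches (static/member for address groups, members/member for service groups) are assumptions to confirm against your own export.

```python
"""Flag duplicate members in PAN-OS / Panorama address groups and service groups.

Added example, not Palo Alto Networks code. Element paths are assumptions:
address-group static members under <static><member>, service-group members
under <members><member>. Confirm against your own config export.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# (group element, path to its members relative to each <entry>)
GROUP_TYPES = (
    ("address-group", "static/member"),
    ("service-group", "members/member"),
)

# Constructed sample: one Panorama device group with a repeated address member
# and a repeated service member, plus a clean group for contrast.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><device-group><entry name="DG1">
    <address-group>
      <entry name="web-servers"><static>
        <member>web-01</member><member>web-02</member><member>web-01</member>
      </static></entry>
      <entry name="db-servers"><static><member>db-01</member></static></entry>
    </address-group>
    <service-group>
      <entry name="web-ports"><members>
        <member>service-http</member><member>service-https</member><member>service-http</member>
      </members></entry>
    </service-group>
  </entry></device-group></entry></devices>
</config>"""


def find_duplicate_members(config_xml: str) -> dict:
    """Return {"<group-type>/<group-name>": {member: count}} for every group
    whose member list contains the same member more than once."""
    root = ET.fromstring(config_xml)
    findings = {}
    for group_tag, member_path in GROUP_TYPES:
        # iter() walks every <address-group>/<service-group> container in the
        # tree, so Shared, vsys and device-group scopes are all covered.
        for container in root.iter(group_tag):
            for entry in container.findall("entry"):
                members = [m.text.strip() for m in entry.findall(member_path) if m.text]
                dups = {m: n for m, n in Counter(members).items() if n > 1}
                if dups:
                    findings[f"{group_tag}/{entry.get('name')}"] = dups
    return findings


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for group, dups in find_duplicate_members(xml_text).items():
        for member, count in dups.items():
            print(f"{group}: member '{member}' listed {count} times")
```

Run it against an exported configuration file as the first argument; with no argument it audits the embedded sample and reports the two duplicated members.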
Known
10.1.11
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation for inter-vsys traffic.
Known
10.1.11
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.11
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.11
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.11
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.11
PAN-120440
On M-500 Panorama management servers, an Ethernet interface with an IPv6 address that has Private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.11
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.11
PAN-120303
The firewall remains connected to the PAN-DB-URL server through the old management IP address of the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the following methods.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the M-500 Eth1/1 IP address as the new PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the device server (devsrvr) process on the firewall.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.11
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value to the bootstrap.xml file in the bootstrap folder and complete the bootstrap process.
Known
10.1.11
PAN-115816
(Microsoft Azure only) Intermittently, an Ethernet (eth1) interface does not come up when you first boot the firewall.
Workaround:
Reboot the firewall.
Known
10.1.11
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. For example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK to MMAP packet mode, the firewall duplicates the ping packets.
Transit (throughput) traffic is not duplicated if you deploy the VM-Series firewall in MMAP packet mode.
Known
10.1.11
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and then create a New Certificate Profile from the drop-down, you must set the location of the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, select a preexisting certificate profile instead of creating a new one.
Known
10.1.11
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.11
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use a User-ID XML API request (an unregister entry in a uid-message) to unregister the tags for the subnet or range.
Known
10.1.11
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.11
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a
    Commit to Panorama
    operation followed by a
    Push to Devices
    operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.11
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.11
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.11
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.11
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.11
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch cannot match the HIP object, and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch cannot match HIP objects based on the endpoint serial number, because GlobalProtect gateways cannot identify the serial numbers of these endpoints; the serial numbers do not appear in the HIP report.
Known
10.1.11
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 Update 1 causes the Panorama virtual appliance and the host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 Update 2 and add the disk again.
Known
10.1.11
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and run the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Note that this command clears every registered IP address-to-tag mapping on the firewall, not only the mappings the plugin pushed, so dynamic address groups that depend on those mappings lose their members until the mappings are registered again.
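The selective alternative to both workarounds above (the web-interface gap in PAN-112135 and the clear-all command in PAN-101688), as an added example and not Palo Alto Networks code: a script that builds the User-ID XML API uid-message that unregisters named tags from specific IP addresses, subnets or ranges, and posts it to the firewall's /api/ endpoint with type=user-id. The firewall host, API key and mappings in it are placeholders, and the response documents it checks are constructed for the example.

```python
"""Unregister specific IP-address-to-tag mappings through the PAN-OS User-ID XML API.

Added example, not Palo Alto Networks code. Assumes the documented uid-message
format posted to https://<firewall>/api/?type=user-id. Host, key and mappings
below are placeholders; send_uid_message() is not exercised offline.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder mappings: address (host, subnet or range) -> tags to remove from it.
# Unlike `debug object registered-ip clear all`, only these mappings are touched.
EXAMPLE_MAPPINGS = {
    "10.1.20.0/24": ["quarantine"],
    "10.1.30.5-10.1.30.9": ["quarantine", "pci-scope"],
}


def build_unregister_message(mappings: dict) -> str:
    """Build the <uid-message> XML that removes the given tags from the given addresses."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    unregister = ET.SubElement(ET.SubElement(root, "payload"), "unregister")
    for address, tags in mappings.items():
        if not tags:
            raise ValueError(f"no tags given for {address}; refusing to build an empty entry")
        tag_el = ET.SubElement(ET.SubElement(unregister, "entry", ip=address), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_entries(message: str) -> dict:
    """Read back {address: [tags]} from a uid-message, to review what will be sent."""
    root = ET.fromstring(message)
    return {
        e.get("ip"): [m.text for m in e.findall("tag/member")]
        for e in root.findall("payload/unregister/entry")
    }


def response_ok(response_xml: str) -> bool:
    """The API answers <response status="success"> on success; anything else is a failure."""
    return ET.fromstring(response_xml).get("status") == "success"


def send_uid_message(host: str, api_key: str, message: str, verify_tls: bool = True) -> bool:
    """POST the uid-message to the firewall and return whether it reported success."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": message}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab firewalls with a self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return response_ok(resp.read().decode())


if __name__ == "__main__":
    msg = build_unregister_message(EXAMPLE_MAPPINGS)
    print(msg)
    # send_uid_message("firewall.example.net", "<api-key>", msg)  # placeholder host and key
```

After the request succeeds, confirm on the firewall CLI with show object registered-ip all that only the targeted addresses lost the targeted tags.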
Known
10.1.11
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, running the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall returns only the address and address group objects pushed from the Shared device group.
Workaround:
Set the target vsys and specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.11
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.11
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.11
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.11
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.11
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.11
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release, and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require a password change to apply password profile settings.)
Known
10.1.11
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.11
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.11
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault for the minimum PAN-OS release version for a threat signature.
Known
10.1.11
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.11
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the firewall web interface displays the nCipher server status as Not Authenticated even though the HSM state is up (Device > Setup > HSM).
Known
10.1.11
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes while a dynamic update is being installed.
  • Generate a custom report while a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not running memory-intensive tasks (installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.
Known
10.1.11
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.11
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (the default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for UDP traffic only by running the set session udp-offload no CLI command.
Known
10.1.11
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.11
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.11
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.11
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.11
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.11
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.11
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or by not enabling advertising of the DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller, where <worker-ip-address> is the IP address of the worker node you are adding to the cluster:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. If you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can state that the DNS service is either enabled or not enabled:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.11
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.11
PAN-69505
When you view an external dynamic list that requires client authentication and Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.11
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.11
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th includes only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.11
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or run the debug software restart process management-server CLI command.
Known
10.1.11
PAN-31832
The following issues apply when you configure a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect: The firewall requires at least four minutes to detect that an HSM was disconnected, so SSL functionality is unavailable during that delay.
  • SafeNet Network: When connectivity to either or both HSMs in an HA configuration is lost, the output of the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.11-h5
PAN-242784
Fixed an issue where DNS resolution failed on platforms that obtained DNS server IP addresses from DHCP.
Addressed
10.1.11-h5
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.11-h5
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.11-h5
PAN-235741
Fixed an issue where DNS resolution failed for firewall and Panorama plugins.
Addressed
10.1.11-h5
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation of the length of the predefined signature, which resulted in App-ID not being detected correctly.
Addressed
10.1.11-h5
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data displayed with the Last 24 Hours filter was not accurate. Reports run against summary logs also did not display accurate results.
Addressed
10.1.11-h5
PAN-234238
Fixed an issue where a Security policy rule that referenced more than 30 HIP profiles caused a buffer overflow, which caused other Security policy rules with HIP profiles to misidentify users, so traffic was denied.
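A pre-upgrade check for the trigger described in this fix, as an added example and not Palo Alto Networks code: the script parses a firewall or Panorama configuration XML export and lists every Security policy rule that references more than 30 HIP profiles, so a rulebase can be audited before it is pushed to a release that still has the overflow. The configuration in it is constructed for the example, and the element path it searches (security/rules/entry/hip-profiles/member under rulebase, pre-rulebase and post-rulebase) is an assumption to confirm against your own export.

```python
"""List Security policy rules that reference more than 30 HIP profiles (PAN-234238 trigger).

Added example, not Palo Alto Networks code. Assumes rules live at
<rulebase|pre-rulebase|post-rulebase>/security/rules/entry and reference HIP
profiles under <hip-profiles><member>; confirm against your own config export.
"""
import xml.etree.ElementTree as ET

HIP_PROFILE_LIMIT = 30  # more than this per rule triggers the overflow described above
RULEBASES = ("rulebase", "pre-rulebase", "post-rulebase")


def _rule(name: str, hip_profiles: list) -> str:
    """Render one minimal Security rule entry (sample-building helper)."""
    members = "".join(f"<member>{p}</member>" for p in hip_profiles)
    return (f'<entry name="{name}"><from><member>untrust</member></from>'
            f'<to><member>trust</member></to><action>allow</action>'
            f'<hip-profiles>{members}</hip-profiles></entry>')


# Constructed sample: a Panorama pre-rulebase with one rule over the limit,
# one exactly at the limit, and one small rule.
SAMPLE_CONFIG = (
    '<config><devices><entry name="localhost.localdomain"><device-group><entry name="DG1">'
    "<pre-rulebase><security><rules>"
    + _rule("allow-managed-endpoints", [f"hip-os-build-{i:02d}" for i in range(31)])
    + _rule("allow-guest", ["hip-guest-any"])
    + _rule("allow-corp-laptops", [f"hip-corp-{i:02d}" for i in range(30)])
    + "</rules></security></pre-rulebase>"
    "</entry></device-group></entry></devices></config>"
)


def hip_profile_counts(config_xml: str) -> dict:
    """Return {"<rulebase>/<rule-name>": count} for every Security rule that uses HIP profiles."""
    root = ET.fromstring(config_xml)
    counts = {}
    for rulebase in RULEBASES:
        for node in root.iter(rulebase):
            for rule in node.findall("security/rules/entry"):
                # <hip-profiles><member>any</member></hip-profiles> is the default, not a reference
                members = [m.text for m in rule.findall("hip-profiles/member") if m.text]
                if members and members != ["any"]:
                    counts[f"{rulebase}/{rule.get('name')}"] = len(members)
    return counts


def rules_over_limit(config_xml: str, limit: int = HIP_PROFILE_LIMIT) -> dict:
    """Only the rules whose HIP profile count exceeds `limit`."""
    return {rule: n for rule, n in hip_profile_counts(config_xml).items() if n > limit}


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for rule, n in rules_over_limit(xml_text).items():
        print(f"{rule}: {n} HIP profiles (limit {HIP_PROFILE_LIMIT})")
```

Pass the exported configuration file as the first argument; the only output is the rules that need splitting (or trimming) before the push.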
Addressed
10.1.11-h5
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.1.11-h5
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.1.11-h5
PAN-228877
(PA-5200 Series, PA-5400 Series, and PA-7000 Series only) Fixed an issue with out-of-memory (OOM) conditions that caused slot restarts due to pan_cmd consuming more than 300MB.
Addressed
10.1.11-h5
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.1.11-h5
PAN-226792
Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed.
Addressed
10.1.11-h5
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.1.11-h5
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9.
Addressed
10.1.11-h5
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.1.11-h5
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.1.11-h5
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.11-h5
PAN-208400
Fixed an issue where pushing dynamic objects to the firewall did not send all Panorama objects that matched the dynamic object filter when Share Unused Address and Service Objects with Device was selected on Panorama.
Addressed
10.1.11-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.11-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.11-h4
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation of the length of the predefined signature, which resulted in App-ID not being detected correctly.
Addressed
10.1.11-h4
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data displayed with the Last 24 Hours filter was not accurate. Reports run against summary logs also did not display accurate results.
Addressed
10.1.11-h4
PAN-234238
Fixed an issue where a Security policy rule that referenced more than 30 HIP profiles caused a buffer overflow, which caused other Security policy rules with HIP profiles to misidentify users, so traffic was denied.
Addressed
10.1.11-h4
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.1.11-h4
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
10.1.11-h4
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.1.11-h4
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
10.1.11-h4
PAN-228877
(PA-7050 firewalls only) Fixed an issue with out-of-memory (OOM) conditions that caused slot restarts due to pan_cmd consuming more than 300MB.
Addressed
10.1.11-h4
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.1.11-h4
PAN-226792
Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed.
Addressed
10.1.11-h4
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.1.11-h4
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9.
Addressed
10.1.11-h4
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.1.11-h4
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.1.11-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.11-h4
PAN-208400
Fixed an issue where pushing dynamic objects to the firewall did not send all Panorama objects that matched the dynamic object filter when Share Unused Address and Service Objects with Device was selected on Panorama.
Addressed
10.1.11-h3
PAN-237871
(WF-500 appliances and PAN-DB private cloud deployments only) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.11-h1
PAN-235726
Fixed an issue on the web interface where a pop-up window did not show a success message or close after a license was successfully upgraded or deactivated.
Addressed
10.1.11-h1
PAN-234962
Fixed an issue on Panorama that caused commit operations to be slower than expected.
Addressed
10.1.11-h1
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
Addressed
10.1.11-h1
PAN-233974
Fixed an issue where LACP interfaces went down after an upgrade.
Addressed
10.1.11-h1
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
Addressed
10.1.11-h1
PAN-231291
Fixed an issue where SD-WAN Adaptive SaaS path monitor went down after an upgrade.
Addressed
10.1.11-h1
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
10.1.11-h1
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
10.1.11-h1
PAN-224060
(PA-220 Series firewalls only) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
10.1.11-h1
PAN-221190
(PA-800 Series firewalls only) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.
Addressed
10.1.11-h1
PAN-220659
Fixed an issue on the firewall where scheduled Antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
10.1.11-h1
PAN-218057
(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failed due to a heartbeat miss.
Addressed
10.1.11-h1
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
10.1.11-h1
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
10.1.11-h1
PAN-161373
Fixed an issue where the SYN action field did not change as expected and the value was set to SYN cookie.
Addressed
10.1.11
PAN-228820
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.1.11
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-based application traffic byte count.
Addressed
10.1.11
PAN-227523
A fix was made to address customer and internal bugs (CVE-2023-38802).
Addressed
10.1.11
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.1.11
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
Addressed
10.1.11
PAN-225240
Fixed an issue where the OSPF neighbor state remained in exstart when the OSPF network had more than 40 routes.
Addressed
10.1.11
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
10.1.11
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
Addressed
10.1.11
PAN-225082
Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.
Addressed
10.1.11
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.1.11
PAN-223787
(PA-400 Series and PA-1400 Series firewalls only) Fixed an issue where commits failed with the error message Error unserializing profile objects failed to handle CONFIG_UPDATE_START.
Addressed
10.1.11
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
10.1.11
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.1.11
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
10.1.11
PAN-223317
Fixed an issue where SSL traffic failed with the error message Error: General TLS protocol error.
Addressed
10.1.11
PAN-223263
Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.
Addressed
10.1.11
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
Addressed
10.1.11
PAN-222712
(PA-5450 firewalls only) Fixed a low-frequency DPC restart issue.
Addressed
10.1.11
PAN-222533
(VM-Series firewalls in Microsoft Azure and Amazon Web Services (AWS) environments) Added support for high availability (HA) link monitoring and path monitoring.
Addressed
10.1.11
PAN-221984
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where an interface went down after a hotplug event and was recoverable only by restarting the firewall.
Addressed
10.1.11
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface was not installed in the routing table even when the tunnel to the branch or hub was active.
Addressed
10.1.11
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when Zone Protection with Strict IP was enabled and NAT Traversal was applied.
Addressed
10.1.11
PAN-221126
Fixed an issue where logs forwarded as email notifications through Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) were not in a readable format.
Addressed
10.1.11
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.
Addressed
10.1.11
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
Addressed
10.1.11
PAN-220576
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Addressed
10.1.11
PAN-220500
(PA-5450 and PA-400 firewalls only) Fixed an issue where the request shutdown system CLI command did not completely shut down the system.
Addressed
10.1.11
PAN-220281
(PA-7080 firewalls only) Fixed an issue where autocommitting changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
Addressed
10.1.11
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multidevice group Validate-all operation.
Addressed
10.1.11
PAN-219690
Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.
Addressed
10.1.11
PAN-219643
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the dataplane interface status went down due to a DPDK driver issue.
Addressed
10.1.11
PAN-219640
Fixed an issue where a transformation migration script error caused a commit failure with the error message "user-id-agent unexpected here". This occurred after upgrading the firewall from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.1.11
PAN-219573
Fixed an issue where tag names did not correctly display special characters.
Addressed
10.1.11
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
Addressed
10.1.11
PAN-219300
Fixed an issue where the task manager displayed only limited data.
Addressed
10.1.11
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the error message "Mismatched public and private keys" was displayed.
Addressed
10.1.11
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.1.11
PAN-218644
Fixed an issue where the firewall generated incorrect VSA attribute codes when RADIUS was configured with EAP-based authentication protocols.
Addressed
10.1.11
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
10.1.11
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.1.11
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
Addressed
10.1.11
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
10.1.11
PAN-217650
(VM-Series firewalls and Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where management interface Speed/Duplex was reported as unknown.
Addressed
10.1.11
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
10.1.11
PAN-217477
Fixed an issue where the drop counter was incremented incorrectly. Drop counter calculations did not account for failures to send out logs from logrcvr/logd to syslog-ng.
Addressed
10.1.11
PAN-217465
Fixed an issue where the Panorama web interface became unresponsive and displayed the error message "504 Gateway Not Reachable".
Addressed
10.1.11
PAN-217208
Fixed an issue where a memory leak related to the snmpd process caused an out-of-memory (OOM) condition or caused the process to restart when using SNMPv3.
Addressed
10.1.11
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.1.11
PAN-217024
Fixed an issue where fetching device certificates failed for internal DNS servers with the error message "ERROR Error: Could not resolve host: certificate.paloaltonetworks.com".
Addressed
10.1.11
PAN-216984
Fixed an issue where internal path monitoring failed due to the sysdagent not responding.
Addressed
10.1.11
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contained the ampersand (&) character.
Addressed
10.1.11
PAN-216913
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the brdagent process stopped responding due to missed heartbeats, which caused the firewall to reboot. This occurred when the brdagent process and DPDK-managed ports became out of sync after the Azure infrastructure triggered a hotplug event.
Addressed
10.1.11
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the firewall could not connect to the URL cloud.
Addressed
10.1.11
PAN-216755
Fixed an issue where CRL checks failed which caused authentication failures.
Addressed
10.1.11
PAN-216662
Fixed an issue where a custom Anti-Spyware profile did not open and displayed the error message "The server is not responding. Please wait and try your operation again later".
Addressed
10.1.11
PAN-216214
(Panorama managed firewalls in active/active HA configurations only) Fixed an issue where the HA status displayed as Out of Sync (Panorama > Managed Devices > Health) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.1.11
PAN-216170
(PA-400 Series firewalls in HA configurations only) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.
Addressed
10.1.11
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.1.11
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.11
PAN-215899
Fixed an issue with Panorama appliances in HA configurations where configuration synchronization between the HA peers failed.
Addressed
10.1.11
PAN-215857
Fixed an issue where the option to reboot the entire firewall was visible to vsys admins.
Addressed
10.1.11
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate toward the syslog server was reduced. With this fix, the overall log forwarding rate has also been improved.
Addressed
10.1.11
PAN-215780
Fixed an issue where changes to Zone Protection profiles made via XML API were not reflected in the zone protection configuration.
Addressed
10.1.11
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message
INVALID_SPI
, which resulted in temporary loss of traffic over some proxy IDs.
Addressed
10.1.11
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
Addressed
10.1.11
PAN-215644
(VM-Series firewalls only) Fixed an issue where the firewall displayed the error message "tap0: Incorrect MTU 9000 requested, hw max 1500" when Jumbo Frames were active.
Addressed
10.1.11
PAN-215503
Fixed a memory-related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
10.1.11
PAN-215437
Fixed an issue where the show commands for config-lock and commit-lock were not available for a Panorama appliance in Log Collector mode.
Addressed
10.1.11
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor.
Addressed
10.1.11
PAN-215335
Fixed an issue where DHCP lease renewal failed due to a change in the firewall timestamp (Device > Setup > Management).
Addressed
10.1.11
PAN-215324
(PA-5400 Series firewalls with Jumbo Frames enabled only) Fixed an issue with CPU throttling and buffer depletion.
Addressed
10.1.11
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message "comm exited with signal of 10".
Addressed
10.1.11
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.1.11
PAN-215058
Fixed a memory leak related to the logdb process.
Addressed
10.1.11
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.1.11
PAN-214987
Fixed an issue where Application Filter names were not random, and they matched or included internal protocol names.
Addressed
10.1.11
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.1.11
PAN-214773
Fixed an issue where RTP packets traversing between virtual systems (inter-vsys) were dropped on the outgoing vsys.
Addressed
10.1.11
PAN-214753
Fixed an issue where retrieving WildFire Analysis reports when choosing WildFire log entries under Detailed Log View displayed the error "Fetching WildFire server xxx report failed!".
Addressed
10.1.11
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
Addressed
10.1.11
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
Addressed
10.1.11
PAN-214406
Fixed an issue with Elasticsearch where ES tunnels were not started and were forked incorrectly, which caused them to fail.
Addressed
10.1.11
PAN-214273
Fixed an issue where Elasticsearch logs were not cleared, which caused the root partition to fill up.
Addressed
10.1.11
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.1.11
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
10.1.11
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
Addressed
10.1.11
PAN-213949
Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.
Addressed
10.1.11
PAN-213942
(PA-400 Series firewalls) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.
Addressed
10.1.11
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
10.1.11
PAN-213256
Fixed an issue where schedule settings (Panorama > Device Deployment > Dynamic Updates > Schedules) did not correctly reflect the settings configured in a detailed view of specific entries.
Addressed
10.1.11
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
Addressed
10.1.11
PAN-213112
Fixed an issue where executing the show report directory-listing CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
Addressed
10.1.11
PAN-213077
Fixed an issue where the sysdagent process stopped responding, which caused interfaces and the subsequent connections behind them to fail.
Addressed
10.1.11
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
Addressed
10.1.11
PAN-212889
Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor (Monitor > App Scope) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering it in the global filters.
Addressed
10.1.11
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.1.11
PAN-212761
Fixed an issue where the all_pktproc process stopped responding, which caused the dataplane to go down and caused HA failover.
Addressed
10.1.11
PAN-212577
(PA-5200 Series and PA-7080 firewalls only) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
Addressed
10.1.11
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.1.11
PAN-210883
Fixed an issue where SSL proxy traffic was dropped when DoS zone protection was enabled.
Addressed
10.1.11
PAN-210879
Fixed an issue where Host-ID information was not populated in the Traffic logs for GlobalProtect users, even with a Quarantine Security policy rule set, due to a missing local cache lookup.
Addressed
10.1.11
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
10.1.11
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.1.11
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
Addressed
10.1.11
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
Addressed
10.1.11
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message "User is not in allowlist" when an authentication profile was created in a shared configuration space.
Addressed
10.1.11
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the fields Source and Destination IP.
Addressed
10.1.11
PAN-207700
Fixed an issue where the show system info and show system ztp status CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.
Addressed
10.1.11
PAN-207604
Fixed an issue where system logs continuously generated the log message "Not enough space to load content to SHM".
Addressed
10.1.11
PAN-207457
Fixed an issue where the MLAV allow list did not work for some types of traffic.
Addressed
10.1.11
PAN-207371
Fixed an issue where the external dynamic list order on the firewall was not updated after making an order change from Panorama.
Addressed
10.1.11
PAN-207092
Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.
Addressed
10.1.11
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
Addressed
10.1.11
PAN-206041
(PA-7050 firewalls only) Fixed an issue where the ikemgr process stopped responding.
Addressed
10.1.11
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
Addressed
10.1.11
PAN-204870
Fixed an issue where available memory gradually declined due to a leak in kernel unreclaimable memory.
Addressed
10.1.11
PAN-204530
Fixed an issue where, when one of the destination hosts designated in a scheduled log export was unresponsive, the firewall took longer than expected to give up the FTP or SCP session after the log export failed.
Addressed
10.1.11
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
Addressed
10.1.11
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
Addressed
10.1.11
PAN-202008
Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and were not complete.
Addressed
10.1.11
PAN-200757
Fixed an issue with client certificate generation on Panorama, which resulted in a firewall being unable to connect to a log collector.
Addressed
10.1.11
PAN-200394
Fixed an issue where, after a push from Panorama to one or more device groups in a multi-vsys environment, vulnerability profile exceptions were not seen on all firewalls.
Addressed
10.1.11
PAN-195439
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.1.11
PAN-193484
Fixed an issue where DNS failed if the domain name started with a period.
Addressed
10.1.11
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
Addressed
10.1.11
PAN-188093
(Firewalls in HA active/passive configurations only) Fixed an issue where name_only entries caused URLs to not resolve on the active firewall.
Addressed
10.1.11
PAN-187989
Fixed an issue where a user who did not have permissions for other access domains was able to view the commit and configuration lock.
Addressed
10.1.11
PAN-186579
Fixed an issue where, after a hardware failure, the system log did not include information about the failure.
Addressed
10.1.11
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Addressed
10.1.11
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.1.11
PAN-179888
Fixed an issue on Panorama where the Power Supplies count for managed firewalls was incorrect.
Addressed
10.1.11
PAN-175669
Fixed an issue where DNS Security did not attempt to reach dns.service.paloaltonetworks.com when an HTTP proxy with a custom port was configured.
Addressed
10.1.11
PAN-175121
Fixed a rare issue where two nodes starting IKE_SA negotiations at the same time resulted in duplicate IKE SAs.
Addressed
10.1.11
PAN-172853
Fixed an issue where Panorama appliances running a PAN-OS 10.0 release did not push the Security policy options no-hip and quarantine to firewalls running PAN-OS 9.1.
Addressed
10.1.11
PAN-171706
Fixed an issue where local commits on Panorama were successful, but commits to managed firewalls failed when the firewalls had multiple virtual systems and the virtual system that was the User-ID hub used an alias.
Addressed
10.1.11
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.1.11
PAN-160633
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.
Known
10.1.12
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.12
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.12
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.12
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.12
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.12
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.12
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.12
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.12
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.12
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.12
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum limit of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.12
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.12
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.12
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
Known
10.1.12
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.12
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues.
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround:
Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.12
PAN-238769
(FIPS-CC VM-Series only) Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround:
Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
Known
10.1.12
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues.
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.12
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.12
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.12
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.12
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch:
admin> debug elasticsearch es-restart all
Known
10.1.12
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.12
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.12
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
  • log-start eq no
  • log-end eq no
  • log-end eq yes
Known
10.1.12
PAN-213746
On the Panorama management server, the Hostkey displayed as "undefined undefined" if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.12
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.12
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error "total SD-WAN interfaces 3 exceed the platform maximum 0".
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.12
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App > Allow with Passcode
  • Allow user to Disable GlobalProtect App > Allow with Passcode
  • Allow User to Uninstall GlobalProtect App > Allow with Password
Known
10.1.12
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.12
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.12
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.12
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.12
PAN-194202
(PA-5450 firewall only) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.12
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.12
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), and the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.12
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.12
PAN-179888
On the Panorama management server, the Power Supplies count for managed firewalls (Panorama > Managed Devices > Health) is incorrect.
Known
10.1.12
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.12
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.1.12
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.12
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.12
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.12
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.12
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.12
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.12
PAN-171635
If you have an on-premise Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround: Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.12
PAN-171224
On the Panorama management server, a custom report (Monitor > Manage Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.12
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.12
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.12
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.12
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.12
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.12
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.12
PAN-167847
If you issue the opof stats command and then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.12
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.12
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.12
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.12
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.12
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.12
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.12
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.12
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.12
PAN-163966
On the Panorama management server, the ACC and on-demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.12
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround: Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.12
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.12
PAN-161451
If you issue the opof stats command, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state and has no impact on the existing session.
Known
10.1.12
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.12
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.12
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify that all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.12
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround: Execute the debug dataplane pow status command to view the number of channels being utilized by the dataplane.
  Per pan-task Netx statistics
  Counter Name      1  2  3  4  5  6  Total
  ---------------------------------------------
  ready_dvf         2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the debug dataplane pow status command. It should now show multiple channels being utilized.
  Per pan-task Netx statistics
  Counter Name      1  2  3  4  5  6  Total
  ---------------------------------------------
  ready_dvf         1  1  0  0  0  0  2
Known
10.1.12
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.12
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.12
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.12
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.12
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.12
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though the jobs for reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group are still in a Running state.
Known
10.1.12
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.12
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.12
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.12
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.12
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.12
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.12
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.12
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.12
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.12
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.12
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround: Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.12
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.12
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.12
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.12
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and display the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.12
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.12
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.12
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
Known
10.1.12
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.12
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.12
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.12
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.12
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.12
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.12
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.12
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.12
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.12
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2
Known
10.1.12
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.12
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new PAN-DB Server IP address (the M-500 Eth1/1 IP address).
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.12
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.12
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.12
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.12
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.12
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.12
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.12
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.12
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.12
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.12
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.12
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.12
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.12
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.12
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.12
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.12
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.12
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.12
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.12
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.12
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.12
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.12
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.12
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.12
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.12
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.12
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.12
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.12
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.12
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.12
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.12
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.12
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.12
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.12
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.12
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.12
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.12
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.12
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.12
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.12
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.12
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.12
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.12
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.12
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.1.12
PAN-238610
Fixed an issue with the Panorama Virtual Appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses.
Addressed
10.1.12
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
10.1.12
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.1.12
PAN-236261
Fixed an issue where a proxy server was used for External Dynamic List communication even when the dataplane interface was configured through service routes.
Addressed
10.1.12
PAN-235741
Fixed an issue where DNS resolution failed for Panorama and firewall plugins if the DNS Server IP was obtained through DHCP.
Addressed
10.1.12
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
10.1.12
PAN-235385
Enhanced wifclient cloud connectivity redundancy.
Addressed
10.1.12
PAN-233957
(PA-5450 firewalls only) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.
Addressed
10.1.12
PAN-233390
Fixed an issue where TLSv1.3 client authentication was incorrectly presented with a decryption failure log.
Addressed
10.1.12
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use.
Addressed
10.1.12
PAN-232358
(PA-5450 firewalls only) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
10.1.12
PAN-231459
(PA-5450 firewalls only) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.
Addressed
10.1.12
PAN-231291
Fixed an issue where SD-WAN Adaptive SaaS path monitor went down after an upgrade.
Addressed
10.1.12
PAN-230813
Fixed an issue where a flex memory leak caused decryption failures and commit failures with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START.
Addressed
10.1.12
PAN-230656
(Firewalls in HA configurations only) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
10.1.12
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
10.1.12
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors occurred during normal operational commands; the fix increases the thread stack size on Panorama.
Addressed
10.1.12
PAN-229606
Fixed an issue where the brdagent process stopped responding after an upgrade due to initialization failure.
Addressed
10.1.12
PAN-229398
Fixed an issue where the Management Processor Card (MPC) stopped responding.
Addressed
10.1.12
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
10.1.12
PAN-229307
Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.
Addressed
10.1.12
PAN-229080
Fixed an issue where the new management IP address on the interface did not take effect.
Addressed
10.1.12
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
10.1.12
PAN-228386
Fixed an issue with session caching where the reportd process stopped responding due to null values.
Addressed
10.1.12
PAN-228043
Fixed an issue on firewalls in active/active HA configurations where packets were dropped during commit operations when forwarding traffic via an HA3 link, when an aggregate ethernet interface or data interface was used as the HA3 link.
Addressed
10.1.12
PAN-227804
Fixed an issue where memory corruption caused the comm process to stop responding.
Addressed
10.1.12
PAN-227774
Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr.
Addressed
10.1.12
PAN-227645
Fixed an issue where GlobalProtect authentication override cookies were not generated on GlobalProtect portal firewalls with configuration selection criteria enabled.
Addressed
10.1.12
PAN-227522
Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.
Addressed
10.1.12
PAN-227435
Fixed an issue where the logrcvr process stopped responding and caused the autocommit process to fail or remain at 0%.
Addressed
10.1.12
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
Addressed
10.1.12
PAN-227058
Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.
Addressed
10.1.12
PAN-226935
Fixed an issue where autocommits failed due to duplicate application name entries.
Addressed
10.1.12
PAN-226860
Fixed an issue where macOS XAuth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 rekey event.
Addressed
10.1.12
PAN-225698
Fixed an issue on Panorama where a failover occurred and Panorama went into a nonfunctional state due to high root disk usage.
Addressed
10.1.12
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.1.12
PAN-225110
Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall processes were manually restarted or the firewalls were rebooted.
Addressed
10.1.12
PAN-225094
Fixed an issue where performing a commit operation failed and the following error message was displayed: failed to handle CUSTOM_UPDATE.
Addressed
10.1.12
PAN-225013
(PA-5450 firewalls only) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was in Slot 2 instead of a DPC.
Addressed
10.1.12
PAN-224955
Fixed an issue where the devsrvr process stopped responding when Zone Protection had more than 255 profiles.
Addressed
10.1.12
PAN-224656
Fixed an issue where the devsrvr process caused delays when dynamic address groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.
Addressed
10.1.12
PAN-224500
Fixed an issue where IPv6 addresses in XFF were displayed in traffic logs.
Addressed
10.1.12
PAN-224405
Fixed an issue where the distributord process repeatedly stopped responding.
Addressed
10.1.12
PAN-224354
Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.
Addressed
10.1.12
PAN-224036
(PA-5450 firewalls only) Fixed an issue where a firewall with QoS configured was not able to send packets out of its interfaces after a reboot.
Addressed
10.1.12
PAN-223914
Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.
Addressed
10.1.12
PAN-223855
Fixed an issue where the show running ippool CLI command output displayed incorrect used and available NAT IP address pools for DIPP NAT policies on multi-dataplane firewalls.
Addressed
10.1.12
PAN-223488
(M-600 Appliances only) Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
Addressed
10.1.12
PAN-223271
Fixed an issue where the file transfer of large zipped and compressed files had the App-ID unknown-tcp.
Addressed
10.1.12
PAN-223270
Fixed an issue with Virtual Wire links on firewalls in active/active HA configurations where the forwarding path was not preserved in HTTP/2 cleartext traffic with asymmetric routing.
Addressed
10.1.12
PAN-223094
Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.
Addressed
10.1.12
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
Addressed
10.1.12
PAN-222162
Fixed an issue where the show transceiver <interface> CLI command showed the RX and TX powers as 0.00 mW.
Addressed
10.1.12
PAN-221973
Fixed an issue where the same user connected to multiple SSL VPN connections and one of the sessions stopped working.
Addressed
10.1.12
PAN-221938
Fixed an issue with network packet broker sessions where the broker session and master session timeouts were out of sync, which caused traffic drops if the broker session timed out when the master session was still active.
Addressed
10.1.12
PAN-221896
Fixed an issue where decryption failed with the error message decrypt-error when processing consecutive packets with TLSv1.3.
Addressed
10.1.12
PAN-221708
Fixed an issue where temporary files remained under /opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV file to the firewall.
Addressed
10.1.12
PAN-221316
Fixed an issue where the useridd process memory consumption increased significantly, which caused the process to stop responding and the device to restart.
Addressed
10.1.12
PAN-221015
(M-600 Appliances only) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the Managed Collector ES health status to be downgraded.
Addressed
10.1.12
PAN-220640
(PA-220 firewalls only) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
10.1.12
PAN-220619
Fixed an issue where the correct device filter did not apply when filtering Targets and Target/Tags (Device Group > Policies).
Addressed
10.1.12
PAN-219768
Fixed an issue where you were unable to filter Data Filtering logs with Thread ID/NAME for custom data patterns created on Panorama.
Addressed
10.1.12
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS (Objects > Log Forwarding) used the default Palo Alto Networks certificate instead of the configured custom certificate.
Addressed
10.1.12
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
10.1.12
PAN-219415
Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.
Addressed
10.1.12
PAN-219351
Fixed an issue where the all_pktproc process stopped responding during L7 processing.
Addressed
10.1.12
PAN-219260
(M-Series appliances only) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.
Addressed
10.1.12
PAN-218659
Fixed an issue where Security zones under Interfaces displayed as none for dynamic group and template admin users in a read-only admin role.
Addressed
10.1.12
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.1.12
PAN-218611
Fixed an issue where the device telemetry region was not updated on the firewall when pushed from the Panorama template stack.
Addressed
10.1.12
PAN-218340
Fixed an issue where selective pushes to template stack and multi device group pushes caused a buildup of resident memory, which caused the configd process to stop responding.
Addressed
10.1.12
PAN-218331
Fixed an issue where you were unable to export or download packet captures from the firewall when context switching from Panorama.
Addressed
10.1.12
PAN-218267
Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected.
Addressed
10.1.12
PAN-218238
Fixed an issue where you were unable to create a file exception (Monitor > Threat Log > Detailed Log view > Create Exception), and the following error message was displayed: no antivirus profile corresponding to threat log.
Addressed
10.1.12
PAN-218119
Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.
Addressed
10.1.12
PAN-217831
Fixed a memory leak issue related to the logd process that occurred due to a sysd object not being released.
Addressed
10.1.12
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that were not addressed to itself were silently dropped instead of forwarded.
Addressed
10.1.12
PAN-217295
Fixed an issue where the dataplane restarted while under heavy utilization due to an out-of-memory (OOM) condition.
Addressed
10.1.12
PAN-217293
Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.
Addressed
10.1.12
PAN-217289
Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.
Addressed
10.1.12
PAN-217272
Fixed an issue where the DNS proxy log included an excessive number of the following error message:
Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers
Addressed
10.1.12
PAN-217155
Fixed an issue where syncs between Panorama and the Cloud Identity Engine (CIE) caused intermittent slowness when using the web interface due to a large number of groups in the CIE directory.
Addressed
10.1.12
PAN-217123
Fixed an issue where log queries in the yyyy/mm/dd format displayed extra digits for the day and no error was generated.
Addressed
10.1.12
PAN-217064
Fixed an issue where commits took longer than expected when the DLP plugin was configured.
Addressed
10.1.12
PAN-216647
Fixed an issue where the sysd node was updated at incorrect times.
Addressed
10.1.12
PAN-216230
Fixed an issue where the shard count reached up to 10% over the limit rather than staying under the limit.
Addressed
10.1.12
PAN-216101
Fixed an issue where a memory leak related to a process and LLDP packet processing caused an OOM condition on the firewall.
Addressed
10.1.12
PAN-215778
Fixed an issue where API Get requests for /config timed out due to insufficient buffer size.
Addressed
10.1.12
PAN-215670
Fixed an issue where local reports and scheduled reports displayed different data.
Addressed
10.1.12
PAN-215583
Fixed an issue on firewalls in HA configurations where the primary firewall went into a non-functional state due to a timeout in the pan_comm logs during the policy based forwarding (PBF) parse, which caused an HA failover.
Addressed
10.1.12
PAN-214942
Fixed an issue where SD-WAN UDP traffic failed over to a non-member path after a flap of an SD-WAN virtual interface.
Addressed
10.1.12
PAN-214068
Fixed an issue on Panorama where the web interface stopped responding when creating zones for shared gateways, and when the page was refreshed, the zone was not created.
Addressed
10.1.12
PAN-213746
Fixed an issue on Panorama where the Hostkey displayed as undefined if an SSH Service Profile Hostkey configured in a Template from the Template Stack was overridden.
Addressed
10.1.12
PAN-213491
Fixed an issue where the management CPU was high, which caused the web interface to be slower than expected.
Addressed
10.1.12
PAN-212932
Fixed an issue where the firewall went into a restart loop with the following error message: failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB.
Addressed
10.1.12
PAN-212580
(PA-7050 firewalls only) Fixed an issue where disk space filled up due to files under /opt/var/s8/lp/log/pan/ not being properly deleted.
Addressed
10.1.12
PAN-211945
Fixed an issue where URL Filtering system logs showed the error message CURL ERROR: bind failed with errno 124: Address family not supported by protocol even though the PAN-DB cloud was connected.
Addressed
10.1.12
PAN-211827
Fixed an issue where dynamic updates failed with the following error message: CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config.
Addressed
10.1.12
PAN-211821
Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) interfaces caused the dataplane to go down.
Addressed
10.1.12
PAN-211384
Fixed an issue where the size of redisthost_1 in the Redis database continuously increased, which caused an OOM condition.
Addressed
10.1.12
PAN-211255
Fixed an issue where third-party VPNC IPSec clients were disconnected after a few seconds from firewalls in active/active HA configurations.
Addressed
10.1.12
PAN-210429
(VM-Series firewalls only) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.1.12
PAN-208085
Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked when the same sysd object was handled during the commit.
Addressed
10.1.12
PAN-207003
Fixed an issue where the logrcvr process netflow buffer was not reset, which resulted in duplicate netflow records.
Addressed
10.1.12
PAN-206325
Fixed an issue where a renamed object was still referenced with the previous name in a Security policy rule, which caused commit failures when using the edit API to create the rule.
Addressed
10.1.12
PAN-206278
Fixed an issue where a critical system log was generated when the boot drive for PA-7000 Series firewall Switch Management Cards (SMCs) failed.
Addressed
10.1.12
PAN-204808
(PA-400 Series, PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only) Fixed an issue where executing the CLI command show running resource-monitor ingress-backlogs displayed the error message Server error : Dataplane is not up or invalid target-dp(*.dp*).
Addressed
10.1.12
PAN-204788
Fixed an issue where the configd process stopped responding when performing a Push to Devices operation with multiple device groups selected.
Addressed
10.1.12
PAN-203791
(PA-3400 and PA-5400 Series firewalls only) Fixed an issue where the log type correlation was not configurable and displayed as $.Format.Correlation (Device > Server Profile > syslog > <Profile-name> > Custom log format > log type).
Addressed
10.1.12
PAN-201269
Fixed an issue where commits failed with the error message IPv6 addresses are not allowed because IPv6-firewalling is disabled when Security policy rules had an address group with more than 1000 FQDN address objects.
Addressed
10.1.12
PAN-198190
(VM-Series firewalls only) Fixed an issue where the MTU on the management interface could not be configured to a value greater than 1500.
Addressed
10.1.12
PAN-196956
Fixed an issue where URL filtering logs did not display matching entries when filtered by device name.
Addressed
10.1.12
PAN-194968
Fixed an issue on the web interface where Antivirus updates could not be downloaded and installed unless Applications and Threats updates were downloaded and installed first, and the Antivirus content list displayed as blank. The resulting error message from the update server was also not reflected in the web interface.
Addressed
10.1.12
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Addressed
10.1.12
PAN-191632
Fixed an issue where console sessions were not cleared after the set idle timeout value.
Addressed
10.1.12
PAN-183297
Fixed an issue where, when the firewall received a large amount of user information, the firewall was unable to output IP address-to-username mapping information via XML API.
Addressed
10.1.12
PAN-175642
Fixed an issue where system logs to alert for support license expiry were not generated.
Addressed
10.1.12
PAN-173604
Fixed an issue where executing the CLI command debug management-server log-forwarding-stats caused the logrcvr process to stop responding.
Addressed
10.1.12
PAN-158034
Fixed an issue where traffic logs displayed incorrect policy matches for HTTP/2 stream connections during a commit.
Known
10.1.13
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to both CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.13
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.13
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.13
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.13
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.13
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.13
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.13
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.13
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in Panorama > ACC > threat-activity appears blank.
Known
10.1.13
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.13
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum limit of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.13
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.13
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.13
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command: debug software restart process web-server.
Known
10.1.13
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.13
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues.
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround:
Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.13
PAN-238769
FIPS-CC VM-Series only. Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround:
Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
Known
10.1.13
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues.
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.13
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.13
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.13
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.13
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI as admin and restart ElasticSearch:
debug elasticsearch es-restart all
Known
10.1.13
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.13
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.13
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
  • log-start eq no
  • log-end eq no
  • log-end eq yes
Known
10.1.13
PAN-213746
On the Panorama management server, the Hostkey is displayed as "undefined undefined" if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.1.13
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.13
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.13
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App > Allow with Passcode
  • Allow user to Disable GlobalProtect App > Allow with Passcode
  • Allow User to Uninstall GlobalProtect App > Allow with Password
Known
10.1.13
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.13
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.1.13
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.13
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.13
PAN-194202
(PA-5450 firewall only) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.13
PAN-193518
All logs (Monitor > Logs) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.13
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys, which impacts exporting logs (Device > Scheduled Log Export), exporting configurations (Device > Scheduled Config Export), or the scp export command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
Known
10.1.13
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.1.13
PAN-179888
On the Panorama management server, the number of managed firewall Power Supplies (Panorama > Managed Devices > Health) displays an incorrect count of power supplies.
Known
10.1.13
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router are deleted, the configuration change does not sync.
Known
10.1.13
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses: license request fetch.
Known
10.1.13
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.13
PAN-172067
When you configure an HTTP server profile (Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.13
PAN-172061
A process (all_pktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.13
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.1.13
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.13
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.13
PAN-171635
If you have an on-premises Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.13
PAN-171224
On the Panorama management server, a custom report (Monitor > Managed Custom Reports) with a high volume of unique data objects is not generated when you click Run Now.
Known
10.1.13
PAN-171145
If you edit or remove the value for the mail attribute in your on-premises Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.13
PAN-170923
In Policies > Security > Policy Optimizer > New App Viewer, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.13
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.13
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.13
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.13
PAN-168113
On the Panorama management server, you are unable to configure a master key (Device > Master Key and Diagnostics) for a managed firewall if an interface (Network > Interfaces > Ethernet) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.13
PAN-167847
If you issue the command opof stats, then clear the results (opof stats -c), the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the opof stats command after the offload completes.
Known
10.1.13
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.13
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and, as a result, is unable to display this data in logs and custom reports.
Known
10.1.13
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.13
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.13
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.13
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.13
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.13
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.13
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.13
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.13
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.13
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.13
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.13
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.13
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.13
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
Per pan-task Netx statistics
Counter Name     1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf        2  0  0  0  0  0  2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
Per pan-task Netx statistics
Counter Name     1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf        1  1  0  0  0  0  2
Known
10.1.13
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.13
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.13
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.13
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.13
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.13
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though the report jobs generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group are still in a Running state.
Known
10.1.13
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.13
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.13
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.13
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.13
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.13
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.13
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.13
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example:
( subtype eq iot ) and ( description contains 'gRPC connection' )
Known
10.1.13
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.13
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.13
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.13
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.13
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.13
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.13
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.13
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.13
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.13
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in delays in log queries and log ingestion.
Known
10.1.13
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.13
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.13
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.13
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.13
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.13
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.13
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.13
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.13
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.13
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.13
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.13
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
Known
10.1.13
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.13
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.13
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.13
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.13
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.13
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.13
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.13
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.13
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.13
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.13
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.13
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.13
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.13
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.13
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all
Known
10.1.13
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.13
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.13
PAN-97757
GlobalProtect authentication fails with an
Invalid username/password
error (because the user is not found in
Allow List
) after you enable GlobalProtect authentication cookies and add a RADIUS group to the
Allow List
of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear)
Retrieve user group from RADIUS
in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.13
PAN-97524
(
Panorama management server only
) The Security Zone and Virtual System columns (
Network
tab) display
None
after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.13
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.13
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the
show session info
CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the
set system setting dpdk-pkt-io off
CLI command.
Known
10.1.13
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (
Device
Password Profiles
) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.13
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.13
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.13
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (
Objects
Security Profiles
Vulnerability Protection
<profile>
Exceptions
). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.13
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (
Objects
Security Profiles
SCTP Protection
) and you try to add the profile to an existing Security Profile Group (
Objects
Security Profile Groups
), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.13
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (
Device
Setup
HSM
).
Known
10.1.13
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall
    Context
    on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.13
PAN-91802
On a VM-Series firewall, the
clear session all
CLI command does not clear GTP sessions.
Known
10.1.13
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the
set session udp-offload no
CLI command.
Known
10.1.13
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (
Device
Setup
Services
).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.13
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.13
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (
Device
Server Profiles
Kerberos
).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.13
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the
set session offload no
CLI command.
Known
10.1.13
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
Known
10.1.13
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.13
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure service advertisement on the controller nodes (either explicitly enabling or explicitly disabling DNS service advertisement).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller worker-list
    <worker-ip-address>
    (
    <worker-ip-address>
    is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)#
    set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.13
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.13
PAN-69505
When viewing an external dynamic list that requires client authentication and you
Test Source URL
, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (
Objects
External Dynamic Lists
).
Known
10.1.13
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.13
PAN-39636
Regardless of the
Time Frame
you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (
Monitor
Manage Custom Reports
). For example, if you configure the report on the 15th of the month and set the
Time Frame
to
Last 30 Days
, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified
Time Frame
.
Workaround:
To generate an on-demand report, click
Run Now
when you configure the custom report.
Known
10.1.13
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the
debug software restart process management-server
CLI command.
Known
10.1.13
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect
    —The firewall requires at least four minutes to detect that an HSM was disconnected, so SSL functionality is unavailable during that delay.
  • SafeNet Network
    —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the
    show high-availability state
    and
    show hsm info
    commands is blocked for 20 seconds.
Addressed
10.1.13-h1
PAN-248651
Fixed a GlobalProtect issue that prevented the firewall from sending authentication cookies.
Addressed
10.1.13-h1
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.1.13-h1
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the WildFire Private Cloud due to an
Unsupported protocol
error.
Addressed
10.1.13-h1
PAN-246215
Fixed an issue where the sleep time for a suspended pan_task process caused configuration and policy updates to be blocked.
Addressed
10.1.13-h1
PAN-243463
Fixed an issue where high Enhanced Application Log traffic used excess system resources and caused processes to not work.
Addressed
10.1.13-h1
PAN-239354
Fixed an issue where DNS resolution was delayed when an Antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
10.1.13-h1
PAN-225963
Fixed an issue where the IP address-to-user mapping was not correct.
Addressed
10.1.13-h1
PAN-220907
(
VM-Series firewalls only
) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
10.1.13
PAN-245701
Fixed an issue where
snmpwalk
displayed data port statistics incorrectly.
Addressed
10.1.13
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.1.13
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.1.13
PAN-239337
Fixed an issue where the log_index process was suspended and corrupted BDX files flooded the index_log.
Addressed
10.1.13
PAN-238769
(
VM-Series firewalls in FIPS-CC mode only
) Fixed an issue where upgrading Panorama changed all locally created Security policy rule actions to Deny.
Addressed
10.1.13
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
10.1.13
PAN-233191
(
PA-5450 firewalls only
) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.1.13
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
10.1.13
PAN-226108
Fixed an issue where the masterd process was unable to start or stop the sysd process.
Addressed
10.1.13
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in
snmpwalk
timeouts.
Addressed
10.1.13
PAN-215430
Fixed an issue where Dynamic IP address NAT with SIP intermittently failed to convert RTP Predict sessions.
Addressed
10.1.13
PAN-212553
Fixed an issue where the ikemgr process stopped responding due to memory corruption, which caused VPN tunnels to go down.
Addressed
10.1.13
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error
Server not responding
when editing policies.
Known
10.1.14
—
If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround:
Enable duplicate logging to send the logs to both CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.
Known
10.1.14
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.14
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.14
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.14
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message
    System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license
    indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
Known
10.1.14
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.14
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround:
Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.14
APL-15000
When you move a firewall from one Cortex Data Lake instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.14
APL-8269
For data retrieved from Cortex Data Lake, the Threat Name column in
Panorama
ACC
threat-activity
appears blank.
Known
10.1.14
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.14
PLUG-12041
On an OpenShift cluster, the MP pod may crash when the number of underlying threads exceeds the per-pod maximum of 1024.
Workaround:
Increase the process ID (PID) limit to 2048 on the worker nodes.
Known
10.1.14
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.14
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.14
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround:
Retry connecting after you restart the web server with the following command:
debug software restart process web-server
.
Known
10.1.14
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.14
PAN-242784
This issue is now resolved. See
PAN-OS 10.1.11-h5 Addressed Issues
.
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround:
Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.14
PAN-238769
FIPS-CC VM-Series only. Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround:
Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
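The workaround above restores the backup blindly. The following added example (not code from the release notes or from Palo Alto Networks) compares Security rule actions between a saved pre-upgrade configuration and the post-upgrade running configuration, so you can see exactly which locally created rules were flipped to deny before you load the backup. It assumes the XML layout of a PAN-OS configuration export (config/devices/entry/vsys/entry/rulebase/security/rules/entry/action); verify that path against your own export. Both configurations below are constructed samples.

```python
"""Compare Security policy rule actions between two saved PAN-OS configs.

Added example, not from the PAN-OS release notes. The XML path used is the
running-config export layout as assumed here; check it against your export.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed pre-upgrade backup: two allow rules and one deny rule.
PRE_UPGRADE = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web"><action>allow</action></entry>
      <entry name="allow-dns"><action>allow</action></entry>
      <entry name="block-telnet"><action>deny</action></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Constructed post-upgrade running config showing the PAN-238769 symptom.
POST_UPGRADE = """<config version="10.1.11">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web"><action>deny</action></entry>
      <entry name="allow-dns"><action>deny</action></entry>
      <entry name="block-telnet"><action>deny</action></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def rule_actions(config_xml: str) -> dict[tuple[str, str], str]:
    """Return {(vsys name, rule name): action} for every local Security rule."""
    root = ET.fromstring(config_xml)
    actions: dict[tuple[str, str], str] = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            actions[(vsys.get("name"), rule.get("name"))] = rule.findtext("action", default="")
    return actions


def changed_to_deny(before_xml: str, after_xml: str) -> list[tuple[str, str, str]]:
    """List (vsys, rule, original action) for rules that were not deny before but are deny now."""
    before, after = rule_actions(before_xml), rule_actions(after_xml)
    return sorted(
        (vsys, name, before[(vsys, name)])
        for (vsys, name), action in after.items()
        if action == "deny" and before.get((vsys, name)) not in (None, "deny")
    )


if __name__ == "__main__":
    for vsys, name, original in changed_to_deny(PRE_UPGRADE, POST_UPGRADE):
        print(f"{vsys}/{name}: was {original}, now deny")
```

Run it against the XML from the pre-upgrade backup and a fresh export of the running configuration; an empty result means the upgrade left the rule actions intact and the backup does not need to be loaded.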
Known
10.1.14
PAN-235741
This issue is now resolved. See
PAN-OS 10.1.11-h5 Addressed Issues
.
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.14
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.14
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.14
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.14
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collector
) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin
debug elasticsearch es-restart all
Known
10.1.14
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.14
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.14
PAN-213746
On the Panorama management server, the
Hostkey
displayed as
undefined undefined
if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.1.14
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.14
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround:
Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.14
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.1.14
PAN-197341
On the Panorama management server, if you create multiple device group
Objects
with the same name in the Shared device group and any additional device groups (
Panorama
Device Groups
) under the same device group hierarchy that are used in one or more
Policies
, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group
    DG-A
    and a child device group
    DG-B
    .
  2. You create address objects called
    AddressObjA
    in the
    Shared
    ,
    DG-A
    and
    DG-B
    device groups and add
    AddressObjA
    to a Security policy rule under
    DG-A
    and
    DG-B
    .
  3. Later, you change the
    AddressObjA
    name in the
    Shared
    device group to
    AddressObjB
    .
Changing the name of the address object in the
Shared
device group causes the references in the Policy rule to use the renamed
Shared
object instead of the device group object.
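To make the resolution behaviour concrete, the following added example (a model written for this page, not Panorama code) builds the Shared, DG-A and DG-B hierarchy from the note. Each device group holds its own objects, a rule's reference is resolved by walking from the rule's device group up to Shared, so a device-group object shadows a Shared object of the same name. A rename that rewrites references by bare name reproduces the failure described above; a rename that only rewrites references which actually resolve to the renamed object leaves the DG-A and DG-B rules on their local objects. All object values are constructed.

```python
"""Model of Panorama device-group object resolution and the PAN-197341 rename hazard.

Added example, not Panorama code. Device group names follow the release note;
the address values are constructed.
"""

SHARED = "Shared"


class DeviceGroupTree:
    def __init__(self):
        self.parent = {SHARED: None}   # device group -> parent device group
        self.objects = {SHARED: {}}    # device group -> {object name: value}
        self.rules = []                # [device group, rule name, referenced object name]

    def add_group(self, name, parent=SHARED):
        self.parent[name] = parent
        self.objects[name] = {}

    def add_object(self, dg, name, value):
        self.objects[dg][name] = value

    def add_rule(self, dg, rule, obj_ref):
        self.rules.append([dg, rule, obj_ref])

    def resolve(self, dg, name):
        """Walk from dg up to Shared; the nearest definition wins (shadowing)."""
        while dg is not None:
            if name in self.objects[dg]:
                return dg, self.objects[dg][name]
            dg = self.parent[dg]
        raise KeyError(name)

    def rename_by_name(self, dg, old, new):
        """The behaviour PAN-197341 describes: every rule reference with that name is rewritten."""
        self.objects[dg][new] = self.objects[dg].pop(old)
        for rule in self.rules:
            if rule[2] == old:
                rule[2] = new

    def rename_scoped(self, dg, old, new):
        """Scope-aware rename: only references that resolve to (dg, old) are rewritten."""
        affected = [r for r in self.rules if r[2] == old and self.resolve(r[0], r[2])[0] == dg]
        self.objects[dg][new] = self.objects[dg].pop(old)
        for rule in affected:
            rule[2] = new

    def effective(self):
        """{rule name: (defining device group, value)} as the firewall would receive it."""
        return {rule: self.resolve(dg, ref) for dg, rule, ref in self.rules}


def build():
    """Shared -> DG-A -> DG-B, each with its own AddressObjA, and one rule per child group."""
    t = DeviceGroupTree()
    t.add_group("DG-A")
    t.add_group("DG-B", parent="DG-A")
    t.add_object(SHARED, "AddressObjA", "10.0.0.0/8")
    t.add_object("DG-A", "AddressObjA", "10.1.0.0/16")
    t.add_object("DG-B", "AddressObjA", "10.1.2.0/24")
    t.add_rule("DG-A", "rule-a", "AddressObjA")
    t.add_rule("DG-B", "rule-b", "AddressObjA")
    return t


def demo(rename_method):
    """Rename the Shared AddressObjA to AddressObjB with the given method and return the effective rules."""
    t = build()
    getattr(t, rename_method)(SHARED, "AddressObjA", "AddressObjB")
    return t.effective()


if __name__ == "__main__":
    print("rename by bare name:", demo("rename_by_name"))
    print("scope-aware rename: ", demo("rename_scoped"))
```

With the bare-name rename both rules end up matching the Shared 10.0.0.0/8 object, a silently wider match than the 10.1.0.0/16 and 10.1.2.0/24 objects the rules were written against. On a real Panorama the equivalent check is to preview the push after renaming a shared-named object and confirm that rules in child device groups still reference the object from their own device group.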
Known
10.1.14
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, even though no edits or deletions were made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.1.14
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.14
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.1.14
PAN-194202
(
PA-5450 firewall only
) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.14
PAN-193518
All logs (
Monitor
Logs
) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround:
If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.14
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers that use ECDSA-based host keys, which impacts exporting logs (
Device
Scheduled Log Export
), exporting configurations (
Device
Scheduled Config Export
), or the
scp export
command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
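Before scheduling an export from a FIPS-CC device, it is worth checking which host key types the destination actually offers. The following added example (not code from the release notes) parses the output of ssh-keyscan -t rsa,ecdsa,ed25519 <host> for one or more servers and flags any that offer no ssh-rsa host key. The scan output below is a constructed sample with fake key material; capture the real output yourself and feed it in.

```python
"""Check which SSH host key types each export destination offers.

Added example, not from the PAN-OS release notes. Input is the output of
`ssh-keyscan -t rsa,ecdsa,ed25519 <host>`; the sample here is constructed
(key material is fake and truncated) and includes the banner comment lines
ssh-keyscan writes to stderr when stderr is merged into the capture.
"""
from __future__ import annotations
from collections import defaultdict

SAMPLE_KEYSCAN = """\
# syslog-archive.example.net:22 SSH-2.0-OpenSSH_9.6
syslog-archive.example.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAKE
syslog-archive.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE
# backup.example.net:22 SSH-2.0-OpenSSH_8.9
backup.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQFAKE
backup.example.net ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIFAKE
"""


def host_key_types(keyscan_output: str) -> dict[str, set[str]]:
    """Map each scanned host to the set of host key algorithms it offered."""
    types: dict[str, set[str]] = defaultdict(set)
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        parts = line.split()
        if len(parts) < 3:
            continue  # not a "host keytype base64key" record
        host, keytype = parts[0], parts[1]
        types[host].add(keytype)
    return dict(types)


def fips_cc_export_targets(keyscan_output: str) -> dict[str, bool]:
    """True for hosts that offer an ssh-rsa host key, the type PAN-188052's workaround calls for."""
    return {host: "ssh-rsa" in kt for host, kt in host_key_types(keyscan_output).items()}


if __name__ == "__main__":
    for host, ok in fips_cc_export_targets(SAMPLE_KEYSCAN).items():
        status = "OK" if ok else "NO RSA HOST KEY, export from FIPS-CC mode will fail"
        print(f"{host}: {status}")
```

For a server that only offers ECDSA (the syslog-archive host in the sample), add an RSA host key on the server with ssh-keygen -t rsa -b 3072 -f /etc/ssh/ssh_host_rsa_key -N '' and a matching HostKey /etc/ssh/ssh_host_rsa_key line in sshd_config, then rerun the scan before scheduling the export.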
Known
10.1.14
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.1.14
PAN-179888
On the Panorama management server, the number of managed firewall (
Panorama
Managed Devices
Health
)
Power Supplies
displays an incorrect count of power supplies.
Known
10.1.14
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync to the peer.
Known
10.1.14
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.1.14
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround:
Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.14
PAN-172067
When you configure an HTTP server profile (
Device
Server Profiles
HTTP
or
Panorama
Server Profiles
HTTP
), the
Username
and
Password
fields are always required regardless of whether
Tag Registration
is enabled.
Workaround:
When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.14
PAN-172061
A process (
all_pktproc
) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.14
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.1.14
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround:
Remove all ACE application configurations before downgrading.
Known
10.1.14
PAN-171673
On the Panorama management server, the
ACC
returns inaccurate results when you filter for
New App-ID
in the
Application
usage widget.
Known
10.1.14
PAN-171635
If you have an on-premises Active Directory with an existing group mapping configuration on the firewall and you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping, even if you disable the configuration and reboot the firewall. The stale mapping may conflict with new mappings from the Cloud Identity Engine.
Workaround:
Use the
debug user-id clear domain-map
command to remove the existing group mappings from the firewall.
Known
10.1.14
PAN-171224
On the Panorama management server, a custom report (
Monitor
Managed Custom Reports
) with a high volume of unique data objects is not generated when you click
Run Now
.
Known
10.1.14
PAN-171145
If you edit or remove the value for the
mail
attribute in your on-premises Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.14
PAN-170923
In
Policies
Security
Policy Optimizer
New App Viewer
, when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.14
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.14
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.14
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with an explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route (Prepare to Deploy App-ID Cloud Engine describes how to do this).
Known
10.1.14
PAN-168113
On the Panorama management server, you are unable to configure a master key (
Device
Master Key and Diagnostics
) for a managed firewall if an interface (
Network
Interfaces
Ethernet
) references a zone pushed from Panorama.
Workaround:
Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.14
PAN-167847
If you issue the
opof stats
command and then clear the results with opof stats -c, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround:
Re-run the
opof stats
command after the offload completes.
Known
10.1.14
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.14
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the
user in
value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.14
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.14
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.14
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.14
PAN-164647
On the Panorama management server, activating a license (Panorama > Device Deployment > Licenses) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround:
Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.14
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X, while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.14
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.14
PAN-163966
On the Panorama management server, the ACC and on demand reports (Monitor > Manage Custom Reports) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.14
PAN-162836
On the VM-Series firewall, if you select Device > Licenses > Deactivate VM, a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete, the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround:
Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.14
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.14
PAN-161451
If you issue the command opof stats, there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.14
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround:
On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall.
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.14
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.14
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings (Device > Setup > DLP) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround:
After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1.
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit > Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.14
PAN-157103
Multi-channel functionality may not be properly utilized on a VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround:
Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane.
  Per pan-task Netx statistics
  Counter Name        1    2    3    4    5    6  Total
  ---------------------------------------------
  ready_dvf           2    0    0    0    0    0      2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status. It should now show multiple channels being utilized.
  Per pan-task Netx statistics
  Counter Name        1    2    3    4    5    6  Total
  ---------------------------------------------
  ready_dvf           1    1    0    0    0    0      2
Known
10.1.14
PAN-156598
(Panorama only) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround:
Use the CLI to update the combination signature.
Known
10.1.14
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit (Commit > Commit to Panorama) failures if a custom report (Monitor > Manage Custom Reports) is configured to Group By Session ID.
Workaround:
After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.14
PAN-154034
On the Panorama management server, the Type column in the System logs (Monitor > Logs > System) for managed firewalls running a PAN-OS 9.1 release erroneously displays iot as the type.
Known
10.1.14
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1.
Workaround:
After successful downgrade to PAN-OS 9.1, Remove Config (Panorama > Plugins) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.14
PAN-153803
On the Panorama management server, scheduled email PDF reports (Monitor > PDF Reports) fail if a GIF image is used in the header or footer.
Known
10.1.14
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done even though reports generated from logs in the Cortex Data Lake (CDL) from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.14
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.14
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates.)
Known
10.1.14
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.14
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.14
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround:
Restart Panorama to connect to the IoT Security edge service.
Known
10.1.14
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround:
Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.14
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround:
Load the running configuration and perform a force commit to sync the devices.
Known
10.1.14
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround:
Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute. For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ).
Known
10.1.14
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.14
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround:
Panorama automatically restarts the VLD and logd processes.
Known
10.1.14
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround:
Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.14
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (Panorama > SD-WAN > Devices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (Panorama > SD-WAN > Devices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround:
After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.14
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround:
Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.14
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates (Panorama > Managed Devices > Summary) as Out of Sync.
Workaround:
When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Commit > Push to Devices > Edit Selections).
Known
10.1.14
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround:
Retry fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.14
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.14
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.14
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.
Known
10.1.14
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update (Panorama > Device Deployment > Software) but display as connected when you view your managed firewalls Summary (Panorama > Managed Devices > Summary) and from the CLI.
Workaround:
Log out and log back in to the Panorama web interface.
Known
10.1.14
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.14
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.14
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.
Known
10.1.14
PAN-130550
(PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround:
Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.14
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround:
Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.14
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.14
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.14
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.14
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
Known
10.1.14
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.14
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
      debug software restart process device-server
Known
10.1.14
PAN-116017
(Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround:
Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.14
PAN-115816
(Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround:
Reboot the firewall.
Known
10.1.14
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.14
PAN-112694
(Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.14
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.14
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround:
Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.14
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround:
After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
Known
10.1.14
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.14
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.14
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.14
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.14
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.14
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.14
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround:
Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.14
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround:
Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.
Known
10.1.14
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst>|<src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround:
Specify the vsys in the query string:
  admin> set system target-vsys <vsys-name>
  admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst>|<src> in <object-name>
Known
10.1.14
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.14
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.14
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.14
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.14
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.14
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.14
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.14
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.14
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.14
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround:
Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.14
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
Known
10.1.14
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround:
When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks, such as installing dynamic updates, committing changes or generating reports, at the same time on the firewall.
Known
10.1.14
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.14
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
Known
10.1.14
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround:
The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.14
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.14
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.14
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
Known
10.1.14
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.14
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.14
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.14
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.14
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
Known
10.1.14
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.14
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.14
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.14
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
Addressed
10.1.14-h2
PAN-258702
(WF-500 appliances only) Fixed an issue where the varrcvr process stopped responding when files were being forwarded to the WildFire cloud.
Addressed
10.1.14-h2
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
10.1.14-h2
PAN-251847
Fixed an issue on log collectors where the incoming log rate was lower than expected.
Addressed
10.1.14-h2
PAN-255163
(CN-Series firewalls only) Fixed an issue where the system database key that stored the configuration status of the dataplane pod was not updated frequently.
Addressed
10.1.14-h2
PAN-248130
Fixed an issue where the AND operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
10.1.14-h2
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
10.1.14
PAN-253317
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.1.14
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none.
Addressed
10.1.14
PAN-246420
(PA-5400 Series firewalls only) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
10.1.14
PAN-246155
Fixed an issue where the firewall dropped small fragmented ICMP messages with the discard-icmp-ping-zero-id counter when a Zone Protection profile was enabled.
Addressed
10.1.14
PAN-245157
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall restarted after an HA failover when DPDK was enabled.
Addressed
10.1.14
PAN-245125
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
10.1.14
PAN-245041
Fixed an issue where the WF-500 appliance returned an error verdict for every sample in FIPS mode.
Addressed
10.1.14
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
10.1.14
PAN-241888
Fixed an issue where DHCP lease renewal failed due to a change in the firewall timestamp (Device > Setup > Management).
Addressed
10.1.14
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
10.1.14
PAN-241018
(VM-Series firewalls in Microsoft Azure environments only) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event.
Addressed
10.1.14
PAN-240993
Fixed an issue where you were unable to revert a sort in task manager in the admin column.
Addressed
10.1.14
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
10.1.14
PAN-240618
Fixed an issue where configuration commits succeeded even when dynamic peer IKE gateways configured on the same interface and IP address did not have the same IKE Crypto profile.
Addressed
10.1.14
PAN-240327
Fixed an issue where traffic on all branches was impacted when the SD-WAN MPLS link on one branch went down.
Addressed
10.1.14
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when RAID-mounts were not fully ready after a reboot.
Addressed
10.1.14
PAN-239255
Fixed an issue where the firewall did not update the ARP cache timeout value after modifying the arp-cache-timeout setting.
Addressed
10.1.14
PAN-238705
(PA-400 Series firewalls only) Fixed an issue where HA link-monitor did not work.
Addressed
10.1.14
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.1.14
PAN-238621
Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.
Addressed
10.1.14
PAN-238592
(PA-3410 firewalls only) Fixed an issue where the firewall did not boot up after upgrading due to a TPM lockout condition that persisted for over 24 hours.
Addressed
10.1.14
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
10.1.14
PAN-238355
Fixed an issue where, when a device group was not successfully renamed, unexpected configuration changes to the device group structure occurred.
Addressed
10.1.14
PAN-238249
Fixed an issue where static route path monitor packets from a multislot chassis were intercepted by the firewall performing Static NAT (SNAT).
Addressed
10.1.14
PAN-238183
Fixed an issue where Panorama displayed deviating device system logs for nonconnected interfaces.
Addressed
10.1.14
PAN-237657
Fixed an issue with 100% CPU utilization in the varrcvr process that occurred during an incremental WildFire update.
Addressed
10.1.14
PAN-237608
Fixed an issue where a NetFlow export truncated the source username.
Addressed
10.1.14
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
10.1.14
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.1.14
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
10.1.14
PAN-235531
Fixed an issue where GlobalProtect logs displayed incorrect vsys numbers on Panorama.
Addressed
10.1.14
PAN-235475
Fixed an issue where firewall sinkhole functionality was disrupted when a domain entry in an external dynamic list started with a period (.) character.
Addressed
10.1.14
PAN-235168
Fixed an issue where disk space became full even after clearing old logs and content images.
Addressed
10.1.14
PAN-234596
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall incorrectly became active after a reboot.
Addressed
10.1.14
PAN-234169
Fixed an issue where downloading files failed or was slower than expected due to malware scanning even when the session was matched to a Security policy rule with no Anti-Virus profile attached.
Addressed
10.1.14
PAN-233965
Fixed an issue where the tund process stopped responding, which caused push operations to managed firewalls and configuration changes on local firewalls to fail.
Addressed
10.1.14
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
10.1.14
PAN-233689
(PA-7000 Series firewalls only) Fixed an issue where the Log Forwarding Card (LFC) disk quota usage was reported as 0 MB for all log types.
Addressed
10.1.14
PAN-233603
(CN-Series firewalls only) Fixed an issue where slot information was not correct after a slotd process restart on the management pod.
Addressed
10.1.14
PAN-231395
Fixed an intermittent issue where the OCSP query failed.
Addressed
10.1.14
PAN-231270
Fixed an issue where Panorama became unresponsive due to the useridd process not responding.
Addressed
10.1.14
PAN-231237
(Firewalls in FIPS mode only) Fixed an issue where the firewall repeatedly displayed the error message Cipher decrypt-final failure.
Addressed
10.1.14
PAN-229874
Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.
Addressed
10.1.14
PAN-229873
(PA-7050 firewalls only) Fixed an issue related to brdagent process errors.
Addressed
10.1.14
PAN-229832
Fixed an intermittent issue where MLAV and URL cloud connectivity were lost.
Addressed
10.1.14
PAN-228277
Fixed an issue where commits took longer than expected.
Addressed
10.1.14
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
10.1.14
PAN-224365
Fixed an issue where excessive network path monitoring messages were generated in the system logs.
Addressed
10.1.14
PAN-222500
Fixed an issue where an old configuration unexpectedly merged during a push from Panorama.
Addressed
10.1.14
PAN-220907
(VM-Series firewalls only) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
10.1.14
PAN-220767
Fixed an issue where, at the beginning of a session, out of order packets with a TCP payload were truncated with a nonzero trailer.
Addressed
10.1.14
PAN-220490
Fixed an issue where the commit warning Missing pre-defined DNS security category was incorrectly displayed.
Addressed
10.1.14
PAN-219113
Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.
Addressed
10.1.14
PAN-218136
Fixed an issue where the service route setting Palo Alto Networks Services was not applied to Threat Vault communication.
Addressed
10.1.14
PAN-217307
Fixed an issue where the log-start and log-end policy rule filters did not return reliable results when set to no or yes.
Addressed
10.1.14
PAN-217147
Fixed an issue where commits took longer than expected when a large number of Security policy rules were configured.
Addressed
10.1.14
PAN-216941
(M-700 Appliances in Log Collector mode only) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.1.14
PAN-215561
Fixed an issue where GlobalProtect authentication failed when new users were added to an existing local database group user list.
Addressed
10.1.14
PAN-214463
Fixed an issue where IKE re-key negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message unexpected critical payload (type 43).
Addressed
10.1.14
PAN-213918
Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.
Addressed
10.1.14
PAN-212606
Fixed an issue where the static gateway IKE-SA was established based on the peer ID even though the peer IP address matched a different object.
Addressed
10.1.14
PAN-211575
Fixed an issue where a local commit on Panorama remained at 99% for longer than expected before completing.
Addressed
10.1.14
PAN-210260
Fixed an issue on firewalls in HA configurations where the peer satellite firewall was able to connect to the GlobalProtect portal without username and password authentication.
Addressed
10.1.14
PAN-196395
(PA-5450 firewalls only) Fixed an issue where the firewall accepted 12 Aggregate Ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
10.1.14
PAN-194782
Fixed an issue on Panorama where, if you added a new local or nonlocal administrator account or an admin user to a template, authentication profiles were incorrectly referenced.
Addressed
10.1.14
PAN-182011
Fixed an issue where the httpd process stopped responding and generated a core after a commit.
Known
10.2.0
WIF-495
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
On the Panorama management server, edits made to an existing data filtering profile (Objects > DLP > Data Filtering Profiles) can result in matching traffic not being detected by Enterprise DLP.
Known
10.2.0
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.0
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.0
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
10.2.0
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.0
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices—This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence—This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.0
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.0
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.2.0
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.0
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.0
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.0
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
10.2.0
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.0
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.0
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.0
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance.
504 Gateway timeout
Known
10.2.0
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
M-300 and M-700 appliances may generate erroneous system logs (Monitor > Logs > System) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.0
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.0
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
10.2.0
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.0
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.0
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.0
PAN-209937
Administrator accounts that use certificate-based authentication may be unable to log in to the Panorama or firewall web interface, with the following error:
Bad Request - Your browser sent a request that this server could not understand
Known
10.2.0
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.2.0
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
10.2.0
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (Device > Setup > Management) as part of a template or template stack configuration.
Known
10.2.0
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.0
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.0
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin> request restart software
Known
10.2.0
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround:
After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.0
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.0
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.2.0
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that are used in one or more Policies, renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B.
  2. You create address objects called AddressObjA in the Shared, DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B.
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB.
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.2.0
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.0
PAN-196720
During the CN-Series firewall deployment on the Oracle OKE platform, when you delete the deployment by deleting the yamls, the MP/DP pods are stuck in the Terminating state.
Workaround:
Delete the CN-Series DP pods, MP pods, and then the pan-cni yaml file in a sequential order.
Known
10.2.0
PAN-194826
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
(WF-500 appliance only) System log forwarding does not work over a TLS connection.
Known
10.2.0
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.2.0
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.0
PAN-193251
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround:
Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.0
PAN-192403
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.2.0
PAN-191570
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
The Traffic Activity and SSL/TLS widgets in the ACC erroneously display Report Error if there is no SSL data to display.
Known
10.2.0
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.0
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does not accurately reflect the commit job progress.
Known
10.2.0
PAN-190311
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
(PA-220 and PA-220R firewalls and PA-800 Series firewalls only) There is an issue where management connectivity to the firewall is lost due to the expiration of the DHCP lease, which causes the IP configuration on the management port to be purged.
Known
10.2.0
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, Export Panorama and devices config bundle (Panorama > Setup > Operations) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.0
PAN-189395
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Running any version of PAN-OS 10.2 on a PA-400 Series firewall can cause the dataplane process to restart unexpectedly and trigger a crash.
Known
10.2.0
PAN-189380
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround:
Restart the firewall to restore dataplane functionality.
  1. Restart the firewall.
    admin> request restart system
Known
10.2.0
PAN-189361
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Panorama is unable to distribute antivirus signature updates to firewalls with only an Advanced Threat Prevention license. Firewalls with previously installed and active Threat Prevention license are unaffected.
Known
10.2.0
PAN-189298
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
On deploying the HA with 10.2.0-98 in Packet-mmap mode, the session sync for an existing session fails after restarting an active DP in Packet-mmap mode.
Known
10.2.0
PAN-189214
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
When the Advanced Threat Prevention license is present on a firewall without a Threat Prevention license, the antivirus signature update packages that are normally available to install under Device > Dynamic Updates are not displayed.
Workaround:
Use the request anti-virus upgrade {info | download | install} CLI commands to retrieve a list of available antivirus updates and the download and installation status, download specific antivirus packages, and install antivirus packages. Optionally, you can schedule recurring automatic updates using the following CLI command:
set deviceconfig system update-schedule anti-virus recurring
Known
10.2.0
PAN-189206
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Device Group and Template administrator roles don't support a context switch between the Panorama and firewall web interface.
Workaround:
Use a Superuser or Panorama administrator role to context switch.
Known
10.2.0
PAN-189111
After an MP pod is deleted and comes back up, the
show routing
command output appears empty and traffic stops working.
Known
10.2.0
PAN-189106
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
On the Panorama management server, you must uninstall the ZTP Plugin 2.0 before you can successfully downgrade to PAN-OS 10.1. After successful downgrade, you must reinstall the latest ZTP Plugin 1.0 version.
Workaround:
Before you downgrade Panorama to PAN-OS 10.1, uninstall ZTP Plugin 2.0. After you successfully downgrade Panorama to PAN-OS 10.1, re-install ZTP Plugin 1.0 and re-enable ZTP functionality.
  1. Downgrade Panorama to PAN-OS 10.1.
  2. Select
    Panorama
    Zero Touch Provisioning
    and check (enable)
    ZTP
    .
Known
10.2.0
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
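The workaround works because of the standard OSPF rule the page relies on: a router with DR priority 0 is never eligible to become DR or BDR, and on a broadcast network two routers only move past the 2-Way state when at least one of them is the DR or BDR. If every router on the segment runs at priority 0 there is no DR at all, so every neighbor pair stops at 2-Way. The following is an added illustration, not Palo Alto Networks code: it models the election from RFC 2328 (reused by OSPFv3), not the PAN-OS Advanced Routing implementation, and the router IDs are constructed. The failover-specific trigger itself is PAN-OS behavior the page does not explain further.

```python
"""Why OSPF neighbors with DR priority 0 stall in 2-Way on a broadcast link.

Added illustration, not Palo Alto Networks code: it models the standard OSPF
DR/BDR election and adjacency rule (RFC 2328, reused by OSPFv3), not the
PAN-OS Advanced Routing implementation. Router IDs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Router:
    router_id: str  # dotted-quad router ID, e.g. "10.0.0.1"
    priority: int   # interface DR priority; 0 = never DR or BDR


def _rid_key(router_id: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in router_id.split("."))


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[Router], Optional[Router]]:
    """(DR, BDR) for one broadcast segment with no prior DR/BDR claims.

    Only routers with priority > 0 are eligible. Highest priority wins, ties go
    to the highest router ID, and the runner-up becomes BDR. If every router
    has priority 0 the segment ends up with no DR and no BDR at all.
    """
    eligible = sorted(
        (r for r in routers if r.priority > 0),
        key=lambda r: (r.priority, _rid_key(r.router_id)),
        reverse=True,
    )
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


def neighbor_states(routers: List[Router]) -> Dict[Tuple[str, str], str]:
    """Final neighbor state for each pair after the two-way hello exchange.

    On a broadcast network a pair only proceeds from 2-Way to Full when at
    least one side is the DR or BDR; DROther-to-DROther pairs stay in 2-Way.
    """
    dr, bdr = elect_dr_bdr(routers)
    special = {r.router_id for r in (dr, bdr) if r is not None}
    states: Dict[Tuple[str, str], str] = {}
    for i, a in enumerate(routers):
        for b in routers[i + 1:]:
            adjacent = bool(special & {a.router_id, b.router_id})
            states[(a.router_id, b.router_id)] = "Full" if adjacent else "2-Way"
    return states


def all_stuck_two_way(routers: List[Router]) -> bool:
    """True when no pair on the segment ever forms a full adjacency."""
    states = neighbor_states(routers)
    return bool(states) and all(s == "2-Way" for s in states.values())


if __name__ == "__main__":
    # Both peers at priority 0: the condition the page describes.
    stuck = [Router("10.0.0.1", 0), Router("10.0.0.2", 0)]
    print(elect_dr_bdr(stuck), all_stuck_two_way(stuck))
    # Workaround: one neighbor with a non-zero priority becomes DR.
    fixed = [Router("10.0.0.1", 0), Router("10.0.0.2", 1)]
    print(elect_dr_bdr(fixed)[0], neighbor_states(fixed))
```

Running it with three routers where only one has a non-zero priority also shows the limit of the workaround: the two priority-0 routers become Full with the DR but remain 2-Way with each other, which is normal OSPF behavior and not the fault described above.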
Known
10.2.0
PAN-189057
This issue is now resolved. See
PAN-OS 10.2.2 Addressed Issues
.
On the Panorama management server, Panorama enters a
non-functional
state due to
php.debug.log
file consuming too much disk space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  2. Uncheck (disable)
    Debug
    or
    Clear Debug
    .
  3. (
    HA configuration
    ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.2.0
PAN-189032
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
When the firewall has Advanced Routing enabled, an OSPFv3 interface configured with the p2mp link type causes the commit to fail.
Known
10.2.0
PAN-188956
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
After successful upgrade to PAN-OS 10.2, logging in to the firewall or Panorama web interface from the same Internet browser window or session from which the firewall or Panorama was upgraded displays the following error:
Your login session has expired and you have been logged out for security reasons. Please log in again if you wish to continue.
Workaround:
The following are different ways to log in to the firewall or Panorama web interface after upgrading to PAN-OS 10.2.
  • Close the browser and log in to the firewall or Panorama web interface from an entirely new browser session.
  • Clear your browser cache for the browser from which you upgraded the firewall or Panorama.
  • Log in to the firewall or Panorama web interface from the browser in Incognito mode.
    If you upgraded the firewall or Panorama from a browser in Incognito mode, close the browser and log in to the firewall or Panorama web interface from an entirely new browser session.
  • Log in to the firewall or Panorama web interface from a different browser than the one used to upgrade to PAN-OS.
Known
10.2.0
PAN-188904
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.0
PAN-188489
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when
Automatically push content when software device registers to Panorama
(
Panorama
Templates
Add Stack
) is enabled.
Known
10.2.0
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.0
PAN-188064
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
The SCP Server Profile configuration (
Devices
Server Profiles
SCP
) is not automatically deleted after a downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or an earlier release.
Known
10.2.0
PAN-188052
Devices in FIPS-CC mode cannot connect to servers that use ECDSA-based host keys, which affects exporting logs (
Device
Scheduled Log Export
), exporting configurations (
Device
Scheduled Config Export
), or the
scp export
command in the CLI.
Workaround:
Use RSA-based host keys on the destination server.
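Before pointing a FIPS-CC mode device at an SCP destination, confirm which host-key algorithms that server actually offers, for example with `ssh-keyscan -t rsa,ecdsa,ed25519 <host>`. The following is an added example, not Palo Alto Networks code: it parses ssh-keyscan output (the sample lines are constructed, with truncated key blobs) and flags destinations that offer no RSA host key, which is the prerequisite for the workaround above.

```python
"""Check which host-key algorithms SCP/SFTP destinations offer.

Added example, not Palo Alto Networks code. Feed it the output of
`ssh-keyscan -t rsa,ecdsa,ed25519 <host>`; it reports hosts that offer no
RSA host key, which a FIPS-CC mode device cannot use per PAN-188052.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Host-key algorithm identifiers as printed in ssh-keyscan / known_hosts lines.
RSA_HOSTKEY = "ssh-rsa"
ECDSA_PREFIX = "ecdsa-sha2-"

# Constructed sample: ssh-keyscan output for two servers (key blobs truncated).
# The "# host:port banner" lines are what ssh-keyscan writes to stderr; they
# appear in the text only if stderr was merged into the capture.
SAMPLE_KEYSCAN = """\
# logs.example.net:22 SSH-2.0-OpenSSH_9.3
logs.example.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY...
logs.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
# backup.example.net:22 SSH-2.0-OpenSSH_8.9
backup.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ...
backup.example.net ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQ...
"""


def parse_keyscan(text: str) -> Dict[str, Set[str]]:
    """Map each host (as printed, e.g. '[host]:2222') to its offered key algorithms."""
    offered: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or banner/comment line
        fields = line.split()
        if len(fields) < 3:
            continue  # not a "host algorithm base64-key" record
        host, algo = fields[0], fields[1]
        offered[host].add(algo)
    return dict(offered)


def hosts_without_rsa(offered: Dict[str, Set[str]]) -> List[str]:
    """Destinations a FIPS-CC mode device cannot reach until an RSA host key is added."""
    return sorted(h for h, algos in offered.items() if RSA_HOSTKEY not in algos)


def hosts_ecdsa_only(offered: Dict[str, Set[str]]) -> List[str]:
    """Hosts whose only host keys are ECDSA: the exact case PAN-188052 breaks."""
    return sorted(
        h for h, algos in offered.items()
        if algos and all(a.startswith(ECDSA_PREFIX) for a in algos)
    )


if __name__ == "__main__":
    scan = parse_keyscan(SAMPLE_KEYSCAN)
    for host, algos in sorted(scan.items()):
        print(f"{host}: {', '.join(sorted(algos))}")
    print("no RSA host key:", hosts_without_rsa(scan))
    print("ECDSA only:", hosts_ecdsa_only(scan))
```

A server that offers RSA alongside ECDSA passes this check, but whether the client ends up using the RSA key depends on its own host-key algorithm preference; the page's workaround is to use RSA-based host keys on the destination, so treat any host in the "no RSA host key" list as one that needs an RSA host key generated before the scheduled export will work.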
Known
10.2.0
PAN-187846
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
On the Panorama management server, a selective push (
Commit
Push to Devices
Push Changes Made By
and
Commit
Commit and Push
Commit and Push Changes Made By
) may push an incorrect configuration to managed firewalls causing the firewalls to display as
Out of Sync
if the Panorama pushed version for the Shared Policy and Template configuration (
Panorama
Managed Devices
Summary
) is 20 or more versions older than the current local running configuration on Panorama.
To determine the current configuration version, select
Panorama
Config Audit
and expand the
Local Running config
menu to review the list of Panorama configuration versions.
Workaround
: Push a more recent configuration to your managed firewalls before performing a selective push.
Known
10.2.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.2.0
PAN-187643
If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection
is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the
SCTP INIT
option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the
SCTP INIT
option available on the web interface.
Known
10.2.0
PAN-187612
On the Panorama management server, not all data profiles (
Objects
DLP Data Filtering Profiles
) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.0
PAN-187429
This issue is now resolved. See
PAN-OS 10.2.2 Addressed Issues
.
On PA-3400 and PA-5400 Series firewalls (except the PA-5450), the CLI and SNMP MIB walk do not display the model and serial number of the fan tray and PSUs.
Known
10.2.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.0
PAN-187370
On a firewall with Advanced Routing enabled, if a logical router instance uses the default configuration and has no interfaces assigned to it, the management daemon and the main routing daemon terminate during commit.
Workaround
: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.0
PAN-187234
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.0
PAN-186913
This issue is now resolved. See
PAN-OS 10.2.2 Addressed Issues
.
On the Panorama management server,
Validate Device Group
(
Commit
Commit and Push
) erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push, which results in no configuration validation.
Workaround:
Validate device group configurations using one of the following methods.
  • Select only one device group when you
    Validate Device Group
    for a
    Commit and Push
    to managed firewalls.
  • To validate multiple device groups, select
    Commit
    Commit to Panorama
    first. After the device group configuration is committed to Panorama, select
    Commit
    Push to Devices
    and
    Validate Device Group
    to validate multiple device groups.
Known
10.2.0
PAN-186886
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
Individual configuration objects cannot be viewed when you commit selective configuration changes (
Commit
Commit Changes Made By
) on a multi-vsys firewall.
Known
10.2.0
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround
: Use
Commit
Push to Devices
to synchronize the templates.
Known
10.2.0
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.0
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chance that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.2.0
PAN-186137
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
The management interface of the PA-3400 Series firewall incorrectly displays 10G port speed as an option. 10G speed is not supported on the PA-3400 Series firewall management port and cannot be configured.
Known
10.2.0
PAN-186134
On the Panorama management server, performing a
Commit and Push
(
Commit > Commit and Push
) may intermittently not push the committed configuration changes to managed firewalls.
Workaround:
Select
Commit > Push to Devices
to push the committed configuration changes to your managed firewalls.
Known
10.2.0
PAN-185966
The
debug skip-cert-renewal-check-syslog yes
command is not available on Log Collector CLI to stop the Dedicated Log Collector from trying to renew the device certificate and displaying the following error:
No valid device certificate found
Known
10.2.0
PAN-185286
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
(
PA-5400 Series firewalls only
) On the Panorama management server, the device health resources (
Panorama
Managed Devices
Health
) do not populate.
Known
10.2.0
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit
    .
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
10.2.0
PAN-184702
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector (
Panorama > Managed Collectors
).
Known
10.2.0
PAN-184474
When the firewall has Advanced Routing enabled, a static route stays active after the interface goes down.
Workaround
: For firewalls that support Bidirectional Forwarding Detection (BFD), configure BFD for the static route.
Known
10.2.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.0
PAN-183567
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
On the Panorama management server, you must download and install the ZTP Plugin 2.0 after successful upgrade to PAN-OS 10.2. After upgrade to PAN-OS 10.2, the
show plugins installed
command does not display the ZTP plugin until you install ZTP Plugin 2.0.
Workaround:
After Panorama successfully upgrades to PAN-OS 10.2, manually download and install the ZTP Plugin 2.0.
  1. Select
    Panorama
    Plugins
    and search for the
    ztp
    plugin.
  2. Download
    and
    Install
    ZTP Plugin 2.0.
Known
10.2.0
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.0
PAN-182734
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.0
PAN-182492
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
The WildFire analysis report cannot be viewed from the firewall WildFire submission log entry page.
Workaround
: You can retrieve the Wildfire analysis reports through the WildFire API or the WildFire portal.
Known
10.2.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on a PA-7000 Series firewall, not all of the cards may receive all of the updates, and the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
10.2.0
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.0
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround
: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.0
PAN-179420
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
On the Panorama management server, a selective push (
Commit
Push to Devices
Push Changes Made By
and
Commit
Commit and Push
Commit and Push Changes Made By
) to managed firewalls fails if you rename an existing device group, template, or template stack that was already pushed to your managed firewalls and then selectively commit specific configuration objects from the renamed device group, template, or template stack.
Workaround:
After you rename the existing device group, template, or template stack,
Push
(
Commit
Push to Devices
) all configuration changes for the renamed device group, template, or template stack.
Known
10.2.0
PAN-178195
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
The URL filtering logs generated by traffic analyzed by Advanced URL filtering cloud inline categorization does not display the name of the URL.
Known
10.2.0
PAN-177455
This issue is now resolved. See
PAN-OS 10.2.2 Addressed Issues
.
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.0
PAN-176693
This issue is now resolved. See
PAN-OS 10.2.1 Addressed Issues
.
The Activity (ACT) LEDs on the RJ-45 ports of the M-300 and M-700 appliances do not blink while processing network traffic.
Known
10.2.0
PAN-176156
This issue is now resolved. See
PAN-OS 10.2.2 Addressed Issues
.
Executing
show running resource-monitor
with the
ingress-backlogs
option produces the following server error:
Dataplane is not up or invalid target-dp(*.dp*)
.
Known
10.2.0
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.0
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.0
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
request license fetch
.
Known
10.2.0
PAN-172132
This issue is now resolved by PAN-189643. See
PAN-OS 10.2.4 Addressed Issues
.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.0
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.2.0
PAN-171069
Local Log Collectors for Panorama management servers in active/passive high availability (HA) configuration cannot be added to the same Collector Group (
Panorama
Collector Groups
).
Workaround:
Before you upgrade your Panorama servers to PAN-OS 10.1.0, configure HA (
Panorama
High Availability
), add the local Log Collectors of the HA peers to the same Collector Group, and then upgrade to PAN-OS 10.1.0.
Known
10.2.0
PAN-164885
This issue is now resolved. See
PAN-OS 10.2.10 Addressed Issues
.
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.2.0
PAN-163676
Next-Gen Firewalls are unable to connect to a syslog server when the certificates required to connect to the syslog server are part of a Certificate Profile (
Device
Certificate Management
Certificate Profile
) if the
Use OCSP
setting is enabled to check the revocation status of certificates.
Workaround:
Enable
Use CRL
to check the revocation status of certificates in the Certificate Profile.
Addressed
10.2.0-h3
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.0-h2
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate; fetching device certificates failed with the error message
    OTP is not valid
    .
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.0-h2
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.0-h2
PAN-237871
(
WF-500 appliances and PAN-DB private cloud deployments only
) Fixed an issue where the
root-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h2
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.0-h2
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.0-h2
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.0-h2
PAN-202450
Fixed an issue where the
device-client-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h2
PAN-198372
Fixed an issue where the
root-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h1
PAN-190311
(
PA-220 and PA-220R firewalls and PA-800 Series firewalls only
) Fixed an issue where management connectivity to the firewall was lost due to the expiration of the DHCP lease, which caused the IP configuration on the management port to be purged in PAN-OS 10.2.0. To upgrade, download PAN-OS 10.2.0 (no installation), then download and install PAN-OS 10.2.0-h1.
Addressed
10.2.0
PAN-186143
Fixed an issue where no local changes could be made on a ZTP-enabled device after an upgrade to PAN-OS 10.1.x.
Addressed
10.2.0
PAN-182634
(
PA-400 series firewalls only
) Fixed an issue where the firewall detected a Power Supply Unit (PSU) failure for the opposite side when disconnecting a PSU from the device. This issue occurred when redundant PSUs were connected.
Addressed
10.2.0
PAN-178165
Fixed an issue where the CLI command
set system setting ctd ctd-agent-assigned-cores 0
to change assigned cores for the ctd-agent failed.
Addressed
10.2.0
PAN-175950
Fixed an issue where IoT Security (without CDL) onboarding failed.
Known
10.2.1
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.1
WF500-5754
In WildFire appliance clusters, issuing the
show cluster controller
CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.1
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.1
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the Panorama CLI on the active HA peer and trigger a manual synchronization of the running configuration to the passive HA peer.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
Known
10.2.1
PAN-228273
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health
command displays the
status
is
red
. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.1
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.1
PAN-225337
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a
    Shared
    and vsys-specific device group configuration object with an identical name. For example, a
    Shared
    address object called
    SharedAO1
    and a vsys-specific address object also called
    SharedAO1
    .
  2. Reference the
    Shared
    object in another
    Shared
    configuration. For example, reference the
    Shared
    address object (
    SharedAO1
    ) in a
    Shared
    address group called
    SharedAG1
    .
  3. Use the
    Shared
    configuration object with the reference in a vsys-specific configuration. For example, reference the
    Shared
    address group (
    SharedAG1
    ) in a vsys-specific policy rule.
Workaround:
Select
Panorama
Setup
Management
and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices
    —This option pushes all
    Shared
    objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence
    —This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the
    Shared
    objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the
    Shared
    SharedAO1
    object was
    10.1.1.1
    and the device group specific
    SharedAO1
    was
    10.2.2.2
    , the
    10.1.1.1
    IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the
Shared
objects in your configuration.
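Both PAN-164885 (EDLs set to check for updates every five minutes) and PAN-225337 (an object name that exists in both Shared and a device group) are conditions you can detect in the Panorama configuration before a push. The following is an added example, not Palo Alto Networks code: it reads a Panorama running-config export (the XML below is constructed for the example, and the element paths follow the Panorama configuration schema as the author understands it, so treat them as assumptions) and reports five-minute EDLs, Shared/device-group name collisions, and which value a firewall would use under each precedence setting described above. It does not trace the Shared-group-to-vsys-rule reference chain; the duplicate name is the precondition it looks for.

```python
"""Pre-push lint for two Panorama pitfalls: five-minute EDLs and duplicate
object names across Shared and a device group.

Added example, not Palo Alto Networks code. The XML is constructed and the
element paths are assumptions about the Panorama config schema.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_PANORAMA_CONFIG = """\
<config>
  <shared>
    <address>
      <entry name="SharedAO1"><ip-netmask>10.1.1.1</ip-netmask></entry>
      <entry name="dns-1"><ip-netmask>10.9.9.9</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="SharedAG1"><static><member>SharedAO1</member></static></entry>
    </address-group>
    <external-list>
      <entry name="edl-c2"><type><ip><url>https://lists.example.net/c2.txt</url>
        <recurring><five-minute/></recurring></ip></type></entry>
      <entry name="edl-tor"><type><ip><url>https://lists.example.net/tor.txt</url>
        <recurring><hourly/></recurring></ip></type></entry>
      <entry name="edl-domains"><type><domain><url>https://lists.example.net/d.txt</url>
        <recurring><five-minute/></recurring></domain></type></entry>
    </external-list>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="dg-vsys2"><address>
      <entry name="SharedAO1"><ip-netmask>10.2.2.2</ip-netmask></entry>
    </address></entry>
  </device-group></entry></devices>
</config>
"""

DG_PATH = "./devices/entry/device-group/entry"


def load_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def five_minute_edls(root: ET.Element) -> List[str]:
    """Names of EDLs (any scope) whose update check runs every five minutes."""
    found = []
    for container in root.iter("external-list"):
        for entry in container.findall("entry"):
            type_el = entry.find("type")
            if type_el is None:
                continue
            # The list kind (ip, domain, url, ...) sits between type and recurring.
            for kind in type_el:
                if kind.find("recurring/five-minute") is not None:
                    found.append(entry.get("name"))
    return found


def _addresses(container: ET.Element) -> Dict[str, str]:
    """name -> ip-netmask for every address entry directly under container."""
    return {e.get("name"): (e.findtext("ip-netmask") or "").strip()
            for e in container.findall("address/entry")}


def shared_addresses(root: ET.Element) -> Dict[str, str]:
    shared = root.find("shared")
    return _addresses(shared) if shared is not None else {}


def device_group_addresses(root: ET.Element) -> Dict[str, Dict[str, str]]:
    return {dg.get("name"): _addresses(dg) for dg in root.findall(DG_PATH)}


def name_collisions(root: ET.Element) -> List[Tuple[str, str, str, str]]:
    """(device group, name, Shared value, device-group value) for each clash."""
    shared = shared_addresses(root)
    return [(dg, name, shared[name], dg_ip)
            for dg, objs in device_group_addresses(root).items()
            for name, dg_ip in objs.items() if name in shared]


def resolve_address(root: ET.Element, dg: str, name: str,
                    ancestors_take_precedence: bool) -> str:
    """Value a firewall in dg uses for name under the given Panorama setting."""
    shared = shared_addresses(root)
    local = device_group_addresses(root).get(dg, {})
    if name in shared and name in local:
        return shared[name] if ancestors_take_precedence else local[name]
    return local.get(name) or shared[name]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_PANORAMA_CONFIG)
    print("EDLs checking every 5 minutes:", five_minute_edls(cfg))
    for dg, name, s_ip, d_ip in name_collisions(cfg):
        print(f"{dg}: '{name}' is {s_ip} in Shared but {d_ip} in the device group")
```

On a real Panorama, feed it the XML from a named configuration snapshot export or from `show config running` in the CLI. Any collision it reports is a candidate for the cleanup the page suggests (remove the device-group duplicate), which avoids flipping either global Panorama setting for all managed firewalls.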
Known
10.2.1
PAN-223488
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.1
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collector
) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin
debug elasticsearch es-restart all
Known
10.2.1
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
10.2.1
PAN-222253
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.1
PAN-221775
A
Malformed Request
error is displayed when you
Test Connection
for an email server profile (
Device
Server Profiles
Email
) using
SMTP over TLS
and the
Password
includes an ampersand (&).
Known
10.2.1
PAN-221015
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in a degraded Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
).
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
10.2.1
PAN-219644
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.1
PAN-218521
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.1
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.1
PAN-215778
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On the M-600 appliance in Management Only mode, XML API Get requests for
/config
fail with the following error due to exceeding the total configuration size supported on the M-600 appliance.
504 Gateway timeout
Known
10.2.1
PAN-215082
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
M-300 and M-700 appliances may generate erroneous system logs (
Monitor
Logs
System
) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.1
PAN-213746
On the Panorama management server, the
Hostkey
displayed as
undefined undefined
if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.2.1
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
10.2.1
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.1
PAN-212533
Modifying the
Administrator Type
for an existing administrator (
Device
Administrators
or
Panorama
Administrators
) from
Superuser
to a
Role-Based
custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.1
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
10.2.1
PAN-209288
Certificates are not successfully generated using SCEP (
Device
Certificate Management
SCEP
).
Known
10.2.1
PAN-208325
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (
Device
Setup
Management
or
Panorama
Setup
Management
).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin>
request certificate fetch
Known
10.2.1
PAN-207629
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.1
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (
Device
Setup
Management
) as part of a template or template stack configuration.
Known
10.2.1
PAN-206253
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.1
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.1
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.2.1
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround:
After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.1
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C, where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.1
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.2.1
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.1
PAN-194826
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
(WF-500 appliance only) System log forwarding does not work over a TLS connection.
Known
10.2.1
PAN-194708
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
URL filtering logs (Monitor > Logs > URL Filtering) erroneously truncate a 16KB Header value and do not display the Header values that follow the truncated 16KB header.
For example, a URL filtering log has five Headers, and the second Header has a 16KB value. In the URL filtering log, the first Header and its value are displayed, the second Header value is truncated, and the remaining three Headers are not displayed.
Known
10.2.1
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.2.1
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.1
PAN-193251
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround:
Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.1
PAN-192403
(PA-5450 firewall only) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.2.1
PAN-190735
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Certain webpages that use chunked-encoded data transfers might not load properly when analyzed by Advanced URL Filtering cloud inline categorization.
Known
10.2.1
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.1
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does not accurately reflect the commit job progress.
Known
10.2.1
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, Export Panorama and devices config bundle (Panorama > Setup > Operations) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.1
PAN-189395
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Running any version of PAN-OS 10.2.1 on a PA-400 Series firewall can cause the dataplane process to restart unexpectedly and trigger a crash.
Known
10.2.1
PAN-189380
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround:
Restart the firewall to restore dataplane functionality.
  1. Restart the firewall.
    admin> request restart system
Known
10.2.1
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.1
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.1
PAN-189057
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
On the Panorama management server, Panorama enters a non-functional state due to the php.debug.log file taking up too much space.
Workaround:
Disable the debug flag for Panorama.
  1. In the same browser in which you are logged in to the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  2. Uncheck (disable) Debug or Clear Debug.
  3. (HA configuration) Repeat these steps on each Panorama high availability (HA) peer if Panorama is in an HA configuration.
Known
10.2.1
PAN-188904
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.1
PAN-188489
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama (Panorama > Templates > Add Stack) is enabled.
Known
10.2.1
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.1
PAN-188064
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
The SCP Server Profile configuration (Devices > Server Profiles > SCP) is not automatically deleted after a downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or an earlier release.
Known
10.2.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.1
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.1
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin> request plugins dlp reset
Known
10.2.1
PAN-187429
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
On PA-3400 and PA-5400 Series firewalls (except the PA-5450), the CLI and SNMP MIB walk do not display the Model and Serial number of the fan tray and PSUs.
Known
10.2.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis is bypassed.
Known
10.2.1
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and main routing daemon on the firewall terminate during commit.
Workaround:
Do not use a logical router instance with no interfaces bound to it.
Known
10.2.1
PAN-187234
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.1
PAN-186913
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
On the Panorama management server, Validate Device Group (Commit > Commit and Push) erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push, which results in no configuration validation.
Workaround:
Validate device group configurations using one of the following methods.
  • Select only one device group when you Validate Device Group for a Commit and Push to managed firewalls.
  • To validate multiple device groups, select Commit > Commit to Panorama first. After the device group configuration is committed to Panorama, select Commit > Push to Devices and Validate Device Group to validate multiple device groups.
Known
10.2.1
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround:
Use Commit > Push to Devices to synchronize the templates.
Known
10.2.1
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.1
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The likelihood that Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround:
Reboot Panorama if it becomes unresponsive.
Known
10.2.1
PAN-186134
On the Panorama management server, performing a Commit and Push (Commit > Commit and Push) may intermittently not push the committed configuration changes to managed firewalls.
Workaround:
Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.1
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.2.1
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.1
PAN-184702
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector (Panorama > Managed Collectors).
Known
10.2.1
PAN-184474
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
When the firewall has Advanced Routing enabled, a static route stays active after the interface goes down.
Workaround:
For firewalls that support Bidirectional Forwarding Detection (BFD), configure BFD for the static route.
Known
10.2.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
10.2.1
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the mappings for the clients may become out of sync, which causes the firewall not to correctly populate the Source User column in the session logs.
Known
10.2.1
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.1
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.1
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to the CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround:
Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.1
PAN-178194
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a License required for URL filtering to function message, indicating that the license is unavailable, displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.1
PAN-177455
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.1
PAN-176156
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Executing show running resource-monitor with the ingress-backlogs option produces the following server error: Dataplane is not up or invalid target-dp(*.dp*).
Known
10.2.1
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.1
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.1
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.2.1
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.1
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.2.1
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.1-h2
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.1-h1
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.2.1-h1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate: fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.1-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.1-h1
PAN-237871
(WF-500 appliances and PAN-DB private cloud deployments only) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.1-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.1-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.1-h1
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1-h1
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1
WIF-495
Fixed an issue on Panorama where edits made to an existing data filtering profile resulted in matching traffic not being detected by Enterprise DLP.
Addressed
10.2.1
PAN-190311
(PA-220 and PA-220R firewalls and PA-800 Series firewalls only) Fixed an issue where management connectivity to the firewall was lost due to the expiration of the DHCP lease, which caused the IP configuration on the management port to be purged in PAN-OS 10.2.0. To upgrade, download PAN-OS 10.2.0 (no installation), then download and install PAN-OS 10.2.0-h1.
Addressed
10.2.1
PAN-190175 and PAN-190223
A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software (CVE-2022-0778).
Addressed
10.2.1
PAN-189665
(FIPS-CC enabled firewalls only) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
Addressed
10.2.1
PAN-189565
Fixed an issue after upgrading to PAN-OS 10.2 where the tund process stopped responding on multiple GlobalProtect clients.
Addressed
10.2.1
PAN-189468
Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in resource-unavailable messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.
Addressed
10.2.1
PAN-189361
Fixed an issue where Panorama was unable to distribute antivirus signature updates to firewalls with an Advanced Threat Prevention license only.
Addressed
10.2.1
PAN-189298
Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.
Addressed
10.2.1
PAN-189230
(VM-Series firewalls only) Fixed an issue that caused the pan_task process to stop responding with a floating point exception (FPE) when there was a modulo of 0 on the queue number.
Addressed
10.2.1
PAN-189214
Fixed an issue that prevented antivirus signature update packages that are normally available to install from displaying properly on the firewall when the Advanced Threat Prevention license is present on a firewall without a Threat Prevention license.
Addressed
10.2.1
PAN-189206
Fixed an issue where Device Group and Template administrator roles didn't support a context switch between the Panorama and firewall web interfaces.
Addressed
10.2.1
PAN-189106
Fixed an issue on Panorama where you were unable to successfully downgrade to a PAN-OS 10.1 release unless you uninstalled the ZTP Plugin 2.0.
Addressed
10.2.1
PAN-189094
Fixed an issue where, after upgrading a CN-Series firewall from a PAN-OS 10.1 release to PAN-OS 10.2.0, show session commands did not return output.
Addressed
10.2.1
PAN-189032
Fixed an issue where, when Advanced Routing was enabled on the firewall, an OSPFv3 interface configured with the p2mp link type caused commits to fail.
Addressed
10.2.1
PAN-188956
Fixed an issue where, after a successful upgrade to PAN-OS 10.2, logging into the firewall or Panorama web interface from the same internet browser window or session from which the firewall or Panorama was upgraded did not work.
Addressed
10.2.1
PAN-188883
Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.
Addressed
10.2.1
PAN-188828
Fixed an intermittent issue where web pages and web page contents did not properly load when cloud inline categorization was enabled.
Addressed
10.2.1
PAN-188009
Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.
Addressed
10.2.1
PAN-187846
Fixed an issue on Panorama where a selective push pushed an incorrect configuration to the managed firewalls, which caused the firewalls to display as out of sync. This issue occurred if the Panorama-pushed version for the Shared Policy and Template configuration were 20 or more versions older than the current local running configuration on Panorama.
Addressed
10.2.1
PAN-187769
(VM-Series firewalls in Microsoft Azure environments only) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred due to a hot plug of Accelerated Networking interfaces on the Azure backend caused by host updates, which led to Virtual Function unregister/register messages on the VM side.
Addressed
10.2.1
PAN-186886
Fixed an issue where individual configuration objects were not viewable after committing selective configuration changes on a multi-vsys firewall.
Addressed
10.2.1
PAN-186785
Fixed an issue where, after logging in, Panorama displayed a 500 error page after five minutes of logging for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.
Addressed
10.2.1
PAN-186516
Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.
Addressed
10.2.1
PAN-186487
Fixed an issue with snmpd.log overflow caused by continuous hourly repeating errors.
Addressed
10.2.1
PAN-186402
(PA-440 Series firewalls only) Fixed an issue where the firewall's maximum tunnel limit was incorrect.
Addressed
10.2.1
PAN-186137
(PA-3400 Series firewalls only) Fixed an issue where the firewall management interface incorrectly displayed 10G port speed as an option even though 10G speed is not supported and can't be configured.
Addressed
10.2.1
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
Addressed
10.2.1
PAN-185164
Fixed an issue where processing corrupted IoT messages caused the wificlient process to restart.
Addressed
10.2.1
PAN-184224
Fixed an issue on Panorama where you were unable to select a template variable in Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location.
Addressed
10.2.1
PAN-183826
Fixed an issue where, after clicking WildFire Analysis Report, the web interface failed to display the report with the following error message: refused to connect.
Addressed
10.2.1
PAN-183567
Fixed an issue on Panorama where ZTP Plugin 2.0 was not available for download before upgrading Panorama to PAN-OS 10.2.
Addressed
10.2.1
PAN-182492
Fixed an issue where the WildFire analysis report was not viewable from the firewall WildFire submission log entry page.
Addressed
10.2.1
PAN-181839
Fixed an issue where Panorama Global Search reported No Matches found while still returning results for matching entries on large configurations.
Addressed
10.2.1
PAN-181039
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
Addressed
10.2.1
PAN-181031
Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in /var/log/pan because the old registered stale next-generation firewall logs were not being cleared.
Addressed
10.2.1
PAN-180338
Fixed an issue where the CTD loop count wasn't accurately incremented.
Addressed
10.2.1
PAN-180095
Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.
Addressed
10.2.1
PAN-179966
Fixed an issue where, after upgrading to a PAN-OS 8.1 release, the port on the firewall stayed up, but the port on the connected device reported down. This occurred because, on force mode, autoneg was disabled by default. With this fix, autoneg is enabled by default on force mode.
Addressed
10.2.1
PAN-179420
Fixed an issue on Panorama where a selective push to managed firewalls failed after renaming an existing device group, template, or template stack that was already pushed to the managed firewalls and you selectively committed specific configuration objects from the renamed device group, template, or template stack.
Addressed
10.2.1
PAN-179321
A validation error was added to inform an administrator when a policy field contained the value any.
Addressed
10.2.1
PAN-178195
Fixed an issue where the URL filtering logs generated by traffic analyzed by Advanced URL filtering cloud inline categorization didn't display the URL name.
Addressed
10.2.1
PAN-177072
Fixed an intermittent issue where Panorama did not show new logs from firewalls.
Addressed
10.2.1
PAN-176889
Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.
Addressed
10.2.1
PAN-176693
(M-300 and M-700 appliances only) Fixed an issue where the Activity (ACT) LEDs on the RJ-45 ports did not blink when processing network traffic.
Addressed
10.2.1
PAN-174607
Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.
Addressed
10.2.1
PAN-145833
(PA-3200 Series firewalls only) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.
Known
10.2.2
WF500-5854
The WildFire analysis report on the firewall log viewer (Monitoring > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround:
Download and open the WildFire analysis report in PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.2
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.2
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.2
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.2
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.2
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.2
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.2
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit > Commit to Panorama and commit the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
10.2.2
PAN-228273
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health
command displays the
status
is
red
. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.2
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.2
PAN-225337
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and a vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices—This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence—This option specifies that, when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.2
PAN-223488
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.2
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin>
debug elasticsearch es-restart all
Known
10.2.2
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
10.2.2
PAN-222253
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.2
PAN-221775
A
Malformed Request
error is displayed when you
Test Connection
for an email server profile (
Device
Server Profiles
Email
) using
SMTP over TLS
and the
Password
includes an ampersand (&).
Known
10.2.2
PAN-221015
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
10.2.2
PAN-219644
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.2
PAN-218521
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.2
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.2
PAN-215778
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On the M-600 appliance in Management Only mode, XML API Get requests for
/config
fail with the following error due to exceeding the total configuration size supported on the M-600 appliance.
504 Gateway timeout
Known
10.2.2
PAN-215082
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
M-300 and M-700 appliances may generate erroneous system logs (
Monitor
Logs
System
) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.2
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.2
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
10.2.2
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.2
PAN-212533
Modifying the
Administrator Type
for an existing administrator (
Device
Administrators
or
Panorama
Administrators
) from
Superuser
to a
Role-Based
custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.2
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
10.2.2
PAN-210366
This issue is now resolved. See
PAN-OS 10.2.4-h3 Addressed Issues
.
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a
primary-non-functional
state and generate a system log (
Monitor
Logs
System
) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.2
PAN-209288
Certificates are not successfully generated using SCEP (
Device
Certificate Management
SCEP
).
Known
10.2.2
PAN-208325
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (
Device
Setup
Management
or
Panorama
Setup
Management
).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin>
request certificate fetch
Known
10.2.2
PAN-207629
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.2
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings (
Device
Setup
Management
) as part of a template or template stack configuration.
Known
10.2.2
PAN-206253
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
For PA-3400 Series firewalls, the default log rate is set too low and the maximum configurable log rate is incorrectly capped, resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.2
PAN-206243
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.2
PAN-205187
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin>
request restart software
Known
10.2.2
PAN-204663
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround:
After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.2
PAN-201855
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On the Panorama management server, cloning any template (
Panorama
Templates
) corrupts certificates (
Device
Certificate Management
Certificates
) with the
Block Private Key Export
setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the
Block Private Key Export
setting enabled. Cloning template C corrupts the certificates with
Block Private Key Export
setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.2
PAN-200019
PAN-OS 10.2.2-h1 and later releases.
On the Panorama management server, the Virtual Routers (
Network
Virtual Routers
) setting is not available when configuring a custom Panorama admin role (
Panorama
Admin Roles
).
Known
10.2.2
PAN-199557
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On M-600 appliances in an Active/Passive high availability (HA) configuration, the
configd
process restarts due to a memory leak on the
Active
Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the
Active
Panorama HA peer.
Known
10.2.2
PAN-199099
When decryption is enabled, Safari and Google Chrome browsers on Mac computers running macOS Monterey or later reject the server certificates firewalls present. The browsers cannot validate the chain of trust for the certificates because the Authority Key Identifier (AKID) of the server certificates and the Subject Key Identifier (SKID) of the forward trust certificate do not match.
Workaround:
Use a forward trust certificate that does not contain AKID or SKID extensions.
Known
10.2.2
PAN-198174
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the
Resolve Hostname
feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround:
Provide a DNS server setting for the firewall (
Device
DNS Setup
Services
). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.2.2
PAN-197097
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.2
PAN-196784
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
Palo Alto Networks® Next-Gen firewalls experience a logs per second (LPS) degradation after upgrade to PAN-OS 10.2.2.
Known
10.2.2
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.2
PAN-196146
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.2
PAN-195541
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
When a DNS request is submitted to the DNS Security service for inspection, the dataplane pan-task process (all_pktproc) might fail during the DNS request process, or when the dataplane cache is reset, or if the cache output is generated through the CLI, resulting in firewall crashes or the inability/reduced capability to process network traffic.
The following CLI commands can trigger a crash of the all_pktproc process:
  • debug dataplane reset dns-cache all
  • debug dataplane show dns-cache print
  • show dns-proxy dns-signature cache
  • clear dns-proxy dns-signature cache
Known
10.2.2
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.2
PAN-194925
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, when making changes in the Service Connection and Remote Networks area, the configuration changes do not display in the Push Scope during a commit.
Workaround: For service connection changes, make sure that Service Setup is selected in the Push Scope before you commit. For remote network changes, make sure that Remote Networks is selected in the Push Scope before you commit.
Known
10.2.2
PAN-194859
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, after migrating from a single tenant to a multi-tenant Prisma Access deployment and making configuration changes, the Cloud Services plugin shows
No pending changes to commit
when you hover over the Commit tab, even though there are pending changes to commit.
Workaround: The status shown when hovering over the Commit tab is a cosmetic issue. Commit the pending changes, if required.
Known
10.2.2
PAN-194826
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
(
WF-500 and WF-500-B appliance only
) System log forwarding does not work over a TLS connection.
Known
10.2.2
PAN-194708
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
URL filtering logs (
Monitor
Logs
URL Filtering
) erroneously truncate a 16KB Header value and do not display the Header values that follow the truncated 16KB header.
For example, a URL filtering log has 5 Headers and the second Header has a 16KB value. In the URL filtering log, the first Header and its value are displayed, the second Header value is truncated, and the remaining three Headers are not displayed.
Known
10.2.2
PAN-194519
(
PA-5450 firewall only
) Trying to configure a custom payload format under
Device
Server Profiles
HTTP
yields a Javascript error.
Known
10.2.2
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.2
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.2
PAN-194202
(
PA-5450 firewall only
) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.2
PAN-193251
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround:
Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.2
PAN-190735
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
Certain webpages that use chunked-encoded data transfers might not load properly when analyzed by Advanced URL Filtering cloud inline categorization.
Known
10.2.2
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.2
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does not accurately reflect the commit job progress.
Known
10.2.2
PAN-189425
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
On the Panorama management server,
Export Panorama and devices config bundle
(
Panorama
Setup
Operations
) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.2
PAN-189380
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround:
Restart the firewall to restore dataplane functionality.
admin>
request restart system
Known
10.2.2
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.2
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.2
PAN-188904
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.2
PAN-188489
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when
Automatically push content when software device registers to Panorama
(
Panorama
Templates
Add Stack
) is enabled.
Known
10.2.2
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.2
PAN-188064
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
The SCP Server Profile configuration (Devices > Server Profiles > SCP) is not automatically deleted after a downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or an earlier release.
Known
10.2.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.2.2
PAN-187643
If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection
is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the
SCTP INIT
option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.2
PAN-187612
On the Panorama management server, not all data profiles (
Objects
DLP Data Filtering Profiles
) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin>
request plugins dlp reset
Known
10.2.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.2
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and main routing daemon on the firewall terminate during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.2
PAN-187234
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.2
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
10.2.2
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.2
PAN-186134
On the Panorama management server, performing a
Commit and Push
(
Commit > Commit and Push
) may intermittently not push the committed configuration changes to managed firewalls.
Workaround:
Select
Commit > Push to Devices
to push the committed configuration changes to your managed firewalls.
Known
10.2.2
PAN-185286
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
(
PA-5400 Series firewalls only
) On the Panorama management server, the device health resources (
Panorama
Managed Devices
Health
) do not populate.
Known
10.2.2
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.2
PAN-184702
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector (
Panorama > Managed Collectors
).
Known
10.2.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.2
PAN-182734
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.2
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.2
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.2
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.2
PAN-178194
This issue is now resolved. See
PAN-OS 10.2.3 Addressed Issues
.
A user interface issue in PAN-OS renders the contents of the
Inline ML
tab in the
URL Filtering Profile
inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.2
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.2
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.2
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.2
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.2.2
PAN-172132
This issue is now resolved by PAN-189643. See
PAN-OS 10.2.4 Addressed Issues
.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.2
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.2.2
PAN-164885
This issue is now resolved. See
PAN-OS 10.2.10 Addressed Issues
.
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.2-h5
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.2-h4
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.2-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.2.2-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.2-h4
PAN-237871
(
WF-500 appliances and PAN-DB private cloud deployments only
) Fixed an issue where the
root-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.2-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.2-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.2-h4
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h4
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h2
PAN-192999
A fix was made to address CVE-2022-0028.
Addressed
10.2.2-h1
PAN-195517
Fixed an issue where CommitAll operations from Panorama to Prisma Access device groups failed due to missing configuration files.
Addressed
10.2.2-h1
PAN-194107
Fixed an issue where the expiry date for the Advanced Threat Protection license was incorrect for BND3 PAYG VM-Series firewalls on Amazon Web Services (AWS), Oracle Cloud Infrastructure (OCI), Google Cloud Platform (GCP), and Microsoft Azure.
Addressed
10.2.2-h1
PAN-186075
(VM-Series firewalls only) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.2.2
PAN-193579
Fixed an issue where new logs viewed from the CLI (show log <log_type>) and new syslogs forwarded to a syslog server contained additional, erroneous entries.
Addressed
10.2.2
PAN-192930
Fixed an issue where, when the default port was not TCP/443, implicitly used SSL applications were blocked by the Security policy as an SSL application and did not shift to the correct application.
Addressed
10.2.2
PAN-192880
Fixed an issue where, when the firewall was configured for jumbo frames, an internal interface was not set with the correct MTU, which caused frames larger than 1500 bytes to be dropped when the DF bit was set.
Addressed
10.2.2
PAN-192725
Fixed an issue where the firewall failed to forward logs to Panorama when configured with IPv6 addressing only.
Addressed
10.2.2
PAN-192089
Fixed an issue on the web interface where the IPSec tunnel did not gray out after disabling it.
Addressed
10.2.2
PAN-191629
(PA-5450 firewalls only) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.2.2
PAN-191513
Fixed an issue on multi-vsys firewalls where the DLP cloud service continued to exclude an application added to a shared application group (Objects > Application Filters) from non-file traffic inspection. This issue occurred when the application was removed from the application group or filter that was added to the App Exclusion List (Objects > DLP > Data Filtering Profiles).
Addressed
10.2.2
PAN-191470
Fixed an issue on Panorama where encrypted passwords were sent to firewalls on PAN-OS 10.1 releases during a multi-device group push, which caused client-based External Dynamic Lists (EDL) to fail.
Addressed
10.2.2
PAN-191466
Fixed an issue where you were unable to use the web interface to override IPsec tunnels pushed from Panorama.
Addressed
10.2.2
PAN-191288
Fixed an issue where the firewall restarted due to a dnsproxy process crash.
Addressed
10.2.2
PAN-190811
(PA-5450 firewalls only) Fixed an issue where logs were forwarded through the management interface instead of the log interface configured for forwarding.
Addressed
10.2.2
PAN-190675
Fixed an IoT cloud connectivity issue with the firewall dataplane when the Data Services service route was used and the egress interface had VLAN tagging.
Addressed
10.2.2
PAN-190492
Fixed an issue where the Panorama log collector group level SSH settings were not migrated to the new format when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.2.2
PAN-189429
Fixed a memory leak that occurred when enabling XFF (x-forwarded-for) logging in a Security policy.
Addressed
10.2.2
PAN-189395
(
PA-400 Series firewalls only
) Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.
Addressed
10.2.2
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
Addressed
10.2.2
PAN-188872
Fixed an OOM condition caused by a memory leak issue on the useridd process.
Addressed
10.2.2
PAN-188833
Fixed an issue where shared address objects used as a source or destination in policies were cloned but not freed after configuration commits.
Addressed
10.2.2
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions while the session_alloc_failure counter incremented. This was caused by a GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
Addressed
10.2.2
PAN-187558
Fixed an issue where the following error message flooded the system log:
Incremental update to DP failed
Addressed
10.2.2
PAN-187429
(PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430 firewalls only) Fixed an issue where the CLI and SNMP MIB walk did not display the model and serial number of the fan tray and PSUs.
Addressed
10.2.2
PAN-187151
Fixed an issue where the tunnel-monitoring interface was incorrectly shown as up instead of down.
Addressed
10.2.2
PAN-186913
Fixed an issue on Panorama where Validate Device Group (Commit > Commit and Push) incorrectly issued a commit all operation instead of a validate all operation. This issue occurred when multiple device groups were included in the push.
Addressed
10.2.2
PAN-186750
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, SaaS reports generated on Panorama did not display Applications at a glance and most charts were missing data on the right side of the chart.
Addressed
10.2.2
PAN-185844
Fixed an issue where Decryption Log entries were associated with the wrong Security policy rule.
Addressed
10.2.2
PAN-185558
Fixed an issue where Panorama log migration failed when old logs migrated to a newer format. This was due to older indices failing to close.
Addressed
10.2.2
PAN-184474
Fixed an issue where, when the firewall had Advanced Routing enabled, a static route remained active after an interface went down.
Addressed
10.2.2
PAN-183579
Fixed an issue where SD-WAN path monitoring failed over the interface directly connected to the ISP due to an unsupported ICMP probe format.
Addressed
10.2.2
PAN-183319
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR signing requests every 10 minutes.
Addressed
10.2.2
PAN-182087
Fixed an issue where commit failures occurred because validity checks performed against self-signed certificates did not evaluate whether the Authentication Key Identifier and Subject Key Identifier fields were present.
Addressed
10.2.2
PAN-180396
Fixed an issue where Panorama displayed an error when generating a ticket to disable GlobalProtect for Prisma Access.
Addressed
10.2.2
PAN-180147
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.2.2
PAN-178450
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.2.2
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high Quality of Service (QoS) differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
Addressed
10.2.2
PAN-177455
(PA-7000 Series firewalls with HA clustering enabled and using HA4 communication links only) Fixed an issue where loading PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network Processing Card) to go offline. As a result, the firewall failed to boot normally and entered maintenance mode.
Addressed
10.2.2
PAN-176156
Fixed an issue where executing the show running resource-monitor command with the ingress-backlogs option enabled displayed the error message `Dataplane is not up or invalid target-dp(*.dp*)`.
Addressed
10.2.2
PAN-174345
Fixed an issue where the all_pktproc process stopped responding after upgrading the firewall.
Known
10.2.3
WF500-5854
The WildFire analysis report in the firewall log viewer (Monitor > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround: Download and open the WildFire analysis report in PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.3
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.3
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.3
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt samples or otherwise prevent the WildFire appliance from analyzing them.
Known
10.2.3
WF500-5781
The WildFire appliance might erroneously generate and log the following device certificate error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.3
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all enabled WildFire appliance interfaces use matching protocols (all IPv4 or all IPv6).
Known
10.2.3
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.3
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit > Commit to Panorama and commit the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the Panorama CLI of the primary HA peer and trigger a manual synchronization between the active and secondary HA peers:
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface, select Commit > Push to Devices, and then Push.
Known
10.2.3
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.3
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.3
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and a vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object that carries the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices—This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting that applies to all managed firewalls, and it may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence—This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific objects.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.3
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.3
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.2.3
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.3
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.3
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.3
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
10.2.3
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.3
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.3
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.3
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error because the total configuration size supported on the M-600 appliance is exceeded:
504 Gateway timeout
Known
10.2.3
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
M-300 and M-700 appliances may generate erroneous system logs (Monitor > Logs > System) alerting that the M-Series appliance memory usage limits are reached.
Known
10.2.3
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.3
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
10.2.3
PAN-212978
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.2.3
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.3
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.3
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.3
PAN-210366
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a primary-non-functional state and generate a system log (Monitor > Logs > System) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.3
PAN-209288
Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP).
Known
10.2.3
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you attach an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).
Known
10.2.3
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
The following NextGen firewall and Panorama management server models are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.2.3
PAN-208189
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.2.3
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.3
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
For PA-3400 Series firewalls, the default log rate is set too low and the maximum configurable log rate is incorrectly capped, resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.3
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
The PA-220 firewall reaches the maximum disk usage capacity multiple times a day, which requires a disk cleanup. A critical system log (Monitor > Logs > System) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.3
PAN-206005
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
(PA-3400 Series firewalls only) The I7_misc memory pool on this platform is undersized and can cause a loss of connectivity when the limit of the memory pool is reached. Certain features, such as using a decryption profile with Strip ALPN disabled, can deplete the memory pool and cause a connection loss.
Workaround:
Disable HTTP2 by enabling Strip ALPN in the decryption profile, or avoid usage of the I7_misc memory pool.
Known
10.2.3
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and restart the PAN-OS software.
admin> request restart software
Known
10.2.3
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround:
After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can Context Switch to a different managed firewall.
Known
10.2.3
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C, where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.3
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
10.2.3
PAN-198708
On the Panorama management server, the File Type field does not display any data when you view the Detailed Log View in the Data Filtering log (Monitor > Logs > Data Filtering > <select log> > DLP).
Known
10.2.3
PAN-198174
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup (for example, when resolving IP addresses to domain names using the Resolve Hostname feature) can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround:
Provide a DNS server setting for the firewall (Device > DNS Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.2.3
PAN-197097
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.3
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.3
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt file or user data) when bootstrapped.
Known
10.2.3
PAN-195541
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
When a DNS request is submitted to the DNS Security service for inspection, the dataplane pan-task process (all_pktproc) might fail during the DNS request process, when the dataplane cache is reset, or when the cache output is generated through the CLI, resulting in firewall crashes or an inability or reduced ability to process network traffic.
The following CLI commands can trigger a crash of the all_pktproc process:
  • debug dataplane reset dns-cache all
  • debug dataplane show dns-cache print
  • show dns-proxy dns-signature cache
  • clear dns-proxy dns-signature cache
Known
10.2.3
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.3
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.2.3
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.3
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.3
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.3
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.3
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does not accurately reflect the commit job progress.
Known
10.2.3
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, Export Panorama and devices config bundle (Panorama > Setup > Operations) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.3
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.3
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.3
PAN-188904
This issue is now resolved. See
PAN-OS 10.2.4 Addressed Issues
.
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.3
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.3
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.3
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin> request plugins dlp reset
Known
10.2.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.3
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and main routing daemon in the firewall terminate during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
10.2.3
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.3
PAN-186134
On the Panorama management server, performing a Commit and Push (Commit > Commit and Push) may intermittently not push the committed configuration changes to managed firewalls.
Workaround:
Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.3
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.2.3
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR ranges.
Known
10.2.3
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
10.2.3
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.3
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.3
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.3
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.3
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.3
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.3
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch.
Known
10.2.3
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues.
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.3
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.2.3
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.3-h13
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.3-h12
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.3-h12
PAN-237876
Extended the firewall Panorama root CA certificate, which was previously set to expire on April 7th, 2024.
Addressed
10.2.3-h12
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.3-h12
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.3-h12
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.3-h11
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.3-h11
PAN-237876
Extended the firewall Panorama root CA certificate, which was previously set to expire on April 7th, 2024.
Addressed
10.2.3-h11
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.3-h11
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.3-h11
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.3-h9
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.3-h9
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.3-h4
PAN-210513
Fixed an issue where Captive Portal authentication via SAML did not work.
Addressed
10.2.3-h4
PAN-208737
Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.
Addressed
10.2.3-h4
PAN-208079
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the PAN-DB engine did not start when using a VM-Series firewall Flex based CPU.
Addressed
10.2.3-h4
PAN-207562
Fixed an issue where the shard count displayed by the show log-collector-es-cluster health CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.
Addressed
10.2.3-h4
PAN-206963
(M-700 Appliances only) A CLI command was added to check the status of each physical port of a bond1 interface.
Addressed
10.2.3-h4
PAN-206921
Fixed an issue where the GlobalProtect client pre-login was successful, but the certificate authentication failed.
Addressed
10.2.3-h4
PAN-206466
Fixed an issue where the push scope was displaying duplicate shared objects for each device group that were listed under the shared-object group.
Addressed
10.2.3-h4
PAN-206069
Fixed an issue where the firewall was unable to boot up on older Intel CPUs.
Addressed
10.2.3-h4
PAN-205698
Fixed an issue where GlobalProtect authentication did not work on Apple macOS devices when the authentication method used was CIE with SAML Authentication.
Addressed
10.2.3-h4
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.2.3-h4
PAN-204838
Fixed an issue where the dot1q VLAN tag in ARP reply packets was not displayed.
Addressed
10.2.3-h4
PAN-204572
Fixed an issue where Python scripts were not working as expected.
Addressed
10.2.3-h4
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
Addressed
10.2.3-h4
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.2.3-h4
PAN-195149
Fixed an issue where firewall administrators were unable to log in to the web interface when RADIUS two-factor authentication was used.
Addressed
10.2.3-h4
PAN-186270
Fixed an issue where, when high availability (HA) was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.2.3-h2
PAN-205830
Fixed an issue with multi-vsys firewalls where custom applications and shared objects pushed from Panorama did not populate in their respective lists on the firewall.
Addressed
10.2.3-h2
PAN-205805
Fixed an issue where Generic Routing Encapsulation (GRE) traffic was only allowed in one direction when tunnel content inspection (TCI) was enabled.
Addressed
10.2.3-h2
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.2.3-h2
PAN-202795
Fixed an issue where file identification failed for files with minimal data but large headers.
Addressed
10.2.3-h2
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.2.3-h2
PAN-201872
Fixed an issue where SMB performance caused overall network latency after an upgrade.
Addressed
10.2.3-h2
PAN-201714
Fixed an issue with GlobalProtect where attempting to authenticate with the GlobalProtect gateway returned a 502 error code.
Addressed
10.2.3-h2
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.3-h2
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.2.3-h2
PAN-198718
(PA-5280 firewalls only) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.2.3-h2
PAN-196583
Fixed an issue where the Cisco TrustSec plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.2.3-h2
PAN-195756
Fixed an issue that caused an API request timeout when parsing requests using large header buffers.
Addressed
10.2.3-h2
PAN-195713
Fixed an issue where clientless VPN applications were not displayed in the GlobalProtect portal page.
Addressed
10.2.3-h2
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.2.3
PAN-209275
Fixed an issue where Override cookie authentication into the GlobalProtect gateway failed when an allow list was configured under the authentication profile.
Addressed
10.2.3
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.2.3
PAN-200771
Fixed an issue where syslog-ng was unable to start due to a design change in the syslog configuration file.
Addressed
10.2.3
PAN-199654
Fixed an issue where ACC reports did not work for custom RBAC users when more than 12 access domains were associated with the username.
Addressed
10.2.3
PAN-199311
Fixed an issue where the Log Forwarding Card (LFC) failed to forward logs to the syslog server.
Addressed
10.2.3
PAN-199099
Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate.
Addressed
10.2.3
PAN-198733
(PA-5450 firewalls only) Fixed an issue where dmin tcpdump was hardcoded to eth0 instead of bond0.
Addressed
10.2.3
PAN-198332
(PA-5400 Series only) Fixed an issue where swapping Network Processing Cards (NPCs) caused high root partition use.
Addressed
10.2.3
PAN-198266
Fixed an issue where, when predicts for UDP packets were created, a configuration change triggered a new policy lookup, which caused the dataplane to stop responding when converting the predict. This resulted in a dataplane restart.
Addressed
10.2.3
PAN-198244
Fixed an issue where using the load config partial CLI command to x-paths removed address object entries from address groups.
Addressed
10.2.3
PAN-197576
Fixed an issue where commits pushed from Panorama caused a memory leak related to the mgmtsrvr process.
Addressed
10.2.3
PAN-197484
(PA-5400 Series firewalls) Fixed an issue where the firewall forwarded packets to the incorrect Aggregate Ethernet interface when Policy Based Forwarding (PBF) was used.
Addressed
10.2.3
PAN-197383
Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after every reboot.
Addressed
10.2.3
PAN-197244
Fixed an issue on firewalls with Forward Proxy enabled where the all_pktproc process stopped responding due to missed heartbeats.
Addressed
10.2.3
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.2.3
PAN-196953
(PA-5450 firewalls only) Fixed an issue where jumbo frames were dropped.
Addressed
10.2.3
PAN-196445
Fixed an issue where restarting the Network Processing Card (NPC) or the Data Processing Card (DPC) did not bring up all the network interfaces.
Addressed
10.2.3
PAN-196398
(PA-7000 Series SMC-B firewalls only) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
Addressed
10.2.3
PAN-196227
Fixed an issue where the logd process stopped responding, which caused Panorama to reboot into maintenance mode.
Addressed
10.2.3
PAN-196005
(PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only) Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value.
Addressed
10.2.3
PAN-195707
Fixed an issue on Panorama appliances configured as log collectors where Panorama repeatedly rebooted into maintenance mode.
Addressed
10.2.3
PAN-195689
Fixed an issue where WildFire submission logs did not load on the firewall web interface.
Addressed
10.2.3
PAN-195628
Fixed an issue that caused the pan_task process to miss heartbeats and stop responding.
Addressed
10.2.3
PAN-195625
Fixed an issue where authd frequently created SSL sessions, which resulted in an OOM condition.
Addressed
10.2.3
PAN-195360
Fixed an issue with firewalls in Microsoft Azure environments where BGP flapping occurred due to the firewall incorrectly treating capability from BGP peering as unsupported.
Addressed
10.2.3
PAN-195223
Fixed an issue where the all_pktproc process restarted when receiving a GTPv2 Modify Bearer Request packet if the Serving GPRS Support Node (SGSN) used the same key as the Serving Gateway (SGW).
Addressed
10.2.3
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.2.3
PAN-194993
Fixed an issue that occurred when authenticating into GlobalProtect with authentication override cookies and SAML where, if the cookie was invalid, authentication did not fall back to SAML.
Addressed
10.2.3
PAN-194826
(WF-500 and WF-500-B appliances only) Fixed an issue where system log forwarding did not work over a TLS connection.
Addressed
10.2.3
PAN-194782
Fixed an issue on Panorama where, if you added a new local or non-local administrator account or an admin user to a template, authentication profiles were incorrectly referenced.
Addressed
10.2.3
PAN-194708
Fixed an issue where URL filtering logs (Monitor > Logs > URL Filtering) incorrectly truncated a 16KB Header value and did not display the Header values that followed the truncated 16KB header.
Addressed
10.2.3
PAN-194694
Fixed an issue where multiple SNMP requests being made to the firewall caused the pan_comm process to stop responding.
Addressed
10.2.3
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.2.3
PAN-194588
(PA-7000 Series firewalls with LFCs (Log Forwarding Cards), PA-7050 firewalls with SMC-B (Switch Management Cards), and PA-7080 firewalls only) Fixed an issue where the logrcvr_statistics output was not recorded in mp-monitor.log.
Addressed
10.2.3
PAN-194481
Fixed an issue in ESXi where the bootstrapped VM-Series firewalls with the Software Licensing Plugin had :xxx appended to their hostnames.
Addressed
10.2.3
PAN-194408
Fixed an issue where, when policy rules had apps that implicitly depended on web browsing configured with the service set to application-default, traffic did not match the rule correctly.
Addressed
10.2.3
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.2.3
PAN-194262
Fixed an issue where the GlobalProtect application failed to connect when a user or group was configured under the portal Config Selection Criteria.
Addressed
10.2.3
PAN-194152
(PA-5410, PA-5420, PA-5430, and PA-5440 firewalls in HA configurations only) Fixed an issue where HA1-A and HA1-B port information didn't match the front panel mappings and, when one firewall was on PAN-OS 10.2.3 or a later release and the other was on PAN-OS 10.2.2 or an earlier release, a split-brain situation occurred.
Addressed
10.2.3
PAN-194129
(PA-5450 firewalls only) Fixed an issue where slot 2 did not use all features correctly if a DPC was used instead of an NPC.
Addressed
10.2.3
PAN-194097
Fixed an issue on firewalls in high availability (HA) active/passive configurations where _ha_d_session_msgbuf overflowed on the passive firewall during an upgrade, which caused the firewall to enter a non-functional state.
Addressed
10.2.3
PAN-193981
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall stopped monitoring HA failure and floating IP addresses did not get moved to the newly active firewall.
Addressed
10.2.3
PAN-193899
Fixed an issue where advanced mode factory reset (Maintenance Mode > Factory Reset > Advanced > select a specific image) was only compatible with PAN-OS 10.1.3 or later version images.
Addressed
10.2.3
PAN-193818
Fixed an issue where the firewall device server failed to resolve URL cloud FQDNs, which interrupted URL category lookup.
Addressed
10.2.3
PAN-193766
(VM-Series firewalls only) Fixed an issue where the GlobalProtect portal was not accessible.
Addressed
10.2.3
PAN-193765
Fixed an issue where commits failed and the following error was displayed in the configd log:
Unable to populate ids into candidate config: Error: Error populating id for 'sg2+DMZ to FirstAM Scanner-1
Addressed
10.2.3
PAN-193763
Fixed an issue on the firewall where the dataplane CPU spiked, which caused traffic to be affected during commits or content updates.
Addressed
10.2.3
PAN-193744
(PA-3200 Series firewalls only) Fixed an issue where, when the HA2 HSCI connection was down, the system log displayed Port HA1-b: down instead of Port HSCI: Down.
Addressed
10.2.3
PAN-193732
(PA-5400 Series firewalls only) Fixed an issue where the firewall incorrectly handled internal transactions.
Addressed
10.2.3
PAN-193707
Fixed an issue where SAML authentication failed during commits with the following error message: revocation status could not be verified (reason: ).
Addressed
10.2.3
PAN-193483
(VM-Series firewalls only) Fixed an issue where, during Layer 7 packet inspection, when traffic was being inspected for threat signatures and data patterns, multiple processes stopped responding.
Addressed
10.2.3
PAN-193392
Fixed an issue where RTP packets dropped due to conflicting duplicate flows.
Addressed
10.2.3
PAN-193251
Fixed an issue where, when SAML was configured as the authentication method for GlobalProtect, the SAML page did not load when using a browser.
Addressed
10.2.3
PAN-193235
Fixed an issue where duplicate log entries were displayed on Panorama.
Addressed
10.2.3
PAN-193201
Fixed an issue where auto-commits failed after an upgrade if an imported certificate size was greater than the size of a buffer.
Addressed
10.2.3
PAN-193132
(PA-220 firewalls only) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.2.3
PAN-192944
Fixed an issue where the logrcvr process caused an OOM condition.
Addressed
10.2.3
PAN-192739
Fixed an issue where the error message Machine Learning found virus was displayed in threat CSV logs as the Threat ID/Name when WildFire Inline ML detected malware.
Addressed
10.2.3
PAN-192726
Fixed an issue where the firewall dropped TCP traffic inside IPSec tunnels.
Addressed
10.2.3
PAN-192673
(PA-7050-SMC-B firewalls only) Fixed an issue where the LFC syslog-ng service failed to start after an upgrade.
Addressed
10.2.3
PAN-192666
(VM-Series firewalls only) Fixed an issue where uploading certificates via API failed within the first 30 minutes of a bootstrap.
Addressed
10.2.3
PAN-192551
(PA-5400 Series firewalls only) Fixed an issue where the firewall incorrectly processed path monitoring packets.
Addressed
10.2.3
PAN-192404
Fixed an issue where ARP broadcasts occurring in the same time interval and network segment as HA path monitoring pings triggered an ARP cache request, which prevented the firewall from sending ICMP echo requests to the monitored destination IP address and caused an HA path monitoring failover.
Addressed
10.2.3
PAN-192330
(Bootstrapped VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall did not automatically receive the Cortex Data Lake license.
Addressed
10.2.3
PAN-192052
Fixed an issue where, when next hop MAC address entries weren't found on the offload processor for active traffic, update messages flooded the firewall, which caused resource contention and traffic disruption.
Addressed
10.2.3
PAN-191874
Fixed an issue where monthly scheduled reports did not display information after upgrading to PAN-OS 10.2.0.
Addressed
10.2.3
PAN-191847
Fixed an issue where the Panorama appliance was unable to generate scheduled custom reports due to the large number of files stored in the opt/pancfg/mgmt/custom-reports directory.
Addressed
10.2.3
PAN-191726
Fixed an issue where an SCP export of the device state from the firewall added single quotes ( ' ) to the filename.
Addressed
10.2.3
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.2.3
PAN-191269
Fixed an issue where the NAT pool leaked for passive mode FTP predict sessions.
Addressed
10.2.3
PAN-191222
Fixed an issue where Panorama became inaccessible after a push to the collector group.
Addressed
10.2.3
PAN-191218
(PA-5400 Series firewalls only) Fixed an issue where the session log storage quota could not be changed via the web interface.
Addressed
10.2.3
PAN-191216
Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal.
Addressed
10.2.3
PAN-191214
Fixed an issue where the Elasticsearch process stopped responding, which caused an OOM condition.
Addressed
10.2.3
PAN-190657
Fixed an issue where IPSec tunnels did not rekey due to the security association being deleted too early.
Addressed
10.2.3
PAN-190448
Fixed an issue in ACC reports where IPv6 addresses were displayed instead of IPv4 addresses.
Addressed
10.2.3
PAN-189894
Fixed an issue with the web interface where the template stack didn't show inherited values of Template > Authentication Portal Settings.
Addressed
10.2.3
PAN-189861
Fixed an issue on firewalls in HA configurations where intermittent system alerts on the active firewall caused the pan_comm process to restart continuously.
Addressed
10.2.3
PAN-189859
Fixed an issue on the firewall where an administrator was unable to Import Custom URL Category Content.
Addressed
10.2.3
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.2.3
PAN-189723
Fixed an issue where you were unable to configure dynamic address groups to use more than 64,000 IP addresses in a Security policy.
Addressed
10.2.3
PAN-189414
Fixed an issue where TCP packets were dropped during the first zone transfer when DNS security was enabled.
Addressed
10.2.3
PAN-189304
Fixed an issue where the Panorama appliance didn't display logs or generate reports for a device group containing MIPs platform that forwarded logs to Cortex Data Lake.
Addressed
10.2.3
PAN-189270
Fixed an issue that caused a memory leak on the reportd process.
Addressed
10.2.3
PAN-189225
Fixed an issue where BGP routes were lost or uninstalled after disabling jumbo frames on the firewall.
Addressed
10.2.3
PAN-189114
Fixed an issue where the dataplane went down, which caused an HA failover.
Addressed
10.2.3
PAN-188867
Fixed an issue where the firewall dropped packets when the session payload was too large.
Addressed
10.2.3
PAN-188489
(VM-Series firewalls only) Fixed an issue where dynamic content updates weren't automatically pushed to the firewall licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama (Panorama > Templates > Add Stack) was enabled.
Addressed
10.2.3
PAN-188338
Fixed an issue where canceling a commit caused the commit process to remain at 70% and the firewall had to be rebooted.
Addressed
10.2.3
PAN-188303
Fixed an issue where the serial number displayed as unknown after running the show system state CLI command.
Addressed
10.2.3
PAN-188096
(VM-Series firewalls only) Fixed an issue where, on firewalls licensed with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering was unable to be established.
Addressed
10.2.3
PAN-187985
Fixed an issue where you were unable to configure a QoS Profile as a percentage for Clear Text Traffic.
Addressed
10.2.3
PAN-187890
Fixed an issue where the Cortex Data Lake connection incorrectly displayed as disconnected when a service route was in use.
Addressed
10.2.3
PAN-187805
Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted during certificate construction or destruction.
Addressed
10.2.3
PAN-187476
Fixed an issue where, when hip-redistribution was enabled, Panorama didn't display part of the HIP information.
Addressed
10.2.3
PAN-187234
Fixed an intermittent issue where web pages submitted for analysis by Advanced URL Filtering cloud inline categorization experienced high latency.
Addressed
10.2.3
PAN-186891
Fixed an issue where NetFlow packets contained incorrect octet counts.
Addressed
10.2.3
PAN-186418
Fixed an issue where Panorama displayed a discrepancy in RAM configured on the VMware host.
Addressed
10.2.3
PAN-186134
Fixed an issue on Panorama where performing a commit and push intermittently failed to push the committed configuration to managed firewalls.
Addressed
10.2.3
PAN-186075
(VM-Series firewalls only) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.2.3
PAN-185787
Fixed an issue where logging in to the Panorama web interface did not work and the following error message displayed: Timed out while getting config lock. Please try again.
Addressed
10.2.3
PAN-185283
Fixed an issue on Panorama where using the name-of-threatid contains log4j filter didn't produce expected results.
Addressed
10.2.3
PAN-184702
(M-700 appliances in Log Collector mode only) Fixed an issue on the Panorama management server where the Panorama appliance failed to connect to Panorama when added as a managed log collector.
Addressed
10.2.3
PAN-184068
(PA-5200 Series firewalls only) Fixed an issue where the firewall generated pause frames, which caused network latency.
Addressed
10.2.3
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
Addressed
10.2.3
PAN-185750
Fixed an issue where pan_comm software failures caused the dataplane to restart unexpectedly.
Addressed
10.2.3
PAN-183270
Fixed an issue where a bootstrapped firewall connected only to the first log collector in a log collector group.
Addressed
10.2.3
PAN-183184
Fixed an issue where enabling SSL decryption with a Hardware Security Module (HSM) caused a dataplane restart.
Addressed
10.2.3
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.2.3
PAN-182689
Fixed an issue where a signature from a previous WildFire package triggered virus detection even though the signature was no longer present in the current WildFire package.
Addressed
10.2.3
PAN-182539
Fixed an issue with Panorama appliances in HA configurations where dedicated log collectors did not send local system or configuration logs to both Panorama appliances.
Addressed
10.2.3
PAN-182212
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps values as 0.
Addressed
10.2.3
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.2.3
PAN-179543
Fixed an issue where the flow_mgmt process stopped responding when attempting to clear the session table, which caused the dataplane to restart.
Addressed
10.2.3
PAN-179258
Fixed an issue where system disk migration failed.
Addressed
10.2.3
PAN-178243
Fixed an issue where Shared Gateway was not visible in the Virtual System drop-down when configuring a Layer 3 aggregate subinterface.
Addressed
10.2.3
PAN-178194
Fixed an issue with the web interface where, when only the Advanced URL Filtering license was activated, the message License required for URL filtering to function was incorrectly displayed and the URL Filtering Profile > Inline ML section was disabled.
Addressed
10.2.3
PAN-177482
Fixed an issue where ACC > App Scope > Threat Monitor showed NO DATA TO DISPLAY.
Addressed
10.2.3
PAN-172501
Fixed an issue where you were unable to revert HA mode settings to the default values from the web interface.
Addressed
10.2.3
PAN-171714
Fixed an issue where, when NetBIOS format (domain\user) was used for the IP address-to-username mapping and the firewall received the group mapping information from the Cloud Identity Engine, the firewall did not match the user to the correct group.
Addressed
10.2.3
PAN-157215
Fixed an issue that occurred when two FQDNs were resolved to the same IP address and were configured as the same src/dst of the same rule. If one FQDN was later resolved to a different IP address, the IP address resolved for the second FQDN was also changed, which caused traffic with the original IP address to hit the incorrect rule.
Addressed
10.2.3
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Known
10.2.4
WF500-5854
The WildFire analysis report in the firewall log viewer (Monitor > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround: Download and open the WildFire analysis report in PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.4
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command while a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.4
WF500-5840
The sample analysis statistics that are returned when issuing the
show wildfire local statistics
CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.4
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt samples or prevent the WildFire appliance from analyzing them.
Known
10.2.4
WF500-5781
The WildFire appliance might erroneously generate and log the following device certificate error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.4
WF500-5754
In WildFire appliance clusters, issuing the
show cluster controller
CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.4
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.4
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the Panorama CLI on the active HA peer and trigger a manual synchronization of the running configuration to the passive HA peer.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
Known
10.2.4
PAN-228273
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command reports a status of red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.4
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.4
PAN-227342
(
PA-7000 Series firewalls only
) In an Active/Active High Availability (HA) setup, enabling hardware offload can result in web traffic being blocked.
Known
10.2.4
PAN-225337
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a
    Shared
    and vsys-specific device group configuration object with an identical name. For example, a
    Shared
    address object called
    SharedAO1
    and a vsys-specific address object also called
    SharedAO1
    .
  2. Reference the
    Shared
    object in another
    Shared
    configuration. For example, reference the
    Shared
    address object (
    SharedAO1
    ) in a
    Shared
    address group called
    SharedAG1
    .
  3. Use the
    Shared
    configuration object with the reference in a vsys-specific configuration. For example, reference the
    Shared
    address group (
    SharedAG1
    ) in a vsys-specific policy rule.
Workaround:
Select
Panorama
Setup
Management
and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices
    —This option pushes all
    Shared
    objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence
    —This option specifies that, when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the
    Shared
    objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the
Shared
objects in your configuration.
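The name collision behind this issue is easy to introduce on a large Panorama, because Shared and device-group objects live in different scopes of the same configuration and the web interface does not warn when a device-group object shadows a Shared one. The following script is an added example, not Palo Alto Networks code: it reads an exported Panorama configuration, reports every address object that is defined both in Shared and in a device group, and lists the Shared address groups that reference it, so the duplicates can be found before a push to a multi-vsys firewall fails. The XML paths follow the layout of a Panorama configuration export (Panorama > Setup > Operations > Export named Panorama configuration snapshot); the embedded configuration is constructed for the example and mirrors the SharedAO1/SharedAG1 case above.

```python
# Added example (not Palo Alto Networks code): find address objects that are
# defined in both Shared and a device group of a Panorama configuration export,
# the condition that breaks the push described in PAN-225337.
import xml.etree.ElementTree as ET

# Constructed sample configuration for the example; mirrors the SharedAO1 /
# SharedAG1 case from the release note. Device-group name is hypothetical.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="SharedAO1"><ip-netmask>10.1.1.1</ip-netmask></entry>
      <entry name="UniqueAO"><ip-netmask>192.0.2.10</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="SharedAG1"><static><member>SharedAO1</member></static></entry>
    </address-group>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="DG-vsys1">
          <address>
            <entry name="SharedAO1"><ip-netmask>10.2.2.2</ip-netmask></entry>
          </address>
          <pre-rulebase><security><rules>
            <entry name="allow-ag1"><source><member>SharedAG1</member></source></entry>
          </rules></security></pre-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>"""

# Address object types PAN-OS stores as a child element of <entry>.
VALUE_TAGS = ("ip-netmask", "ip-range", "ip-wildcard", "fqdn")


def _value(entry):
    """Return the address value of an <address><entry> regardless of its type."""
    for tag in VALUE_TAGS:
        node = entry.find(tag)
        if node is not None and node.text:
            return node.text.strip()
    return None


def _shared_groups_referencing(root, obj_name):
    """Names of Shared static address groups whose members include obj_name."""
    refs = []
    for group in root.findall("./shared/address-group/entry"):
        members = [m.text.strip() for m in group.findall("static/member") if m.text]
        if obj_name in members:
            refs.append(group.get("name"))
    return refs


def find_shadowed_objects(config_xml):
    """Return one record per address object defined both in Shared and in a device group."""
    root = ET.fromstring(config_xml)
    shared = {e.get("name"): e for e in root.findall("./shared/address/entry")}
    hits = []
    for dg in root.findall("./devices/entry/device-group/entry"):
        for entry in dg.findall("address/entry"):
            name = entry.get("name")
            if name not in shared:
                continue
            hits.append({
                "name": name,
                "device_group": dg.get("name"),
                "shared_value": _value(shared[name]),
                "device_group_value": _value(entry),
                "shared_groups_referencing": _shared_groups_referencing(root, name),
            })
    return hits


if __name__ == "__main__":
    for hit in find_shadowed_objects(SAMPLE_CONFIG):
        print(f"{hit['name']}: Shared={hit['shared_value']} "
              f"{hit['device_group']}={hit['device_group_value']} "
              f"referenced by Shared groups {hit['shared_groups_referencing']}")
```

Run it against the saved snapshot before enabling either global setting above: an object that appears in the output with a non-empty list of referencing Shared groups is exactly the three-step pattern the push trips over, and renaming or deleting the device-group copy is a narrower fix than changing precedence for every managed firewall.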
Known
10.2.4
PAN-223488
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.4
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.2.4
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
10.2.4
PAN-222253
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.4
PAN-221775
A
Malformed Request
error is displayed when you
Test Connection
for an email server profile (
Device
Server Profiles
Email
) using
SMTP over TLS
and the
Password
includes an ampersand (&).
Known
10.2.4
PAN-221015
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
) to be degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
10.2.4
PAN-220180
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Configured botnet reports (
Monitor
Botnet
) are not generated.
Known
10.2.4
PAN-219644
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.4
PAN-218521
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.4
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
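Until the filter is fixed, the question these filters answer (which rules have session-start or session-end logging turned off) can be answered offline against an exported rulebase. The script below is an added example, not PAN-OS code: it evaluates the page's filter syntax (field eq value, field neq value, clauses joined with and) against the rule entries under a rulebase element and applies the PAN-OS defaults when a rule omits the element, since a rule with no log-end element logs at session end and a rule with no log-start element does not log at session start. The rulebase XML is constructed for the example, and treating a bare rulebase element as the root is an assumption about where the export is cut.

```python
# Added example (not PAN-OS code): evaluate Security rulebase filters such as
# "log-end eq no" against an exported rulebase, the query PAN-217307 breaks.
import xml.etree.ElementTree as ET

# Constructed sample rulebase for the example; rule names are hypothetical.
SAMPLE_RULEBASE = """<rulebase>
  <security><rules>
    <entry name="allow-web">
      <log-start>yes</log-start><log-end>yes</log-end>
    </entry>
    <entry name="noisy-backup">
      <log-end>no</log-end>
    </entry>
    <entry name="defaults-only"/>
  </rules></security>
</rulebase>"""

# PAN-OS behaviour when the element is absent from a rule: session-end
# logging is on, session-start logging is off.
DEFAULTS = {"log-start": "no", "log-end": "yes"}


def rule_field(rule, field):
    """Effective value of a rule field, falling back to the PAN-OS default."""
    node = rule.find(field)
    if node is not None and node.text:
        return node.text.strip()
    return DEFAULTS.get(field)


def parse_clause(clause):
    """Parse '<field> <eq|neq> <value>' into a (field, op, value) tuple."""
    parts = clause.split()
    if len(parts) != 3 or parts[1] not in ("eq", "neq"):
        raise ValueError(f"unsupported filter clause: {clause!r}")
    return parts[0], parts[1], parts[2]


def filter_rules(rulebase_xml, expr):
    """Names of rules matching every clause of expr (clauses joined by ' and ')."""
    clauses = [parse_clause(c) for c in expr.split(" and ")]
    root = ET.fromstring(rulebase_xml)
    matched = []
    for rule in root.findall("./security/rules/entry"):
        # For eq the values must agree; for neq they must differ.
        if all((op == "eq") == (rule_field(rule, field) == value)
               for field, op, value in clauses):
            matched.append(rule.get("name"))
    return matched


if __name__ == "__main__":
    for expr in ("log-start eq no", "log-end eq no", "log-end eq yes"):
        print(f"{expr:18} -> {filter_rules(SAMPLE_RULEBASE, expr)}")
```

The defaults matter for the security review the filter is usually part of: a rule that simply never had log-end set is still logging at session end, while a rule with an explicit log-end of no is the one that leaves no traffic log behind.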
Known
10.2.4
PAN-216821
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
The
reportd
process crashes after you successfully upgrade an M-200 appliance to PAN-OS 10.2.4.
Known
10.2.4
PAN-215778
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On the M-600 appliance in Management Only mode, XML API Get requests for
/config
fail with the following error due to exceeding the total configuration size supported on the M-600 appliance.
504 Gateway timeout
Known
10.2.4
PAN-215082
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
M-300 and M-700 appliances may generate erroneous system logs (
Monitor
Logs
System
) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.4
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.2.4
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
10.2.4
PAN-212978
This issue is now resolved. See
PAN-OS 10.2.4-h3 Addressed Issues
.
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.2.4
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.4
PAN-212533
Modifying the
Administrator Type
for an existing administrator (
Device
Administrators
or
Panorama
Administrators
) from
Superuser
to a
Role-Based
custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.4
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
10.2.4
PAN-210366
This issue is now resolved. See
PAN-OS 10.2.4-h3 Addressed Issues
.
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a
primary-non-functional
state and generate a system log (
Monitor
Logs
System
) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.4
PAN-209288
Certificates are not successfully generated using SCEP (
Device
Certificate Management
SCEP
).
Known
10.2.4
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (
Objects
DLP
Data Filtering Profiles
) with the Action set to
Block
to a Security policy rule (
Policies
Security
).
Known
10.2.4
PAN-208325
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
The following next-generation firewall and Panorama management server models are unable to automatically renew the device certificate (
Device
Setup
Management
or
Panorama
Setup
Management
).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin> request certificate fetch
Known
10.2.4
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.2.4
PAN-201855
On the Panorama management server, cloning any template (
Panorama
Templates
) corrupts certificates (
Device
Certificate Management
Certificates
) with the
Block Private Key Export
setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the
Block Private Key Export
setting enabled. Cloning template C corrupts the certificates with
Block Private Key Export
setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.4
PAN-199557
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On M-600 appliances in an Active/Passive high availability (HA) configuration, the
configd
process restarts due to a memory leak on the
Active
Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the
Active
Panorama HA peer.
Known
10.2.4
PAN-198708
On the Panorama management server, the
File Type
field does not display any data when you view the Detailed Log View in the Data Filtering log (
Monitor
Logs
Data Filtering
<select log>
DLP
).
Known
10.2.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls that use SD-WAN erroneously shows the auto-provisioned BGP configuration for SD-WAN as edited or deleted, even though no edits or deletions were made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.2.4
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.4
PAN-196146
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt file or in user data) when bootstrapped.
Known
10.2.4
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround
: Retry the operation.
Known
10.2.4
PAN-194519
(
PA-5450 firewall only
) Trying to configure a custom payload format under
Device
Server Profiles
HTTP
yields a JavaScript error.
Known
10.2.4
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.4
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.4
PAN-194202
(
PA-5450 firewall only
) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.4
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.4
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does not accurately reflect the commit job progress.
Known
10.2.4
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.4
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.4
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.2.4
PAN-187643
If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection
is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the
SCTP INIT
option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.4
PAN-187612
On the Panorama management server, not all data profiles (
Objects
DLP Data Filtering Profiles
) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin> request plugins dlp reset
Known
10.2.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis is bypassed.
Known
10.2.4
PAN-187370
On a firewall with Advanced Routing enabled, a logical router instance that uses the default configuration and has no interfaces assigned to it causes the management daemon and the main routing daemon to terminate during commit.
Workaround
: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.4
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround
: Use
Commit
Push to Devices
to synchronize the templates.
Known
10.2.4
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.4
PAN-185286
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
(
PA-5400 Series firewalls only
) On the Panorama management server, the device health resources (
Panorama
Managed Devices
Health
) do not populate.
Known
10.2.4
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.4
PAN-182734
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.4
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall that are set to Auto to go down.
Known
10.2.4
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.4
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround
: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.4
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, the message License required for URL filtering to function is displayed at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.4
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.4
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.4
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.4
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
admin> request license fetch
Known
10.2.4
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.2.4
PAN-164885
This issue is now resolved. See
PAN-OS 10.2.10 Addressed Issues
.
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.2.4
PAN-160633
This issue is now resolved. See
PAN-OS 10.2.5 Addressed Issues
.
(
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only
) The dataplane restarts repeatedly due to internal path monitoring failures until a power cycle.
Addressed
10.2.4-h16
PAN-252214
A fix was made to address CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of PAN-OS that was exploited in the wild. Firewalls with a GlobalProtect portal or gateway configured should run this hotfix or a later fixed release.
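Because fixes land as hotfixes on individual maintenance releases (10.2.4-h16 here), a plain numeric comparison misjudges devices: 10.2.5 sorts above 10.2.4-h16 yet was released before that hotfix and does not contain it. The following added example, not a Palo Alto Networks tool, parses PAN-OS version strings with their -hN suffix and decides per maintenance release whether a device carries a listed fix, answering not-listed rather than guessing for release trains that have no entry. The only fixed version in the table is the one this page states; entries for other maintenance releases must be taken from the vendor advisory. The inventory of hostnames and versions is constructed for the example.

```python
# Added example (not Palo Alto Networks code): compare PAN-OS versions with
# hotfix suffixes and decide whether a device carries a listed fix.
import re

# Accepts "10.2.4" and "10.2.4-h16"; anything else (custom builds, blanks) is rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); a base release has hotfix 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def fix_status(running, fixed_versions):
    """Classify a running version against the first fixed version of each maintenance release.

    Returns 'fixed', 'vulnerable' or 'not-listed'. A maintenance release with no
    entry in fixed_versions is reported as 'not-listed' on purpose: a higher
    release number does not prove the hotfix was merged into it.
    """
    run = parse_version(running)
    thresholds = {}
    for version in fixed_versions:
        parsed = parse_version(version)
        # Keep the lowest fixed hotfix if the table lists a release twice.
        thresholds[parsed[:3]] = min(parsed[3], thresholds.get(parsed[:3], parsed[3]))
    if run[:3] not in thresholds:
        return "not-listed"
    return "fixed" if run[3] >= thresholds[run[:3]] else "vulnerable"


def audit_fleet(inventory, fixed_versions):
    """Map hostname -> status for an inventory of {hostname: sw-version}."""
    return {host: fix_status(version, fixed_versions)
            for host, version in inventory.items()}


# The only fixed version this page documents for CVE-2024-3400.
CVE_2024_3400_FIXED = ["10.2.4-h16"]

# Constructed inventory for the example; hostnames are hypothetical and the
# versions are ones that appear on this page.
SAMPLE_INVENTORY = {
    "fw-branch-01": "10.2.4",
    "fw-branch-02": "10.2.4-h10",
    "fw-dc-01": "10.2.4-h16",
    "fw-dc-02": "10.2.5",
}

if __name__ == "__main__":
    for host, status in audit_fleet(SAMPLE_INVENTORY, CVE_2024_3400_FIXED).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```

The sw-version values come from show system info on each device (or the Panorama > Managed Devices > Summary view); the not-listed result for 10.2.5 is the case to chase rather than dismiss, because that train needs its own hotfix entry before any device on it can be called fixed.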
Addressed
10.2.4-h10
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates failed incorrectly with the error message
    OTP is not valid
    .
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.4-h10
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.4-h10
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.4-h10
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.4-h10
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.4-h4
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.2.4-h4
PAN-222712
(
PA-5450 firewalls only
) Fixed a low frequency DPC restart issue.
Addressed
10.2.4-h4
PAN-221984
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.2.4-h4
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
Addressed
10.2.4-h4
PAN-219508
(
VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only
) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.2.4-h4
PAN-217489
Fixed an issue with firewalls in active/passive high availability (HA) configurations where the passive firewall MAC flapping occurred when the passive firewall was rebooted.
Addressed
10.2.4-h4
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.2.4-h4
PAN-215655
Fixed an issue where, after a multi-dynamic group push, Security policies with a target device tag were added to a firewall that did not have the tag.
Addressed
10.2.4-h4
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the commit and push or push operation window to hang for several minutes.
Addressed
10.2.4-h4
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command, which the read-only superreader role should not be permitted to run.
Addressed
10.2.4-h4
PAN-211191
Fixed an issue where the firewall restarted after initiating a mgmtsrvr process restart.
Addressed
10.2.4-h4
PAN-210661
Fixed an issue where firewalls disconnected from Cortex Data Lake after renewing the device certificate.
Addressed
10.2.4-h4
PAN-210429
(
VM-Series firewalls only
) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.2.4-h4
PAN-195439
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.2.4-h4
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.2.4-h3
PAN-222035
Fixed an issue where when multiple portals were configured in Prisma Access deployments, CIE SAML authentication failed on the secondary portal.
Addressed
10.2.4-h3
PAN-221068
Fixed an issue where the firewall restarted after a failed push from Panorama, which resulted in autocommit failures.
Addressed
10.2.4-h3
PAN-219355
Fixed an issue where disk space became full due to a GPSVC FD leak.
Addressed
10.2.4-h3
PAN-219333
Fixed an issue where a secondary Prisma Access Portal address with port 8443 did not work.
Addressed
10.2.4-h3
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.2.4-h3
PAN-218368
Fixed an issue with incorrect VLAN tagging on Intel based platforms that occurred when opening a response page from a virtual-wire subinterface.
Addressed
10.2.4-h3
PAN-218340
Fixed a memory leak issue related to the configd process that affected selective pushes on Panorama.
Addressed
10.2.4-h3
PAN-218267
Fixed an issue where a partial commit and push operation from Panorama to managed firewalls did not work as expected.
Addressed
10.2.4-h3
PAN-218046
Fixed an issue where the Virtual Routers (Network > Virtual Routers) setting was not available when configuring a custom admin role (Device > Admin Roles).
Addressed
10.2.4-h3
PAN-217053
Fixed an issue where the configd process stopped responding after a selective push to multiple device groups failed.
Addressed
10.2.4-h3
PAN-215899
Fixed an issue with Panorama appliances in high availability (HA) configurations where configuration synchronization between the HA peers failed.
Addressed
10.2.4-h3
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message
INVALID_SPI
, which resulted in temporary loss of traffic over some proxy IDs.
Addressed
10.2.4-h3
PAN-215324
(
PA-5400 Series firewalls with Jumbo Frames enabled only
) Fixed an issue with CPU throttling and buffer depletion.
Addressed
10.2.4-h3
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.2.4-h3
PAN-214463
Fixed an issue where IKE rekey negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message
unexpected critical payload (type 43)
.
Addressed
10.2.4-h3
PAN-213973
Fixed an issue where the authd process stopped responding during a cleanup of authentication server context.
Addressed
10.2.4-h3
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN configuration or operational CLI command.
Addressed
10.2.4-h3
PAN-210366
Fixed an issue where deleting a device group when a selective configuration push was in progress caused the configd process to stop responding.
Addressed
10.2.4-h3
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
10.2.4-h2
PAN-218285
Fixed an issue where, after switching the SPN by suspending the active SPN, the forwarding rule did not correctly point to the new active node when moving from 3 rules (TCP/UDP/ICMP) to 1 Layer 3 default rule in GCP.
Addressed
10.2.4-h2
PAN-217484
Fixed an issue where the rasmgr process used 100% CPU due to a maximum duration timer not being set, which caused the GlobalProtect gateway to be unavailable.
Addressed
10.2.4-h2
PAN-217431
Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.2.4-h2
PAN-216710
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.
Addressed
10.2.4-h2
PAN-216036
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to enter a nonfunctional state.
Addressed
10.2.4-h2
PAN-215823
Fixed an issue on log collectors where the reportd process stopped responding.
Addressed
10.2.4-h2
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
10.2.4-h2
PAN-214406
Fixed an issue with Elasticsearch where ES tunnels weren’t started and were forked incorrectly, which caused them to fail.
Addressed
10.2.4-h2
PAN-213079
Fixed an issue with Captive Portal SAML authentication by increasing the number of retries in the Nginx configuration.
Addressed
10.2.4-h2
PAN-212726
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
10.2.4-h2
PAN-211870
Fixed an issue where path monitoring failure occurred, which caused high availability failover.
Addressed
10.2.4-h2
PAN-195912
Fixed an issue where connections from the firewall to Cortex Data Lake failed.
Addressed
10.2.4
WF500-5976
(WF-500 appliances only) Fixed an issue where files were incorrectly detected as malicious.
Addressed
10.2.4
WF500-5953
Fixed an issue where testing the same file sample using a PowerShell script returned different verdicts in Private Cloud and Public Cloud.
Addressed
10.2.4
WF500-5920
Fixed an issue where an elink parser did not work.
Addressed
10.2.4
PAN-220741
(Firewalls in active/passive HA configurations only) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of every 10 minutes.
Addressed
10.2.4
PAN-219686
Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls.
vsys -> vsys1 -> plugins unexpected here
vsys is invalid
Commit failed
Addressed
10.2.4
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.2.4
PAN-216314
(PA-3200 Series firewalls only) Fixed an issue where, after upgrading to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application traffic sessions disconnected even when a session was active. This occurred due to the application default session timeout value being exceeded.
Addressed
10.2.4
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.4
PAN-215488
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Addressed
10.2.4
PAN-215461
Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.
Addressed
10.2.4
PAN-215125
Fixed an issue where false negatives occurred for some script samples.
Addressed
10.2.4
PAN-214634
Fixed an issue where an elink parser did not work.
Addressed
10.2.4
PAN-214624
Fixed an issue where the logrcvr process stopped responding.
Addressed
10.2.4
PAN-214337
Fixed an issue on the firewall related to the gp_broker configuration transform that led to longer commit times.
Addressed
10.2.4
PAN-214037
(PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only) Fixed an issue where firewalls in active/active HA configurations experienced packet drops when running asymmetric traffic.
Addressed
10.2.4
PAN-213973
Fixed an issue where the authd process stopped responding during a cleanup of authentication server context.
Addressed
10.2.4
PAN-213661
Fixed an issue where memory allocation failure caused dataplane processes to restart. This issue occurred when decryption was enabled and the device was under heavy L7 usage.
Addressed
10.2.4
PAN-213011
Fixed an issue where, when using multi-factor authentication (MFA) with RADIUS OTP, the challenge message Enter Your Microsoft verification code did not appear when accessing the GlobalProtect portal via browser.
Addressed
10.2.4
PAN-212982
Fixed an issue where the logrcvr process stopped responding with MICA HTTP2 traffic.
Addressed
10.2.4
PAN-212409
Fixed an issue where there were duplicate IPSec Security Associations (SAs) for the same tunnel, gateway, or proxy ID.
Addressed
10.2.4
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.2.4
PAN-210919
Fixed an issue where the Data Processing Card remained in a Starting state after a restart.
Addressed
10.2.4
PAN-210892
(M-600 and M-700 appliances only) Fixed an issue where the Elasticsearch shard count grew continuously without limit.
Addressed
10.2.4
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
10.2.4
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
Addressed
10.2.4
PAN-210481
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.2.4
PAN-210449
Fixed an issue where the values of shared objects used in policy rules were not displayed on multi-vsys firewalls when pushed from Panorama.
Addressed
10.2.4
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Cortex Data Lake and displayed the error message Send File to CDL Receiver Failed.
Addressed
10.2.4
PAN-210327
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.
Addressed
10.2.4
PAN-210237
Fixed an issue where system logs generated by Panorama for commit operations showed the severity as High instead of Informational.
Addressed
10.2.4
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
Addressed
10.2.4
PAN-209660
Fixed an issue where a selective push from Panorama to multiple firewalls failed due to a missing configuration file, which caused a communication error.
Addressed
10.2.4
PAN-209346
Fixed an issue where, after upgrading to PAN-OS 10.2.3, HA peers received conflicting ARP messages that indicated a duplicate IP address.
Addressed
10.2.4
PAN-209305
Fixed a memory space issue where the content and threat detection (CTD) process flow cleanup during inline cloud analysis did not work.
Addressed
10.2.4
PAN-209226
Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.
Addressed
10.2.4
PAN-209069
Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field were not logged when the IP address contained an associated port number.
Addressed
10.2.4
PAN-209021
Fixed an issue where packets were fragmented when an SD-WAN VPN tunnel was configured on aggregate Ethernet interfaces and subinterfaces.
Addressed
10.2.4
PAN-208987
(PA-5400 Series only) Fixed an issue where a packet was not transmitted from the firewall if its fragments were received on different slots. This occurred when aggregate Ethernet (AE) members of an AE interface were placed on different slots.
Addressed
10.2.4
PAN-208922
A fix was made to address an issue where an authenticated administrator was able to commit a specifically created configuration to read local files and resources from the system (CVE-2023-38046).
Addressed
10.2.4
PAN-208930
(PA-7000 Series firewalls only) Fixed an issue where auto-tagging in log forwarding did not work.
Addressed
10.2.4
PAN-208877
Fixed an issue where the all_task process stopped responding when freeing the HTTP2 stream, which caused the dataplane to go down.
Addressed
10.2.4
PAN-208737
Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.
Addressed
10.2.4
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.2.4
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.2.4
PAN-208711
(PA-5200 Series firewalls only) The CLI command debug dataplane set pow no-desched yes/no was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.4
PAN-208537
Fixed an issue where the licensed-device-capacity was reduced when multiple device management license key files were present.
Addressed
10.2.4
PAN-208485
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Addressed
10.2.4
PAN-208189
Fixed an issue where traffic failed to match and reach all destinations if a Security policy rule included FQDN objects that resolved to two or more IP addresses.
Addressed
10.2.4
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
Addressed
10.2.4
PAN-208079
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the PAN-DB engine did not start when using a VM-Series firewall with a Flex-based CPU.
Addressed
10.2.4
PAN-207983
Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.
Addressed
10.2.4
PAN-207940
Fixed an issue on platforms with RAID where disk checks were performed weekly, which caused logs to incorrectly state that the RAID was rebuilding.
Addressed
10.2.4
PAN-207891
Fixed an issue on Panorama where log migration did not complete after an upgrade.
Addressed
10.2.4
PAN-207740
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.4
PAN-207738
Fixed an issue where the ocsp-next-update-time CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
Addressed
10.2.4
PAN-207663
Fixed a Clientless VPN issue where JSON stringify caused issues with the application rewrite.
Addressed
10.2.4
PAN-207629
Fixed an issue where a selective push to firewalls failed if the firewalls were enabled with multiple vsys and the push scope contained shared objects in device groups.
Addressed
10.2.4
PAN-207623
Fixed an issue on Panorama where log migration did not complete as expected.
Addressed
10.2.4
PAN-207610
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Log Admin Activity was not visible on the web interface.
Addressed
10.2.4
PAN-207602
Fixed an issue where file streams were opened or closed twice due to a race condition which caused Linux to stop responding.
Addressed
10.2.4
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
Addressed
10.2.4
PAN-207533
Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall.
Addressed
10.2.4
PAN-207455
Fixed an issue where the pan_task process stopped responding when processing client certificate requests from the server in TLS1.3.
Addressed
10.2.4
PAN-207426
Fixed an issue where a selective push did not include the Share Unused Address and Service Objects with Devices option on Panorama, which caused the firewall to not receive the objects during the configuration push.
Addressed
10.2.4
PAN-207400
Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Addressed
10.2.4
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
Addressed
10.2.4
PAN-207260
A commit option was enabled for Device Group and Template administrators after a password change.
Addressed
10.2.4
PAN-207045
(PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
Addressed
10.2.4
PAN-207043
Fixed an issue on PAN-OS 10.2.3 where ports 41-44 remained down when the PAN-QSFP28-DAC-5M cable was connected.
Addressed
10.2.4
PAN-206963
(M-700 Appliances only) A CLI command was added to check the status of each physical port of a bond1 interface.
Addressed
10.2.4
PAN-206921
Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT.
Addressed
10.2.4
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
Addressed
10.2.4
PAN-206796
Fixed an issue where cfg.lcaas-region was not reset when it was empty, which caused Cortex Data Lake onboarding to fail.
Addressed
10.2.4
PAN-206755
Fixed an issue where, when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.
Addressed
10.2.4
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.2.4
PAN-206629
(VM-Series firewalls in AWS environments only) Fixed an issue where newly bootstrapped firewalls did not forward logs to Panorama.
Addressed
10.2.4
PAN-206393
(PA-5280 firewalls only) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
Addressed
10.2.4
PAN-206382
Fixed an issue where authentication sequences were not populated in the drop-down when selecting authentication profiles during administrator creation in a template.
Addressed
10.2.4
PAN-206253
(PA-3400 Series firewalls only) Fixed an issue where the default log rate value was too low and the maximum configurable log rate was capped incorrectly, which caused the firewall to not generate more than 6826 logs per second.
Addressed
10.2.4
PAN-206251
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.2.4
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
Addressed
10.2.4
PAN-206128
(PA-7000 Series firewalls with NPCs (Network Processing Cards) only) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message: Power not OK.
Addressed
10.2.4
PAN-206077
Fixed an issue on firewalls in active/active HA configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.
Addressed
10.2.4
PAN-206069
Fixed an issue where the firewall was unable to boot up on older Intel CPUs.
Addressed
10.2.4
PAN-206017
Fixed an issue where the show dos-protection rule command displayed a character limit error.
Addressed
10.2.4
PAN-206005
(PA-3400 Series firewalls only) Fixed an issue where the l7_misc memory pool was undersized and caused connectivity loss when the limit was reached.
Addressed
10.2.4
PAN-205995
Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.
Addressed
10.2.4
PAN-205955
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Addressed
10.2.4
PAN-205877
(PA-5450 firewalls only) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
Addressed
10.2.4
PAN-205829
Fixed an issue where logs did not display Host-ID details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Addressed
10.2.4
PAN-205804
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple UploadInstall jobs per minute.
Addressed
10.2.4
PAN-205729
(PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
Addressed
10.2.4
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
Addressed
10.2.4
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
Addressed
10.2.4
PAN-205473
(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where the firewall did not receive any traffic on Layer 3 subinterfaces from the trunk port.
Addressed
10.2.4
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Addressed
10.2.4
PAN-205451
Fixed an issue where the pan_com process stopped responding due to aggressive commits.
Addressed
10.2.4
PAN-205428
Fixed an issue where WildFire submissions failed if the file name contained special characters.
Addressed
10.2.4
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
Addressed
10.2.4
PAN-205337
Fixed an issue in the Run Now section of custom reports where Threat/Content Name displayed as hypertext, and hovering over the text with the mouse displayed the message undefined.
Addressed
10.2.4
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
Addressed
10.2.4
PAN-205255
Fixed a rare issue that caused the dataplane to restart unexpectedly.
Addressed
10.2.4
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.2.4
PAN-205222
Fixed an issue where you were unable to add a new application in a selected policy rule.
Addressed
10.2.4
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs (Monitor > Logs > <logtype>).
Addressed
10.2.4
PAN-205187
Fixed an issue where Elasticsearch did not start properly when a newly installed Panorama virtual appliance powered on for the first time, which caused the Panorama virtual appliance to not query logs forwarded from the managed firewall to a Log Collector.
Addressed
10.2.4
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
Addressed
10.2.4
PAN-205030
Fixed an issue where, when a session that matched a policy-based forwarding rule with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.2.4
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.2.4
PAN-204851
Fixed an issue where, when performing an advanced factory reset from maintenance mode on a firewall running PAN-OS 10.2.2 or an earlier release and downgrading to PAN-OS 10.1.0 or an earlier release, the firewall entered into maintenance mode after the reboot.
Addressed
10.2.4
PAN-204838
Fixed an issue where the dot1q VLAN tag was missing in ARP reply packets.
Addressed
10.2.4
PAN-204830
Fixed an issue where logging in via the web interface or CLI did not work until an auto-commit was complete.
Addressed
10.2.4
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.2.4
PAN-204690
Fixed an issue where selective configuration pushes failed due to schema validation when both the device group and template stack had the same name.
Addressed
10.2.4
PAN-204663
Fixed an issue on Panorama where you were unable to context switch from one managed firewall to another.
Addressed
10.2.4
PAN-204582
Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.
Addressed
10.2.4
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
Addressed
10.2.4
PAN-204575
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the firewall did not forward logs to the log collector.
Addressed
10.2.4
PAN-204482
Fixed an issue where searching threat logs (Monitor > Logs > Threat) using the partial hash parameter did not work, which resulted in an invalid operator error.
Addressed
10.2.4
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
Addressed
10.2.4
PAN-204335
Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.
Addressed
10.2.4
PAN-204307
(PA-5440, PA-5430, PA-5420 and PA-5410 firewalls only) Fixed an issue where, when moving interfaces from one aggregate group to another while the interface's link state was down, traffic was not properly routed through the aggregate group until after a second commit.
Addressed
10.2.4
PAN-204271
Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.
Addressed
10.2.4
PAN-204238
Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll-down arrow for navigation.
Addressed
10.2.4
PAN-204216
Fixed an issue where URL categorization failed and the firewall displayed the URL category as not-resolved for all traffic, and the following error message was displayed in the device server logs: Error(43): A libcurl function was given a bad argument.
Addressed
10.2.4
PAN-204118
Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.
Addressed
10.2.4
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
Addressed
10.2.4
PAN-203964
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error.
Addressed
10.2.4
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
Addressed
10.2.4
PAN-203796
Fixed an issue where legitimate syn+ack packets were dropped after an invalid syn+ack packet was ingressed.
Addressed
10.2.4
PAN-203681
(Panorama appliances in FIPS-CC mode only) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
Addressed
10.2.4
PAN-203663
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Addressed
10.2.4
PAN-203653
Fixed an issue where dynamic updates were completed even when configuration commits failed, which caused the all_task process to stop responding.
Addressed
10.2.4
PAN-203618
Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.
Addressed
10.2.4
PAN-203604
Fixed an issue where GlobalProtect authentication failed for a SAML username containing a special character.
Addressed
10.2.4
PAN-203563
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a CUSTOM_UPDATE_BLOCK error message.
Addressed
10.2.4
PAN-203430
Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
Addressed
10.2.4
PAN-203402
Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.
Addressed
10.2.4
PAN-203362
Fixed an issue where the rasmgr process restarted due to a null reference.
Addressed
10.2.4
PAN-203339
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
Addressed
10.2.4
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
Addressed
10.2.4
PAN-203320
Fixed an issue where, when the firewall was configured to connect to Panorama using an auth key and the auth key was created without first adding the managed firewall to Panorama, the auth key was incorrectly decremented.
Addressed
10.2.4
PAN-203147
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
Addressed
10.2.4
PAN-203137
(PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.2.4
PAN-202946
Fixed an issue where the request high-availability session-reestablish command was not available via the API.
Addressed
10.2.4
PAN-202918
Fixed an issue where processing route-table entries did not work as expected.
Addressed
10.2.4
PAN-202872
Fixed an issue where an incorrect URL list limit displayed during a commit.
Addressed
10.2.4
PAN-202783
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.2.4
PAN-202722
Fixed an issue where the factor completion time for login events learned through the XML API displayed as 1969/12/31 19:00:00.
Addressed
10.2.4
PAN-202593
Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.
Addressed
10.2.4
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.2.4
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.2.4
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.2.4
PAN-202451
Fixed an issue where retrieving the Framed-IP-Address attribute from the authentication server failed, which caused a GlobalProtect connection failure with the error Assign private IP address failed.
Addressed
10.2.4
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.4
PAN-202295
Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.
Addressed
10.2.4
PAN-202282
Fixed an issue where stats dump files did not display all necessary reports.
Addressed
10.2.4
PAN-202264
(VM-Series firewalls only) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.
Addressed
10.2.4
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
Addressed
10.2.4
PAN-202194
Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.
Addressed
10.2.4
PAN-202140
Fixed an issue where the comm process stopped responding due to an OOM condition.
Addressed
10.2.4
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.2.4
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Addressed
10.2.4
PAN-202040
(PA-220 firewalls only) Fixed an issue where ECDSA fingerprints were not displayed.
Addressed
10.2.4
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.2.4
PAN-201973
(PA-3400 Series firewalls only) Fixed an issue where the management interface could not be assigned as an HA port.
Addressed
10.2.4
PAN-201954
Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had device_tags selected in the target section.
Addressed
10.2.4
PAN-201910
Fixed an issue where some Security profiles consumed a large amount of memory, which reduced the number of supported Security profiles below the stated maximum for a platform.
Addressed
10.2.4
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.2.4
PAN-201860
Fixed an issue where the Device Quarantine list was not redistributed or updated on Panorama and Prisma Access in a full mesh topology.
Addressed
10.2.4
PAN-201858
Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic.
Addressed
10.2.4
PAN-201839
Fixed an issue where GlobalProtect HIP match failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.
Addressed
10.2.4
PAN-201818
Fixed an issue where INIT SCTP packets were dropped after being processed by the CTD, and silent drops occurred even with SCTP no-drop function enabled.
Addressed
10.2.4
PAN-201714
Fixed an issue with GlobalProtect where attempting to authenticate with the GlobalProtect gateway returned a 502 error code.
Addressed
10.2.4
PAN-201701
Fixed an issue where the firewall generated system log alerts if the RAID for a system or log disk was corrupted.
Addressed
10.2.4
PAN-201639
Fixed an issue with SaaS Application Usage reports where Applications with Risky Characteristics displayed only two applications per section.
Addressed
10.2.4
PAN-201632
Fixed an issue where the all_task process stopped responding with a segmentation fault due to an invalid interface port.
Addressed
10.2.4
PAN-201601
Fixed an issue where the all_task process stopped responding after adding custom hyperscan signatures.
Addressed
10.2.4
PAN-201587
Fixed an issue where the App Pcaps directory size was incorrectly detected, which caused commit errors.
Addressed
10.2.4
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
Addressed
10.2.4
PAN-201561
Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.
Addressed
10.2.4
PAN-201360
Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.
Addressed
10.2.4
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.4
PAN-201136
Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.
Addressed
10.2.4
PAN-201085
(
PA-5450 firewalls only
) Fixed an issue where inserting the NPC and DPC on slot2 created excessive logs in the
bcm.log
file.
Addressed
10.2.4
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.2.4
PAN-200914
(
PA-3440 firewalls only
) Fixed an issue where the default NAT DIPP pool oversubscription was set to 2 instead of 4.
Addressed
10.2.4
PAN-200845
(
M-600 Appliances in Management-only mode only
) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
Addressed
10.2.4
PAN-200774
Fixed an issue where SCEP certificate import did not work on the firewall when the certificate name contained a period ( . ).
Addressed
10.2.4
PAN-200676
Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.
Addressed
10.2.4
PAN-200463
Fixed an issue where disabling
strict-username-check
did not apply to admin users authenticating with SAML.
Addressed
10.2.4
PAN-200356
Fixed an issue where the
Elapsed seconds
field incorrectly displayed as 0 for DHCP packets coming from the firewall.
Addressed
10.2.4
PAN-200354
Fixed an issue where the firewall did not initiate scheduled log reports.
Addressed
10.2.4
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
Addressed
10.2.4
PAN-200116
Fixed an issue where Elasticsearch displayed red due to frequent tunnel check failures between HA clusters.
Addressed
10.2.4
PAN-200103
Fixed an issue where decryption logs were not displayed under
Manage Custom Reports
for custom Panorama admin users.
Addressed
10.2.4
PAN-200102
Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.
Addressed
10.2.4
PAN-200035
Fixed an issue where the firewall reported
General TLS Protocol Error
for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.
Addressed
10.2.4
PAN-200019
Fixed an issue on Panorama where
Virtual Routers
(
Network > Virtual Routers
) was not available when configuring a custom Panorama admin role (
Panorama > Admin Roles
).
Addressed
10.2.4
PAN-199965
Fixed an issue where the reportd process stopped responding on log collectors during query and report operations due to a race condition between request handling threads.
Addressed
10.2.4
PAN-199821
Fixed an issue where the
Include/Exclude IPs
filter under
Data Redistribution
did not consistently filter IP addresses correctly.
Addressed
10.2.4
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
Addressed
10.2.4
PAN-199726
Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.
Addressed
10.2.4
PAN-199661
(
VM-Series firewalls in ESXi environments only
) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP Alerts. This occurred when the driver name was not compatible with new DPDK versions.
Addressed
10.2.4
PAN-199612
Fixed a sync issue with firewalls in active/active HA configurations.
Addressed
10.2.4
PAN-199570
Fixed an issue where uploading certificates using a custom admin role did not work as expected after a context switch.
Addressed
10.2.4
PAN-199543
Fixed an issue where RADIUS and TLS authentication failed because the shared secret was stripped in FIPS mode.
Addressed
10.2.4
PAN-199500
Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.
Addressed
10.2.4
PAN-199410
Fixed an issue where system logs for syslog activities were categorized as
general
under
Type
and
EVENT
columns.
Addressed
10.2.4
PAN-199214
Fixed an intermittent issue where downloading
threat pcap
via XML API failed with the following error message:
/opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist
.
Addressed
10.2.4
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
10.2.4
PAN-198920
Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.
Addressed
10.2.4
PAN-198889
Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 release and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.
Addressed
10.2.4
PAN-198871
Fixed an issue where, when both URL and Advanced URL licenses were installed, the expiry date was not correctly checked.
Addressed
10.2.4
PAN-198718
(
PA-5280 firewalls only
) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.2.4
PAN-198693
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
Addressed
10.2.4
PAN-198691
Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where
/php/login.php
performance was slow when large amounts of traffic were being processed.
Addressed
10.2.4
PAN-198575
Fixed an issue where data did not load when filtering by
Threat Name
(
ACC > Threat Activity
).
Addressed
10.2.4
PAN-198333
Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.
Addressed
10.2.4
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
Addressed
10.2.4
PAN-198174
Fixed an issue where, when viewing traffic or threat logs from the
Application Command Center
(ACC) or
Monitor
tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.
Addressed
10.2.4
PAN-198078
Fixed an issue where VXLAN keepalive packets were dropped randomly.
Addressed
10.2.4
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.2.4
PAN-197953
Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.
Addressed
10.2.4
PAN-197935
Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.
Addressed
10.2.4
PAN-197919
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
Addressed
10.2.4
PAN-197908
Fixed an issue where Cortex Data Lake flaps occurred for long durations which caused a memory leak related to the
mgmtsrvr
process.
Addressed
10.2.4
PAN-197877
Fixed an intermittent issue on Panorama where the distributord process stopped responding.
Addressed
10.2.4
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
Addressed
10.2.4
PAN-197847
Fixed an issue where disabling the
enc-algo-aes-128-gcm
cipher did not work when using an SSL/TLS profile.
Addressed
10.2.4
PAN-197737
Fixed an issue where the connection to the PAN-DB server failed with the following error message:
Failed to send req type[3], curl error: Couldn't resolve host name
.
Addressed
10.2.4
PAN-197729
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
Addressed
10.2.4
PAN-197678
Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.
Addressed
10.2.4
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.2.4
PAN-197563
Fixed an issue in the User Activity Report where output fields started with the letter b.
Addressed
10.2.4
PAN-197549
Fixed an issue where making GlobalProtect gateway configuration changes resulted in a HIP notification error.
Addressed
10.2.4
PAN-197426
Fixed an issue on Panorama where, when attempting to view the
Monitor page
, the error
invalid term
was displayed.
Addressed
10.2.4
PAN-197386
Fixed an issue where traffic that was subject to network packet broker inspection entered a looping state due to incorrect session offload.
Addressed
10.2.4
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
Addressed
10.2.4
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
Addressed
10.2.4
PAN-197203
Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.
Addressed
10.2.4
PAN-197121
Fixed an issue where incorrect user details were displayed under the
USER DETAIL
drop-down (
ACC > Network activity > User activity
).
Addressed
10.2.4
PAN-197115
Fixed an issue where, when the total number of in-use HIP profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP profile even though a HIP match log was generated.
Addressed
10.2.4
PAN-197097
Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.
Addressed
10.2.4
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.2.4
PAN-196874
Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.
Addressed
10.2.4
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.
Addressed
10.2.4
PAN-196811
Fixed an issue where logout events without a username caused high CPU usage.
Addressed
10.2.4
PAN-196715
Fixed an issue where you could not directly edit
Services
and
Address
objects from the
Policies
tab.
Addressed
10.2.4
PAN-196704
Fixed an issue where
Preview Changes on Panorama Push to Devices
incorrectly displayed changes to encrypted entries.
Addressed
10.2.4
PAN-196701
Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.
Addressed
10.2.4
PAN-196671
(
PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430 firewalls only
) Addressed an issue to improve network latency.
Addressed
10.2.4
PAN-196583
Fixed an issue where the Cisco TrustSec plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.2.4
PAN-196566
Fixed an issue where the useridd process restarted repeatedly, which led to an OOM condition.
Addressed
10.2.4
PAN-196558
Fixed an issue where IP address tag policy updates were delayed.
Addressed
10.2.4
PAN-196474
Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect
ERR_TIME_OUT
message instead of an
ERR_CONNECTION_RESET
message.
Addressed
10.2.4
PAN-196467
Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.
Addressed
10.2.4
PAN-196457
Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.
Addressed
10.2.4
PAN-196452
Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.
Addressed
10.2.4
PAN-196450
Fixed an issue where certificates with whitespaces in the name or common name (CN) were not able to be imported.
Addressed
10.2.4
PAN-196410
Fixed an issue where you were unable to customize the risk value in
Risk-of-app
.
Addressed
10.2.4
PAN-196309
(
PA-5450 firewalls only
) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
Addressed
10.2.4
PAN-196131
Fixed an issue where the comm process stopped responding when a show command was executed in two sessions.
Addressed
10.2.4
PAN-196105
Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.
Addressed
10.2.4
PAN-196050
Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.
Addressed
10.2.4
PAN-196003
Fixed an issue where the
Adjust Columns
options for Panorama traffic logs did not correctly auto-adjust the columns.
Addressed
10.2.4
PAN-195988
Fixed an issue where commits failed when an AS path regular expression that included the ( _ ) character was specified in the virtual router BGP configuration export rule.
Addressed
10.2.4
PAN-195893
Fixed an issue where daily PDF summary reports were not generated when the
Application Report
was selected.
Addressed
10.2.4
PAN-195869
Fixed an issue where scheduled custom reports based on firewall data did not display any information.
Addressed
10.2.4
PAN-195828
Fixed an issue where SNMP reported the
panVsysActiveTcpCps
and
panVsysActiveUdpCps
value to be 0.
Addressed
10.2.4
PAN-195792
Fixed an issue where, when generating a stats dump file for a managed device from Panorama (
Panorama > Support > Stats Dump File
), the file did not display any data.
Addressed
10.2.4
PAN-195790
Fixed an issue where syslog traffic was sent from the management interface to the syslog server even when a destination IP address service route was configured.
Addressed
10.2.4
PAN-195713
Fixed an issue where clientless VPN applications were not displayed in the GlobalProtect portal page.
Addressed
10.2.4
PAN-195695
Fixed an issue where the AppScope Summary report and PDF report export function did not work as expected.
Addressed
10.2.4
PAN-195669
Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated
CMS Redistribution Client is connected to global collector
messages.
Addressed
10.2.4
PAN-195659
Fixed an issue with firewalls in HA configurations where ping responses from the target IP addresses were significantly delayed after a configuration push.
Addressed
10.2.4
PAN-195583
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error
object name is not an allowed keyword
.
Addressed
10.2.4
PAN-195526
Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.
Addressed
10.2.4
PAN-195374
(
Firewalls in active/passive HA configurations only
) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.
Addressed
10.2.4
PAN-195201
Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.
Addressed
10.2.4
PAN-195200
Fixed an issue where Panorama did not attach and email scheduled reports (
Monitor > PDF > Reports > Email Scheduler
) when the size of the email attachments was large.
Addressed
10.2.4
PAN-195114
Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.
Addressed
10.2.4
PAN-195107
(
PA-7000 Series firewalls with LFCs only
) Fixed an issue where the IP address of the LFC displayed as
unknown
.
Addressed
10.2.4
PAN-195064
Fixed an issue where the log collector did not forward correlation logs to the syslog server.
Addressed
10.2.4
PAN-194912
Fixed an issue where the CLI command
show applications list
did not return any outputs.
Addressed
10.2.4
PAN-194812
Fixed an issue where generating reports via XML API failed when the serial number was set as
target
in the query.
Addressed
10.2.4
PAN-194805
Fixed an issue where scheduled configuration backups to the SCP server failed with error message
No ECDSA host key is known
.
Addressed
10.2.4
PAN-194737
Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.
Addressed
10.2.4
PAN-194704
Fixed an issue with SIP ALG where improper NAT was applied when Destination NAT ran out of IP addresses.
Addressed
10.2.4
PAN-194615
Fixed an issue where the packet broker session timeout value did not match the master session timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that the broker session times out within 1 second after the master session timed out.
Addressed
10.2.4
PAN-194441
Fixed an issue where the dataplane CPU usage was higher than expected due to packet looping in the broker session when the network packet broker was enabled.
Addressed
10.2.4
PAN-194175
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and
Share Unused Address and Service Objects with Devices
was unchecked.
Addressed
10.2.4
PAN-194068
(
PA-5200 Series firewalls only
) Fixed an issue where the firewall unexpectedly rebooted with the log message
Heartbeat failed previously
.
Addressed
10.2.4
PAN-194043
Fixed an issue where
Managed Devices > Summary
did not reflect new tag values after an update.
Addressed
10.2.4
PAN-194031
(
PA-220 Firewalls only
) Fixed an issue where system log configurations did not work as expected due to insufficient process timeout after a logrcvr process restart.
Addressed
10.2.4
PAN-194025
Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.
Addressed
10.2.4
PAN-193879
Fixed an issue on Panorama where the push scope was delayed for commit and push operations.
Addressed
10.2.4
PAN-193831
Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.
Addressed
10.2.4
PAN-193808
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
Addressed
10.2.4
PAN-193733
(
Firewalls in multi-vsys environments only
) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.
Addressed
10.2.4
PAN-193619
Fixed an issue where air-gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.
Addressed
10.2.4
PAN-193558
Fixed an issue where log retention settings
Multi Disk
did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.
Addressed
10.2.4
PAN-193396
Fixed an issue where the source user name was displayed in traffic logs even when
Show User Names In Logs and Reports
was disabled for a custom admin role.
Addressed
10.2.4
PAN-193323
Fixed an issue where root partition utilization reached 100% due to old mdb logs not being purged as expected.
Addressed
10.2.4
PAN-193281
Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.
Addressed
10.2.4
PAN-193245
Fixed an issue that occurred when using
syslog-ng
forwarding via SSL with a certificate that listed a Base Common Name (CN) and multiple Subject Alternative Names (SANs).
Addressed
10.2.4
PAN-193175
Fixed an issue where
PBP Drops (8507)
threat logs were incorrectly logged as
SCTP Init Flood (8506)
.
Addressed
10.2.4
PAN-193043
Fixed an issue where firewalls in Google Cloud Platform (GCP) inserted the hostname as
PA-VM
in the syslog header instead of the DHCP assigned hostname when logs were being sent to the syslog server.
Addressed
10.2.4
PAN-193026
Fixed an issue where warning messages were generated during commits when configuration details of two profiles were identical.
Addressed
10.2.4
PAN-192681
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Addressed
10.2.4
PAN-192513
Fixed an issue where log migration did not work when converting a Legacy mode Panorama appliance to Log Collector mode.
Addressed
10.2.4
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.2.4
PAN-192417
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.2.4
PAN-192296
Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the size of the report was smaller than expected.
Addressed
10.2.4
PAN-192244
Fixed an issue where scheduled log export jobs continued to run even after being deleted.
Addressed
10.2.4
PAN-192193
Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message:
Export Error, Error while exporting
Addressed
10.2.4
PAN-192188
(
PA-5450 firewalls only
) Fixed an issue where the
show running resource-monitor ingress-backlogs
CLI command failed with the following error message:
Server error : Failed to intepret the DP response
.
Addressed
10.2.4
PAN-192092
Fixed an issue with firewalls in active/passive HA configurations where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.
Addressed
10.2.4
PAN-192076
Added debug logs for visibility into an OpenSSL memory initialization issue that caused unexpected failovers.
Addressed
10.2.4
PAN-191997
Fixed an issue where log queries did not successfully filter the
unknown
category.
Addressed
10.2.4
PAN-191652
Fixed an issue with Prisma Cloud where a commit push failed due to the error
Error: failed to handle TDB_UPDATE_BLOCK
.
Addressed
10.2.4
PAN-191463
Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.
Addressed
10.2.4
PAN-191408
Fixed an issue where the firewall did not correctly receive dynamic address group information from Panorama after a reboot or initial connection.
Addressed
10.2.4
PAN-191390
(
VM-Series firewalls only
) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.
Addressed
10.2.4
PAN-191352
Fixed an intermittent issue where high latency was observed on the web interface and CLI due to high CPU usage related to the sadc process.
Addressed
10.2.4
PAN-191235
Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.
Addressed
10.2.4
PAN-191032
Fixed an issue on Panorama where
Managed Devices
displayed
Unknown
.
Addressed
10.2.4
PAN-190533
Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.
Addressed
10.2.4
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the
neq
operator.
Addressed
10.2.4
PAN-190454
Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under
shared location
.
Addressed
10.2.4
PAN-190409
(
PA-5450 and PA-3200 Series firewalls that use an FE101 processor only
) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate Ethernet group when the session was offloaded. With this fix, you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag
is the default behavior (tag based on the CPU, tuple based on the FE).
tuple
is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.2.4
PAN-190266
Fixed an issue that caused the all_task process to stop responding at the
pan_sdwan_qualify_if_ini
function.
Addressed
10.2.4
PAN-189960
Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.
Addressed
10.2.4
PAN-189866
Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.
Addressed
10.2.4
PAN-189783
Fixed an issue where container resource limits were not enforced for all processes when running inside a container.
Addressed
10.2.4
PAN-189719
Fixed an issue on Panorama where
Test Server Connection
failed in an HTTP server profile with the following error message:
failed binding local connection end
.
Addressed
10.2.4
PAN-189718
Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.
Addressed
10.2.4
PAN-189666
Fixed an issue where GlobalProtect portal connections failed after random commits when multiple agent configurations were provisioned and configuration selection criteria using certificate profile was used.
Addressed
10.2.4
PAN-189643
Fixed an issue where, when QoS was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.2.4
PAN-189518
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
Addressed
10.2.4
PAN-189425
Fixed an issue on Panorama where
Export Panorama and devices config bundle
(
Panorama > Setup > Operations
) failed with the following error message:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
.
Addressed
10.2.4
PAN-189379
Fixed an issue where FQDN based Security policy rules did not match correctly.
Addressed
10.2.4
PAN-189375
Fixed an issue where, when migrating the firewall, the firewall dropped packets when trying to re-use the TCP session.
Addressed
10.2.4
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
Addressed
10.2.4
PAN-189300
Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log
Failed to sync vm-auth-key
when a VM authentication key was generated on the active appliance.
Addressed
10.2.4
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
Addressed
10.2.4
PAN-189027
Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect.
Addressed
10.2.4
PAN-188933
Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.
Addressed
10.2.4
PAN-188912
Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.
Addressed
10.2.4
PAN-188519
(
VM-Series firewalls only
) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.
Addressed
10.2.4
PAN-188904
Fixed an issue where web pages and web page contents were not properly loaded when cloud inline categorization was enabled.
Addressed
10.2.4
PAN-188506
Fixed an issue where the
ctd_dns_malicious_fwd
counter incorrectly increased incrementally.
Addressed
10.2.4
PAN-188403
Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.
Addressed
10.2.4
PAN-188348
Fixed an issue where Encapsulating Security Payload (ESP) packets originating from the firewall were dropped when strict IP address check was enabled in a zone protection profile.
Addressed
10.2.4
PAN-188291
Fixed an issue where, when using Global Find on the web interface to search for a given
Hostname Configuration (Device > Setup > Management)
, clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective
Template
field automatically.
Addressed
10.2.4
PAN-188272
(
PA-5200 Series and PA-7000 Series firewalls only
) Fixed an issue where
Support UTF-8 For Log Output
wasn't visible on the web interface.
Addressed
10.2.4
PAN-188118
Fixed an issue with firewalls in FIPS mode that prevented device telemetry from connecting.
Addressed
10.2.4
PAN-187763
Fixed an issue where DNS Security logs did not display a threat category, threat name, or threat ID when domain names contained 64 or more characters.
Addressed
10.2.4
PAN-187438
(
PA-5400 Series firewalls only
) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.2.4
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
Addressed
10.2.4
PAN-186530
Fixed an issue where the current date was incorrectly printed as the last license check date.
Addressed
10.2.4
PAN-186471
Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.
Addressed
10.2.4
PAN-186412
Fixed an issue where invalid
packet-ptr
was seen in work entries.
Addressed
10.2.4
PAN-186294
Fixed an issue where commits from Panorama failed on the firewall due to the virtual router name character limit.
Addressed
10.2.4
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.2.4
PAN-185770
Fixed an issue where the firewall displayed the error message
Malformed Request
when an email address included an ampersand ( & ) when configuring an email server profile.
Addressed
10.2.4
PAN-185466
Fixed an issue where WildFire submission did not work as expected.
Addressed
10.2.4
PAN-185394
(
PA-7000 Series firewalls only
) Fixed an issue where not all changes to the template were reflected on the firewall.
Addressed
10.2.4
PAN-185360
Fixed an issue where, when Captive Portal Authentication was configured,
l3svc_ngx_error.log
and
l3svc_access.log
did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.
Addressed
10.2.4
PAN-185287
(
PA-7050 firewalls with Network Processing Cards (NPCs) only
) Debug commands were added to address an issue where the firewall's NPC Slot2 failed and multiple dataplane processes stopped responding.
Addressed
10.2.4
PAN-185234
(
VM-Series firewalls only
) Fixed an issue where the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.
Addressed
10.2.4
PAN-184744
Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.
Addressed
10.2.4
PAN-183524
Fixed an issue where GTPv2-c and GTP-U traffic was identified with
insufficient-data
in the traffic logs.
Addressed
10.2.4
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP address header checksum was not dropped.
Addressed
10.2.4
PAN-183126
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
Addressed
10.2.4
PAN-182875
Fixed an issue where certificate generation using SCEP did not take more than one organizational unit (OU).
Addressed
10.2.4
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.2.4
PAN-182167
Removed a duplicate save filter icon in the Audit Comment Archive for Security Rule Audit Comments tab.
Addressed
10.2.4
PAN-181968
(
PA-400 Series firewalls in active/passive HA configurations only
) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.
Addressed
10.2.4
PAN-181334
Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.
Addressed
10.2.4
PAN-181129
Improved protection against unexpected packets and error handling for traffic identified as SIP.
Addressed
10.2.4
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message
Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh
.
Addressed
10.2.4
PAN-180690
Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding Detection (BFD) packets when IP Spoofing protection was enabled in a Zone Protection profile.
Addressed
10.2.4
PAN-179174
Fixed an issue where exported PDF report of the ACC was the incorrect color after upgrading from a PAN-OS 10.1 or later release.
Addressed
10.2.4
PAN-178951
Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.
Addressed
10.2.4
PAN-178728
Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.
Addressed
10.2.4
PAN-177942
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
Addressed
10.2.4
PAN-177562
Fixed an issue where PDF reports were not translated to the configured local language.
Addressed
10.2.4
PAN-177201
Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.
Addressed
10.2.4
PAN-176989
Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.
Addressed
10.2.4
PAN-176379
Fixed an issue where, when multiple virtual routers were configured under a Panorama template, a virtual router could only select itself as the next hop.
Addressed
10.2.4
PAN-175244
Fixed an issue on Panorama where the configd process stopped responding when adding, deleting or listing an authentication key.
Addressed
10.2.4
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
Addressed
10.2.4
PAN-175061
Fixed an issue where filtering threat logs using any value under
THREAT ID/NAME
displayed the error
Invalid term
.
Addressed
10.2.4
PAN-174953
Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.
Addressed
10.2.4
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
Addressed
10.2.4
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.2.4
PAN-174027
Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message:
Error: Duplicate address name.
Addressed
10.2.4
PAN-171927
Fixed an issue where incorrect results were displayed when filtering logs in the
Monitor
tab.
Addressed
10.2.4
PAN-171300
Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which forced the user to change their password again when logging in to the firewall.
Addressed
10.2.4
PAN-170414
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple
panio
commands using extra memory.
Addressed
10.2.4
PAN-157199
(
PA-220 firewalls only
) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.
Addressed
10.2.4
PAN-142701
Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.
Known
10.2.5
WF500-5854
The WildFire analysis report on the firewall log viewer (
Monitoring
WildFire Submissions
) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround
: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the
Detailed Log View
.
Known
10.2.5
WF500-5843
In a WildFire appliance cluster, issuing the
show cluster-all peers
CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.5
WF500-5840
The sample analysis statistics that are returned when issuing the
show wildfire local statistics
CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.5
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected:
show wildfire global signature-status
. This does not affect the WildFire appliance's ability to analyze samples.
Known
10.2.5
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.5
WF500-5754
In WildFire appliance clusters, issuing the
show cluster controller
CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.5
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.5
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the CLI of the active HA peer and trigger a manual synchronization of the running configuration to the passive HA peer.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
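The workaround above is a manual CLI sequence. The same operational commands can be driven through the PAN-OS XML API, where an op command is the CLI command rewritten as nested XML (`request high-availability sync-to-remote running-config` becomes `<request><high-availability><sync-to-remote><running-config/></sync-to-remote></high-availability></request>`). The Python below is an added example, not Palo Alto Networks code: it converts a keyword-only CLI command into that XML form, assembles the API query string, and reads the status attribute of the reply. The host name, API key and the two reply documents are constructed placeholders, and commands that carry values (such as `show jobs id 5`) are deliberately rejected rather than encoded wrongly.

```python
"""Drive a PAN-OS/Panorama operational command through the XML API.

Added example (not Palo Alto Networks code). Assumes the documented API
shape: GET /api/?type=op&cmd=<nested XML>&key=<api key>, answered by a
<response status="success|error"> document. Host, key and replies below
are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample replies in the shape the API returns; not captured output.
SAMPLE_OK = (
    '<response status="success"><result><msg><line>'
    'HA config sync job queued</line></msg></result></response>'
)
SAMPLE_ERROR = (
    '<response status="error" code="18"><msg><line>'
    'Malformed Request</line></msg></response>'
)


def cli_to_op_xml(command: str) -> str:
    """Rewrite a keyword-only CLI command as the nested XML the API expects.

    'request high-availability sync-to-remote running-config' becomes
    <request><high-availability><sync-to-remote><running-config />...
    (ElementTree writes empty elements as '<name />'). Tokens that do not
    look like keywords, e.g. the numeric value in 'show jobs id 5', would
    need to go in as element text, so they are rejected here.
    """
    words = command.split()
    if not words:
        raise ValueError("empty command")
    for w in words:
        if not w[0].isalpha() or not all(ch.isalnum() or ch in "-_" for ch in w):
            raise ValueError(f"non-keyword token {w!r}: encode values as element text")
    root = ET.Element(words[0])
    node = root
    for w in words[1:]:
        node = ET.SubElement(node, w)
    return ET.tostring(root, encoding="unicode")


def build_op_url(host: str, api_key: str, command: str) -> str:
    """Assemble the request URL; urlencode percent-encodes the XML and the key."""
    query = urlencode({"type": "op", "cmd": cli_to_op_xml(command), "key": api_key})
    return f"https://{host}/api/?{query}"


def parse_api_response(body: str) -> tuple:
    """Return (ok, message) from a <response> document; raises on non-XML."""
    root = ET.fromstring(body)
    ok = root.get("status") == "success"
    message = root.findtext(".//line") or root.findtext(".//msg") or ""
    return ok, message.strip()


def ha_sync_url(panorama_host: str, api_key: str) -> str:
    """URL for step 3 of the workaround: sync the running config to the HA peer.
    Send it to the active peer, the same one the CLI step targets."""
    return build_op_url(panorama_host, api_key,
                        "request high-availability sync-to-remote running-config")


if __name__ == "__main__":
    print(ha_sync_url("panorama.example.net", "REPLACE-WITH-API-KEY"))
    print(parse_api_response(SAMPLE_OK))
    print(parse_api_response(SAMPLE_ERROR))
```

Treat the API key like a password: it is sent as a query parameter, so keep it out of shell history and proxy logs, and check `status="error"` on every reply rather than assuming the job was queued.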
Known
10.2.5
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.5
PAN-228273
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health
command displays the
status
is
red
. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.5
PAN-227344
On the Panorama management server, PDF Summary Reports (
Monitor
PDF Reports
Manage PDF Summary
) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.5
PAN-225337
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a
    Shared
    and vsys-specific device group configuration object with an identical name. For example, a
    Shared
    address object called
    SharedAO1
    and a vsys-specific address object also called
    SharedAO1
    .
  2. Reference the
    Shared
    object in another
    Shared
    configuration. For example, reference the
    Shared
    address object (
    SharedAO1
    ) in a
    Shared
    address group called
    SharedAG1
    .
  3. Use the
    Shared
    configuration object with the reference in a vsys-specific configuration. For example, reference the
    Shared
    address group (
    SharedAG1
    ) in a vsys-specific policy rule.
Workaround:
Select
Panorama
Setup
Management
and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices
    —This option pushes all
    Shared
    objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence
    —This option specifies that when objects share the same name, ancestor objects take precedence over descendant objects. In this case, the
    Shared
    objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the
    Shared
    SharedAO1
    object was
    10.1.1.1
    and the device group specific
    SharedAO1
    was
    10.2.2.2
    , the
    10.1.1.1
    IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the
Shared
objects in your configuration.
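The failure pattern in PAN-225337 is a name collision between a Shared object and a device group object that a Shared reference then pulls into vsys scope. Such collisions can be caught before a push by reading the Panorama configuration XML. The Python below is an added example, not Palo Alto Networks code: it walks the Shared and device group address, address group, service and service group containers, reports any name defined at more than one level, and shows which definition wins under the default rule and under Objects defined in ancestors will take higher precedence. The configuration fragment is constructed to reproduce the SharedAO1/SharedAG1 case from the text; the container paths follow the standard Panorama layout (config/shared/... and config/devices/entry/device-group/entry/...).

```python
"""Find Shared vs device group object name collisions in a Panorama config
export and show which definition wins under each precedence setting.

Added example, not Palo Alto Networks code. Paths follow the standard
Panorama layout: /config/shared/<type>/entry and
/config/devices/entry/device-group/entry[@name]/<type>/entry. The XML
below is constructed to reproduce the PAN-225337 pattern.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

OBJECT_TYPES = ("address", "address-group", "service", "service-group")

# Constructed sample: Shared SharedAO1 (10.1.1.1) referenced by Shared
# SharedAG1, and a device group SharedAO1 (10.2.2.2) with the same name.
SAMPLE_CONFIG = """
<config>
  <shared>
    <address>
      <entry name="SharedAO1"><ip-netmask>10.1.1.1</ip-netmask></entry>
      <entry name="DNS-1"><ip-netmask>10.9.9.9</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="SharedAG1"><static><member>SharedAO1</member></static></entry>
    </address-group>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="DG-vsys1">
          <address>
            <entry name="SharedAO1"><ip-netmask>10.2.2.2</ip-netmask></entry>
          </address>
        </entry>
        <entry name="DG-vsys2">
          <address>
            <entry name="Web-1"><ip-netmask>10.3.3.3</ip-netmask></entry>
          </address>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""


def collect_objects(config_xml: str) -> dict:
    """Map (type, name) -> {scope: value}; scope is 'shared' or a device group name.
    value is the entry's first child rendered as 'tag=text' (e.g. ip-netmask=10.1.1.1)."""
    root = ET.fromstring(config_xml)
    objects = defaultdict(dict)

    def add(scope, container):
        for otype in OBJECT_TYPES:
            for entry in container.findall(f"./{otype}/entry"):
                child = next(iter(entry), None)
                value = f"{child.tag}={(child.text or '').strip()}" if child is not None else ""
                objects[(otype, entry.get("name"))][scope] = value

    shared = root.find("./shared")
    if shared is not None:
        add("shared", shared)
    for dg in root.findall("./devices/entry/device-group/entry"):
        add(dg.get("name"), dg)
    return dict(objects)


def find_collisions(config_xml: str) -> dict:
    """Names defined both in Shared and in at least one device group."""
    return {key: scopes for key, scopes in collect_objects(config_xml).items()
            if "shared" in scopes and len(scopes) > 1}


def effective_value(scopes: dict, device_group: str, ancestors_take_precedence: bool) -> str:
    """Default: the device group (descendant) definition overrides Shared.
    With 'Objects defined in ancestors will take higher precedence': Shared wins."""
    if ancestors_take_precedence and "shared" in scopes:
        return scopes["shared"]
    if device_group in scopes:
        return scopes[device_group]
    return scopes.get("shared", "")


if __name__ == "__main__":
    for (otype, name), scopes in find_collisions(SAMPLE_CONFIG).items():
        print(f"{otype} {name!r} defined in: {', '.join(scopes)}")
        for flag in (False, True):
            print(f"  ancestors-take-precedence={flag}: "
                  f"{effective_value(scopes, 'DG-vsys1', flag)}")
```

Run it against an export of the Panorama candidate configuration before pushing; a non-empty collision list is exactly the situation where flipping the global precedence setting silently changes which IP a vsys rule matches, so renaming the duplicate is usually the safer fix.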
Known
10.2.5
PAN-227368
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround:
Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
10.2.5
PAN-229865
This issue is now resolved. See
PAN-OS 10.2.6 Addressed Issues
.
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround:
On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.5
PAN-226768
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in
Connecting
stage after authentication and the GlobalProtect log displays the error message,
User is not in allow list
. This happens when the app is restarted or when the app tries to reconnect after disconnection.
Known
10.2.5
PAN-223677
(
PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls
) Enabling the Lockless QoS feature causes a slight, expected degradation in App-ID and Threat performance.
Known
10.2.5
PAN-223488
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.5
PAN-223457
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.5
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collector
) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin
debug elasticsearch es-restart all
Known
10.2.5
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
10.2.5
PAN-222418
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
The firewall intermittently records a reconnection message to the authentication server as an error, even if no disconnection occurs.
Known
10.2.5
PAN-222253
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.5
PAN-221775
A
Malformed Request
error is displayed when you
Test Connection
for an email server profile (
Device
Server Profiles
Email
) using
SMTP over TLS
and the
Password
includes an ampersand (&).
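PAN-221775, like the addressed PAN-185770, is a failure on an ampersand in a value. Whatever the internal cause on the device, a bare & in element text is not well-formed XML, so any script that assembles configuration XML for the XML API by string concatenation hits the same Malformed Request class of error. The Python below is an added example, not Palo Alto Networks code: it builds an email server entry through ElementTree so & is emitted as &amp;, contrasts that with naive concatenation, and percent-encodes the result for the API query string. The xpath and the from/to/gateway child elements are assumed from the email server profile layout in the configuration schema; verify them against your own running configuration before use.

```python
"""Build an email server profile element for the PAN-OS XML API without
letting an ampersand break the XML.

Added example, not Palo Alto Networks code. The xpath and the <server>
entry layout (from / to / gateway) are assumed from the configuration
schema; check them against 'show config running' on your own device.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumed location of a shared email server profile named {name}.
EMAIL_PROFILE_XPATH = "/config/shared/server-profile/email/entry[@name='{name}']"


def naive_server_entry(name: str, from_addr: str, to_addr: str, gateway: str) -> str:
    """String concatenation: a bare & in any value yields malformed XML."""
    return (f"<server><entry name='{name}'><from>{from_addr}</from>"
            f"<to>{to_addr}</to><gateway>{gateway}</gateway></entry></server>")


def safe_server_entry(name: str, from_addr: str, to_addr: str, gateway: str) -> str:
    """ElementTree escapes & < > in text and attributes (& becomes &amp;)."""
    server = ET.Element("server")
    entry = ET.SubElement(server, "entry", name=name)
    ET.SubElement(entry, "from").text = from_addr
    ET.SubElement(entry, "to").text = to_addr
    ET.SubElement(entry, "gateway").text = gateway
    return ET.tostring(server, encoding="unicode")


def is_well_formed(xml_text: str) -> bool:
    """True if the fragment parses, which the API requires before it can apply it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def recipient_from(xml_text: str) -> str:
    """Round-trip check: the parsed <to> text must equal the original value."""
    return ET.fromstring(xml_text).findtext("./entry/to")


def build_set_url(host: str, api_key: str, profile: str, element: str) -> str:
    """type=config&action=set request; urlencode turns &amp; into %26amp%3B so the
    entity survives the query string and is decoded back to & on the device."""
    query = urlencode({
        "type": "config",
        "action": "set",
        "xpath": EMAIL_PROFILE_XPATH.format(name=profile),
        "element": element,
        "key": api_key,
    })
    return f"https://{host}/api/?{query}"


if __name__ == "__main__":
    to_addr = "ops&alerts@example.net"   # constructed value containing an ampersand
    bad = naive_server_entry("smtp1", "fw@example.net", to_addr, "smtp.example.net")
    good = safe_server_entry("smtp1", "fw@example.net", to_addr, "smtp.example.net")
    print("naive well-formed:", is_well_formed(bad))     # False
    print("escaped well-formed:", is_well_formed(good))  # True
    print(build_set_url("fw.example.net", "REPLACE-WITH-API-KEY", "alerts", good))
```

The same two layers apply to any value pushed through the API, passwords included: escape for XML first, then percent-encode for the URL, and never do only one of the two.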
Known
10.2.5
PAN-221857
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Users are unable to log in to the GlobalProtect app using SAML authentication after the app is upgraded to 10.2.3-h4 and the GlobalProtect logs display the following error message:
Username from SAML SSO response is different from the input.
.
Known
10.2.5
PAN-221126
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
Email server profiles (
Device
Server Profiles
Email
and
Panorama
Server Profiles
Email
) to forward logs as email notifications are not forwarded in a readable format.
Workaround:
Use a
Custom Log Format
to forward logs as email notifications in a readable format.
Known
10.2.5
PAN-221015
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
) to be degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
10.2.5
PAN-220180
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Configured botnet reports (
Monitor
Botnet
) are not generated.
Known
10.2.5
PAN-219644
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.5
PAN-218521
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.5
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.5
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (
Device
High Availability
) in a template or template stack (
Panorama
Templates
), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go
Out of Sync
.
Known
10.2.5
PAN-215082
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
M-300 and M-700 appliances may generate erroneous system logs (
Monitor
Logs
System
) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.5
PAN-213746
On the Panorama management server, the
Hostkey
displayed as
undefined undefined
if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.2.5
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
10.2.5
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.5
PAN-212533
Modifying the
Administrator Type
for an existing administrator (
Device
Administrators
or
Panorama
Administrators
) from
Superuser
to a
Role-Based
custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.5
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
10.2.5
PAN-209288
Certificates are not successfully generated using SCEP (
Device
Certificate Management
SCEP
).
Known
10.2.5
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (
Objects
DLP
Data Filtering Profiles
) with the Action set to
Block
to a Security policy rule (
Policies
Security
).
Known
10.2.5
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.2.5
PAN-198708
On the Panorama management server, the
File Type
field does not display any data when you view the Detailed Log View in the Data Filtering log (
Monitor
Logs
Data Filtering
<select log>
DLP
).
Known
10.2.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as edited or deleted, despite no edits or deletions having been made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.2.5
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.5
PAN-196146
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
The VM-Series firewall on Azure does not boot up with the hostname specified in the init-cfg.txt file or in user data when bootstrapped.
Known
10.2.5
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround
: Retry the operation.
Known
10.2.5
PAN-194519
(
PA-5450 firewall only
) Trying to configure a custom payload format under
Device
Server Profiles
HTTP
yields a Javascript error.
Known
10.2.5
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.5
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.5
PAN-194202
(
PA-5450 firewall only
) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.5
PAN-193004
This issue is now resolved. See
PAN-OS 10.2.7 Addressed Issues
.
The Panorama management server fails to delete old IP Tag data. This causes the
/opt/pancfg
partition to reach maximum capacity which impacts Panorama performance.
Known
10.2.5
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.5
PAN-189111
After a CN-Series MP pod is deleted and comes back up, the
show routing
command output is empty and traffic stops working.
Known
10.2.5
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.5
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.2.5
PAN-187643
If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection
is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the
SCTP INIT
option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the
SCTP INIT
option available on the web interface.
Known
10.2.5
PAN-187612
On the Panorama management server, not all data profiles (
Objects
DLP Data Filtering Profiles
) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.5
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.5
PAN-187370
On a firewall with Advanced Routing enabled, a logical router instance that uses the default configuration and has no interfaces assigned to it causes the management daemon and the main routing daemon to terminate during commit.
Workaround
: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.5
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround
: Use
Commit
Push to Devices
to synchronize the templates.
Known
10.2.5
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.5
PAN-185286
This issue is now resolved. See
PAN-OS 10.2.8 Addressed Issues
.
(
PA-5400 Series firewalls only
) On the Panorama management server, the device health resources (
Panorama
Managed Devices
Health
) do not populate.
Known
10.2.5
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
10.2.5
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.5
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.5
PAN-181933
If you use multiple log forwarding cards (LFCs) on a PA-7000 Series firewall, not all of the cards may receive every update, so the client mappings can go out of sync across cards and the firewall does not correctly populate the Source User column in the session logs.
Known
10.2.5
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall that are set to Auto to go down.
Known
10.2.5
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.5
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround
: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.5
PAN-178194
A user interface issue in PAN-OS renders the contents of the
Inline ML
tab in the
URL Filtering Profile
inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model—
    admin#
    set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.5
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.5
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.5
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync to the HA peer.
Known
10.2.5
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.2.5
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.2.5
PAN-164885
This issue is now resolved. See
PAN-OS 10.2.10 Addressed Issues
.
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.5-h6
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.5-h4
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate: fetching device certificates failed with the error message
    OTP is not valid
    .
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.5-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.5-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.5-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.5-h4
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.5-h1
PAN-229705
Fixed an issue where running the
show rule-hit-count
CLI command on Panorama displayed the error message
Server error : Timed out while getting config lock. Please try again.
when attempting to log in or run CLI commands.
Addressed
10.2.5
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
Addressed
10.2.5
PAN-225340
Fixed an issue where GlobalProtect users were unable to connect after upgrading to PAN-OS 10.2.4 due to an incorrect client authentication configuration being selected.
Addressed
10.2.5
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
10.2.5
PAN-224273
Fixed an issue where the
debug dataplane pow status
CLI command did not display extended NIC statistics.
Addressed
10.2.5
PAN-223501
(
PA-5200 Series and PA-7000 Series firewalls only
) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.2.5
PAN-223317
Fixed an issue where SSL traffic failed with the error message:
Error: General TLS protocol error
.
Addressed
10.2.5
PAN-223185
Fixed an issue where the distributord process stopped responding.
Addressed
10.2.5
PAN-222712
(
PA-5450 firewalls only
) Fixed a low frequency DPC restart issue.
Addressed
10.2.5
PAN-221984
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.2.5
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.2.5
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
Addressed
10.2.5
PAN-221708
Fixed an issue where temporary files remained under /opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV file to the firewall.
Addressed
10.2.5
PAN-221647
Fixed an issue where the Apps seen value was not reflected on Panorama.
Addressed
10.2.5
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic during transmit because the driver reinitialized the same interface under certain failure or change conditions while a transmit was in progress.
Addressed
10.2.5
PAN-220899
Fixed an issue where you were unable to choose the manual GlobalProtect gateway.
Addressed
10.2.5
PAN-220747
Fixed an issue where logs were not visible after restarting the log collector.
Addressed
10.2.5
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
Addressed
10.2.5
PAN-220448
Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.
Addressed
10.2.5
PAN-220401
Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.
Addressed
10.2.5
PAN-220281
(PA-7080 firewalls only) Fixed an issue where auto-committing changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
Addressed
10.2.5
PAN-219690
Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.
Addressed
10.2.5
PAN-219686
Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls: vsys <vsys1> plugins unexpected here vsys is invalid Commit failed.
Addressed
10.2.5
PAN-219659
Fixed an issue where the root partition frequently filled up and the following error message was displayed: Disk usage for / exceeds limit, xx percent in use, cleaning filesystem.
Addressed
10.2.5
PAN-219640
Fixed an issue where a transformation migration script error caused a commit failure with the error message user-id-agent unexpected here. This occurred after upgrading the firewall from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.2.5
PAN-219573
Fixed an issue where tag names did not correctly display special characters.
Addressed
10.2.5
PAN-219508
(VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.2.5
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
Addressed
10.2.5
PAN-219351
Fixed an issue where the all_pktproc process stopped responding during Layer 7 processing.
Addressed
10.2.5
PAN-219253
Fixed an issue where, after making changes in a template, the Commit and Push option was grayed out.
Addressed
10.2.5
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.2.5
PAN-218697
Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.
Addressed
10.2.5
PAN-218644
Fixed an issue where the firewall generated incorrect VSA attribute codes when RADIUS was configured with EAP-based authentication protocols.
Addressed
10.2.5
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.2.5
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
10.2.5
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.2.5
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
Addressed
10.2.5
PAN-218264
(PA-3400 and PA-1400 Series firewalls only) Fixed an issue where packet drops occurred due to slow servicing of internal hardware queries.
Addressed
10.2.5
PAN-218151
Fixed an issue where a configuration push to a new firewall did not work and displayed validation errors.
Addressed
10.2.5
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
10.2.5
PAN-218001
(PA-400 Series firewalls only) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.
Addressed
10.2.5
PAN-217681
Fixed an issue caused by out-of-order TCP segments where TCP retransmission failed when the TCP segment had the FIN flag set and the TCP data was truncated.
Addressed
10.2.5
PAN-217582
(VM-Series firewalls on Google Cloud Platform environments only) Fixed an issue where firewalls failed to load the virtual machine information source configuration.
Addressed
10.2.5
PAN-217581
Fixed an issue where the firewall did not initiate scheduled log uploads to the FTP server.
Addressed
10.2.5
PAN-217489
Fixed an issue with firewalls in active/passive HA configurations where MAC flapping occurred when the passive firewall was rebooted.
Addressed
10.2.5
PAN-217465
Fixed an issue where the Panorama web interface became unresponsive and displayed the error message 504 Gateway Not Reachable.
Addressed
10.2.5
PAN-217431
(PA-5400 Series firewalls with Data Processing Cards (DPCs) only) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.2.5
PAN-217284
Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to Fast.
Addressed
10.2.5
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.2.5
PAN-216996
Fixed an issue where multiple User-ID alerts were generated every 10 minutes.
Addressed
10.2.5
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contained the ampersand (&) character.
Addressed
10.2.5
PAN-216913
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the brdagent process stopped responding due to missed heartbeats, which caused the firewall to reboot. This occurred when the brdagent process and DPDK-managed ports became out of sync after the Azure infrastructure triggered a hotplug event.
Addressed
10.2.5
PAN-216821
Fixed an issue where the reportd process stopped responding after upgrading an M-200 appliance to PAN-OS 10.2.4.
Addressed
10.2.5
PAN-216662
Fixed an issue where a custom Anti-Spyware profile did not open and displayed the following error message: The server is not responding. Please wait and try your operation again later.
Addressed
10.2.5
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on firewalls running a PAN-OS 10.0 release.
Addressed
10.2.5
PAN-216360
Fixed an issue on Panorama where No Default Selections under Push to Devices was intermittently deselected after performing a commit operation.
Addressed
10.2.5
PAN-216170
(PA-400 Series firewalls in HA configurations only) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.
Addressed
10.2.5
PAN-216054
Fixed an issue that caused the firewall's fan speed to increase while it was idle.
Addressed
10.2.5
PAN-216048
Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message: hip profiles unexpected here.
Addressed
10.2.5
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.2.5
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.5
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate toward the syslog server was reduced. With this fix, the overall log forwarding rate has also been improved.
Addressed
10.2.5
PAN-215780
Fixed an issue where changes to Zone Protection profiles made via XML API were not reflected in the zone protection configuration.
Addressed
10.2.5
PAN-215778
Fixed an issue where API GET requests for /config timed out due to insufficient buffer size.
Addressed
10.2.5
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
Addressed
10.2.5
PAN-215503
Fixed a memory-related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
10.2.5
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
10.2.5
PAN-215338
(PA-5400 Series firewalls only) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.
Addressed
10.2.5
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10.
Addressed
10.2.5
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the Commit and Push or Push to Devices operation window to hang for several minutes.
Addressed
10.2.5
PAN-215058
Fixed a memory leak related to the logdb process.
Addressed
10.2.5
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.2.5
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.2.5
PAN-214753
Fixed an issue where retrieving WildFire Analysis reports for WildFire log entries under Detailed Log View displayed the error Fetching WildFire server xxx report failed!
Addressed
10.2.5
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
Addressed
10.2.5
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
Addressed
10.2.5
PAN-214201
Fixed an issue where, after exporting custom reports to CSV format, the letter b appeared at the beginning of each column.
Addressed
10.2.5
PAN-214187
Fixed an issue where superreader administrators were able to execute the request restart system CLI command.
Addressed
10.2.5
PAN-214026
Fixed an issue where, when using the ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as configured.
Addressed
10.2.5
PAN-213949
Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.
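The two ikemgr crashes listed here (PAN-218404, a CREATE_CHILD message with a malformed SA payload, and PAN-213949, a CREATE_CHILD message with no SA payload at all) are both failures to validate the IKEv2 payload chain before using it. The following Python is an added example written for this page, not Palo Alto Networks code: it parses the IKEv2 header and generic payload chain as framed in RFC 7296, bounds-checks every length before it is used, and rejects a CREATE_CHILD_SA request that lacks exactly one well-formed SA payload or the nonce, KE or traffic-selector payloads the proposal type requires. It works on the plaintext payload chain (a real CREATE_CHILD_SA carries it inside an Encrypted payload, assumed to be decrypted already). The SPIs, nonce bytes and transform values in the test builder are constructed, not captured.

```python
"""Defensive IKEv2 payload-chain parsing for CREATE_CHILD_SA (RFC 7296 framing)."""
import struct

IKE_HDR_LEN = 28
IKE_V2 = 0x20                       # major version 2, minor 0
EXCH_CREATE_CHILD_SA = 36
PT_NONE, PT_SA, PT_KE, PT_NONCE, PT_TSI, PT_TSR = 0, 33, 34, 40, 44, 45
PROTO_IKE = 1                       # proposal protocol IDs: 1 IKE, 2 AH, 3 ESP


class MalformedIKE(ValueError):
    """Raised for anything the responder must reject instead of dereference."""


def parse_header(msg):
    """Return (first payload type, exchange type) after checking version and length."""
    if len(msg) < IKE_HDR_LEN:
        raise MalformedIKE("truncated IKE header")
    _spi_i, _spi_r, first, ver, exch, _flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HDR_LEN])
    if ver >> 4 != 2:
        raise MalformedIKE(f"unsupported IKE major version {ver >> 4}")
    if length != len(msg):
        raise MalformedIKE(f"header length {length} != datagram length {len(msg)}")
    return first, exch


def parse_payloads(buf, first_type):
    """Walk the generic payload chain; every length is bounds-checked before use."""
    payloads, off, ptype = [], 0, first_type
    while ptype != PT_NONE:
        if off + 4 > len(buf):
            raise MalformedIKE("payload header runs past end of message")
        next_type, _crit, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4 or off + plen > len(buf):
            raise MalformedIKE(f"payload type {ptype} has bad length {plen}")
        payloads.append((ptype, buf[off + 4:off + plen]))
        off, ptype = off + plen, next_type
    if off != len(buf):
        raise MalformedIKE("trailing bytes after last payload")
    return payloads


def parse_sa_proposals(body):
    """Validate the proposal substructures of an SA payload (RFC 7296 section 3.3.1)."""
    proposals, off = [], 0
    while True:
        if off + 8 > len(body):
            raise MalformedIKE("proposal header truncated")
        more, _res, plen, num, proto, spi_size, ntrans = struct.unpack(
            "!BBHBBBB", body[off:off + 8])
        if plen < 8 + spi_size or off + plen > len(body):
            raise MalformedIKE(f"proposal {num} has bad length {plen}")
        if ntrans == 0:
            raise MalformedIKE(f"proposal {num} carries no transforms")
        proposals.append((num, proto, body[off + 8:off + 8 + spi_size]))
        off += plen
        if more == 0:
            break
        if more != 2:
            raise MalformedIKE("bad Last/More marker in proposal")
    if off != len(body):
        raise MalformedIKE("trailing bytes in SA payload")
    return proposals


def validate_create_child_sa(msg):
    """Return the SA proposals of a CREATE_CHILD_SA request, or raise MalformedIKE."""
    first, exch = parse_header(msg)
    if exch != EXCH_CREATE_CHILD_SA:
        raise MalformedIKE(f"not a CREATE_CHILD_SA exchange ({exch})")
    payloads = parse_payloads(msg[IKE_HDR_LEN:], first)
    present = {t for t, _ in payloads}
    sa_bodies = [b for t, b in payloads if t == PT_SA]
    if len(sa_bodies) != 1:                         # the PAN-213949 case: no SA payload
        raise MalformedIKE(f"expected one SA payload, found {len(sa_bodies)}")
    proposals = parse_sa_proposals(sa_bodies[0])    # the PAN-218404 case: malformed SA payload
    protos = {proto for _, proto, _ in proposals}
    needed = {PT_NONCE} | ({PT_KE} if protos == {PROTO_IKE} else {PT_TSI, PT_TSR})
    if needed - present:
        raise MalformedIKE(f"missing required payload types {sorted(needed - present)}")
    return proposals


def check_create_child_sa(msg):
    """Responder-side wrapper: ('accept', proposals) or ('reject', reason), never an exception."""
    try:
        return "accept", validate_create_child_sa(msg)
    except MalformedIKE as err:
        return "reject", str(err)


def build_message(exch, payloads, spi_i=0x1111, spi_r=0x2222, msg_id=2):
    """Assemble a constructed test datagram from (type, body) pairs; SK wrapper omitted."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += struct.pack("!BBH", next_type, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PT_NONE
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, first, IKE_V2, exch, 0x08, msg_id,
                      IKE_HDR_LEN + len(body))
    return hdr + body


def esp_proposal(spi=b"\xde\xad\xbe\xef"):
    """One ESP proposal (protocol 3) carrying a single ENCR transform, ID 20 = AES-GCM-16."""
    transform = struct.pack("!BBHBBH", 0, 0, 8, 1, 0, 20)
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(transform), 1, 3, len(spi), 1) \
        + spi + transform
```

The point of the structure is that every length field is checked against the remaining buffer before any slice is taken, and the absence of a payload is an explicit reject path rather than a null dereference. A real responder would also send an INVALID_SYNTAX notification on reject; that is left out here.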
Addressed
10.2.5
PAN-213942
(PA-400 Series firewalls only) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.
Addressed
10.2.5
PAN-213932
Fixed an issue where, when an incorrect log filter was configured, the commit did not fail.
Addressed
10.2.5
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
10.2.5
PAN-213746
Fixed an issue on Panorama where the Hostkey displayed as undefined if an SSH Service Profile Hostkey configured in a template was overridden in the template stack.
Addressed
10.2.5
PAN-213463
(PA-5200 Series firewalls only) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed set to 1000 caused the firewall to incorrectly report that interface as up.
Addressed
10.2.5
PAN-213296
Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.
Addressed
10.2.5
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
Addressed
10.2.5
PAN-213077
Fixed an issue where the sysdagent process stopped responding, which caused interfaces and the subsequent connections behind them to fail.
Addressed
10.2.5
PAN-213060
Fixed an issue where Panorama did not show the target under the Entities column.
Addressed
10.2.5
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
Addressed
10.2.5
PAN-212889
Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor (Monitor > App Scope) and in the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering on it in the global filters.
Addressed
10.2.5
PAN-212859
Fixed an issue where the pan_task process stopped responding briefly during a commit due to contention with brdagent updating the configuration.
Addressed
10.2.5
PAN-212848
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message Server error : op command for client dagger timed out as client is not available.
Addressed
10.2.5
PAN-212726
Fixed an issue where RTP/RTCP packets for SIP calls were dropped by the SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
10.2.5
PAN-212577
(PA-5200 Series and PA-7080 firewalls only) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
Addressed
10.2.5
PAN-212576
Fixed an issue where firewall HA clusters in active/active configurations with Advanced Routing enabled did not reply to ping requests sent to a virtual IP address.
Addressed
10.2.5
PAN-212530
Fixed an issue on log collectors where root partition reached 100% utilization.
Addressed
10.2.5
PAN-212057
Fixed an issue where Advanced Threat Prevention caused SSL delays when no URL licenses were present.
Addressed
10.2.5
PAN-211997
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Addressed
10.2.5
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.2.5
PAN-211843
Fixed an issue where renaming a Zone Protection profile failed with the error message Obj does not exist.
Addressed
10.2.5
PAN-211602
Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the detailed log view was not accessible if the browser window was resized.
Addressed
10.2.5
PAN-211575
Fixed an issue where a local commit on Panorama remained at 99% for longer than expected before completing.
Addressed
10.2.5
PAN-211519
Fixed an issue where RTP/RTCP packets for SIP calls were dropped by the SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
10.2.5
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Addressed
10.2.5
PAN-211422
Fixed an issue where the show session packet-buffer-protection buffer-latency CLI command randomly displayed incorrect values.
Addressed
10.2.5
PAN-211398
Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.
Addressed
10.2.5
PAN-211191
Fixed an issue where the firewall restarted after initiating a mgmtsrvr process restart.
Addressed
10.2.5
PAN-211041
(Panorama virtual appliances only) Fixed an issue where DHCP-assigned interfaces did not send ICMP unreachable - Fragmentation needed messages when received packets were larger than the maximum transmission unit (MTU).
Addressed
10.2.5
PAN-210921
(Panorama appliances in Legacy Mode only) Fixed an issue where Blocked Browsing Summary by Website in the user activity report contained scrambled characters.
Addressed
10.2.5
PAN-210883
Fixed an issue where SSL proxy traffic was dropped when DoS zone protection was enabled.
Addressed
10.2.5
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.2.5
PAN-210738
Fixed an issue where fragmented UDP packets were dropped.
Addressed
10.2.5
PAN-210736
Fixed an issue where configuration changes related to the SSH service profile were not reflected when pushed from Panorama. With this fix, deleting the ciphers, MAC, and kex fields of SSH server profiles and HA profiles will not clear the values under template stacks and will retain the values configured in templates.
Addressed
10.2.5
PAN-210661
Fixed an issue where firewalls disconnected from Cortex Data Lake after renewing the device certificate.
Addressed
10.2.5
PAN-210640
Fixed an issue where applications were not displayed after authenticating into the clientless VPN.
Addressed
10.2.5
PAN-210563
Fixed an issue on Panorama where Security policy rules with a Tag target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.
Addressed
10.2.5
PAN-210511
Fixed an issue where Panorama commits failed due to an invalid community value error.
Addressed
10.2.5
PAN-210502
Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.
Addressed
10.2.5
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
Addressed
10.2.5
PAN-210452
Fixed an issue where application PCAP was not generated when Security policy rules were used as a filter.
Addressed
10.2.5
PAN-210451
Fixed an issue where the firewall did not send the source IP address of the user to the RADIUS server when the set authentication radius-vsa-on client-source-ip CLI command was configured.
Addressed
10.2.5
PAN-210429
(VM-Series firewalls only) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in a health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.2.5
PAN-210397
Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under Deploy Master Key.
Addressed
10.2.5
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
Addressed
10.2.5
PAN-210325
Fixed an issue on the firewall where the configuration log always displayed commit-all operations as successful even when the commit failed.
Addressed
10.2.5
PAN-210216
A debug command was added to address an issue with firewalls in high availability configurations.
Addressed
10.2.5
PAN-210158
(CN-Series firewalls only) Fixed an issue where the dataplane stopped responding after a container restart.
Addressed
10.2.5
PAN-210000
Fixed an issue where, when traffic and Threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.
Addressed
10.2.5
PAN-209937
Fixed an issue where administrators using certificate-based authentication were unable to log in to the Panorama or firewall web interface and received the following error message: Bad Request - Your browser sent a request that this server could not understand.
Addressed
10.2.5
PAN-209930
Fixed an issue where cloned rules pushed from Panorama were not shown on the managed firewall.
Addressed
10.2.5
PAN-209872
Fixed an issue where dataplane ports responded to ICMP echo requests shorter than 64 bytes with nonzero padding bytes in the ICMP response.
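PAN-209872 is the classic short-echo-request leak: an Ethernet frame must be at least 64 bytes (60 before the FCS), and a stack that pads a short ICMP reply with whatever follows the packet in its buffer hands those bytes to the sender. The Python below is an added example for this page, not Palo Alto Networks code: it builds an echo reply that pads with explicit zeros, and provides the check a practitioner would run over captured replies, flagging any nonzero byte beyond the IP total length as padding the stack should not have exposed. The MAC addresses, IP addresses and ICMP identifier are constructed test values.

```python
"""Zero-pad short ICMP echo replies and detect nonzero link-layer padding."""
import struct

ETH_LEN, IP_LEN, ICMP_LEN, MIN_FRAME = 14, 20, 8, 60   # 60 bytes + 4-byte FCS = 64-byte minimum
ETH_P_IP, IPPROTO_ICMP = 0x0800, 1


def checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(data, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", ident=0x1234, seq=1):
    """Constructed echo-request frame; a short payload yields a frame under 60 bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(icmp), 1, 0, 64, IPPROTO_ICMP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + ip + icmp


def build_echo_reply(request):
    """Reply as a correct stack should: swap addresses, set type 0, pad to 60 bytes with zeros."""
    eth, ip, icmp = request[:ETH_LEN], request[ETH_LEN:ETH_LEN + IP_LEN], request[ETH_LEN + IP_LEN:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    icmp = icmp[:total_len - IP_LEN]                   # ignore any padding the request carried
    icmp = b"\x00\x00\x00\x00" + icmp[4:]               # type 0 (echo reply), code 0, checksum cleared
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = ip[:10] + b"\x00\x00" + ip[16:20] + ip[12:16]  # clear checksum, swap src/dst
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    frame = eth[6:12] + eth[:6] + eth[12:14] + ip + icmp
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))   # explicit zero padding, never stale memory


def padding_bytes(frame):
    """Bytes after the IP total length: link-layer padding that the peer can read."""
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    return frame[ETH_LEN + total_len:]


def leaks_padding(frame):
    """True when the padding carries nonzero bytes, the symptom described for short echo requests."""
    return any(padding_bytes(frame))
```

To audit a live device, capture replies to 1- or 2-byte pings and run `leaks_padding` over each frame; a healthy stack yields only zeros beyond the IP total length.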
Addressed
10.2.5
PAN-209696
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Addressed
10.2.5
PAN-209683
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Addressed
10.2.5
PAN-209617
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Addressed
10.2.5
PAN-209585
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.
Addressed
10.2.5
PAN-209501
Fixed an issue where the GlobalProtect logdb quota was not displayed in the show system logdb quota output.
Addressed
10.2.5
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
Addressed
10.2.5
PAN-209172
Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.
Addressed
10.2.5
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
Addressed
10.2.5
PAN-208902
Fixed an issue where, when a client sent a TCP FIN packet, the firewall displayed the session end reason as aged-out instead of tcp-fin.
Addressed
10.2.5
PAN-208792
Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as use default for IPv4 addresses and included the dataplane interface as the destination route.
Addressed
10.2.5
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
10.2.5
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
Addressed
10.2.5
PAN-208325
(PA-5400 Series, PA-3400 Series, and PA-400 Series firewalls only) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Addressed
10.2.5
PAN-208316
Fixed an issue where user-group names could not be specified as the source user in the test security-policy-match command.
Addressed
10.2.5
PAN-208201
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Addressed
10.2.5
PAN-208198
Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.
Addressed
10.2.5
PAN-208187
Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.
Addressed
10.2.5
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the Source and Destination IP fields.
Addressed
10.2.5
PAN-208039
(PA-7000 Series firewalls with SMC-B only) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.
Addressed
10.2.5
PAN-207842
Fixed an issue where WildFire Analysis reports were not visible when the WF-500 appliance was on private cloud.
Addressed
10.2.5
PAN-207741
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error invalid http response. return error(Authentication failed; Retry authentication when the satellite connected to more than one portal.
Addressed
10.2.5
PAN-207700
Fixed an issue where the show system info and show system ztp status CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.
Addressed
10.2.5
PAN-207661
Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed From Template Override: undefined as the source.
Addressed
10.2.5
PAN-207604
Fixed an issue where system logs continuously generated the log message Not enough space to load content to SHM.
Addressed
10.2.5
PAN-207457
Fixed an issue where the MLAV allow list did not work for some types of traffic.
Addressed
10.2.5
PAN-207240
Fixed an issue where mprelay repeatedly restarted, which caused commits to remain at 70% before failing with the error message A communication error happened during the configuration commit to the data plane, please try again.
Addressed
10.2.5
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
Addressed
10.2.5
PAN-206640
Fixed an issue where the ikemgr process stopped responding, which caused IPSec tunnels to go down.
Addressed
10.2.5
PAN-206396
Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.
Addressed
10.2.5
PAN-206391
Fixed an issue where shared objects were seen under the push scope with every configuration push.
Addressed
10.2.5
PAN-206333
Fixed an issue where the Include/Exclude IP filter under Data Distribution did not work correctly.
Addressed
10.2.5
PAN-206278
Fixed an issue where a critical system log was generated when the boot drive for PA-7000 Series firewall Switch Management Cards (SMCs) failed.
Addressed
10.2.5
PAN-206221
Fixed an issue where scheduled configuration pushes with Include Device and Network Templates selected did not work.
Addressed
10.2.5
PAN-205513
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Addressed
10.2.5
PAN-205369
Fixed an issue where connections to Cortex Data Lake were initialized from the firewall even when Cortex Data Lake forwarding was disabled.
Addressed
10.2.5
PAN-205086
Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.
Addressed
10.2.5
PAN-204718
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt: Could not chdir to home directory /opt/pancfg/home/user: Permission denied.
Addressed
10.2.5
PAN-204683
Fixed an issue where logs could not be generated because old logs were not purged and /opt/panlogs reached 100% usage.
Addressed
10.2.5
PAN-204530
Fixed an issue where, when one of the destination hosts in a scheduled log export was unresponsive, the firewall took longer than expected to abandon the FTP or SCP session after the log export failed.
Addressed
10.2.5
PAN-204420
(WF-500 appliances only) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server because the SNMP trap server settings were not enabled.
Addressed
10.2.5
PAN-204233
Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.
Addressed
10.2.5
PAN-204215
(PA-7000 Series firewalls with Log Processing Cards (LPCs) only) Fixed an issue where performing a commit operation resulted in the following error messages: log forwarding is setup for data but log-card interface is not setup or log forwarding is setup for traffic but log-card interface is not setup.
Addressed
10.2.5
PAN-203791
(PA-3400 and PA-5400 Series firewalls only) Fixed an issue where the correlation log type was not configurable and displayed as $.Format.Correlation (Device > Server Profiles > Syslog > <Profile-name> > Custom Log Format > log type).
Addressed
10.2.5
PAN-203655
Fixed an issue where, when event-specific traps were enabled (Device > Setup > Operations > Miscellaneous > SNMP Setup), the resulting device system logs included incorrect information.
Addressed
10.2.5
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
Addressed
10.2.5
PAN-203222
Fixed an issue where commit-all operations took longer than expected due to cURL failures and timeouts related to external dynamic list retrieval.
Addressed
10.2.5
PAN-203168
Fixed an issue where the WIF state was not cleaned up promptly after use, which caused allocation failures. This fix increased the wif_state quota.
Addressed
10.2.5
PAN-202981
Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).
Addressed
10.2.5
PAN-202963
Fixed an issue where the system log message dsc HA state is changed from 1 to 0 was generated with the severity High. With this fix, the severity was changed to Info.
Addressed
10.2.5
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
Addressed
10.2.5
PAN-202516
Fixed an issue where the firewall stopped responding if it received an illegal packet with a source port of 0 encapsulated within a VXLAN packet.
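PAN-202516 is an input-validation failure: an encapsulated inner packet with a source port of 0 reached code that did not expect it. The following Python is an added example for this page, not the firewall's own decapsulation code: it validates each layer of a VXLAN-encapsulated packet (the RFC 7348 header, inner Ethernet, inner IPv4 lengths and checksum, and L4 header presence) and returns a drop verdict for port 0 or any truncation rather than passing the packet on. The VNI, MAC addresses and IP addresses in the builder are constructed test values; the input is the UDP payload of the outer packet, that is, everything after the outer UDP header on port 4789.

```python
"""Validate VXLAN-encapsulated inner packets before a flow engine touches them."""
import struct

VXLAN_I_FLAG = 0x08           # "valid VNI" flag, the only flag RFC 7348 defines
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


class DropPacket(ValueError):
    """Raised for anything a decapsulator must reject instead of dereference."""


def ipv4_checksum(hdr):
    """RFC 1071 checksum; returns 0 over a header whose checksum field is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan(vni, proto, sport, dport, payload=b"hello"):
    """Construct VXLAN header + inner Ethernet/IPv4/L4 (test input, not captured traffic)."""
    vx = struct.pack("!B3sI", VXLAN_I_FLAG, b"\x00" * 3, vni << 8)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return vx + eth + ip + l4


def inspect_vxlan(udp_payload):
    """Decapsulate and validate; return the inner VNI and ports or raise DropPacket."""
    if len(udp_payload) < 8:
        raise DropPacket("short VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_I_FLAG:
        raise DropPacket("VXLAN I flag not set")
    vni, inner = vni_field >> 8, udp_payload[8:]
    if len(inner) < 14:
        raise DropPacket("short inner Ethernet header")
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype != ETH_P_IP:
        raise DropPacket(f"unsupported inner ethertype 0x{ethertype:04x}")
    ip = inner[14:]
    if len(ip) < 20:
        raise DropPacket("short inner IPv4 header")
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise DropPacket("inconsistent inner IPv4 lengths")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise DropPacket("bad inner IPv4 header checksum")
    if frag & 0x1FFF:
        raise DropPacket("non-first fragment carries no L4 header")
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise DropPacket(f"inner protocol {proto} not inspected here")
    l4 = ip[ihl:total_len]
    if len(l4) < (20 if proto == IPPROTO_TCP else 8):
        raise DropPacket("truncated inner L4 header")
    sport, dport = struct.unpack("!HH", l4[:4])
    if sport == 0 or dport == 0:                     # the PAN-202516 input: port 0 is never valid here
        raise DropPacket(f"illegal inner port sport={sport} dport={dport}")
    return {"vni": vni, "proto": proto, "sport": sport, "dport": dport}


def verdict(udp_payload):
    """Engine-facing wrapper: ('allow', summary) or ('drop', reason), never an exception."""
    try:
        return "allow", inspect_vxlan(udp_payload)
    except DropPacket as err:
        return "drop", str(err)
```

Every slice is guarded by a length check against the buffer actually received, and the port test sits after the L4 header is known to be present, so a crafted inner packet can only produce a drop, not a crash.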
Addressed
10.2.5
PAN-201855
Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.
Addressed
10.2.5
PAN-201721
Fixed an issue with firewalls in HA configurations where HA setup generated the error mismatch due to device update during a content update even though the version was the same.
Addressed
10.2.5
PAN-201515
Fixed an issue with the web interface where the cursor disappeared from the search bar under the Policies and Objects tabs if the cursor was moved quickly.
Addressed
10.2.5
PAN-201466
Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.
Addressed
10.2.5
PAN-200757
Fixed an issue with client certificate generation on Panorama, which resulted in a firewall being unable to connect to a log collector.
Addressed
10.2.5
PAN-200394
Fixed an issue where, after a push from Panorama to one or more device groups in a multi-vsys environment, vulnerability profile exceptions were not seen on all firewalls.
Addressed
10.2.5
PAN-199819
Fixed an issue where, if a decryption profile allowed TLS 1.3 but the server only supported TLS 1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.
Addressed
10.2.5
PAN-199687
Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.
Addressed
10.2.5
PAN-199557
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Addressed
10.2.5
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window (Policies > Security > Prerules).
Addressed
10.2.5
PAN-198050
Fixed an issue where Connection to update server is successful messages were displayed even when connections failed.
Addressed
10.2.5
PAN-197493
Fixed an issue where having multiple terminal service agents with the same hostname caused the firewall to reboot.
Addressed
10.2.5
PAN-197467
Fixed an issue on Panorama where the WildFire Test-Configuration feature did not work as expected.
Addressed
10.2.5
PAN-197388
Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).
Addressed
10.2.5
PAN-196956
Fixed an issue where URL Filtering logs did not display matching entries when filtered by device name.
Addressed
10.2.5
PAN-196923
Fixed an issue where the interface option in the cURL command did not include a source address, which caused the DNS lookup for device telemetry to fail.
Addressed
10.2.5
PAN-196597
Fixed an issue where the dnsproxyd process stopped responding due to corruption.
Addressed
10.2.5
PAN-196417
(PA-7000 Series firewalls only) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completed.
Addressed
10.2.5
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Addressed
10.2.5
PAN-195788
Fixed an issue where zip files did not download when applying Security inspection and the following error message displayed: resources-unavailable.
Addressed
10.2.5
PAN-195439
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.2.5
PAN-195251
Fixed an issue where IPSec tunnel re-key generated the critical log message tunnel-status-up.
Addressed
10.2.5
PAN-193521
Fixed an issue where Panorama > Device > Deployment > Software did not display software after running check now for managed devices.
Addressed
10.2.5
PAN-190903
Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.
Addressed
10.2.5
PAN-190435
Fixed an issue where, after committing a configuration change, the Task Manager commit Status went directly from 0% to Completed instead of reflecting the accurate commit job progress.
Addressed
10.2.5
PAN-190055
(VM-Series firewalls only) Fixed an issue where the firewall did not follow the set Jumbo MTU value.
Addressed
10.2.5
PAN-189442
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.
Addressed
10.2.5
PAN-189423
Fixed an issue where exporting correlation logs generated an empty file.
Addressed
10.2.5
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
Addressed
10.2.5
PAN-187989
Fixed an issue where a user who did not have permissions for other access domains was able to view the commit and configuration lock.
Addressed
10.2.5
PAN-186956
Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for member interfaces did not respond to pings.
Addressed
10.2.5
PAN-186182
Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.
Addressed
10.2.5
PAN-185249
Fixed an issue where Template Stack overrides (Dynamic Updates > App & Threats > Schedule) were not able to be reverted via the web interface.
Addressed
10.2.5
PAN-185135
(VM-Series firewalls on Kernel-based Virtual Machine (KVM) only) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.
Addressed
10.2.5
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Addressed
10.2.5
PAN-183297
Fixed an issue where, when the firewall received a large amount of user information, the firewall was unable to output IP address-to-username mapping information via XML API.
Addressed
10.2.5
PAN-182960
Additional error logs were added for an issue where, when multiple Panorama web interface sessions were opened, active lock did not show up on the web interface for any session.
Addressed
10.2.5
PAN-182734
Fixed an issue where, on an Advanced Routing Engine, BGP peering flapped after a commit.
Addressed
10.2.5
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.2.5
PAN-177227
(VM-Series firewalls on Amazon Web Services environments only) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.
Addressed
10.2.5
PAN-176412
Fixed an issue where changing the password of a local database user did not work.
Addressed
10.2.5
PAN-172977
Fixed an issue where session offloading did not occur on a tap interface under a high packet load.
Addressed
10.2.5
PAN-172600
Fixed an issue where the CLI command show rule-hit-count did not provide all details of the rule from the device group.
Addressed
10.2.5
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.2.5
PAN-168102
Fixed an issue where the API format to check heap usage of a node showed a JSON error.
Addressed
10.2.5
PAN-160633
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.
Addressed
10.2.5
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install Dynamic Updates (Panorama > Device Deployment).
Known
10.2.6
WF500-5854
The WildFire analysis report on the firewall log viewer (Monitoring > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.6
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.6
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.6
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.6
WF500-5781
The WildFire appliance might erroneously generate and log the following device certificate error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.6
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.6
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.6
PAN-244648
(PA-5200 Series firewalls only) After a factory reset, the firewall may get stuck in maintenance mode and be unable to load the boot image. The firewall fails to enable FIPS-CC mode during this time.
Workaround: The following workaround allows the firewall to boot in normal mode but does not apply to FIPS-CC mode. Attempting to enable FIPS-CC mode after using this workaround will cause the firewall to reboot and re-enter maintenance mode.
  1. Enter maintenance mode.
  2. Select Disk Image > Advanced Options.
  3. Select Bootstrap with the options panos-10.2.8, maint, and maint.
  4. Select Bootstrap with the options panos-10.2.8, sysroot0, and panos.
  5. Select Bootstrap with the option sysroot0.
  6. Select Reboot.
Known
10.2.6
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
     On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
     request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
10.2.6
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.6
PAN-234929
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues.
The tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
10.2.6
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
10.2.6
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.6
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.6
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and a vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround: Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices: This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence: This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.6
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.2.6
PAN-227368
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround: Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
10.2.6
PAN-226768
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in the Connecting stage after authentication and the GlobalProtect log displays the error message User is not in allow list. This happens when the app is restarted or when the app tries to reconnect after disconnection.
Known
10.2.6
PAN-223677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls) When the Lockless QoS feature is enabled, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.6
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.6
PAN-223457
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.6
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.6
PAN-222418
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
The firewall intermittently records a reconnection message to the authentication server as an error, even if no disconnection occurs.
Known
10.2.6
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.6
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.6
PAN-221857
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Users are unable to log in to the GlobalProtect app using SAML authentication after the app is upgraded to 10.2.3-h4 and the GlobalProtect logs display the following error message:
Username from SAML SSO response is different from the input.
Known
10.2.6
PAN-221126
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) to forward logs as email notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
10.2.6
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
10.2.6
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Configured botnet reports (Monitor > Botnet) are not generated.
Known
10.2.6
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.6
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.6
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.6
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
M-300 and M-700 appliances may generate erroneous system logs (Monitor > Logs > System) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.6
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.6
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
10.2.6
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.6
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.6
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.6
PAN-209288
Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP).
Known
10.2.6
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).
Known
10.2.6
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App > Allow with Passcode
  • Allow user to Disable GlobalProtect App > Allow with Passcode
  • Allow User to Uninstall GlobalProtect App > Allow with Password
Known
10.2.6
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.6
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.6
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt or user data) when bootstrapped.
Known
10.2.6
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.6
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.2.6
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.6
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.6
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.6
PAN-193004
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity, which impacts Panorama performance.
Known
10.2.6
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator's Guide.
Known
10.2.6
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.6
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.6
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.6
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.6
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.6
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin> request plugins dlp reset
Known
10.2.6
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action is set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.6
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.6
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
10.2.6
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.6
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.2.6
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
     Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.6
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.6
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.6
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.6
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.6
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.6
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.6
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.6
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.6
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.6
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.6
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.2.6
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.2.6
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.6-h3
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.6-h1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.6-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.6-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.6-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.6-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.6
PAN-229865
(PA-220 firewalls only) Fixed an issue where upgrading to PAN-OS 10.2.5 failed if the firewall was on a PAN-OS 10.1 release.
Addressed
10.2.6
PAN-229705
Fixed an issue where running the show rule-hit-count CLI command on Panorama displayed the error message Server error : Timed out while getting config lock. Please try again. when attempting to log in or run CLI commands.
Addressed
10.2.6
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-based application traffic byte count.
Addressed
10.2.6
PAN-227523
A fix was made to address customer and internal bugs (CVE-2023-38802).
Addressed
10.2.6
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
10.2.6
PAN-225240
Fixed an issue where the OSPF neighbor state remained in exstart when the OSPF network had more than 40 routes.
Addressed
10.2.6
PAN-223787
(PA-400 Series and PA-1400 Series firewalls only) Fixed an issue where commits failed with the error message Error unserializing profile objects failed to handle CONFIG_UPDATE_START.
Addressed
10.2.6
PAN-221728
Fixed an issue where selective pushes did not work after upgrading to PAN-OS 10.2.4.
Addressed
10.2.6
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the firewall could not connect to the URL cloud.
Addressed
10.2.6
PAN-214273
Fixed an issue where Elasticsearch logs were not cleared, which caused the root partition to fill up.
Addressed
10.2.6
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
Addressed
10.2.6
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
10.2.6
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
Addressed
10.2.6
PAN-198043
Fixed a rare issue where a BuildXmlCache job failed on the firewall.
Known
10.2.7
WF500-5854
The WildFire analysis report in the firewall log viewer (Monitor > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD5, and File Size.
Workaround: Download and open the WildFire analysis report in PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.7
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: "Server error : An error occured."
Known
10.2.7
WF500-5840
The sample analysis statistics returned by the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.7
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.7
WF500-5781
The WildFire appliance might erroneously generate and log the following device certificate error: "Device certificate is missing or invalid. It cannot be renewed."
Known
10.2.7
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all enabled WildFire appliance interfaces use matching protocols (all IPv4 or all IPv6).
Known
10.2.7
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.7
PAN-244673
Upgrading a flexible-vCPU VM-Series firewall HA deployment from 10.1.x directly to 10.2.3 or later causes the active HA peer to become unresponsive. In this scenario, the upgraded firewall then becomes the active peer.
Workaround: Upgrade the VM-Series firewalls to PAN-OS 10.2.2 before upgrading to the latest PAN-OS 10.2.x version.
Known
10.2.7
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN configuration (Panorama > SD-WAN) on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit > Commit to Panorama and commit the SD-WAN configuration changes on the active HA peer.
     On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the Panorama CLI on the primary HA peer and trigger a manual synchronization between the active and secondary HA peers:
     request high-availability sync-to-remote running-config
  4. Log back in to the Panorama web interface on the active HA peer and select Commit > Push to Devices > Push.
Known
10.2.7
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.7
PAN-242910
(PAN-OS 10.2.7, 10.2.7-h1, and 10.2.7-h3 only) On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
10.2.7
PAN-242837
Default login credentials and SSH access fail after enabling FIPS-CC mode on a firewall or Panorama by converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.2.7
PAN-242561
On PAN-OS 10.2.7-h3, a GlobalProtect tunnel might disconnect shortly after being established when SSL is used as the transport protocol.
Workaround: Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
10.2.7
PAN-238769
(FIPS-CC VM only) Upgrading to PAN-OS 10.1.10-h2 or 10.1.11 changes the action of all locally created Security policy rules to Deny. To restore the previous configuration, reload the backup configuration taken before upgrading or load the last saved configuration version. Additionally, after converting a device to FIPS-CC mode on the 10.1.12, 10.2.7, 11.1.0, 11.1.1, or 11.0.3 releases, you cannot log in with the default credentials.
Known
10.2.7
PAN-234929
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues.
The tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, may not display any data when you apply a Time filter for the Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
10.2.7
PAN-228515
The ElasticSearch SSH tunnel flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
10.2.7
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama-only or Log Collector mode.
Known
10.2.7
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.7
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch:
admin> debug elasticsearch es-restart all
Known
10.2.7
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.7
PAN-226768
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in the Connecting stage after authentication and the GlobalProtect log displays the error message "User is not in allow list". This happens when the app is restarted or when the app tries to reconnect after a disconnection.
Known
10.2.7
PAN-223677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls) Enabling the Lockless QoS feature causes a slight, expected degradation in App-ID and Threat performance.
Known
10.2.7
PAN-223457
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.7
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.7
PAN-222418
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
The firewall intermittently records a reconnection message to the authentication server as an error, even if no disconnection occurs.
Known
10.2.7
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.7
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.7
PAN-221857
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Users are unable to log in to the GlobalProtect app using SAML authentication after upgrading to 10.2.3-h4, and the GlobalProtect logs display the following error message: "Username from SAML SSO response is different from the input."
Known
10.2.7
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Configured botnet reports (Monitor > Botnet) are not generated.
Known
10.2.7
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.7
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.7
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
M-300 and M-700 appliances may generate erroneous system logs (Monitor > Logs > System) alerting that the M-Series appliance memory usage limits have been reached.
Known
10.2.7
PAN-213746
On the Panorama management server, the Hostkey displays as "undefined undefined" if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.7
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP): "show -> dis-block-table is unexpected"
Known
10.2.7
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying "no data to display" when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering on the same threat name in the Global Filters.
Known
10.2.7
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.7
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.7
PAN-209288
Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP).
Known
10.2.7
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you attach an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).
Known
10.2.7
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App set to Allow with Passcode
  • Allow user to Disable GlobalProtect App set to Allow with Passcode
  • Allow User to Uninstall GlobalProtect App set to Allow with Password
Known
10.2.7
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.7
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.7
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt file or user data) when bootstrapped.
Known
10.2.7
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.7
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a Javascript error.
Known
10.2.7
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.7
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.7
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.7
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.7
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.7
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.7
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.7
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.7
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.7
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin:
admin > request plugins dlp reset
Known
10.2.7
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.7
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and the main routing daemon on the firewall terminate during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.7
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
10.2.7
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.7
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
(PA-5400 Series firewalls only) On the Panorama management server, the device health resources (Panorama > Managed Devices > Health) do not populate.
Known
10.2.7
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.7
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.7
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
10.2.7
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the client mappings may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.7
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.7
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays "commit time out" as the reason the commit failed.
Known
10.2.7
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.7
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a license required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.7
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.7
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.7
PAN-174982
In HA active/active configurations, when interfaces associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.7
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.2.7
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.2.7
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.7-h8
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.7-h6
PAN-246431
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where a Push to Device operation remained in the state None when performing a selective push to device groups and templates that included both connected and disconnected firewalls.
Addressed
10.2.7-h6
PAN-242910
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where an administrator with a custom (non-Superuser) admin role was unable to push to firewalls.
Addressed
10.2.7-h6
PAN-242627
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where selective push did not work.
Addressed
10.2.7-h6
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.2.7-h6
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
10.2.7-h6
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
10.2.7-h6
PAN-238643
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.2.7-h6
PAN-237208
Fixed an issue where the reportd process stopped and the firewall rebooted.
Addressed
10.2.7-h6
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.2.7-h6
PAN-233789
Fixed an issue with Commit and Push and Push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
10.2.7-h6
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
10.2.7-h6
PAN-229090
Fixed an issue where the logrcvr process stopped responding during memory allocation failures.
Addressed
10.2.7-h6
PAN-228515
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.7-h6
PAN-223259
Fixed an issue where selective pushes failed with the error message "Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push".
Addressed
10.2.7-h6
PAN-217293
Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.
Addressed
10.2.7-h6
PAN-199070
Fixed an issue where the all_task and pan_task processes stopped responding, which impacted traffic.
Addressed
10.2.7-h3
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.
Addressed
10.2.7-h3
PAN-239144
Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.
Addressed
10.2.7-h3
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate: fetching device certificates incorrectly failed with the error message "OTP is not valid".
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.7-h3
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.2.7-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.7-h3
PAN-234929
Fixed an issue where tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
10.2.7-h3
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: "Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit".
Addressed
10.2.7-h3
PAN-232377
Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.
Addressed
10.2.7-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.7-h3
PAN-231169
(PA-220 firewalls only) Fixed an issue where an unused plugin incorrectly used memory.
Addressed
10.2.7-h3
PAN-228273
(Panorama appliances in FIPS-CC mode only) Fixed an issue where the Elasticsearch cluster did not come up, and the show log-collector-es-cluster health CLI command displayed the status as red. This caused log ingestion issues for Panorama appliances in Panorama mode or Log Collector mode.
Addressed
10.2.7-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.7-h3
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.2.7-h3
PAN-224067
Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.
Addressed
10.2.7-h3
PAN-224060
(PA-220 Series firewalls only) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
10.2.7-h3
PAN-223652
Fixed an issue where data was not thread safe and led to concurrent read/write issues that caused GPSVC to stop working unexpectedly.
Addressed
10.2.7-h3
PAN-223270
Fixed an issue with Virtual Wire links on firewalls in active/active HA configurations where the forwarding path was not preserved in HTTP/2 cleartext traffic with asymmetric routing.
Addressed
10.2.7-h3
PAN-222002
Fixed an issue where content updates failed with the error message "Unable to get key pancontent-8.0.pass from cryptod. Error -9".
Addressed
10.2.7-h3
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key and the certificate used the name of an existing certificate on Panorama, the following error message was displayed: "Mismatched public and private keys".
Addressed
10.2.7-h3
PAN-218057
(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failed due to a heartbeat miss.
Addressed
10.2.7-h3
PAN-217289
Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.
Addressed
10.2.7-h3
PAN-216214
(Panorama managed firewalls in active/active HA configurations only) Fixed an issue where the HA (high availability) status displayed as Out of Sync (Panorama > Managed Devices > Health) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.2.7-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.7-h3
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message "User is not in allowlist" when an authentication profile was created in a shared configuration space.
Addressed
10.2.7-h3
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.2.7-h3
PAN-189769
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where, when a single firewall was the backend of multiple GWLBs, packets were re-encapsulated with an incorrect source IP address.
Addressed
10.2.7-h3
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.2.7-h1
PAN-237871
(WF-500 appliances and PAN-DB private cloud deployments only) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.7-h1
PAN-236926
Fixed an issue where Elasticsearch shards failed if they were allocated when tunnels were down, and shards that failed remained unallocated when tunnels went back up.
Addressed
10.2.7
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.2.7
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message:
Disk usage for /opt/pancfg exceeds limit, <value> percent in use
Addressed
10.2.7
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.2.7
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
Addressed
10.2.7
PAN-231043
Fixed an issue where websites were not able to be opened via GlobalProtect with SSL-VPN when software cut through was enabled.
Addressed
10.2.7
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands. The fix increases the thread stack size on Panorama.
Addressed
10.2.7
PAN-228998
Fixed an issue where multiple license status checks caused an internal process to stop responding.
Addressed
10.2.7
PAN-228877
(PA-7050 firewalls only) Fixed an issue with OOM conditions that caused slot restarts due to pan_cmd consuming more than 300 MB.
Addressed
10.2.7
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.2.7
PAN-227368
Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds.
Addressed
10.2.7
PAN-225337
Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls when authentication took longer than 20 seconds.
Addressed
10.2.7
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
Addressed
10.2.7
PAN-223488
(M-600 Appliances only) Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
Addressed
10.2.7
PAN-221190
(PA-800 Series firewalls only) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.
Addressed
10.2.7
PAN-221126
Fixed an issue where logs forwarded as email notifications through Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) were not sent in a readable format.
Addressed
10.2.7
PAN-221015
(M-600 Appliances only) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the Managed Collector ES health status to be downgraded.
Addressed
10.2.7
PAN-218521
(M-600 Appliances in Log Collector mode only) Fixed an issue where Panorama continuously rebooted and became unresponsive, which consumed excessive logging disk space and prevented new log ingestion.
Addressed
10.2.7
PAN-215268
Fixed an issue where selective push did not work for firewalls on PAN-OS 9.1 or an earlier release.
Addressed
10.2.7
PAN-212761
Fixed an issue where the all_pktproc process stopped responding, which caused the dataplane to go down and caused HA failover.
Addressed
10.2.7
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Known
10.2.8
WF500-5854
The WildFire analysis report on the firewall log viewer (Monitoring > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD-5, and File Size.
Workaround:
Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.8
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.8
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.8
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.8
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.8
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.8
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.8
PAN-255868
(PA-3400 Series firewalls only) After enabling kernel data collection during a silent reboot, the firewall fails and reboots to maintenance mode.
Workaround:
To recover the firewall, initiate a reboot from maintenance mode.
Known
10.2.8
PAN-251895
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
When Inline Cloud Analysis features are enabled, the firewall experiences a slow packet buffer leak, resulting in poor performance and dropped traffic.
Workaround:
Disable WildFire Inline Cloud Analysis and Advanced Threat Prevention Inline Cloud Analysis on the firewall.
Known
10.2.8
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer. On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
10.2.8
PAN-242910
On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
10.2.8
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.8
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
10.2.8
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround:
On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.8
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
10.2.8
PAN-223677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls) Enabling the Lockless QoS feature causes a slight, expected degradation in App-ID and Threat performance.
Known
10.2.8
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.8
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.8
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.8
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.8
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
10.2.8
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.8
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.8
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.8
PAN-209288
Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP).
Known
10.2.8
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you attach an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).
Known
10.2.8
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App > Allow with Passcode
  • Allow user to Disable GlobalProtect App > Allow with Passcode
  • Allow User to Uninstall GlobalProtect App > Allow with Password
Known
10.2.8
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.8
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.8
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround:
Retry the operation.
Known
10.2.8
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.2.8
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.8
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.8
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.8
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.8
PAN-189111
After an MP pod is deleted and comes back up, the show routing command output appears empty and traffic stops working.
Known
10.2.8
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.8
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.8
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.8
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.8
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin> request plugins dlp reset
Known
10.2.8
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.8
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and main routing daemon on the firewall terminate during commit.
Workaround:
Do not use a logical router instance with no interfaces bound to it.
Known
10.2.8
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround:
Use Commit > Push to Devices to synchronize the templates.
Known
10.2.8
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.8
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
10.2.8
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.8
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.8
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.8
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.8
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.8
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround
: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.8
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a License required for URL filtering to function message displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.8
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.8
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.8
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.8
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall. This is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
Known
10.2.8
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
10.2.8
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.8-h4
PAN-253317
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.2.8-h4
PAN-251895
Fixed an issue where enabling Inline Cloud Analysis features caused a slow packet buffer leak, which resulted in performance issues and dropped traffic.
Addressed
10.2.8-h4
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
10.2.8-h4
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none.
Addressed
10.2.8-h4
PAN-250020
Fixed an issue where MLC2 verdict retrieval failed due to a regression in loopback data flag handling.
Addressed
10.2.8-h4
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.2.8-h4
PAN-246976
Fixed an issue with unbalanced NAT session distribution with multi-dataplane firewalls when persistent-dipp was enabled.
Addressed
10.2.8-h4
PAN-244648
Fixed an issue where, when FIPS was enabled in maintenance mode, the firewall rebooted and returned to maintenance mode.
Addressed
10.2.8-h4
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
10.2.8-h4
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.2.8-h4
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for DNS-Base application.
Addressed
10.2.8-h4
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
10.2.8-h4
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
10.2.8-h4
PAN-236133
Fixed an issue where SSL traffic was impacted when SSL Command and Control detector or Inline Cloud Analysis was set to reset-both, reset-client, reset-server, or drop.
Addressed
10.2.8-h4
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.2.8-h4
PAN-203981
Fixed an issue where usernames with only numeric characters were not valid.
Addressed
10.2.8-h3
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.8
PAN-240596
Fixed an issue where all_task stopped responding due to an invalid memory address.
Addressed
10.2.8
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.2.8
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall weren’t reflected on the firewall.
Addressed
10.2.8
PAN-240174
Fixed an issue where, when LSVPN serial numbers and IP address authentication were enabled, IPv6 address ranges and complete IPv6 addresses that were manually added to the IP address allow or exclude list were not usable after a restart of the gp_broker process or the firewall.
Addressed
10.2.8
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.2.8
PAN-239144
Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.
Addressed
10.2.8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.8
PAN-237871
(WF-500 appliances and PAN-DB private cloud deployments only) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.8
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
10.2.8
PAN-236244
Fixed an issue where you were unable to select authentication profiles via the web interface.
Addressed
10.2.8
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
10.2.8
PAN-235741
Fixed an issue where DNS resolution failed for Panorama and firewall plugins if the DNS Server IP address was obtained through DHCP.
Addressed
10.2.8
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
10.2.8
PAN-235628
Fixed an issue where you weren’t prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with single sign-on (SSO) and Single Log Out (SLO).
Addressed
10.2.8
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
10.2.8
PAN-234852
Fixed an issue where DLP logs for the Salesforce application had a report ID of 0 and did not include missing information such as file type, file hash, and the reason for data filtering.
Addressed
10.2.8
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message:
Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit
Addressed
10.2.8
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
Addressed
10.2.8
PAN-233207
Fixed an issue where the configd process stopped responding when a partial configuration revert operation was performed.
Addressed
10.2.8
PAN-233191
(PA-5450 firewalls only) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.2.8
PAN-232377
Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.
Addressed
10.2.8
PAN-232358
(PA-5450 firewalls only) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
10.2.8
PAN-232250
Fixed an issue where, when the SSH service profile for management access was set to None, the reported output was incorrect.
Addressed
10.2.8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.8
PAN-231698
Fixed an issue where you were unable to set the Dynamic Updates schedule threshold to an empty value.
Addressed
10.2.8
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
10.2.8
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.2.8
PAN-231459
(PA-5450 firewalls only) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.
Addressed
10.2.8
PAN-231422
Fixed an issue where you were unable to configure more than 256 scheduled objects on the firewall.
Addressed
10.2.8
PAN-231329
Fixed an issue where the logrcvr process stopped responding due to a corrupt log in the forwarding pipeline.
Addressed
10.2.8
PAN-230813
Fixed an issue where a flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START.
Addressed
10.2.8
PAN-230656
(Firewalls in HA configurations only) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
10.2.8
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
10.2.8
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
10.2.8
PAN-230092
Fixed an issue where the routed process stopped responding when committing routing-related changes if Advanced Routing was enabled.
Addressed
10.2.8
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
10.2.8
PAN-229952
Fixed an issue where the print PDF option did not work (Panorama > Managed Devices > Health).
Addressed
10.2.8
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
10.2.8
PAN-229307
Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.
Addressed
10.2.8
PAN-229080
Fixed an issue where the new management IP address on the interface did not take effect.
Addressed
10.2.8
PAN-229069
Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.
Addressed
10.2.8
PAN-228820
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.2.8
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
10.2.8
PAN-228342
Fixed an issue where objects in the running configuration appeared to be deleted under the push scope preview.
Addressed
10.2.8
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
10.2.8
PAN-228277
Fixed an issue where commits took longer than expected.
Addressed
10.2.8
PAN-228273
(Panorama appliances in FIPS-CC mode only) Fixed an issue where the Elasticsearch cluster did not come up, and the show log-collector-es-cluster health CLI command displayed the status as red. This caused log ingestion issues for Panorama appliances in Panorama mode or Log Collector mode.
Addressed
10.2.8
PAN-227804
Fixed an issue where memory corruption caused the comm process to stop responding.
Addressed
10.2.8
PAN-227774
Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr.
Addressed
10.2.8
PAN-227641
Fixed an issue where Preview Changes and Change Summary did not open a new window when clicked while saving changes.
Addressed
10.2.8
PAN-227522
Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.
Addressed
10.2.8
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
10.2.8
PAN-227233
Fixed an issue where the combination signature aggregation criteria in a Vulnerability Protection profile was incorrectly blank even though a value was set.
Addressed
10.2.8
PAN-227058
Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.
Addressed
10.2.8
PAN-226935
Fixed an issue where autocommits failed due to duplicate application name entries.
Addressed
10.2.8
PAN-226860
Fixed an issue where macOS X-Auth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 re-key event.
Addressed
10.2.8
PAN-226768
Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message `User is not in allow list`. This occurred when the app was restarted or when the app attempted to reconnect after disconnection.
Addressed
10.2.8
PAN-226489
Fixed an issue where Panorama was unable to push scheduled Dynamic Updates to firewalls with the error message `Failed to add deploy job. Too many (30) deploy jobs pending for device`.
Addressed
10.2.8
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.2.8
PAN-226260
Fixed an issue where support for CBC ciphers with some authentication algorithms was only available in FIPS mode.
Addressed
10.2.8
PAN-225920
Fixed an issue where duplicate predict sessions did not release NAT resources.
Addressed
10.2.8
PAN-225228
Fixed an issue where filtering Threat logs using any value under THREAT ID/NAME displayed the error `Invalid term`.
Addressed
10.2.8
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
Addressed
10.2.8
PAN-225110
Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall processes were manually restarted or the firewalls were rebooted.
Addressed
10.2.8
PAN-225082
Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.
Addressed
10.2.8
PAN-225013
(PA-5450 firewalls only) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was on Slot 2 instead of a DPC.
Addressed
10.2.8
PAN-224955
Fixed an issue where the devsrvr process stopped responding when zone protection had more than 255 profiles.
Addressed
10.2.8
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
10.2.8
PAN-224656
Fixed an issue where the devsrvr process caused delays when Dynamic Address Groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.
Addressed
10.2.8
PAN-224405
Fixed an issue where the distributord process repeatedly stopped responding.
Addressed
10.2.8
PAN-224354
Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.
Addressed
10.2.8
PAN-224036
(PA-5450 firewalls only) Fixed an issue where a firewall with QoS configured wasn't able to send packets out of its interfaces after a reboot.
Addressed
10.2.8
PAN-223855
Fixed an issue where the `show running ippool` CLI command output displayed incorrect used and available NAT IP address pools on DIPP NAT policy rules in multidataplane firewalls.
Addressed
10.2.8
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.2.8
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
10.2.8
PAN-223481
(PA-5450 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was on PAN-OS 10.1.9-h3 or a later release.
Addressed
10.2.8
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
10.2.8
PAN-223271
Fixed an issue where the file transfer of large zipped and compressed files had the App-ID `unknown-tcp`.
Addressed
10.2.8
PAN-223263
Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.
Addressed
10.2.8
PAN-223259
Fixed an issue where selective pushes failed with the error `Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push`.
Addressed
10.2.8
PAN-223094
Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.
Addressed
10.2.8
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
Addressed
10.2.8
PAN-222533
(VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments) Added support for HA link monitoring and path monitoring.
Addressed
10.2.8
PAN-222500
Fixed an issue where an old configuration unexpectedly merged during a push from Panorama.
Addressed
10.2.8
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
Addressed
10.2.8
PAN-222253
Fixed an issue on Panorama where policy rulebase reordering under View Rulebase by Groups (Policy > <policy-rulebase>) did not persist if you reordered the policy rulebase by dragging and dropping individual policy rules and then moved the entire tag group.
Addressed
10.2.8
PAN-222089
Fixed an issue where you were unable to context switch from Panorama to the managed device.
Addressed
10.2.8
PAN-221938
Fixed an issue with network packet broker sessions where the broker session and primary session timeouts were out of sync, which caused traffic drops if the broker session timed out when the primary session was still active.
Addressed
10.2.8
PAN-221857
Fixed an issue where users were unable to log in to the GlobalProtect app using SAML authentication after upgrading to PAN-OS 10.2.3-h4, and the GlobalProtect logs displayed the following error message: `Username from SAML SSO response is different from the input`.
Addressed
10.2.8
PAN-221763
Fixed an issue on the web interface where text overlapped when editing address and prefix values using Firefox.
Addressed
10.2.8
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface wasn't installed in the routing table even when the tunnel to the branch or hub was active.
Addressed
10.2.8
PAN-221316
Fixed an issue where the useridd process memory consumption increased significantly, which caused the process to stop responding and the device to restart.
Addressed
10.2.8
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when zone protection with Strict IP was enabled and NAT Traversal was applied.
Addressed
10.2.8
PAN-221003
Fixed an issue where you were unable to uncheck firewalls in HA configurations from the device group when Group HA Peers was enabled.
Addressed
10.2.8
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.2.8
PAN-220659
Fixed an issue on the firewall where scheduled antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
10.2.8
PAN-220640
(PA-220 firewalls only) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
10.2.8
PAN-220180
Fixed an issue where configured botnet reports (Monitor > Botnet) weren't generated.
Addressed
10.2.8
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multi-device group Validate-all operation.
Addressed
10.2.8
PAN-219768
Fixed an issue where you were unable to filter data filtering logs with Threat ID/NAME for custom data patterns created over Panorama.
Addressed
10.2.8
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS (Objects > Log Forwarding) used the default Palo Alto Networks certificate instead of the configured custom certificate.
Addressed
10.2.8
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
10.2.8
PAN-219415
Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.
Addressed
10.2.8
PAN-219300
Fixed an issue where the task manager displayed only limited data.
Addressed
10.2.8
PAN-219260
(M-Series appliances only) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.
Addressed
10.2.8
PAN-219241
Fixed an issue where web content for a failed SAML login had readability and functionality issues for the GlobalProtect app.
Addressed
10.2.8
PAN-219137
(CN-Series firewalls only) Fixed an issue where firewalls did not upload files to the WildFire public cloud.
Addressed
10.2.8
PAN-218928
Fixed an issue where the reportd process stopped responding after querying logs or generating ACC reports with some filters.
Addressed
10.2.8
PAN-218671
Fixed an issue on Panorama where commits failed after downgrading the SD-WAN plugin.
Addressed
10.2.8
PAN-218663 and PAN-181876
A fix was made to address CVE-2024-2433.
Addressed
10.2.8
PAN-218611
Fixed an issue where the device telemetry region wasn't updated on the firewall when pushed from the Panorama template stack.
Addressed
10.2.8
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
10.2.8
PAN-218352
Fixed an issue where Panorama was slower than expected when WildFire deployment was scheduled every minute to a large number of devices.
Addressed
10.2.8
PAN-218331
Fixed an issue where you were unable to export or download packet captures from the firewall when context switching from Panorama.
Addressed
10.2.8
PAN-218273
Fixed an issue where TCP keepalive packets from the client to the server weren't forwarded when SSL decryption was enabled.
Addressed
10.2.8
PAN-218238
Fixed an issue where you were unable to create a file exception (Monitor > Threat Log > Detailed Log view > Create Exception), and the following error message was displayed: `no antivirus profile corresponding to threat log`.
Addressed
10.2.8
PAN-218119
Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.
Addressed
10.2.8
PAN-217831
Fixed a memory leak issue related to the logd process that occurred because a sysd object was not released.
Addressed
10.2.8
PAN-217728
Fixed an issue where uploading a certificate in a manual configuration option for SafenetHSM failed.
Addressed
10.2.8
PAN-217674
Fixed an issue where RADIUS authentication failed when the destination route of the service route was configured with an IPv4 address with more than 14 characters.
Addressed
10.2.8
PAN-217541
Fixed an issue where the useridd process stopped responding after a restart when HIP redistribution was enabled.
Addressed
10.2.8
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that weren’t addressed to itself were silently dropped instead of forwarded.
Addressed
10.2.8
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
10.2.8
PAN-217280
Fixed an issue where, when Advanced Routing was enabled, the routed process stopped responding during booting up.
Addressed
10.2.8
PAN-217272
Fixed an issue where the DNS proxy log included an excessive number of occurrences of the following error message: `Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers`
Addressed
10.2.8
PAN-217241
Fixed an issue where predict session conversion failed for RTP and RTCP traffic.
Addressed
10.2.8
PAN-217064
Fixed an issue where commits took longer than expected when the DLP plugin was configured.
Addressed
10.2.8
PAN-217024
Fixed an issue where fetching device certificates failed for internal DNS servers with the error message `ERROR Error: Could not resolve host: certificate.paloaltonetworks.com`.
Addressed
10.2.8
PAN-216647
Fixed an issue where the `sysd` node was updated at incorrect times.
Addressed
10.2.8
PAN-216214
(Panorama managed firewalls in active/active HA configurations only) Fixed an issue where the HA status displayed as Out of Sync (Panorama > Managed Devices > Health) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.2.8
PAN-216101
Fixed an issue where a memory leak related to a process and LLDP packet processing caused an OOM condition on the firewall.
Addressed
10.2.8
PAN-215857
Fixed an issue where the option to reboot the entire firewall was visible to vsys admins.
Addressed
10.2.8
PAN-215583
Fixed an issue on firewalls in HA configurations where the primary firewall went into a non-functional state due to a timeout in the `pan_comm` logs during the policy-based forwarding (PBF) parse, which caused an HA failover.
Addressed
10.2.8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.8
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor.
Addressed
10.2.8
PAN-215082
(M-300 and M-700 appliances only) Fixed an issue where Panorama generated erroneous system logs (Monitor > Logs > System) to alert that the appliance memory usage limit was reached.
Addressed
10.2.8
PAN-214987
Fixed an issue where Application Filter names weren't random, and they matched or included internal protocol names.
Addressed
10.2.8
PAN-214942
Fixed an issue where SD-WAN UDP traffic failed over to a non-member path after a flap of an SD-WAN virtual interface.
Addressed
10.2.8
PAN-214847
Fixed an issue where, when certificate authentication for admin user authentication was enabled, vulnerability scans that used usernames or passwords against the management interface reported a vulnerability due to a missing HSTS header in the Access Denied response page.
Addressed
10.2.8
PAN-214773
Fixed an issue where RTP packets traversing intervsys were dropped on the outgoing vsys.
Addressed
10.2.8
PAN-214558
Fixed an issue where overriding a Layer2/vwire subinterface on Panorama caused other subinterfaces to disappear.
Addressed
10.2.8
PAN-214336
Fixed an issue where ICMPv6 unreachable messages were sent with an unspecified source address (`::`) for VLAN interfaces.
Addressed
10.2.8
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
Addressed
10.2.8
PAN-213918
Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.
Addressed
10.2.8
PAN-213491
Fixed an issue where the management CPU was high, which caused the web interface to be slower than expected.
Addressed
10.2.8
PAN-213173
Fixed an issue where Preview Changes under Scheduled Pushes did not launch the Change Preview window.
Addressed
10.2.8
PAN-213112
Fixed an issue where executing the `show report directory-listing` CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
Addressed
10.2.8
PAN-213103
Fixed an issue where Clientless VPN access failed with the error message `temporarily unavailable` when accessing the Clientless VPN bookmarked application from the identity provider application portal.
Addressed
10.2.8
PAN-212932
Fixed an issue where the firewall went into a restart loop with the following error message: `failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB`.
Addressed
10.2.8
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.2.8
PAN-212770
Fixed an issue on the firewall where the WildFire file size limit value did not match on the web interface and the CLI.
Addressed
10.2.8
PAN-212580
(PA-7050 firewalls only) Fixed an issue where disk space filled up due to files under `/opt/var/s8/lp/log/pan/` not being properly deleted.
Addressed
10.2.8
PAN-211945
Fixed an issue where URL Filtering system logs showed the error message `CURL ERROR: bind failed with errno 124: Address family not supported by protocol` even though the PAN-DB cloud was connected.
Addressed
10.2.8
PAN-211827
Fixed an issue where Dynamic Updates failed with the following error message: `CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config`.
Addressed
10.2.8
PAN-211821
Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) interfaces caused the dataplane to go down.
Addressed
10.2.8
PAN-211384
Fixed an issue where the size of the `redisthost_1` key in the Redis database continuously increased, which caused an OOM condition.
Addressed
10.2.8
PAN-210234
Fixed an issue where a REST API call to query the template stack configuration did not return the template stack variables or device variables.
Addressed
10.2.8
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
Addressed
10.2.8
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message `User is not in allowlist` when an authentication profile was created in a shared configuration space.
Addressed
10.2.8
PAN-208085
Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked when the same sysd object was handled during the commit.
Addressed
10.2.8
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces wasn't accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Addressed
10.2.8
PAN-207003
Fixed an issue where the logrcvr process NetFlow buffer wasn't reset, which resulted in duplicate NetFlow records.
Addressed
10.2.8
PAN-206325
Fixed an issue where a renamed object was still referenced with the previous name in a Security policy rule, which caused commit failures when using the `edit` API to create the rule.
Addressed
10.2.8
PAN-206041
(PA-7050 firewalls only) Fixed an issue where the ikemgr process stopped responding.
Addressed
10.2.8
PAN-204808
(PA-400 Series, PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only) Fixed an issue where executing the CLI command `show running resource-monitor ingress-backlogs` displayed the error message `Server error : Dataplane is not up or invalid target-dp(*.dp*)`.
Addressed
10.2.8
PAN-204663
Fixed an issue on Panorama where you were unable to context switch from one managed firewall to another.
Addressed
10.2.8
PAN-202008
Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and weren’t complete.
Addressed
10.2.8
PAN-201269
Fixed an issue where commits failed with the error message `IPv6 addresses are not allowed because IPv6-firewalling is disabled` when Security policy rules had an address group with more than 1000 FQDN address objects.
Addressed
10.2.8
PAN-198190
(VM-Series firewalls only) Fixed an issue where the MTU on the management interface couldn't be configured to a value greater than 1500.
Addressed
10.2.8
PAN-197189
Fixed an issue where the RST packet wasn't sent to the client when decrypted HTTP/2 traffic was detected by custom vulnerability signatures with action reset-both.
Addressed
10.2.8
PAN-196146
(VM-Series firewalls only) Fixed an issue where hostname validation failed due to the firewall not taking the hostname provided in `init.cfg`.
Addressed
10.2.8
PAN-193484
Fixed an issue where DNS failed if the domain name started with a period.
Addressed
10.2.8
PAN-192318
Fixed an issue where executing the CLI command `show rule-hit-count device-group` displayed the error message `Server error : show rule hit count op-command failed`.
Addressed
10.2.8
PAN-186957
Fixed an issue where, in SAML Metadata Export, a drop-down did not appear in the input field when IP or Hostname was selected for Type.
Addressed
10.2.8
PAN-185286
(PA-5400 Series firewalls only) Fixed an issue on Panorama where device health resources did not populate.
Addressed
10.2.8
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.2.8
PAN-179952
Fixed an issue on Panorama where not all categories were displayed under Log settings.
Addressed
10.2.8
PAN-179260
Fixed an issue where admins and other superusers were unable to remove a commit lock that was taken by another admin user with the format <domain/user>. As a result, deleting the commit lock failed.
Addressed
10.2.8
PAN-175642
Fixed an issue where system logs to alert for support license expiry weren’t generated.
Addressed
10.2.8
PAN-98605
Fixed an issue where audit comments did not appear in the audit comments archive.
Known
10.2.9
WF500-5854
The WildFire analysis report on the firewall log viewer (Monitoring > WildFire Submissions) does not display the following data fields: File Type, SHA-256, MD-5, and File Size.
Workaround: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View.
Known
10.2.9
WF500-5843
In a WildFire appliance cluster, issuing the `show cluster-all peers` CLI command when a node within the cluster is being rebooted generates the following error: `Server error : An error occured.`
Known
10.2.9
WF500-5840
The sample analysis statistics that are returned when issuing the `show wildfire local statistics` CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.9
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: `show wildfire global signature-status`. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.9
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: `Device certificate is missing or invalid. It cannot be renewed.`
Known
10.2.9
WF500-5754
In WildFire appliance clusters, issuing the `show cluster controller` CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.9
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.9
PAN-251895
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
When Inline Cloud Analysis features are enabled, the firewall experiences a slow packet buffer leak, resulting in poor performance and dropped traffic.
Workaround:
Disable WildFire Inline Cloud Analysis and Advanced Threat Prevention Inline Cloud Analysis on the firewall.
Known
10.2.9
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.9
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin > debug elasticsearch es-restart all
Known
10.2.9
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround:
On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.9
PAN-223677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls) Enabling the Lockless QoS feature is expected to cause a slight degradation in App-ID and Threat performance.
Known
10.2.9
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
10.2.9
PAN-221775
A `Malformed Request` error is displayed when you Test Connection for an email server profile (Device > Server Profiles > Email) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.9
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
`log-start eq no`
`log-end eq no`
`log-end eq yes`
Known
10.2.9
PAN-213746
On the Panorama management server, the Hostkey is displayed as `undefined undefined` if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
10.2.9
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP): `show -> dis-block-table is unexpected`
Known
10.2.9
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying `no data to display` when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.9
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.9
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
10.2.9
PAN-209288
Certificates are not successfully generated using SCEP (Device > Certificate Management > SCEP).
Known
10.2.9
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you attach an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).
Known
10.2.9
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.2.9
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
10.2.9
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.9
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.9
PAN-194519
(PA-5450 firewall only) Trying to configure a custom payload format under Device > Server Profiles > HTTP yields a JavaScript error.
Known
10.2.9
PAN-194515
(PA-5450 firewall only) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device > Setup > Log Interface > IP Address.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.9
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command: `debug software restart process log-receiver`
Known
10.2.9
PAN-194202
(PA-5450 firewall only) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.9
PAN-190727
(PA-5450 firewall only) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator's Guide.
Known
10.2.9
PAN-189111
After an MP pod is deleted and comes back up, the `show routing` command output appears empty and traffic stops working.
Known
10.2.9
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.9
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.9
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
10.2.9
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the SCTP INIT option available on the web interface.
Known
10.2.9
PAN-187612
On the Panorama management server, not all data profiles (Objects > DLP Data Filtering Profiles) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.9
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.9
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.9
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
10.2.9
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.9
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit
    .
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
10.2.9
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.9
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
10.2.9
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
10.2.9
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.9
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.9
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to the CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.9
PAN-178194
A user interface issue in PAN-OS renders the contents of the
Inline ML
tab in the
URL Filtering Profile
inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.9
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.9
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.9
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.9
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.2.9
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
10.2.9
PAN-164885
This issue is now resolved. See
PAN-OS 10.2.10 Addressed Issues
.
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.9-h1
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
10.2.9
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
10.2.9
PAN-247403
(
VM-Series firewalls only
) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
10.2.9
PAN-246431
Fixed an issue where a
Push to Device
operation remained at the state
None
when performing a selective push to device groups and templates that included both connected and disconnected firewalls.
Addressed
10.2.9
PAN-245701
Fixed an issue where the returned values to SNMP requests for data port statistics were incorrect.
Addressed
10.2.9
PAN-244836
A knob was introduced to toggle the default behavior of BGP in the Advanced Routing stack to not suppress duplicate updates. By default, the prefix updates are suppressed for optimization.
Addressed
10.2.9
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.2.9
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
10.2.9
PAN-242910
Fixed an issue where a non-Superuser admin with a custom role was unable to push to firewalls.
Addressed
10.2.9
PAN-242627
Fixed an issue where selective push did not work.
Addressed
10.2.9
PAN-241018
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed a Dataplane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event.
Addressed
10.2.9
PAN-240066
Fixed a duplicate MAC address issue where an Ethernet interface sent out Gratuitous ARP (GARP) messages for an IP address that was not configured on it.
Addressed
10.2.9
PAN-239722
Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.
Addressed
10.2.9
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.2.9
PAN-237991
Fixed an issue where the log collector sent fewer logs than expected to the syslog server.
Addressed
10.2.9
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
10.2.9
PAN-233684
Fixed an issue on Panorama where
Push to Devices
or
Commit and Push
operations took longer than expected on the web interface.
Addressed
10.2.9
PAN-231439
Fixed an issue where, when a VoIP call using dynamic IP and NAT was put on hold, the audio became one-way due to early termination of NAT ports.
Addressed
10.2.9
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the
Policy
page more slowly than expected.
Addressed
10.2.9
PAN-228515
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.9
PAN-224500
Fixed an issue where IPv6 addresses in XFF were displayed in Traffic logs.
Addressed
10.2.9
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in
snmpwalk
timeouts.
Addressed
10.2.9
PAN-215430
Fixed an issue where dynamic IP address NAT with SIP intermittently failed to convert RTP Predict sessions.
Addressed
10.2.9
PAN-212553
Fixed an issue where the ikemgr process stopped responding due to memory corruption, which caused VPN tunnels to go down.
Addressed
10.2.9
PAN-207092
Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.
Known
10.2.10
WF500-5854
The WildFire analysis report on the firewall log viewer (
Monitoring
WildFire Submissions
) does not display the following data fields: File Type, SHA-256, MD-5, and File Size.
Workaround: Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the
Detailed Log View
.
Known
10.2.10
WF500-5843
In a WildFire appliance cluster, issuing the
show cluster-all peers
CLI command when a node within the cluster is being rebooted generates the following error:
Server error : An error occured.
Known
10.2.10
WF500-5840
The sample analysis statistics that are returned when issuing the
show wildfire local statistics
CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.10
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected:
show wildfire global signature-status
. This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.10
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.10
WF500-5754
In WildFire appliance clusters, issuing the
show cluster controller
CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround:
Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.10
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.10
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.10
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (
Panorama
Managed Collector
) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin > debug elasticsearch es-restart all
Known
10.2.10
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround:
On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.10
PAN-223677
(
PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls
) Enabling the Lockless QoS feature causes a slight degradation in App-ID and Threat performance.
Known
10.2.10
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
10.2.10
PAN-221775
A
Malformed Request
error is displayed when you
Test Connection
for an email server profile (
Device
Server Profiles
Email
) using
SMTP over TLS
and the
Password
includes an ampersand (&).
Known
10.2.10
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.10
PAN-213746
On the Panorama management server, the
Hostkey
displayed as
undefined undefined
if you override an SSH Service Profile (
Device
Certificate Management
SSH Service Profile
) Hostkey configured in a Template from the Template Stack.
Known
10.2.10
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
10.2.10
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.10
PAN-212533
Modifying the
Administrator Type
for an existing administrator (
Device
Administrators
or
Panorama
Administrators
) from
Superuser
to a
Role-Based
custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.10
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
10.2.10
PAN-209288
Certificates are not successfully generated using SCEP (
Device
Certificate Management
SCEP
).
Known
10.2.10
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (
Objects
DLP
Data Filtering Profiles
) with the Action set to
Block
to a Security policy rule (
Policies
Security
).
Known
10.2.10
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
10.2.10
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions having been made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
10.2.10
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.10
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround: Retry the operation.
Known
10.2.10
PAN-194519
(
PA-5450 firewall only
) Trying to configure a custom payload format under
Device
Server Profiles
HTTP
yields a JavaScript error.
Known
10.2.10
PAN-194515
(
PA-5450 firewall only
) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under
Device
Setup
Log Interface
IP Address
.
Workaround:
Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.10
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
10.2.10
PAN-194202
(
PA-5450 firewall only
) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.10
PAN-190727
(
PA-5450 firewall only
) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.10
PAN-189111
After an MP pod is deleted and comes back up, the
show routing
command output appears empty and traffic stops working.
Known
10.2.10
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround:
Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.10
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.10
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
10.2.10
PAN-187643
If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection
is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the
SCTP INIT
option is not available in the Zone Protection profile.
Workaround:
Log out of the firewall and log in again to make the
SCTP INIT
option available on the web interface.
Known
10.2.10
PAN-187612
On the Panorama management server, not all data profiles (
Objects
DLP Data Filtering Profiles
) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround:
Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.10
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.10
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, the management daemon and the main routing daemon on the firewall terminate during commit.
Workaround: Do not use a logical router instance with no interfaces bound to it.
Known
10.2.10
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use
Commit
Push to Devices
to synchronize the templates.
Known
10.2.10
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround:
Reboot the Panorama HA pair.
Known
10.2.10
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit
    .
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
10.2.10
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.10
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
10.2.10
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
10.2.10
PAN-181823
On a PA-5400 Series firewall (except the PA-5450), setting the peer port to a forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.10
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity (
Device
Setup
Management
) to a managed firewall erroneously displays
commit time out
as the reason the commit failed.
Known
10.2.10
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to the CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.10
PAN-178194
A user interface issue in PAN-OS renders the contents of the
Inline ML
tab in the
URL Filtering Profile
inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a
License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround:
Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model:
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.10
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.10
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.10
PAN-174982
In HA active/active configurations, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.10
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround:
Issue the following command to retrieve and update the licenses:
license request fetch
.
Known
10.2.10
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Addressed
10.2.10
PAN-257197
Fixed an issue where
ifType
and
ifSpeed
were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.10
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.10
PAN-255868
(
PA-3400 Series firewalls only
) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
10.2.10
PAN-255396
Fixed an issue where, when using serial number and IP address authentication, and multiple gateways were configured, the portal returned the last gateway in the list and disregarded the satellite assignment by serial number.
Addressed
10.2.10
PAN-253317
(
VM-Series firewalls on Microsoft Azure environments only
) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.2.10
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
10.2.10
PAN-251895
Fixed an issue where enabling inline Cloud Analysis features caused a slow packet buffer leak, which resulted in performance issues and dropped traffic.
Addressed
10.2.10
PAN-251639
Fixed a memory leak issue related to the varrcvr process that resulted in an OOM condition.
Addressed
10.2.10
PAN-251563
Added a CPLD enhancement to capture external power issues.
Addressed
10.2.10
PAN-251013
Fixed an issue on the web interface where the
Virtual Router
and
Virtual System
configurations for the template incorrectly showed as
none
.
Addressed
10.2.10
PAN-250020
Fixed an issue where MLC2 verdict retrieval failed due to a regression in loopback data flag handling.
Addressed
10.2.10
PAN-248130
Fixed an issue where the
AND
operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
10.2.10
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.2.10
PAN-246976
Fixed an issue with unbalanced NAT session distribution with multidataplane firewalls when persistent-dipp was enabled.
Addressed
10.2.10
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the WildFire private cloud due to an
Unsupported protocol
error.
Addressed
10.2.10
PAN-245850
Fixed an issue on Panorama appliances in active/passive HA configurations where the firewalls entered an HA out-of-sync status and jobs failed on the passive appliance with the error message
Could not merged running config from file
.
Addressed
10.2.10
PAN-245842
Fixed an issue with the syn-cookie option where traffic unexpectedly stopped during packet exchange.
Addressed
10.2.10
PAN-245690
Fixed an issue where the managed collectors health status on Panorama displayed as empty.
Addressed
10.2.10
PAN-245125
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
10.2.10
PAN-244907
Fixed an issue where ports did not go down when moving from an active state to a suspended state.
Addressed
10.2.10
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
10.2.10
PAN-244648
(
PA-5200 Series only
) Fixed an issue where the firewall did not boot up after a factory reset, and, with FIPS mode enabled, the firewall rebooted into maintenance mode.
Addressed
10.2.10
PAN-244622
Fixed an issue where FIB repush did not work with Advanced Routing enabled.
Addressed
10.2.10
PAN-244013
Fixed an issue where the web interface did not display newly added antispyware signatures or Vulnerability signatures.
Addressed
10.2.10
PAN-242893
Fixed an issue where the verdict for www.googleapis.com displayed the message
not-resolved
.
Addressed
10.2.10
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for the DNS-Base application.
Addressed
10.2.10
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
10.2.10
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
10.2.10
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
10.2.10
PAN-240368
Fixed an issue where Authentication Portal redirection for HTTPS websites did not work when
Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic
was enabled.
Addressed
10.2.10
PAN-240347
Fixed an issue with the web interface where the
Dashboard
and a
Device Group
policy rule took longer than expected to load.
Addressed
10.2.10
PAN-240225
Fixed an issue where authentication failed on the web-based GlobalProtect portal.
Addressed
10.2.10
PAN-239662
Fixed an issue where the NSSA default route from the firewall was not generated for advertisement during a graceful restart, even though the backbone area default route was advertised.
Addressed
10.2.10
PAN-239354
Fixed an issue where DNS resolution was delayed when an antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
10.2.10
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN Ethernet connection state still showed
UP/path-monitor
due to the Active URL SaaS monitor connection state remaining UP/path-monitor.
Addressed
10.2.10
PAN-237608
Fixed an issue where a NetFlow export truncated the source username.
Addressed
10.2.10
PAN-236133
Fixed an issue where SSL traffic was impacted when
SSL Command and Control detector
for Inline Cloud Analysis was set to
reset-both
,
reset-client
,
reset-server
, or
drop
.
Addressed
10.2.10
PAN-232550
Fixed an issue where SNMP query responses were slower than expected.
Addressed
10.2.10
PAN-231642
Fixed an issue on the Panorama web interface where users who were logged in through multiple sessions were able to see an active lock on only one session.
Addressed
10.2.10
PAN-229115
Fixed an issue on the web interface where the screen was blank after logging in to Panorama.
Addressed
10.2.10
PAN-226108
Fixed an issue where the masterd process was unable to start or stop the sysd process.
Addressed
10.2.10
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.2.10
PAN-223914
Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.
Addressed
10.2.10
PAN-223418
Fixed an issue where heartbeats to the brdagent process were lost, resulting in the process not responding, which caused the firewall to reboot.
Addressed
10.2.10
PAN-221041
Fixed an issue where the following error message was seen frequently in the system logs:
Clearing snmpd.log due to log overflow
.
Addressed
10.2.10
PAN-216941
(
Panorama appliances in Log Collector mode only
) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.2.10
PAN-164885
Fixed an issue on Panorama where
Commit and Push
or
Push to Devices
operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic list fetch processes overlapping.
Known
11.0.0
WF500-5632
The number of registered WildFire appliances reported in Panorama (
Panorama
Managed WildFire Appliances
Firewalls Connected
View
) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.0
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.0
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
Known
11.0.0
PAN-242910
On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.0.0
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.0
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
11.0.0
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
11.0.0
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.0
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.0
PAN-225337
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and a vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting that applies to all managed firewalls and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific objects.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.0.0
PAN-223488
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.0.0
PAN-223365
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
11.0.0
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
11.0.0
PAN-222253
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.0.0
PAN-221015
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.0.0
PAN-220180
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
Configured botnet reports (Monitor > Botnet) are not generated.
Known
11.0.0
PAN-219644
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.0.0
PAN-218521
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.0.0
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.0.0
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
11.0.0
PAN-215778
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance:
504 Gateway timeout
Known
11.0.0
PAN-215082
M-300 and M-700 appliances may generate erroneous system logs (Monitor > Logs > System) to alert that the M-Series appliance memory usage limits are reached.
Known
11.0.0
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.0
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
11.0.0
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.0
PAN-212533
Modifying the Administrator Type for an existing administrator (Device > Administrators or Panorama > Administrators) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
11.0.0
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
11.0.0
PAN-209937
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.
Administrator accounts that use certificate-based authentication may be unable to log in to the Panorama or firewall web interface, with the following error:
Bad Request - Your browser sent a request that this server could not understand
Known
11.0.0
PAN-208325
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (Device > Setup > Management or Panorama > Setup > Management).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-415 and PA-445 Firewalls
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-1400 Series
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5440 Firewall
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin> request certificate fetch
Known
11.0.0
PAN-208189
This issue is now resolved. See PAN-OS 11.0.1-h2 Addressed Issues.
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
11.0.0
PAN-207770
Data filtering logs (Monitor > Logs > Data Filtering) incorrectly display the traffic Direction as server-to-client instead of client-to-server for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (Objects > DLP > Data Filtering Patterns) in an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles).
Known
11.0.0
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.0
PAN-207629
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
11.0.0
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new Tag (Panorama > Managed Devices > Summary), the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.0
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.0
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.0
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
11.0.0
PAN-206416
On the Panorama management server, no data filtering log (Monitor > Logs > Data Filtering) is generated when the managed firewall loses connectivity to the following cloud services and, as a result, fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.0
PAN-206315
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show session info CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.0
PAN-206253
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.
For PA-1400 and PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
11.0.0
PAN-206005
This issue is now resolved. See PAN-OS 11.0.1 Addressed Issues.
(PA-1400 Series, PA-3400 Series, and PA-5440 firewalls only) The I7_misc memory pool on these platforms is undersized and can cause a loss of connectivity when reaching the limit of the memory pool. Certain features, like using a decryption profile with Strip ALPN disabled, can lead to depleting the memory pool and causing a connection loss.
Workaround:
Disable HTTP2 by enabling Strip ALPN in the decryption profile or avoid usage of the I7_misc memory pool.
Known
11.0.0
PAN-205255
This issue is now resolved. See PAN-OS 11.0.1 Addressed Issues.
There is a rare PAN-OS issue that causes the dataplane to restart unexpectedly.
Known
11.0.0
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround:
Log in to the Panorama CLI and start the PAN-OS software.
admin> request restart software
Known
11.0.0
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.0
PAN-204615
This issue is now resolved. See PAN-OS 11.0.0 Known Issues.
BGP sessions can flap even when an unrelated configuration is committed. This results in the BGP session going down and getting established again. As a result, BGP routes get exchanged again, which can lead to momentary traffic disruption if BGP routes were in use for establishing traffic.
Known
11.0.0
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.0
PAN-201855
On the Panorama management server, cloning any template (Panorama > Templates) corrupts certificates (Device > Certificate Management > Certificates) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have templates A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with the Block Private Key Export setting enabled in templates A and B.
Workaround:
After cloning a template, delete and re-import the corrupted certificates.
Known
11.0.0
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the Active Panorama HA peer.
Known
11.0.0
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.0
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.0.0
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.0
PAN-196146
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt file or in user data) when bootstrapped.
Known
11.0.0
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error whose content depends on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message does not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message includes the interface name.
Known
11.0.0
PAN-195568
When PAN-OS 11.0 is installed on multiple data plane platforms, users are unable to connect to the GlobalProtect portal or gateway.
Known
11.0.0
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or earlier release back to Panorama and the following error is displayed:
Could not find start token '@start@'
Known
11.0.0
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.0.0
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.0
PAN-192282
This issue is now resolved. See PAN-OS 11.0.1 Addressed Issues.
(PA-415 and PA-445 firewalls only) In 1G mode, the MGT and Ethernet 1/1 port LEDs glow amber instead of green.
Known
11.0.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.0.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.0
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround:
Use Commit > Push to Devices to synchronize the templates.
Known
11.0.0
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.0.0
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.0.0
PAN-182734
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
11.0.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.0
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
11.0.0
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.0-h3
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.0.0-h2
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate.
  • Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.0.0-h2
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.0.0-h2
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.0.0-h2
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.0.0-h2
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.0.0-h1
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.0.0-h1
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.0.0
PAN-207505
Fixed an issue where Email schedules (Monitor > PDF Reports > Email Scheduler) were not supported for SaaS Application Usage (Monitor > PDF Reports > SaaS Application Usage) reports.
Addressed
11.0.0
PAN-204615
Fixed an issue where BGP sessions could flap even when an unrelated configuration was committed. This resulted in the BGP session going down and getting established again. As a result, BGP routes were exchanged again, which could lead to momentary traffic disruption if BGP routes were in use for establishing traffic.
Addressed
11.0.0
PAN-202783
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
11.0.0
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
11.0.0
PAN-199726
Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.
Addressed
11.0.0
PAN-199654
Fixed an issue where ACC reports did not work for custom RBAC users when more than 12 access domains were associated with the username.
Addressed
11.0.0
PAN-198733
(PA-5450 firewalls only) Fixed an issue where tcpdump was hardcoded to eth0 instead of bond0.
Addressed
11.0.0
PAN-198332
(PA-5400 Series only) Fixed an issue where swapping Network Processing Cards (NPCs) caused high root partition use.
Addressed
11.0.0
PAN-198244
Fixed an issue where using the load config partial CLI command with x-paths removed address object entries from address groups.
Addressed
11.0.0
PAN-197383
Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after every reboot.
Addressed
11.0.0
PAN-197341
Fixed an issue on Panorama where, when you created multiple device group objects with the same name in the shared device group and any additional device groups (Panorama > Device Groups) under the same device group hierarchy that were used in one or more policies, renaming the object with a shared name in any device group caused the object name to change in the policies that it was used in. This issue occurred with device group objects that were referenced in a Security policy rule.
Addressed
11.0.0
PAN-196558
Fixed an issue where IP address tag policy updates were delayed.
Addressed
11.0.0
PAN-196398
(PA-7000 Series SMC-B firewalls only) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
Addressed
11.0.0
PAN-194615
Fixed an issue where the packet broker session timeout value did not match the master session timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that the broker session times out within 1 second after the master session has timed out.
Addressed
11.0.0
PAN-194152
(PA-5410, PA-5420, PA-5430, and PA-5440 firewalls in HA configurations only) Fixed an issue where HA1-A and HA1-B port information did not match the front panel mappings.
Addressed
11.0.0
PAN-189270
Fixed an issue that caused a memory leak on the reportd process.
Addressed
11.0.0
PAN-188096
(VM-Series firewalls only) Fixed an issue where, on firewalls licensed with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering was unable to be established.
Addressed
11.0.0
PAN-171714
Fixed an issue where, when NetBIOS format (domain\user) was used for the IP address-to-username mapping and the firewall received the group mapping information from the Cloud Identity Engine, the firewall did not match the user to the correct group.
Known
11.0.1
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.1
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
11.0.1
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.1
PAN-242910
On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.0.1
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.1
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
11.0.1
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
11.0.1
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.1
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.1
PAN-225337
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices—This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence—This option specifies that, when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.0.1
PAN-223488
This issue is now resolved. See
PAN-OS 11.0.3 Addressed Issues
.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.0.1
PAN-223365
This issue is now resolved. See
PAN-OS 11.0.4 Addressed Issues
.
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
11.0.1
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (
Device
Log Settings
) are not displayed and cannot be configured.
Known
11.0.1
PAN-222253
This issue is now resolved. See
PAN-OS 11.0.5 Addressed Issues
.
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.0.1
PAN-221126
This issue is now resolved. See
PAN-OS 11.0.3 Addressed Issues
.
Email server profiles (
Device
Server Profiles
Email
and
Panorama
Server Profiles
Email
) to forward logs as email notifications are not forwarded in a readable format.
Workaround:
Use a
Custom Log Format
to forward logs as email notifications in a readable format.
Known
11.0.1
PAN-221015
This issue is now resolved. See
PAN-OS 11.0.4 Addressed Issues
.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.0.1
PAN-220180
This issue is now resolved. See
PAN-OS 11.0.3 Addressed Issues
.
Configured botnet reports (
Monitor
Botnet
) are not generated.
Known
11.0.1
PAN-220176
(PAN-OS 11.0.1-h2 hotfix) System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.0.1
PAN-219644
This issue is now resolved. See
PAN-OS 11.0.3 Addressed Issues
.
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.0.1
PAN-218521
This issue is now resolved. See
PAN-OS 11.0.5 Addressed Issues
.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.0.1
PAN-217307
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.0.1
PAN-216821
This issue is now resolved. See
PAN-OS 11.0.2 Addressed Issues
.
The
reportd
process crashes after you successfully upgrade an M-200 appliance to PAN-OS 10.2.4.
Known
11.0.1
PAN-216314
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the CLI command
debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0
to set the value to zero (0).
Known
11.0.1
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (
Device
High Availability
) in a template or template stack (
Panorama
Templates
), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go
Out of Sync
.
Known
11.0.1
PAN-215778
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance:
504 Gateway timeout
Known
11.0.1
PAN-215082
M-300 and M-700 appliances may generate erroneous system logs (
Monitor
Logs
System
) to alert that the M-Series appliance memory usage limits are reached.
Known
11.0.1
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.1
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (
Monitor
Block IP
):
show -> dis-block-table is unexpected
Known
11.0.1
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (
Monitor
App Scope
Threat Monitor
) and
ACC
. This results in the ACC displaying
no data to display
when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.1
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when
Push All Changes
and
Push for Other Admins
are disabled in the admin role profile (
Panorama
Admin Roles
).
Known
11.0.1
PAN-209937
This issue is now resolved. See
PAN-OS 11.0.2 Addressed Issues
.
Certificate-based authentication for administrator accounts may be unable to log into the Panorama or firewall web interface with the following error:
Bad Request - Your browser sent a request that this server could not understand
Known
11.0.1
PAN-208325
This issue is now resolved. See
PAN-OS 11.0.2 Addressed Issues
.
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (
Device
Setup
Management
or
Panorama
Setup
Management
).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-415 and PA-445 Firewalls
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-1400 Series
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5440 Firewall
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin> request certificate fetch
Known
11.0.1
PAN-208189
This issue is now resolved. See
PAN-OS 11.0.1-h2 Addressed Issues
.
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
11.0.1
PAN-207770
Data filtering logs (
Monitor
Logs
Data Filtering
) incorrectly display the traffic Direction as
server-to-client
instead of
client-to-server
for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (
Objects
DLP
Data Filtering Patterns
) in an Enterprise DLP data filtering profile (
Objects
DLP
Data Filtering Profiles
).
Known
11.0.1
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.1
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new
Tag
(
Panorama
Managed Devices
Summary
) the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.1
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.1
PAN-207442
For M-700 appliances in an active/passive high availability (
Panorama
High Availability
) configuration, the
active-primary
HA peer configuration sync to the
secondary-passive
HA peer may fail. When the config sync fails, the job Results is
Successful
(
Tasks
), however the sync status on the
Dashboard
displays as
Out of Sync
for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.0.1
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.1
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the
request dhcp client ipv6 release all
CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.1
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
11.0.1
PAN-206416
On the Panorama management server, no data filtering log (
Monitor
Logs
Data Filtering
) is generated when the managed firewall loses connectivity to the following cloud services, and as a result fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.1
PAN-206315
(
PA-1420 firewall only
) In an active/passive high availability (HA) configuration, the
show session info
CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.1
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.1
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
11.0.1
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.1
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the
configd
process restarts due to a memory leak on the
Active
Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround:
Manually reboot the
Active
Panorama HA peer.
Known
11.0.1
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.1
PAN-197419
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, the power over Ethernet (PoE) ports do not display a
Tag
value.
Known
11.0.1
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.1
PAN-196146
This issue is now resolved. See
PAN-OS 11.0.5 Addressed Issues
.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt or user data) when bootstrapped.
Known
11.0.1
PAN-195968
(
PA-1400 Series firewalls only
) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.0.1
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or earlier release back to Panorama and the following error is displayed:
Could not find start token '@start@'
Known
11.0.1
PAN-194978
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, hovering the mouse over a power over Ethernet (PoE)
Link State
icon does not display link speed and link duplex details.
Known
11.0.1
PAN-194424
(
PA-5450 firewall only
) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
11.0.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.1
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.0.1
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.0.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.0.1
PAN-182734
This issue is now resolved. See
PAN-OS 11.0.2 Addressed Issues
.
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
11.0.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.1
PAN-171938
No results are displayed when you
Show Application Filter
for a Security policy rule (
Policies
Security
Application
Value
Show Application Filter
).
Known
11.0.1
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.1-h4
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.0.1-h3
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate.
  • Fetching device certificates failed incorrectly with the error message
    OTP is not valid
    .
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.0.1-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.0.1-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.0.1-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.0.1-h3
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.0.1-h2
PAN-217431
(
PA-5400 Series firewalls with DPC (Data Processing Cards) only
) Fixed an issue with slot 2 DPCs where URL filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
11.0.1-h2
PAN-216710
Fixed an issue with firewalls in active/active high availability (HA) configurations where GlobalProtect disconnected when the original suspected Active-Primary firewall became Active-Secondary.
Addressed
11.0.1-h2
PAN-215899
Fixed an issue with Panorama appliances in HA configurations where configuration synchronization between the HA peers failed.
Addressed
11.0.1-h2
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
11.0.1-h2
PAN-215461
Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.
Addressed
11.0.1-h2
PAN-211870
Fixed an issue where path monitoring failure occurred, which caused high availability failover.
Addressed
11.0.1-h2
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port
.
Addressed
11.0.1-h2
PAN-210607
Fixed an issue where enabling Inline Cloud Analysis on Anti-Spyware, Vulnerability Protection, or URL Filtering Security profiles caused the dataplane to stop responding.
Addressed
11.0.1-h2
PAN-208189
Fixed an issue where traffic failed to match and reach all destinations if a Security policy rule included FQDN objects that resolve to two or more IP addresses.
Addressed
11.0.1-h2
PAN-206007
Fixed an issue where a debug command generated an incomplete core file.
Addressed
11.0.1-h2
PAN-202450
Fixed an issue where the
device-client-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.0.1
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
11.0.1
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
11.0.1
PAN-215488
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Addressed
11.0.1
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
Addressed
11.0.1
PAN-210513
Fixed an issue where Captive Portal authentication via SAML did not work.
Addressed
11.0.1
PAN-210481
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
11.0.1
PAN-210449
Fixed an issue where the values for shared objects used in policy rules were not displayed on multi-vsys firewalls when pushed from Panorama.
Addressed
11.0.1
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Cortex Data Lake with the error message
send the file to CDL receiver failed
.
Addressed
11.0.1
PAN-210327
(
PA-5200 Series firewalls only
) Fixed an issue where upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.
Addressed
11.0.1
PAN-210237
Fixed an issue where system logs generated by Panorama for commit operations showed the severity as
High
instead of
Informational
.
Addressed
11.0.1
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
Addressed
11.0.1
PAN-209799
Fixed an issue where logging was not disabled on passive nodes, which caused the
logrcvr
to stop responding.
Addressed
11.0.1
PAN-209491
Fixed an issue on the web interface where the
Session Expire Time
displayed a past date if the device time was in December.
Addressed
11.0.1
PAN-209069
Fixed an issue where IP addresses in the
X-Forwarded-For
(XFF) field were not logged when the IP address contained an associated port number.
Addressed
11.0.1
PAN-209036
Fixed an issue where the dataplane restarted, which led to slot failures occurring and a core file being generated.
Addressed
11.0.1
PAN-208987
(
PA-5400 Series only
) Fixed an issue where packets were not transmitted from the firewall if its fragments were received on different slots. This occurred when aggregate ethernet (AE) members in an AE interface were placed on a different slot.
Addressed
11.0.1
PAN-208922
A fix was made to address an issue where an authenticated administrator was able to commit a specifically created configuration to read local files and resources from the system (CVE-2023-38046).
Addressed
11.0.1
PAN-208930
(
PA-7000 Series firewalls only
) Fixed an issue where auto-tagging in log forwarding did not work.
Addressed
11.0.1
PAN-208902
Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as
aged-out
instead of
tcp-fin
.
Addressed
11.0.1
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
11.0.1
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
11.0.1
PAN-208711
(
PA-5200 Series firewalls only
) The CLI command
debug dataplane set pow no-desched yes/no
was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
11.0.1
PAN-208537
Fixed an issue where the
licensed-device-capacity
was reduced when multiple device management license key files were present.
Addressed
11.0.1
PAN-208525
Fixed an issue where Security policy rules with user groups did not match when Kerberos authentication was configured for explicit proxy.
Addressed
11.0.1
PAN-208485
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Addressed
11.0.1
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
Addressed
11.0.1
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
Addressed
11.0.1
PAN-207940
Fixed an issue where, on platforms with RAID, disk checks were performed weekly, which caused logs to incorrectly state that RAID was rebuilding.
Addressed
11.0.1
PAN-207740
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
11.0.1
PAN-207738
Fixed an issue where the
ocsp-next-update-time
CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
Addressed
11.0.1
PAN-207663
Fixed a Clientless VPN issue where JSON stringify caused issues with the application rewrite.
Addressed
11.0.1
PAN-207629
Fixed an issue where a selective push to firewalls failed if the firewalls were enabled with multiple vsys and the push scope contained shared objects in device groups.
Addressed
11.0.1
PAN-207610
(
PA-5200 Series and PA-7000 Series firewalls only
) Fixed an issue where
Log Admin Activity
was not visible on the web interface.
Addressed
11.0.1
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
Addressed
11.0.1
PAN-207426
Fixed an issue where a selective push did not include the
Share Unused Address and Service Objects with Devices
option on Panorama, which caused the firewall to not receive the objects during the configuration push.
Addressed
11.0.1
PAN-207400
Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Addressed
11.0.1
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
Addressed
11.0.1
PAN-207260
A commit option was enabled for Device Group and Template administrators after a password change.
Addressed
11.0.1
PAN-207045
(
PA-800 Series firewalls only
) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
Addressed
11.0.1
PAN-206963
(
M-700 Appliances only
) A CLI command was added to check the status of each physical port of a bond1 interface.
Addressed
11.0.1
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
Addressed
11.0.1
PAN-206755
Fixed an issue where, when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.
Addressed
11.0.1
PAN-206684
(
PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only
) Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0 release to a PAN-OS 10.1 release, the firewall did not duplicate logs to local log collectors or to Cortex Data Lake when a device certificate was already installed.
Addressed
11.0.1
PAN-206658
Fixed a timeout issue in the Intel
ixgbe
driver that resulted in internal path monitoring failure.
Addressed
11.0.1
PAN-206466
Fixed an issue where the push scope was displaying duplicate shared objects for each device group that were listed under the
shared-object
group.
Addressed
11.0.1
PAN-206393
(
PA-5280 firewalls only
) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
Addressed
11.0.1
PAN-206382
Fixed an issue where authentication sequences were not populated in the drop down when selecting authentication profiles during administrator creation in a template.
Addressed
11.0.1
PAN-206251
(
PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only
) Fixed an issue where the logrcvr process did not send the
system-start
SNMP trap during startup.
Addressed
11.0.1
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
Addressed
11.0.1
PAN-206128
(
PA-7000 Series firewalls with NPCs (Network Processing Cards) only
) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message:
Power not OK
.
Addressed
11.0.1
PAN-206069
Fixed an issue where the firewall was unable to boot up on older Intel CPUs.
Addressed
11.0.1
PAN-206017
Fixed an issue where the
show dos-protection rule
command displayed a character limit error.
Addressed
11.0.1
PAN-206005
(
PA-1400 Series, PA-3400 Series, and PA-5440 firewalls only
) Fixed an issue where the
l7_misc
memory pool was undersized and caused connectivity loss when the limit was reached.
Addressed
11.0.1
PAN-205877
(
PA-5450 firewalls only
) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
Addressed
11.0.1
PAN-205829
Fixed an issue where logs did not display
Host-ID
details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Addressed
11.0.1
PAN-205804
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple
UploadInstall
jobs per minute.
Addressed
11.0.1
PAN-205729
(
PA-3200 Series and PA-7000 Series firewalls only
) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
Addressed
11.0.1
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
Addressed
11.0.1
PAN-205698
Fixed an issue where GlobalProtect authentication did not work on Apple MacOS devices when the authentication method used was CIE with SAML Authentication.
Addressed
11.0.1
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
Addressed
11.0.1
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Addressed
11.0.1
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
Addressed
11.0.1
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
Addressed
11.0.1
PAN-205255
Fixed a rare issue that caused the dataplane to restart unexpectedly.
Addressed
11.0.1
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
11.0.1
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs (Monitor > Logs > <logtype>).
Addressed
11.0.1
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
Addressed
11.0.1
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
11.0.1
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
Addressed
11.0.1
PAN-204575
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the firewall did not forward logs to the log collector.
Addressed
11.0.1
PAN-204572
Fixed an issue where Python scripts were not working as expected.
Addressed
11.0.1
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
Addressed
11.0.1
PAN-204335
Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.
Addressed
11.0.1
PAN-203964
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error.
Addressed
11.0.1
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
Addressed
11.0.1
PAN-203681
(Panorama appliances in FIPS-CC mode only) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
Addressed
11.0.1
PAN-203663
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Addressed
11.0.1
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
Addressed
11.0.1
PAN-203430
Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
Addressed
11.0.1
PAN-203339
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
Addressed
11.0.1
PAN-203147
(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
Addressed
11.0.1
PAN-203137
(PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
11.0.1
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
11.0.1
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
Addressed
11.0.1
PAN-201701
Fixed an issue where the firewall generated system log alerts if the RAID for a system or log disk was corrupted.
Addressed
11.0.1
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
Addressed
11.0.1
PAN-200845
(M-600 Appliances in Management-only mode only) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
Addressed
11.0.1
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
Addressed
11.0.1
PAN-200116
Fixed an issue where Elasticsearch displayed red due to frequent tunnel check failures between HA clusters.
Addressed
11.0.1
PAN-199965
Fixed an issue where the reportd process stopped responding on log collectors during query and report operations due to a race condition between request handling threads.
Addressed
11.0.1
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
Addressed
11.0.1
PAN-196597
Fixed an issue where the dnsproxyd process stopped responding due to corruption.
Addressed
11.0.1
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
Addressed
11.0.1
PAN-198266
Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane to stop responding when converting the predict. This resulted in a dataplane restart.
Addressed
11.0.1
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
11.0.1
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
Addressed
11.0.1
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
Addressed
11.0.1
PAN-196410
Fixed an issue where you were unable to customize the risk value in Risk-of-app.
Addressed
11.0.1
PAN-195756
Fixed an issue that caused an API request timeout when parsing requests using large header buffers.
Addressed
11.0.1
PAN-194805
Fixed an issue where scheduled configuration backups to the SCP server failed with the error message No ECDSA host key is known.
Addressed
11.0.1
PAN-194068
(PA-5200 Series firewalls only) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously.
Addressed
11.0.1
PAN-192513
Fixed an issue where log migration did not work when converting a Legacy mode Panorama appliance to Log Collector mode.
Addressed
11.0.1
PAN-192282
(PA-415 and PA-445 firewalls only) Fixed an issue where, in 1G mode, the MGT and Ethernet 1/1 port LEDs incorrectly displayed as amber instead of green.
Addressed
11.0.1
PAN-191222
Fixed an issue where Panorama became inaccessible after a push to the collector group.
Addressed
11.0.1
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the neq operator.
Addressed
11.0.1
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
Addressed
11.0.1
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
Addressed
11.0.1
PAN-186412
Fixed an issue where an invalid packet-ptr was seen in work entries.
Addressed
11.0.1
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
11.0.1
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP address header checksum was not dropped.
Addressed
11.0.1
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh.
Addressed
11.0.1
PAN-179174
Fixed an issue where exported PDF report of the ACC was the incorrect color after upgrading from a PAN-OS 10.1 or later release.
Addressed
11.0.1
PAN-178594
Fixed an issue where the descriptions of options under the set syslogng ssl-conn-validation CLI command were not accurate.
Addressed
11.0.1
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
Addressed
11.0.1
PAN-170414
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple panio commands using extra memory.
Known
11.0.2
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.2
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer. On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
11.0.2
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.2
PAN-242910
On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.0.2
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.2
PAN-231507
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On PA-1400 Series firewalls only, when an HSCI interface is used as an HA2 interface, HA2 packets are intermittently dropped on the passive device, which can cause the HA2 connection to flap due to missing HA2 keepalive messages. Workaround: use data ports configured as HA2 interface.
Known
11.0.2
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
11.0.2
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status as red. This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
11.0.2
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.2
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.2
PAN-225337
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and a vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices: This option pushes all Shared objects, along with device group specific objects, to managed firewalls. This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence: This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific objects. This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.0.2
PAN-223488
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.0.2
PAN-223365
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
11.0.2
PAN-227368
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround:
Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
11.0.2
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
11.0.2
PAN-222253
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.0.2
PAN-221126
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) to forward logs as email notifications are not forwarded in a readable format.
Workaround:
Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
11.0.2
PAN-221015
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.0.2
PAN-220180
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
Configured botnet reports (Monitor > Botnet) are not generated.
Known
11.0.2
PAN-220176
(PAN-OS 11.0.1-h2 hotfix) System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.0.2
PAN-219644
This issue is now resolved. See PAN-OS 11.0.3 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.0.2
PAN-218521
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.0.2
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.0.2
PAN-216314
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the CLI command debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value to zero (0).
Known
11.0.2
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
11.0.2
PAN-213746
On the Panorama management server, the Hostkey displays as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.2
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
11.0.2
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
11.0.2
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.2
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
11.0.2
PAN-207770
Data filtering logs (Monitor > Logs > Data Filtering) incorrectly display the traffic Direction as server-to-client instead of client-to-server for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (Objects > DLP > Data Filtering Patterns) in an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles).
Known
11.0.2
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.2
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new Tag (Panorama > Managed Devices > Summary), the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.2
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.2
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.0.2
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.2
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.2
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
11.0.2
PAN-206416
On the Panorama management server, no data filtering log (Monitor > Logs > Data Filtering) is generated when the managed firewall loses connectivity to the following cloud services, and as a result fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.2
PAN-206315
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show session info CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.2
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.2
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App > Allow with Passcode
  • Allow user to Disable GlobalProtect App > Allow with Passcode
  • Allow User to Uninstall GlobalProtect App > Allow with Password
Known
11.0.2
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.2
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.2
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.0.2
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.2
PAN-196146
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt or user data) when bootstrapped.
Known
11.0.2
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.0.2
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or earlier release back to Panorama and the following error is displayed:
Could not find start token '@start@'
Known
11.0.2
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.0.2
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.2
PAN-193004
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity, which impacts Panorama performance.
Known
11.0.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.0.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.2
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.0.2
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.0.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.0.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.2
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
11.0.2
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.2-h4
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.0.2-h3
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate.
  • Fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.0.2-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.0.2-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.0.2-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.0.2-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.0.2-h2
PAN-230250
Fixed an issue where selected applications serving partial content were dropped when Inline Cloud Analysis in Anti-Spyware was enabled.
Addressed
11.0.2-h2
PAN-223787
(PA-400 Series and PA-1400 Series firewalls only) Fixed an issue where commits failed with the error message Error unserializing profile objects failed to handle CONFIG_UPDATE_START.
Addressed
11.0.2-h2
PAN-222957
Fixed an issue where managed firewalls did not reflect changes pushed by users that were not in a Superuser role.
Addressed
11.0.2-h2
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
11.0.2-h2
PAN-214942
Fixed an issue where SD-WAN traffic failed over to a non-member path after a flap of an SD-WAN virtual interface.
Addressed
11.0.2-h2
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
11.0.2-h1
PAN-225184
Fixed an issue where disk space utilization was higher than expected due to excessive logging for a KNI: Out of memory event under a specific traffic load condition.
Addressed
11.0.2-h1
PAN-222712
(PA-5450 firewalls only) Fixed a low-frequency DPC restart issue.
Addressed
11.0.2-h1
PAN-221984
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
11.0.2-h1
PAN-220921
Fixed an issue where return tunnel traffic was dropped with the counter flow_tunnel_encap_err when Enforce Symmetric Return was enabled in a Policy Based Forwarding rule.
Addressed
11.0.2-h1
PAN-195439
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
11.0.2-h1
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Addressed
11.0.2
PAN-221708
Fixed an issue where temporary files remained under /opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV file to the firewall.
Addressed
11.0.2
PAN-221519
(VM-Series firewalls only) Fixed an issue where the all_task process stopped responding due to DPDK driver compatibility issues.
Addressed
11.0.2
PAN-219686
Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls.
vsys -> vsys1 -> plugins unexpected here
vsys is invalid
Commit failed
Addressed
11.0.2
PAN-218644
Fixed an issue where the firewall generated incorrect VSA attribute codes when RADIUS was configured with EAP-based authentication protocols.
Addressed
11.0.2
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
11.0.2
PAN-218264
(PA-3400 and PA-1400 Series firewalls only) Fixed an issue where packet drops occurred due to slow servicing of internal hardware queries.
Addressed
11.0.2
PAN-217681
Fixed an issue caused by out-of-order TCP segments where the FIN flag and TCP data were truncated in a packet, which resulted in retransmission failure.
Addressed
11.0.2
PAN-217581
Fixed an issue where the firewall did not initiate scheduled log uploads to the FTP server.
Addressed
11.0.2
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
11.0.2
PAN-217484
Fixed an issue where the rasmgr process used 100% CPU due to a maximum duration timer not being set, which caused the GlobalProtect gateway to be unavailable.
Addressed
11.0.2
PAN-217477
Fixed an issue where the drop counter was incremented incorrectly. Drop counter calculations did not account for failures to send out logs from logrcvr/logd to syslog-ng.
Addressed
11.0.2
PAN-217284
Fixed an intermittent issue where LACP flap occurred when the LACP transmission rate was set to Fast.
Addressed
11.0.2
PAN-216996
Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9, multiple User-ID alerts were generated every 10 minutes.
Addressed
11.0.2
PAN-216821
Fixed an issue where the reportd process stopped responding after upgrading an M-200 appliance to PAN-OS 11.0.1.
Addressed
11.0.2
PAN-216710
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected Active-Primary firewall became Active-Secondary.
Addressed
11.0.2
PAN-216590
Fixed an issue where User-ID logs in Panorama displayed incorrect results for the filter not (ugflags has user-group-found).
Addressed
11.0.2
PAN-216360
Fixed an issue on Panorama where No Default Selections under Push to Devices was intermittently deselected after performing a commit operation.
Addressed
11.0.2
PAN-216170
(PA-400 Series firewalls in HA configurations only) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.
Addressed
11.0.2
PAN-216036
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to enter a nonfunctional state.
Addressed
11.0.2
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
11.0.2
PAN-215899
Fixed an issue with Panorama appliances in high availability (HA) configurations where configuration synchronization between the HA peers failed.
Addressed
11.0.2
PAN-215857
Fixed an issue where the option to reboot the entire firewall was visible to vsys admins.
Addressed
11.0.2
PAN-215808
Fixed an issue where after upgrading to PAN-OS 10.1, the log-forwarding rate towards the Syslog server was reduced. The overall log-forwarding rate has also been improved.
Addressed
11.0.2
PAN-215780
Fixed an issue where changes to Zone Protection profiles made via the XML API were not reflected in the Zone Protection configuration.
Addressed
11.0.2
PAN-215778
Fixed an issue where API Get requests for /config timed out due to insufficient buffer size.
Addressed
11.0.2
PAN-215503
Fixed a memory related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
11.0.2
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
11.0.2
PAN-215324
(PA-5400 Series firewalls with Jumbo Frames enabled only) Fixed an issue with CPU throttling and buffer depletion.
Addressed
11.0.2
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
11.0.2
PAN-215125
Fixed an issue where false negatives occurred for some script samples.
Addressed
11.0.2
PAN-214925
Fixed an issue where temporary files remained in their temporary locations even after manually uploading the files to the firewall.
Addressed
11.0.2
PAN-214889
Fixed an issue where commits took longer than expected due to application dependency checks.
Addressed
11.0.2
PAN-214847
Fixed an issue where, when certificate authentication for admin user authentication was enabled, vulnerability scans that used usernames or passwords against the management interface reported a vulnerability due to a missing HSTS header in the Access Denied response page.
Addressed
11.0.2
PAN-214634
Fixed an issue where an elink parser did not work.
Addressed
11.0.2
PAN-214337
Fixed an issue on the firewall related to the gp_broker configuration transform that led to longer commit times.
Addressed
11.0.2
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
11.0.2
PAN-214100
Fixed an issue where selecting a threat name under Threat Monitor displayed the threat ID instead of the threat name.
Addressed
11.0.2
PAN-214037
(PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only) Fixed an issue where firewalls in active/active HA configurations experienced packet drop when running asymmetric traffic.
Addressed
11.0.2
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
11.0.2
PAN-213942
(PA-400 Series firewalls) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.
Addressed
11.0.2
PAN-213932
Fixed an issue where, when an incorrect log filter was configured, the commit did not fail.
Addressed
11.0.2
PAN-213746
Fixed an issue on Panorama where the Hostkey displayed as **undefined** if an SSH Service Profile Hostkey configured in a Template from the Template Stack was overridden.
Addressed
11.0.2
PAN-212848
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message Server error : op command for client dagger timed out as client is not available.
Addressed
11.0.2
PAN-212726
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
11.0.2
PAN-212530
Fixed an issue on log collectors where root partition reached 100% utilization.
Addressed
11.0.2
PAN-212409
Fixed an issue where there were duplicate IPSec Security Associations (SAs) for the same tunnel, gateway, or proxy ID.
Addressed
11.0.2
PAN-211997
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Addressed
11.0.2
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
11.0.2
PAN-211843
Fixed an issue where renaming a Zone Protection profile failed with the error message Obj does not exist.
Addressed
11.0.2
PAN-211602
Fixed an issue where, when viewing a WildFire Analysis Report via the web interface, the detailed log view was not accessible if the browser window was resized.
Addressed
11.0.2
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
11.0.2
PAN-211422
Fixed an issue where the show session packet-buffer-protection buffer-latency CLI command randomly displayed incorrect values.
Addressed
11.0.2
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
11.0.2
PAN-211041
(Panorama virtual appliances only) Fixed an issue where DHCP assigned interfaces did not send ICMP unreachable - Fragmentation needed messages when the received packets were larger than the maximum transmission unit (MTU).
Addressed
11.0.2
PAN-210921
(Panorama appliances in Legacy Mode only) Fixed an issue where Blocked Browsing Summary by Website in the user activity report contained scrambled characters.
Addressed
11.0.2
PAN-210919
Fixed an issue where the Data Processing Card remained in a Starting state after a restart.
Addressed
11.0.2
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
11.0.2
PAN-210736
Fixed an issue where configuration changes related to the SSH service profile were not reflected when pushed from Panorama. With this fix, the deletion of ciphers, MAC, and kex fields of SSH server profiles and HA profiles won't clear the values under template stacks and will retain the values configured from templates.
Addressed
11.0.2
PAN-210661
Fixed an issue where firewalls disconnected from Cortex Data Lake after renewing the device certificate.
Addressed
11.0.2
PAN-210563
Fixed an issue on Panorama where Security policy rules with a Tag target did not appear in the pre-rule list of a dynamic address group that was part of the tag.
Addressed
11.0.2
PAN-209898
Fixed an issue where the logrcvr process stopped due to memory corruption.
Addressed
11.0.2
PAN-209696
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Addressed
11.0.2
PAN-209683
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Addressed
11.0.2
PAN-209660
Fixed an issue where a selective push from Panorama to multiple firewalls failed due to a missing configuration file, which caused a communication error.
Addressed
11.0.2
PAN-209617
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Addressed
11.0.2
PAN-209275
Fixed an issue where Override cookie authentication into the GlobalProtect gateway failed when an allow list was configured under the authentication profile.
Addressed
11.0.2
PAN-209021
Fixed an issue where packets were fragmented when SD-WAN VPN tunnel was configured on aggregate ethernet interfaces and sub-interfaces.
Addressed
11.0.2
PAN-208877
Fixed an issue where the all_task process stopped responding when freeing the HTTP2 stream, which caused the dataplane to go down.
Addressed
11.0.2
PAN-208737
Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.
Addressed
11.0.2
PAN-208325
(PA-5400 Series, PA-3400 Series, and PA-400 Series only) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Addressed
11.0.2
PAN-208201
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Addressed
11.0.2
PAN-207842
Fixed an issue where WildFire Analysis Reports were not visible when the WF-500 appliance was on private cloud.
Addressed
11.0.2
PAN-207741
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error invalid http response. return error(Authentication failed; Retry authentication when the satellite connected to more than one portal.
Addressed
11.0.2
PAN-207700
Fixed an issue where the show system info and show system ztp status CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.
Addressed
11.0.2
PAN-207562
Fixed an issue where the shard count displayed by the show log-collector-es-cluster health CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20 * heap-memory * no-of-data-nodes.
Addressed
11.0.2
PAN-206396
Fixed an issue where HIP report flip and HIP checks failed when a user was part of multiple user groups with different domains.
Addressed
11.0.2
PAN-206333
Fixed an issue where the Include/Exclude IP filter under Data Distribution did not work correctly.
Addressed
11.0.2
PAN-206253
(PA-1400 Series and PA-3400 Series firewalls only) Fixed an issue where the default log rate was too low and the maximum configurable log rate was incorrectly capped, which caused the firewall to not generate logs at more than 6826 logs per second.
Addressed
11.0.2
PAN-205955
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Addressed
11.0.2
PAN-205513
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Addressed
11.0.2
PAN-205086
Fixed an issue where DNS Security categories were able to be deleted from Spyware profiles.
Addressed
11.0.2
PAN-204838
Fixed an issue where the dot1q VLAN tag was missing in ARP reply packets.
Addressed
11.0.2
PAN-204718
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:
Could not chdir to home directory /opt/pancfg/home/user: Permission denied
Addressed
11.0.2
PAN-204238
Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll down arrow for navigation.
Addressed
11.0.2
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
Addressed
11.0.2
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
Addressed
11.0.2
PAN-202963
Fixed an issue where the system log message dsc HA state is changed from 1 to 0 was generated with the severity High. With this fix, the severity was changed to Info.
Addressed
11.0.2
PAN-202795
Fixed an issue where file identification failed with a large HTTP header.
Addressed
11.0.2
PAN-201721
Fixed an issue with firewalls in HA configurations where HA setup generated the error mismatch due to device update during a content update even though the version was the same.
Addressed
11.0.2
PAN-200019
Fixed an issue on Panorama where Virtual Routers (Network > Virtual Routers) was not available when configuring a custom Panorama admin role (Panorama > Admin Roles).
Addressed
11.0.2
PAN-199557
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Addressed
11.0.2
PAN-197121
Fixed an issue where incorrect user details were displayed under the USER DETAIL drop-down (ACC > Network activity > User activity).
Addressed
11.0.2
PAN-196309
(PA-5450 firewalls only) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
Addressed
11.0.2
PAN-195788
Fixed an issue where zip files did not download when applying Security inspection and the following error message displayed: resources-unavailable.
Addressed
11.0.2
PAN-195695
Fixed an issue where the AppScope Summary report and PDF report export function did not work as expected.
Addressed
11.0.2
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
11.0.2
PAN-189666
Fixed an issue where GlobalProtect portal connections failed after random commits when multiple agent configurations were provisioned and configuration selection criteria using certificate profile was used.
Addressed
11.0.2
PAN-187763
Fixed an issue where DNS Security logs did not display a threat category, threat name, or threat ID when domain names contained 64 or more characters.
Addressed
11.0.2
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
Addressed
11.0.2
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Known
11.0.3
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.3
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
11.0.3
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.3
PAN-242910
PAN-OS 11.0.3, 11.0.3-h1, 11.0.3-h3, and 11.0.3-h5
On the Panorama management server, Panorama administrators (Panorama > Administrators) that are assigned a custom Panorama admin role (Panorama > Admin Roles) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.0.3
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
11.0.3
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.3
PAN-238769
FIPS-CC VM only. Upgrading to 10.1.10-h2 or 10.1.11 changes all locally created Security policy actions to Deny. Reload the backup config taken before upgrading, or the last saved version, to restore the previous config. Also, you are unable to log in to FIPS-CC mode devices with default credentials after converting the mode in the 10.1.12, 10.2.7, 11.1.0, 11.1.1, and 11.0.3 releases.
Known
11.0.3
PAN-234929
The tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
11.0.3
PAN-231507
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On PA-1400 Series firewalls only, when an HSCI interface is used as an HA2 interface, HA2 packets are intermittently dropped on the passive device, which can cause the HA2 connection to flap due to missing HA2 keepalive messages. Workaround: use data ports configured as HA2 interface.
Known
11.0.3
PAN-228515
The ElasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server (Monitor > Logs) and the Log Collector health status (Panorama > Managed Collectors > Status) to display as degraded.
Known
11.0.3
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.3
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.3
PAN-225337
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an identical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1.
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object (SharedAO1) in a Shared address group called SharedAG1.
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group (SharedAG1) in a vsys-specific policy rule.
Workaround:
Select Panorama > Setup > Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices: This option pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting that applies to all managed firewalls, and it may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence: This option specifies that when objects have the same name, ancestor objects take precedence over descendant objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.0.3
PAN-233677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls) Enabling the Lockless QoS feature causes a slight, expected degradation in App-ID and Threat performance.
Known
11.0.3
PAN-223365
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector (Panorama > Managed Collector) is degraded.
Workaround:
Log in to the Log Collector CLI and restart ElasticSearch.
admin> debug elasticsearch es-restart all
Known
11.0.3
PAN-227368
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround:
Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
11.0.3
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
11.0.3
PAN-222253
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.0.3
PAN-221015
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.0.3
PAN-220176
(PAN-OS 11.0.1-h2 hotfix) System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.0.3
PAN-218521
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.0.3
PAN-217307
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.0.3
PAN-216314
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the CLI command debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value to zero (0).
Known
11.0.3
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
11.0.3
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.3
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
11.0.3
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
11.0.3
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.3
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
11.0.3
PAN-207770
Data filtering logs (Monitor > Logs > Data Filtering) incorrectly display the traffic Direction as server-to-client instead of client-to-server for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (Objects > DLP > Data Filtering Patterns) in an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles).
Known
11.0.3
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.3
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new Tag (Panorama > Managed Devices > Summary), the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.3
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.3
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.0.3
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.3
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.3
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
11.0.3
PAN-206416
On the Panorama management server, no data filtering log (Monitor > Logs > Data Filtering) is generated when the managed firewall loses connectivity to the following cloud services, and as a result fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.3
PAN-206315
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show session info CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.3
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.3
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App set to Allow with Passcode
  • Allow user to Disable GlobalProtect App set to Allow with Passcode
  • Allow User to Uninstall GlobalProtect App set to Allow with Password
Known
11.0.3
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.3
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.3
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.0.3
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.3
PAN-196146
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt or user data) when bootstrapped.
Known
11.0.3
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.0.3
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or earlier release back to Panorama and the following error is displayed:
Could not find start token '@start@'
Known
11.0.3
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.0.3
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.3
PAN-193004
This issue is now resolved. See PAN-OS 11.0.4 Addressed Issues.
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity, which impacts Panorama performance.
Known
11.0.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.0.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround:
Use Commit > Push to Devices to synchronize the templates.
Known
11.0.3
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.0.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.0.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.3
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
11.0.3
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.3-h12
PAN-253317
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
11.0.3-h12
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the Wildfire Private Cloud due to an Unsupported protocol error.
Addressed
11.0.3-h12
PAN-244648
(PA-5200 Series only) Fixed an issue where the firewall did not boot up after a factory reset, and, with FIPS mode enabled, the firewall rebooted into maintenance mode.
Addressed
11.0.3-h12
PAN-238769
(VM-Series firewalls in FIPS-CC mode only) Fixed an issue where upgrading Panorama caused all locally created Security policy rule actions to Deny.
Addressed
11.0.3-h10
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.0.3-h10
PAN-246707
Fixed an issue where failover was not triggered when multiple processes stopped responding.
Addressed
11.0.3-h10
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
11.0.3-h10
PAN-240347
Fixed an issue with the web interface where the Dashboard and a Device Group policy rule took longer than expected to load.
Addressed
11.0.3-h10
PAN-240166
Fixed an issue where, when explicit proxy was configured on the firewall, websites loaded more slowly than expected or did not load due to DNS using TCP.
Addressed
11.0.3-h10
PAN-239279
Fixed an issue related to web proxy where the masterd process monitoring envoy process memory restarted when it reached an unexpected limit.
Addressed
11.0.3-h10
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.0.3-h5
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
11.0.3-h5
PAN-241772
Fixed an issue where, when TLSv1.3 was used, an incorrect error message (invalid padding) was displayed instead of the expected error message (Invalid server certificate).
Addressed
11.0.3-h5
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
11.0.3-h5
PAN-240487
Fixed an issue where fan speed increased significantly after upgrading the firewall.
Addressed
11.0.3-h5
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.
Addressed
11.0.3-h5
PAN-238996
Fixed an issue where commits did not complete and remained in a pending state due to a race condition. With this fix, the commit will fail after 60 seconds and not remain in a pending state.
Addressed
11.0.3-h5
PAN-238769
(VM-Series firewalls in FIPS-CC mode only) Fixed an issue where upgrading Panorama caused all locally created Security policy rule actions to Deny.
Addressed
11.0.3-h5
PAN-236120
Fixed an issue where the /opt/panlogs partition reached capacity due to the logdb-quota for the User-ID log folder not being matched.
Addressed
11.0.3-h5
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
11.0.3-h5
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use.
Addressed
11.0.3-h5
PAN-231802
Fixed an issue where an Advanced Routing BGP session flapped with commits when BGP peer authentication was enabled.
Addressed
11.0.3-h5
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.0.3-h5
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.
Addressed
11.0.3-h5
PAN-228515
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
11.0.3-h5
PAN-228187
Fixed an issue where the management server restarted due to the virtual memory exceeding the limit.
Addressed
11.0.3-h5
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
11.0.3-h5
PAN-227368
Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds.
Addressed
11.0.3-h5
PAN-223798
Fixed an issue on the firewall where, when Advanced Routing was enabled, PIM join messages were not sent to the RN due to a missing OIF.
Addressed
11.0.3-h5
PAN-223259
Fixed an issue where selective pushes failed with the error message: Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.
Addressed
11.0.3-h5
PAN-220907
(VM-Series firewalls only) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
11.0.3-h5
PAN-220659
Fixed an issue on the firewall where scheduled Antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
11.0.3-h5
PAN-218928
Fixed an issue where the reportd process stopped responding after querying logs or generating ACC reports with some filters.
Addressed
11.0.3-h3
PAN-239769
Fixed an issue where, after object references in a rule were renamed, doing a selective revert of the changes with Commit changes by me caused a reference error.
Addressed
11.0.3-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.0.3-h3
PAN-235476
Fixed an issue where threat logs from different Security zones were aggregated into one log.
Addressed
11.0.3-h3
PAN-233039
Fixed an issue where GENEVE encapsulated packets coming from a GFE Proxy mapped to an incorrect Security policy rule.
Addressed
11.0.3-h3
PAN-231507
(PA-1400 Series firewalls only) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages.
Addressed
11.0.3-h3
PAN-230092
Fixed an issue where the routed process stopped responding when committing routing-related changes if Advanced routing was enabled.
Addressed
11.0.3-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.0.3-h3
PAN-227064
Fixed an issue with high availability (HA) sync failure when performing a partial commit after creating a Security policy via REST API.
Addressed
11.0.3-h3
PAN-226792
Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed.
Addressed
11.0.3-h3
PAN-225886
Fixed an issue where, when explicit proxy mode was enabled for the web proxy, intermittent errors and unexpected TCP reconnections occurred.
Addressed
11.0.3-h3
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
11.0.3-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.0.3-h3
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
11.0.3-h3
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Addressed
11.0.3-h1
PAN-237871
(WF-500 appliances and PAN-DB private cloud deployments only) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.0.3
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
Addressed
11.0.3
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
Addressed
11.0.3
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.
Addressed
11.0.3
PAN-228877
(PA-7050 firewalls only) Fixed an issue with OOM conditions which caused slot restarts due to pan_cmd consuming more than 300 MB.
Addressed
11.0.3
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-based application traffic byte count.
Addressed
11.0.3
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
11.0.3
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
Addressed
11.0.3
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
11.0.3
PAN-226198
Fixed an issue on Panorama where the configd process repeatedly restarted when attempting to make configuration changes.
Addressed
11.0.3
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
Addressed
11.0.3
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
11.0.3
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
Addressed
11.0.3
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
Addressed
11.0.3
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
11.0.3
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
11.0.3
PAN-223501
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
11.0.3
PAN-223488
(M-600 Appliances only) Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
Addressed
11.0.3
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
11.0.3
PAN-223317
Fixed an issue where SSL traffic failed with the error message: Error: General TLS protocol error.
Addressed
11.0.3
PAN-223185
Fixed an issue where the distributord process stopped responding.
Addressed
11.0.3
PAN-222957
Fixed an issue where managed firewalls did not reflect changes pushed by users who were not in a superuser role.
Addressed
11.0.3
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
Addressed
11.0.3
PAN-222533
(VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments) Added support for high availability (HA) link monitoring and path monitoring.
Addressed
11.0.3
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
Addressed
11.0.3
PAN-222162
Fixed an issue where the show transceiver <interface> CLI command showed the RX and TX powers as 0.00 mW.
Addressed
11.0.3
PAN-221984
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
11.0.3
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
Addressed
11.0.3
PAN-221787
Fixed an issue where a User Principal Name (UPN) was incorrectly required in the pre-logon machine certificate.
Addressed
11.0.3
PAN-221647
Fixed an issue where the Apps seen value was not reflected on Panorama.
Addressed
11.0.3
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface was not installed in the routing table even when the tunnel to the branch or hub was active.
Addressed
11.0.3
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when zone protection with Strict IP was enabled and NAT Traversal was applied.
Addressed
11.0.3
PAN-221126
Fixed an issue where logs forwarded as email notifications through Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) were not delivered in a readable format.
Addressed
11.0.3
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.
Addressed
11.0.3
PAN-220899
Fixed an issue where you were unable to choose the manual GlobalProtect gateway.
Addressed
11.0.3
PAN-220747
Fixed an issue where logs were not visible after restarting the log collector.
Addressed
11.0.3
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
Addressed
11.0.3
PAN-220448
Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.
Addressed
11.0.3
PAN-220401
Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.
Addressed
11.0.3
PAN-220281
(PA-7080 firewalls only) Fixed an issue where autocommitting changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
Addressed
11.0.3
PAN-220180
Fixed an issue where configured botnet reports (Monitor > Botnet) were not generated.
Addressed
11.0.3
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multidevice group Validate-all operation.
Addressed
11.0.3
PAN-219659
Fixed an issue where the root partition frequently filled up and the following error message was displayed: Disk usage for / exceeds limit, xx percent in use, cleaning filesystem.
Addressed
11.0.3
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS (Objects > Log Forwarding) used the default Palo Alto Networks certificate instead of the configured custom certificate.
Addressed
11.0.3
PAN-219623
Fixed an issue where, when a multidynamic group validate job was pushed on the firewall, logs displayed Panorama push instead of ValidateAll push.
Addressed
11.0.3
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
Addressed
11.0.3
PAN-219300
Fixed an issue where the task manager displayed only limited data.
Addressed
11.0.3
PAN-219253
Fixed an issue where, after making changes in a template, the Commit and Push option was grayed out.
Addressed
11.0.3
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed: Mismatched public and private keys.
Addressed
11.0.3
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
11.0.3
PAN-218697
Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.
Addressed
11.0.3
PAN-218663 and PAN-181876
A fix was made to address CVE-2024-2433.
Addressed
11.0.3
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
11.0.3
PAN-218340
Fixed an issue where selective pushes to template stack and multi device group pushes caused a buildup of resident memory, which caused the configd process to stop responding.
Addressed
11.0.3
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
Addressed
11.0.3
PAN-218273
Fixed an issue where TCP keepalive packets from the client to the server weren't forwarded when SSL decryption was enabled.
Addressed
11.0.3
PAN-218267
Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected.
Addressed
11.0.3
PAN-218252
Fixed an issue where the slot-1 data processor showed the status as down during an SNMP query.
Addressed
11.0.3
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
11.0.3
PAN-218046
Fixed an issue where the Virtual Routers (Network > Virtual Routers) setting was not available when configuring a custom admin role (Device > Admin Roles).
Addressed
11.0.3
PAN-218001
(PA-400 Series firewalls only) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.
Addressed
11.0.3
PAN-217650
(VM-Series firewalls and Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where management interface Speed/Duplex was reported as unknown.
Addressed
11.0.3
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
11.0.3
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart.
Addressed
11.0.3
PAN-217053
Fixed an issue where the configd process stopped responding after a selective push to multiple device groups failed.
Addressed
11.0.3
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contained the ampersand ( & ) character.
Addressed
11.0.3
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the URL cloud could not be connected.
Addressed
11.0.3
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
Addressed
11.0.3
PAN-216214
(Panorama managed firewalls in active/active HA configurations only) Fixed an issue where the HA status displayed as Out of Sync (Panorama > Managed Devices > Health) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
11.0.3
PAN-216048
Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message: hip profiles unexpected here.
Addressed
11.0.3
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message INVALID_SPI, which resulted in temporary loss of traffic over some proxy IDs.
Addressed
11.0.3
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
Addressed
11.0.3
PAN-215338
(PA-5400 Series firewalls only) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.
Addressed
11.0.3
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message: comm exited with signal of 10.
Addressed
11.0.3
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the Commit and Push or Push to Devices operation window to hang for several minutes.
Addressed
11.0.3
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
11.0.3
PAN-214987
Fixed an issue where Application Filter names were not random, and they matched or included internal protocol names.
Addressed
11.0.3
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
11.0.3
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
Addressed
11.0.3
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
Addressed
11.0.3
PAN-214463
Fixed an issue where IKE re-key negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message: unexpected critical payload (type 43).
Addressed
11.0.3
PAN-214201
Fixed an issue where, after exporting custom reports to CSV format, the letter b appeared at the beginning of each column.
Addressed
11.0.3
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
Addressed
11.0.3
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
11.0.3
PAN-213296
Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.
Addressed
11.0.3
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
Addressed
11.0.3
PAN-213112
Fixed an issue where executing the show report directory-listing CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
Addressed
11.0.3
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
Addressed
11.0.3
PAN-212726
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
Addressed
11.0.3
PAN-212577
(PA-5200 Series and PA-7080 firewalls only) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
Addressed
11.0.3
PAN-212240
Fixed an issue where packet capture was logged for an unknown application session when packet capture logging was disabled.
Addressed
11.0.3
PAN-212057
Fixed an issue where Advanced Threat Prevention caused SSL delays when no URL licenses were present.
Addressed
11.0.3
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Addressed
11.0.3
PAN-211398
Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.
Addressed
11.0.3
PAN-211384
Fixed an issue where the size of the redisthost_1 in the Redis database continuously increased, which caused an OOM condition.
Addressed
11.0.3
PAN-210640
Fixed an issue where applications were not displayed after authenticating into the clientless VPN.
Addressed
11.0.3
PAN-210502
Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.
Addressed
11.0.3
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
Addressed
11.0.3
PAN-210452
Fixed an issue where application packet capture (pcap) was not generated when Security policy rules were used as a filter.
Addressed
11.0.3
PAN-210429
(VM-Series firewalls only) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
11.0.3
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
Addressed
11.0.3
PAN-209585
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, lockless QoS dedicates cores to the QoS function, which improves QoS performance and results in improved throughput and latency.
Addressed
11.0.3
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
Addressed
11.0.3
PAN-209288
Fixed an issue where generating certificates with SCEP did not work.
Addressed
11.0.3
PAN-209172
Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.
Addressed
11.0.3
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
Addressed
11.0.3
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
11.0.3
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
Addressed
11.0.3
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message User is not in allowlist when an authentication profile was created in a shared configuration space.
Addressed
11.0.3
PAN-208316
Fixed an issue where user-group names were unable to be configured as the source user via the test security-policy-match command.
Addressed
11.0.3
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
11.0.3
PAN-208198
Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.
Addressed
11.0.3
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the fields Source and Destination IP.
Addressed
11.0.3
PAN-207604
Fixed an issue where system logs continuously generated the log message Not enough space to load content to SHM.
Addressed
11.0.3
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Addressed
11.0.3
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
Addressed
11.0.3
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
Addressed
11.0.3
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
11.0.3
PAN-204718
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt: Could not chdir to home directory /opt/pancfg/home/user: Permission denied.
Addressed
11.0.3
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
Addressed
11.0.3
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
Addressed
11.0.3
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Addressed
11.0.3
PAN-199819
Fixed an issue where, if a decryption profile allowed TLSv1.3, but the server only supported TLSv1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.
Addressed
11.0.3
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
Addressed
11.0.3
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window (Policies > Security > Prerules).
Addressed
11.0.3
PAN-198050
Fixed an issue where Connection to update server is successful messages displayed even when connections failed.
Addressed
11.0.3
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
Addressed
11.0.3
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Addressed
11.0.3
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
Addressed
11.0.3
PAN-187989
Fixed an issue where a user who did not have permissions for other access domains was able to view the commit and configuration lock.
Addressed
11.0.3
PAN-185360
Fixed an issue where, when Authentication Portal Authentication was configured, l3svc_ngx_error.log and l3svc_access.log did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.
Addressed
11.0.3
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
11.0.3
PAN-177227
(VM-Series firewalls on Amazon Web Services environments only) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.
Addressed
11.0.3
PAN-169586
Fixed an issue where scheduled log view reports in emails did not match the monitor page query result for the same time interval.
Addressed
11.0.3
PAN-160633
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.
Known
11.0.4
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.4
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.4
PAN-252744
After upgrading PA-3200 Series, PA-5200 Series, or PA-7000 Series firewalls that are equipped with OCTEON 7x00 dataplane chips to PAN-OS 11.0.4 or 11.0.4-h1, the firewall might see continuous crashes, reboot repeatedly, and/or go into a non-functional state.
Workaround:
If you have already upgraded to one of those releases, downgrade to an earlier release or upgrade to PAN-OS 11.0.4-h2.
Known
11.0.4
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.4
PAN-234929
The tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
11.0.4
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.4
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.4
PAN-233677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls) Enabling the Lockless QoS feature causes a slight, expected degradation in App-ID and Threat performance.
Known
11.0.4
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
11.0.4
PAN-222253
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.0.4
PAN-220176
(PAN-OS 11.0.1-h2 hotfix) System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.0.4
PAN-218521
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.0.4
PAN-216314
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the CLI command debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value to zero (0).
Known
11.0.4
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
11.0.4
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.4
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected
Known
11.0.4
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
11.0.4
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.4
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
11.0.4
PAN-207770
Data filtering logs (Monitor > Logs > Data Filtering) incorrectly display the traffic Direction as server-to-client instead of client-to-server for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (Objects > DLP > Data Filtering Patterns) in an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles).
Known
11.0.4
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.4
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new Tag (Panorama > Managed Devices > Summary), the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.4
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.4
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and then Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.0.4
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.4
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.4
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama:
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process:
    admin> debug software restart process management-server
Known
11.0.4
PAN-206416
On the Panorama management server, no data filtering log (Monitor > Logs > Data Filtering) is generated when the managed firewall loses connectivity to the following cloud services, and as a result fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.4
PAN-206315
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show session info CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.4
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.4
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
11.0.4
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.4
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.4
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.0.4
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.4
PAN-196146
This issue is now resolved. See PAN-OS 11.0.5 Addressed Issues.
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cfg.txt or user data) when bootstrapped.
Known
11.0.4
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.0.4
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or an earlier release back to Panorama, and the following error is displayed:
Could not find start token '@start@'
Known
11.0.4
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.0.4
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.0.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.4
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.0.4
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.0.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.0.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.4
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
11.0.4
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.4-h2
PAN-252744
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls) Fixed an issue where upgrading the firewall to PAN-OS 11.0.4 or PAN-OS 11.0.4-h1 caused the firewall to go into a non-functional state.
Addressed
11.0.4-h1
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.0.4
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
11.0.4
PAN-249808
Fixed an issue where the configd process stopped responding when performing multidevice group pushes via XML API.
Addressed
11.0.4
PAN-246707
Fixed an issue where failover was not triggered when multiple processes stopped responding.
Addressed
11.0.4
PAN-245701
Fixed an issue where the values returned in response to SNMP requests for data port statistics were incorrect.
Addressed
11.0.4
PAN-245690
Fixed an issue where the managed collectors health status on Panorama displayed as empty.
Addressed
11.0.4
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
11.0.4
PAN-243951
Fixed an issue on Panorama appliances in active/passive HA configurations where managed devices displayed as out-of-sync on the passive appliance when peer configuration changes were made to the SD-WAN configuration on the active peer.
Addressed
11.0.4
PAN-242910
Fixed an issue where a non-Superuser with a custom admin role was unable to push to firewalls.
Addressed
11.0.4
PAN-242627
Fixed an issue where selective push did not work.
Addressed
11.0.4
PAN-242519
Fixed an issue where scheduled email reports failed if the @ symbol before the mail client was missing.
Addressed
11.0.4
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
11.0.4
PAN-241164
(PA-410 firewalls only) Fixed an issue where system and configuration logs sent from the firewall to Panorama contained the serial number field instead of the firewall device name.
Addressed
11.0.4
PAN-241141
Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.
Addressed
11.0.4
PAN-240618
Fixed an issue where configuration commits were successful even when dynamic peer IKE gateways configured on the same interface and IP address did not have the same IKE Crypto profile.
Addressed
11.0.4
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
11.0.4
PAN-240487
Fixed an issue where fan speed increased significantly after upgrading the firewall.
Addressed
11.0.4
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
11.0.4
PAN-240225
Fixed an issue where authentication failed on web-based GlobalProtect portal.
Addressed
11.0.4
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.
Addressed
11.0.4
PAN-240166
Fixed an issue where, when explicit proxy was configured on the firewall, websites loaded more slowly than expected or did not load due to DNS using TCP.
Addressed
11.0.4
PAN-239776
Fixed an issue where Panorama went into maintenance mode due to a GlobalProtect quota configuration that was under the minimum required quota.
Addressed
11.0.4
PAN-239722
Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.
Addressed
11.0.4
PAN-239279
Fixed an issue where the SWG proxy did not accept new connections.
Addressed
11.0.4
PAN-239256
Fixed an issue where ARP entries were unable to be completed for subinterfaces with SNAT configured.
Addressed
11.0.4
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
11.0.4
PAN-239200
Fixed an issue where the following Prisma Access SWG proxy upstream error was displayed when you attempted to access the proxy: disconnect / reset before headers: reset reason: overflow.
Addressed
11.0.4
PAN-239144
Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.
Addressed
11.0.4
PAN-238949
Fixed a memory corruption issue where multiple processes stopped responding.
Addressed
11.0.4
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
11.0.4
PAN-238621
Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.
Addressed
11.0.4
PAN-238586
Fixed an issue where DNS resolution failure from the LFC resulted in WildFire public cloud connectivity failure.
Addressed
11.0.4
PAN-238562
Fixed an issue where log collectors stopped responding when gathering reports from Panorama.
Addressed
11.0.4
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
11.0.4
PAN-237993
Fixed an issue where Config Push Scheduler > Admin scope changed to an admin ID instead of a 0 value, which caused a scheduled configuration push to work as a Selective push instead of a Full push.
Addressed
11.0.4
PAN-237876
Extended the firewall Panorama root CA certificate, which was previously set to expire on April 7th, 2024.
Addressed
11.0.4
PAN-237678
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall displayed the error message Unable to read QSFP Module ID when the passive link state was set to shutdown.
Addressed
11.0.4
PAN-237562
Fixed an issue where firewalls generated link-change system logs for SFP ports even when no cable was connected to the ports.
Addressed
11.0.4
PAN-237537
Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.
Addressed
11.0.4
PAN-237478
Fixed an issue where the Traffic log displayed 0 bytes for denied sessions.
Addressed
11.0.4
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
11.0.4
PAN-237369
(PA-1420 firewalls only) Fixed an issue where the all_task process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.0.4
PAN-236802
Fixed an issue on firewalls in HA configurations where unexpected failovers occurred.
Addressed
11.0.4
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
11.0.4
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
11.0.4
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
11.0.4
PAN-235628
Fixed an issue where you were not prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with single sign-on (SSO) and Single Log Out (SLO).
Addressed
11.0.4
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
11.0.4
PAN-235476
Fixed an issue where Threat logs from different Security zones were aggregated into one log.
Addressed
11.0.4
PAN-235385
Enhanced wifclient cloud connectivity redundancy.
Addressed
11.0.4
PAN-235168
Fixed an issue where disk space became full even after clearing old logs and content images.
Addressed
11.0.4
PAN-235081
(VM-Series firewalls only) Fixed an issue where the firewall sent packets to its own interface after configuring NAT64.
Addressed
11.0.4
PAN-234977
Fixed an issue where, when a Layer 2 interface that was a member of a VLAN was down, all traffic transmitted over the VLAN was dropped.
Addressed
11.0.4
PAN-234459
Fixed an issue with the firewall web interface where local SSL decryption exclusion cache entries were not visible.
Addressed
11.0.4
PAN-234290
Fixed an issue where the firewall displayed incorrect interface transfer rates when running the CLI command show system state filter-pretty sys.s1.px with a filter.
Addressed
11.0.4
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit.
Addressed
11.0.4
PAN-234238
Fixed an issue where a Security policy that referenced more than 30 HIP Profiles caused a buffer overflow, which caused other Security policies with HIP Profiles to misidentify users, so their traffic was denied.
Addressed
11.0.4
PAN-234190
Fixed an issue where the firewall incorrectly blocked URLs even when they matched the custom category.
Addressed
11.0.4
PAN-234031
Fixed an issue on multi-core firewalls where the firewall displayed packets out of order when capturing packets on the transmit stage.
Addressed
11.0.4
PAN-233957
(PA-5450 firewalls only) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.
Addressed
11.0.4
PAN-233833
Fixed an issue where enabling Jumbo frames resulted in software packet buffer depletion.
Addressed
11.0.4
PAN-233789
Fixed an issue with push and commit-and-push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
11.0.4
PAN-233780
(VM-100 firewalls only) Fixed an issue where commits failed due to the configuration memory limit.
Addressed
11.0.4
PAN-233764
Fixed an issue where commits failed due to large inbound inspection certificates that exceeded the buffer size of 4,096 bytes.
Addressed
11.0.4
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
11.0.4
PAN-233517
Fixed an issue on Panorama where managed device templates and device groups took longer than expected to display in the Push to Devices window.
Addressed
11.0.4
PAN-233463
Fixed an issue where the X-Forwarded-For (XFF) IP address value was not displayed in Traffic logs.
Addressed
11.0.4
PAN-233390
Fixed an issue where the exclude-cache reason was incorrectly presented as TLS13_UNSUPPORTED instead of SSL_CLIENT_CERT.
Addressed
11.0.4
PAN-233191
(PA-5450 firewalls only) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
11.0.4
PAN-233039
Fixed an issue where GENEVE encapsulated packets coming from a GFE Proxy mapped to an incorrect Security policy rule.
Addressed
11.0.4
PAN-232953
Fixed an issue where you were able to cancel the same commit repeatedly, which displayed the error message Cannot stop job <job> at this time.
Addressed
11.0.4
PAN-232924
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall was unable to retrieve SDB data for locally inserted SFP transceivers.
Addressed
11.0.4
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use.
Addressed
11.0.4
PAN-232377
Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.
Addressed
11.0.4
PAN-232358
(PA-5450 firewalls only) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
11.0.4
PAN-232290
(PA-5200 Series firewalls only) Fixed an issue where the First Packet Processor (FPP) did not acknowledge a query to find the owner for fragmented packets, tunnel packets, and other scenarios when the packet slot and dataplane owner was unknown.
Addressed
11.0.4
PAN-232250
Fixed an issue where, when SSH service profiles for management access were set to None, the reported output was incorrect.
Addressed
11.0.4
PAN-232132
Fixed an issue where DNS response packets were malformed when an antispyware Security Profile was enabled.
Addressed
11.0.4
PAN-231698
Fixed an issue where you were unable to set the Dynamic Updates schedule threshold to an empty value.
Addressed
11.0.4
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
11.0.4
PAN-231507
(PA-1400 Series firewalls only) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages.
Addressed
11.0.4
PAN-231480
Fixed an issue where the firewall CLI output for GlobalProtect log quota settings did not match the settings configured on the Panorama web interface.
Addressed
11.0.4
PAN-231459
(PA-5450 firewalls only) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.
Addressed
11.0.4
PAN-231395
Fixed an intermittent issue where the OCSP query failed.
Addressed
11.0.4
PAN-231329
Fixed an issue where the logrcvr process stopped responding due to a corrupt log in the forwarding pipeline.
Addressed
11.0.4
PAN-231295
Fixed an issue where the logrcvr process stopped when running the hints-max CLI command.
Addressed
11.0.4
PAN-231169
(PA-220 firewalls only) Fixed an issue where an unused plugin incorrectly used memory.
Addressed
11.0.4
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
11.0.4
PAN-230813
Fixed an issue where a flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START.
Addressed
11.0.4
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.0.4
PAN-230656
(Firewalls in HA configurations only) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
11.0.4
PAN-230377
Fixed an issue where FEC support was not enabled by default for PAN-25G-SFP28-LR modules.
Addressed
11.0.4
PAN-230363
(PA-7050 firewalls with SMC-B only) Fixed an issue where the management interface was reported as up even when MGT-A and MGT-B were both down.
Addressed
11.0.4
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
11.0.4
PAN-230359
Fixed an issue where SAML authentication failed with the error message Failed to verify signature against certificate when ds:KeyName was in the IdP metadata.
Addressed
11.0.4
PAN-230198
Fixed an issue where URL logs were duplicated on Cortex Data Lake.
Addressed
11.0.4
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
11.0.4
PAN-230092
Fixed an issue where the routed process stopped responding when committing routing-related changes if Advanced routing was enabled.
Addressed
11.0.4
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
11.0.4
PAN-229952
Fixed an issue where the print PDF option did not work (Panorama > Managed Devices > Health).
Addressed
11.0.4
PAN-229950
Fixed an issue where custom response pages for the GlobalProtect login page did not load and displayed a 404 Not Found error.
Addressed
11.0.4
PAN-229874
Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.
Addressed
11.0.4
PAN-229873
(PA-7050 firewalls only) Fixed an issue related to brdagent process errors.
Addressed
11.0.4
PAN-229866
Fixed an issue where the reportd process stopped responding.
Addressed
11.0.4
PAN-229824
Fixed an issue where Device History was not visible under Managed Devices Summary.
Addressed
11.0.4
PAN-229606
Fixed an issue where the brdagent process stopped responding after an upgrade due to initialization failure.
Addressed
11.0.4
PAN-229398
Fixed an issue where the Management Processor Card (MPC) stopped responding.
Addressed
11.0.4
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a nonzero packet count.
Addressed
11.0.4
PAN-229307
Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.
Addressed
11.0.4
PAN-229115
Fixed an issue on the web interface where the screen was blank after logging in to Panorama.
Addressed
11.0.4
PAN-229080
Fixed an issue where the new management IP address on the interface did not take effect.
Addressed
11.0.4
PAN-229072
Fixed an issue where GlobalProtect did not automatically connect to an internal gateway after an endpoint was woken.
Addressed
11.0.4
PAN-229069
Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.
Addressed
11.0.4
PAN-228998
Fixed an issue where multiple license status checks caused an internal process to stop responding.
Addressed
11.0.4
PAN-228775
Fixed an issue where the CLI command show bonjour interface did not display any output.
Addressed
11.0.4
PAN-228457
(PA-7000 firewalls only) Fixed an issue where the GTP logs forwarded from the firewall to the log collector did not include the pcap.
Addressed
11.0.4
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
11.0.4
PAN-228342
Fixed an issue where objects in the running configuration appeared to be deleted under the push scope preview.
Addressed
11.0.4
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
11.0.4
PAN-228277
Fixed an issue where commits took longer than expected.
Addressed
11.0.4
PAN-227998
Fixed an issue where the zebra process stopped responding due to memory corruption.
Addressed
11.0.4
PAN-227939
Fixed an issue where the all_task process stopped responding due to high wifclient memory usage, which caused the firewall to reboot.
Addressed
11.0.4
PAN-227887
Fixed an issue where IP address checksums were calculated incorrectly.
Addressed
11.0.4
PAN-227804
Fixed an issue where memory corruption caused the comm process to stop responding.
Addressed
11.0.4
PAN-227774
Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr.
Addressed
11.0.4
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
11.0.4
PAN-227522
Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.
Addressed
11.0.4
PAN-227517
Fixed an issue related to the IPv6 character limit for the source address in static route path monitoring.
Addressed
11.0.4
PAN-227510
Fixed an issue where the error message Failed to establish GRPC connection to UrlCat service: failed to start grpc connection was displayed in the system log when the Advanced URL Filtering license was applied but not configured.
Addressed
11.0.4
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
11.0.4
PAN-227368
Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds.
Addressed
11.0.4
PAN-227344
Fixed an issue on Panorama where PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) displayed no data and were blank when predefined widgets were included in the summary report.
Addressed
11.0.4
PAN-227305
Fixed an issue where SCEP certificate generation failed when a service route was used to reach the SCEP server.
Addressed
11.0.4
PAN-227064
Fixed an issue with high availability (HA) sync failure when performing a partial commit after creating a Security policy via REST API.
Addressed
11.0.4
PAN-227058
Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.
Addressed
11.0.4
PAN-226923
Fixed an issue where an extra tab was displayed under Device > Setup when using Simplified Chinese.
Addressed
11.0.4
PAN-226860
Fixed an issue where macOS X-Auth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 re-key event.
Addressed
11.0.4
PAN-226768
Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message User is not in allow list. This occurred when the app was restarted or when the app attempted to reconnect after disconnection.
Addressed
11.0.4
PAN-226626
Fixed an issue where the firewall generated numerous logrcvr error messages related to NetFlow.
Addressed
11.0.4
PAN-226470
Fixed an issue where previewing changes for selective admins took longer than expected or displayed the error message commands succeeded with no output.
Addressed
11.0.4
PAN-226128
Fixed an issue where selective push failed on Panorama after deleting shared objects that were referenced in multi-device group environments with the error message: Schema validation failed. Please try a full push.
Addressed
11.0.4
PAN-226021
Fixed an issue where content push operations failed for the URL category Scanning Activity.
Addressed
11.0.4
PAN-225975
Fixed an issue where the CLI command show system disk details was not available.
Addressed
11.0.4
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
11.0.4
PAN-225337
Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls failed.
Addressed
11.0.4
PAN-225203
Fixed an issue where the Log Forwarding Card (LFC) did not honor the negotiated MSS on the logging connection.
Addressed
11.0.4
PAN-225110
Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall processes were manually restarted or the firewalls were rebooted.
Addressed
11.0.4
PAN-225094
Fixed an issue where performing a commit operation failed and the following error message was displayed: failed to handle CUSTOM_UPDATE.
Addressed
11.0.4
PAN-225090
Fixed an issue on Panorama where Commit and Push was grayed out when making changes to a template or device group.
Addressed
11.0.4
PAN-225082
Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.
Addressed
11.0.4
PAN-225013
(PA-5450 firewalls only) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was on Slot 2 instead of a DPC.
Addressed
11.0.4
PAN-224955
Fixed an issue where the devsrvr process stopped responding when Zone Protection had more than 255 profiles.
Addressed
11.0.4
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
11.0.4
PAN-224938
Fixed an issue where the CLI command settings for set system setting logging max-log-rate did not persist after a mgmtsrvr process restart.
Addressed
11.0.4
PAN-224882
Fixed an issue where the session end reason was incorrectly logged as decrypt-cert-validation for allowed sessions when the decryption profile was configured for a no-decrypt policy.
Addressed
11.0.4
PAN-224788
Fixed an issue where Power Supplies was not present in the show system environmentals CLI command output.
Addressed
11.0.4
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
11.0.4
PAN-224656
Fixed an issue where the devsrvr process caused delays when Dynamic Address Groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.
Addressed
11.0.4
PAN-224500
Fixed an issue where IPv6 addresses in XFF were displayed in Traffic logs.
Addressed
11.0.4
PAN-224424
(PA-3440 firewalls only) Fixed an issue where you were unable to set the link speed as 25Gbps from the drop-down in the template for Ethernet ports 1/23 through 1/26.
Addressed
11.0.4
PAN-224405
Fixed an issue where the distributord process repeatedly stopped responding.
Addressed
11.0.4
PAN-224404
Fixed an issue where a memory leak caused decryption failures when SSL Forward Proxy was configured.
Addressed
11.0.4
PAN-224365
Fixed an issue where excessive network path monitoring messages were generated in the system logs.
Addressed
11.0.4
PAN-224354
Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.
Addressed
11.0.4
PAN-224067
Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.
Addressed
11.0.4
PAN-223914
Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.
Addressed
11.0.4
PAN-223856
(PA-800 Series firewalls only) Fixed an issue where the GlobalProtect SSL tunnel failed.
Addressed
11.0.4
PAN-223855
Fixed an issue where the show running ippool CLI command output displayed incorrect used and available NAT IP address pools on DIPP NAT policy rules in multidataplane firewalls.
Addressed
11.0.4
PAN-223798
Fixed an issue on the firewall where, when Advanced Routing was enabled, PIM join messages were not sent to the RN due to a missing OIF.
Addressed
11.0.4
PAN-223559
Fixed an issue where unexpected characters appeared in the text of GlobalProtect application authentication prompts when the GlobalProtect portal or gateway had a RADIUS authentication profile.
Addressed
11.0.4
PAN-223796
(PA-7000 Series firewalls with Log Forwarding Cards (LFC) only) Fixed an issue where multiple OOM conditions occurred which caused a system restart.
Addressed
11.0.4
PAN-223481
(PA-5450 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was on PAN-OS 10.1.9-h3 or a later release.
Addressed
11.0.4
PAN-223432
Fixed an issue where SSL decryption for HTTP/2 sessions failed when enabling Send handshake messages to CTD for inspection (Device > Setup > Session > Decryption Settings > SSL Decryption Settings).
Addressed
11.0.4
PAN-223365
Fixed an issue where Panorama was unable to query any logs if the Elasticsearch health status for any log collector was degraded.
Addressed
11.0.4
PAN-223271
Fixed an issue where the file transfer of large zipped and compressed files had the App-ID unknown-tcp.
Addressed
11.0.4
PAN-223263
Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.
Addressed
11.0.4
PAN-223259
Fixed an issue where selective pushes failed with the error message Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.
Addressed
11.0.4
PAN-223172
Fixed an issue on Panorama where host IDs manually added to the device quarantine list were unexpectedly removed.
Addressed
11.0.4
PAN-223094
Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.
Addressed
11.0.4
PAN-222662
Fixed an issue where the CLI command debug log-card-interface pint slot <x> host <host> did not return any information when attempting to ping the Log Forwarding Card (LFC).
Addressed
11.0.4
PAN-222586
(PA-5410, PA-5420, and PA-5430 firewalls only) Fixed an issue where Filter drop-downs, Forward Method, and Correlation log settings (Device > Log Settings > Correlation) were not displayed.
Addressed
11.0.4
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
11.0.4
PAN-222089
Fixed an issue where you were unable to context switch from Panorama to the managed device.
Addressed
11.0.4
PAN-221973
Fixed an issue where the same user connected to multiple SSL VPN connections and one of the sessions stopped working.
Addressed
11.0.4
PAN-221938
Fixed an issue with network packet broker sessions where the broker session and primary session timeouts were out of sync, which caused traffic drops if the broker session timed out when the primary session was still active.
Addressed
11.0.4
PAN-221897
Fixed an issue where duplicate entries were not detected during commits, which caused routing engine failure.
Addressed
11.0.4
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
11.0.4
PAN-221857
Fixed an issue where users were unable to log in to the GlobalProtect app using SAML authentication after upgrading to PAN-OS 10.2.3-h4, and the GlobalProtect logs displayed the following error message: Username from SAML SSO response is different from the input.
Addressed
11.0.4
PAN-221728
Fixed an issue where selective pushes did not work after upgrading to PAN-OS 10.2.4.
Addressed
11.0.4
PAN-221428
Fixed a memory leak issue where the packet buffer count continuously increased and the firewall required a restart to clear the buffers.
Addressed
11.0.4
PAN-221190
(PA-800 Series firewalls only) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.
Addressed
11.0.4
PAN-221186
Fixed an issue where BGP aggregate routes were not created and discard routes were not installed in the routing table.
Addressed
11.0.4
PAN-221162
Fixed an issue where previewing changes before pushing to devices displayed a pop-up with the message: Command succeeded with no output.
Addressed
11.0.4
PAN-221015
(M-600 Appliances only) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the managed collector ES health status to be downgraded.
Addressed
11.0.4
PAN-220931
(Panorama appliances in FIPS-CC mode only) Fixed an issue where scheduled email reports did not contain PDF attachments.
Addressed
11.0.4
PAN-220907
(VM-Series firewalls only) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
11.0.4
PAN-220881
Fixed an issue where the CLI command show logging-status did not correctly display the last log created and forwarded timestamps.
Addressed
11.0.4
PAN-220659
Fixed an issue on the firewall where scheduled antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
11.0.4
PAN-220619
Fixed an issue where the correct device filter did not apply when filtering Targets and Target/Tags (Device Group > Policies).
Addressed
11.0.4
PAN-220553
Fixed an issue where, after enabling Advanced Routing Engine, the backup default route was not installed in the FIB table if static path monitoring went down.
Addressed
11.0.4
PAN-220500
(PA-5450 and PA-400 firewalls only) Fixed an issue where the request shutdown system CLI command did not completely shut down the system.
Addressed
11.0.4
PAN-220239
Fixed an issue where certificate-based logins to Panorama via the web interface failed.
Addressed
11.0.4
PAN-219851
Fixed an issue where you were unable to export SAML metadata when configuring SAML authentication.
Addressed
11.0.4
PAN-219768
Fixed an issue where you were unable to filter data filtering logs with Threat ID/NAME for custom data patterns created over Panorama.
Addressed
11.0.4
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
11.0.4
PAN-219494
Fixed an issue with the firewall where adding Parent-App under Application Filter for Security policy rules did not add dependent applications.
Addressed
11.0.4
PAN-219415
Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.
Addressed
11.0.4
PAN-219351
Fixed an issue where the all_pktproc process stopped responding during Layer 7 processing.
Addressed
11.0.4
PAN-219260
(M-Series appliances only) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.
Addressed
11.0.4
PAN-219251
Fixed an issue where the ctd_dns_wait_pkt_drop counter increase was greater than expected.
Addressed
11.0.4
PAN-219222
Fixed an issue where spaces in a certificate name caused imports to fail.
Addressed
11.0.4
PAN-219113
Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.
Addressed
11.0.4
PAN-218873
Fixed an issue where a HIP mask was reused when an existing IP address user mapping was updated by a new IP address user mapping that had a different username but the same IP address.
Addressed
11.0.4
PAN-218694
Fixed an issue where SaaS PR was reimported to the shared location and policy objects were not updated with new updates coming from the SaaS cloud.
Addressed
11.0.4
PAN-218659
Fixed an issue where Security zones under Interfaces displayed as none for dynamic group and template admin users in a read-only admin role.
Addressed
11.0.4
PAN-218652
Fixed an issue on Panorama where the HA virtual address was not created for firewalls in active/active HA configurations.
Addressed
11.0.4
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
11.0.4
PAN-218611
Fixed an issue where the device telemetry region was not updated on the firewall when pushed from the Panorama template stack.
Addressed
11.0.4
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
11.0.4
PAN-218352
Fixed an issue where Panorama was slower than expected when WildFire deployment was scheduled every minute to a large number of devices.
Addressed
11.0.4
PAN-218119
Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.
Addressed
11.0.4
PAN-218057
(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failed due to a heartbeat miss.
Addressed
11.0.4
PAN-217728
Fixed an issue where uploading a certificate in a manual configuration option for SafenetHSM failed.
Addressed
11.0.4
PAN-217652
Fixed an issue on Panorama where certificates created on Panorama were not pushed to the firewall with a selective push.
Addressed
11.0.4
PAN-217619
Fixed an issue where supported Bi-DI transceivers were not recognized which caused ports to not come up.
Addressed
11.0.4
PAN-217541
Fixed an issue where the useridd process stopped responding after a restart when HIP redistribution was enabled.
Addressed
11.0.4
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that were not addressed to itself were silently dropped instead of forwarded.
Addressed
11.0.4
PAN-217293
Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.
Addressed
11.0.4
PAN-217289
Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.
Addressed
11.0.4
PAN-217272
Fixed an issue where the DNS proxy log included an excessive number of the following error message: Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers
Addressed
11.0.4
PAN-217241
Fixed an issue where predict session conversion failed for RTP and RTCP traffic.
Addressed
11.0.4
PAN-217205
Fixed an issue where the firewall did not clear port reused sessions for GlobalProtect traffic with proxy fast-session-delete enabled.
Addressed
11.0.4
PAN-217155
Fixed an issue where syncs between Panorama and the Cloud Identity Engine (CIE) caused intermittent slowness when using the web interface due to a large number of groups in the CIE directory.
Addressed
11.0.4
PAN-217123
Fixed an issue where log queries in the yyyy/mm/dd format displayed extra digits for the day and an error was not generated.
Addressed
11.0.4
PAN-217064
Fixed an issue where commits took longer than expected when the DLP plugin was configured.
Addressed
11.0.4
PAN-217024
Fixed an issue where fetching device certificates failed for internal DNS servers with the error message ERROR Error: Could not resolve host: certificate.paloaltonetworks.com.
Addressed
11.0.4
PAN-216647
Fixed an issue where the sysd node was updated at incorrect times.
Addressed
11.0.4
PAN-216230
Fixed an issue where the shard count reached up to 10% over the limit rather than staying under the limit.
Addressed
11.0.4
PAN-216077
A CLI command was added to configure the FEC for PA-5450 breakout ports.
Addressed
11.0.4
PAN-215583
Fixed an issue on firewalls in HA configurations where the primary firewall went into a nonfunctional state due to a timeout in the pan_comm logs during the policy-based forwarding (PBF) parse, which caused an HA failover.
Addressed
11.0.4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.0.4
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor.
Addressed
11.0.4
PAN-214773
Fixed an issue where RTP packets traversing intervsys were dropped on the outgoing vsys.
Addressed
11.0.4
PAN-214760
Fixed an issue where, when a firewall had more than 1,200 logical interfaces, commits failed with the error message: Error pre-installing config failed to handle CONFIG_COMMIT.
Addressed
11.0.4
PAN-214311
Fixed an issue where users were able to add configurations via XML API even when a config lock was in place.
Addressed
11.0.4
PAN-214177
Fixed an issue where template configurations were not properly pushed to the firewall during an export or push of the device configuration bundle.
Addressed
11.0.4
PAN-213949
Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.
Addressed
11.0.4
PAN-213918
Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.
Addressed
11.0.4
PAN-213591
Fixed an issue where Request Categorization Change was not displayed under URL filtering logs when the Advanced URL Filtering license was applied.
Addressed
11.0.4
PAN-213011
Fixed an issue where, when using multi-factor authentication (MFA) with RADIUS OTP, the challenge message Enter Your Microsoft verification code did not appear when accessing the GlobalProtect portal via browser.
Addressed
11.0.4
PAN-212932
Fixed an issue where the firewall went into a restart loop with the following error message: failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB.
Addressed
11.0.4
PAN-212770
Fixed an issue on the firewall where the WildFire file size limit value did not match on the web interface and the CLI.
Addressed
11.0.4
PAN-212580
(PA-7050 firewalls only) Fixed an issue where disk space filled up due to files under /opt/var/s8/lp/log/pan/ not being properly deleted.
Addressed
11.0.4
PAN-212576
Fixed an issue where firewall HA clusters in active/active configurations with Advanced Routing enabled did not reply to ping requests sent to a virtual IP address.
Addressed
11.0.4
PAN-211945
Fixed an issue where URL Filtering system logs showed the error message CURL ERROR: bind failed with errno 124: Address family not supported by protocol even though the PAN-DB cloud was connected.
Addressed
11.0.4
PAN-211827
Fixed an issue where Dynamic Updates failed with the following error message: CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config.
Addressed
11.0.4
PAN-211821
Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) interfaces caused the dataplane to go down.
Addressed
11.0.4
PAN-211255
Fixed an issue where third-party VPNC IPSec clients were disconnected after a few seconds on firewalls in active/active HA configurations.
Addressed
11.0.4
PAN-210354
Fixed an issue where the routedd process stopped responding when executing the show static-route path-monitoring CLI command or when accessing the path monitoring records from the web interface (Network > Virtual Router > More Runtime Stats > Static Routing).
Addressed
11.0.4
PAN-208085
Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked when the same sysd object was handled during the commit.
Addressed
11.0.4
PAN-207616
Fixed an issue on Panorama where, after selecting managed firewalls and creating a new tag, the managed firewalls were automatically unselected and any new tag that was created was applied to the managed firewalls for which you initially created the tag.
Addressed
11.0.4
PAN-207092
Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.
Addressed
11.0.4
PAN-207003
Fixed an issue where the logrcvr process NetFlow buffer was not reset which resulted in duplicate NetFlow records.
Addressed
11.0.4
PAN-206639
Fixed an issue where the LFC and NPC remained stuck during bootup.
Addressed
11.0.4
PAN-206041
(PA-7050 firewalls only) Fixed an issue where the ikemgr process stopped responding.
Addressed
11.0.4
PAN-205041
Fixed an issue where DNS Security cloud service unavailable logs did not indicate the service name, status code, or error message in the DNS proxy log.
Addressed
11.0.4
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
11.0.4
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Addressed
11.0.4
PAN-202008
Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and were not complete.
Addressed
11.0.4
PAN-198043
Fixed a rare issue where a BuildXmlCache job failed on the firewall.
Addressed
11.0.4
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
11.0.4
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a nonreadable format.
Addressed
11.0.4
PAN-196395
(PA-5450 firewalls only) Fixed an issue where the firewall accepted 12 Aggregate Ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
11.0.4
PAN-194912
Fixed an issue where the show applications list CLI command did not return any output.
Addressed
11.0.4
PAN-194006
Fixed an issue on Panorama where Commit Push and Validate Push operations during a Push to Devices did not handle the configuration for shared objects, which resulted in an invalid configuration being pushed.
Addressed
11.0.4
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Addressed
11.0.4
PAN-192188
(PA-5450 firewalls only) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response.
Addressed
11.0.4
PAN-185249
Fixed an issue where Template Stack overrides (Dynamic Updates > App & Threats > Schedule) could not be reverted via the web interface.
Addressed
11.0.4
PAN-182960
Additional error logs were added for an issue where, when multiple Panorama web interface sessions were opened, the active lock did not show up on the web interface for any session.
Addressed
11.0.4
PAN-172600
Fixed an issue where the show rule-hit-count CLI command did not provide all details of the rule from the device group.
Addressed
11.0.4
PAN-171569
Fixed an issue where HIP matches were not recognized in an SSL decryption policy rule.
Known
11.0.5
WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.
Known
11.0.5
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.0.5
PAN-252744
After upgrading PA-3200 Series, PA-5200 Series, or PA-7000 Series firewalls that are equipped with OCTEON 7x00 dataplane chips to PAN-OS 11.0.4 or 11.0.4-h1, the firewall might see continuous crashes, reboot repeatedly, and/or go into a non-functional state.
Workaround:
If you have already upgraded to one of those releases, downgrade to an earlier release or upgrade to PAN-OS 11.0.4-h2.
Known
11.0.5
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.0.5
PAN-234929
The tabs in the ACC, such as Network Activity, Threat Activity, and Blocked Activity, may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
11.0.5
PAN-227344
On the Panorama management server, PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) display no data and are blank when predefined reports are included in the summary report.
Known
11.0.5
PAN-225886
If you enable explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may occur.
Known
11.0.5
PAN-233677
(PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls) When you enable the Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
11.0.5
PAN-222586
On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings (Device > Log Settings) are not displayed and cannot be configured.
Known
11.0.5
PAN-220176
(PAN-OS 11.0.1-h2 hotfix) System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.0.5
PAN-216314
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround:
Run the debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 CLI command to set the value to zero (0).
Known
11.0.5
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings (Device > High Availability) in a template or template stack (Panorama > Templates), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync.
Known
11.0.5
PAN-213746
On the Panorama management server, the Hostkey is displayed as undefined undefined if you override an SSH Service Profile (Device > Certificate Management > SSH Service Profile) Hostkey configured in a Template from the Template Stack.
Known
11.0.5
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list (Monitor > Block IP): show -> dis-block-table is unexpected
Known
11.0.5
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
11.0.5
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor (Monitor > App Scope > Threat Monitor) and the ACC. This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
11.0.5
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile (Panorama > Admin Roles).
Known
11.0.5
PAN-207770
Data filtering logs (Monitor > Logs > Data Filtering) incorrectly display the traffic Direction as server-to-client instead of client-to-server for upload traffic that matches Enterprise data loss prevention (DLP) data patterns (Objects > DLP > Data Filtering Patterns) in an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles).
Known
11.0.5
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.0.5
PAN-207616
On the Panorama management server, after selecting managed firewalls and creating a new Tag (Panorama > Managed Devices > Summary), the managed firewalls are automatically unselected and any new tag created is applied to the managed firewalls for which you initially created the new tag.
Workaround:
Select and then unselect the managed firewalls for which you created a new tag.
Known
11.0.5
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.0.5
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround:
Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.0.5
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.0.5
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.0.5
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama by running admin> show panorama-status and verifying that the Connected status is no.
  2. Restart the mgmtsrvr process by running admin> debug software restart process management-server.
Known
11.0.5
PAN-206416
On the Panorama management server, no data filtering log (Monitor > Logs > Data Filtering) is generated when the managed firewall loses connectivity to the following cloud services and, as a result, fails to forward matched traffic for inspection.
  • DLP cloud service
  • Advanced Threat Protection inline cloud analysis service
  • Advanced URL Filtering cloud service
Known
11.0.5
PAN-206315
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show session info CLI command shows that the passive firewall has packet rate and throughput values. The packet rate and throughput of the passive firewall should be zero since it is not processing traffic.
Known
11.0.5
PAN-205009
(PA-1420 firewall only) In an active/passive high availability (HA) configuration, the show interface all, show high-availability interface ha2, and show high-availability all CLI commands display the HSCI port state as unknown on both the active and passive firewalls.
Known
11.0.5
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
11.0.5
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Known
11.0.5
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.0.5
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.0.5
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
11.0.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.0.5
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.0.5
PAN-195342
On the Panorama management server, Context Switch fails when you try to Context Switch from a managed firewall running PAN-OS 10.1.7 or an earlier release back to Panorama, and the following error is displayed: Could not find start token '@start@'
Known
11.0.5
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.0.5
PAN-194424
(PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround:
Restart the log receiver service by running the following CLI command:
debug software restart process log-receiver
Known
11.0.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.0.5
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.0.5
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround:
Use Commit > Push to Devices to synchronize the templates.
Known
11.0.5
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.0.5
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.0.5
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.0.5
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.0.5
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule (Policies > Security > Application > Value > Show Application Filter).
Known
11.0.5
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.0.5
PAN-255868
(PA-3400 Series firewalls only) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.0.5
PAN-255577
Fixed an issue where push scope changes remained empty and Edit selections > OK did not work for admin-based users after upgrading Panorama.
Addressed
11.0.5
PAN-253317
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
11.0.5
PAN-251563
Added a CPLD enhancement to capture external power issues.
Addressed
11.0.5
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none.
Addressed
11.0.5
PAN-249019
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.0.5
PAN-248427
Fixed an issue where push operations took longer than expected to complete.
Addressed
11.0.5
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
11.0.5
PAN-247403
(Panorama virtual appliances only) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
11.0.5
PAN-246772
Fixed an issue on the firewall where the dataplane went down due to a path monitor failure caused by an OOM condition related to the pan_task process.
Addressed
11.0.5
PAN-246431
Fixed an issue where a Push to Device operation remained at the state None when performing a selective push to device groups and templates that included both connected and disconnected firewalls.
Addressed
11.0.5
PAN-246215
Fixed an issue where the sleep time for a suspended pan_task process caused configuration and policy updates to be blocked.
Addressed
11.0.5
PAN-245850
Fixed an issue on Panorama appliances in active/passive HA configurations where the firewalls entered an HA out-of-sync status and jobs failed on the passive appliance with the error message Could not merged running config from file.
Addressed
11.0.5
PAN-245125
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
11.0.5
PAN-245041
Fixed an issue where the WF-500 appliance returned an error verdict for every sample in FIPS mode.
Addressed
11.0.5
PAN-244907
Fixed an issue where ports did not go down when moving from an active state to a suspended state.
Addressed
11.0.5
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
11.0.5
PAN-244836
A knob was introduced to toggle the default behavior of BGP in the Advanced Routing stack to not suppress duplicate updates. By default, the prefix updates are suppressed for optimization.
Addressed
11.0.5
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
11.0.5
PAN-244622
Fixed an issue where FIB repush did not work with Advanced Routing enabled.
Addressed
11.0.5
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
11.0.5
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
11.0.5
PAN-243463
Fixed an issue where high Enhanced Application log traffic used excess system resources and caused processes to not work.
Addressed
11.0.5
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for the DNS-Base application.
Addressed
11.0.5
PAN-241018
(VM-Series firewalls in Microsoft Azure environments only) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event.
Addressed
11.0.5
PAN-240596
Fixed an issue where all_task stopped responding due to an invalid memory address.
Addressed
11.0.5
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M transceivers to fail to link up on PA-3400 and PA-1400 Series firewalls.
Addressed
11.0.5
PAN-240174
Fixed an issue where, when LSVPN serial numbers and IP address authentication were enabled, IPv6 address ranges and complete IPv6 addresses that were manually added to the IP address allow or exclude list were not usable after a restart of the gp_broker process or the firewall.
Addressed
11.0.5
PAN-239662
Fixed an issue where the NSSA default route from the firewall was not generated for advertisement even though the backbone area default route was advertised during a graceful restart.
Addressed
11.0.5
PAN-239337
Fixed an issue where the log_index was suspended and corrupted BDX files flooded the index_log.
Addressed
11.0.5
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN Ethernet connection state still showed UP/path-monitor due to the Active URL SaaS monitor connection state remaining UP/path-monitor.
Addressed
11.0.5
PAN-238610
Fixed an issue with the Panorama virtual appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses.
Addressed
11.0.5
PAN-238592
(PA-3410 firewalls only) Fixed an issue where the firewall did not boot up after upgrading due to a TPM lockout condition that persisted for over 24 hours.
Addressed
11.0.5
PAN-237991
Fixed an issue where the log collector sent fewer logs than expected to the syslog server.
Addressed
11.0.5
PAN-237657
Fixed an issue with 100% CPU utilization in the varrcvr process that occurred during an incremental WildFire update.
Addressed
11.0.5
PAN-237614
Fixed an issue on Panorama where the request system disk add API command failed.
Addressed
11.0.5
PAN-237208
Fixed an issue where the reportd process stopped and the firewall rebooted.
Addressed
11.0.5
PAN-236261
Fixed an issue where a proxy server was used for external dynamic list communication even when the dataplane interface was configured through service routes.
Addressed
11.0.5
PAN-236244
Fixed an issue where you were unable to select authentication profiles via the web interface.
Addressed
11.0.5
PAN-235807
Fixed an issue where static ND entries were not reachable after a reboot.
Addressed
11.0.5
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation for the length of the predefined signature, which resulted in App-ID not detecting correctly.
Addressed
11.0.5
PAN-234489
Fixed an issue where a User Principal Name (UPN) was incorrectly required in the pre-logon machine certificate.
Addressed
11.0.5
PAN-234169
Fixed an issue where downloading files failed or was slower than expected due to malware scanning even when the session was matched to a Security policy rule with no Anti-Virus profile attached.
Addressed
11.0.5
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
11.0.5
PAN-233207
Fixed an issue where the configd process stopped responding when a partial configuration revert operation was performed.
Addressed
11.0.5
PAN-231439
Fixed an issue where, when a VoIP call using dynamic IP and NAT was put on hold, the audio became one-way due to early termination of NAT ports.
Addressed
11.0.5
PAN-229832
Fixed an intermittent issue where MLAV and URL cloud connectivity were lost.
Addressed
11.0.5
PAN-228624
Fixed an issue where FIB entries were deleted due to a sysd process connection error.
Addressed
11.0.5
PAN-228386
Fixed an issue with session caching where the reportd process stopped responding due to null values.
Addressed
11.0.5
PAN-228043
Fixed an issue on firewalls in active/active HA configurations where packets were dropped during commit operations when forwarding traffic via an HA3 link, when an Aggregate Ethernet interface or data interface was used as the HA3 link.
Addressed
11.0.5
PAN-227641
Fixed an issue where Preview Changes and Change Summary did not open a new window when clicked while saving changes.
Addressed
11.0.5
PAN-227233
Fixed an issue where the combination signature aggregation criteria in a Vulnerability Protection profile was incorrectly blank even though a value was set.
Addressed
11.0.5
PAN-226489
Fixed an issue where Panorama was unable to push scheduled Dynamic Updates to firewalls with the error message Failed to add deploy job. Too many (30) deploy jobs pending for device.
Addressed
11.0.5
PAN-226260
Fixed an issue where support for CBC ciphers with some authentication algorithms was only available in FIPS mode.
Addressed
11.0.5
PAN-226108
Fixed an issue where the masterd process was unable to start or stop the sysd process.
Addressed
11.0.5
PAN-225963
Fixed an issue where the IP address-to-user mapping was not correct.
Addressed
11.0.5
PAN-225228
Fixed an issue where filtering Threat logs using any value under THREAT ID/NAME displayed the error Invalid term.
Addressed
11.0.5
PAN-223418
Fixed an issue where heartbeats to the brdagent process were lost, resulting in the process not responding, which caused the firewall to reboot.
Addressed
11.0.5
PAN-222253
Fixed an issue on Panorama where policy rulebase reordering under View Rulebase by Groups (Policy > <policy-rulebase>) did not persist if you reordered the policy rulebase by dragging and dropping individual policy rules and then moved the entire tag group.
Addressed
11.0.5
PAN-221571
Fixed an issue on the web interface where the Security policy rule hit count remained at 0 for some rules even though the Traffic logs showed live hits.
Addressed
11.0.5
PAN-221041
Fixed an issue where the following error message was seen frequently in the system logs: Clearing snmpd.log due to log overflow.
Addressed
11.0.5
PAN-221003
Fixed an issue where you were unable to uncheck firewalls in HA configurations from the device group when Group HA Peers was enabled.
Addressed
11.0.5
PAN-220640
(PA-220 firewalls only) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
11.0.5
PAN-220601
Fixed an issue with missing logs when one log collector in a log Collector Group became unreachable.
Addressed
11.0.5
PAN-219690
Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.
Addressed
11.0.5
PAN-218521
(M-600 Appliances in Log Collector mode only) Fixed an issue where Panorama continuously rebooted and became unresponsive, which consumed excessive logging disk space and prevented new log ingestion.
Addressed
11.0.5
PAN-218331
Fixed an issue where you were unable to export or download packet captures from the firewall when context switching from Panorama.
Addressed
11.0.5
PAN-217674
Fixed an issue where RADIUS authentication failed when the destination route of the service route was configured with an IPv4 address with more than 14 characters.
Addressed
11.0.5
PAN-217489
Fixed an issue with firewalls in active/passive HA configurations where MAC flapping occurred when the passive firewall was rebooted.
Addressed
11.0.5
PAN-215905
(PA-3400 Series firewalls only) Fixed an issue where silent packet drops were observed on interfaces.
Addressed
11.0.5
PAN-215430
Fixed an issue where dynamic IP address NAT with SIP intermittently failed to convert RTP Predict sessions.
Addressed
11.0.5
PAN-214682
Fixed an issue where the firewall incorrectly encoded the supported_groups extension in the Client Hello when acting as a forward proxy with a decryption profile max version of TLSv1.2.
Addressed
11.0.5
PAN-213173
Fixed an issue where Preview Changes under Scheduled Pushes did not launch the Change Preview window.
Addressed
11.0.5
PAN-212553
Fixed an issue where the ikemgr process stopped responding due to memory corruption, which caused VPN tunnels to go down.
Addressed
11.0.5
PAN-209574
Fixed an issue with HTTP2 traffic where downloading large files did not work when decryption was enabled.
Addressed
11.0.5
PAN-207972
Fixed an issue on the web interface where the BGP routing table did not display advertised routes.
Addressed
11.0.5
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policy rules.
Addressed
11.0.5
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
11.0.5
PAN-196146
(VM-Series firewalls only) Fixed an issue where hostname validation failed due to the firewall not taking the hostname provided in init.cfg.
Addressed
11.0.5
PAN-194968
Fixed an issue on the web interface where Antivirus updates could not be downloaded and installed unless Applications and Threats updates were downloaded and installed first, and the Antivirus content list displayed as blank. The resulting error message from the update server was also not shown in the web interface.
Addressed
11.0.5
PAN-174454
Fixed an issue where the firewall did not fetch group and user membership due to the Okta sync domain not matching the active directory sync domain.
Known
11.1.0
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
Known
11.1.0
PAN-242910
On the Panorama management server, Panorama administrators (
Panorama
Administrators
) that are assigned a custom Panorama admin role (
Panorama
Admin Roles
) with
Push All Changes
enabled are unable to push configuration changes to managed firewalls when
Managed Devices
and
Push For Other Admins
are disabled.
Known
11.1.0
PAN-242561
The GlobalProtect tunnel might disconnect shortly after being established when SSL is used as the transport protocol.
Workaround
: Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
11.1.0
PAN-241041
On the Panorama management server exporting template or template stack variables (
Panorama
Templates
) in CSV format results in an empty CSV file.
Known
11.1.0
PAN-228491
In AWS environments, session failover takes up to 4 minutes.
Known
11.1.0
PAN-225337
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a
    Shared
    and vsys-specific device group configuration object with an identical name. For example, a
    Shared
    address object called
    SharedAO1
    and a vsys-specific address object also called
    SharedAO1
    .
  2. Reference the
    Shared
    object in another
    Shared
    configuration. For example, reference the
    Shared
    address object (
    SharedAO1
    ) in a
    Shared
    address group called
    SharedAG1
    .
  3. Use the
    Shared
    configuration object with the reference in a vsys-specific configuration. For example, reference the
    Shared
    address group (
    SharedAG1
    ) in a vsys-specific policy rule.
Workaround:
Select
Panorama
Setup
Management
and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices
    —This option pushes all
    Shared
    objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence
    —This option specifies that, when objects share a name, ancestor objects take precedence over descendant objects. In this case, the
    Shared
    objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the
    Shared
    SharedAO1
    object was
    10.1.1.1
    and the device group specific
    SharedAO1
    was
    10.2.2.2
    , the
    10.1.1.1
    IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the
Shared
objects in your configuration.
Known
11.1.0
PAN-224502
Autocommit on VM-Series firewalls running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.0
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.1.0
PAN-222253
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.1.0
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This causes the Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
) to be degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
11.1.0
PAN-220577
On firewalls in AWS environments that have both a VM capacity license and a secure web proxy license, enabling the web proxy configuration fails.
Workaround:
Reboot the firewall after the web proxy license is applied.
Known
11.1.0
PAN-220180
Configured botnet reports (
Monitor
Botnet
) are not generated.
Known
11.1.0
PAN-220176
System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.1.0
PAN-219644
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.0
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.1.0
PAN-217307
This issue is now resolved. See
PAN-OS 11.1.3 Addressed Issues
.
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.0
PAN-208794
On firewalls configured as a transparent proxy, transit sessions are not visible until the firewall is rebooted.
Workaround
: Make any minor edit to the virtual router settings and commit again. A change under network/interfaces or network/virtual routers usually clears this issue.
Alternatively, you can reboot the firewall. The issue clears after a reboot performed once the
swg
is set up and configured.
Known
11.1.0
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.0
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.0
PAN-207442
For M-700 appliances in an active/passive high availability (
Panorama
High Availability
) configuration, the
active-primary
HA peer configuration sync to the
secondary-passive
HA peer may fail. When the config sync fails, the job Result shows as
Successful
(
Tasks
), however the sync status on the
Dashboard
displays as
Out of Sync
for both HA peers.
Workaround
: Perform a local commit on the
active-primary
HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the
    active-primary
    HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    .
  3. In the
    active-primary
    HA peer
    Dashboard
    , click
    Sync to Peer
    in the High Availability widget.
Known
11.1.0
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.0
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the
request dhcp client ipv6 release all
CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the
configd
process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection
Status
(
Panorama
Managed Collector
) displaying
connected
and the managed collector
Health
status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the
mgmtsrvr
process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin>
    show panorama-status
    Verify the
    Connected
    status is
    no
    .
  2. Restart the
    mgmtsrvr
    process.
    admin>
    debug software restart process management-server
Known
11.1.0
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
11.1.0
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.0
PAN-197419
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, the power over Ethernet (PoE) ports do not display a
Tag
value.
Known
11.1.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls that use SD-WAN erroneously shows the auto-provisioned SD-WAN BGP configuration as edited or deleted, even though no edits or deletions were made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
11.1.0
PAN-195968
(
PA-1400 Series firewalls only
) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the wording of the error the CLI prints depends on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message does not include the interface name (e.g., ethernet1/4). If no interface type was selected before PoE was configured, the error message includes the interface name.
Known
11.1.0
PAN-194978
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, hovering the mouse over a power over Ethernet (PoE)
Link State
icon does not display link speed and link duplex details.
Known
11.1.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
11.1.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.0
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround
: Use
Commit
Push to Devices
to synchronize the templates.
Known
11.1.0
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit
    .
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
11.1.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.0
PAN-183404
Static IP addresses are not recognized when the "and" operator is used with an IP CIDR range.
Known
11.1.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.0
PAN-164885
On the Panorama management server, pushes to managed firewalls (
Commit
Push to Devices
or
Commit and Push
) may fail when an EDL (
Objects
External Dynamic Lists
) is configured to
Check for updates
every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.0-h3
PAN-252214
A fix was made to address CVE-2024-3400.
Addressed
11.1.0-h2
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate. Fetching device certificates incorrectly failed with the error message
    OTP is not valid
    .
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.1.0-h2
PAN-237876
Extended the firewall Panorama root CA certificate, which was previously set to expire on April 7, 2024.
Addressed
11.1.0-h2
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.1.0-h2
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.1.0-h2
PAN-215576
Fixed an issue where the
userID-Agent
and
TS-Agent
certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.1.0-h1
PAN-237871
(
WF-500 appliances and PAN-DB private cloud deployments only
) Fixed an issue where the
root-cert
was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.1.0
PAN-233557
Fixed an issue where, after using Panorama to configure per-policy persistent DIPP, downgrading the firewall using Panorama, and then upgrading the firewall back to a later PAN-OS release, the global DIPP configuration was not successfully converted back to the per-policy persistent DIPP rules.
Addressed
11.1.0
PAN-227639
Fixed an issue where the
ACC
displayed an incorrect DNS-based application traffic byte count.
Addressed
11.1.0
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
11.1.0
PAN-227368
Fixed an issue where GlobalProtect users could not connect the app to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications when authentication took longer than 20 seconds.
Addressed
11.1.0
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
11.1.0
PAN-226198
Fixed an issue on Panorama where the configd process repeatedly restarted when attempting to make configuration changes.
Addressed
11.1.0
PAN-225920
Fixed an issue where duplicate predict sessions did not release NAT resources.
Addressed
11.1.0
PAN-225886
Fixed an issue where if you enabled explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may have occurred.
Addressed
11.1.0
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
Addressed
11.1.0
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
11.1.0
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
Addressed
11.1.0
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
11.1.0
PAN-221126
Fixed an issue where logs forwarded as email notifications through email server profiles (
Device > Server Profiles > Email and Panorama > Server Profiles > Email
) were not delivered in a readable format.
Addressed
11.1.0
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
11.1.0
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Known
11.1.1
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (
Panorama
Managed Devices
Summary
) display as
out-of-sync
on the passive HA peer when configuration changes are made to the SD-WAN (
Panorama
SD-WAN
) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select
    Panorama
    Managed Devices
    Summary
    and observe that the managed devices are now
    out-of-sync
    .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select
    Commit
    Push to Devices
    and
    Push
    .
Known
11.1.1
PAN-242910
On the Panorama management server, Panorama administrators (
Panorama
Administrators
) that are assigned a custom Panorama admin role (
Panorama
Admin Roles
) with
Push All Changes
enabled are unable to push configuration changes to managed firewalls when
Managed Devices
and
Push For Other Admins
are disabled.
Known
11.1.1
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
11.1.1
PAN-242561
The GlobalProtect tunnel might disconnect shortly after being established when SSL is used as the transport protocol.
Workaround
: Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
11.1.1
PAN-238769
FIPS-CC VM-Series firewalls only. Upgrading to 10.1.10-h2 or 10.1.11 changes the action of all locally created Security policy rules to Deny. Restore the backup configuration saved before the upgrade (or the previous configuration version) to recover the earlier configuration. Also, after converting a device to FIPS-CC mode, logging in with the default credentials fails on the 10.1.12, 10.2.7, 11.1.0, 11.1.1, and 11.0.3 releases.
Known
11.1.1
PAN-241041
On the Panorama management server exporting template or template stack variables (
Panorama
Templates
) in CSV format results in an empty CSV file.
Known
11.1.1
PAN-225337
This issue is now resolved. See
PAN-OS 11.1.2 Addressed Issues
.
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a
    Shared
    and vsys-specific device group configuration object with an identical name. For example, a
    Shared
    address object called
    SharedAO1
    and a vsys-specific address object also called
    SharedAO1
    .
  2. Reference the
    Shared
    object in another
    Shared
    configuration. For example, reference the
    Shared
    address object (
    SharedAO1
    ) in a
    Shared
    address group called
    SharedAG1
    .
  3. Use the
    Shared
    configuration object with the reference in a vsys-specific configuration. For example, reference the
    Shared
    address group (
    SharedAG1
    ) in a vsys-specific policy rule.
Workaround:
Select
Panorama
Setup
Management
and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices
    —This option pushes all
    Shared
    objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence
    —This option specifies that, when objects share a name, ancestor objects take precedence over descendant objects. In this case, the
    Shared
    objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the
    Shared
    SharedAO1
    object was
    10.1.1.1
    and the device group specific
    SharedAO1
    was
    10.2.2.2
    , the
    10.1.1.1
    IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the
Shared
objects in your configuration.
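The precedence rule in the PAN-225337 entries above (listed under both 11.1.0 and 11.1.1) is easier to see with a small model of the object lookup. The Python below is an added example, not Panorama code: it models a Shared > device group > vsys hierarchy with constructed object names and addresses, resolves a Shared address group referenced from a vsys-level rule under both precedence modes, and includes a pre-push check that lists Shared objects a descendant scope redefines while a Shared group still references them, which is the condition that makes the push fail. The scope names `dg-branch` and `vsys1`, the lookup order and the data layout are assumptions of the model, not Panorama internals.

```python
"""Model Panorama object precedence across Shared / device-group / vsys scopes
and flag the same-name collision described in PAN-225337.

Added example, not Panorama code. The hierarchy, object names and IP
addresses are constructed for this example; the two lookup orders mirror
the default (nearest scope wins) and the 'Objects defined in ancestors
will take higher precedence' setting described in the entry above.
"""

# Constructed hierarchy: each scope maps to its parent (None for Shared).
SCOPES = {"shared": None, "dg-branch": "shared", "vsys1": "dg-branch"}

# Constructed objects: scope -> {name: definition}.
# 'address' holds an IP; 'address-group' holds member names to resolve.
OBJECTS = {
    "shared": {
        "SharedAO1": {"type": "address", "value": "10.1.1.1"},
        "SharedAG1": {"type": "address-group", "members": ["SharedAO1"]},
    },
    "dg-branch": {},
    "vsys1": {
        "SharedAO1": {"type": "address", "value": "10.2.2.2"},
    },
}


def ancestors(scope):
    """Return [scope, parent, ..., 'shared'], nearest scope first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPES[scope]
    return chain


def lookup(name, scope, ancestors_win=False):
    """Find `name` as seen from `scope`. By default the nearest (descendant)
    definition wins; with ancestors_win the search starts at Shared."""
    order = ancestors(scope)
    if ancestors_win:
        order = list(reversed(order))
    for s in order:
        if name in OBJECTS.get(s, {}):
            return s, OBJECTS[s][name]
    raise KeyError("%s not visible from %s" % (name, scope))


def resolve_group(name, scope, ancestors_win=False):
    """Expand an address group into IPs, resolving each member from `scope`
    (nested groups are expanded recursively)."""
    _, grp = lookup(name, scope, ancestors_win)
    ips = []
    for member in grp["members"]:
        _, obj = lookup(member, scope, ancestors_win)
        if obj["type"] == "address-group":
            ips.extend(resolve_group(member, scope, ancestors_win))
        else:
            ips.append(obj["value"])
    return ips


def find_shadowed_shared_objects():
    """Pre-push check: (name, scope) pairs where a descendant scope redefines
    a Shared object that a Shared address group still references."""
    shared = OBJECTS["shared"]
    referenced = {m for o in shared.values()
                  if o["type"] == "address-group" for m in o["members"]}
    hits = []
    for scope, objs in OBJECTS.items():
        if scope == "shared":
            continue
        for name in objs:
            if name in shared and name in referenced:
                hits.append((name, scope))
    return hits


if __name__ == "__main__":
    print(find_shadowed_shared_objects())
    print(resolve_group("SharedAG1", "vsys1"))
    print(resolve_group("SharedAG1", "vsys1", ancestors_win=True))
```

With the default order the vsys-level rule that uses SharedAG1 resolves SharedAO1 to the vsys copy (10.2.2.2), while the Shared group itself was defined against the Shared copy; enabling ancestor precedence makes both resolve to 10.1.1.1, which is why the setting removes the conflict. Running the shadowing check against an exported configuration before a push is the cheaper alternative to flipping a global setting.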
Known
11.1.1
PAN-224502
Autocommit on VM-Series firewalls running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.1
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.1.1
PAN-222253
On the Panorama management server, policy rulebase reordering when you
View Rulebase by Groups
(
Policy
<policy-rulebase>
) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.1.1
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the
es-1
and
es-2
ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This causes the Managed Collector
ES
health status (
Panorama
Managed Collectors
Health Status
) to be degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin>
debug elasticsearch es-restart optional all
Known
11.1.1
PAN-220180
Configured botnet reports (
Monitor
Botnet
) are not generated.
Known
11.1.1
PAN-220176
System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.1.1
PAN-219644
Firewalls forwarding logs to a syslog server over TLS (
Objects
Log Forwarding
) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.1
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.1.1
PAN-217307
This issue is now resolved. See
PAN-OS 11.1.3 Addressed Issues
.
The following Security policy rule (
Policies
Security
) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.1
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.1
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.1
PAN-207442
For M-700 appliances in an active/passive high availability (
Panorama
High Availability
) configuration, the
active-primary
HA peer configuration sync to the
secondary-passive
HA peer may fail. When the config sync fails, the job Result shows as
Successful
(
Tasks
), however the sync status on the
Dashboard
displays as
Out of Sync
for both HA peers.
Workaround
: Perform a local commit on the
active-primary
HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the
    active-primary
    HA peer.
  2. Select
    Commit
    and
    Commit to Panorama
    .
  3. In the
    active-primary
    HA peer
    Dashboard
    , click
    Sync to Peer
    in the High Availability widget.
Known
11.1.1
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.1
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the
request dhcp client ipv6 release all
CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.1
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the
configd
process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection
Status
(
Panorama
Managed Collector
) displaying
connected
and the managed collector
Health
status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the
mgmtsrvr
process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin>
    show panorama-status
    Verify the
    Connected
    status is
    no
    .
  2. Restart the
    mgmtsrvr
    process.
    admin>
    debug software restart process management-server
Known
11.1.1
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App
    Allow with Passcode
  • Allow user to Disable GlobalProtect App
    Allow with Passcode
  • Allow User to Uninstall GlobalProtect App
    Allow with Password
Known
11.1.1
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.1
PAN-197419
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, the power over Ethernet (PoE) ports do not display a
Tag
value.
Known
11.1.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls that use SD-WAN erroneously shows the auto-provisioned SD-WAN BGP configuration as edited or deleted, even though no edits or deletions were made, when you
Preview Changes
(
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
).
Known
11.1.1
PAN-195968
(
PA-1400 Series firewalls only
) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the wording of the error the CLI prints depends on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message does not include the interface name (e.g., ethernet1/4). If no interface type was selected before PoE was configured, the error message includes the interface name.
Known
11.1.1
PAN-194978
(
PA-1400 Series firewalls only
) In
Network
Interface
Ethernet
, hovering the mouse over a power over Ethernet (PoE)
Link State
icon does not display link speed and link duplex details.
Known
11.1.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (
Panorama
Managed Devices
Summary
) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select
Commit
Push to Devices
.
Known
11.1.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to
Hold client request for category lookup
and the action set to
Reset-Both
and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.1
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround
: Use
Commit
Push to Devices
to synchronize the templates.
Known
11.1.1
PAN-184708
Scheduled report emails (
Monitor
PDF Reports
Email Scheduler
) are not emailed if:
  • A scheduled report email contains a Report Group (
    Monitor
    PDF Reports
    Report Group
    ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select
    Monitor
    PDF Reports
    Report Groups
    and remove all SaaS Application Usage reports from all Report Groups.
  2. Select
    Monitor
    PDF Reports
    Email Scheduler
    and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select
    Disable
    and click
    OK
    .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit
    .
    (
    Panorama managed firewalls
    ) Select
    Commit
    Commit and Push
Known
11.1.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.1
PAN-183404
Static IP addresses are not recognized when the "and" operator is used with an IP CIDR range.
Known
11.1.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.1
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit > Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and the EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.1-h1
PAN-252214
A fix was made to address CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of PAN-OS.
Addressed
11.1.1
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
11.1.1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate; fetching device certificates failed incorrectly with the error message OTP is not valid.
  • Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.1.1
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
11.1.1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.1.1
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
11.1.1
PAN-235385
Enhanced wifclient cloud connectivity redundancy.
Addressed
11.1.1
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
11.1.1
PAN-233957
(PA-5450 firewalls only) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.
Addressed
11.1.1
PAN-233191
(PA-5450 firewalls only) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
11.1.1
PAN-232358
(PA-5450 firewalls only) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
11.1.1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not use device certificates.
Addressed
11.1.1
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
11.1.1
PAN-231194
Fixed an issue where the firewall was unable to clear hints from the disk.
Addressed
11.1.1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.1.1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Known
11.1.2
PAN-255538
On the PA-455 firewall, the LEDs indicating the link status of Ports 3 and 4 are swapped.
Known
11.1.2
PAN-252085
The PA-450R, PA-450R-5G, and PA-455 firewalls can experience an interruption of traffic when switching the combo port connection from fiber to copper.
Workaround:
With the copper port connected, initiate a soft reboot of the firewall using the following CLI command. After the reboot, the copper port will be able to process traffic.
admin> request restart system
Known
11.1.2
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit > Commit to Panorama to commit the SD-WAN configuration changes on the active HA peer.
     On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the Panorama CLI of the primary (active) HA peer and trigger a manual synchronization to the secondary HA peer.
     admin> request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface, select Commit > Push to Devices, and Push.
Known
11.1.2
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.1.2
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.2
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.1.2
PAN-222253
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.1.2
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.1.2
PAN-220180
Configured botnet reports (Monitor > Botnet) are not generated.
Known
11.1.2
PAN-220176
System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.1.2
PAN-219644
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.2
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.1.2
PAN-217307
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues.
The following Security policy rule (Policies > Security) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.2
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.2
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.2
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit > Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.1.2
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.2
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.2
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
     admin> show panorama-status
     Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
     admin> debug software restart process management-server
Known
11.1.2
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
11.1.2
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.2
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.1.2
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints a different error depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message does not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message includes the interface name.
Known
11.1.2
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.1.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis is bypassed, so the configured Reset-Both action is not applied to that request.
Known
11.1.2
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.1.2
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
     Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
     (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.1.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.1.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.1.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.2
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit > Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, because the commit and the EDL fetch processes overlap. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.2-h4
PAN-252214
A fix was made to address CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of PAN-OS.
Addressed
11.1.2-h4
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none.
Addressed
11.1.2-h4
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
11.1.2-h4
PAN-249931
Fixed an issue where configuration pushes from Panorama on PAN-OS 11.1.1 to a firewall on a PAN-OS 10.2 release failed.
Addressed
11.1.2-h4
PAN-249808
Fixed an issue where the configd process stopped responding when performing multi-device group pushes via XML API.
Addressed
11.1.2-h4
PAN-247403
(VM-Series firewalls only) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
11.1.2-h4
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the WildFire Private Cloud due to an Unsupported protocol error.
Addressed
11.1.2-h4
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
11.1.2-h4
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
11.1.2-h4
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
11.1.2-h4
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for the dns-base application.
Addressed
11.1.2-h4
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
11.1.2-h4
PAN-241141
Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.
Addressed
11.1.2-h4
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M to not be able to link up on PA-3400 and PA-1400 Series firewalls.
Addressed
11.1.2-h4
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
11.1.2-h4
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
11.1.2-h4
PAN-239354
Fixed an issue where DNS resolution was delayed when an Antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
11.1.2-h4
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
11.1.2-h4
PAN-237537
Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.
Addressed
11.1.2-h4
PAN-237208
Fixed an issue where the reportd process stopped and the firewall rebooted.
Addressed
11.1.2-h4
PAN-233789
Fixed an issue with push and commit and push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
11.1.2-h4
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
11.1.2-h4
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
11.1.2-h4
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
11.1.2-h4
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the
Policy
page more slowly than expected.
Addressed
11.1.2-h4
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Addressed
11.1.2-h3
PAN-252214
A fix was made to address CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of PAN-OS.
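This page lists the PAN-252214 fix for CVE-2024-3400 on the 11.1 train in 11.1.1-h1 and 11.1.2-h3 (and carried in 11.1.2-h4), so a fleet check cannot compare dotted versions alone: 11.1.2 is older than 11.1.2-h3 even though it is newer than 11.1.1-h1. The following Python snippet is an added example, not Palo Alto Networks code and not output from this page. It parses PAN-OS version strings including the -hN hotfix suffix and decides whether a reported 11.1.x version carries the fix, using only the fixed builds named on this page. The FIXED_11_1 list, the function names and the sample inventory are assumptions for illustration; the rule that a later maintenance release on the same train (11.1.3 and up) carries the fix forward is also an assumption, and versions on trains this page does not cover return None rather than a guess.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string has no -hN suffix (a base maintenance release)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.1.2-h3' into (11, 1, 2, 3) and '11.1.2' into (11, 1, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Fixed builds for CVE-2024-3400 on the 11.1 train as listed on this page (PAN-252214).
# Only those; fixed builds on other trains are not on this page and are not guessed here.
FIXED_11_1 = [parse_version(v) for v in ("11.1.1-h1", "11.1.2-h3")]


def is_fixed(running: str, fixed: list[PanOsVersion] = FIXED_11_1) -> Optional[bool]:
    """True if `running` is at or above a listed fix, False if it is a build
    before the fix on that train, None if the train is not covered by `fixed`."""
    v = parse_version(running)
    train = [f for f in fixed if (f.major, f.minor) == (v.major, v.minor)]
    if not train:
        return None
    for f in train:
        if f.maint == v.maint:
            # Same maintenance release: the hotfix number decides (11.1.2 < 11.1.2-h3).
            return v.hotfix >= f.hotfix
    # Assumption: a maintenance release newer than every listed fixed build on the
    # train (11.1.3 and later here) carries the fix forward; an older one (11.1.0) does not.
    return v.maint > max(f.maint for f in train)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by fix status for a {hostname: version} inventory."""
    groups: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_fixed(version)
        key = "unknown" if status is None else ("fixed" if status else "vulnerable")
        groups[key].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fw-edge-1": "11.1.2-h3",
        "fw-edge-2": "11.1.2",
        "fw-dc-1": "11.1.1-h1",
        "fw-dc-2": "11.1.0",
        "fw-branch-9": "10.2.9-h1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feed it the version column of your device inventory; any host reported as vulnerable or unknown needs a manual check against the vendor advisory, since this list deliberately covers only the 11.1 builds named on this page.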
Addressed
11.1.2-h1
PAN-242879
Fixed an issue where the dataplane restarted when advanced features such as Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering hit max latency under inline mode.
Addressed
11.1.2-h1
PAN-242634
(PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only) Fixed an issue where a large packet burst from the dataplane to the management plane caused the DPDK kernel network interface to become unresponsive.
Addressed
11.1.2-h1
PAN-240166
Fixed an issue where, when explicit proxy was configured on the firewall, websites loaded more slowly than expected or did not load due to DNS using TCP.
Addressed
11.1.2-h1
PAN-239279
Fixed an issue where the proxy did not accept new connections.
Addressed
11.1.2
PAN-242627
Fixed an issue where selective push did not work.
Addressed
11.1.2
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
11.1.2
PAN-242519
Fixed an issue where scheduled email reports failed if the @ symbol before the mail client was missing.
Addressed
11.1.2
PAN-241504
Fixed an issue on the web interface where filtering logs under the Monitor tab was slower than expected.
Addressed
11.1.2
PAN-239769
Fixed an issue where object references in a rule were renamed, and a selective revert of the changes with Commit changes by me caused a reference error.
Addressed
11.1.2
PAN-238769
(VM-Series firewalls in FIPS-CC mode only) Fixed an issue where upgrading Panorama caused the action of all locally created Security policy rules to change to Deny.
Addressed
11.1.2
PAN-238586
Fixed an issue where DNS resolution failure from the LFC resulted in WildFire public cloud connectivity failure.
Addressed
11.1.2
PAN-236120
Fixed an issue where the /opt/panlogs partition reached capacity due to the logdb-quota for the User-ID log folder not being matched.
Addressed
11.1.2
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
11.1.2
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation for the length of the predefined signature, which resulted in App-ID not detecting correctly.
Addressed
11.1.2
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message:
Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit
Addressed
11.1.2
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
11.1.2
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
11.1.2
PAN-225337
Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls failed.
Addressed
11.1.2
PAN-225203
Fixed an issue where the Log Forwarding Card (LFC) did not honor the negotiated MSS on the logging connection.
Addressed
11.1.2
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
11.1.2
PAN-223259
Fixed an issue where selective pushes failed with the following error message:
Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push
Addressed
11.1.2
PAN-216941
(Panorama appliances in Log Collector mode only) Fixed an issue where Panorama stopped processing and saving logs.
Known
11.1.3
PAN-255868
This issue is now resolved. See PAN-OS 11.1.3-h1 Addressed Issues.
(PA-3400 Series firewalls only) After enabling kernel data collection during a silent reboot, the firewall fails and reboots to maintenance mode.
Workaround:
To recover the firewall, initiate a reboot from maintenance mode.
Known
11.1.3
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.3
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit > Commit to Panorama to commit the SD-WAN configuration changes on the active HA peer.
     On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the Panorama CLI of the primary (active) HA peer and trigger a manual synchronization to the secondary HA peer.
     admin> request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface, select Commit > Push to Devices, and Push.
Known
11.1.3
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.1.3
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.3
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.1.3
PAN-222253
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.1.3
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the CLI of the Panorama or Log Collector experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.1.3
PAN-220180
Configured botnet reports (Monitor > Botnet) are not generated.
Known
11.1.3
PAN-220176
System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.1.3
PAN-219644
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.3
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.1.3
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.3
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.3
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit > Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.1.3
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.3
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.3
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
     admin> show panorama-status
     Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
     admin> debug software restart process management-server
Known
11.1.3
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
11.1.3
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.3
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.1.3
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints a different error depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message does not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message includes the interface name.
Known
11.1.3
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.1.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis is bypassed, so the configured Reset-Both action is not applied to that request.
Known
11.1.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.1.3
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
     Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
     (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.1.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.1.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.1.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, some of the cards may not receive all of the updates, and the client mappings may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.3
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.3-h1
PAN-256765
Fixed an issue where you were unable to push variables from Panorama in service routes for non-cluster templates.
Addressed
11.1.3-h1
PAN-255868
(PA-3400 Series firewalls only) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.1.3
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none.
Addressed
11.1.3
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
11.1.3
PAN-249808
Fixed an issue where the configd process stopped responding when performing multi-device group pushes via XML API.
Addressed
11.1.3
PAN-249597
Fixed an issue where the Policy page on the Panorama web interface was slower than expected when a device group had a large number of managed devices.
Addressed
11.1.3
PAN-249019
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.1.3
PAN-248748
Fixed an issue that caused the dataplane to stop responding when running a packet diagnostic with Jumbo frames enabled.
Addressed
11.1.3
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
11.1.3
PAN-247403
(Panorama virtual appliances only) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
11.1.3
PAN-246707
Fixed an issue where failover was not triggered when multiple processes stopped responding.
Addressed
11.1.3
PAN-246215
Fixed an issue where the sleep time for a suspended pan_task process caused configuration and policy updates to be blocked.
Addressed
11.1.3
PAN-245701
Fixed an issue where the returned values to SNMP requests for data port statistics were incorrect.
Addressed
11.1.3
PAN-245690
Fixed an issue where the Managed Collectors health status on Panorama displayed as empty.
Addressed
11.1.3
PAN-245041
Fixed an issue where the WF-500 appliance returned an error verdict for every sample in FIPS mode.
Addressed
11.1.3
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
11.1.3
PAN-244836
A knob was introduced to toggle the default behavior of BGP in the Advanced Routing stack to not suppress duplicate updates. By default, the prefix updates are suppressed for optimization.
Addressed
11.1.3
PAN-244648
Fixed an issue where, when FIPS was enabled in maintenance mode, the firewall rebooted and returned to maintenance mode.
Addressed
11.1.3
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
11.1.3
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
11.1.3
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
11.1.3
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
11.1.3
PAN-244013
Fixed an issue where the web interface did not display newly added Anti-Spyware signatures or Vulnerability Signatures.
Addressed
11.1.3
PAN-243463
Fixed an issue where high Enhanced Application Log traffic used excess system resources and caused processes to not work.
Addressed
11.1.3
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
11.1.3
PAN-241548
Fixed an issue where the firewall stopped responding when switching from endpoint authentication bypass to endpoint Kerberos authentication with SWG-proxy traffic.
Addressed
11.1.3
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
11.1.3
PAN-241164
(PA-410 firewalls only) Fixed an issue where system and configuration logs sent from the firewall to Panorama contained the serial number field instead of the firewall device name.
Addressed
11.1.3
PAN-241141
Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.
Addressed
11.1.3
PAN-241041
Fixed an issue where, after upgrading to 11.1.0, exporting CSV files for template stack variables or template variables resulted in an empty file.
Addressed
11.1.3
PAN-241018
(VM-Series firewalls in Microsoft Azure environments only) Fixed a Dataplane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event.
Addressed
11.1.3
PAN-240993
Fixed an issue where you were unable to revert a sort in task manager in the admin column.
Addressed
11.1.3
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
11.1.3
PAN-240618
Fixed an issue where configuration commits were successful even when dynamic peer IKE gateways configured on the same interface and IP address did not have the same IKE crypto profile.
Addressed
11.1.3
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
11.1.3
PAN-240596
Fixed an issue where all_task stopped responding due to an invalid memory address.
Addressed
11.1.3
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M to not be able to link up on PA-3400 and PA-1400 Series firewalls.
Addressed
11.1.3
PAN-240368
Fixed an issue where authentication portal redirection for HTTPS websites did not work when Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic was enabled.
Addressed
11.1.3
PAN-240347
Fixed an issue with the web interface where the Dashboard and a Device Group policy rule took longer than expected to load.
Addressed
11.1.3
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
11.1.3
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
11.1.3
PAN-239776
Fixed an issue where Panorama went into maintenance mode due to a GlobalProtect quota configuration that was under the minimum required quota.
Addressed
11.1.3
PAN-239722
Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.
Addressed
11.1.3
PAN-239662
Fixed an issue where the NSSA default route from the firewall was not generated for advertisement, even though the backbone area default route was advertised during a graceful restart.
Addressed
11.1.3
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
11.1.3
PAN-239354
Fixed an issue where DNS resolution was delayed when an antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
11.1.3
PAN-239337
Fixed an issue where the log_index was suspended and corrupted BDX files flooded the index_log.
Addressed
11.1.3
PAN-239256
Fixed an issue where ARP entries were unable to be completed for subinterfaces with SNAT configured.
Addressed
11.1.3
PAN-238996
Fixed an issue where commits did not complete and remained in a pending state due to a race condition. With this fix, the commit will fail after 60 seconds and not remain in a pending state.
Addressed
11.1.3
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
11.1.3
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN Ethernet connection state still showed UP/path-monitor because the Active URL SaaS monitor connection state remained UP/path-monitor.
Addressed
11.1.3
PAN-238621
Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.
Addressed
11.1.3
PAN-238562
Fixed an issue where log collectors stopped responding when gathering reports from Panorama.
Addressed
11.1.3
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
11.1.3
PAN-237678
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall displayed the error message Unable to read QSFP Module ID when the passive link state was set to shutdown.
Addressed
11.1.3
PAN-237537
Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.
Addressed
11.1.3
PAN-237478
Fixed an issue where the traffic log displayed 0 bytes for denied sessions.
Addressed
11.1.3
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
11.1.3
PAN-237369
(PA-1420 firewalls only) Fixed an issue where the all_task process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.1.3
PAN-237246
Fixed an issue where the all_pktproc process repeatedly restarted, which caused the firewall to go into a nonfunctional state.
Addressed
11.1.3
PAN-236802
Fixed an issue on firewalls in HA configurations where unexpected failovers occurred.
Addressed
11.1.3
PAN-236261
Fixed an issue where a proxy server was used for External Dynamic List communication even when the dataplane interface was configured through service routes.
Addressed
11.1.3
PAN-236244
Fixed an issue where you were unable to select Authentication Profiles via the web interface.
Addressed
11.1.3
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
11.1.3
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
11.1.3
PAN-235628
Fixed an issue where you were not prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with Single Sign-On (SSO) and Single Log Out (SLO).
Addressed
11.1.3
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
11.1.3
PAN-235476
Fixed an issue where threat logs from different Security zones were aggregated into one log.
Addressed
11.1.3
PAN-235168
Fixed an issue where disk space became full even after clearing old logs and content images.
Addressed
11.1.3
PAN-235081
(VM-Series firewalls only) Fixed an issue where the firewall sent packets to its own interface after configuring NAT64.
Addressed
11.1.3
PAN-234596
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall incorrectly became active after a reboot.
Addressed
11.1.3
PAN-234459
Fixed an issue with the firewall web interface where local SSL decryption exclusion cache entries were not visible.
Addressed
11.1.3
PAN-234290
Fixed an issue where the firewall displayed incorrect interface transfer rates when running the CLI command show system state filter-pretty sys.s1.px with a filter.
Addressed
11.1.3
PAN-234169
Fixed an issue where downloading files failed or was slower than expected due to malware scanning even when the session was matched to a Security policy rule with no Anti-Virus profile attached.
Addressed
11.1.3
PAN-234031
Fixed an issue on multi-core firewalls where the firewall displayed packets out of order when capturing packets on the transmit stage.
Addressed
11.1.3
PAN-233833
Fixed an issue where enabling Jumbo frames resulted in software packet buffer depletion.
Addressed
11.1.3
PAN-233789
Fixed an issue with Push and Commit and Push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
11.1.3
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
11.1.3
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
11.1.3
PAN-233603
(CN-Series firewalls only) Fixed an issue where slot information was not correct after a slotd process restart on the management pod.
Addressed
11.1.3
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
11.1.3
PAN-233517
Fixed an issue on Panorama where managed device templates and device groups took longer than expected to display in the Push to Devices window.
Addressed
11.1.3
PAN-233463
Fixed an issue where the X-Forwarded-For (XFF) IP address value was not displayed in traffic logs.
Addressed
11.1.3
PAN-233207
Fixed an issue where the configd process stopped responding when a partial configuration revert operation was performed.
Addressed
11.1.3
PAN-233039
Fixed an issue where GENEVE encapsulated packets coming from a GFE Proxy mapped to an incorrect Security policy rule.
Addressed
11.1.3
PAN-232953
Fixed an issue where you were able to cancel the same commit repeatedly, which displayed the error message Cannot stop job <job> at this time.
Addressed
11.1.3
PAN-232368
Fixed an issue where commits failed with the error message Error: Max. user groups used in policy 1389 exceed capacity (1000).
Addressed
11.1.3
PAN-232250
Fixed an issue where, when SSH service profiles for management access were set to None, the reported output was incorrect.
Addressed
11.1.3
PAN-231802
Fixed an issue where an Advanced Routing BGP session flapped with commits when BGP peer authentication was enabled.
Addressed
11.1.3
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
11.1.3
PAN-231507
(PA-1400 Series firewalls only) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages.
Addressed
11.1.3
PAN-231480
Fixed an issue where the firewall CLI output for GlobalProtect log quota settings did not match the settings configured on the Panorama web interface.
Addressed
11.1.3
PAN-231439
Fixed an issue where, when a VoIP call using dynamic IP and NAT was put on hold, the audio became one-way due to early termination of NAT ports.
Addressed
11.1.3
PAN-231395
Fixed an intermittent issue where the OCSP query failed.
Addressed
11.1.3
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
11.1.3
PAN-230813
Fixed an issue where a flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START.
Addressed
11.1.3
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.1.3
PAN-230656
(Firewalls in HA configurations only) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
11.1.3
PAN-230377
Fixed an issue where FEC support was not enabled by default for PAN-25G-SFP28-LR modules.
Addressed
11.1.3
PAN-230372
Fixed an issue where OCSP queries did not work after upgrading to a PAN-OS 11.0 release.
Addressed
11.1.3
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
11.1.3
PAN-229985
(VM-Series firewalls in Amazon Web Services (AWS) only) Fixed an issue where, when Gateway Load Balancer (GWLB) overlay routing was enabled, GWLB packets were re-encapsulated with the incorrect flow cookie in the GENEVE header when transmitting the response back to GWLB.
Addressed
11.1.3
PAN-229874
Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.
Addressed
11.1.3
PAN-229873
(PA-7050 firewalls only) Fixed an issue related to brdagent process errors.
Addressed
11.1.3
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
11.1.3
PAN-229069
Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.
Addressed
11.1.3
PAN-228457
(PA-7000 firewalls only) Fixed an issue where the GTP logs forwarded from the firewall to the log collector did not include the pcap.
Addressed
11.1.3
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
11.1.3
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
11.1.3
PAN-227973
Fixed an issue where commits failed after renaming an address object or object group with a selective commit.
Addressed
11.1.3
PAN-227939
Fixed an issue where the all_task process stopped responding due to high wifclient memory usage, which caused the firewall to reboot.
Addressed
11.1.3
PAN-227887
Fixed an issue where IP address checksums were calculated incorrectly.
Addressed
11.1.3
PAN-227510
Fixed an issue where the error message Failed to establish GRPC connection to UrlCat service: failed to start grpc connection was displayed in the system log when the Advanced URL Filtering license was applied but not configured.
Addressed
11.1.3
PAN-227064
Fixed an issue with high availability (HA) sync failure when performing a partial commit after creating a Security policy via REST API.
Addressed
11.1.3
PAN-226489
Fixed an issue where Panorama was unable to push scheduled dynamic updates to firewalls with the error message Failed to add deploy job. Too many (30) deploy jobs pending for device.
Addressed
11.1.3
PAN-225090
Fixed an issue on Panorama where Commit and Push was grayed out when making changes to a template or device group.
Addressed
11.1.3
PAN-225064
Fixed an issue where Panorama stopped responding and entered a non-functional state after moving multiple Security policy rules at the same time from one device group to another device group.
Addressed
11.1.3
PAN-224938
Fixed an issue where the CLI command settings for set system setting logging max-log-rate did not persist after a mgmtsrvr process restart.
Addressed
11.1.3
PAN-224424
(PA-3440 firewalls only) Fixed an issue where you were unable to set the link speed as 25Gbps from the drop-down in the template for Ethernet ports 1/23 through 1/26.
Addressed
11.1.3
PAN-224060
(PA-220 Series firewalls only) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
11.1.3
PAN-223365
Fixed an issue where Panorama was unable to query any logs if the Elasticsearch health status for any log collector was degraded.
Addressed
11.1.3
PAN-223172
Fixed an issue on Panorama where host IDs manually added to the device quarantine list were unexpectedly removed.
Addressed
11.1.3
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
11.1.3
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9.
Addressed
11.1.3
PAN-220931
(Panorama appliances in FIPS-CC mode only) Fixed an issue where scheduled email reports did not contain PDF attachments.
Addressed
11.1.3
PAN-219805
Fixed an issue where the reportd process stopped responding due to a race condition.
Addressed
11.1.3
PAN-219113
Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.
Addressed
11.1.3
PAN-217619
Fixed an issue where supported Bi-DI transceivers were not recognized, which caused ports to not come up.
Addressed
11.1.3
PAN-217307
Fixed an issue where the log-start and log-end policy rule filters did not return reliable results when set to no or yes.
Addressed
11.1.3
PAN-217241
Fixed an issue where predict session conversion failed for RTP and RTCP traffic.
Addressed
11.1.3
PAN-209574
Fixed an issue with HTTP/2 traffic where downloading large files did not work when decryption was enabled.
Addressed
11.1.3
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Addressed
11.1.3
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
11.1.3
PAN-196395
(PA-5450 firewalls only) Fixed an issue where the firewall accepted 12 aggregate ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
11.1.3
PAN-174454
Fixed an issue where the firewall did not fetch group and user membership due to the Okta sync domain not matching the active Cloud Identity Engine domain.
Known
11.1.4
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.4
PAN-243951
On the Panorama management server in an active/passive High Availability (HA) configuration, managed devices (Panorama > Managed Devices > Summary) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN (Panorama > SD-WAN) configuration on the active HA peer.
Workaround:
Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer. On the passive HA peer, select Panorama > Managed Devices > Summary and observe that the managed devices are now out-of-sync.
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit > Push to Devices and Push.
Known
11.1.4
PAN-241041
On the Panorama management server, exporting template or template stack variables (Panorama > Templates) in CSV format results in an empty CSV file.
Known
11.1.4
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.4
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
11.1.4
PAN-222253
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups (Policy > <policy-rulebase>) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
11.1.4
PAN-221126
Logs forwarded as email notifications using email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) are not forwarded in a readable format.
Workaround:
Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
11.1.4
PAN-221015
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. This results in the Managed Collector ES health status (Panorama > Managed Collectors > Health Status) being degraded.
Workaround:
Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes.
admin> debug elasticsearch es-restart optional all
Known
11.1.4
PAN-220180
Configured botnet reports (Monitor > Botnet) are not generated.
Known
11.1.4
PAN-220176
System process crashes might occur with VoIP traffic when NAT is enabled with Persistent Dynamic IP and Port settings.
Known
11.1.4
PAN-219644
Firewalls forwarding logs to a syslog server over TLS (Objects > Log Forwarding) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.4
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
11.1.4
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.4
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.4
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.1.4
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.4
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.4
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
Known
11.1.4
PAN-204689
Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App: Allow with Passcode
  • Allow user to Disable GlobalProtect App: Allow with Passcode
  • Allow User to Uninstall GlobalProtect App: Allow with Password
Known
11.1.4
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.4
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.1.4
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.4
PAN-194978
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.1.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.4
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.
Known
11.1.4
PAN-184708
Scheduled report emails (Monitor > PDF Reports > Email Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (Monitor > PDF Reports > Report Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround:
To receive a scheduled report email for all other PDF report types:
  1. Select Monitor > PDF Reports > Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor > PDF Reports > Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK. Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit. (Panorama managed firewalls) Select Commit > Commit and Push.
Known
11.1.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.1.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.1.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, so the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
11.1.4
PAN-164885
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.4
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
11.1.4
PAN-255868
(PA-3400 Series firewalls only) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.1.4
PAN-253317
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
11.1.4
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
11.1.4
PAN-250597
Fixed an issue where Global Find for a Panorama pushed shared address object displayed Others in the results.
Addressed
11.1.4
PAN-250270
Fixed an issue where partial commits did not merge changes when the complete rule base was updated with edit operations via XML API.
Addressed
11.1.4
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
11.1.4
PAN-245157
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall restarted after an HA failover when DPDK was enabled.
Addressed
11.1.4
PAN-245125
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
11.1.4
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
11.1.4
PAN-238183
Fixed an issue where Panorama displayed deviating device system logs for non-connected interfaces.
Addressed
11.1.4
PAN-236497
Fixed an issue where the firewall was unable to purge expired GTP-U sessions that remained as allocated sessions even after the TTL was expired.
Addressed
11.1.4
PAN-234977
Fixed an issue where, when a Layer 2 interface that was a member of a VLAN was down, all traffic transmitted over the VLAN was dropped.
Addressed
11.1.4
PAN-231642
Fixed an issue on the Panorama web interface where users that were logged in through multiple sessions were able to see an active lock on only one session.
Addressed
11.1.4
PAN-214773
Fixed an issue where RTP packets traversing inter-vsys were dropped on the outgoing vsys.
Addressed
11.1.4
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Known
11.2.0
PAN-257045
The firewall using the Advanced Routing Engine loses PIM Hello messages after a two-day steady state run.
Known
11.2.0
PAN-256780
The firewall using the Advanced Routing Engine has inconsistent formatting of multicast output from the CLI command show ip igmp sources json.
Known
11.2.0
PAN-256343
When the firewall is using the Advanced Routing Engine and OSPFv3 is configured, the interface and area information fails to appear in the CLI or the user interface. Additionally, you shouldn't use the CLI command show advanced-routing ospf interface because it disrupts traffic.
Known
11.2.0
PAN-254305
DHCP request is not sent when the service route is configured.
Known
11.2.0
PAN-254236
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround:
Disable SSL/TLS handshake inspection.
Known
11.2.0
PAN-254143
A firewall that uses the Advanced Routing Engine fails to add a local route to the Routing Information Base (RIB); it is able to add connected routes to the RIB. However, the firewall adds both connected and local routes to the Forwarding Information Base (FIB). This results in a mismatch between the RIB and FIB.
Known
11.2.0
PAN-254108
When upgrading or downgrading a Panorama management server (Panorama > Software), managed device (Panorama > Device Deployment > Software), or standalone firewall (Device > Software), the Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround:
Uncheck (disable) Base Releases or Preferred Releases to display either the base PAN-OS releases or the preferred PAN-OS releases available to download and install.
Known
11.2.0
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.0
PAN-253702
A firewall using the Advanced Routing Engine fails to come up and fails to display OSPFv3 neighbor information.
Known
11.2.0
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit, the change won't take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround:
After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.0
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.0
PAN-249700
On a firewall that uses the Advanced Routing Engine and has BGP enabled, the BGP process crashes with a SIGSEGV signal when the local interface and the peer IP address change.
Known
11.2.0
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.0
PAN-248147
The firewall using the Advanced Routing Engine doesn't properly display the interface name in the output of the CLI command show advanced-routing ospf neighbor brief yes.
Known
11.2.0
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.0
PAN-247221
The firewall using the Advanced Routing Engine fails to display output for the CLI command show advanced-routing bgp peer received-routes.
Known
11.2.0
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. vmx-15 is supported on ESXi 6.7 U2 and later. Palo Alto Networks recommends that you upgrade your ESXi version if it is earlier than 6.7 U2. For more information, see the compatibility matrix.
Known
11.2.0
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.0
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command show interface all.
Workaround:
Unconfigure and configure the Inherited Interface.
Known
11.2.0
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround:
Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit > Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.2.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama:
     admin> show panorama-status
     Verify the Connected status is no.
  2. Restart the mgmtsrvr process:
     admin> debug software restart process management-server
Known
11.2.0
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.0
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.2.0
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.2.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.2.0
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.2.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, so the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Known
11.2.0
PAN-164885
This issue is now resolved. See PAN-OS 11.2.1 Addressed Issues.
On the Panorama management server, pushes to managed firewalls (Commit > Push to Devices or Commit and Push) may fail when an EDL (Objects > External Dynamic Lists) is configured to Check for updates every 5 minutes, due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.2.0
PAN-240174
Fixed an issue where, when LSVPN serial numbers and IP address authentication were enabled, IPv6 address ranges and complete IPv6 addresses that were manually added to the IP address allow or exclude list were not usable after a restart of the gp_broker process or the firewall.
Addressed
11.2.0
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
11.2.0
PAN-228386
Fixed an issue with session caching where the reportd process stopped responding due to null values.
Addressed
11.2.0
PAN-227344
Fixed an issue on Panorama where PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) displayed no data and were blank when predefined widgets were included in the summary report.
Addressed
11.2.0
PAN-227305
Fixed an issue where SCEP certificate generation failed when a service route was used to reach the SCEP server.
Addressed
11.2.0
PAN-227224
(PA-1400 Series firewalls) Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.
Addressed
11.2.0
PAN-226626
Fixed an issue where the firewall generated numerous logrcvr error messages related to netflow.
Addressed
11.2.0
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
11.2.0
PAN-225240
Fixed an issue where the OSPF neighbor state remained in exstart when the OSPF network had more than 40 routes.
Addressed
11.2.0
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
11.2.0
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
11.2.0
PAN-224365
Fixed an issue where excessive network path monitoring messages were generated in the system logs.
Addressed
11.2.0
PAN-224067
Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.
Addressed
11.2.0
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
11.2.0
PAN-223365
Fixed an issue where Panorama was unable to query any logs if the Elasticsearch health status for any log collector was degraded.
Addressed
11.2.0
PAN-220881
Fixed an issue where the CLI command show logging-status did not correctly display the last log created and forwarded timestamps.
Addressed
11.2.0
PAN-220640
(PA-220 firewalls only) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
11.2.0
PAN-219768
Fixed an issue where you were unable to filter Data Filtering logs with Threat ID/NAME for custom data patterns created over Panorama.
Addressed
11.2.0
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
11.2.0
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that were not addressed to itself were silently dropped instead of forwarded.
Addressed
11.2.0
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
11.2.0
PAN-207003
Fixed an issue where the logrcvr process netflow buffer was not reset which resulted in duplicate netflow records.
Addressed
11.2.0
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Known
11.2.1
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service route configuration (Device > Setup > Services > Service Route Configuration).
Known
11.2.1
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc process gets stuck during renewal and after HA failover.
Known
11.2.1
PAN-254236
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround:
Disable SSL/TLS handshake inspection.
Known
11.2.1
PAN-254108
When upgrading or downgrading a Panorama management server (Panorama > Software), managed device (Panorama > Device Deployment > Software), or standalone firewall (Device > Software), the Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround:
Uncheck (disable) Base Releases or Preferred Releases to display either the base PAN-OS releases or the preferred PAN-OS releases available to download and install.
Known
11.2.1
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.1
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit, the change won't take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround:
After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.1
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.1
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.1
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.1
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. vmx-15 is supported on ESXi 6.7 U2 and later. Palo Alto Networks recommends that you upgrade your ESXi version if it is earlier than 6.7 U2. For more information, see the compatibility matrix.
Known
11.2.1
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.1
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command show interface all.
Workaround:
Unconfigure and configure the Inherited Interface.
Known
11.2.1
PAN-207442
For M-700 appliances in an active/passive high availability (Panorama > High Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Result is Successful (Tasks); however, the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround:
Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit > Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
Known
11.2.1
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (Panorama > Managed Collector) displaying connected and the managed collector Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround:
Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama:
     admin> show panorama-status
     Verify the Connected status is no.
  2. Restart the mgmtsrvr process:
     admin> debug software restart process management-server
Known
11.2.1
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.1
PAN-197419
(PA-1400 Series firewalls only) In Network > Interface > Ethernet, the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously shows the auto-provisioned BGP configurations for SD-WAN as being edited or deleted, despite no edits or deletions being made, when you Preview Changes (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections).
Known
11.2.1
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error that differs depending on whether an interface type was selected on the non-PoE port. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (e.g., ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (Panorama > Managed Devices > Summary) after a bootstrapped firewall is successfully added to Panorama.
Workaround:
After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit > Push to Devices.
Known
11.2.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: if the firewall is set to Hold client request for category lookup, the action is set to Reset-Both, and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround:
Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
11.2.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with an IP CIDR range.
Known
11.2.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, not all of the cards may receive all of the updates, so the client mappings may become out of sync, which causes the firewall to populate the Source User column in the session logs incorrectly.
Addressed
11.2.1
PAN-257919
Fixed an issue where, when using explicit proxy with SAML authentication, initiating SAML authentication with a non-GET request resulted in a 302 redirect response instead of the expected 200 OK response.
Addressed
11.2.1
PAN-256343
Fixed an issue where, when Advanced Routing Engine was enabled and OSPFv3 was configured, the CLI command show advanced-routing ospf interface caused traffic to be disrupted, and the interface and area information did not display in the CLI or the web interface.
Addressed
11.2.1
PAN-255868
(PA-3400 Series firewalls only) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.2.1
PAN-255227
Fixed an issue where the MAC address was sent to the DHCP server instead of the hostname on macOS endpoints.
Addressed
11.2.1
PAN-249292
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where CPU usage was higher than expected after a hotplug event when Accelerated Networking was enabled for the management interface.
Addressed
11.2.1
PAN-236909
Fixed an issue where, when you committed the first configuration change after booting up the firewall, the external dynamic list file download failed until the list was refreshed. This occurred when the configuration was pushed with a certificate profile.
Addressed
11.2.1
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes, due to the commit and external dynamic list fetch processes overlapping.