PAN-OS Release Notes

11.0.2-h1

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2022-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
August 17, 2023

PAN-OS Release Notes 11.0.2-h1 2 ©2023 Palo Alto Networks, Inc.


Table of Contents

Features Introduced in PAN-OS 11.0
  Networking Features
  Panorama Features
  Management Features
  Certificate Management Features
  Cloud Identity Features
  Content Inspection Features
  IoT Security Features
  Mobile Infrastructure Security Features
  PAN-OS SD-WAN Features
  Virtualization Features
  Advanced WildFire Features
  GlobalProtect Features
  Hardware Features
  Enterprise Data Loss Prevention Features

Changes to Default Behavior
  Changes to Default Behavior in PAN-OS 11.0

Limitations
  Limitations in PAN-OS 11.0

Associated Content and Software Versions
  Associated Content and Software Versions for PAN-OS 11.0
  WildFire Analysis Environment Support for PAN-OS 11.0

PAN-OS 11.0.2 Known and Addressed Issues
  PAN-OS 11.0.2 Known Issues
  PAN-OS 11.0.2-h1 Addressed Issues
  PAN-OS 11.0.2 Addressed Issues

PAN-OS 11.0.1 Known and Addressed Issues
  PAN-OS 11.0.1 Known Issues
  PAN-OS 11.0.1-h2 Addressed Issues
  PAN-OS 11.0.1 Addressed Issues

PAN-OS 11.0.0 Known and Addressed Issues
  PAN-OS 11.0.0 Known Issues
  PAN-OS 11.0.0 Addressed Issues

Related Documentation
  Related Documentation for PAN-OS 11.0


Features Introduced in PAN-OS 11.0
Review new features introduced in Palo Alto Networks PAN-OS® 11.0 software.
• Networking Features
• Panorama Features
• Management Features
• Certificate Management Features
• Cloud Identity Features
• Content Inspection Features
• IoT Security Features
• Mobile Infrastructure Security Features
• PAN-OS SD-WAN Features
• Virtualization Features
• Advanced WildFire Features
• GlobalProtect Features
• Hardware Features
• Enterprise Data Loss Prevention Features

Networking Features
New Networking Feature Description

LSVPN Cookie Expiry Extension
(PAN-OS 11.0.1 and later 11.0 releases)
You can now configure the cookie expiration period from 1 to 5 years, while the default
remains as 6 months. The encrypted cookie stored on a Large Scale VPN (LSVPN) satellite
expires after every 6 months. This causes the VPN tunnels associated with the satellite to
go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or
gateway and a new cookie is generated. A re-authentication every six months causes
administrative overhead, affecting productivity, network stability, and resources of the
company.
To reduce administrative overhead, we’ve extended the cookie expiration period from 6
months to 5 years.

PPPoE Client Support on a Subinterface
(PAN-OS 11.0.1 and later 11.0 releases)
The firewall extends PPPoE IPv4 client support to a subinterface so that the firewall can
connect to an ISP that uses an IEEE 802.1Q VLAN tag on its PPPoE connections. The firewall
as a PPPoE client receives its IPv4 address and other information from the PPPoE server.
The firewall encapsulates PPPoE packets from a host in an 802.1Q frame before sending them
to the ISP, and decapsulates PPPoE packets from the 802.1Q frame before sending them to
the host.

Increased Maximum Number of Security Zones for PA-3400 Series Firewalls
(PAN-OS 11.0.1 and later 11.0 releases)
(PA-3400 Series firewalls only) The maximum number of security zones supported on the
PA-3410 and PA-3420 firewalls has increased from 40 to 200. The maximum number of security
zones supported on the PA-3430 firewall has increased from 100 to 200.

Poll Timeout Improvement for PA-3400 and PA-5400 Series Firewalls
(PAN-OS 11.0.1 and later 11.0 releases)
The PA-3400 and PA-5400 Series firewalls have improved latency when operating under low
load.

Web Proxy
Some networks are designed around a proxy for compliance and other requirements. The Web
Proxy capability available in PAN-OS 11.0 allows these customers to migrate to NGFW
without changing their proxy network to secure web as well as non-web traffic. With web
proxy available for both NGFW and Prisma Access, Palo Alto Networks helps you transition
to a single, integrated security stack for web security across on-premises and
cloud-delivered form factors. By configuring seamless synchronization between your
on-premises proxy device and the cloud-based proxy, you can enable Prisma Access as a SASE
solution for your SWG-based network architecture to ensure consistent policy application
regardless of location.

DHCPv6 Client with Prefix Delegation
The firewall now supports a stateful DHCPv6 Client to obtain IPv6 addresses and other
parameters. This feature also supports Prefix Delegation by assigning prefixes received
from the DHCP server to configured pools. A prefix from the pool is distributed using
SLAAC to a host-facing (inherited) interface.

IPSec Transport Mode
In addition to the default tunnel mode, you can now configure IPSec tunnels to use
Transport Mode when encrypting host-to-host communications. Transport mode encrypts only
the payload while retaining the original IP header. You can use Transport mode to encrypt
the management traffic with the most secure protocols.

Multicast Source Discovery Protocol on Advanced Routing Engine
The Advanced Routing Engine adds support for MSDP. MSDP interconnects multiple IPv4 PIM
Sparse-Mode (PIM-SM) domains, enables the discovery of multicast sources in other PIM-SM
domains, and reduces the complexity of interconnecting multiple PIM-SM domains by allowing
PIM-SM domains to use an interdomain source tree.

BFD Support on PA-400 Series Firewalls
Bidirectional Forwarding Detection (BFD) support is extended to the PA-400 Series
firewalls (PA-410, PA-440, PA-450, and PA-460 firewalls) for both the legacy routing
engine and Advanced Routing Engine.

IPv4 and IPv6 Address Families Supported over a Single BGP Peering on Advanced Routing Engine
On the Advanced Routing Engine, BGP peer groups and peers now support both an IPv4 address
family (AFI profile) for unicast SAFI and an IPv6 AFI profile for unicast SAFI over a
single peering. This means that, regardless of whether the BGP local address and peer
address are IPv4 or IPv6, the peering supports both IPv4 and IPv6 unicast routes being
carried over a single BGP session that uses IPv4 or IPv6.

Power Over Ethernet (PoE)
PoE enables you to transfer electrical power from a supported firewall to a powered
device. Using interfaces that have been configured for PoE, you can allocate power to
multiple powered devices while still maintaining data transfer over an Ethernet
connection. PoE is supported on many of the new models introduced with PAN-OS 11.0,
including PA-1420, PA-1410, PA-445, and PA-415.

Persistent NAT for DIPP
Some applications, such as VoIP and video, use DIPP source NAT and may require STUN. DIPP
NAT uses symmetric NAT, which may have compatibility issues with STUN. To alleviate those
issues, persistent NAT for DIPP provides additional support for connectivity with such
applications. When you enable persistent NAT for DIPP, the binding of a private source IP
address and port to a specific public (translated) source IP address and port persists for
subsequent sessions that arrive having that same original source IP address and port.
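
Added example (not part of the release notes and not Palo Alto Networks code): a simplified Python model of the Persistent NAT for DIPP behavior described above, showing why an address learned through STUN does not match what a peer sees under symmetric NAT and does match once the binding persists per original source IP address and port. The class name, port numbering, and documentation-range addresses are assumptions made for illustration.

```python
"""Simplified model of DIPP source NAT: symmetric vs. persistent bindings.

Constructed illustration only; it does not reproduce PAN-OS internals
(no timeouts, port-pool limits, or oversubscription are modelled).
"""
from dataclasses import dataclass, field
from itertools import count

# Constructed sample endpoints (private and documentation address ranges).
CLIENT = ("10.0.0.5", 5060)            # VoIP client behind the NAT
STUN_SERVER = ("198.51.100.10", 3478)  # tells the client its public address
PEER = ("203.0.113.20", 16384)         # remote party that receives the media


@dataclass
class DippNat:
    """Hypothetical dynamic IP-and-port source NAT with one public address."""
    public_ip: str
    persistent: bool = False
    _ports: count = field(default_factory=lambda: count(40000))
    _bindings: dict = field(default_factory=dict)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (public_ip, public_port) used for this session."""
        if self.persistent:
            # Persistent: the binding depends only on the original source,
            # so every later session from that source reuses it.
            key = (src_ip, src_port)
        else:
            # Symmetric: each distinct destination gets its own binding.
            key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._bindings:
            self._bindings[key] = (self.public_ip, next(self._ports))
        return self._bindings[key]


def stun_then_media(nat):
    """Simulate a STUN lookup followed by media sent to a peer.

    Returns (address reported by STUN, address the peer actually sees,
    whether the two match). The client advertises the STUN-reported address
    to the peer, so a mismatch means return traffic is sent to the wrong
    translated port.
    """
    reflexive = nat.translate(*CLIENT, *STUN_SERVER)
    seen_by_peer = nat.translate(*CLIENT, *PEER)
    return reflexive, seen_by_peer, reflexive == seen_by_peer


if __name__ == "__main__":
    for persistent in (False, True):
        nat = DippNat("192.0.2.1", persistent=persistent)
        reflexive, seen, usable = stun_then_media(nat)
        mode = "persistent" if persistent else "symmetric"
        print(f"{mode:10s} STUN={reflexive} peer-view={seen} usable={usable}")
```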

Panorama Features
New Panorama Feature Description

Panorama Interconnect 2.0
PAN-OS 11.0.1 and later releases
Upgrade to Panorama Interconnect Plugin 2.0 is required to upgrade to PAN-OS 11.0. You
must download the Panorama Interconnect Plugin 2.0.0 before you install PAN-OS 11.0.1 to
upgrade successfully.

Zero Touch Provisioning 2.0.3
PAN-OS 11.0.1 and later releases
The Zero Touch Provisioning (ZTP) Plugin 2.0.3 release includes minor bug and performance
fixes.

Admin-Level Commit with Policy Reordering
PAN-OS 11.0.1 and later releases
You can perform admin-level commits even when there are pending changes that affect the
order of a policy rulebase from other admins. This simplifies your configuration workflow
because you don't have to coordinate commits with other administrators when your changes
are unrelated to theirs, and you no longer have to wait for a Superuser admin to be
available to do a full commit on Panorama.

Proactive BPA using AIOps for NGFW
The configuration commit processes on Panorama have been seamlessly integrated with the
on-demand dynamic scale cloud plugin to perform BPA at the time of a commit and block it
for your chosen set of checks. This allows you to fix any BPA violations in real-time and
proceed with a clean bill of health. This smarter workflow eliminates any exposure that a
compromised security posture could create.

Static Security Group Tag (SGT) for TrustSec plugin
The Panorama plugin for Cisco TrustSec now provides support for static SGT (Security Group
Tags) retrieved from the Cisco ISE server. The static SGTs are used in the same way
dynamic SGTs are currently used; IP addresses and tags are extracted and forwarded to the
Panorama plugin framework, which then pushes them to the firewalls. Static SGTs can
improve security posture when an endpoint does not authenticate through Cisco ISE.

Management Features
New Management Feature Description

Skip Software Version Upgrade
You can now upgrade and downgrade standalone and Panorama managed devices running 10.1 or
later more efficiently by skipping up to three software versions. You can skip either two
major releases and one minor release, or one major release and two minor releases. The
ability to skip multiple software releases during an upgrade or downgrade shortens the
time needed for the maintenance window and enables you to take advantage of the latest
PAN-OS innovations more quickly. This feature also enhances the capabilities of the
multi-image download option and pre-install validation check, which reduces the number of
steps in the process.

TLSv1.3 Support for Management Access
PAN-OS 11.0 introduces two management configuration options that let you define TLSv1.3 as
your preferred TLS protocol and select a TLSv1.3 certificate. You can use the new settings
to specify the TLS versions and certificates your management interface supports outside of
SSL/TLS service profiles. For example, you can select tlsv1.3_only TLS mode for a faster,
more secure connection that meets your regulatory requirements.

Multi-Vsys Capability for the PA-400 Series Firewalls
Multiple virtual systems featuring shared gateway support are now available for most
PA-400 Series firewalls with a multi-vsys license. PA-440 firewalls support up to two
virtual systems. PA-450 and PA-460 firewalls support up to five virtual systems.

Certificate Management Features


Certificate Management Features Description

Support for OCSP Verification through HTTP Proxy
If your network deployment includes a web proxy, you can now use the Online Certificate
Status Protocol (OCSP) to check the validity of SSL/TLS certificates. The firewall
forwards OCSP requests to your proxy server instead of directly to the OCSP responder.
You'll need to configure an OCSP responder and specify OCSP as your certificate revocation
status method.

Cloud Identity Features


New Cloud Identity Feature Description

User Context for the Cloud Identity Engine
User Context for the Cloud Identity Engine provides unparalleled visibility into your user
identification and device information (such as tags, quarantine lists, and mappings, which
now includes IP-address-to-port number mappings from Terminal Server agents) and provides
a simple yet precise way to redistribute that information to other firewalls and devices
within your network through segmentation (for example, by region or use case). By enabling
the service on your firewall and defining information distribution for your network
segments in the Cloud Identity Engine, you can quickly locate critical information and
ensure consistent user-based policy enforcement across your network. User Context
represents the next expansion of User-ID in a unified interface on the Cloud Identity
Engine and presents actionable user identity information at a glance.

Content Inspection Features


New Content Inspection Feature Description
DNS Security Support for DoH (DNS-Over-HTTPS)
PAN-OS® can identify traffic contained in DoH (DNS-over-HTTPS) requests and apply DNS
Security real-time protection measures. This allows you to secure all DoH traffic, which
is quickly becoming the emerging standard of maintaining user privacy and data security,
by leveraging the same DNS Security analytics used to defend your organization from a
range of DNS-based threats.

Advanced Threat Prevention Support for Detecting Zero-Day Exploits
The Advanced Threat Prevention subscription now supports additional deep learning and
heuristic analysis engines to prevent malicious zero-day Injection attacks (Inbound
threats), such as SQLi and Command Injection attacks. These attacks target vulnerable
applications that do not sufficiently validate, filter, or sanitize user-supplied data.

Support for Custom Layer 3 and Layer 4 Threat Signatures
PAN-OS® now supports user-defined custom threat signatures based on Layer 3 and Layer 4
header fields. This enables you to provide enhanced vulnerability coverage for old and/or
deprecated TCP/IP stacks used in embedded devices, where signature protections are not
readily available.

IoT Security Features


New IoT Security Feature Description

IoT Security for Isolated Network Segments
(PAN-OS 11.0.2 and later 11.0 releases)
You can deploy one or more Palo Alto Networks next-generation firewalls as hardened
security telemetry gateways to logically connect firewalls in isolated network segments
with Palo Alto Networks cloud-delivered security solutions. The security telemetry
gateways block any attempted inbound internet connections to the isolated firewalls using
either a single gateway or multiple gateways in a chain depending on your needs and the
design of your network architecture.

IoT Security Policy Rule Recommendation Enhancements
New PAN-OS® and IoT Security configuration workflows make it easier to scale and manage
policy rule recommendations. The names of recommended policy rules are now automatically
generated. IoT Security automatically pushes activated policy rule sets to Panorama and
next-generation firewalls. Panorama lets you import multiple rules at a time into multiple
device groups, and firewalls let you import multiple rules at a time into your policy
rulebase.

Improved DHCP Traffic Visibility for IoT Security
By extending DHCP traffic visibility further into your network, you can now discover and
monitor even more devices than ever. IoT Security employs multiple methods to detect and
monitor network activity and correlate it to individual devices. A particularly useful
method is the examination of DHCP traffic, which allows IoT Security to associate
dynamically assigned IP addresses with device MAC addresses and then add these devices to
its inventory and track their network behavior. When it’s difficult to route DHCP traffic
in certain areas of the network to or through a firewall, there can be gaps in the
coverage that IoT Security provides. To improve visibility into DHCP traffic that
otherwise wouldn't reach the firewall, you can configure DHCP servers to send the firewall
their server logs as syslog messages. The firewall then forwards the logs through the
logging service to IoT Security.

Mobile Infrastructure Security Features


New Mobile Infrastructure Security Feature Description

5G RADIUS Support for Intelligent Security
Intelligent Security with RADIUS provides consistent information and identification for
all subscribers, equipment, applications, and data based on context and subscriber
activity. To correlate user equipment (UE) information with more types of 4G/5G traffic,
the firewall can now inspect RADIUS traffic for enforcement of subscriber-level and
equipment-level security policy. Intelligent Security with RADIUS allows enterprises to
expand their zero-trust architecture to subscribers and equipment on 5G networks.

User Equipment (UE) to IP Address Correlation with PFCP for 5G Migration
Control and user plane separation (CUPS) architecture is a common configuration for
networks undergoing transition from 4G/LTE to 5G; however, traffic inspection for both
planes must be performed by the same firewall. User Equipment (UE) to IP Address
Correlation with PFCP allows the firewall to extract user information and correlate it
with the equipment ID or subscriber ID. It enables you to create granular security
policies based on subscriber or equipment ID, as well as enhanced visibility through
logging and reporting for applications and threats based on subscriber or equipment ID.

PAN-OS SD-WAN Features


PAN-OS SD-WAN features in PAN-OS 11.0.

New SD-WAN Feature Description

SD-WAN IPv6 Basic Connectivity
(PAN-OS 11.0.2 and later 11.0 releases)
The legacy routing engine now supports SD-WAN in a dual stack using IPv6 BGP loopback
addresses for BGP peering; thus, you can establish IPv6 connectivity from the branch to
the hub over an IPv4 SD-WAN tunnel. (IPv6 connectivity over DIA isn't supported.)

SD-WAN Plugin Support for Advanced Routing Engine
We have enhanced the SD-WAN plugin 3.1.0 to support logical routers for branches and hubs
that use advanced routing engines. With SD-WAN plugin 3.1.0 configured with an advanced
routing option, all SD-WAN related objects are automatically generated in logical routers
rather than virtual routers. SD-WAN plugin 3.1.0 running PAN-OS 11.0 offers an advanced
routing engine that relies on industry-standard configuration methodology, which
facilitates administrator tasks. It allows the creation of profiles that are used for
different functions (such as filtering, redistribution, and metric changes), all of which
can be used across logical routers. These profiles provide finer granularity to filter
routes for each dynamic routing protocol and improve route redistribution across multiple
protocols.

Virtualization Features
New Virtualization Feature Description

Hyperscale Security Fabric (HSF) 1.0 on CN-Series
With CN-Series Hyperscale Security Fabric (HSF) 1.0, you can now create a cluster of
containerized next-gen firewalls that deliver a highly scalable and resilient next-gen
firewall solution, eliminating the dependency on external load balancers for Mobile
Service Providers deploying 5G networks.

Advanced Routing Engine Support on CN-Series
The Advanced Routing Engine is now supported on the CN-Series.

Key Management Service (KMS) Support for VM-Series
This release enables cloud native key managers, Azure Key Vault and AWS Secrets Manager,
to store certificates for VM-Series firewalls.

Advanced WildFire Features


New WildFire Feature Description

Intelligent Run-time Memory Analysis
Palo Alto Networks Advanced WildFire is a new cloud-based subscription service that
detects and prevents modern evasive malware from entering your network by leveraging a new
advanced analysis engine. Advanced WildFire is built on an extensible cloud architecture
that operates in the WildFire global cloud to stealthily observe malware and apply the
latest deep learning-derived analysis techniques, such as intelligent run-time memory
analysis, dependency emulation, malware family fingerprinting, malware configuration file
analysis, and more, to uncover and determine the true nature of a sample as it passes
through your network. Observed malware threats generate WildFire signatures to identify
and protect against future infections.

Hold Mode for WildFire Real Time Signature Lookup
(Available in PAN-OS 11.0.2 and later)
You can now configure the firewall to hold packets for unknown files when performing
WildFire real time signature lookups to prevent the first transfer of known malware.

GlobalProtect Features
The following table describes new GlobalProtect features introduced in PAN-OS 11.0. For
features related to the GlobalProtect app, see the GlobalProtect App 6.1 Release Notes.

New GlobalProtect Feature Description

End-user Notification about GlobalProtect Session Logout
You can now enable and customize end-user notifications about expiry of GlobalProtect app
sessions on the gateway. These notifications inform the end users in advance when their
app sessions are about to expire due to inactivity or expiry of the login lifetime and let
them know how much time is left before the app gets disconnected, preventing unexpected
and abrupt app logout.

Hardware Features
New Hardware Feature Description

PA-415 and PA-445 Firewalls
The PA-415 and PA-445 firewalls offer an improved price to performance ratio with features
such as Power Over Ethernet (PoE) capability, fiber ports, higher scalability, and
enhanced boot times.

PA-1400 Series Firewalls
The PA-1410 and PA-1420 are intended for distributed enterprises, branches, and small to
mid-sized businesses. These models feature Power Over Ethernet (PoE) capability, power
redundancy, and Multi-Gig ports.

PA-5440 Firewall
The PA-5440 is the highest scale fixed form-factor firewall that Palo Alto Networks
currently offers. The PA-5440 can process more sessions and features higher threat
capabilities.

Enterprise Data Loss Prevention Features


New Enterprise DLP Feature Description

File Type Include or Exclude List for Data Filtering Profiles
Requires PAN-OS 11.0.2 and DLP plugin 4.0.1
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or
exclude list for data filtering profiles configured for file-based inspection. This allows
you to select one of two modes:
• Inclusion Mode—Allow only specified file types to be scanned by Enterprise DLP.
• Exclusion Mode—Allow all supported files to be scanned by Enterprise DLP by default,
excluding the file types you specify.
Exclusion Mode includes True File Type Support and does not rely on file extensions to
determine file types.

Enterprise DLP Plugin Upgrade
Requires DLP plugin 4.0.0
Upgrade to Enterprise DLP Plugin 4.0 is required to upgrade to PAN-OS 11.0. The minimum
supported PAN-OS version is PAN-OS 11.0. You must download the Enterprise DLP Plugin 4.0
before you install PAN-OS 11.0 to upgrade successfully.

Changes to Default Behavior
Review the changes to default behavior for PAN-OS 11.0.
• Changes to Default Behavior in PAN-OS 11.0

Changes to Default Behavior in PAN-OS 11.0


The following table details the changes in default behavior upon upgrade to PAN-OS® 11.0.
You may also want to review the Upgrade/Downgrade Considerations before upgrading to this
release.

Feature Change

Minimum System Memory Requirement for the Panorama Virtual Appliance
Palo Alto Networks has increased the recommended Panorama virtual appliance memory
requirement to a minimum of 64GB, up from 32GB. This impacts Panorama virtual appliances
in Panorama and Log Collector mode to avoid any logging, management, and operational
performance issues related to an under-provisioned Panorama virtual appliance.
For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying
the virtual machine with a minimum of 64GB. For existing Panorama virtual appliance
deployments, see Increase the CPUs and Memory of the Panorama Virtual Appliance to
increase the memory for an existing Panorama virtual appliance after successful upgrade to
PAN-OS 11.0.

Custom Syslog Format
The maximum characters supported for a custom syslog format (Device > Server Profiles >
Syslog and Panorama > Server Profiles > Syslog) is increased to 4,096 characters.

Panorama Memory Management
Rather than automatically restarting the Panorama management server, a critical system log
(Monitor > Logs > System) is now generated to alert that a Panorama reboot (Panorama >
Setup > Operations) is required when the configd process responsible for configuration
management and Panorama operations encounters memory issues.

Test SCP Server Connection
To test the SCP server connection when you schedule a configuration export (Panorama >
Schedule Config Export) or log export (Device > Scheduled Log Export), a new pop-up window
is displayed requiring you to enter the SCP server clear text Password and Confirm
Password to test the SCP server connection and enable the secure transfer of data.
You must also enter the clear text SCP server Password and Confirm Password when you test
the SCP server connection from the firewall or Panorama CLI.

admin>test scp-server-connection
initiate <ip> username <username>
password <clear-text-password>

Limitations
Review limitations around Palo Alto Networks PAN-OS® 11.0 software.
• Limitations in PAN-OS 11.0

Limitations in PAN-OS 11.0


The following are limitations associated with PAN-OS 11.0.

Issue ID Description

—
The following limitations apply for on-premises Explicit Proxy:
• On-premises Explicit Proxy does not support multi-tenancy.
• On-premises Explicit Proxy supports authentication using SAML and Kerberos.
• On-premises Explicit Proxy requires decryption (TLS 1.3 is recommended).
• On-premises Explicit Proxy requires port 8080.
• On-premises Explicit Proxy requires PAC files to direct traffic to the on-premises
Explicit Proxy.
• On-premises Explicit Proxy supports customer-based hosting for their individual PAC
files.
• On-premises Explicit Proxy supports inbound proxy chaining with XFF and XAU HTTP
headers.
• On-premises Explicit Proxy supports HTTP/2 for Kerberos only; HTTP/2 for SAML is not
supported in this release.

—
In Advanced Routing mode, BGP peer groups and peers allow IPv6 NLRI to be transported over
an IPv6 MP-BGP peer and allow IPv6 NLRI to be transported over an IPv4 MP-BGP peer. If you
want to use IPv4 multicast, you are limited to only IPv4 with that peer. The firewall does
not support SAFI IPv6 multicast at all.

PLUG-10942 For CN-Series deployments using the Advanced
Routing Engine with the Kubernetes 3.0.0 plugin, you
must configure Advanced Routing manually on the
template stack:
1. Set the flag PAN_ADVANCED_ROUTING:"true" in
the pan-cn-mgmt-configmap-0.yaml file.
2. Manually enable Advanced Routing on the Panorama
template, then commit and push the configuration.

PAN-215869 PAN-OS logs (Monitor > Logs) experience a significant
delay before they are displayed if NetFlow (Device >
Server Profiles > NetFlow) is enabled on an interface
(Network > Interface). This may result in log loss if
the volume of delayed logs exceeds the logging buffer
available on the firewall.
The following firewalls are impacted:
• PA-400 Series Firewalls
• PA-800 Series Firewalls
• PA-1400 Series Firewalls
• PA-3200 Series Firewalls
• PA-3400 Series Firewalls

PAN-205932 DHCPv6 Client with Prefix Delegation is currently
incompatible with GlobalProtect. You cannot configure
GP gateways with dynamic IPv6 addresses.

PAN-205166 (PA-440, PA-450, and PA-460 firewalls only) The
CLI does not display system information about the
power supply when entering the show system
environmentals command. As a result, the CLI
cannot be used to view the current status of the power
adapter.
Workaround: To manually interpret the status of the
firewall's power adapter, verify that your power cable
connections are secure and that the LED on the power
adapter is on. If the LED is not illuminated even though
the power cable connections are secure, your power
adapter has failed.

PAN-197412 In IPSec transport mode, the traffic does not flow if
you configure BGP routes in a tunnel interface. While
using IPSec transport mode for BGP routes, configure
the BGP routes on a physical interface (for example,
ethernet 1/1) and not the tunnel interface.
While IPSec tunnel mode for BGP routes works with
the tunnel interface, IPSec transport mode for BGP
routes works with the physical interface only.

PAN-196530 On the PA-5440 firewall, the valid range to configure
the maximum number of site-to-site VPN tunnels is
from 0 to 10,000.

admin@PA-5440# set import resource max-site-to-site-vpn-tunnels <0-10000>


PAN-192679 (PA-415 and PA-445 firewalls) The hardware can detect
the presence of a power adapter but does not detect
voltage or functionality. As a result, the firewall’s Alarm
feature is unavailable to the power supply and is only
raised when the device reaches temperature limits.
Furthermore, the firewall does not display power supply
details in system logs or the CLI.



Associated Content and Software Versions
Review information about the associated content and software versions for Palo Alto Networks
PAN-OS® 11.0 software.
• Associated Content and Software Versions for PAN-OS 11.0
• WildFire Analysis Environment Support for PAN-OS 11.0


Associated Content and Software Versions for PAN-OS 11.0
The following minimum software and content release versions are compatible with PAN-OS 11.0.
To see a list of the next-generation firewall models that support PAN-OS 11.0, see the Palo Alto
Networks® Compatibility Matrix.

| Palo Alto Networks Software or Content Release Version | Minimum Compatible Version with PAN-OS 11.0 |
| --- | --- |
| Panorama | 11.0 |
| User-ID Agent | 11.0 |
| Terminal Services (TS) Agent | 11.0 |
| GlobalProtect App | 6.0 |
| Applications and Threats Content Release Version | 8635 |
| PAN-OS SD-WAN Plugin | If you have installed the PAN-OS SD-WAN plugin, PAN-OS 11.0.1 requires the 3.1.1 plugin. |


WildFire Analysis Environment Support for PAN-OS 11.0
The following WildFire guest VM images (analysis environments) are supported in the
PAN-OS 11.0 release of WildFire. To upgrade the WildFire appliance, refer to: Upgrade a
WildFire Appliance.

| WildFire Analysis Environment | WildFire VM ID | WildFire Appliance Guest VM Filename | Minimum Compatible PAN-OS Version |
| --- | --- | --- | --- |
| Windows XP (Adobe Reader 11, Flash 11, Office 2010) | vm-3 | WFWinXpAddon3_m-1.0.1.xpaddon3 | 10.2.2 and later |
| Windows 7 x64 SP1 (Adobe Reader 11, Flash 11, Office 2010) | vm-5 | WFWin7_64Addon1_m-1.0.1.7_64addon1 | 10.2.2 and later |
| Windows XP (Internet Explorer 8, Flash 11, Elink analysis support) | vm-6** | WFWinXpGf_m-1.0.1.xpgf | 10.2.2 and later |
| Windows 10 x64 (Adobe Reader 11, Flash 11, Office 2010) | vm-7 | WFWin10Base_m-1.0.1.10base | 10.2.2 and later |

• * This WildFire guest VM image comes preinstalled and is not available on the Palo Alto
Networks Support Portal for download.
• ** This WildFire analysis environment is not selectable through the WildFire appliance
CLI.



PAN-OS 11.0.2 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 11.0.2.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 11.0.2 Known Issues
• PAN-OS 11.0.2-h1 Addressed Issues
• PAN-OS 11.0.2 Addressed Issues


PAN-OS 11.0.2 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 11.0.2. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-222586 On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls,
the Filter dropdown menus, Forward Methods, and Built-In
Actions for Correlation Log settings (Device > Log Settings)
are not displayed and cannot be configured.

PAN-221126 Email server profiles (Device > Server Profiles > Email and
Panorama > Server Profiles > Email) to forward logs as email
notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as
email notifications in a readable format.

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.

PAN-220176 (PAN-OS 11.0.1-h2 hotfix) System process crashes might
occur with VoIP traffic when NAT is enabled with Persistent
Dynamic IP and Port settings.

PAN-216314 Upon upgrade or downgrade to or from PAN-OS 10.1.9
or 10.1.9-h1, offloaded application traffic sessions may
disconnect after a period of time even if a session is active.
The disconnect occurs after the application's default session
timeout value is exceeded. This behavior affects only PAN-
OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and
10.1.9-h1, please use the following workaround. If you have
already upgraded or downgraded to another PAN-OS version,
use the following workaround in that version.
Workaround: Run the CLI command debug
dataplane internal pdt fe100 csr
wr_sem_ctrl_ctr_scan_dis value 0 to set the value
to zero (0).

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-212978 The Palo Alto Networks firewall stops responding when
executing an SD-WAN debug operational CLI command.

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-207770 Data filtering logs (Monitor > Logs > Data Filtering)
incorrectly display the traffic Direction as server-to-
client instead of client-to-server for upload traffic
that matches Enterprise data loss prevention (DLP) data
patterns (Objects > DLP > Data Filtering Patterns) in an
Enterprise DLP data filtering profile (Objects > DLP > Data
Filtering Profiles).

PAN-207733 When a DHCPv6 client is configured on HA Active/Passive
firewalls, if the DHCPv6 server goes down, after the lease
time expires, the DHCPv6 client should enter SOLICIT state
on both the Active and Passive firewalls. Instead, the client is
stuck in BOUND state with an IPv6 address having lease time
0 on the Passive firewall.

PAN-207616 On the Panorama management server, after selecting
managed firewalls and creating a new Tag (Panorama >
Managed Devices > Summary) the managed firewalls are
automatically unselected and any new tag created is applied
to the managed firewalls for which you initially created the
new tag.
Workaround: Select and then unselect the managed firewalls
for which you created a new tag.

PAN-207611 When a DHCPv6 client is configured on HA Active/Passive
firewalls, the Passive firewall sometimes crashes.

PAN-207442 For M-700 appliances in an active/passive high availability
(Panorama > High Availability) configuration, the active-
primary HA peer configuration sync to the secondary-
passive HA peer may fail. When the config sync fails, the
job Results is Successful (Tasks), however the sync status
on the Dashboard displays as Out of Sync for both HA
peers.
Workaround: Perform a local commit on the active-
primary HA peer and then synchronize the HA
configuration.
1. Log in to the Panorama web interface of the active-
primary HA peer.
2. Select Commit and Commit to Panorama.
3. In the active-primary HA peer Dashboard, click Sync
to Peer in the High Availability widget.

PAN-207040 If you disable Advanced Routing, remove logical routers,
and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or
10.1.x release, subsequent commits fail and SD-WAN devices
on Panorama have no Virtual Router name.

PAN-206913 When a DHCPv6 client is configured on HA Active/Passive
firewalls, releasing the IPv6 address from the client (using
Release in the UI or using the request dhcp client
ipv6 release all CLI command) releases the IPv6
address from the Active firewall, but not the Passive firewall.

PAN-206909 The Dedicated Log Collector is unable to reconnect to the
Panorama management server if the configd process
crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector
connection Status (Panorama > Managed Collector)
displaying connected and the managed collector Health
status displaying as healthy.
This results in the local Panorama config and system logs not
being forwarded to the Dedicated Log Collector. Firewall log
forwarding to the disconnected Dedicated Log Collector is
not impacted.
Workaround: Restart the mgmtsrvr process on the
Dedicated Log Collector.
1. Log in to the Dedicated Log Collector CLI.
2. Confirm the Dedicated Log Collector is disconnected from
Panorama.

admin> show panorama-status

Verify the Connected status is no.


3. Restart the mgmtsrvr process.

admin> debug software restart process management-server

PAN-206416 On the Panorama management server, no data filtering log
(Monitor > Logs > Data Filtering) is generated when the
managed firewall loses connectivity to the following cloud
services, and as a result fails to forward matched traffic for
inspection.
• DLP cloud service
• Advanced Threat Protection inline cloud analysis service
• Advanced URL Filtering cloud service

PAN-206315 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show session info CLI command
shows that the passive firewall has packet rate and
throughput values. The packet rate and throughput of the
passive firewall should be zero since it is not processing
traffic.

PAN-205009 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show interface all, show high-availability
interface ha2, and show high-availability all CLI commands display
the HSCI port state as unknown on both the active and passive firewalls.


PAN-204689 Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-201910 PAN-OS security profiles might consume a large amount of
memory depending on the profile configuration and quantity.
In some cases, this might reduce the number of supported
security profiles below the stated maximum for a given
platform.

PAN-197588 The PAN-OS ACC (Application Command Center) does not
display a widget detailing statistics and data associated with
vulnerability exploits that have been detected using inline
cloud analysis.

PAN-197419 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, the power over Ethernet (PoE) ports do not display
a Tag value.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.

PAN-195968 (PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port,
the CLI prints an error depending on whether an interface
type was selected on the non-PoE port or not. If an interface
type, such as tap, Layer 2, or virtual wire, was selected before
PoE was configured, the error message will not include the
interface name (e.g., ethernet1/4). If an interface type was not
selected before PoE was configured, the error message will
include the interface name.

PAN-195342 On the Panorama management server, Context Switch fails
when you try to Context Switch from a managed firewall
running PAN-OS 10.1.7 or earlier release back to Panorama
and the following error is displayed:
Could not find start token '@start@'

PAN-194978 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, hovering the mouse over a power over Ethernet
(PoE) Link State icon does not display link speed and link
duplex details.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-192282 (PA-415 and PA-445 firewalls only) In 1G mode, the MGT and
Ethernet 1/1 port LEDs glow amber instead of green.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.


PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).


PAN-OS 11.0.2-h1 Addressed Issues


Issue ID Description

PAN-225184 Fixed an issue where disk space utilization was higher than expected
due to excessive logging for a KNI: Out of memory event under a
specific traffic load condition.

PAN-222712 (PA-5450 firewalls only) Fixed a low frequency DPC restart issue.

PAN-221984 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where an interface went down after a hotplug event and was
only recoverable by restarting the firewall.

PAN-220921 Fixed an issue where return tunnel traffic was dropped with the
counter flow_tunnel_encap_err when Enforce Symmetric
Return was enabled in a Policy Based Forwarding rule.

PAN-195439 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the dataplane interface status went down after a hotplug
event triggered by Azure infrastructure.

PAN-193004 Fixed an issue where /opt/pancfg partition utilization reached
100%, which caused access to the Panorama web interface to fail.


PAN-OS 11.0.2 Addressed Issues


Issue ID Description

PAN-221708 Fixed an issue where temporary files remained under
/opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV
file to the firewall.

PAN-221519 (VM-Series firewalls only) Fixed an issue where the all_task process
stopped responding due to DPDK driver compatibility issues.

PAN-219686 Fixed an issue where a device group push operation from Panorama
failed with the following error on managed firewalls.
vsys -> vsys1 -> plugins unexpected here
vsys is invalid
Commit failed

PAN-218644 Fixed an issue where the firewall generated incorrect VSA attribute
codes when RADIUS was configured with EAP-based authentication
protocols.

PAN-218335 Fixed an issue with hardware destination MAC filtering on the Log
Processing Card (LPC) that caused the logging card interface to be
susceptible to unicast flooding.

PAN-218264 (PA-3400 and PA-1400 Series firewalls only) Fixed an issue where
packet drops occurred due to slow servicing of internal hardware
queries.

PAN-217681 Fixed an issue caused by out of order TCP segments where the
FIN flag and TCP data were truncated in a packet, which resulted in
retransmission failure.

PAN-217581 Fixed an issue where the firewall did not initiate scheduled log uploads
to the FTP server.

PAN-217493 Fixed an issue where superusers with read-only privileges were unable
to view SCEP object configurations.

PAN-217484 Fixed an issue where the rasmgr process used 100% CPU due
to a maximum duration timer not being set, which caused the
GlobalProtect gateway to be unavailable.


PAN-217477 Fixed an issue where the drop counter was incremented incorrectly.
Drop counter calculations did not account for failures to send out logs
from logrcvr/logd to syslog-ng.

PAN-217284 Fixed an intermittent issue where LACP flap occurred when the LACP
transmission rate was set to Fast.

PAN-216996 Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9,
multiple User-ID alerts were generated every 10 minutes.

PAN-216821 Fixed an issue where the reportd process stopped responding after
upgrading an M-200 appliance to PAN-OS 11.0.1.

PAN-216710 Fixed an issue with firewalls in active/active HA configurations where
GlobalProtect disconnected when the original suspected Active-
Primary firewall became Active-Secondary.

PAN-216590 Fixed an issue where User-ID logs in Panorama displayed incorrect
results for the filter not (ugflags has user-group-found).

PAN-216360 Fixed an issue on Panorama where No Default Selections under Push
to Devices was intermittently deselected after performing a commit
operation.

PAN-216036 Fixed an issue where the all_pktproc process stopped responding,
which caused the firewall to enter a nonfunctional state.

PAN-215911 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-215899 Fixed an issue with Panorama appliances in high availability (HA)
configurations where configuration synchronization between the HA
peers failed.

PAN-215857 Fixed an issue where the option to reboot the entire firewall was
visible to vsys admins.

PAN-215808 Fixed an issue where after upgrading to PAN-OS 10.1, the log-
forwarding rate towards the Syslog server was reduced. The overall
log-forwarding rate has also been improved.

PAN-215780 Fixed an issue where changes to Zone Protection profiles made via
XML API were not reflected in the Zone Protection configuration.

PAN-215778 Fixed an issue where API Get requests for /config timed out due to
insufficient buffer size.


PAN-215503 Fixed a memory related issue where the MEMORY_POOL address was
mapped incorrectly.

PAN-215496 Fixed an issue where 100G ports did not come up with BIDI QSFP
modules.

PAN-215324 (PA-5400 Series firewalls with Jumbo Frames enabled only) Fixed an
issue with CPU throttling and buffer depletion.

PAN-215315 Fixed an issue where the dataplane stopped responding due to ager
and inline packet processing occurring concurrently on different cores
for the same session.

PAN-215125 Fixed an issue where false negatives occurred for some script samples.

PAN-214925 Fixed an issue where temporary files remained in their temporary
locations even after manually uploading the files to the firewall.

PAN-214889 Fixed an issue where commits took longer than expected due to
application dependency checks.

PAN-214847 Fixed an issue where, when certificate authentication for admin user
authentication was enabled, vulnerability scans that used usernames or
passwords against the management interface reported a vulnerability
due to a missing HSTS header in the Access Denied response page.

PAN-214634 Fixed an issue where an elink parser did not work.

PAN-214337 Fixed an issue on the firewall related to the gp_broker configuration
transform that led to longer commit times.

PAN-214187 Fixed an issue where superreaders were able to execute the request
restart system CLI command.

PAN-214100 Fixed an issue where selecting a threat name under Threat Monitor
displayed the threat ID instead of the threat name.

PAN-214037 (PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only) Fixed an
issue where firewalls in active/active HA configurations experienced
packet drop when running asymmetric traffic.

PAN-214026 Fixed an issue where, when using an ECMP weighted-round-robin
algorithm, traffic was not redistributed among the links
proportionally as expected from the configuration.


PAN-213942 (PA-400 Series firewalls) Fixed an issue where the firewall required an
explicit allow rule to forward broadcast traffic.

PAN-213932 Fixed an issue where, when an incorrect log filter was configured, the
commit did not fail.

PAN-213746 Fixed an issue on Panorama where the Hostkey displayed as
**undefined** if an SSH Service Profile Hostkey configured in a
Template from the Template Stack was overridden.

PAN-212848 Fixed an issue where attempting to change the disk-usage cleanup
threshold to 90 resulted in the error message Server error : op
command for client dagger timed out as client is
not available.

PAN-212726 Fixed an issue where RTP/RTCP packets were dropped for SIP calls
by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port.

PAN-212530 Fixed an issue on log collectors where root partition reached 100%
utilization.

PAN-212409 Fixed an issue where there were duplicate IPSec Security Associations
(SAs) for the same tunnel, gateway, or proxy ID.

PAN-211997 Fixed an issue where large OSPF control packets were fragmented,
which caused the neighborship to fail.

PAN-211887 Fixed an issue on Panorama that caused recently committed changes
to not be displayed when previewing the changes to push to device
groups.

PAN-211843 Fixed an issue where renaming a Zone Protection profile failed with
the error message Obj does not exist.

PAN-211602 Fixed an issue where, when viewing a WildFire Analysis Report via the
web interface, the detailed log view was not accessible if the browser
window was resized.

PAN-211519 Fixed an issue where RTP/RTCP packets were dropped for SIP calls
by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port.

PAN-211422 Fixed an issue where the show session packet-buffer-protection
buffer-latency CLI command randomly displayed
incorrect values.


PAN-211242 Fixed an issue where missed heartbeats caused the Data Processing
Card (DPC) and its corresponding Network Processing Card (NPC) to
restart due to internal packet path monitoring failure.

PAN-211041 (Panorama virtual appliances only) Fixed an issue where DHCP
assigned interfaces did not send ICMP unreachable -
Fragmentation needed messages when the received packets were
higher than the maximum transmission unit (MTU).

PAN-210921 (Panorama appliances in Legacy Mode only) Fixed an issue where
Blocked Browsing Summary by Website in the user activity report
contained scrambled characters.

PAN-210919 Fixed an issue where the Data Processing Card remained in a
Starting state after a restart.

PAN-210875 Fixed an issue where the pan_task process stopped responding due to
software packet buffer 3 trailer corruption, which caused the firewall
to restart.

PAN-210736 Fixed an issue where configuration changes related to the SSH service
profile were not reflected when pushed from Panorama. With this
fix, the deletion of ciphers, MAC, and kex fields of SSH server profiles
and HA profiles won't clear the values under template stacks and will
retain the values configured from templates.

PAN-210661 Fixed an issue where firewalls disconnected from Cortex Data Lake
after renewing the device certificate.

PAN-210563 Fixed an issue on Panorama where Security policy rules with a Tag
target did not appear in the pre-rule list of a dynamic address group
that was part of the tag.

PAN-209898 Fixed an issue where the logrcvr process stopped due to memory
corruption.

PAN-209696 Fixed an issue where link-local address communication for IPv6, BFD,
and OSPFv3 neighbors was dropped when IP address spoofing check
was enabled in a Zone Protection profile.

PAN-209683 Fixed an issue where Panorama was unable to retrieve IP
address-to-username mapping from a firewall on a PAN-OS 8.1 release.

PAN-209660 Fixed an issue where a selective push from Panorama to multiple
firewalls failed due to a missing configuration file, which caused a
communication error.


PAN-209617 Fixed an issue with firewalls in active/passive HA configurations where
the passive firewall created an incorrect SCTP association due to the
HA sync messages from the active firewall having an incorrect value.

PAN-209275 Fixed an issue where Override cookie authentication into the
GlobalProtect gateway failed when an allow list was configured under
the authentication profile.

PAN-209021 Fixed an issue where packets were fragmented when SD-WAN VPN
tunnel was configured on aggregate ethernet interfaces and sub-
interfaces.

PAN-208877 Fixed an issue where the all_task process stopped responding when
freeing the HTTP2 stream, which caused the dataplane to go down.

PAN-208737 Fixed an issue where domain information wasn't populated in IP
address-to-username matching after a successful GlobalProtect
authentication using an authentication override cookie.

PAN-208325 (PA-5400 Series, PA-3400 Series, and PA-400 Series only) Fixed an
issue where the firewall was unable to automatically renew the device
certificate.

PAN-208201 Fixed an issue on the firewall where the modified date and time was
incorrectly updated after a commit operation, PAN-OS upgrade, or
reboot.

PAN-207842 Fixed an issue where WildFire Analysis Reports were not visible when
the WF-500 appliance was on private cloud.

PAN-207741 Fixed an issue where Large Scale VPN (LSVPN) Portal authentication
failed with the error invalid http response. return
error(Authentication failed; Retry authentication
when the satellite connected to more than one portal.

PAN-207700 Fixed an issue where the show system info and show system
ztp status CLI commands displayed a different Zero Touch
Provisioning (ZTP) status if a firewall upgrade was initiated from
Panorama before the initial commit push succeeded.

PAN-207562 Fixed an issue where the shard count displayed by the show
log-collector-es-cluster health CLI command was higher than
the recommended limit. The recommended limit can be calculated with
the formula 20 * heap-memory * no-of-data-nodes.

PAN-206396 Fixed an issue where HIP report flip and HIP checks failed when a user
was part of multiple user groups with different domains.

PAN-206333 Fixed an issue where the Include/Exclude IP filter under Data
Distribution did not work correctly.

PAN-206253 (PA-1400 Series and PA-3400 Series firewalls only) Fixed an issue
where the default log rate was too low and the maximum configurable
log rate was incorrectly capped, which caused the firewall to not
generate logs at more than 6826 logs per second.

PAN-205955 Fixed an issue where RAID rebuilds occurred even with healthy disks
and a clean shutdown.

PAN-205513 Fixed an issue where the stats dump file generated by Panorama for
a device firewall differed from the stats dump file generated by the
managed device.

PAN-205086 Fixed an issue where DNS Security categories were able to be deleted
from Spyware profiles.

PAN-204838 Fixed an issue where the dot1q VLAN tag was missing in ARP reply
packets.

PAN-204718 (PA-5200 Series firewalls only) Fixed an issue where, after upgrading
to PAN-OS 10.1.6-h3, a TACACS user login displayed the following
error message during the first login attempt: Could not chdir to
home directory /opt/pancfg/home/user: Permission
denied.

PAN-204238 Fixed an issue where, when View Rulebase as Groups was enabled,
the Tags field did not display a scroll down arrow for navigation.

PAN-204068 Fixed an issue where a newly created vsys (virtual system) in a
template was not able to be pushed from Panorama to the firewall.

PAN-203330 Fixed an issue where the certificate for an External Dynamic List (EDL)
incorrectly changed from invalid to valid, which caused the EDL file to
be removed.

PAN-202963 Fixed an issue where the system log message dsc HA state is
changed from 1 to 0 was generated with the severity High. With
this fix, the severity was changed to Info.

PAN-202795 Fixed an issue where file identification failed with a large HTTP
header.

PAN-201721 Fixed an issue with firewalls in HA configurations where HA setup
generated the error mismatch due to device update during a
content update even though the version was the same.

PAN-200019 Fixed an issue on Panorama where Virtual Routers (Network > Virtual
Routers) was not available when configuring a custom Panorama
admin role (Panorama > Admin Roles).

PAN-199557 Fixed an issue on Panorama where virtual memory usage exceeded the
set limit, which caused the configd process to restart.

PAN-197339 Fixed an issue where template configuration for the User-ID agent was
not reflected on the template stack on Panorama appliances on
PAN-OS 10.2.1.

PAN-197121 Fixed an issue where incorrect user details were displayed under the
USER DETAIL drop-down (ACC > Network activity > User activity).

PAN-196309 (PA-5450 firewalls only) Fixed an issue where a firewall configured
with a Policy-Based Forwarding policy flapped when a commit was
performed, even when the next hop was reachable.

PAN-195788 Fixed an issue where zip files did not download when applying Security
inspection and the following error message displayed:
resources-unavailable.

PAN-195695 Fixed an issue where the AppScope Summary report and PDF report
export function did not work as expected.

PAN-192456 Fixed an issue where GlobalProtect SSL VPN processing during a high
traffic load caused the dataplane to stop responding.

PAN-189666 Fixed an issue where GlobalProtect portal connections failed after
random commits when multiple agent configurations were provisioned
and configuration selection criteria using certificate profile was used.

PAN-187763 Fixed an issue where DNS Security logs did not display a threat
category, threat name, or threat ID when domain names contained 64
or more characters.

PAN-187279 Fixed an issue where not all quarantined devices were displayed as
expected.

PAN-184630 Fixed an issue where TLS clients, such as those using OpenSSL 3.0,
enforced the TLS renegotiation extension (RFC 5746).

PAN-OS 11.0.1 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 11.0.1.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 11.0.1 Known Issues
• PAN-OS 11.0.1-h2 Addressed Issues
• PAN-OS 11.0.1 Addressed Issues

PAN-OS 11.0.1 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 11.0.1. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-222586 On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls,
the Filter dropdown menus, Forward Methods, and Built-In
Actions for Correlation Log settings (Device > Log Settings)
are not displayed and cannot be configured.

PAN-221126 Email server profiles (Device > Server Profiles > Email and
Panorama > Server Profiles > Email) to forward logs as email
notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as
email notifications in a readable format.

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.

PAN-220176 (PAN-OS 11.0.1-h2 hotfix) System process crashes might
occur with VoIP traffic when NAT is enabled with Persistent
Dynamic IP and Port settings.

PAN-216821 The reportd process crashes after you successfully upgrade
an M-200 appliance to PAN-OS 10.2.4.
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-216314 Upon upgrade or downgrade to or from PAN-OS 10.1.9
or 10.1.9-h1, offloaded application traffic sessions may
disconnect after a period of time even if a session is active.
The disconnect occurs after the application's default session
timeout value is exceeded. This behavior affects only
PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and
10.1.9-h1, please use the following workaround. If you have
already upgraded or downgraded to another PAN-OS version,
use the following workaround in that version.
Workaround: Run the CLI command debug dataplane internal pdt
fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value
to zero (0).

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209937 Certificate-based authentication for administrator accounts
may be unable to log into the Panorama or firewall web
interface with the following error:
Bad Request - Your browser sent a request
that this server could not understand
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-415 and PA-445 Firewalls
• PA-440, PA-450, and PA-460 Firewalls
• PA-1400 Series
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5440 Firewall
• PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin> request certificate fetch

This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-208189 Traffic fails to match and reach all destinations if a Security
policy rule includes FQDN objects that resolve to two or
more IP addresses.
This issue is now resolved. See PAN-OS 11.0.1-h2 Addressed Issues.

PAN-207770 Data filtering logs (Monitor > Logs > Data Filtering)
incorrectly display the traffic Direction as server-to-client
instead of client-to-server for upload traffic
that matches Enterprise data loss prevention (DLP) data
patterns (Objects > DLP > Data Filtering Patterns) in an
Enterprise DLP data filtering profile (Objects > DLP > Data
Filtering Profiles).

PAN-207733 When a DHCPv6 client is configured on HA Active/Passive
firewalls, if the DHCPv6 server goes down, after the lease
time expires, the DHCPv6 client should enter SOLICIT state
on both the Active and Passive firewalls. Instead, the client is
stuck in BOUND state with an IPv6 address having lease time
0 on the Passive firewall.

PAN-207616 On the Panorama management server, after selecting
managed firewalls and creating a new Tag (Panorama >
Managed Devices > Summary) the managed firewalls are
automatically unselected and any new tag created is applied
to the managed firewalls for which you initially created the
new tag.
Workaround: Select and then unselect the managed firewalls
for which you created a new tag.

PAN-207611 When a DHCPv6 client is configured on HA Active/Passive
firewalls, the Passive firewall sometimes crashes.

PAN-207442 For M-700 appliances in an active/passive high availability
(Panorama > High Availability) configuration, the
active-primary HA peer configuration sync to the
secondary-passive HA peer may fail. When the config sync fails, the
job Results is Successful (Tasks), however the sync status
on the Dashboard displays as Out of Sync for both HA
peers.
Workaround: Perform a local commit on the active-primary
HA peer and then synchronize the HA configuration.
1. Log in to the Panorama web interface of the active-primary
HA peer.
2. Select Commit and Commit to Panorama.
3. In the active-primary HA peer Dashboard, click Sync
to Peer in the High Availability widget.

PAN-207040 If you disable Advanced Routing, remove logical routers,
and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or
10.1.x release, subsequent commits fail and SD-WAN devices
on Panorama have no Virtual Router name.

PAN-206913 When a DHCPv6 client is configured on HA Active/Passive
firewalls, releasing the IPv6 address from the client (using
Release in the UI or using the request dhcp client
ipv6 release all CLI command) releases the IPv6
address from the Active firewall, but not the Passive firewall.

PAN-206909 The Dedicated Log Collector is unable to reconnect to the
Panorama management server if the configd process
crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector
connection Status (Panorama > Managed Collector)
displaying connected and the managed collector Health
status displaying as healthy.
This results in the local Panorama config and system logs not
being forwarded to the Dedicated Log Collector. Firewall log
forwarding to the disconnected Dedicated Log Collector is
not impacted.
Workaround: Restart the mgmtsrvr process on the
Dedicated Log Collector.
1. Log in to the Dedicated Log Collector CLI.
2. Confirm the Dedicated Log Collector is disconnected from
Panorama.

admin> show panorama-status

Verify the Connected status is no.
3. Restart the mgmtsrvr process.

admin> debug software restart process management-server

PAN-206416 On the Panorama management server, no data filtering log
(Monitor > Logs > Data Filtering) is generated when the
managed firewall loses connectivity to the following cloud
services, and as a result fails to forward matched traffic for
inspection.
• DLP cloud service
• Advanced Threat Protection inline cloud analysis service
• Advanced URL Filtering cloud service

PAN-206315 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show session info CLI command
shows that the passive firewall has packet rate and
throughput values. The packet rate and throughput of the
passive firewall should be zero since it is not processing
traffic.

PAN-205009 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show interface all,
show high-availability interface ha2, and
show high-availability all CLI commands display the HSCI port
state as unknown on both the active and passive firewalls.

PAN-204689 Upon upgrade to PAN-OS 11.0.1, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-201910 PAN-OS security profiles might consume a large amount of
memory depending on the profile configuration and quantity.
In some cases, this might reduce the number of supported
security profiles below the stated maximum for a given
platform.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-197588 The PAN-OS ACC (Application Command Center) does not
display a widget detailing statistics and data associated with
vulnerability exploits that have been detected using inline
cloud analysis.

PAN-197419 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, the power over Ethernet (PoE) ports do not display
a Tag value.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.

PAN-195968 (PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port,
the CLI prints an error depending on whether an interface
type was selected on the non-PoE port or not. If an interface
type, such as tap, Layer 2, or virtual wire, was selected before
PoE was configured, the error message will not include the
interface name (e.g., ethernet1/4). If an interface type was not
selected before PoE was configured, the error message will
include the interface name.

PAN-195342 On the Panorama management server, Context Switch fails
when you try to Context Switch from a managed firewall
running PAN-OS 10.1.7 or earlier release back to Panorama
and the following error is displayed:
Could not find start token '@start@'

PAN-194978 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, hovering the mouse over a power over Ethernet
(PoE) Link State icon does not display link speed and link
duplex details.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-192282 (PA-415 and PA-445 firewalls only) In 1G mode, the MGT and
Ethernet 1/1 port LEDs glow amber instead of green.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-OS 11.0.1-h2 Addressed Issues


Issue ID Description

PAN-217431 (PA-5400 Series firewalls with DPC (Data Processing Cards) only)
Fixed an issue with slot 2 DPCs where URL filtering did not work as
expected after upgrading to PAN-OS 10.1.9.

PAN-216710 Fixed an issue with firewalls in active/active high availability (HA)
configurations where GlobalProtect disconnected when the original
suspected Active-Primary firewall became Active-Secondary.

PAN-215899 Fixed an issue with Panorama appliances in HA configurations where
configuration synchronization between the HA peers failed.

PAN-215496 Fixed an issue where 100G ports did not come up with BIDI QSFP
modules.

PAN-215461 Fixed an issue where the packet descriptor leaked over time with GRE
tunnels and keepalives.

PAN-211870 Fixed an issue where path monitoring failure occurred, which caused
high availability failover.

PAN-211519 Fixed an issue where RTP/RTCP packets were dropped for SIP calls
by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port.

PAN-210607 Fixed an issue where enabling Inline Cloud Analysis on Anti-Spyware,
Vulnerability Protection, or URL Filtering Security profiles caused the
dataplane to stop responding.

PAN-208189 Fixed an issue where traffic failed to match and reach all destinations
if a Security policy rule included FQDN objects that resolve to two or
more IP addresses.

PAN-206007 Fixed an issue where a debug command generated an incomplete core
file.

PAN-202450 Fixed an issue where the device-client-cert was set to expire
on December 31, 2023. With this fix, the expiration date has been
extended.

PAN-OS 11.0.1 Addressed Issues


Issue ID Description

PAN-216656 Fixed an issue where the firewall was unable to fully process the user
list from a child group when the child group contained more than
1,500 users.

PAN-215911 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-215488 Fixed an issue where an expired Trusted Root CA was used to sign the
forward proxy leaf certificate during SSL Decryption.

PAN-210561 Fixed an issue where the all_task process repeatedly restarted due to
missed heartbeats.

PAN-210513 Fixed an issue where Captive Portal authentication via SAML did not
work.

PAN-210481 Fixed an issue where botnet reports were not generated on the
firewall.

PAN-210449 Fixed an issue where the value for shared objects used in policy
rules was not displayed on multi-vsys firewalls when pushed from
Panorama.

PAN-210331 Fixed an issue where the firewall did not send device telemetry files to
Cortex Data Lake with the error message send the file to CDL
receiver failed.

PAN-210327 (PA-5200 Series firewalls only) Fixed an issue where, after upgrading to
PAN-OS 10.1.7, an internal loop caused an increase in the packets
received per second.

PAN-210237 Fixed an issue where system logs generated by Panorama for commit
operations showed the severity as High instead of Informational.

PAN-210080 Fixed an issue where the useridd process stopped responding when
add and delete member parameters in an incremental sync query were
empty.

PAN-209799 Fixed an issue where logging was not disabled on passive nodes, which
caused the logrcvr to stop responding.

PAN-209491 Fixed an issue on the web interface where the Session Expire Time
displayed a past date if the device time was in December.

PAN-209069 Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field
were not logged when the IP address contained an associated port
number.

PAN-209036 Fixed an issue where the dataplane restarted, which led to slot failures
occurring and a core file being generated.

PAN-208987 (PA-5400 Series only) Fixed an issue where packets were not
transmitted from the firewall if its fragments were received on
different slots. This occurred when aggregate ethernet (AE) members
in an AE interface were placed on a different slot.

PAN-208922 A fix was made to address an issue where an authenticated
administrator was able to commit a specifically created configuration
to read local files and resources from the system (CVE-2023-38046).

PAN-208930 (PA-7000 Series firewalls only) Fixed an issue where auto-tagging in
log forwarding did not work.

PAN-208902 Fixed an issue where, when a client sent a TCP/FIN packet, the
firewall displayed the end reason as aged-out instead of tcp-fin.

PAN-208724 Fixed an issue where port pause frame settings did not work as
expected and incorrect pause frames occurred.

PAN-208718 Additional debug information was added to capture internal details
during traffic congestion.

PAN-208711 (PA-5200 Series firewalls only) The CLI command debug dataplane
set pow no-desched yes/no was added to address an issue
where the all_pktproc process stopped responding and caused traffic
issues.

PAN-208537 Fixed an issue where the licensed-device-capacity was
reduced when multiple device management license key files were
present.

PAN-208525 Fixed an issue where Security policy rules with user groups did not
match when Kerberos authentication was configured for explicit
proxy.

PAN-208485 Fixed an issue where NAT policies were not visible on the CLI if they
contained more than 32 characters.

PAN-208343 Fixed an issue where telemetry regions were not visible on Panorama.

PAN-208157 Fixed an issue where malformed hints sent from the firewall caused
the logd process to stop responding on Panorama, which caused a
system reboot into maintenance mode.

PAN-207940 Fixed an issue where platforms with RAID disk checks were performed
weekly, which caused logs to incorrectly state that RAID was
rebuilding.

PAN-207740 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-207738 Fixed an issue where the ocsp-next-update-time CLI command
did not execute for leaf certificates with certificate chains that did not
specify OCSP or CRL URLs. As a result, the next update time was 60
minutes even if a different time was set.

PAN-207663 Fixed a Clientless VPN issue where JSON stringify caused issues with
the application rewrite.

PAN-207610 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where Log Admin Activity was not visible on the web interface.

PAN-207601 Fixed an issue where URL cloud connections were unable to resolve
the proxy server hostname.

PAN-207426 Fixed an issue where a selective push did not include the Share
Unused Address and Service Objects with Devices option on
Panorama, which caused the firewall to not receive the objects during
the configuration push.

PAN-207400 Fixed an issue on Octeon based platforms where fragmented VLAN
tagged packets dropped on an aggregate interface.

PAN-207390 Fixed an issue where, even after disabling Telemetry, Telemetry
system logs were still generated.

PAN-207260 A commit option was enabled for Device Group and Template
administrators after a password change.

PAN-207045 (PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX
transceivers used on ports 5 to 8 did not renegotiate with peer ports
after a reload.

PAN-206963 (M-700 Appliances only) A CLI command was added to check the
status of each physical port of a bond1 interface.

PAN-206858 Fixed an issue where a segmentation fault occurred due to the useridd
process being restarted.

PAN-206755 Fixed an issue where, when a scheduled multi-device group push occurred,
the configd process stopped responding, which caused the push to fail.

PAN-206684 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0
release to a PAN-OS 10.1 release, the firewall did not duplicate logs
to local log collectors or to Cortex Data Lake when a device certificate
was already installed.

PAN-206658 Fixed a timeout issue in the Intel ixgbe driver that resulted in internal
path monitoring failure.

PAN-206466 Fixed an issue where the push scope was displaying duplicate shared
objects for each device group that were listed under the shared-object
group.

PAN-206393 (PA-5280 firewalls only) Fixed an issue where memory allocation
errors caused decryption failures that disrupted traffic with SSL
forward proxy enabled.

PAN-206382 Fixed an issue where authentication sequences were not populated
in the drop down when selecting authentication profiles during
administrator creation in a template.

PAN-206251 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the logrcvr process did not send the
system-start SNMP trap during startup.

PAN-206233 Fixed an issue where the pan_comm process stopped responding when
a content update and a cloud application update occurred at the same
time.

PAN-206128 (PA-7000 Series firewalls with NPCs (Network Processing Cards)
only) Improved debugging capability for an issue where the firewall
restarted due to heartbeat failures and then failed with the following
error message: Power not OK.

PAN-206069 Fixed an issue where the firewall was unable to boot up on older Intel
CPUs.

PAN-206017 Fixed an issue where the show dos-protection rule command
displayed a character limit error.

PAN-206005 (PA-1400 Series, PA-3400 Series, and PA-5440 firewalls only) Fixed
an issue where the l7_misc memory pool was undersized and caused
connectivity loss when the limit was reached.

PAN-205877 (PA-5450 firewalls only) Added debug commands for an issue where
a MAC address flap occurred on a neighbor firewall when connecting
both MGT-A and MGT-B interfaces.

PAN-205829 Fixed an issue where logs did not display Host-ID details for
GlobalProtect users despite having a quarantine Security policy rule.
This occurred due to a missed local cache lookup.

PAN-205804 Fixed an issue on Panorama where a WildFire scheduled update for
managed devices triggered multiple UploadInstall jobs per minute.

PAN-205729 (PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue
where the CPLD watchdog timeout caused the firewall to reboot
unexpectedly.

PAN-205699 Fixed an issue where the cloud plugin configuration was automatically
deleted from Panorama after a reboot or a configd process restart.

PAN-205698 Fixed an issue where GlobalProtect authentication did not work on
Apple MacOS devices when the authentication method used was CIE
with SAML Authentication.

PAN-205590 Fixed an issue where the fan tray fault LED light was on even though
no alarm was reported in the system environment.

PAN-205453 Fixed an issue where running reports or queries under a user group
caused the reportd process to stop responding.

PAN-205396 Fixed an issue where SD-WAN adaptive SaaS path monitoring did not
work correctly during a next hop link down failure.

PAN-205260 Fixed an issue where there was an IP address conflict after a reboot
due to a transaction ID collision.

PAN-205255 Fixed a rare issue that caused the dataplane to restart unexpectedly.

PAN-205231 Fixed an issue where a commit operation remained at 55% for
longer than expected if more than 7,500 Security policy rules were
configured.


PAN-205211 Fixed an issue where the reportd process stopped responding while
querying logs (Monitor > Logs > <logtype>).

PAN-205096 Fixed an issue where promoted sessions were not synced with all
cluster members in an HA cluster.

PAN-204749 Fixed an issue where sudden, large bursts of traffic destined for an
interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-204581 Fixed an issue where, when accessing a web application via the
GlobalProtect Clientless VPN, the web application landing page
continuously reloaded.

PAN-204575 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the firewall did not forward logs to the log
collector.

PAN-204572 Fixed an issue where python scripts were not working as expected.

PAN-204456 Fixed an issue related to the logd process that caused high memory
consumption.

PAN-204335 Fixed an issue where Panorama became unresponsive, and when
refreshed, the error 504 Gateway not Reachable was displayed.

PAN-203964 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
went into maintenance mode due to downloading a corrupted
software image, which resulted in the error message FIPS-CC
failure. Image File Authentication Error.

PAN-203851 Fixed an issue with firewalls in HA configurations where host
information profile (HIP) sync did not work between peer firewalls.

PAN-203681 (Panorama appliances in FIPS-CC mode only) Fixed an issue where a
leaf certificate was unable to be imported into a template stack.

PAN-203663 Fixed an issue where administrators were unable to change the
password of a local database for users configured as a local admin user
via an authentication profile.

PAN-203453 Fixed an issue on Panorama where the log query failed due to a high
number of User-ID redistribution messages.


PAN-203430 Fixed an issue where, when the User-ID agent had collector
name/secret configured, the configuration was mandatory on clients
on PAN-OS 10.0 and later releases.

PAN-203339 Fixed an issue where services failed due to the RAID rebuild not being
completed on time.

PAN-203147 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
unexpectedly rebooted when downloading a new PAN-OS software
image.

PAN-203137 (PA-5450 firewalls only) Fixed an issue where HSCI ports did not come
up when QSFP DAC cables were used.

PAN-202543 An enhancement was made to improve path monitor data collection by
verifying the status of the control network.

PAN-202248 Fixed an issue where, due to a tunnel content inspection (TCI) policy
match, IPSec traffic did not pass through the firewall when NAT was
performed on the traffic.

PAN-201701 Fixed an issue where the firewall generated system log alerts if the raid
for a system or log disk was corrupted.

PAN-201580 Fixed an issue where the useridd process stopped responding due to
an invalid vsys_id request.

PAN-200845 (M-600 Appliances in Management-only mode only) Fixed an issue
where XML API queries failed due to the configuration size being
larger than expected.

PAN-200160 Fixed a memory leak issue on Panorama related to the logd process
that caused an out-of-memory (OOM) condition.

PAN-200116 Fixed an issue where Elasticsearch displayed red due to frequent
tunnel check failures between HA clusters.

PAN-199965 Fixed an issue where the reportd process stopped responding on log
collectors during query and report operations due to a race condition
between request handling threads.

PAN-199807 Fixed an issue where the dataplane frequently restarted due to high
memory usage on wifclient.

PAN-196597 Fixed an issue where the dnsproxyd process stopped responding due to
corruption.


PAN-198306 Fixed an issue where the useridd process stopped responding when
booting up the firewall.

PAN-198266 Fixed an issue where, when predicts for UDP packets were created,
a configuration change occurred that triggered a new policy lookup,
which caused the dataplane to stop responding when converting the
predict. This resulted in a dataplane restart.

PAN-198038 A CLI command was added to address an issue where long-lived
sessions were aging out even when there was ongoing traffic.

PAN-197872 Fixed an issue where the useridd process generated false positive
critical errors.

PAN-197298 Fixed an issue where the audit comment archive for Security rule
changes output had overlapping formats.

PAN-196410 Fixed an issue where you were unable to customize the risk value in
Risk-of-app.

PAN-195756 Fixed an issue that caused an API request timeout when parsing
requests using large header buffers.

PAN-194805 Fixed an issue where scheduled configuration backups to the SCP
server failed with error message No ECDSA host key is known.

PAN-194068 (PA-5200 Series firewalls only) Fixed an issue where the firewall
unexpectedly rebooted with the log message Heartbeat failed
previously.

PAN-192513 Fixed an issue where log migration did not work when converting a
Legacy mode Panorama appliance to Log Collector mode.

PAN-191222 Fixed an issue where Panorama became inaccessible after a push
to the collector group.

PAN-190502 Fixed an issue where the Policy filter and Policy optimizer filter were
required to have the exact same syntax, including nested conditions
with rules that contained more than one tag when filtering via the neq
operator.

PAN-189335 Fixed an issue where the varrcvr process restarted repeatedly, which
caused the firewall to restart.

PAN-189200 Fixed an issue where sinkholes did not occur for AWS Gateway Load
Balancer dig queries.


PAN-186412 Fixed an issue where invalid packet-ptr was seen in work entries.

PAN-186270 Fixed an issue where, when HA was enabled and a dynamic update
schedule was configured, the configd process unexpectedly stopped
responding during configuration commits.

PAN-183375 Fixed an issue where traffic arriving on a tunnel with a bad IP address
header checksum was not dropped.

PAN-180948 Fixed an issue where an external dynamic list fetch failed with the
error message Unable to fetch external dynamic list.
Couldn't resolve host name. Using old copy for
refresh.

PAN-179174 Fixed an issue where the exported PDF report of the ACC was the
incorrect color after upgrading from a PAN-OS 10.1 or later release.

PAN-178594 Fixed an issue where the descriptions of options under the set
syslogng ssl-conn-validation CLI command were not
accurate.

PAN-175142 Fixed an issue on Panorama where executing a debug command
caused the logrcvr process to stop responding.

PAN-170414 Fixed an issue related to an OOM condition in the dataplane, which
was caused by multiple panio commands using extra memory.



PAN-OS 11.0.0 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 11.0.0.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 11.0.0 Known Issues
• PAN-OS 11.0.0 Addressed Issues


PAN-OS 11.0.0 Known Issues


The following list includes only outstanding known issues specific to PAN-OS 11.0.0. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-222586 On PA-5410, PA-5420, PA-5430, and PA-5440 firewalls,
the Filter dropdown menus, Forward Methods, and Built-In
Actions for Correlation Log settings (Device > Log Settings)
are not displayed and cannot be configured.

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209937 Certificate-based authentication for administrator accounts
may be unable to log into the Panorama or firewall web
interface with the following error:
Bad Request - Your browser sent a request
that this server could not understand
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-415 and PA-445 Firewalls
• PA-440, PA-450, and PA-460 Firewalls
• PA-1400 Series
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5440 Firewall
• PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin> request certificate fetch

This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-208189 Traffic fails to match and reach all destinations if a Security
policy rule includes FQDN objects that resolve to two or
more IP addresses.
This issue is now resolved. See PAN-OS 11.0.1-h2 Addressed Issues.

PAN-207770 Data filtering logs (Monitor > Logs > Data Filtering)
incorrectly display the traffic Direction as server-to-client
instead of client-to-server for upload traffic
that matches Enterprise data loss prevention (DLP) data
patterns (Objects > DLP > Data Filtering Patterns) in an
Enterprise DLP data filtering profile (Objects > DLP > Data
Filtering Profiles).

PAN-207733 When a DHCPv6 client is configured on HA Active/Passive
firewalls, if the DHCPv6 server goes down, after the lease
time expires, the DHCPv6 client should enter SOLICIT state
on both the Active and Passive firewalls. Instead, the client is
stuck in BOUND state with an IPv6 address having lease time
0 on the Passive firewall.

PAN-207616 On the Panorama management server, after selecting
managed firewalls and creating a new Tag (Panorama >
Managed Devices > Summary) the managed firewalls are
automatically unselected and any new tag created is applied
to the managed firewalls for which you initially created the
new tag.
Workaround: Select and then unselect the managed firewalls
for which you created a new tag.

PAN-207611 When a DHCPv6 client is configured on HA Active/Passive
firewalls, the Passive firewall sometimes crashes.

PAN-207040 If you disable Advanced Routing, remove logical routers,
and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or
10.1.x release, subsequent commits fail and SD-WAN devices
on Panorama have no Virtual Router name.

PAN-206913 When a DHCPv6 client is configured on HA Active/Passive
firewalls, releasing the IPv6 address from the client (using
Release in the UI or using the request dhcp client
ipv6 release all CLI command) releases the IPv6
address from the Active firewall, but not the Passive firewall.

PAN-206909 The Dedicated Log Collector is unable to reconnect to the
Panorama management server if the configd process
crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector
connection Status (Panorama > Managed Collector)
displaying connected and the managed collector Health
status displaying as healthy.
This results in the local Panorama config and system logs not
being forwarded to the Dedicated Log Collector. Firewall log
forwarding to the disconnected Dedicated Log Collector is
not impacted.
Workaround: Restart the mgmtsrvr process on the
Dedicated Log Collector.
1. Log in to the Dedicated Log Collector CLI.
2. Confirm the Dedicated Log Collector is disconnected from
Panorama.

admin> show panorama-status

Verify the Connected status is no.
3. Restart the mgmtsrvr process.

admin> debug software restart process management-server

PAN-206416 On the Panorama management server, no data filtering log
(Monitor > Logs > Data Filtering) is generated when the
managed firewall loses connectivity to the following cloud
services, and as a result fails to forward matched traffic for
inspection.
• DLP cloud service
• Advanced Threat Protection inline cloud analysis service
• Advanced URL Filtering cloud service

PAN-206315 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show session info CLI command
shows that the passive firewall has packet rate and
throughput values. The packet rate and throughput of the
passive firewall should be zero since it is not processing
traffic.

PAN-206253 For PA-1400 and PA-3400 Series firewalls, the default
log rate is set too low and the max configurable log rate is
incorrectly capped resulting in the firewall not generating
more than 6,826 logs per second.
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-206005 (PA-1400 Series, PA-3400 Series, and PA-5440 firewalls only)
The l7_misc memory pool on these platforms is undersized
and can cause a loss of connectivity when reaching the limit
of the memory pool. Certain features, like using a decryption
profile with Strip ALPN disabled, can lead to depleting the
memory pool and causing a connection loss.
Workaround: Disable HTTP2 by enabling Strip ALPN in the
decryption profile or avoid usage of the l7_misc memory pool.
This issue is now resolved. See PAN-OS 11.0.1 Addressed Issues.

PAN-205255 There is a rare PAN-OS issue that causes the dataplane to
restart unexpectedly.
This issue is now resolved. See PAN-OS 11.0.1 Addressed Issues.

PAN-205187 ElasticSearch may not start properly when a newly installed
Panorama virtual appliance powers on for the first time,
resulting in the Panorama virtual appliance being unable to
query logs forwarded from the managed firewall to a Log
Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS
software.

admin> request restart software

PAN-205009 (PA-1420 firewall only) In an active/passive high availability
(HA) configuration, the show interface all, show
high-availability interface ha2, and show
high-availability all CLI commands display the HSCI port
state as unknown on both the active and passive firewalls.

PAN-204615 BGP sessions can flap even when an unrelated configuration
is committed. This results in the BGP session going down
and getting established again. As a result, BGP routes get
exchanged again, which can lead to momentary traffic
disruption if BGP routes were in use for establishing traffic.
This issue is now resolved. See PAN-OS 11.0.0 Known Issues.

PAN-201910 PAN-OS security profiles might consume a large amount of
memory depending on the profile configuration and quantity.
In some cases, this might reduce the number of supported
security profiles below the stated maximum for a given
platform.

PAN-201855 On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-197588 The PAN-OS ACC (Application Command Center) does not
display a widget detailing statistics and data associated with
vulnerability exploits that have been detected using inline
cloud analysis.

PAN-197419 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, the power over Ethernet (PoE) ports do not display
a Tag value.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.

PAN-195968 (PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port,
the CLI prints an error depending on whether an interface
type was selected on the non-PoE port or not. If an interface
type, such as tap, Layer 2, or virtual wire, was selected before
PoE was configured, the error message will not include the
interface name (e.g., ethernet1/4). If an interface type was not
selected before PoE was configured, the error message will
include the interface name.


PAN-195568 When PAN-OS 11.0 is installed on multiple data plane
platforms, users are unable to connect to the GlobalProtect
portal or gateway.

PAN-195342 On the Panorama management server, Context Switch fails
when you try to Context Switch from a managed firewall
running PAN-OS 10.1.7 or earlier release back to Panorama
and the following error is displayed:
Could not find start token '@start@'

PAN-194978 (PA-1400 Series firewalls only) In Network > Interface >
Ethernet, hovering the mouse over a power over Ethernet
(PoE) Link State icon does not display link speed and link
duplex details.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-192282 (PA-415 and PA-445 firewalls only) In 1G mode, the MGT and
Ethernet 1/1 port LEDs glow amber instead of green.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 11.0.2 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.


PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-196940 After the readiness changes for CN-MGMT pods, it takes
up to 20 to 25 minutes to bring up a CN-Series cluster in an
OpenShift environment.


PAN-OS 11.0.0 Addressed Issues


Issue ID Description

PAN-207505 Fixed an issue where Email schedules (Monitor > PDF Reports > Email
Scheduler) were not supported for SaaS Application Usage (Monitor >
PDF Reports > SaaS Application Usage) reports.

PAN-204615 Fixed an issue where BGP sessions could flap even when an unrelated
configuration was committed. This resulted in the BGP session going
down and getting established again. As a result, BGP routes were
exchanged again, which could lead to momentary traffic disruption if
BGP routes were in use for establishing traffic.

PAN-202783 (PA-7000 Series firewalls with 100G NPC (Network Processing Cards)
only) Fixed an issue where sudden, large bursts of traffic destined for
an interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-202535 Fixed an issue where the Device Telemetry configuration for a region
was unable to be set or edited via the web interface.

PAN-199726 Fixed an issue with firewalls in HA configurations where both firewalls
responded with gARP messages after a switchover.

PAN-199654 Fixed an issue where ACC reports did not work for custom RBAC
users when more than 12 access domains were associated with the
username.

PAN-198733 (PA-5450 firewalls only) Fixed an issue where tcpdump was
hardcoded to eth0 instead of bond0.

PAN-198332 (PA-5400 Series only) Fixed an issue where swapping Network
Processing Cards (NPCs) caused high root partition use.

PAN-198244 Fixed an issue where using the load config partial CLI
command to x-paths removed address object entries from address
groups.

PAN-197383 Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the
firewall ran a RAID rebuild for the log disk after every reboot.

PAN-197341 Fixed an issue on Panorama where, when you created multiple device
group objects with the same name in the shared device group and
any additional device groups (Panorama > Device Groups) under the
same device group hierarchy that were used in one or more policies,
renaming the object with a shared name in any device group caused
the object name to change in the policies that it was used in. This issue
occurred with device group objects that were referenced in a Security
policy rule.

PAN-196558 Fixed an issue where IP address tag policy updates were delayed.

PAN-196398 (PA-7000 Series SMC-B firewalls only) Fixed an issue where the
firewall did not capture data when the active management interface
was MGT-B.

PAN-194615 Fixed an issue where the packet broker session timeout value did not
match the master session's timeout value after the firewall received a
TCP FIN or RST packet. The fix ensures that the broker session times out
within 1 second after the master session times out.

PAN-194152 (PA-5410, PA-5420, PA-5430, and PA-5440 firewalls in HA
configurations only) Fixed an issue where HA1-A and HA1-B port
information didn't match to front panel mappings.

PAN-189270 Fixed an issue that caused a memory leak on the reportd process.

PAN-188096 (VM-Series firewalls only) Fixed an issue where, on firewalls licensed
with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering
was unable to be established.

PAN-171714 Fixed an issue where, when NetBIOS format (domain\user) was used
for the IP address-to-username mapping and the firewall received
the group mapping information from the Cloud Identity Engine, the
firewall did not match the user to the correct group.

Related Documentation
Review the related documentation for PAN-OS 11.0.
To provide feedback on the documentation, write to us at:
documentation@paloaltonetworks.com.
• Related Documentation for PAN-OS 11.0


Related Documentation for PAN-OS 11.0


Refer to the PAN-OS® 11.0 documentation on the Technical Documentation portal for general
information on how to configure and use already-released features.
• PAN-OS 11.0 New Features Guide—Detailed information on configuring the features
introduced in this release.
• PAN-OS 11.0 Upgrade Guide—Provides considerations and steps to upgrade PAN-OS.
• PAN-OS 11.0 Administrator’s Guide—Provides the concepts and solutions to get the most out
of your Palo Alto Networks next-generation firewalls. This includes taking you through the
initial configuration and basic set up on your Palo Alto Networks firewalls.
• Panorama 11.0 Administrator’s Guide—Provides the basic framework to quickly set up the
Panorama™ virtual appliance or an M-Series appliance for centralized administration of the
Palo Alto Networks firewalls.
• PAN-OS 11.0 Networking Administrator’s Guide—Provides concepts and details around Palo
Alto Networks firewall networking solution.
• Advanced WildFire Administration—Provides steps to set up a Palo Alto Networks firewall to
forward samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire
private or hybrid cloud, and to monitor WildFire activity.
• VM-Series 11.0 Deployment Guide—Provides details on deploying and licensing the VM-Series
firewall on all supported hypervisors. It includes examples of supported topologies on each
hypervisor.
• GlobalProtect 10.1 (and later) Administrator’s Guide—Describes how to set up and manage
GlobalProtect™ features.
• PAN-OS 11.0 Web Interface Help—Detailed, context-sensitive help system integrated with the
firewall and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
