
Pan Os Release Notes

The PAN-OS Release Notes 10.2.12 document outlines new features, changes, limitations, and known issues related to the PAN-OS 10.2 software. Key highlights include enhancements in content inspection, URL filtering, Panorama management, and networking capabilities. The document also provides information on associated software versions and addresses issues from previous releases.

Uploaded by

lidloi

PAN-OS Release Notes

10.2.12

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
October 1, 2024

PAN-OS Release Notes 10.2.12 2 ©2024 Palo Alto Networks, Inc.


Table of Contents

Features Introduced in PAN-OS 10.2
  Content Inspection Features
  URL Filtering Features
  Panorama Features
  Networking Features
  GlobalProtect Features
  Management Features
  Decryption Features
  App-ID Features
  IoT Security Features
  Mobile Infrastructure Security Features
  Authentication Features
  Virtualization Features
  Hardware Features
  Enterprise Data Loss Prevention Features

Changes to Default Behavior
  Changes to Default Behavior in PAN-OS 10.2

Limitations
  Limitations in PAN-OS 10.2

Associated Content and Software Versions
  Associated Content and Software Versions for PAN-OS 10.2
  Compatible Plugin Versions for PAN-OS 10.2
  WildFire Analysis Environment Support for PAN-OS 10.2.2

PAN-OS 10.2.12 Known and Addressed Issues
  PAN-OS 10.2.12 Known Issues
  PAN-OS 10.2.12 Addressed Issues

PAN-OS 10.2.11 Known and Addressed Issues
  PAN-OS 10.2.11 Known Issues
  PAN-OS 10.2.11-h3 Addressed Issues
  PAN-OS 10.2.11-h2 Addressed Issues
  PAN-OS 10.2.11-h1 Addressed Issues
  PAN-OS 10.2.11 Addressed Issues

PAN-OS 10.2.10 Known and Addressed Issues
  PAN-OS 10.2.10 Known Issues
  PAN-OS 10.2.10-h5 Addressed Issues
  PAN-OS 10.2.10-h4 Addressed Issues
  PAN-OS 10.2.10-h3 Addressed Issues
  PAN-OS 10.2.10-h2 Addressed Issues
  PAN-OS 10.2.10 Addressed Issues

PAN-OS 10.2.9 Known and Addressed Issues
  PAN-OS 10.2.9 Known Issues
  PAN-OS 10.2.9-h11 Addressed Issues
  PAN-OS 10.2.9-h9 Addressed Issues
  PAN-OS 10.2.9-h1 Addressed Issues
  PAN-OS 10.2.9 Addressed Issues

PAN-OS 10.2.8 Known and Addressed Issues
  PAN-OS 10.2.8 Known Issues
  PAN-OS 10.2.8-h10 Addressed Issues
  PAN-OS 10.2.8-h4 Addressed Issues
  PAN-OS 10.2.8-h3 Addressed Issues
  PAN-OS 10.2.8 Addressed Issues

PAN-OS 10.2.7 Known and Addressed Issues
  PAN-OS 10.2.7 Known Issues
  PAN-OS 10.2.7-h12 Addressed Issues
  PAN-OS 10.2.7-h8 Addressed Issues
  PAN-OS 10.2.7-h6 Addressed Issues
  PAN-OS 10.2.7-h3 Addressed Issues
  PAN-OS 10.2.7-h1 Addressed Issues
  PAN-OS 10.2.7 Addressed Issues

PAN-OS 10.2.6 Known and Addressed Issues
  PAN-OS 10.2.6 Known Issues
  PAN-OS 10.2.6-h3 Addressed Issues
  PAN-OS 10.2.6-h1 Addressed Issues
  PAN-OS 10.2.6 Addressed Issues

PAN-OS 10.2.5 Known and Addressed Issues
  PAN-OS 10.2.5 Known Issues
  PAN-OS 10.2.5-h6 Addressed Issues
  PAN-OS 10.2.5-h4 Addressed Issues
  PAN-OS 10.2.5-h1 Addressed Issues
  PAN-OS 10.2.5 Addressed Issues

PAN-OS 10.2.4 Known and Addressed Issues
  PAN-OS 10.2.4 Known Issues
  PAN-OS 10.2.4-h16 Addressed Issues
  PAN-OS 10.2.4-h10 Addressed Issues
  PAN-OS 10.2.4-h4 Addressed Issues
  PAN-OS 10.2.4-h3 Addressed Issues
  PAN-OS 10.2.4-h2 Addressed Issues
  PAN-OS 10.2.4 Addressed Issues

PAN-OS 10.2.3 Known and Addressed Issues
  PAN-OS 10.2.3 Known Issues
  PAN-OS 10.2.3-h13 Addressed Issues
  PAN-OS 10.2.3-h12 Addressed Issues
  PAN-OS 10.2.3-h11 Addressed Issues
  PAN-OS 10.2.3-h9 Addressed Issues
  PAN-OS 10.2.3-h4 Addressed Issues
  PAN-OS 10.2.3-h2 Addressed Issues
  PAN-OS 10.2.3 Addressed Issues

PAN-OS 10.2.2 Known and Addressed Issues
  PAN-OS 10.2.2 Known Issues
  PAN-OS 10.2.2-h5 Addressed Issues
  PAN-OS 10.2.2-h4 Addressed Issues
  PAN-OS 10.2.2-h2 Addressed Issues
  PAN-OS 10.2.2-h1 Addressed Issues
  PAN-OS 10.2.2 Addressed Issues

PAN-OS 10.2.1 Known and Addressed Issues
  PAN-OS 10.2.1 Known Issues
  PAN-OS 10.2.1-h2 Addressed Issues
  PAN-OS 10.2.1-h1 Addressed Issues
  PAN-OS 10.2.1 Addressed Issues

PAN-OS 10.2.0 Known and Addressed Issues
  PAN-OS 10.2.0 Known Issues
  PAN-OS 10.2.0-h3 Addressed Issues
  PAN-OS 10.2.0-h2 Addressed Issues
  PAN-OS 10.2.0-h1 Addressed Issues
  PAN-OS 10.2.0 Addressed Issues

Related Documentation
  Related Documentation for PAN-OS 10.2


Features Introduced in PAN-OS 10.2
Review new features introduced in Palo Alto Networks PAN-OS® 10.2 software.
• Content Inspection Features
• URL Filtering Features
• Panorama Features
• Networking Features
• GlobalProtect Features
• Management Features
• Decryption Features
• App-ID Features
• IoT Security Features
• Mobile Infrastructure Security Features
• Virtualization Features
• Hardware Features
• Enterprise Data Loss Prevention Features


Content Inspection Features


New Content Inspection Feature | Description

Advanced Threat Prevention Subscription
Palo Alto Networks Advanced Threat Prevention subscription—a new flagship intrusion prevention service—detects and prevents the latest advanced threats from infiltrating your network by leveraging deep learning models trained on high fidelity threat intelligence gathered by Palo Alto Networks. This inline cloud-based threat detection and prevention engine defends your network from evasive and unknown command-and-control (C2) threats by inspecting all network traffic.
Advanced Threat Prevention includes all of the existing capabilities found in Threat Prevention, including a proven signature-based threat prevention solution to defend against known exploits, command-and-control, and commodity malware, and expands on that foundation with an extensible cloud architecture, providing scalable threat detection mechanisms to keep your network protections up to date without sapping firewall resources or relying on regular update packages.

Domain Fronting Detection
Firewalls now have a unique threat ID signature to identify and block domain fronting, also known as SNI spoofing, through your Anti-Spyware security profile as a spyware signature. This allows you to protect your network from malicious attackers using a crafted packet to indicate a fake website in the SNI while surreptitiously connecting to a different website via the HTTP Host Header — a possible vector for the distribution of malware.
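The mismatch that the Domain Fronting Detection entry describes (one name in the TLS SNI, another in the HTTP Host header) can also be hunted for in logs from any sensor that sees decrypted traffic. The following is an added example, not Palo Alto Networks code and not the logic of the firewall's signature; the JSON field names (`src`, `sni`, `host`), the sample records and the allowlist parameter are all assumptions made for illustration.

```python
"""Added example: flag SNI / HTTP Host mismatches in TLS-inspection logs."""
import json

# Constructed sample records (not real traffic). The field names are an
# assumption about what a decrypting proxy or sensor might export.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "sni": "cdn.example.com", "host": "cdn.example.com"}
{"src": "10.0.0.5", "sni": "CDN.Example.com.", "host": "cdn.example.com:443"}
{"src": "10.0.0.9", "sni": "cdn.example.com", "host": "hidden.example.net"}
{"src": "10.0.0.7", "sni": "", "host": "intranet.example.org"}
not-json garbage line
{"src": "10.0.0.8", "sni": "static.example.com", "host": "[2001:db8::1]:8443"}
"""


def normalize_host(value):
    """Lower-case a host value and strip port, IPv6 brackets and trailing dot."""
    host = str(value or "").strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, optional port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:        # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def find_mismatches(log_text, allowed=frozenset()):
    """Return one dict per record whose SNI and Host name different hosts.

    `allowed` is a set of (sni, host) pairs that are known to be legitimate
    in your environment (hypothetical tuning knob for shared front ends).
    Records without an SNI or Host value are skipped: a missing SNI is a
    different condition and should be counted separately.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                  # malformed line: ignore, do not crash
        if not isinstance(record, dict):
            continue
        sni = normalize_host(record.get("sni"))
        host = normalize_host(record.get("host"))
        if not sni or not host:
            continue
        if sni != host and (sni, host) not in allowed:
            hits.append({"line": line_no, "src": record.get("src"),
                         "sni": sni, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} SNI={hit['sni']} Host={hit['host']}")
```

Normalizing before comparing matters: without it, the second sample record (different case, trailing dot, explicit port) would be reported as a false positive.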


URL Filtering Features


New URL Filtering Feature | Description

Inline Deep Learning Analysis for Advanced URL Filtering
The Advanced URL Filtering cloud now leverages a new inline deep learning engine that analyzes suspicious web page content to protect users against zero-day web attacks. By employing cloud-based inline web page payload analysis, Advanced URL Filtering is capable of detecting and preventing advanced and targeted phishing attacks, and other web-based attacks that use advanced evasion techniques such as cloaking, multi-step attacks, CAPTCHA challenges, and previously unseen one-time-use URLs.

HTTP Header Expansion
HTTP header insertion has been enhanced to support header values up to 16K bytes. You can now specify more tenants to which you restrict access and better manage access to applications with longer header values in a single HTTP header insertion entry.


Panorama Features
New Panorama Feature | Description

Increased Device Management Capacity for the Panorama Virtual Appliance
PAN-OS 10.2.5 and later releases
To ease the operational burden of managing the configuration of your large-scale firewall deployments, the Panorama virtual appliance installed on VMware ESXi in Management Only mode now supports management of up to 5,000 Palo Alto Networks Next-Generation Firewalls (NGFW).

Panorama Interconnect 2.0
PAN-OS 10.2.4 and later releases
An upgrade to Panorama Interconnect Plugin 2.0 is required to upgrade to PAN-OS 10.2. You must download the Panorama Interconnect Plugin 2.0.0 before you install PAN-OS 10.2.4 to upgrade successfully.

Zero Touch Provisioning 2.0.3
PAN-OS 10.2.4 and later releases
The Zero Touch Provisioning (ZTP) Plugin 2.0.3 release includes minor bug and performance fixes.

Administrator-Level Push
Panorama administrators can now review and push their own committed configuration changes to managed firewalls. This helps improve collaboration across teams, the handling of emergency changes, and the auditing of those changes. Additionally, for multi-vsys firewalls running PAN-OS 10.2, Shared Panorama configurations are now pushed to the Panorama Shared context on the firewall, eliminating replication and reducing the risk of hitting capacity limits for shared objects such as EDLs and Custom URL categories.

Automatic Content Push for VM-Series and CN-Series Firewalls
Eliminate the operational overhead required to regenerate your VM-Series and CN-Series firewall images with the latest content updates. Enable this feature to automatically push content updates when onboarding new VM-Series and CN-Series firewalls to the Panorama management server. When leveraging Auto Scale, you can maintain existing dynamic content (such as for policy rules using App-ID) in the image configurations.

Log Collector Health Monitoring on Panorama
PAN-OS 10.2 introduces the ability to monitor health metrics for your managed Log Collectors from a centralized location. This helps you assess the operational performance of a Log Collector to easily identify and resolve any issues as soon as they arise.


Networking Features
New Networking Feature | Description

Authenticate LSVPN Satellite with Serial Number and IP Method
(PAN-OS 10.2.8 and later 10.2 releases)
You can now onboard a remote satellite using the combination of serial number and IP address in addition to the username/password and satellite cookie authentication method. This authentication method reduces complexity by enabling you to perform software upgrades and deploy new firewalls without manual intervention.

PA-5420 Firewall Supports Additional Virtual Routers
(PAN-OS 10.2.8 and later 10.2 releases)
The number of virtual routers supported on a PA-5420 firewall increased from 50 to 65. This increase allows you to have a virtual router for each virtual system on the firewall in the event that you configure more than 50 virtual systems.

Improved Throughput with Lockless QoS
(PAN-OS 10.2.5 and later 10.2 releases)
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls. For firewalls with higher bandwidth QoS requirements, lockless QoS dedicates CPU cores to the QoS function, which improves QoS performance, resulting in improved throughput and latency.

Software Cut-Through Support for PA-5410, PA-5420, PA-5430, and PA-3400 Series Firewalls
(PAN-OS 10.2.5 and later 10.2 releases)
The PA-5410, PA-5420, PA-5430, and PA-3400 Series firewalls have significantly improved latency.

LSVPN Cookie Expiry Extension
(PAN-OS 10.2.4 and later 10.2 releases)
You can now configure the cookie expiration period from 1 to 5 years, while the default remains as 6 months. The encrypted cookie stored on a Large Scale VPN (LSVPN) satellite expires after every 6 months. This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.
To reduce administrative overhead, we’ve extended the cookie expiration period from 6 months to 5 years.


Increased Maximum Number of Security Zones for PA-3400 Series Firewalls
(PAN-OS 10.2.4 and later 10.2 releases)
(PA-3400 Series firewalls only) The maximum number of security zones supported on the PA-3410 and PA-3420 firewalls has increased from 40 to 200. The maximum number of security zones supported on the PA-3430 firewall has increased from 100 to 200.

Poll Timeout Improvement for PA-3400 and PA-5400 Series Firewalls
(PAN-OS 10.2.4 and later 10.2 releases)
The PA-3400 and PA-5400 Series firewalls have improved latency when operating under low load.

Persistent NAT for DIPP
(PAN-OS 10.2.4 and later 10.2 releases)
One type of source NAT is Dynamic IP and Port (DIPP). Some applications, such as VoIP, video, and others, use DIPP and may require Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with STUN. To alleviate those issues, persistent NAT for DIPP provides additional support for connectivity with such applications. When you enable persistent NAT for DIPP, the binding of a private source IP address and port to a specific public (translated) source IP address and port persists for subsequent sessions that arrive having that same original source IP address and port.

IPv4 Multicast for Advanced Routing Engine
(PAN-OS 10.2.2 and later 10.2 releases)
The Advanced Routing Engine supports IPv4 multicast on logical routers. This engine supports PIM sparse mode (PIM-SM), PIM source-specific mode (PIM-SSM), and Internet Group Management Protocol (IGMP) on NGFW interfaces. You can also configure static routes over which to reverse-path forward (RPF) from the NGFW to the source. In line with the other routing protocols, multicast routing relies on profiles to parameterize PIM and IGMP. Unlike the legacy routing engine, which supports IGMPv1, the Advanced Routing Engine instead supports IGMP static joins for devices that do not support IGMPv2 or IGMPv3.

Security Policy Rule Top-Down Order When Wildcard Masks Overlap
(PAN-OS 10.2.1 and later 10.2 releases)
When a packet with an IP address matches prefixes in Security policy rules that have overlapping wildcard masks, you can have the firewall choose the first fully matching rule in top-down order (rather than match the rule with the longest prefix in the mask). Thus, more than one rule has the potential to be enforced on different packets.


Increase in Wildcard Address Objects
(PAN-OS 10.2.1 and later 10.2 releases)
The number of wildcard address objects supported per virtual system is increased to 5,000 on PA-5220, PA-5250, PA-5260, and PA-5280 firewalls.

Advanced Routing Engine
PAN-OS 10.2 offers an advanced routing engine that uses an industry-standard configuration methodology to reduce your learning curve. It allows the creation of profile-based filtering lists and conditional route maps, all of which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.

If you have an existing firewall configuration that uses the legacy routing engine, the migration of that deployment to the advanced routing engine is not supported in this release. (A new firewall deployment has no configuration to migrate; therefore, such migration is not supported.)

PAN-OS 10.2.0 and 10.2.1 don't support IPv4 multicast on the Advanced Routing Engine.

New BGP Capabilities
The Advanced Routing Engine provides new BGP capabilities:
• Suppress/unsuppress map
• BGP backdoor
• Fast failover
• Advanced filtering
• Replace AS, allow AS, and no-prepend support for import rules
• Increased character limit to 64 in the AS Path regular expression field for BGP Export rule
• Enhanced community support
• Ability to select Exact in conditional advertising
• Conditional advertisements based on learned routes
• More granular filter on the prefix match in export/import rules
• Redistribution of multiple BGP prefix communities per import/export policy
• Ability to select exact, shortest, and longest match for redistributed routes
• Ability to re-order route redistribution profiles
• Support for BGP graceful shutdown

New OSPFv3 and OSPFv2 Capabilities
The Advanced Routing Engine provides new OSPFv3 and OSPFv2 capabilities:
• Granular administrative distance
• Advanced inter-area filtering to limit what is imported to and exported from an OSPF area
• Redistribution using a route map
• New action on range command to substitute a route
• Redistribute only default route from OSPF to RIP
• MTU-ignore for OSPF interfaces

HA Cluster Behavior Change for Modular System
On an HA cluster standalone firewall node that is chassis based (such as a PA-5450 or PA-7000 Series firewall), if you restart a slot or power a slot on or off, the change in status does not trigger a failover; the firewall remains functional after it restarts or you power it on.
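The Persistent NAT for DIPP entry in the Networking Features table above turns on one difference: whether a translated address is bound per session or per private source IP address and port. The following added example models that difference to show why a STUN-learned address is unusable behind symmetric DIPP and usable with a persistent binding. It is a simplified model written for this page, not PAN-OS code; the class, the sequential port allocator and all addresses (documentation ranges) are assumptions.

```python
"""Added example: model of symmetric DIPP vs. persistent DIPP bindings."""


class DippNat:
    """Toy source-NAT table. Port allocation is sequential for clarity only."""

    def __init__(self, public_ip, persistent, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.persistent = persistent
        self._free_ports = iter(range(first_port, last_port + 1))
        self._bindings = {}

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (public_ip, public_port) used for this outbound session."""
        if self.persistent:
            # Binding keyed on the private source socket only, so it is
            # reused for every destination that socket talks to.
            key = (src_ip, src_port)
        else:
            # Symmetric behaviour: a separate binding per destination.
            key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._bindings:
            try:
                port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("translated port pool exhausted") from None
            self._bindings[key] = (self.public_ip, port)
        return self._bindings[key]


def stun_scenario(persistent):
    """Client asks a STUN server for its public address, then calls a peer.

    Returns the address the client learned, the address the peer actually
    sees, and whether the two agree (the condition STUN relies on).
    """
    nat = DippNat("203.0.113.10", persistent=persistent)
    client = ("192.168.1.20", 40000)       # same local socket for both flows
    stun_server = ("198.51.100.1", 3478)
    peer = ("198.51.100.77", 50000)

    learned = nat.translate(*client, *stun_server)   # what STUN reports back
    seen_by_peer = nat.translate(*client, *peer)     # what the media peer sees
    return {"learned": learned, "seen_by_peer": seen_by_peer,
            "usable": learned == seen_by_peer}


if __name__ == "__main__":
    for mode in (False, True):
        result = stun_scenario(persistent=mode)
        label = "persistent" if mode else "symmetric"
        print(f"{label:10s} learned={result['learned']} "
              f"peer_sees={result['seen_by_peer']} usable={result['usable']}")
```

Persistent bindings hold a translated port for longer than a per-session binding does, which is worth factoring into DIPP pool sizing.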


GlobalProtect Features
New GlobalProtect Feature | Description

SAML/CAS ACS Landing Page Customization
You can now customize the SAML/CAS ACS landing page displayed on the default browser when you are using the SAML/CAS authentication method to authenticate to the GlobalProtect app. You can rebrand or debrand the SAML/CAS ACS landing page on the default browser by using command-line interface (CLI) commands. By default, the feature is not enabled for the app.

This feature is not available on Panorama.


Management Features
New Management Feature Description

PAN-OS Software Patch Download and install PAN-OS software patches to


Deployment apply fixes to bug or Common Vulnerability Exposure
(CVE) without the need to schedule a prolonged
PAN-OS 10.2.8 and later releases
maintenance window to install a new PAN-OS version
from the Next-Generation Firewall or Panorama™
management server web interface. This allows you to
strength your security posture immediately without
introducing new known issues or changed to default
behaviors that may come with installing a new PAN-OS
version.

Policy Rulebase Management Using Tags allows you the ability to visually group your policy
the Tag Browser rulebase. PAN-OS 10.2.5 introduces the Tag Browser
which allows you to manage your policy rulebase using
PAN-OS 10.2.5 and later releases
the applied tags, and thereby simplifies policy rulebase
management.

AIOps for NGFW Streamline your firewall operations with AIOps for
NGFW, a new product offered on the hub. AIOps
for NGFW leverages PAN-OS device telemetry and
best practice assessments to give you up-to-date
information about device health and security posture.
This information includes alerts, interactive dashboards,
remediation recommendations, and more.

Selective Commit of Configuration PAN-OS 10.2 allows firewall and Panorama


Changes administrators to review and select specific
configuration objects to commit, including configuration
changes made by other administrators. Leveraging
selective commit allows you to maintain your defined
operational procedure while still being able to
successfully make independent configuration changes
not defined in your operational scope.

Simplified Software Upgrade Firewalls and Panorama management servers now


validate software upgrades before you install them.
This allows more steps to be completed prior to
the software installation, which speeds up software
upgrades and increases confidence in the upgrade
process. For example, prior to downloading the target
release, the appliance displays any required software,
including intermediate software versions and content
dependencies, which you can download along with

PAN-OS Release Notes 10.2.12 16 ©2024 Palo Alto Networks, Inc.


Features Introduced in PAN-OS 10.2

New Management Feature Description


the target release in one step. You can also use an
SCP server as a download source and view a history of
software upgrades.

Strata Cloud Manager Command Center
The Strata Cloud Manager Command Center is your new NetSec homepage;
it is your first stop to assess the health, security, and efficiency
of your network. In a single view, the command center shows you all
users and IoT devices accessing the internet, SaaS applications, and
private apps, and how Prisma Access, your NGFWs, and your security
services are protecting them.
The command center provides you with four different views, each with
its own tracked data, metrics, and actionable insights to examine and
interact with:
• Summary: A high-level look at all your network and security
  infrastructure. Monitor the traffic between your sources (users, IoT)
  and applications (private, SaaS), and see metrics onboarded security
  subscriptions.
• Threats: Dig deeper into anomalies on your network and block threats
  that are impacting your users. Review the traffic inspected on your
  network and see how threats are being detected and blocked around the
  clock by your Cloud-Delivered Security subscriptions.
• Operational Health: Review incidents of degraded user experience on
  your network and see root-cause analysis of the issues and
  remediation recommendations.
• Data Security: Find high-risk sensitive data and update data profiles
  to further secure your network. Review the sensitive data flow across
  your network and SaaS applications.
When the command center surfaces an issue through one of these views
that you should address or investigate (an anomaly, a security gap, a
degraded user experience, something that impacts the security and
health of your network), it provides a path to where you can take
actions to further secure your network.

View Preferred and Base Releases of PAN-OS Software
PAN-OS 10.2.10 and later 10.2 releases
The Panorama web interface now displays the preferred releases and the
corresponding base releases of PAN-OS software. Before you upgrade or
downgrade Panorama or PAN-OS, you can view the list of preferred and
base releases and choose your preferred target PAN-OS release.
Preferred releases offer the latest and the most advanced features and
ensure stability and performance. When there are no preferred releases
available, the corresponding base version is not displayed. If
necessary, you can choose to view either preferred releases or base
releases.


Decryption Features
New Decryption Feature Description

Multiple Certificate Support for SSL Inbound Inspection
SSL Inbound Inspection has been improved to prevent traffic disruption
and strengthen network security while you update your internal servers
and firewalls with new server certificates. You no longer need to
disable the decryption of inbound SSL traffic to reduce downtime during
the replacement process. You can now add multiple certificates to an
SSL Inbound Inspection decryption policy rule to ensure a valid
certificate is always available.


App-ID Features
New App-ID Feature Description

Support for Tenant-Level Policy Recommendations
PAN-OS 10.2.5 and later 10.2 releases
SaaS Policy Recommendations work with next-generation firewalls that
have a SaaS Security Inline subscription. SaaS Security Inline provides
SaaS visibility and security controls that prevent data security risks
of unsanctioned SaaS app traffic traversing your network. For certain
applications, SaaS Security Inline administrators can now submit policy
rule recommendations for individual application tenants. For example, a
SaaS Security Inline administrator might create a policy rule
recommendation to block downloads from Box for one tenant only.
The tenant-level policy recommendations are shown along with the
application-level policy recommendations on the
Device > Policy > Recommendation > SaaS page for firewall.
A tenant-level policy recommendation defines a number of custom apps
collected into an application group. Each custom app can identify up to
10 tenants and one action to block.


IoT Security Features


New IoT Security Feature Description

Simplified IoT Onboarding
When onboarding IoT Security, you can now select a predefined Log
Forwarding profile and apply it to multiple Security policy rules. This
simplifies the previous onboarding process where you had to create a
Log Forwarding profile and apply it individually to each Security
policy rule.

Data Collection for IoT Security
You can now collect data for devices whose traffic doesn’t pass through
a firewall by mirroring their traffic on network switches and sending
it to the firewall through an Encapsulated Remote Switched Port
Analyzer (ERSPAN) tunnel. After the firewall decapsulates the traffic,
PAN-OS logs the traffic the same as if it had terminated on a TAP port.
The firewall then sends the logs to the logging service where IoT
Security accesses and analyzes it.


Mobile Infrastructure Security Features


New Mobile Infrastructure Security Feature    Description

New Deployment Option for GTP Security in 3G/4G Networks
The new deployment option for GTP security provides subscriber-level
and equipment-level visibility and security policy control for combined
3G and 4G/LTE networks and supports GTP stateful inspection and
IMSI/IMEI correlation in network topologies with a combo node of
combined serving gateway (SGW) and packet data network gateway (PGW).
To ensure continuous traffic security for users during handovers
between 3G and 4G/LTE in these network topologies, this feature now
supports the Gn [mobility management entity (MME)-serving GPRS support
node (SGSN)] interface in addition to the existing GTP security
options.

Mobile Network Security Support on New Mid-Range Hardware Platforms
As more enterprises adopt private 5G networks and multi-access edge
computing (MEC), this transition provides new opportunities for
attacks. To secure these new environments, you can now use the
industry's only 5G-native security to deploy a Zero Trust-based
architecture. Palo Alto Networks now supports mobile network security
features such as 5G Subscriber ID Security, 5G Equipment ID Security,
5G MEC Security, and 4G/LTE Security features in a new range of
next-generation firewalls: the PA-3440, PA-3430, PA-5430, PA-5420 and
PA-5410 (in addition to the PA-5200 series, the PA-5450, and the
PA-7000 series).


Authentication Features
New Authentication Feature Description

Authentication Portal Support for IPv6 Redirect Host
PAN-OS 10.2.9
If your Authentication Portal deployment uses redirect mode and
Security Assertion Markup Language (SAML) or Lightweight Directory
Access Protocol (LDAP) with multi-factor authentication (MFA), you can
now use an IPv6 address for the domain name system (DNS) address (AAAA)
record, as well as an IPv4 address.
This allows you to map an IPv6 address on the Layer 3 interface to the
redirect host in addition to an IPv4 address (for example, to provide
redundancy). By entering a CLI command, you can configure the fully
qualified domain name (FQDN) of the redirect host as an IPv6 address.
When the firewall starts an Authentication Portal session, it detects
whether the FQDN of the host uses IPv4 or IPv6 when it creates the
mapping for the user. With this capability, even if the user changes
the traffic type from IPv4 to IPv6 during the same session, the
firewall can still map the user correctly, ensuring that your
user-based security policy is applied consistently throughout your
network and across enforcement devices.
You can also use the CLI commands to view or remove the currently
configured FQDN of the redirect host. To ensure that the Authentication
Portal configuration is successful, make sure to add the required IPv6
address as a DNS attribute in the Subject Alternative Name (SAN) field
for the certificate that you configure for your Authentication Portal
deployment. This capability allows you to use different internet
protocol versions, supporting even more options for your Authentication
Portal deployment.


Virtualization Features
New Virtualization Feature Description

CN-Series Firewall as a Kubernetes CNF
You can now deploy the Palo Alto Networks Container Native Firewalls
(CN-Series) as a Container Network Function (CNF) to protect
containerized as well as non-containerized workloads. This is a new
deployment mode for the CN-Series firewall that augments the previously
released CN-Series-as-a-daemonset and CN-Series-as-a-kubernetes service
deployment modes, limited to protecting only container workloads.
Deploying the CN-Series-as-a-Kubernetes-CNF allows customers to run
CN-Series in Layer-3 mode. This enables customers to steer the traffic
to CN-Series from even non-containerized sources. You can build
resilient network security by deploying CN-Series in an HA pair. In the
CNF mode of deployment, you can take advantage of I/O acceleration
techniques such as DPDK and SR-IOV to boost the firewall performance.

High Availability Support for CN-Series Firewall as a Kubernetes CNF
You can now deploy the CN-Series as a Kubernetes CNF in High
Availability (HA) mode. This deployment mode currently supports
active/passive HA with session and configuration synchronization.

DPDK support for CN-Series Firewall
The Kubernetes CNF mode of CN-Series now supports Data Plane
Development Kit (DPDK) and allows the application pods to use DPDK.
DPDK provides a simple framework for fast packet processing in
dataplane applications.
You can set up DPDK on on-premises worker nodes and AWS EKS cluster.

Daemonset(vwire) IPv6 Support
Using the Daemonset mode, you can now secure the interfaces of
application pods having IPv6 IP addresses.

L3 IPv4 Support for CN-Series
With the Kubernetes CNF, CN-Series now supports L3 Policy Based Routing
(PBR) with IPv4 IP addresses. The IP addresses to the interfaces in K8s
environment are typically programmed through the CNI using DHCP.

IPv6 DAG Plugin Support (Kubernetes 3.0.0 Plugin)
With the Kubernetes 3.0.0 plugin, you can now validate Service account
files, view detailed dashboards, push IP addresses for tags used in
Security Policies (Tag Pruning), and retrieve IPv6 addresses that can
be used in a Multus CNI setup.


47 Dataplane Cores Support for VM-Series and CN-Series Firewalls
Starting with PAN-OS 10.2, the VM-Series and CN-Series firewalls
support a maximum of 47 dataplane cores; an increase from the previous
maximum of 31.
For VM-Series, if you have NUMA performance optimization enabled with
custom dataplane core setting, the NUMA settings take precedence.

Elastic Memory Profile
Beginning with PAN-OS 10.2, the maximum number of sessions and capacity
supported on an individual VM-Series firewall scales with the increase
in the amount of memory allocated to the VM-Series instance.


Hardware Features
New Hardware Feature Description

WF-500-B Appliance
(The WF-500-B appliance is available for PAN-OS 10.2.2 and later)
The WF-500-B firewall is the newest on-premises hardware that offers
dedicated sandboxing capabilities. This WildFire appliance features
improved speeds over its predecessor, the WF-500.

PA-3400 Series Firewalls
The PA-3400 Series delivers a superior NGFW solution for the internet
gateway and campus segmentation use case, offering comprehensive
security capabilities without compromising on performance and flexible
network interface options enabling network consolidation and high speed
connectivity up to 100 Gbps.

PA-5410, PA-5420, and PA-5430 Firewalls
The new PA-5400 Series models provide the highest fixed form-factor
firewalls in the Palo Alto Networks NGFW portfolio. These firewalls
offer comprehensive security capabilities and high capacity interfaces
for use cases that include large enterprise data centers, Internet
gateways, and large campus environments.

M-300 and M-700 Appliances
These new M-Series models are multi-functional appliances that you can
configure to run in Panorama™ Management mode, Panorama Management-only
mode, Panorama Log Collector mode, or PAN-DB Private Cloud mode. These
models include the following main features when compared to the M-200
and M-600 appliances:
• Improved responsiveness with faster CPU and more memory
• Increased log ingestion rate
• Support for larger configuration sizes


Enterprise Data Loss Prevention Features


New Enterprise DLP Feature Description

New Application Support
Requires DLP plugin 3.0.4 or later release
Enterprise DLP now supports the following new applications.
Firewalls leveraging Enterprise DLP must be running PAN-OS 10.2.4 or
later release and have Apps & Threats content version 8684-7912
installed.
• Google Drive Web
• Microsoft OneDrive Desktop - Business

Expanded Download Support for Existing Applications
Requires DLP plugin 3.0.4 or later release
Enterprise DLP now supports download inspection for the following
applications.
Requires DLP plugin 3.0.4 or later release and have Apps & Threats
content version 8684-7912 installed.
• Box Desktop - Business
• Microsoft SharePoint Desktop
• Microsoft SharePoint Web
• Naver Mail Web
• Salesforce Web

Expanded File Size Support for Existing Applications
Requires DLP plugin 3.0.4 or later release
Enterprise DLP now supports large file inspection for the following
applications.
Firewalls leveraging Enterprise DLP must be running PAN-OS 10.2.4 or
later release and have Apps & Threats content version 8684-7912
installed.
• Microsoft OneDrive Desktop - Personal

Large File Inspection for Box and Web Browsing
Requires DLP plugin 3.0.3 or later release
Enterprise DLP now supports upload inspection of files up to 100MB in
size for the Box Web App and Web Browsing applications.

Proxy Support for Enterprise DLP
Requires DLP plugin 3.0.3 or later release
Enterprise DLP now supports connectivity to the DLP cloud service when
the Panorama management server uses a Proxy for its outbound internet
connection.

Support for HTTP/2 Traffic Inspection
Requires DLP plugin 3.0.2 or later release
Enterprise DLP now supports inspection of file and non-file based
HTTP/2 traffic.

Web Form Data Inspection for Enterprise Data Loss Prevention
Requires DLP plugin 3.0.1 or later release
More data is being exchanged in non-file formats that leverage
collaboration applications, web forms, Cloud applications, and social
media. PAN-OS 10.2 supports inspection of non-file format traffic to
strengthen your security posture and prevent exfiltration of sensitive
data.



Changes to Default Behavior
Review the changes to default behavior for PAN-OS 10.2.
• Changes to Default Behavior in PAN-OS 10.2


Changes to Default Behavior in PAN-OS 10.2


The following table details the changes in default behavior upon upgrade to PAN-OS® 10.2.
You may also want to review the Upgrade/Downgrade Considerations before upgrading to this
release.

Feature Change

Managed Device Traffic to Panorama
PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate and
handshake messages between Panorama, managed firewalls, and Dedicated
Log Collectors. As a result, the App-ID traffic between Panorama,
managed firewalls, and Dedicated Log Collectors is reclassified from
panorama to ssl.
As a result, a Security policy rule is required to allow the ssl
application. This allows Panorama, managed firewalls, and Dedicated Log
Collectors to continue communication after successful upgrade to PAN-OS
10.2. Review the Ports Used for Panorama for more information on the
destination ports required for managed device communication with
Panorama.

Administrator Login
Usernames that contain all numbers are no longer valid. For example,
the username 12345678 does not work.
Usernames that include at least one alphabetical or legal symbol
character are valid, such as 1234_567, 1234a789_, and c7897432.

Masterd Rename
With PAN-OS 10.2 all instances of masterd in the CLI were replaced with
MD.

Panorama Management of Multi-Vsys Firewalls
For multi-vsys firewalls managed by a Panorama management server,
configuration objects in the Shared device group are now pushed to a
Panorama Shared configuration context for all virtual systems rather
than duplicating the shared configuration to each virtual system to
reduce the operational burden of scaling configurations for multi-vsys
firewalls.
As a result, you must delete or rename any locally configured firewall
Shared object that has an identical name to an object in the Panorama
Shared configuration. Otherwise, configuration pushes from Panorama
fail after the upgrade and display the error <object-name> is already
in use.
The following configurations cannot be added to the Shared Panorama
location and are replicated to the Panorama location of each vsys of a
multi-vsys firewall.
• Pre and Post Rules
• External Dynamic Lists (EDL)
• Security Profile Groups
• HIP objects and profiles
• Custom objects
• Decryption profiles
• SD-WAN Link Management Profiles
Palo Alto Networks recommends that if a multi-vsys firewall is managed
by Panorama, then all vsys configurations should be managed by
Panorama.
This helps avoid commit failures on the managed multi-vsys firewall and
allows you to take advantage of optimized shared object pushes from
Panorama.
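
A pre-upgrade check for the name collisions described above, as an added example (not Palo Alto Networks code): it compares the Shared objects in an exported firewall configuration with those in the Panorama configuration. The XML layout (objects as <entry name="..."> elements under /config/shared) and every object name in the samples are assumptions for illustration; names are matched across object types because the text above does not say the check is per type.

```python
import xml.etree.ElementTree as ET

# Constructed sample: locally configured Shared objects on a multi-vsys firewall.
FIREWALL_XML = """
<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>192.0.2.53/32</ip-netmask></entry>
    <entry name="branch-lan"><ip-netmask>198.51.100.0/24</ip-netmask></entry>
  </address>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  </service>
  <tag><entry name="pci"/></tag>
</shared></config>
"""

# Constructed sample: objects in the Panorama Shared configuration.
PANORAMA_XML = """
<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>192.0.2.53/32</ip-netmask></entry>
    <entry name="hq-lan"><ip-netmask>203.0.113.0/24</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="pci"><static><member>hq-lan</member></static></entry>
  </address-group>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  </service>
</shared></config>
"""


def shared_object_names(config_xml):
    """Return {object name: set of object types} for everything under <shared>.

    An object is any <entry name="..."> element; its type is the path of tags
    between <shared> and the entry, for example "address" or
    "profiles/url-filtering". This layout is an assumption (see lead-in).
    """
    root = ET.fromstring(config_xml)
    shared = root if root.tag == "shared" else root.find("shared")
    names = {}
    if shared is None:
        return names

    def walk(node, path):
        for child in node:
            if child.tag == "entry":
                name = child.get("name")
                if name:
                    names.setdefault(name, set()).add("/".join(path))
                # Do not descend: anything inside an entry belongs to that object.
            else:
                walk(child, path + [child.tag])

    walk(shared, [])
    return names


def find_collisions(firewall_xml, panorama_xml):
    """List local Shared objects whose name also exists in Panorama Shared.

    Each item is (name, local object types, Panorama object types), sorted by
    name, so the administrator can delete or rename the local object first.
    """
    local = shared_object_names(firewall_xml)
    pushed = shared_object_names(panorama_xml)
    return [
        (name, sorted(local[name]), sorted(pushed[name]))
        for name in sorted(local.keys() & pushed.keys())
    ]


if __name__ == "__main__":
    for name, local_types, panorama_types in find_collisions(FIREWALL_XML, PANORAMA_XML):
        print(f"{name}: local {local_types} vs Panorama {panorama_types}")
```

Run it against the exported configurations before the upgrade; an empty result means no local Shared object name matches a Panorama Shared object name.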

Certificates
On upgrade to PAN-OS 10.2, it is required that all certificates meet
the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide
for more information on regenerating or re-importing your
certificates.
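
One way to audit exported certificates against these minimums before upgrading, as an added example (not Palo Alto Networks code): it parses the text that `openssl x509 -noout -text` prints for each certificate. The sample text, subjects and function names are constructed for illustration, and anything the parser cannot classify is reported for manual review rather than passed.

```python
import re

MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}  # minimums stated in the release notes
MIN_DIGEST_BITS = 256                       # "Digest of SHA256 or greater"
KEY_TYPES = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECDSA"}

# Constructed, abbreviated `openssl x509 -noout -text` output for three certificates.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Lab CA
        Subject: CN = portal.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Lab CA
        Subject: CN = legacy-mgmt.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = Example Lab CA
        Subject: CN = inbound-web.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA384
"""


def digest_bits(signature_algorithm):
    """Digest length in bits implied by an OpenSSL signature algorithm name."""
    if re.search(r"md[245]", signature_algorithm, re.I):
        return 128
    match = re.search(r"sha(?:3-)?(\d{1,3})", signature_algorithm, re.I)
    if match is None:
        return None  # name carries no digest (for example RSA-PSS): manual review
    bits = int(match.group(1))
    return 160 if bits == 1 else bits  # "sha1" is a 160-bit digest


def audit_certificates(openssl_text):
    """Return one result dict per certificate found in the OpenSSL text dump.

    "problems" is empty when the certificate meets the PAN-OS 10.2 minimums.
    """
    results = []
    for block in re.split(r"(?m)^Certificate:[ \t]*$", openssl_text):
        key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", block)
        if key_alg is None:
            continue  # text before the first certificate
        subject = re.search(r"(?m)^[ \t]*Subject:[ \t]*(.+)$", block)
        sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", block)
        key_size = re.search(r"Public-Key:\s*\((\d+) bit\)", block)

        key_type = KEY_TYPES.get(key_alg.group(1), key_alg.group(1))
        key_bits = int(key_size.group(1)) if key_size else 0
        signature = sig_alg.group(1) if sig_alg else "unknown"

        problems = []
        minimum = MIN_KEY_BITS.get(key_type)
        if minimum is None:
            problems.append(f"key type {key_type} is not RSA or ECDSA; check manually")
        elif key_bits < minimum:
            problems.append(f"{key_type} key is {key_bits} bits, minimum is {minimum}")
        digest = digest_bits(signature)
        if digest is None:
            problems.append(f"digest not recognised in {signature}; check manually")
        elif digest < MIN_DIGEST_BITS:
            problems.append(f"digest in {signature} is below SHA256")

        results.append({
            "subject": subject.group(1).strip() if subject else "unknown",
            "key_type": key_type,
            "key_bits": key_bits,
            "signature_algorithm": signature,
            "problems": problems,
        })
    return results


if __name__ == "__main__":
    for cert in audit_certificates(SAMPLE_OPENSSL_TEXT):
        status = "OK" if not cert["problems"] else "; ".join(cert["problems"])
        print(f'{cert["subject"]}: {status}')
```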

Advanced Routing Engine
With Advanced Routing enabled, by default connected peers prefer a
link-local next-hop address over a global next-hop address.

Advanced Routing Engine and BFD
On a firewall with Advanced Routing enabled, BFD session establishment
for iBGP peers is changed. Any iBGP peers over a loopback address are
not considered to be directly connected and therefore should enable the
multihop option in the BFD profile and specify Minimum Rx TTL
accordingly.

Auto Web Interface Refresh for XML API
PAN-OS 10.2.5 and later releases
When making successful XML API calls on a firewall, the web interface
will refresh after an interval of 10 seconds.

Selective Push for Prisma Access (Panorama Managed)
PAN-OS 10.2.2 and later releases
Pushing selective configuration changes to Prisma Access in Panorama
Managed Prisma Access deployments is no longer supported.
To push selective configuration changes to Prisma Access:
1. Commit > Commit to Panorama and select only the configuration
   changes you want to push.
2. Push your configuration changes to Prisma Access.

Scheduled Log Export
Scheduled log exports (Device > Log Export) may not export logs as
scheduled if multiple logs are scheduled to export at the same time.
Workaround: When scheduling your log exports, maintain at least 6 hours
between each scheduled log export.

Test SCP Server Connection
PAN-OS 10.2.4 and later releases
To test the SCP server connection when you schedule a configuration
export (Panorama > Schedule Config Export) or log export (Device >
Scheduled Log Export), a new pop-up window is displayed requiring you
to enter the SCP server clear text Password and Confirm Password to
test the SCP server connection and enable the secure transfer of data.
You must also enter the clear text SCP server Password and Confirm
Password when you test the SCP server connection from the firewall or
Panorama CLI.

admin> test scp-server-connection initiate <ip> username <username> password <clear-text-password>

Enterprise data loss prevention (DLP) Predefined Data Filtering Profiles
After successful upgrade to PAN-OS 10.2.4 with Panorama plugin for
Enterprise DLP 3.0.4 or later release installed, the default File
Direction for predefined data filtering profiles (Objects > DLP > Data
Filtering Profiles) is Both.

Authentication for SAML and client certificate
In PAN-OS 9.1 and earlier versions, if you configured client
certificate authentication, the firewall applied the policy rule using
the domain of the certificate.
In PAN-OS 10.2 and later versions, if you configure both SAML
authentication and client certificate authentication, the firewall
applies the policy rule using the SAML domain.
If you do not configure the SAML domain when using both SAML and client
certificate authentication, the firewall may not be able to
authenticate users successfully.
If the SAML username differs from the certificate username, delete the
username from the client certificate profile and commit the changes;
otherwise, authentication is not successful.

Domain Fronting Detection
PAN-OS 10.2.9-h8 and later releases
PAN-OS 10.2.11 and later releases
Domain Fronting Detection is a feature that was released in PAN-OS 10.2
that enabled detection of a TLS evasion technique that can circumvent
URL filtering database solutions and facilitate data exfiltration,
contained in HTTP request payloads using HTTP/1.x and HTTP/2 protocols.
Due to excessive false-positives generated by this detection when
inspecting HTTP/2 requests, the firewall no longer generates threat log
alerts for HTTP/2 requests in PAN-OS 10.2.9-h8 and later and PAN-OS
10.2.11 and later.



Limitations
Review limitations around Palo Alto Networks PAN-OS® 10.2 software.
• Limitations in PAN-OS 10.2


Limitations in PAN-OS 10.2


The following are limitations associated with PAN-OS 10.2.

Issue ID Description

PAN-265738
NAT is not configurable when HA clusters are configured. HA clusters
don't support NAT.

PAN-247465
(PA-7080 only) The firewall does not support Aquantia 10G SFP
transceivers.

PAN-246825
ECMP is not supported for equal-cost routes where one or more of those
routes has a virtual router or logical router as the next hop. None of
the equal-cost routes will be installed in the Forwarding Information
Base (FIB).

PAN-240517
Enter any random username and password (or just press enter) in the
pop-up dialog on the satellite to retrigger the authentication process
in the following cases:
• A scenario where the portal is running PAN-OS 10.2.8 and the
  satellite is running a version earlier than 10.2.8, and the satellite
  cookie has expired. In this case, when you attempt to enable the
  serial number and IP address authentication method without adding the
  satellite IP address in the IP allow list on the portal, satellite
  authentication fails. The failure is due to a missing IP address in
  the IP allow list.
• A scenario where the portal is running PAN-OS 10.2.8 and the
  satellite is running a version earlier than 10.2.8, if the satellite
  cookie expires before enabling the serial number and IP address
  authentication method on the portal, satellite authentication will
  fail due to satellite cookie expiration.

PAN-218067
By default, Next Generation firewalls and Panorama attempt to fetch the
device certificate or Panorama device certificate with each commit even
when the firewall is not using any Palo Alto Networks cloud service.
You can prevent the firewall from attempting to fetch the device
certificate for the following firewalls:
• M-300 appliance
• M-500 appliance
• PA-410, PA-440, PA-450, and PA-460 firewalls
• PA-1400 Series firewalls
• PA-3400 Series firewalls
• PA-5410, PA-5420, and PA-5430 firewalls
• PA-5450 firewall
To disable, log in to the firewall CLI or Panorama CLI and enter the
following command:

admin> request certificate auto-fetch disable

PAN-215869
PAN-OS logs (Monitor > Logs) experience a significant delay before they
are displayed if NetFlow (Device > Server Profiles > NetFlow) is
enabled on an interface (Network > Interface). This may result in log
loss if the volume of delayed logs exceeds the logging buffer available
on the firewall.
The following firewalls are impacted:
• PA-410, PA-440, PA-450, and PA-460 Firewalls
• PA-800 Series Firewalls
• PA-3200 Series Firewalls
• PA-3400 Series Firewalls

PAN-207505
This issue is now resolved. See PAN-OS 11.0.0 Addressed Issues.
Email schedules (Monitor > PDF Reports > Email Scheduler) are not
supported for SaaS Application Usage (Monitor > PDF Reports > SaaS
Application Usage) reports.

PAN-205166
(PA-440, PA-450, and PA-460 firewalls only) The CLI does not display
system information about the power supply when entering the show system
environmentals command. As a result, the CLI cannot be used to view the
current status of the power adapter.
Workaround: To manually interpret the status of the firewall's power
adapter, verify that your power cable connections are secure and that
the LED on the power adapter is on. If the LED is not illuminated even
though the power cable connections are secure, your power adapter has
failed.

PAN-190811
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
(PA-5450 only) Log interfaces must be configured to ensure they are not
in the same subnetwork as the management interface. Configuring both
interfaces in the same subnetwork can cause connectivity issues and
result in the wrong interface being used for log forwarding.

PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port
to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the
firewall to go down if they are set to Auto.

PAN-181229
On the Panorama management server, a Shared tag (Objects > Tags) cannot
be applied to a Shared application filter (Objects > Application
Filters).

PAN-174784
Up to 100,000 daily summary logs can be processed for Scheduled and Run
Now custom reports (Monitor > Manage Custom Reports) when configured
for the last calendar day. This can result in the generated report not
displaying all relevant log data generated in the last calendar day.

PAN-172144
On a Panorama management server deployed on VMware ESXi that is
managing Dedicated Log Collectors, filtering traffic logs (Monitor >
Logs > Traffic) using the (time_generated_geq) filter does not return
results for the specified Generate Time if the Dedicated Log Collectors
are in different time zones.
Workaround: Configure the same time zone for the Dedicated Log
Collectors you are querying.
1. Log in to the Log Collector CLI.
2. Set the time zone for the Dedicated Log Collector.

admin> configure
admin# set deviceconfig timezone <time_zone>
admin# commit



Associated Content and Software Versions
Review information about the associated content and software versions for Palo Alto Networks
PAN-OS® 10.2 software.
• Associated Content and Software Versions for PAN-OS 10.2
• Compatible Plugin Versions for PAN-OS 10.2
• WildFire Analysis Environment Support for PAN-OS 10.2.2


Associated Content and Software Versions for PAN-OS 10.2

The following minimum software and content release versions are compatible with PAN-OS 10.2.
To see a list of the next-generation firewall models that support PAN-OS 10.2, see the Palo Alto
Networks® Compatibility Matrix.

Palo Alto Networks Software or Content Release Version  Minimum Compatible Version with PAN-OS 10.2
Panorama                                                10.2
User-ID Agent                                           10.2
Terminal Services (TS) Agent                            10.2
GlobalProtect App                                       5.2
Applications and Threats Content Release Version        8614
VMware NSX Plugin Version                               3.2.3


Compatible Plugin Versions for PAN-OS 10.2


PAN-OS 10.2 is enhanced with upgraded plugins to increase reliability and robustness.
The following minimum plugin versions are compatible with PAN-OS 10.2.

Plugin Name                       Minimum Compatible Plugin Version with PAN-OS 10.2
AWS Plugin                        4.0.0
Azure Plugin                      4.0.0
Cloud Services Plugin             3.2.0
Kubernetes Plugin                 3.0.0
SW FW Licensing Plugin            1.0.0
  (VM licensing plugin and the previous version is supported)
Panorama VM-Series Plugin         3.0.0
SD-WAN Plugin                     3.0.0
IPS Signature Converter Plugin    2.0.0
ZTP Plugin                        2.0.0
DLP Plugin                        3.0.0
OpenConfig Plugin                 1.1.0
GCP Plugin                        3.0.0
Cisco ACI Plugin                  3.0.0
VCenter Plugin                    2.0.0
Nutanix Plugin                    2.0.0
Cisco TrustSec Plugin             2.0.0


Important considerations for upgrading your plugins


• The plugin versions listed in the above table are the only plugins that are compatible
with PAN-OS 10.2. If you use any other plugins, you should not upgrade to PAN-OS
10.2 until you upgrade all plugins to the minimum version.
• Starting with PAN-OS 10.2, the VM-Series plugin is installed by default. This option
is currently available only in PAN-OS 10.2, which means that Panorama software
requires that you download a compatible version of the VM-Series plugin if you
downgrade your firewall from PAN-OS 10.2.
• Each upgraded Panorama plugin supports both existing firewalls and PAN-OS 10.2
firewalls.
• The VM-Series plugin is required only for Azure deployments and not for any other
Panorama plugins.

Supported Migration Paths for Plugins

Plugin Name        Upgrade/Downgrade  Base PAN-OS Version  Base Plugin  Target PAN-OS Version  Target Plugin
AWS                Upgrade            10.1.x               3.0.x        10.2.0                 4.0.0
                   AWS Plugin 2.x.x should be upgraded to 3.0.x in PAN-OS 10.1.x before
                   upgrading to PAN-OS 10.2.0
                   Downgrade          10.2.0               4.0.0        10.1.x                 3.0.x
Azure Plugin       Upgrade            10.1.x               3.1.x        10.2.0                 4.0.0
                   Downgrade          10.2.0               4.0.0        10.1.x                 3.2.X (yet to be released)
                   Downgrading is not possible until the Azure Plugin 3.2.x is released.
Kubernetes Plugin  Upgrade            10.1.x               2.0.x        10.2.0                 3.0.0
                   Downgrade          10.2.0               3.0.0        10.1.x                 2.0.x
                   If you have a custom certificate size greater than 32k, the auto commit
                   (which happens after downgrade) will fail. To avoid this, you can save
                   the config file, add a dummy value in the custom certificate which is
                   less than 16K and then downgrade to 2.0.x (k8s plugin cannot contact
                   the API server). You
GCP Plugin         Upgrade            10.1.x               2.0.0        10.2.0                 3.0.0
                   Downgrade          10.2.0               3.0.0        10.1.x                 2.0.0
Cisco ACI Plugin   Upgrade            10.1.x               2.0.x        10.2.0                 3.0.0
                   Downgrade          10.2.0               3.0.0        10.1.x                 2.0.x
VCenter Plugin     Upgrade            10.1.x               1.0.x        10.2.0                 2.0.0
                   Downgrade          10.2.0               2.0.0        10.1.x                 1.0.x
Nutanix Plugin     Upgrade            10.1.x               1.0.0        10.2.0                 2.0.0
                   Downgrade          10.2.0               2.0.0        10.1.x                 1.0.0

For more information on upgrade and downgrade, see:


• PAN-OS 10.2 Upgrade Guide
• Upgrade Panorama Plugins in the PAN-OS Upgrade Guide


WildFire Analysis Environment Support for PAN-OS 10.2.2
The following WildFire guest VM images (analysis environments) are supported in the PAN-OS
10.2.2 and later releases of WildFire. To upgrade the WildFire appliance, refer to: Upgrade a
WildFire Appliance.

WildFire Analysis Environment                                       WildFire VM ID  WildFire Appliance Guest VM Filename  Minimum Compatible PAN-OS Version
Windows XP (Adobe Reader 11, Flash 11, Office 2010)                 vm-3            WFWinXpAddon3_m-1.0.1.xpaddon3        10.2.2 and later
Windows 7 x64 SP1 (Adobe Reader 11, Flash 11, Office 2010)          vm-5            WFWin7_64Addon1_m-1.0.1.7_64addon1    10.2.2 and later
Windows XP (Internet Explorer 8, Flash 11, Elink analysis support)  vm-6**          WFWinXpGf_m-1.0.1.xpgf                10.2.2 and later
Windows 10 x64 (Adobe Reader 11, Flash 11, Office 2010)             vm-7            WFWin10Base_m-1.0.1.10base            10.2.2 and later

• * This WildFire guest VM image comes preinstalled and is not available on the Palo Alto
Networks Support Portal for download.
• ** This WildFire analysis environment is not selectable through the WildFire appliance
CLI.

PAN-OS 10.2.12 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.12.
To contact support, get information on support programs, manage your account or devices,
or open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.12 Known Issues
• PAN-OS 10.2.12 Addressed Issues


PAN-OS 10.2.12 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.12. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the
show cluster-all peers CLI command when a node within the cluster
is being rebooted generates the following error:
Server error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected:
show wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.

WF500-5754 In WildFire appliance clusters, issuing the
show cluster controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-265336 (PA-800 Series, PA-3200 Series, PA-5200 Series, and
PA-5450 firewalls only) Copper ports flap when generating a
technical support file or executing device telemetry.
This issue is now resolved. See PAN-OS 10.2.11-h2 Addressed Issues.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-257601 (PA-5450 firewalls only) Networking cards can experience
an internal link fault, causing path monitoring failure on the
Dataplane Processing Card (DPC).
Fixed in PAN-OS 10.2.11. Affects 10.2.11-h2 and later 10.2 releases.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) By enabling the Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver


PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-189111 After you delete an MP pod and it comes back up, the
show routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP > Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.

admin> request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.


PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup >
Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-Active
firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).


PAN-OS 10.2.12 Addressed Issues


Issue ID Description

PAN-264680 (PA-220 firewalls only) Fixed an issue where Device > Setup was not
displayed on the web interface.

PAN-263226 Fixed an issue where, when SSL decryption was enabled and Client
Hello messages spanned multiple TCP segments, some SSL decrypted
sessions failed.

PAN-263164 Fixed an issue where Netflow User ID information was truncated to
31 characters.

PAN-262593 Fixed an issue where traffic to websites failed on the Google Chrome
web browser on Secure Web Gateway (SWG) nodes.

PAN-261991 Fixed an issue where traffic that did not match a decryption policy
rule, or matched a no-decrypt policy rule, failed when accumulation
proxy was enabled and a Zone Protection profile was configured with
syn-cookies enabled.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic log when using a Google Chrome browser with
PQC enabled.

PAN-261489 Fixed an issue where an out-of-memory (OOM) condition caused a
firewall outage.

PAN-261484 Fixed an issue on the firewall where DPDK allocated twice the amount
of memory as requested for pre-allocation.

PAN-260928 Fixed an issue where GlobalProtect failed to connect when using
LDAP authentication with machine certificates with the error message
You are not authorized to connect to GlobalProtect portal.

PAN-260738 Fixed an issue on the Panorama web interface where the progress bar
did not complete when importing a vulnerability profile configuration
through an XML file.

PAN-260149 Fixed an issue where the management plane DNS cache size was
lower than expected.


PAN-259883 Fixed an issue where the firewalls behind an Amazon Web Services
(AWS) Gateway Load Balancer (GWLB) stopped responding when
processing GENEVE packets with the reserved bit set.

PAN-257994 (CN-Series firewalls only) Fixed an issue where commits failed with the
error failed to handle CONFIG_UPDATE_START due to cfgdb
files for the container not being symbolically linked to the cfgdb files
on the virtual machine.

PAN-257957 (Firewalls and Panorama appliances in FIPS-CC mode only) Fixed
an issue where the authd process restarted if RADIUS PAP/CHAP
authentication was used.

PAN-257652 Fixed an issue where Internal Host Detection for IPv6 did not work
after upgrading to a PAN-OS 10.2 release.

PAN-255611 Fixed an issue on the firewall where newly added routes were not
automatically sorted based on subnets when added to a redistribution
profile.

PAN-255509 (PA-5450 firewalls only) Fixed an issue where BFD sessions flapped
intermittently.

PAN-255323 (PA-7050 firewalls only) Fixed an issue where the Network Processing
Card (NPC), Data Processing Card (DPC), and Log Forwarding Card
(LFC) remained in a starting state after an unexpected power cycle.

PAN-252974 (PA-450 firewalls only) Fixed an issue where specific routes were not
advertised when BGP Aggregate was configured with the advertise
filter.

PAN-252669 Fixed an issue where the ikemgr process stopped responding with a
SIGSEGV error.

PAN-251446 Fixed an issue where a critical system log was generated for a SAML
authenticated user whose username length was greater than 32
characters.

PAN-250394 Fixed an issue where a large amount of group data caused serialization
errors and prevented synchronization.

PAN-239246 Fixed an issue where the CLI command debug user-id dump
hip-based-profile-database-entry returned an incorrect
value in the output for the total size of hip reports.


PAN-230825 Fixed an issue where link flaps occurred on Panorama appliances in
high-availability (HA) configurations.

PAN-227543 Fixed an issue where the firewall did not match traffic to FQDN
objects if the FQDN object contained uppercase characters.

PAN-226361 Fixed an issue where sessions ended with
resources-unavailable due to the Content and Threat Detection GlobalProtect
packet queue being full.

PAN-221127 Fixed an issue where a large number of core files were generated,
which caused the root partition to become full and the firewall to
move into a non-functional state.

PAN-210395 Fixed an issue where the GlobalProtect application configuration
screen did not display all value names when a language other than
English was selected.

PAN-203231 Fixed an issue where Software Version in the device summary report
exported from Panorama included HTML tags.

PAN-189951 Fixed an issue where the CLI command debug device-telemetry
on debug caused high CPU load.

PAN-76904 (PA-5410 firewalls only) Fixed an issue where the management
interface went down and an error message displayed in the
show interface management CLI command output.

PAN-OS 10.2.11 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.11.
To contact support, get information on support programs, manage your account or devices,
or open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.11 Known Issues
• PAN-OS 10.2.11-h3 Addressed Issues
• PAN-OS 10.2.11-h2 Addressed Issues
• PAN-OS 10.2.11-h1 Addressed Issues
• PAN-OS 10.2.11 Addressed Issues


PAN-OS 10.2.11 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.11. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the
show cluster-all peers CLI command when a node within the cluster
is being rebooted generates the following error:
Server error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected:
show wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error:
Device certificate is missing or invalid. It cannot be renewed.

WF500-5754 In WildFire appliance clusters, issuing the
show cluster controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-265336 (PA-800 Series, PA-3200 Series, PA-5200 Series, and
PA-5450 firewalls only) Copper ports flap when generating a
technical support file or executing device telemetry.
This issue is now resolved. See PAN-OS 10.2.11-h2 Addressed Issues.

PAN-264680 (PA-220 firewalls only) Device > Setup is not displayed
when the Enterprise Data Loss Prevention (E-DLP) plugin is
installed.
Workaround: Uninstall the Enterprise DLP plugin.
1. Log in to the firewall web interface.
2. Select Device > Plugins.
3. Search for dlp.
4. Uninstall.
This issue is now resolved. See PAN-OS 10.2.11-h3 Addressed Issues.

PAN-264580 (PA-3400 Series firewalls only) Upgrading to PAN-OS 10.2.11
results in the following error:
Target image validation failed with error invalid literal for int() with base 10.

PAN-263226 When SSL decryption is enabled and Client Hello messages
span multiple TCP segments, elements from the proxy_l2info
memory pool may not be freed properly. Memory leaks in this
pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the
debug dataplane set ssl-decrypt accumulate-client-hello disable yes
CLI command.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-257957 If you enable FIPS-CC mode and use the PAP or CHAP
authentication methods for your RADIUS server, the authd
process may restart unexpectedly. To avoid this issue, use one
of the following workarounds:
• If you use PAN-OS 10.2.10-h3, 10.2.11, or an earlier
version, configure the RADIUS server so that it does not
send the message authenticator back to client.
• Use other protocols, such as LDAP, Kerberos, TACACS+,
SAML, RADIUS EAP, instead of RADIUS PAP or CHAP.
• Change from FIPS mode to normal mode.
This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues.
Affects 10.2.11-h1 and later 10.2 releases.

PAN-257601 (PA-5450 firewalls only) Networking cards can experience
an internal link fault, causing path monitoring failure on the
Dataplane Processing Card (DPC).
Fixed in PAN-OS 10.2.11. Affects 10.2.11-h2 and later 10.2 releases.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in Traffic
logs.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) By enabling the Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.


PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed


using PA-VM Bundle 3 (BND3).

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama


Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload


format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does


not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while


having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the PAN-OS
Administrator’s Guide.

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin> request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700
appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 Series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering inline ML.
Workaround: Configuration settings for URL Filtering
inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific websites:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (high availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA pairs of Active-Passive and
Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the Traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the Advanced URL Filtering license, your
license entitlements for PAN-DB and Advanced URL Filtering
might not display correctly on the firewall; this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-OS 10.2.11-h3 Addressed Issues


Issue ID Description

PAN-264680 (PA-220 firewalls only) Fixed an issue where Device > Setup was not
displayed on the web interface.

PAN-262340 Fixed an issue where FQDN resolution failed for address objects, and
all FQDN traffic was denied by the interzone-default policy rule.

PAN-188312 Fixed an issue where processing heavy traffic with jumbo frames
enabled caused the all_task to stop responding.

PAN-OS 10.2.11-h2 Addressed Issues


Issue ID Description

PAN-265438 Fixed an issue where the firewall did not update the Nicafe firmware
from 2.110 to 2.111.

PAN-265336 (PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-5450
firewalls only) Fixed an issue where the copper ports flapped when
generating a technical support file or executing telemetry.

PAN-264871 Fixed an issue on Panorama where the configd process stopped
responding when viewing IP addresses on dynamic address groups
with a large number of IP addresses.

PAN-260512 Fixed an issue where accessing the IP address of the device address
group objects from the user interface caused the configd process to
stop responding.

PAN-OS 10.2.11-h1 Addressed Issues


Issue ID Description

PAN-263226 Fixed an issue where decryption based traffic failed on Explicit Proxy
nodes.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic log when using a Google Chrome browser with
PQC enabled.

PAN-257957 (Firewalls and Panorama appliances in FIPS-CC mode only) Fixed
an issue where the authd process restarted if RADIUS PAP/CHAP
authentication was used.

PAN-OS 10.2.11 Addressed Issues


Issue ID Description

PAN-259997 (PA-3410, PA-3420, and PA-3430 firewalls only) Fixed an issue where
the install failed when upgrading from PAN-OS 10.2.3-h3 and later
10.2 releases to PAN-OS 10.2.10 due to the number of configured
vsys zones exceeding the zone limit in PAN-OS 10.2.10.

PAN-259480 Fixed an issue where the varrcvr process stopped responding after
running out of memory due to how the process queued and dequeued
files for WildFire file forwarding when a WildFire Analysis Security
Profile was enabled.

PAN-259473 (PA-5450 firewalls only) Fixed an issue where the chassis shut down
when FAN1 was removed.

PAN-259344 Fixed an issue where performing a configuration commit on a firewall
locally or from Panorama caused a memory leak related to the configd
process and resulted in an out-of-memory (OOM) condition.

PAN-257925 (CN-Series firewalls only) Fixed an issue where the CLI command show
system setting ctd state did not work as expected.

PAN-257601 (PA-5450 firewalls only) Fixed an issue where Networking Cards (NC)
experienced an internal link fault which caused path monitoring failure
on the Dataplane Processing Card (DPC).

PAN-257515 Fixed an issue where Possible Domain Fronting Detection for HTTP/2
generated false positives. With this change, domain fronting is limited
to HTTP/1.

PAN-257355 Fixed an issue where a false positive HTTP/TLS evasion alert was
generated when the domain had DNS load balance.

PAN-257462 Fixed an issue related to the varrcvr process where the management
plane CPU was higher than expected during WildFire updates.

PAN-257432 Fixed an issue on Panorama where the reportd process stopped
responding, which caused a log query issue.

PAN-257021 Fixed an issue on the web interface where Match Evidence log details
for Monitor > Correlated events did not populate.

PAN-256939 Fixed an issue on the firewall where disk space was low in /opt/pancfg/,
which caused dynamic content installation to fail.

PAN-256738 (VM-Series firewalls in HA configurations only) Fixed an issue where
BGP routes from the active firewall were lost when the passive firewall
was rebooted.

PAN-256666 Fixed an issue where the configd process stopped responding when
Commit and Push operations were performed on multiple device
groups.

PAN-256223 Fixed an issue where device telemetry log collection filled the root
partition.

PAN-255163 (CN-Series firewalls only) Fixed an issue where the system database
key that stored the configuration status of the dataplane pod was not
updated frequently.

PAN-254373 Fixed an issue where the firewall did not handle error code 500
responses from the WildFire cloud correctly.

PAN-253085 Fixed an issue where the firewall restarted when the parsing of the
cross-pkt http origin header failed when processing a translator
website.

PAN-252411 Fixed an issue where, when log files were purged from the rollup
summary logs, the summary report still used the rollup summary data,
which resulted in the summary report displaying less data.

PAN-251929 Fixed an issue where inbound decryption did not work when FIPS self-
tests were turned on.

PAN-251847 Fixed an issue on log collectors where the incoming log rate was lower
than expected.

PAN-251676 Fixed an issue on Panorama appliances in large-scale deployments
where configd process core files consumed more space in the /opt/panlogs
partition than was available.

PAN-251656 Fixed an issue where enabling lockless QoS caused traffic disruptions.

PAN-250371 Fixed an issue where the logrcvr process stopped responding, which
caused commits to fail with the error message Management server
failed to send phase 1 to client logrcvr.

PAN-250062 Fixed an issue where device telemetry failed after upgrading due to
bundle generation failure.

PAN-248975 Fixed an issue on the Panorama web interface where no content was
displayed after logging in.

PAN-248508 (VM-Series firewalls on Amazon Web Services (AWS) environments
only) Fixed an issue where the firewall did not perform MSS clamping
when GWLB endpoints were mapped to static subinterfaces.

PAN-248211 Fixed an issue on Panorama where commits failed when Advanced
Routing was enabled.

PAN-247257 Fixed an issue where the useridd process stopped responding, which
caused the firewall to reboot.

PAN-247099 Fixed an issue where the firewall decrypted traffic unexpectedly when
the client hello was spread across multiple packets.

PAN-246707 Fixed an issue where failover was not triggered when multiple
processes stopped responding.

PAN-246420 (PA-5450 Series firewalls only) Fixed an issue where the firewall
rebooted unexpectedly during an upgrade.

PAN-245157 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the firewall restarted after an HA failover when DPDK
was enabled.

PAN-244894 Fixed an issue where turning off mprelay logging caused mprelay
heartbeat failure.

PAN-244227 Fixed an issue where inconsistent FIB entries across the dataplane
were not detected.

PAN-242601 Fixed an issue where the all-task process stopped responding with
DNS traffic due to an incorrect cleanup by pan_free.

PAN-242519 Fixed an issue where scheduled email reports failed if the @ symbol
before the mail client was missing.

PAN-242146 Fixed an issue where the DHCP was unable to find the interface,
which caused the DHCP process and all connected DHCP services
to stop responding.

PAN-240993 Fixed an issue where you were unable to revert a sort in the task
manager in the Admin column.

PAN-240251 Fixed an issue where the vldmgr process incorrectly restarted during
an Elasticsearch restart.

PAN-239952 (Firewalls in active/passive HA configurations only) Fixed an issue
where HA sync messages from the active firewall took longer than
expected to reach the passive firewall.

PAN-239575 Fixed an issue where the TCP window size of the server-to-client
flow for HTTP/2 connection sessions decremented if HTTP/2 stream
sessions were closed due to a Security Profile or a Security policy rule.
This caused the connection session to have a TCP window of 0.

PAN-239337 Fixed an issue where the log_index was suspended and corrupted BDX
files flooded the index_log.

PAN-239271 Fixed an issue where changing the firewall's DNS servers could lead to
connectivity to the hostname-configured User-ID agent.

PAN-238705 (PA-400 Series firewalls only) Fixed an issue where HA link-monitor
did not work.

PAN-238562 Fixed an issue where log collectors stopped responding when
gathering reports from Panorama.

PAN-238508 Fixed an issue where the routed process created excessive logs in the
log file.

PAN-238355 Fixed an issue where, when a device group was not successfully
renamed, unexpected configuration changes to the device group
structure occurred.

PAN-238249 Fixed an issue where static route path monitor packets from a
multislot chassis were intercepted by the firewall performing Static
NAT (SNAT).

PAN-237678 Fixed an issue with firewalls in active/passive HA configurations where
the passive firewall displayed the error message Unable to read
QSFP Module ID when the passive link state was set to shutdown.

PAN-237582 Fixed an issue where logs were intermittently missing on the log
collector due to missing aliases for some indices.

PAN-237562 Fixed an issue where firewalls generated link-change system logs for
SFP ports even when no cable was connected to the ports.

PAN-237478 Fixed an issue where the Traffic log displayed 0 bytes for denied
sessions.

PAN-237369 (PA-1420 firewalls only) Fixed an issue where the all_task process
stopped responding, which caused the firewall to become
unresponsive.

PAN-236497 Fixed an issue where the firewall was unable to purge expired GTP-U
sessions that remained as allocated sessions even after the TTL was
expired.

PAN-236261 Fixed an issue where a proxy server was used for external dynamic
list communication even when the dataplane interface was configured
through service routes.

PAN-235336 Fixed an issue where the character limit for dgname exceeded the
supported number of characters (31), which caused device group
names to be partially displayed during a validate operation.

PAN-235081 (VM-Series firewalls only) Fixed an issue where the firewall sent
packets to its own interface after configuring NAT64.

PAN-234596 Fixed an issue on firewalls in active/passive HA configurations where
the passive firewall incorrectly became active after a reboot.

PAN-234560 Fixed an issue where the daily summary report displayed IPv6
addresses instead of IPv4 addresses.

PAN-234459 Fixed an issue with the firewall web interface where local SSL
decryption exclusion cache entries were not visible.

PAN-233689 (PA-7000 Series firewalls only) Fixed an issue where the Log
Forwarding Card (LFC) disk quota usage was reported as 0 MB for all
log types.

PAN-233541 Fixed an issue where device group and template administrators with
access to a specific virtual system were able to see logs for all virtual
systems via Context Switch.

PAN-233366 Fixed an issue where the DHCP server sent DHCP ACK messages as
broadcasts instead of unicasts when responding to DHCP INFORM
messages.

PAN-233129 Fixed an issue where the firewall sent duplicate logs to syslog server
when the log forwarding profile was configured with Shared enabled
and was used in a Security policy rule.

PAN-232368 Fixed an issue where commits failed with the error message
Error: Max. user groups used in policy 1389 exceed
capacity (1000).

PAN-231802 Fixed an issue where an Advanced Routing BGP session flapped with
commits when BGP peer authentication was enabled.

PAN-230326 Fixed an issue where the Network Packet Broker (NPB) user interface
was incorrectly displayed on unsupported platforms.

PAN-229873 (PA-7050 firewalls only) Fixed an issue related to brdagent process
errors.

PAN-229606 Fixed an issue where the brdagent process stopped responding after an
upgrade due to initialization failure.

PAN-227939 Fixed an issue where the all_task process stopped responding due to
high wifclient memory usage, which caused the firewall to reboot.

PAN-227887 Fixed an issue where IP address checksums were calculated
incorrectly.

PAN-225213 Fixed an issue where Push All Changes displayed changes that were
already committed in the push scope for another device group after
performing a selective commit and selective push to the first device
group.

PAN-224938 Fixed an issue where the CLI command settings for set system
setting logging max-log-rate did not persist after a mgmtsrvr
process restart.

PAN-224584 Fixed an issue on Panorama where generating UAR reports for 30 days
or more was slower than expected, and reports showed the same logs
repeatedly in a loop.

PAN-224365 Fixed an issue where excessive network path monitoring messages
were generated in the system logs.

PAN-221711 Fixed an issue on the firewall that caused the LFC to stop responding,
which impacted logging capability.

PAN-221571 Fixed an issue on the web interface where the Security policy rule
hit count remained at 0 for some rules even though the traffic logs
showed live hits.

PAN-220881 Fixed an issue where the CLI command show logging-status did
not correctly display the last log created and forwarded timestamps.

PAN-220500 (PA-5450 and PA-400 firewalls only) Fixed an issue where the
request shutdown system CLI command did not completely shut
down the system.

PAN-217307 Fixed an issue where the log-start and log-end policy rule filters
did not return reliable results when set to no or yes.

PAN-215670 Fixed an issue where local reports and scheduled reports displayed
different data.

PAN-215561 Fixed an issue where GlobalProtect authentication failed when new
users were added to an existing local database group user list.

PAN-214177 Fixed an issue where template configurations were not properly
pushed to the firewall during an export or push of the device
configuration bundle.

PAN-214100 Fixed an issue where selecting a threat name under Threat Monitor
displayed the threat ID instead of the threat name.

PAN-209542 (PA-5450 firewalls only) Fixed an issue where, when a log interface
was configured, the log interface and the management interface
remained connected to the log collector when upgrading to PAN-OS
10.2.2.

PAN-205482 Fixed an issue related to the configd process where Panorama
displayed the error Server not responding when editing policy rules.

PAN-198622 Fixed an issue where username fields under Policies were marked with
the same color as the first tag associated to that rule.

PAN-196395 (PA-5450 firewalls only) Fixed an issue where the firewall accepted
12 Aggregate Ethernet interfaces, but you were unable to configure
interfaces 9-12 via the web interface.

PAN-194968 Fixed an issue on the web interface where Antivirus updates were not
able to be downloaded and installed unless Apps and Threats updates
were downloaded and installed first, and the Antivirus content list
displayed as blank. The resulting error message from the update server
was also not reflected in the web interface.

PAN-191632 Fixed an issue where console sessions were not cleared after the set
idle timeout value.

PAN-OS 10.2.10 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.10.
To contact support, to get information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.10 Known Issues
• PAN-OS 10.2.10-h5 Addressed Issues
• PAN-OS 10.2.10-h4 Addressed Issues
• PAN-OS 10.2.10-h3 Addressed Issues
• PAN-OS 10.2.10-h2 Addressed Issues
• PAN-OS 10.2.10 Addressed Issues

PAN-OS 10.2.10 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.10. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper right-hand
corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-all
peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-263226 (PAN-OS 10.2.10-h2 and 10.2.10-h3 only) When SSL decryption
is enabled and Client Hello messages span multiple TCP segments,
elements from the proxy_l2info memory pool may not be freed properly.
Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the
debug dataplane set ssl-decrypt accumulate-client-hello disable yes
CLI command.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-259997 On PA-3410, PA-3420, and PA-3430 firewalls, the install
fails when upgrading from PAN-OS 10.2.3-h3 and later 10.2
releases to PAN-OS 10.2.10 due to the number of configured
vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Workaround: Before installing PAN-OS 10.2.10, reduce
the number of security zones to 40 zones or fewer for
PA-3410 and PA-3420 firewalls, and to 100 zones or fewer
for PA-3430 firewalls.
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues.

PAN-259733 Custom reports created in PAN-OS are not deleted as
expected, resulting in high memory use by the reportd
process. This can lead to issues, such as out-of-memory
conditions, content installation failures, and unexpected
firewall reboots.
This issue is now resolved. See PAN-OS 10.2.10-h2 Addressed Issues.

PAN-259344 Performing a configuration commit on a firewall, either locally
or from Panorama, causes a memory leak by the configd
process and results in an out-of-memory (OOM) condition.
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues.

PAN-257957 If you enable FIPS-CC mode and use the PAP or CHAP
authentication methods for your RADIUS server, the authd
process may restart unexpectedly. To avoid this issue, use one
of the following workarounds:
• If you use PAN-OS 10.2.10-h3, 10.2.11, or an earlier
version, configure the RADIUS server so that it does not
send the message authenticator back to the client.
• Use other protocols, such as LDAP, Kerberos, TACACS+,
SAML, RADIUS EAP, instead of RADIUS PAP or CHAP.
• Change from FIPS mode to normal mode.
This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues.
Affects 10.2.10-h3 and later 10.2 releases.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) Enabling the Lockless QoS feature is
expected to cause a slight degradation in App-ID and Threat
performance.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the PAN-OS
Administrator’s Guide.

PAN-189111 After deleting an MP pod and it comes up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP > Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.

admin> request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-OS 10.2.10-h5 Addressed Issues


Issue ID Description

PAN-256077 Fixed an issue where the GlobalProtect client
would disconnect consistently due to keep-
alive timeouts when using an SSL-only tunnel.

PAN-241044 Fixed an issue where traffic was denied by the
interzone-default policy rule when a Security
policy rule with an FQDN destination was
configured.

PAN-222590 Fixed an issue where a semicolon appeared at
the end of file names of data filtering logs.

PAN-217198 Fixed an issue where Security policy rules did
not display values for FQDN.

PAN-203231 Fixed an issue where Software Version in
the device summary report exported from
Panorama included HTML tags.

PAN-188312 Fixed an issue where processing heavy traffic
with jumbo frames enabled caused the all_task
to stop responding.

PAN-OS 10.2.10-h4 Addressed Issues


Issue ID Description

PAN-263226 Fixed an issue where decryption based traffic failed on Explicit Proxy
nodes.

PAN-263164 Fixes a problem where Netflow User ID information was truncated to
31 characters.

PAN-262287 Fixed an issue where dereferencing a NULL pointer that occurred
when App-ID stopped responding caused the firewall to restart.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic log when using a Google Chrome browser with
PQC enabled.

PAN-261797 (Firewalls and Panorama appliances in FIPS-CC mode only) Fixed
an issue where the authd process restarted if RADIUS PAP/CHAP
authentication was used.

PAN-261270 Fixed an issue where the firewall decremented the TTL/Hop limit for
BGPv6 packets by 1 after IPSec decryption.

PAN-260662 Fixed an issue where large file downloads were slower than expected
when private IP address visibility was enabled.

PAN-258442 Fixed an issue where changes made to the split tunnel configuration
on the Prisma Access gateway were not reflected on the GlobalProtect
client.

PAN-257957 (Firewalls and Panorama appliances in FIPS-CC mode only) Fixed
an issue where the authd process restarted if RADIUS PAP/CHAP
authentication was used.

PAN-257563 Fixed an issue where the logrcvr component for SASE and MCW
displayed incorrect zones in the traffic flow.

PAN-255619 Fixed an intermittent issue where file downloads from websites failed.

PAN-254826 Fixed an issue where the firewall stopped responding when processing
traffic.

PAN-254671 Fixed an issue where excessive Timed out while getting
config lock error messages were generated when making bulk
changes via XML API.

PAN-250371 Fixed an issue where the logrcvr process stopped responding, which
caused commits to fail with the error message Management server
failed to send phase 1 to client logrcvr.

PAN-247257 Fixed an issue where the useridd process stopped responding, which
caused the firewall to reboot.

PAN-242958 Fixed an issue where the firewall intermittently logged
connect-agent-failure messages for service connection instances due to
bi-directional host ID redistribution.

PAN-242331 Fixed an issue where Prisma Access remote network firewalls
intermittently created incorrect user-to-IP-address mappings.

PAN-240990 Fixed an issue where l3svc.py displayed incorrect logs.

PAN-218873 Fixed an issue where a HIP mask was reused when an existing IP
address user mapping was updated by a new IP address user mapping
that had a different username but the same IP address.

PAN-OS 10.2.10-h3 Addressed Issues


Issue ID Description

PAN-259997 (PA-3410, PA-3420, and PA-3430 firewalls only) Fixed an issue where
the install failed when upgrading from PAN-OS 10.2.3-h3 and later
10.2 releases to PAN-OS 10.2.10 due to the number of configured
vsys zones exceeding the zone limit in PAN-OS 10.2.10.

PAN-259480 Fixed an issue where the varrcvr process stopped responding after
running out of memory due to how the process queued and dequeued
files for WildFire file forwarding when a WildFire Analysis Security
profile was enabled.

PAN-257462 Fixed an issue related to the varrcvr process where the management
plane CPU was higher than expected during WildFire updates.

PAN-256939 Fixed an issue on the firewall where disk space was low in
/opt/pancfg/, which caused dynamic content installation to fail.

PAN-254373 Fixed an issue where the firewall did not handle error code 500
responses from the WildFire cloud correctly.

PAN-253400 Fixed an issue where the logrcvr process stopped responding.

PAN-249814 Fixed an issue where multiple all_task processes stopped responding,
which caused the dataplane to fail.

PAN-244746 Fixed an issue where changes committed on Panorama were not
reflected on the firewall after a successful push.

PAN-235840 Fixed an issue where, after a configuration push from Panorama to
managed firewalls, the status displayed as None and the push took
longer than expected.

PAN-234560 Fixed an issue where the daily summary report displayed IPv6
addresses instead of IPv4 addresses.

PAN-OS 10.2.10-h2 Addressed Issues


Issue ID Description

PAN-259733 Fixed an issue where a custom report was not deleted on Panorama
when expected.

PAN-259344 Fixed an issue where performing a configuration commit on a firewall
locally or from Panorama caused a memory leak related to the configd
process and resulted in an out-of-memory (OOM) condition.

PAN-258941 Fixed an issue where some URLs were not accessible when connected
to Prisma Access explicit proxy.

PAN-249266 Fixed an issue where the config process virtual memory was exceeded
due to delays in post-commit processing.

PAN-247099 Fixed an issue where the firewall decrypted traffic unexpectedly when
the client hello was spread across multiple packets.

PAN-225087 Fixed an issue where the dataplane logs were corrupted with
unexpected IPv6 addresses.

PAN-OS 10.2.10 Addressed Issues


Issue ID Description

PAN-257197 Fixed an issue where ifType and ifSpeed were not populated in
asynchronous mode of SNMP operations.

PAN-256181 Fixed an issue where the management interface and front panel port
interface statistics were not populated in asynchronous mode of
SNMP operations.

PAN-255868 (PA-3400 Series firewalls only) Fixed an issue where the firewall
entered maintenance mode after enabling kernel data collection during
the silent reboot.

PAN-255396 Fixed an issue where, when using serial number and IP address
authentication, and multiple gateways were configured, the portal
returned the last gateway in the list and disregarded the satellite
assignment by serial number.

PAN-253546 Fixed an issue where a TLS client hello was split into multiple packets
and arrived out of order, so the packets were dropped and the session
terminated.

PAN-253317 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where you were unable to log in to the firewall after a private
data reset.

PAN-252730 Fixed an issue where the Elasticsearch status for a log collector group
changed to red or yellow after performing a collector group push.

PAN-252517 Fixed an issue where SNMP failed to respond to multiple Object
Identifier (OID) queries in a single SNMP GET request.

PAN-251895 Fixed an issue where enabling inline Cloud Analysis features caused
a slow packet buffer leak, which resulted in performance issues and
dropped traffic.

PAN-251639 Fixed an issue where an out of memory condition might occur due to
a memory leak in the varrcvr process when a WildFire Analysis security
profile is enabled.

PAN-251563 Added CPLD enhancement to capture external power issues.

PAN-251013 Fixed an issue on the web interface where the Virtual Router and
Virtual System configurations for the template incorrectly showed as
none.

PAN-250083 Fixed an issue on firewalls in HA configurations where packets were
dropped over HA3 HSCI due to the default MRU being incorrect.

PAN-250020 Fixed an issue where MLC2 verdict retrieval failed due to a regression
in loopback data flag handling.

PAN-248130 Fixed an issue where the AND operation under a Dynamic Address
Group comparison did not work after upgrading the AWS plugin to
3.0.1.

PAN-248105 Fixed an issue where the GlobalProtect SSL VPN tunnel immediately
disconnected due to a keep-alive timeout.

PAN-246976 Fixed an issue with unbalanced NAT session distribution with
multidataplane firewalls when persistent-dipp was enabled.

PAN-246960 Fixed an issue where firewalls failed to fetch content updates from the
WildFire private cloud due to an Unsupported protocol error.

PAN-245850 Fixed an issue on Panorama appliances in active/passive HA
configurations where the firewalls entered an HA out-of-sync status
and jobs failed on the passive appliance with the error message Could
not merged running config from file.

PAN-245842 Fixed an issue with the syn-cookie option where traffic unexpectedly
stopped during packet exchange.

PAN-245690 Fixed an issue where the managed collectors health status on
Panorama displayed as empty.

PAN-245125 (VM-Series firewalls in Microsoft Azure environments only) Fixed
an issue where file descriptors were not closed due to invalid
configurations.

PAN-244907 Fixed an issue where ports did not go down when moving from an
active state to a suspended state.

PAN-244746 Fixed an issue where changes committed on Panorama were not
reflected on the firewall after a successful push.

PAN-244648 (PA-5200 Series only) Fixed an issue where the firewall did not boot
up after a factory reset, and, with FIPS mode enabled, the firewall
rebooted into maintenance mode.

PAN-244622 Fixed an issue where FIB repush did not work with Advanced Routing
enabled.

PAN-244013 Fixed an issue where the web interface did not display newly added
antispyware signatures or Vulnerability signatures.

PAN-243240 Fixed an issue where using QoS caused packet buffer utilization to
increase exponentially and the PKI POOL DFLT pool depleted until a
reboot was performed.

PAN-242893 Fixed an issue where the verdict for www.googleapis.com displayed
the message not-resolved.

PAN-242309 Fixed an issue where a higher byte count (s2c) was observed for DNS-
Base application.

PAN-241230 Fixed an issue where the SNMP get request status value for Panorama
connections was incorrect.

PAN-240786 Fixed an issue on firewalls in HA configurations where VXLAN
sessions were allocated, but not installed or freed, which resulted in
a constant high session table usage that was not synced between the
firewalls. This resulted in a session count mismatch.

PAN-240612 Fixed a kernel panic caused by a third-party issue.

PAN-240368 Fixed an issue where Authentication Portal redirection for HTTPS
websites did not work when Enhanced Handling of SSL/TLS
Handshakes for Decrypted Traffic was enabled.

PAN-240347 Fixed an issue with the web interface where the Dashboard and a
Device Group policy rule took longer than expected to load.

PAN-240225 Fixed an issue where authentication failed on web-based
GlobalProtect portal.

PAN-239662 Fixed an issue where the NSSA default route from the firewall was not
generated to advertise even though the backbone area default route
was advertised during a graceful restart.

PAN-239354 Fixed an issue where DNS resolution was delayed when an
antispyware policy rule was applied to both client to firewall and
firewall to internal DNS server legs of a connection.

PAN-238625 Fixed an issue where, when the physical interface went down, the
SD-WAN Ethernet connection state still showed UP/path-monitor due
to the Active URL SaaS monitor connection state remaining
UP/path-monitor.

PAN-237608 Fixed an issue where a NetFlow export truncated the source
username.

PAN-236133 Fixed an issue where SSL traffic was impacted when SSL Command
and Control detector for Inline Cloud Analysis was set to reset-both,
reset-client, reset-server, or drop.

PAN-232550 Fixed an issue where SNMPv3 authentication failed when using
SHA-512 Auth protocol.

PAN-231642 Fixed an issue on the Panorama web interface where users who were
logged in through multiple sessions were able to see an active lock on
only one session.

PAN-229115 Fixed an issue on the web interface where the screen was blank after
logging in to Panorama.

PAN-226108 Fixed an issue where the masterd process was unable to start or stop
the sysd process.

PAN-225394 Fixed an issue on the firewall where SNMP incorrectly reported high
packet descriptor usage.

PAN-223914 Fixed an issue on Panorama where the reportd process unexpectedly
stopped responding.

PAN-223418 Fixed an issue where heartbeats to the brdagent process were lost,
resulting in the process not responding, which caused the firewall to
reboot.

PAN-221041 Fixed an issue where the following error message was seen
frequently in the system logs: Clearing snmpd.log due to log
overflow.

PAN-216941 (Panorama appliances in Log Collector mode only) Fixed an issue
where Panorama stopped processing and saving logs.

PAN-164885 Fixed an issue on Panorama where Commit and Push or Push
to Devices operations failed when an external dynamic list was
configured to check for updates every 5 minutes due to the commit
and external dynamic fetch processes overlapping.

PAN-OS 10.2.9 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.9.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.9 Known Issues
• PAN-OS 10.2.9-h11 Addressed Issues
• PAN-OS 10.2.9-h9 Addressed Issues
• PAN-OS 10.2.9-h1 Addressed Issues
• PAN-OS 10.2.9 Addressed Issues

PAN-OS 10.2.9 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.9. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper right-
hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-all
peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-263226 (PAN-OS 10.2.9-h9 only) When SSL decryption is enabled and Client Hello messages
span multiple TCP segments, elements from the proxy_l2info
memory pool may not be freed properly. Memory leaks in this
pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the
debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-251895 When Inline Cloud Analysis features are enabled, the firewall
experiences a slow packet buffer leak, resulting in poor
performance and dropped traffic.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.
Workaround: Disable WildFire Inline Cloud Analysis and
Advanced Threat Prevention Inline Cloud Analysis on the
firewall.

PAN-251639 An out of memory condition might occur due to a memory
leak in the varrcvr process when a WildFire Analysis security
profile is enabled.
This issue is now resolved. See PAN-OS 10.2.9-h9 Addressed Issues.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) By enabling Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while


having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and


logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log


interface is unavailable on the web interface and in the PAN-
OS Administrator’s Guide.

PAN-189111 After deleting an MP pod and it comes up, the show


routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers


using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template


Status displays no synchronization status (Panorama >

Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when


SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP > Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud


analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a


logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully


deploying the CFT stack using the Panorama plugin for AWS.

Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to


populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators


are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the


PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the


peer port to forced 10M or 100M speed causes any multi-
gigabit RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an


unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to


PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of


the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.

Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls


with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-
Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in


5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter


for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed
Issues.


PAN-OS 10.2.9-h11 Addressed Issues


Issue ID Description

PAN-263226 Fixed an issue where decryption based traffic failed on Explicit Proxy
nodes.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic log when using a Google Chrome browser with
PQC enabled.

PAN-260662 Fixed an issue where large file downloads were slower than expected
when private IP address visibility was enabled.

PAN-260218 Fixed an issue where BGP Aggregate Advertise filters did not work
as expected when the summary option was enabled, and only
summarized routes were advertised.

PAN-258996 Fixed an issue where the firewall displayed the SFP ports as
PowerDown when the SFP transceiver was removed and reinserted or
the port was shut down and brought back up on the peer device.

PAN-251661 Fixed an issue where a memory overwrite occurred during HTTP/2


header inflation.

PAN-251563 Added CPLD enhancement to capture external power issues.

PAN-240612 Fixed a kernel panic caused by a third-party issue.

PAN-233191 (PA-5450 firewalls only) Fixed an issue where the Data Processing
Card (DPC) restarted due to path monitor failure after QSFP28
disconnected from the Network Processing Card (NPC).

PAN-226768 Fixed an issue where, when the GlobalProtect app was installed on
iOS endpoints and the gateway was configured to accept cookies, the
app remained in the Connecting stage after authentication, and the
GlobalProtect log displayed the error message User is not in
allow list. This occurred when the app was restarted or when the
app attempted to reconnect after disconnection.


PAN-OS 10.2.9-h9 Addressed Issues


Issue ID Description

PAN-259480 Fixed an issue where the varrcvr process stopped responding after
running out of memory due to how the process queued and dequeued
files for WildFire file forwarding when a WildFire Analysis Security
profile was enabled.

PAN-259344 Fixed an issue where performing a configuration commit on a firewall
locally or from Panorama caused a memory leak related to the configd
process and resulted in an out-of-memory (OOM) condition.

PAN-258941 Fixed an issue where some URLs were not accessible when connected
to Prisma Access explicit proxy.

PAN-258442 Fixed an issue where changes made to the split tunnel configuration
on the Prisma Access gateway were not reflected on the GlobalProtect
client.

PAN-257919 Fixed an issue where, when using explicit proxy with SAML
authentication, initiating SAML authentication with a non-GET request
resulted in a 302 redirect response instead of the expected 200 ok
response.

PAN-257515 Fixed an issue where Possible Domain Fronting Detection for HTTP/2
generated false positives. With this change, domain fronting is limited
to HTTP/1.

PAN-257355 Fixed an issue where a false positive HTTP/TLS evasion alert was
generated when the domain had DNS load balance.

PAN-257197 Fixed an issue where ifType and ifSpeed were not populated in
asynchronous mode of SNMP operations.

PAN-256181 Fixed an issue where the management interface and front panel port
interface statistics were not populated in asynchronous mode of
SNMP operations.

PAN-254422 Fixed an issue where the firewall required a restart when an SD-WAN
policy rule was pushed from Panorama.

PAN-254241 Fixed an issue where the firewall stopped responding due to a high
number of SD-WAN probes being sent.


PAN-252517 Fixed an issue where SNMP failed to respond to multiple Object


Identifier (OID) queries in a single SNMP GET request.

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-251639 Fixed an issue where an out-of-memory condition occurred due to a
memory leak related to the varrcvr process when a WildFire Analysis
security profile was enabled.

PAN-251013 Fixed an issue on the web interface where the Virtual Router and
Virtual System configurations for the template incorrectly showed as
none.

PAN-250062 Fixed an issue where device telemetry failed after upgrading due to
bundle generation failure.

PAN-249814 Fixed an issue where multiple all_task processes stopped responding,


which caused the dataplane to fail.

PAN-247099 Fixed an issue where the firewall decrypted traffic unexpectedly when
the client hello was spread across multiple packets.

PAN-246960 Fixed an issue where firewalls failed to fetch content updates from the
WildFire Private Cloud due to an Unsupported protocol error.

PAN-245125 (VM-Series firewalls in Microsoft Azure environments only) Fixed


an issue where file descriptors were not closed due to invalid
configurations.

PAN-244013 Fixed an issue where the web interface did not display newly added
Anti-Spyware signatures or Vulnerability Signatures until you
refreshed the browser or logged out or in via the web interface.

PAN-242309 Fixed an issue where a higher byte count (s2c) was observed for DNS-
Base application.

PAN-239662 Fixed an issue with firewalls in active/passive high availability (HA)


configurations where the NSSA default route from the active firewall
was not generated to advertise even though the backbone area default
route was advertised during a graceful restart.

PAN-239143 Fixed an issue with accessing websites when URL filtering profiles
were configured with the block-continue action and the server used
HTTP/2.

PAN-236909 Fixed an issue where, when you committed the first configuration
change after booting up the firewall, the external dynamic list file

download failed until the list was refreshed. This occurred when the
configuration was pushed with a certificate profile.

PAN-231440 Fixed an issue where, when a certificate profile was configured on an
external dynamic list object but the profile had been deleted or did
not exist, commits silently failed with the error Failed to refresh
EDL config instead of showing the correct validation error message.

PAN-223418 Fixed an issue where heartbeats to the brdagent process were lost,
resulting in the process not responding, which caused the firewall to
reboot.

PAN-164885 Fixed an issue on Panorama where Commit and Push or Push


to Devices operations failed when an external dynamic list was
configured to check for updates every 5 minutes due to the commit
and external dynamic fetch processes overlapping.


PAN-OS 10.2.9-h1 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.


PAN-OS 10.2.9 Addressed Issues


Issue ID Description

PAN-250686 Fixed an issue where selective push operations did not work when
more than one admin user simultaneously performed changes and
partial commits on Panorama.

PAN-247403 (VM-Series firewalls only) Fixed an issue where the push scope CLI
command took longer than expected, which caused the web interface
to be slow.

PAN-246431 Fixed an issue where a Push to Device operation remained at the


state None when performing a selective push to device groups and
templates that included both connected and disconnected firewalls.

PAN-245701 Fixed an issue where the returned values to SNMP requests for data
port statistics were incorrect.

PAN-244836 A knob was introduced to toggle the default behavior of BGP in the
Advanced Routing stack to not suppress duplicate updates. By default,
the prefix updates are suppressed for optimization.

PAN-244548 Fixed an issue where ECMP sessions changed destination MAC


addresses mid-session, which caused connections to be reset.

PAN-244493 Fixed a memory limitation with mapping subinterfaces to VPCE


endpoints for GCP IPS, Amazon Web Services (AWS) integration with
GWLB, and NSX service chain mapping.

PAN-242910 Fixed an issue where a custom based non-Superuser was unable to


push to firewalls.

PAN-242627 Fixed an issue where selective push did not work.

PAN-241018 (VM-Series firewalls in Microsoft Azure environments only) Fixed a


Dataplane Development Kit (DPDK) issue where interfaces remained
in a link-down stage after an Azure hot plug event.

PAN-240477 Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M


to not be able to link up on PA-5400 Series, PA-3400 Series, and
PA-1400 Series firewalls.

PAN-240066 Fixed a duplicate MAC address issue where an ethernet interface sent
out Gratuitous ARP (GARP) messages for an IP address that was not
configured on it.


PAN-239722 Fixed an issue where SNMP scans to the firewall took longer than
expected and intermittently timed out.

PAN-238643 Fixed an issue where a memory leak caused multiple processes to stop
responding when VM Information Sources was configured.

PAN-237991 Fixed an issue where the log collector sent fewer logs than expected
to the syslog server.

PAN-233692 Fixed an issue on Panorama where the configd process stopped, which
caused performance issues.

PAN-233684 Fixed an issue on Panorama where Push to Devices or Commit and


Push operations took longer than expected on the web interface.

PAN-231439 Fixed an issue where, when a VoIP call using dynamic IP and NAT was
put on hold, the audio became one-way due to early termination of
NAT ports.

PAN-230746 Fixed an issue on the web interface where device groups with a large
number of managed firewalls displayed the Policy page more slowly
than expected.

PAN-228515 Fixed an issue where the Elasticsearch cluster health status displayed
as yellow or red due to Elasticsearch SSH tunnel flaps.

PAN-224500 Fixed an issue where IPv6 addresses in XFF were displayed in Traffic
logs.

PAN-222188 A CLI command was introduced to address an issue where SNMP


monitoring performance was slower than expected, which resulted in
snmpwalk timeouts.

PAN-215430 Fixed an issue where dynamic IP address NAT with SIP intermittently
failed to convert RTP Predict sessions.

PAN-212553 Fixed an issue where the ikemgr process stopped responding due to
memory corruption, which caused VPN tunnels to go down.

PAN-207092 Fixed an issue where logging in using default credentials after changing
to FIPS-CC for NSX-T firewalls did not work.

PAN-OS 10.2.8 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.8.
To contact support, get information on support programs, manage your account or devices,
or open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.8 Known Issues
• PAN-OS 10.2.8-h10 Addressed Issues
• PAN-OS 10.2.8-h4 Addressed Issues
• PAN-OS 10.2.8-h3 Addressed Issues
• PAN-OS 10.2.8 Addressed Issues


PAN-OS 10.2.8 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.8. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper right-
hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-


all peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not


return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and


log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster


controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in


Panorama (Panorama > Managed WildFire Appliances >

Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-255868 (PA-3400 Series firewalls only) After enabling kernel data


collection during a silent reboot, the firewall fails and reboots
to maintenance mode.
Workaround: To recover the firewall, initiate a reboot from
maintenance mode.

PAN-251895 When Inline Cloud Analysis features are enabled, the firewall
experiences a slow packet buffer leak, resulting in poor
performance and dropped traffic.
Workaround: Disable WildFire Inline Cloud Analysis and
Advanced Threat Prevention Inline Cloud Analysis on the
firewall.
This issue is now resolved. See PAN-OS 10.2.10 Addressed
Issues.

PAN-250062 Device telemetry might fail at configured intervals due to


bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.


PAN-242910 On the Panorama management server, Panorama


administrators (Panorama > Administrators) that are
assigned a custom Panorama admin role (Panorama > Admin
Roles) with Push All Changes enabled are unable to push
configuration changes to managed firewalls when Managed
Devices and Push For Other Admins are disabled.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic


logs.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin > debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release


fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-228515 The ElasticSearch SSH flaps on the M-600 appliance in
Panorama or Log Collector mode. This causes logs to not
display on the Panorama management server (Monitor
> Logs) and the Log Collector health status (Panorama >
Managed Collectors > Status) to display as degraded.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,


and PA-5430 firewalls) By enabling Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter


dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-221775 A Malformed Request error is displayed when you Test


Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).


PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed
Issues.

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error


when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat


names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing


administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still


perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP


(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).


PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed


using PA-VM Bundle 3 (BND3).

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama


Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload


format under Device > Server Profiles > HTTP yields a
Javascript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does


not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while


having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.

Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and


logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log


interface is unavailable on the web interface and in the PAN-
OS Administrator’s Guide.

PAN-189111 After deleting an MP pod and it comes up, the show


routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers


using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template


Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when


SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.


PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP > Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed
Issues.

PAN-OS 10.2.8-h10 Addressed Issues


Issue ID Description

PAN-263226 Fixed an issue where decryption based traffic failed on Explicit Proxy
nodes.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic logs when using a Google Chrome browser with
PQC enabled.

PAN-254826 Fixed an issue where the firewall stopped responding when processing
traffic.

PAN-253546 Fixed an issue where a TLS client hello was split into multiple packets
and arrived out of order, so the packets were dropped and the session
terminated.

PAN-247099 Fixed an issue where the firewall decrypted traffic unexpectedly when
the client hello was spread across multiple packets.

PAN-224195 Fixed an issue where Authentication Portal redirects failed with a 500
Internal error when the Authentication Portal token was disabled.

PAN-OS 10.2.8-h4 Addressed Issues


Issue ID Description

PAN-253317 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where you were unable to log in to the firewall after a private
data reset.

PAN-251895 Fixed an issue where enabling Inline Cloud Analysis features caused
a slow packet buffer leak, which resulted in performance issues and
dropped traffic.

PAN-251563 Added CPLD enhancement to capture external power issues.

PAN-251013 Fixed an issue on the web interface where the Virtual Router and
Virtual System configurations for the template incorrectly showed as
none.

PAN-250020 Fixed an issue where MLC2 verdict retrieval failed due to a regression
in loopback data flag handling.

PAN-248105 Fixed an issue where the GlobalProtect SSL VPN tunnel immediately
disconnected due to a keep-alive timeout.

PAN-246976 Fixed an issue with unbalanced NAT session distribution with
multi-dataplane firewalls when persistent-dipp was enabled.

PAN-244648 Fixed an issue where, when FIPS was enabled in maintenance mode,
the firewall rebooted and returned to maintenance mode.

PAN-244622 Fixed an issue where FIB re-push did not work with Advanced Routing
enabled.

PAN-244548 Fixed an issue where ECMP sessions changed destination MAC
addresses mid-session, which caused connections to be reset.

PAN-242309 Fixed an issue where a higher byte count (s2c) was observed for
DNS-Base application.

PAN-240612 Fixed a kernel panic caused by a third-party issue.

PAN-240308 Fixed an issue where ElasticSearch did not work as expected when
raid-mounts were not fully ready after a reboot.

PAN-236133 Fixed an issue where SSL traffic was impacted when SSL Command
and Control detector or Inline Cloud Analysis was set to reset-both,
reset-client, reset-server, or drop.

PAN-225394 Fixed an issue on the firewall where SNMP incorrectly reported high
packet descriptor usage.

PAN-203981 Fixed an issue where usernames with only numeric characters were
not valid.

PAN-OS 10.2.8-h3 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.8 Addressed Issues


Issue ID Description

PAN-240596 Fixed an issue where all_task stopped responding due to an invalid
memory address.

PAN-242561 Fixed an issue where GlobalProtect tunnels disconnected shortly after
being established when SSL was used as the transfer protocol.

PAN-240197 Fixed an issue where configuration changes made in Panorama and
pushed to the firewall weren’t reflected on the firewall.

PAN-240174 Fixed an issue where, when LSVPN serial numbers and IP address
authentication were enabled, IPv6 address ranges and complete IPv6
addresses that were manually added to the IP address allow or exclude
list were not usable after a restart of the gp_broker process or the
firewall.

PAN-239241 Extended the root certificate for WildFire appliances to December 31,
2032.

PAN-239144 Fixed an issue where the web interface was slower than expected
when logging in, committing, and pushing changes after upgrading to
PAN-OS 10.2.7.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-237871 (WF-500 appliances and PAN-DB private cloud deployments only)
Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-237454 Fixed an issue where Panorama stopped redistributing IP
address-to-username mappings when packet loss occurred between the
distributor and the client.

PAN-236244 Fixed an issue where you were unable to select authentication profiles
via the web interface.

PAN-236233 Fixed an issue where SNMP reports displayed incorrect values for SSL
Proxy sessions and SSL Proxy utilization.

PAN-235741 Fixed an issue where DNS resolution failed for Panorama and firewall
plugins if the DNS Server IP address was obtained through DHCP.

PAN-235737 Fixed an issue where the brdagent process stopped responding due to
a sudden increase in logging to the bcm.log.

PAN-235628 Fixed an issue where you weren’t prompted for login credentials when
you disconnected and connected back to the GlobalProtect portal
when SAML authentication was selected along with single sign-on
(SSO) and Single Log Out (SLO).

PAN-235557 Fixed an issue where uploads from tunnels, including GlobalProtect,
were slower than expected when the inner and outer sessions were on
different dataplanes.

PAN-234852 Fixed an issue where DLP logs for the Salesforce application had a
report ID of 0 and did not include missing information such as file type,
file hash, and the reason for data filtering.

PAN-234279 Fixed an issue where the ikemgr process crashed due to an IKEv1
timing issue, which caused commits to fail with the following error
message: Client ikemgr requesting last config in
the middle of a commit/validate, aborting current
commit.

PAN-233954 Fixed an issue where the firewall was unable to retrieve correct groups
from the LDAP server.

PAN-233207 Fixed an issue where the configd process stopped responding when a
partial configuration revert operation was performed.

PAN-233191 (PA-5450 firewalls only) Fixed an issue where the Data Processing
Card (DPC) restarted due to path monitor failure after QSFP28
disconnected from the Network Processing Card (NPC).

PAN-232377 Fixed an issue where the AddrObjRefresh job failed when the
useridd process restarted.

PAN-232358 (PA-5450 firewalls only) Fixed an issue where the interface on
QSFP28 ports did not go down when the Tx cable was removed from
the QSFP28 module.

PAN-232250 Fixed an issue where, when SSH service profiles for management
access were set to None, the reported output was incorrect.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-231698 Fixed an issue where you were unable to set the Dynamic Updates
schedule threshold to an empty value.

PAN-231658 Fixed an issue where DNS resolution failed when interfaces were
configured as DHCP and a DNS server was provided via DHCP while
also statically configured with DNS servers.

PAN-231552 Fixed an issue where traffic returning from a third-party Security chain
was dropped.

PAN-231459 (PA-5450 firewalls only) Fixed an issue where a large number of invalid
source MAC addresses were shown in drop-stage packet captures.

PAN-231422 Fixed an issue where you were unable to configure more than 256
scheduled objects on the firewall.

PAN-231329 Fixed an issue where the logrcvr process stopped responding due to a
corrupt log in the forwarding pipeline.

PAN-230813 Fixed an issue where a flex memory leak caused decryption failure and
commit failure with the error message Error preparing global
objects failed to handle CONFIG_UPDATE_START.

PAN-230656 (Firewalls in HA configurations only) Fixed an issue where a split brain
condition occurred on both firewalls after booting up any firewall, and
an HA switchover occurred after booting up a firewall with a higher
HA priority even when no preemptive option was enabled on the
firewall.

PAN-230362 Fixed an issue where the firewall truncated the payload of a TCP Out
of Order segment with a FIN flag.

PAN-230359 Fixed an issue where SAML authentication failed with the
error message Failed to verify signature against
certificate when ds:KeyName was in the IdP metadata.

PAN-230106 Fixed an issue where the firewall was unable to retrieve the most
current external dynamic list information from the server due to
hostname resolution failure.

PAN-230092 Fixed an issue where the routed process stopped responding when
committing routing-related changes if Advanced Routing was enabled.

PAN-230039 Fixed an issue where migrating from an Enterprise License Agreement
(ELA) to a Flexible VM-Series License failed with a deactivation error
message.

PAN-229952 Fixed an issue where the print PDF option did not work (Panorama
> Managed Devices > Health).

PAN-229315 Fixed an issue where Octets in NetFlow records were always reported
to be 0 despite having a non-zero packet count.

PAN-229307 Fixed an issue where half closed SSL decryption sessions stayed active,
which caused software packet buffer depletion.

PAN-229080 Fixed an issue where the new management IP address on the interface
did not take effect.

PAN-229069 Fixed an issue where clientless VPN portal users were unable to access
clientless applications due to an SSL renegotiation being triggered.

PAN-228820 A CLI command was added to address an issue where long-lived
sessions aged out even when there was ongoing traffic.

PAN-228442 Fixed an issue on firewalls in active/passive HA configurations where
sessions did not fail over from the active firewall to the passive firewall
when upgrading PAN-OS.

PAN-228342 Fixed an issue where objects in the running configuration appeared to
be deleted under the push scope preview.

PAN-228323 Fixed an issue where a large number of Panorama management server
cookies were created in the Redis database when the Cloud-Service
plugin sent an authentication request every second, and logging in to
or using Panorama was slower than expected.

PAN-228277 Fixed an issue where commits took longer than expected.

PAN-228273 (Panorama appliances in FIPS-CC mode only) Fixed an issue where
the Elasticsearch cluster did not come up, and the
show log-collector-es-cluster health CLI command displayed the
status as red. This caused log ingestion issues for Panorama appliances
in Panorama mode or Log Collector mode.

PAN-227804 Fixed an issue where memory corruption caused the comm process to
stop responding.

PAN-227774 Fixed an issue where commits failed with the error message
Management server failed to send phase 1 to client
logrcvr.

PAN-227641 Fixed an issue where Preview Changes and Change Summary when
saving changes did not open a new window when clicked.

PAN-227522 Fixed an issue where shared application filters that had application
object overrides were overwritten by predefined applications.

PAN-227397 Fixed an issue where selective pushes on Panorama removed a
previously pushed configuration from the firewalls.

PAN-227233 Fixed an issue where the combination signature aggregation criteria in
a Vulnerability Protection profile was incorrectly blank even though a
value was set.

PAN-227058 Fixed an issue where traffic did not match Security policy rules with
the destination as FQDN and instead hit the default deny rule.

PAN-226935 Fixed an issue where autocommits failed due to duplicate application
name entries.

PAN-226860 Fixed an issue where macOS X-Auth clients disconnected prematurely
from the GlobalProtect gateway during a Phase 2 re-key event.

PAN-226768 Fixed an issue where, when the GlobalProtect app was installed on
iOS endpoints and the gateway was configured to accept cookies,
the app remained in the Connecting stage after authentication, and
the GlobalProtect log displayed the error message `User is not in
allow list`. This occurred when the app was restarted or when the app
attempted to reconnect after disconnection.

PAN-226489 Fixed an issue where Panorama was unable to push scheduled
Dynamic Updates to firewalls with the error message Failed to
add deploy job. Too many (30) deploy jobs pending
for device.

PAN-226418 A CLI command was added to address an issue where long-lived
sessions aged out even when there was ongoing traffic.

PAN-226260 Fixed an issue where support for CBC ciphers with some
authentication algorithms was only available in FIPS mode.

PAN-225920 Fixed an issue where duplicate predict sessions did not release NAT
resources.

PAN-225228 Fixed an issue where filtering Threat logs using any value under
THREAT ID/NAME displayed the error Invalid term.

PAN-225169 Added a CLI command to view Strata Logging Service queue usage.

PAN-225110 Fixed an issue with firewalls in HA configurations where HA
configuration syncs did not complete or logging data was missing
until firewall processes were manually restarted or the firewalls were
rebooted.

PAN-225094 Fixed an issue where performing a commit operation failed and
the following error message was displayed: failed to handle
CUSTOM_UPDATE.

PAN-225082 Fixed an issue where GlobalProtect quarantine-delete logs were
incorrectly shown on passive firewalls.

PAN-225013 (PA-5450 firewalls only) Fixed an issue where the firewall rebooted
unexpectedly when a Network Card was on Slot 2 instead of a DPC.

PAN-224955 Fixed an issue where the devsrvr process stopped responding when
zone protection had more than 255 profiles.

PAN-224772 Fixed a high memory usage issue with the mongodb process that
caused an OOM condition.

PAN-224656 Fixed an issue where the devsrvr process caused delays when Dynamic
Address Groups with large entry lists were being processed during a
commit, which caused commits to take longer than expected.

PAN-224405 Fixed an issue where the distributord process repeatedly stopped
responding.

PAN-224354 Fixed an issue where a memory leak related to the distributord process
occurred when connections flapped for IP address-to-username
mapping redistribution.

PAN-224036 (PA-5450 firewalls only) Fixed an issue where a firewall with QoS
configured wasn't able to send packets out of its interfaces after a
reboot.

PAN-223855 Fixed an issue where the show running ippool CLI command
output displayed incorrect used and available NAT IP address pools on
DIPP NAT policy rules in multidataplane firewalls.

PAN-223852 Fixed an issue where all_pktproc stopped responding when network
packet broker or decryption broker chains failed.

PAN-223741 Fixed an issue where the mprelay process stopped responding, which
caused a slot restart when another slot rebooted.

PAN-223481 (PA-5450 firewalls only) Fixed an issue where the all_pktproc process
stopped responding when the firewall was on PAN-OS 10.1.9-h3 or a
later release.

PAN-223457 Fixed an issue where, if the number of group queries exceeded the
Okta rate limit threshold, the firewall cleared the cache for the groups.

PAN-223271 Fixed an issue where the file transfer of large zipped and compressed
files had the App-ID unknown-tcp.

PAN-223263 Fixed an issue on the web interface where the system clock for
Mexico_city was displayed in CDT instead of CST on the management
dashboard.

PAN-223259 Fixed an issue where selective pushes failed with the error Failed
to generate selective push configuration. Unable to
retrieve last in-sync configuration for the device,
either a push was never done or version is too old.
Please try a full push.

PAN-223094 Fixed an issue where fragmented TCP traffic was dropped due to an IP
address ID conflict over the SD-WAN tunnel.

PAN-222941 Fixed an issue where viewing the latest logs took longer than expected
due to log indexer failures.

PAN-222533 (VM-Series firewalls on Microsoft Azure and Amazon Web Services
(AWS) environments) Added support for HA link monitoring and path
monitoring.

PAN-222500 Fixed an issue where an old configuration unexpectedly merged during
a push from Panorama.

PAN-222418 Fixed an issue where the firewall intermittently recorded a
reconnection message to the authentication server as an error, even if
no disconnection occurred.

PAN-222253 Fixed an issue on Panorama where policy rulebase reordering under
View Rulebase by Groups (Policy > <policy-rulebase>) did not
persist if you reordered the policy rulebase by dragging and dropping
individual policy rules and then moved the entire tag group.

PAN-222089 Fixed an issue where you were unable to context switch from
Panorama to the managed device.

PAN-221938 Fixed an issue with network packet broker sessions where the broker
session and primary session timeouts were out of sync, which caused
traffic drops if the broker session timed out when the primary session
was still active.

PAN-221857 Fixed an issue where users were unable to log in to the GlobalProtect
app using SAML authentication after upgrading to PAN-OS 10.2.3-h4,
and the GlobalProtect logs displayed the following error message:
Username from SAML SSO response is different from
the input.

PAN-221763 Fixed an issue on the web interface where text overlapped when
editing address and prefix values using Firefox.

PAN-221577 Fixed an issue where a static route for a branch or hub over the
respective virtual interface wasn't installed in the routing table even
when the tunnel to the branch or hub was active.

PAN-221316 Fixed an issue where the useridd process memory consumption
increased significantly, which caused the process to stop responding
and the device to restart.

PAN-221208 Fixed an issue where the tunnel monitor was unable to remain up
when zone protection with Strict IP was enabled and NAT Traversal
was applied.

PAN-221003 Fixed an issue where you were unable to uncheck firewalls in HA
configurations from the device group when Group HA Peers was
enabled.

PAN-220790 Fixed an issue where the reportd process stopped responding, which
caused Panorama to restart.

PAN-220659 Fixed an issue on the firewall where scheduled antivirus updates failed
when external dynamic lists were configured on the firewall.

PAN-220640 (PA-220 firewalls only) Fixed an issue where the firewall CPU
percentage was miscalculated, and the values that were displayed
were incorrect.

PAN-220180 Fixed an issue where configured botnet reports (Monitor > Botnet)
weren’t generated.

PAN-219813 Fixed an issue where the configuration log displayed incorrect
information after a multi-device group Validate-all operation.

PAN-219768 Fixed an issue where you were unable to filter data filtering logs with
Threat ID/NAME for custom data patterns created over Panorama.

PAN-219644 Fixed an issue where firewalls that forwarded logs to a syslog server
over TLS (Objects > Log Forwarding) used the default Palo Alto
Networks certificate instead of the configured custom certificate.

PAN-219585 Fixed an issue where enabling syslog-ng debugs from the root
caused 100% disk utilization.

PAN-219415 Fixed an issue where BGP routes were installed in the routing
table even when the option to install routes was disabled in the
configuration.

PAN-219300 Fixed an issue where the task manager displayed only limited data.

PAN-219260 (M-Series appliances only) Fixed an issue where the management
interface flapped due to low memory reserved for kernel space.

PAN-219241 Fixed an issue where web content for a failed SAML login had
readability and functionality issues for the GlobalProtect app.

PAN-219137 (CN-Series firewalls only) Fixed an issue where firewalls did not upload
files to the WildFire public cloud.

PAN-218928 Fixed an issue where the reportd process stopped responding after
querying logs or generating ACC reports with some filters.

PAN-218671 Fixed an issue on Panorama where commits failed after downgrading
the SD-WAN plugin.

PAN-218663 and PAN-181876 A fix was made to address CVE-2024-2433.

PAN-218611 Fixed an issue where the device telemetry region wasn't updated on
the firewall when pushed from the Panorama template stack.

PAN-218555 Fixed an issue where the firewall did not receive dynamic address
updates pushed from Panorama during initial registration to Panorama.

PAN-218352 Fixed an issue where Panorama was slower than expected when
WildFire deployment was scheduled every minute to a large number of
devices.

PAN-218331 Fixed an issue where you were unable to export or download packet
captures from the firewall when context switching from Panorama.

PAN-218273 Fixed an issue where TCP keepalive packets from the client to the
server weren't forwarded when SSL decryption was enabled.

PAN-218238 Fixed an issue where you were unable to create a file exception
(Monitor > Threat Log > Detailed Log view > Create Exception), and
the following error message was displayed: no antivirus profile
corresponding to threat log.

PAN-218119 Fixed an issue where the firewall transmitted packets with an incorrect
source MAC address during commit operations.

PAN-217831 Fixed a memory leak issue related to the logd process that
occurred due to a sysd object not being released.

PAN-217728 Fixed an issue where uploading a certificate in a manual configuration
option for SafenetHSM failed.

PAN-217674 Fixed an issue where RADIUS authentication failed when the
destination route of the service route was configured with an IPv4
address with more than 14 characters.

PAN-217541 Fixed an issue where the useridd process stopped responding after a
restart when HIP redistribution was enabled.

PAN-217510 Fixed an issue where inbound DHCP packets received by a DHCP
client interface that weren’t addressed to itself were silently dropped
instead of forwarded.

PAN-217493 Fixed an issue where superusers with read-only privileges were unable
to view SCEP object configurations.

PAN-217280 Fixed an issue where, when Advanced Routing was enabled, the routed
process stopped responding during booting up.

PAN-217272 Fixed an issue where the DNS proxy log included an
excessive number of the following error message: Warning:
pan_dnsproxy_log_resolve_fail: Failed to resolve
domain name ** AAAA after trying all attempts to
name servers

PAN-217241 Fixed an issue where predict session conversion failed for RTP and
RTCP traffic.

PAN-217064 Fixed an issue where commits took longer than expected when the
DLP plugin was configured.

PAN-217024 Fixed an issue where fetching device certificates failed for internal
DNS servers with the error message ERROR Error: Could not
resolve host: certificate.paloaltonetworks.com.

PAN-216647 Fixed an issue where the sysd node was updated at incorrect times.

PAN-216214 (Panorama managed firewalls in active/active HA configurations
only) Fixed an issue where the HA status displayed as Out of
Sync (Panorama > Managed Devices > Health) if local firewall
configurations were made on one of the HA peers. This caused
the next HA configuration sync to overwrite the local firewall
configuration made on the HA peer.

PAN-216101 Fixed an issue where a memory leak related to a process and LLDP
packet processing caused an OOM condition on the firewall.

PAN-215857 Fixed an issue where the option to reboot the entire firewall was
visible to vsys admins.

PAN-215583 Fixed an issue on firewalls in HA configurations where the primary
firewall went into a non-functional state due to a timeout in the
pan_comm logs during the policy-based forwarding (PBF) parse, which
caused an HA failover.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-215436 Fixed an issue with the web interface where the latest logs took longer
than expected to display under Monitor.

PAN-215082 (M-300 and M-700 appliances only) Fixed an issue where Panorama
generated erroneous system logs (Monitor > Logs > System) to alert
that the appliance memory usage limit was reached.

PAN-214987 Fixed an issue where Application Filter names weren’t random, and
they matched or included internal protocol names.

PAN-214942 Fixed an issue where SD-WAN UDP traffic failed over to a
non-member path after a flap of an SD-WAN virtual interface.

PAN-214847 Fixed an issue where, when certificate authentication for admin user
authentication was enabled, vulnerability scans that used usernames or
passwords against the management interface reported a vulnerability
due to a missing HSTS header in the Access Denied response page.

PAN-214773 Fixed an issue where RTP packets traversing intervsys were dropped
on the outgoing vsys.

PAN-214558 Fixed an issue where overriding a Layer2/vwire subinterface on
Panorama caused other subinterfaces to disappear.

PAN-214336 Fixed an issue where ICMPv6 unreachable messages were sent with
an unspecified source address ( :: ) for VLAN interfaces.

PAN-213956 Fixed an issue where the firewall interface did not go down even after
the peer link/switch port went down.

PAN-213918 Fixed an issue where mlav-test-pe-file.exe was not detected by
WildFire Inline ML.

PAN-213491 Fixed an issue where the management CPU was high, which caused
the web interface to be slower than expected.

PAN-213173 Fixed an issue where Preview Changes under Scheduled Pushes did
not launch the Change Preview window.

PAN-213112 Fixed an issue where executing the show report directory-listing
CLI command resulted in no output after upgrading to a
PAN-OS 10.1 release.

PAN-213103 Fixed an issue where Clientless VPN access failed with the error
message temporarily unavailable when accessing the
Clientless VPN bookmarked application from the identity provider
application portal.

PAN-212932 Fixed an issue where the firewall went into a restart loop with
the following error message: failed to get mgt settings
candidate: configured traffic quota of 0 MB is less
than the minimum 32 MB.

PAN-212877 Fixed an issue where a race condition caused log flooding, which
caused the firewall to go into an unresponsive state.

PAN-212770 Fixed an issue on the firewall where the WildFire file size limit value
did not match on the web interface and the CLI.

PAN-212580 (PA-7050 firewalls only) Fixed an issue where disk space filled up
due to files under /opt/var/s8/lp/log/pan/ not being properly
deleted.

PAN-211945 Fixed an issue where URL Filtering system logs showed the error
message CURL ERROR: bind failed with errno 124:
Address family not supported by protocol even though
the PAN-DB cloud was connected.

PAN-211827 Fixed an issue where Dynamic Updates failed with the following error
message: CONFIG_UPDATE_INC: Incremental update to DP
failed please try to commit force the latest config.

PAN-211821 Fixed an issue on firewalls in HA configurations where committing
changes after disabling the QoS feature on multiple Aggregate
Ethernet (AE) interfaces caused the dataplane to go down.

PAN-211384 Fixed an issue where the size of the redisthost_1 in the Redis
database continuously increased, which caused an OOM condition.

PAN-210234 Fixed an issue where a REST API call to query the template stack
configuration did not return the template stack variables or device variables.

PAN-208438 Fixed an issue on Panorama where Security policy rules incorrectly
displayed as disabled.

PAN-208395 Fixed an issue where user authentication failed in multi-vsys
environments with the error message User is not in allowlist
when an authentication profile was created in a shared configuration
space.

PAN-208085 Fixed an issue where the BFD peers were deleted during a commit
from Panorama. This occurred because the pan_comm thread became
deadlocked when the same sysd object was handled during the
commit.

PAN-207577 Fixed an issue where Panorama > Setup > Interfaces wasn't accessible
for users with custom admin roles even when the interface option was
selected for the custom admin roles.

PAN-207003 Fixed an issue where the logrcvr process NetFlow buffer wasn't reset,
which resulted in duplicate NetFlow records.

PAN-206325 Fixed an issue where a renamed object was still referenced with the
previous name in a Security policy rule, which caused commit failures
when using edit API to create the rule.

PAN-206041 (PA-7050 firewalls only) Fixed an issue where the ikemgr process
stopped responding.

PAN-204808 (PA-400 Series, PA-1400 Series, PA-3400 Series, and PA-5400 Series
firewalls only) Fixed an issue where executing the CLI command show
running resource-monitor ingress-backlogs displayed
the error message Server error : Dataplane is not up or
invalid target-dp(*.dp*)

PAN-204663 Fixed an issue on Panorama where you were unable to context switch
from one managed firewall to another.

PAN-202008 Fixed an issue where Traffic logs exported to CSV files contained
inaccuracies and weren’t complete.

PAN-201269 Fixed an issue where commits failed with the error message IPv6
addresses are not allowed because IPv6-firewalling
is disabled when Security policy rules had an address group with
more than 1000 FQDN address objects.

PAN-198190 (VM-Series firewalls only) Fixed an issue where the MTU on the
management interface couldn’t be configured to a value greater than
1500.

PAN-197189 Fixed an issue where the RST packet wasn't sent to the client when
decrypted HTTP/2 traffic was detected by custom vulnerability
signatures with action reset-both.

PAN-196146 (VM-Series firewalls only) Fixed an issue where hostname validation
failed due to the firewall not taking the hostname provided in
init.cfg.

PAN-193484 Fixed an issue where DNS failed if the domain name started with a
period.

PAN-192318 Fixed an issue where executing the CLI command show rule-hit-count
device-group displayed the error message Server
error : show rule hit count op-command failed.

PAN-186957 Fixed an issue where, in SAML Metadata Export, a drop-down did not
appear in the input field when IP or Hostname was selected for Type.

PAN-185286 (PA-5400 Series firewalls only) Fixed an issue on Panorama where
device health resources did not populate.

PAN-181706 Fixed an issue where the logrcvr process stopped responding after
upgrading to PAN-OS 10.1.

PAN-179952 Fixed an issue on Panorama where not all categories were displayed
under Log settings.

PAN-179260 Fixed an issue where admins and other superusers were unable to
remove a commit lock that was taken by another admin user with the
format <domain/user>. As a result, deleting the commit lock failed.

PAN-175642 Fixed an issue where system logs to alert for support license expiry
weren’t generated.

PAN-98605 Fixed an issue where audit comments did not appear in the audit
comments archive.

PAN-OS 10.2.7 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.7.
To contact support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.7 Known Issues
• PAN-OS 10.2.7-h12 Addressed Issues
• PAN-OS 10.2.7-h8 Addressed Issues
• PAN-OS 10.2.7-h6 Addressed Issues
• PAN-OS 10.2.7-h3 Addressed Issues
• PAN-OS 10.2.7-h1 Addressed Issues
• PAN-OS 10.2.7 Addressed Issues

PAN-OS 10.2.7 Known Issues


The following list includes only outstanding known issues specific to PAN-OS 10.2.7. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-
all peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-244673 Upgrading a flexible-vCPU VM-Series firewall HA deployment
from 10.1.x directly to 10.2.3 or later causes the active HA
peer to become unresponsive. In this scenario, the upgraded
firewall then becomes the active peer.
Workaround: Upgrade the VM-Series firewalls to PAN-OS
10.2.2 before upgrading to the latest PAN-OS 10.2.x version.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-242910 (PAN-OS 10.2.7, 10.2.7-h1, and 10.2.7-h3 only) On the Panorama
management server, Panorama
administrators (Panorama > Administrators) that are
assigned a custom Panorama admin role (Panorama > Admin
Roles) with Push All Changes enabled are unable to push
configuration changes to managed firewalls when Managed
Devices and Push For Other Admins are disabled.

PAN-242837 Default login credentials and SSH fail after enabling FIPS-CC
Mode on a firewall or Panorama after converting through the
Maintenance Recovery Tool (MRT). The firewall or Panorama
becomes stuck and requires a factory reset to recover.

PAN-242561 On the PAN-OS 10.2.7-h3 version, GlobalProtect tunnel
might disconnect shortly after being established when SSL is
used as a transport protocol.
Workaround: Disable Internet Protocol version 6 (TCP/IPv6)
on the PANGP Virtual Network Adapter.

PAN-238769 (FIPS-CC VM only) Upgrading to 10.1.10-h2 or 10.1.11
changes all locally created Security policy actions to Deny.
Reload the backup configuration taken before upgrading, or the
last version, to restore the previous configuration. Also, you are
unable to log in to FIPS-CC mode devices with default credentials
after converting the mode in the 10.1.12, 10.2.7, 11.1.0, 11.1.1,
and 11.0.3 releases.

PAN-234929 The tabs in the ACC, such as Network Activity, Threat
Activity, and Blocked Activity, may not display any data when
you apply a Time filter for the Last 15 minutes, Last Hour,
Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter,
the data displayed may not be accurate. Additionally, reports
run against summary logs may not display accurate results.
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues.

PAN-228515 The ElasticSearch SSH flaps on the M-600 appliance in
Panorama or Log Collector mode. This causes logs to not
display on the Panorama management server (Monitor
> Logs) and the Log Collector health status (Panorama >
Managed Collectors > Status) to display as degraded.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-226768 When the GlobalProtect app is installed on iOS endpoints
and the gateway is configured to accept cookies, the app
stays in Connecting stage after authentication and the
GlobalProtect log displays the error message, User is not in
allow list. This happens when the app is restarted or when the
app tries to reconnect after disconnection.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) When the Lockless QoS feature is enabled,
a slight degradation in App-ID and Threat performance is
expected.

PAN-223457 If the number of group queries exceeds the Okta rate limit
threshold, the firewall clears the cache for the groups. To
avoid encountering this issue, disable the Okta rate limit.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222418 The firewall intermittently records a reconnection message to
the authentication server as an error, even if no disconnection
occurs.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221857 Users are unable to log in to the GlobalProtect app using
SAML authentication after the app is upgraded to 10.2.3-h4
and the GlobalProtect logs display the following error
message: Username from SAML SSO response is different
from the input.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221033 The firewall is responding to an ARP request for an IP address
in the firewall's NAT address pool when that IP address isn't
in the same subnet as the IP address of the ingress interface.

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-219644 Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the PAN-OS
Administrator’s Guide.

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.

admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any
multi-gigabit RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-OS 10.2.7-h12 Addressed Issues


Issue ID Description

PAN-263226 Fixed an issue where decryption based traffic failed on Explicit Proxy
nodes.

PAN-261917 Fixed an issue where websites with a no-decrypt policy rule were
decrypted in traffic log when using a Google Chrome browser with
PQC enabled.

PAN-258996 Fixed an issue where the firewall displayed the SFP ports as
PowerDown when the SFP transceiver was removed and reinserted or
the port was shut down and brought back up on the peer device.

PAN-255868 (PA-3400 Series firewalls only) Fixed an issue where the firewall
entered maintenance mode after enabling kernel data collection during
the silent reboot.

PAN-253546 Fixed an issue where a TLS client hello was split into multiple packets
and arrived out of order, so the packets were dropped and the session
terminated.

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-251661 Fixed an issue where a memory overwrite occurred during HTTP/2
header inflation.

PAN-251563 Added CPLD enhancement to capture external power issues.

PAN-250152 Fixed an issue related to shared-to-shared optimization. To utilize this
fix, contact Palo Alto Networks Tech Support.

PAN-249814 Fixed an issue where multiple all_task processes stopped responding,
which caused the dataplane to fail.

PAN-247257 Fixed an issue where the useridd process stopped responding, which
caused the firewall to reboot.

PAN-244648 Fixed an issue where, when FIPS was enabled in maintenance mode,
the firewall rebooted and returned to maintenance mode.

PAN-240612 Fixed a kernel panic caused by a third-party issue.

PAN-244013 Fixed an issue where the web interface did not display newly added
Anti-Spyware signatures or Vulnerability Signatures.

PAN-239662 Fixed an issue with firewalls in active/passive HA configurations where
the NSSA default route from the active firewall was not generated to
advertise even though the backbone area default route was advertised
during a graceful restart.

PAN-238625 Fixed an issue where, when the physical interface went down, the
SD-WAN ethernet connection state still showed UP/path-monitor due
to the Active URL SaaS monitor connection state remaining
UP/path-monitor.

PAN-233191 (PA-5450 firewalls only) Fixed an issue where the Data Processing
Card (DPC) restarted due to path monitor failure after QSFP28
disconnected from the Network Processing Card (NPC).

PAN-226768 Fixed an issue where, when the GlobalProtect app was installed on
iOS endpoints and the gateway was configured to accept cookies, the
app remained in the Connecting stage after authentication, and the
GlobalProtect log displayed the error message User is not in
allow list. This occurred when the app was restarted or when the
app attempted to reconnect after disconnection.

PAN-OS 10.2.7-h8 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.7-h6 Addressed Issues


Issue ID Description

PAN-246431 Fixed an issue where a Push to Device operation remained at the
state None when performing a selective push to device groups and
templates that included both connected and disconnected firewalls.
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.

PAN-242910 Fixed an issue where a custom based non Superuser was unable to
push to firewalls.
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.

PAN-242627 Fixed an issue where selective push did not work.
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.

PAN-242561 Fixed an issue where GlobalProtect tunnels disconnected shortly after
being established when SSL was used as the transfer protocol.

PAN-242027 Fixed an issue where the all-task process repeatedly restarted during
memory allocation failures.

PAN-239367 Fixed an issue on the firewall where a memory leak associated with
the logrcvr process occurred.

PAN-238643 Fixed an issue where a memory leak caused multiple processes to stop
responding when VM Information Sources was configured.
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.

PAN-237208 Fixed an issue where the reportd process stopped and the firewall
rebooted.

PAN-235840 Fixed an issue where, after a configuration push from Panorama to
managed firewalls, the status displayed as None and the push took
longer than expected.

PAN-233789 Fixed an issue with commit and push and push operations where the
user was not correctly bound to the scope, which caused all device
groups to be selected for a selective push.

PAN-231148 Fixed an issue where no DHCP option list was defined when using
GlobalProtect.

PAN-229090 Fixed an issue where the logrcvr process stopped responding during
memory allocation failures.

PAN-228515 Fixed an issue where the Elasticsearch cluster health status displayed
as yellow or red due to Elasticsearch SSH tunnel flaps.
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.

PAN-223259 Fixed an issue where selective pushes failed with the error message
Failed to generate selective push configuration.
Unable to retrieve last in-sync configuration for
the device, either a push was never done or version
is too old. Please try a full push.

PAN-217293 Fixed a rare issue where URLs were not accessible when the header
length was greater than 16,000 over HTTP/2.

PAN-199070 Fixed an issue where the all_task and pan_task processes stopped
responding, which impacted traffic.

PAN-OS 10.2.7-h3 Addressed Issues


Issue ID Description

PAN-240197 Fixed an issue where configuration changes made in Panorama and
pushed to the firewall were not reflected on the firewall.

PAN-239144 Fixed an issue where the web interface was slower than expected
when logging in, committing, and pushing changes after upgrading to
PAN-OS 10.2.7.

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate. Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237935 Extended the offline PAN-DB, Panorama, and WildFire certificates
which were previously set to expire on September 2, 2024.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-234929 Fixed an issue where tabs in the ACC such as Network Activity, Threat
Activity, and Blocked Activity did not display data when you applied
a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12
Hours, and the data that was displayed with the Last 24 Hours filter
was not accurate. Reports that were run against summary logs also did
not display accurate results.

PAN-234279 Fixed an issue where the ikemgr process crashed due to an IKEv1
timing issue, which caused commits to fail with the following error
message: Client ikemgr requesting last config in
the middle of a commit/validate, aborting current
commit.

PAN-232377 Fixed an issue where the AddrObjRefresh job failed when the
useridd process restarted.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-231169 (PA-220 firewalls only) Fixed an issue where an unused plugin
incorrectly used memory.

PAN-228273 (Panorama appliances in FIPS-CC mode only) Fixed an issue where
the Elasticsearch cluster did not come up, and the show
log-collector-es-cluster health CLI command displayed the
status as red. This caused log ingestion issues for Panorama appliances
in Panorama mode or Log Collector mode.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-224954 Fixed an issue where, after upgrading and rebooting a Panorama
appliance in Panorama or Log Collector mode, managed firewalls
continuously disconnected.

PAN-224067 Fixed an issue where cookie authentication did not work for
GlobalProtect when an authentication override domain was configured
in the SAML authentication profile.

PAN-224060 (PA-220 Series firewalls only) Fixed an issue where multiple dataplane
processes stopped responding after an upgrade.

PAN-223652 Fixed an issue where data was not thread safe and led to concurrent
read/write issues that caused GPSVC to stop working unexpectedly.

PAN-223270 Fixed an issue with Virtual Wire links on firewalls in active/active
HA configurations where the forwarding path was not preserved in
HTTP/2 cleartext traffic with asymmetric routing.

PAN-222002 Fixed an issue where content updates failed with the error message
Unable to get key pancontent-8.0.pass from cryptod.
Error -9.

PAN-218988 Fixed an issue in FIPS mode where, when importing a certificate
with a new private key, and the certificate used the name of an
existing certificate on the Panorama, the following error message was
displayed: Mismatched public and private keys.

PAN-218057 (PA-7000 Series firewalls only) Fixed an issue where internal path
monitoring failed due to a heartbeat miss.

PAN-217289 Fixed an intermittent issue where HTTP/2 traffic caused buffer
depletion.

PAN-216214 (Panorama managed firewalls in active/active HA configurations
only) Fixed an issue where the HA (high availability) status displayed
as Out of Sync (Panorama > Managed Devices > Health) if local
firewall configurations were made on one of the HA peers. This
caused the next HA configuration sync to overwrite the local firewall
configuration made on the HA peer.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-208395 Fixed an issue where user authentication failed in multi-vsys
environments with the error message User is not in allowlist
when an authentication profile was created in a shared configuration
space.

PAN-202361 Fixed an issue where packets queued to the pan_task process were still
transmitted when the process was not responding.

PAN-189769 Fixed an issue on Amazon Web Services (AWS) Gateway Load
Balancer (GWLB) deployments with overlay routing enabled where,
when a single firewall was the backend of multiple GWLBs, packets
were re-encapsulated with an incorrect source IP address.

PAN-181706 Fixed an issue where the logrcvr process stopped responding after
upgrading to PAN-OS 10.1.

PAN-OS 10.2.7-h1 Addressed Issues


Issue ID Description

PAN-237871 (WF-500 appliances and PAN-DB private cloud deployments only)
Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-236926 Fixed an issue where Elasticsearch shards failed if they were allocated
when tunnels were down, and shards that failed remained unallocated
when tunnels went back up.

PAN-OS 10.2.7 Addressed Issues


Issue ID Description

PAN-236605 Fixed an issue where the configd process stopped responding due to a
deadlock related to rule-hit-count.

PAN-232800 Fixed an issue where critical disk usage for /opt/pancfg increased
continuously and the system logs displayed the following message:
Disk usage for /opt/pancfg exceeds limit, <value>
percent in use.

PAN-232132 Fixed an issue where DNS response packets were malformed when an
Anti-Spyware Security Profile was enabled.

PAN-232059 Fixed an issue with memory management when processing large
certificates using TLSv1.3.

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-231043 Fixed an issue where websites were not able to be opened via
GlobalProtect with SSL-VPN when software cut through was enabled.

PAN-229691 Fixed an issue on Panorama where configuration lock timeout errors
were observed during normal operational commands by increasing
thread stack size on Panorama.

PAN-228998 Fixed an issue where multiple license status checks caused an internal
process to stop responding.

PAN-228877 (PA-7050 firewalls only) Fixed an issue with OOM conditions that
caused slot restarts due to pan_cmd consuming more than 300 MB.

PAN-227539 Fixed an issue where excess WIF process memory use caused
processes to restart due to OOM conditions.

PAN-227368 Fixed an issue where the GlobalProtect app was unable to connect
to a portal or gateway and GlobalProtect Clientless VPN users were
unable to access applications if authentication took more than 20
seconds.

PAN-225337 Fixed an issue on Panorama related to Shared configuration
objects where configuration pushes to multi-vsys firewalls when
authentication took longer than 20 seconds.

PAN-224145 Fixed an issue in multi-vsys environments where, when Panorama was
on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1
release, commits failed on the firewall when inbound inspection mode
was configured in the decryption policy rule.

PAN-223488 Fixed an issue where closed ElasticSearch shards were not deleted,
which resulted in shard purging not working as expected.

PAN-221190 (PA-800 Series firewalls only) Fixed an issue where the firewall
rebooted due to I2C errors when unsupported optics were inserted in
ports 5-8.

PAN-221126 Fixed an issue where Email server profiles (Device > Server Profiles >
Email and Panorama > Server Profiles > Email) to forward logs as email
notifications were not forwarded in a readable format.

PAN-221015 (M-600 Appliances only) Fixed an issue where ElasticSearch processes
did not restart when the appliance was rebooted, which caused the
Managed Collector ES health status to be downgraded.

PAN-218521 (M-600 Appliances in Log Collector mode only) Fixed an issue where
Panorama continuously rebooted and became unresponsive, which
consumed excessive logging disk space and prevented new log
ingestion.

PAN-215268 Fixed an issue where selective push did not work for firewalls on
PAN-OS 9.1 or an earlier release.

PAN-214186 Fixed an issue where category length was incorrect, which caused the
dataplane to restart.

PAN-212761 Fixed an issue where the all_pktproc process stopped responding,
which caused the dataplane to go down and caused HA failover.

PAN-193004 Fixed an issue where /opt/pancfg partition utilization reached
100%, which caused access to the Panorama web interface to fail.

PAN-OS 10.2.6 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.6.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.6 Known Issues
• PAN-OS 10.2.6-h3 Addressed Issues
• PAN-OS 10.2.6-h1 Addressed Issues
• PAN-OS 10.2.6 Addressed Issues

PAN-OS 10.2.6 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.6. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show
cluster-all peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-244648 (PA-5200 Series firewalls only) After a factory reset, the
firewall may get stuck in maintenance mode and be unable
to load the boot image. The firewall fails to enable FIPS-CC
mode during this time.
Workaround: The following workaround allows the firewall
to boot in normal mode but does not apply to FIPS-CC
mode. Attempting to enable FIPS-CC mode after using this
workaround will cause the firewall to reboot and re-enter
maintenance mode.
1. Enter maintenance mode.
2. Select Disk Image > Advanced Options.
3. Select Bootstrap with the options panos-10.2.8,
maint, and maint.
4. Select Bootstrap with the options panos-10.2.8,
sysroot0, and panos.
5. Select Bootstrap with the option sysroot0.
6. Select Reboot.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-234929 The tabs in the ACC, such as Network Activity, Threat
Activity, and Blocked Activity, may not display any data when
you apply a Time filter for the Last 15 minutes, Last Hour,
Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter,
the data displayed may not be accurate. Additionally, reports
run against summary logs may not display accurate results.
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues.

PAN-228515 The ElasticSearch SSH flaps on the M-600 appliance in
Panorama or Log Collector mode. This causes logs to not
display on the Panorama management server (Monitor
> Logs) and the Log Collector health status (Panorama >
Managed Collectors > Status) to display as degraded.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the show
log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
configuration object with an identical name. For example,
a Shared address object called SharedAO1 and a
vsys-specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
configuration. For example, reference the Shared address
object (SharedAO1) in a Shared address group called
SharedAG1.
3. Use the Shared configuration object with the reference
in a vsys-specific configuration. For example, reference
the Shared address group (SharedAG1) in a vsys-specific
policy rule.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
Devices—This option pushes all Shared objects, along
with device group specific objects, to managed firewalls.
This is a global setting and applies to all managed firewalls,
and may result in pushing too many configuration objects
to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
This option specifies that in the event of objects with
the same name, ancestor objects take precedence over
descendent objects. In this case, the Shared objects take
precedence over the vsys-specific object.
This is a global setting and applies to all managed firewalls.
In the example above, if the IP address for the Shared
SharedAO1 object was 10.1.1.1 and the device group
specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-227368 The GlobalProtect app cannot connect to a portal or gateway
and GlobalProtect Clientless VPN users cannot access
applications if authentication takes longer than 20 seconds.
Workaround: Increase the TCP handshake timeout to the
maximum value of 60 seconds.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-226768 When the GlobalProtect app is installed on iOS endpoints
and the gateway is configured to accept cookies, the app
stays in Connecting stage after authentication and the
GlobalProtect log displays the error message, User is not in
allow list. This happens when the app is restarted or when the
app tries to reconnect after disconnection.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) By enabling Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-223488 Closed ElasticSearch shards are not deleted from a Panorama
M-Series or virtual appliance. This causes the ElasticSearch
shard purging to not work as expected, resulting in high disk
usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223457 If the number of group queries exceeds the Okta rate limit
threshold, the firewall clears the cache for the groups. To
avoid encountering this issue, disable the Okta rate limit.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222418 The firewall intermittently records a reconnection message to
the authentication server as an error, even if no disconnection
occurs.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221857 Users are unable to log in to the GlobalProtect app using
SAML authentication after the app is upgraded to 10.2.3-h4
and the GlobalProtect logs display the following error
message: Username from SAML SSO response is different
from the input..
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221126 Email server profiles (Device > Server Profiles > Email and
Panorama > Server Profiles > Email) to forward logs as email
notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as
email notifications in a readable format.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-219644 Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and


logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-193004 The Panorama management server fails to delete old IP


Tag data. This causes the /opt/pancfg partition to reach
This issue is now resolved. See
maximum capacity which impacts Panorama performance.
PAN-OS 10.2.7 Addressed
Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log


interface is unavailable on the web interface and in the PAN-
OS Administrator’s Guide.

PAN-189111 After deleting an MP pod and it comes up, the show


routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers


using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-
gigabit RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-
Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-OS 10.2.6-h3 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.6-h1 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate-Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-OS 10.2.6 Addressed Issues


Issue ID Description

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-229865 (PA-220 firewalls only) Fixed an issue where upgrading to PAN-OS
10.2.5 failed if the firewall was on a PAN-OS 10.1 release.

PAN-229705 Fixed an issue where running the show rule-hit-count CLI
command on Panorama displayed the error message Server
error : Timed out while getting config lock. Please
try again. when attempting to log in or run CLI commands.

PAN-227639 Fixed an issue where the ACC displayed an incorrect DNS-base
application traffic byte count.

PAN-227523 A fix was made to address customer and internal bugs
(CVE-2023-38802).

PAN-227376 Fixed an issue where a memory overrun caused the all_task process to
stop responding.

PAN-225240 Fixed an issue where the OSPF neighbor state remained in exstart
when the OSPF network had more than 40 routes.

PAN-223787 (PA-400 Series and PA-1400 Series firewalls only) Fixed an
issue where commits failed with the error message Error
unserializing profile objects failed to handle
CONFIG_UPDATE_START.

PAN-221728 Fixed an issue where selective pushes did not work after upgrading to
PAN-OS 10.2.4.

PAN-216775 Fixed an issue where the devsrvr process stopped responding at
pan_cloud_agent_get_curl_connection() and the URL cloud
could not be connected.

PAN-214273 Fixed an issue where Elasticsearch logs were not cleared, which
caused the root partition to fill up.

PAN-205015 Fixed an issue where not all users were included in the user group
after an incremental sync between the firewall and the Cloud Identity
Engine.

PAN-204868 Fixed an issue where disk utilization was continuously high due to the
log purger not sufficiently reducing the utilization level.

PAN-198509 Fixed an issue where commits failed due to insufficient CFG memory.

PAN-198043 Fixed a rare issue where a BuildXmlCache job failed on the firewall.

PAN-OS 10.2.5 Known and
Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.5.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.5 Known Issues
• PAN-OS 10.2.5-h6 Addressed Issues
• PAN-OS 10.2.5-h4 Addressed Issues
• PAN-OS 10.2.5-h1 Addressed Issues
• PAN-OS 10.2.5 Addressed Issues

PAN-OS 10.2.5 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.5. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper right-
hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-
all peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.

PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic
logs.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
configuration object with an identical name. For example,
a Shared address object called SharedAO1 and a vsys-
specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
configuration. For example, reference the Shared address
object (SharedAO1) in a Shared address group called
SharedAG1.
3. Use the Shared configuration object with the reference
in a vsys-specific configuration. For example, reference
the Shared address group (SharedAG1) in a vsys-specific
policy rule.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
Devices—This option pushes all Shared objects, along
with device group specific objects, to managed firewalls.
This is a global setting and applies to all managed firewalls,
and may result in pushing too many configuration objects
to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
This option specifies that in the event of objects with
the same name, ancestor objects take precedence over
descendant objects. In this case, the Shared objects take
precedence over the vsys-specific object.
This is a global setting and applies to all managed firewalls.
In the example above, if the IP address for the Shared
SharedAO1 object was 10.1.1.1 and the device group
specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.

PAN-227368 The GlobalProtect app cannot connect to a portal or gateway
and GlobalProtect Clientless VPN users cannot access
applications if authentication takes longer than 20 seconds.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Increase the TCP handshake timeout to the
maximum value of 60 seconds.

PAN-229865 Upgrading a PA-220 firewall running a PAN-OS 10.1 release
fails when the target PAN-OS upgrade version is PAN-OS
10.2.5.
This issue is now resolved. See PAN-OS 10.2.6 Addressed Issues.
Workaround: On your upgrade path to PAN-OS 10.2.5, first
upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS
10.2.5.

PAN-226768 When the GlobalProtect app is installed on iOS endpoints
and the gateway is configured to accept cookies, the app
stays in Connecting stage after authentication and the
GlobalProtect log displays the error message, User is not in
allow list. This happens when the app is restarted or when the
app tries to reconnect after disconnection.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-223677 (PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420,
and PA-5430 firewalls) By enabling Lockless QoS feature,
a slight degradation in App-ID and Threat performance is
expected.

PAN-223488 Closed ElasticSearch shards are not deleted from a Panorama
M-Series or virtual appliance. This causes the ElasticSearch
shard purging to not work as expected, resulting in high disk
usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223457 If the number of group queries exceeds the Okta rate limit
threshold, the firewall clears the cache for the groups. To
avoid encountering this issue, disable the Okta rate limit.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222418 The firewall intermittently records a reconnection message to
the authentication server as an error, even if no disconnection
occurs.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221857 Users are unable to log in to the GlobalProtect app using
SAML authentication after the app is upgraded to 10.2.3-h4
and the GlobalProtect logs display the following error
message: Username from SAML SSO response is different
from the input.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221126 Email server profiles (Device > Server Profiles > Email and
Panorama > Server Profiles > Email) to forward logs as email
notifications are not forwarded in a readable format.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Use a Custom Log Format to forward logs as
email notifications in a readable format.

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This causes the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) to be degraded.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-220180 Configured botnet reports (Monitor > Botnet) are not
generated.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-219644 Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-216214 For Panorama-managed firewalls in an Active/Active High
Availability (HA) configuration where you configure the
firewall HA settings (Device > High Availability) in a template
or template stack (Panorama > Templates), performing a local
commit on one of the HA firewalls triggers an HA config sync
on the peer firewall. This causes the HA peer configuration to
go Out of Sync.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-198708 On the Panorama management server, the File Type
field does not display any data when you view the Detailed
Log View in the Data Filtering log (Monitor > Logs > Data
Filtering > <select log> > DLP).

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-193004 The Panorama management server fails to delete old IP
Tag data. This causes the /opt/pancfg partition to reach
maximum capacity which impacts Panorama performance.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-Active
firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.


PAN-OS 10.2.5-h6 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.


PAN-OS 10.2.5-h4 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate. Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.


PAN-OS 10.2.5-h1 Addressed Issues


Issue ID Description

PAN-229705 Fixed an issue where running the show rule-hit-count CLI
command on Panorama displayed the error message Server
error : Timed out while getting config lock. Please
try again. when attempting to log in or run CLI commands.


PAN-OS 10.2.5 Addressed Issues


Issue ID Description

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-227179 Fixed an issue where routes were not updated in the forwarding table.

PAN-225340 Fixed an issue where GlobalProtect users were unable to connect after
upgrading to PAN-OS 10.2.4 due to an incorrect client authentication
configuration being selected.

PAN-225183 Fixed an issue where SSH tunnels were unstable due to ciphers used
as part of the high availability SSH configuration.

PAN-224273 Fixed an issue where the debug dataplane pow status CLI
command did not display extended NIC statistics.

PAN-223501 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where diagnostic information for the dataplane in the dp-monitor.log
file was not complete.

PAN-223317 Fixed an issue where SSL traffic failed with the error message: Error:
General TLS protocol error.

PAN-223185 Fixed an issue where the distributord process stopped responding.

PAN-222712 (PA-5450 firewalls only) Fixed a low frequency DPC restart issue.

PAN-221984 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where an interface went down after a hotplug event and was
only recoverable by restarting the firewall.

PAN-221881 Fixed an issue where log ingestion to Panorama failed, which resulted
in missing logs under the Monitor tab.

PAN-221836 Fixed an issue where improper SNI detection caused incorrect URL
categorization.

PAN-221708 Fixed an issue where temporary files remained under
/opt/pancfg/tmp/sw-images/ even after manually uploading the content
or AV file to the firewall.

PAN-221647 Fixed an issue where the Apps seen value was not reflected on
Panorama.


PAN-220910 Fixed an issue where an internal management plane NIC caused a
kernel panic when doing a transmit due to the driver reinitializing
under certain failure or change conditions on the same interface during
transmit.

PAN-220899 Fixed an issue where you were unable to choose the manual
GlobalProtect gateway.

PAN-220747 Fixed an issue where logs were not visible after restarting the log
collector.

PAN-220626 Fixed an issue where system warning logs were written every 24
hours.

PAN-220448 Fixed an issue where the GlobalProtect client connection remained at
the prelogin stage when Kerberos SSO failed and was unable to fall
back to the realm authentication.

PAN-220401 Fixed an issue where, during a reboot, an unexpected error message
was displayed that the syslog configuration file format was too old.

PAN-220281 (PA-7080 firewalls only) Fixed an issue where auto-committing
changes after rebooting the Log Forwarding Card (LFC) caused the
logrcvr process to fail to read the configuration file.

PAN-219690 Fixed an issue where GlobalProtect authentication failed when
authentication was SAML with CAS and the portal was resolved with
IPv6.

PAN-219686 Fixed an issue where a device group push operation from Panorama
failed with the following error on managed firewalls: vsys <vsys1>
plugins unexpected here vsys is invalid Commit
failed.

PAN-219659 Fixed an issue where root partition frequently filled up and the
following error message was displayed: Disk usage for /
exceeds limit, xx percent in use, cleaning
filesystem.

PAN-219640 Fixed an issue where a transformation migration script error
caused a commit failure with the error message user-id-agent
unexpected here. This occurred after upgrading the firewall from a
PAN-OS 9.1 release to a PAN-OS 10.0 release.

PAN-219573 Fixed an issue where tag names did not correctly display special
characters.


PAN-219508 (VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400
Series firewalls only) Fixed an issue where Bidirectional Forwarding
Detection (BFD) packets experienced a delay in processing, which
caused the BFD connection to flap.

PAN-219498 Fixed an issue where the Threat ID/Name detail in Threat logs was not
included in syslog messages sent to Splunk.

PAN-219351 Fixed an issue where the all_pktproc process stopped responding
during Layer 7 processing.

PAN-219253 Fixed an issue where, after making changes in a template, the Commit
and Push option was grayed out.

PAN-218947 Fixed an issue where logs were not displayed in Elasticsearch under
ingestion load.

PAN-218697 Fixed an issue where the Elasticsearch status frequently changed to
red or yellow after a PAN-OS upgrade.

PAN-218644 Fixed an issue where the firewall generated incorrect VSA attribute
codes when RADIUS was configured with EAP-based authentication
protocols.

PAN-218620 Fixed an issue where scheduled configuration exports and SCP server
connection testing failed.

PAN-218404 Fixed an issue where ikemgr stopped responding due to receiving
CREATE_CHILD messages with a malformed SA payload.

PAN-218335 Fixed an issue with hardware destination MAC filtering on the Log
Processing Card (LPC) that caused the logging card interface to be
susceptible to unicast flooding.

PAN-218318 Fixed an issue where the firewall changed the time zone automatically
instead of retrieving the correct time zone from the NTP server.

PAN-218264 (PA-3400 and PA-1400 Series firewalls only) Fixed an issue where
packet drops occurred due to slow servicing of internal hardware
queries.

PAN-218151 Fixed an issue where a configuration push to a new firewall did not
work and displayed validation errors.

PAN-218107 Fixed an issue with ciphers used for SSH tunnels where packet lengths
were too large, which made the SSH tunnel unstable.


PAN-218001 (PA-400 Series firewalls only) Fixed an issue where shut down
commands rebooted the system instead of correctly triggering a
shutdown.

PAN-217681 Fixed an issue caused by out of order TCP segments where the TCP
retransmission failed when the TCP segment had the FIN flag and the
TCP data was truncated.

PAN-217582 (VM-Series firewalls on Google Cloud Platform environments only)
Fixed an issue where firewalls failed to load the virtual machine
information source configuration.

PAN-217581 Fixed an issue where the firewall did not initiate scheduled log uploads
to the FTP server.

PAN-217489 Fixed an issue with firewalls in active/passive HA configurations where
the passive firewall MAC flapping occurred when the passive firewall
was rebooted.

PAN-217465 Fixed an issue where the Panorama web interface became
unresponsive and displayed the error message 504 Gateway Not
Reachable.

PAN-217431 (PA-5400 Series firewalls with DPC (Data Processing Cards) only)
Fixed an issue with slot 2 DPCs where URL Filtering did not work as
expected after upgrading to PAN-OS 10.1.9.

PAN-217284 Fixed an intermittent issue where an LACP flap occurred when the
LACP transmission rate was set to Fast.

PAN-217169 Fixed an issue where the logrcvr stopped forwarding logs to the syslog
server after a restart or crash.

PAN-216996 Fixed an issue where multiple User-ID alerts were generated every 10
minutes.

PAN-216957 Fixed an issue where allow list checks in an authentication profile did
not work if the group Distinguished Name contains the ampersand
( & ) character.

PAN-216913 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the brdagent process stopped responding due to missed
heartbeats, which caused the firewall to reboot. This occurred when
the brdagent process and DPDK-managed ports became out of sync
after the Azure infrastructure triggered a hotplug event.


PAN-216821 Fixed an issue where the reportd process stopped responding after
upgrading an M-200 appliance to PAN-OS 10.2.4.

PAN-216662 Fixed an issue where a custom Antispyware profile did not open
and displayed the following error message: The server is not
responding. Please wait and try your operation
again later.

PAN-216366 Fixed an issue where, when custom signatures used a certain syntax,
false positives were generated on devices on a PAN-OS 10.0 release.

PAN-216360 Fixed an issue on Panorama where No Default Selections under Push
to Devices was intermittently deselected after performing a commit
operation.

PAN-216170 (PA-400 Series firewalls in HA configurations only) Fixed an issue
where an HA switchover took longer than expected to bring up ports
on the newly active firewall.

PAN-216054 Fixed an issue that caused the firewall's fan speed to increase while it
was idle.

PAN-216048 Fixed an issue where, when upgrading from a PAN-OS 9.1 release to
a PAN-OS 10.0 release, commits failed with the error message: hip
profiles unexpected here.

PAN-216043 Fixed an issue where wifclient stopped responding due to shared
memory corruption.

PAN-215911 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-215808 Fixed an issue where, after upgrading to PAN-OS 10.1, the log
forwarding rate toward the syslog server was reduced. With this fix,
the overall log forwarding rate has also been improved.

PAN-215780 Fixed an issue where changes to Zone Protection profiles made via
XML API were not reflected in the zone protection configuration.

PAN-215778 Fixed an issue where API Get requests for /config timed out due to
insufficient buffer size.

PAN-215655 Fixed an issue where, after a multidynamic group push, Security policy
rules with the target device tag were added to a firewall that did not
have the tag.


PAN-215503 Fixed a memory-related issue where the MEMORY_POOL address was
mapped incorrectly.

PAN-215496 Fixed an issue where 100G ports did not come up with BIDI QSFP
modules.

PAN-215338 (PA-5400 Series firewalls only) Fixed an issue where the inner VLAN
tag for Q-in-Q traffic was stripped when forwarding.

PAN-215317 Fixed an issue where the dataplane stopped responding unexpectedly
with the error message comm exited with signal of 10.

PAN-215066 Fixed an issue on Panorama where push scope rendering caused the
Commit and Push or Push to Devices operation window to hang for
several minutes.

PAN-215058 Fixed a memory leak related to the logdb process.

PAN-214990 Fixed an issue where firewall copper ports flapped intermittently when
device telemetry was enabled.

PAN-214815 Fixed an issue where SNMP queries were not replied to due to an
internal process timeout.

PAN-214753 Fixed an issue where retrieving WildFire Analysis reports when
choosing WildFire log entries under Detailed Log View displayed the
error Fetching WildFire server xxx report failed!

PAN-214727 Fixed an issue where a memory leak related to the useridd process
resulted in an OOM condition, which caused the process to stop
responding.

PAN-214669 Fixed an issue where FIN and RESET packets were sent in reverse
order.

PAN-214201 Fixed an issue where, after exporting custom reports to CSV format,
the letter b appeared at the beginning of each column.

PAN-214187 Fixed an issue where superreaders were able to execute the request
restart system CLI command.

PAN-214026 Fixed an issue where, when using an ECMP weighted-round-robin
algorithm, traffic was not redistributed among the links
proportionally as expected from the configuration.


PAN-213949 Fixed an issue where the VPN responder stopped responding when it
received a CREATE_CHILD message with no security association (SA)
payload.

PAN-213942 (PA-400 Series firewalls) Fixed an issue where the firewall required an
explicit allow rule to forward broadcast traffic.

PAN-213932 Fixed an issue where, when an incorrect log filter was configured, the
commit did not fail.

PAN-213931 Fixed an issue where the logrcvr process cache was not in sync with
the mapping on the firewall.

PAN-213746 Fixed an issue on Panorama where the Hostkey displayed as
undefined if an SSH Service Profile Hostkey configured in a template
from the template stack was overridden.

PAN-213463 (PA-5200 Series firewalls only) Fixed an issue where unplugging a
PAN-SFP-CG transceiver from an interface with its link speed setting
set to 1000 caused the firewall to incorrectly read that interface as up.

PAN-213296 Fixed an issue where Single Log-out (SLO) was not correctly triggered
from the firewall toward the client, which caused the client to not
initiate the SLO request toward the identity provider (IdP). This
resulted in the IdP not making the SLO callback to the firewall to
remove the user.

PAN-213162 Fixed an issue where an SD-WAN object was not displayed under a
child device group.

PAN-213077 Fixed an issue where the sysdagent process stopped responding, which
caused interfaces and the subsequent connections behind them to fail.

PAN-213060 Fixed an issue where Panorama did not show the target under the
Entities column.

PAN-212978 Fixed an issue where the firewall stopped responding when executing
an SD-WAN debug CLI command.

PAN-212889 Fixed an issue on Panorama where different threat names were used
when querying a threat under Threat Monitor (Monitor > App Scope)
and the ACC. This resulted in the ACC displaying no data after clicking
a threat name in Threat Monitor and filtering it in the global filters.


PAN-212859 Fixed an issue where the pan_task stopped responding briefly
during a commit due to a contention with brdagent updating the
configuration.

PAN-212848 Fixed an issue where attempting to change the disk-usage cleanup
threshold to 90 resulted in the error message Server error : op
command for client dagger timed out as client is
not available.

PAN-212726 Fixed an issue where RTP/RTCP packets were dropped for SIP calls
by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port.

PAN-212577 (PA-5200 Series and PA-7080 firewalls only) Fixed an issue where
commits took longer than expected when more than 45,000 Security
policy rules were configured.

PAN-212576 Fixed an issue where firewall HA clusters in active/active
configurations with Advanced Routing enabled did not reply to ping
requests sent to a virtual IP address.

PAN-212530 Fixed an issue on log collectors where root partition reached 100%
utilization.

PAN-212057 Fixed an issue where Advanced Threat Prevention caused SSL delays
when no URL licenses were present.

PAN-211997 Fixed an issue where large OSPF control packets were fragmented,
which caused the neighborship to fail.

PAN-211887 Fixed an issue on Panorama that caused recently committed changes
to not be displayed when previewing the changes to push to device
groups.

PAN-211843 Fixed an issue where renaming a Zone Protection profile failed with
the error message Obj does not exist.

PAN-211602 Fixed an issue where, when viewing a WildFire Analysis report via the
web interface, the detailed log view was not accessible if the browser
window was resized.

PAN-211575 Fixed an issue where a local commit on Panorama remained at 99% for
longer than expected before completing.


PAN-211519 Fixed an issue where RTP/RTCP packets were dropped for SIP calls
by SIP ALG when the source NAT translation type was persistent
Dynamic IP And Port.

PAN-211441 Fixed a memory leak issue related to SSL crypto operations that
resulted in failed commits.

PAN-211422 Fixed an issue where the show session
packet-buffer-protection buffer-latency CLI command randomly displayed
incorrect values.

PAN-211398 Fixed an issue where dataplane processes stopped responding when
handling HTTP/2 streams.

PAN-211191 Fixed an issue where the firewall restarted after initiating a mgmtsrvr
process restart.

PAN-211041 (Panorama virtual appliances only) Fixed an issue where DHCP
assigned interfaces did not send ICMP unreachable -
Fragmentation needed messages when the received packets were
higher than the maximum transmission unit (MTU).

PAN-210921 (Panorama appliances in Legacy Mode only) Fixed an issue where
Blocked Browsing Summary by Website in the user activity report
contained scrambled characters.

PAN-210883 Fixed an issue where SSL proxy traffic was dropped when DoS zone
protection was enabled.

PAN-210740 Fixed a memory leak issue related to the slotd process.

PAN-210738 Fixed an issue where fragmented UDP packets were dropped.

PAN-210736 Fixed an issue where configuration changes related to the SSH service
profile were not reflected when pushed from Panorama. With this
fix, the deletion of ciphers, MAC, and kex fields of SSH server profiles
and HA profiles won't clear the values under template stacks and will
retain the values configured from templates.

PAN-210661 Fixed an issue where firewalls disconnected from Strata Logging
Service after renewing the device certificate.

PAN-210640 Fixed an issue where applications were not displayed after
authenticating into the clientless VPN.


PAN-210563 Fixed an issue on Panorama where Security policy rules with a Tag
target did not appear in the pre-rule list of a Dynamic Address Group
that was part of the tag.

PAN-210511 Fixed an issue where Panorama commits failed due to an invalid
community value error.

PAN-210502 Fixed an issue where Panorama was unable to convert to PAN-OS 9.1
syntax for WF-500 appliances.

PAN-210456 Fixed an issue where high latency occurred on PA-850-ZTP when SSL
decryption was enabled.

PAN-210452 Fixed an issue where application PCAP was not generated when
Security policy rules were used as a filter.

PAN-210451 Fixed an issue where the firewall did not send the source IP address
of the user to the RADIUS server with the set authentication
radius-vsa-on client-source-ip CLI command.

PAN-210429 (VM-Series firewalls only) Fixed an issue where the HTTP service
failed to come up on DHCP dataplane interfaces after rebooting the
firewall, which resulted in health-check failure on HTTP/80 with a 503
error code on the public load balancer.

PAN-210397 Fixed an issue on Panorama where VM-Series firewalls in HA
configurations hosted on Amazon Web Services (AWS) were not
displayed under Deploy Master Key.

PAN-210364 Fixed an issue where high latency was observed when accessing
internal web applications, which interrupted development activities
related to the web server.

PAN-210325 Fixed an issue on the firewall where the configuration log always
displayed commit-all operations as successful even when the commit
failed.

PAN-210216 A debug command was added to address an issue with firewalls in high
availability configurations.

PAN-210158 (CN-Series firewalls only) Fixed an issue where the dataplane stopped
responding after a container restart.

PAN-210000 Fixed an issue where, when traffic and Threat logs exceeded the
threshold of 90% total allowed size, alarms were not generated for
other log types.


PAN-209937 Fixed an issue where administrators using certificate-based
authentication were unable to log in to the Panorama or firewall web
interface and received the following error message: Bad Request -
Your browser sent a request that this server could
not understand.

PAN-209930 Fixed an issue where cloned rules pushed from Panorama were not
shown on the managed firewall.

PAN-209872 Fixed an issue where dataplane ports responded to ICMP requests
fewer than 64 bytes with nonzero padding bytes in the ICMP
response.

PAN-209696 Fixed an issue where link-local address communication for IPv6, BFD,
and OSPFv3 neighbors was dropped when IP address spoofing check
was enabled in a Zone Protection profile.

PAN-209683 Fixed an issue where Panorama was unable to retrieve
IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.

PAN-209617 Fixed an issue with firewalls in active/passive HA configurations where
the passive firewall created an incorrect SCTP association due to the
HA sync messages from the active firewall having an incorrect value.

PAN-209585 The Palo Alto Networks QoS implementation now supports a new QoS
mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430,
and PA-5440 firewalls. For firewalls with higher bandwidth QoS
requirements, the lockless QoS dedicates cores to the QoS function
that improves QoS performance, resulting in improved throughput and
latency.

PAN-209501 Fixed an issue where the GlobalProtect logdb quota was not
displayed in the show system logdb quota output.

PAN-209375 Fixed an issue on the firewall where log filtering did not work as
expected.

PAN-209172 Fixed an issue where the firewall was unable to handle GRE packets
for Point-to-Point Tunneling Protocol (PPTP) connections.

PAN-209108 Fixed an issue where a Panorama in Management Only mode was
unable to display logs from log collectors due to missing schema files.

PAN-208902 Fixed an issue where, when a client sent a TCP/FIN packet, the
firewall displayed the end reason as aged-out instead of tcp-fin.


PAN-208792 Fixed an issue where authentication failed when the service route for
RADIUS traffic was configured as use default for IPv4 addresses and
included the dataplane interface as the destination route.

PAN-208567 Fixed an issue with email formatting where, when a scheduled email
contained two or more attachments, only one attachment was visible.

PAN-208343 Fixed an issue where telemetry regions were not visible on Panorama.

PAN-208325 (PA-5400 Series, PA-3400 Series, and PA-400 Series only) Fixed an
issue where the firewall was unable to automatically renew the device
certificate.

PAN-208316 Fixed an issue where user-group names were unable to be configured
as the source user via the test security-policy-match
command.

PAN-208201 Fixed an issue on the firewall where the modified date and time was
incorrectly updated after a commit operation, PAN-OS upgrade, or
reboot.

PAN-208198 Fixed an issue with firewalls in active/passive HA configurations
where, after rebooting the passive firewall, interfaces were briefly
shown as powered up, and then shown as down or shutdown.

PAN-208187 Fixed an issue where REST API requests did not work for
GlobalProtect gateway tunnels.

PAN-208090 Fixed an issue where the ACC report did not display data when
querying the filter for the fields Source and Destination IP.

PAN-208039 (PA-7000 Series firewalls with SMC-B only) Fixed an issue where the
details of configuration changes were not included in configuration
logs on the syslog server.

PAN-207842 Fixed an issue where WildFire Analysis reports were not visible when
the WF-500 appliance was on private cloud.

PAN-207741 Fixed an issue where Large Scale VPN (LSVPN) Portal authentication
failed with the error invalid http response. return
error(Authentication failed; Retry authentication
when the satellite connected to more than one portal.

PAN-207700 Fixed an issue where the show system info and show system
ztp status CLI commands displayed a different Zero Touch
Provisioning (ZTP) status if a firewall upgrade was initiated from
Panorama before the initial commit push succeeded.

PAN-207661 Fixed an issue with firewalls in active/active HA configurations
where the virtual floating IP address configuration under a
Panorama template was overridden and displayed From Template
Override: undefined as a source.

PAN-207604 Fixed an issue where system logs continuously generated the log
message Not enough space to load content to SHM.

PAN-207457 Fixed an issue where the MLAV allow list did not work for some types
of traffic.

PAN-207240 Fixed an issue where mprelay repeatedly restarted, which
caused commits to remain at 70% before failing with the error
message A communication error happened during the
configuration commit to the data plane, please try
again.

PAN-206765 Fixed an issue where log forwarding filters involving negation did not
work.

PAN-206640 Fixed an issue where the ikemgr process stopped responding, which
caused IPSec tunnels to go down.

PAN-206396 Fixed an issue where HIP report flip and HIP check failed when a user
was part of multiple user groups with different domains.

PAN-206391 Fixed an issue where shared objects were seen under the push scope
with every configuration push.

PAN-206333 Fixed an issue where the Include/Exclude IP filter under Data
Distribution did not work correctly.

PAN-206278 Fixed an issue where a critical system log was generated when the
boot drive for PA-7000 Series firewall Switch Management Cards
(SMCs) failed.

PAN-206221 Fixed an issue where scheduled configuration pushes with Include
Device and Network Templates selected did not work.

PAN-205513 Fixed an issue where the stats dump file generated by Panorama for
a device firewall differed from the stats dump file generated by the
managed device.


PAN-205369 Fixed an issue where connections to Strata Logging Service were
initialized from the firewall even when Strata Logging Service
forwarding was disabled.

PAN-205086 Fixed an issue where DNS Security categories were able to be deleted
from spyware profiles.

PAN-204718 (PA-5200 Series firewalls only) Fixed an issue where, after upgrading
to PAN-OS 10.1.6-h3, a TACACS user login displayed the following
error message during the first login attempt: Could not chdir to
home directory /opt/pancfg/home/user: Permission
denied.

PAN-204683 Fixed an issue where logs were unable to be generated due to old logs
not getting purged and /opt/panlogs reaching over 100% usage.

PAN-204530 Fixed an issue where giving up FTP or SCP sessions for log export
took longer than expected after a failure to export the log when one
of the destination hosts designated in the scheduled log export was
unresponsive.

PAN-204420 (WF-500 appliances only) Fixed an issue where, after an upgrade to a
PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server.
This occurred due to SNMP trap server settings not being enabled.

PAN-204233 Fixed an issue where, when the firewall received a 513 error from the
WildFire cloud, the firewall attempted to repeatedly send the same
file.

PAN-204215 (PA-7000 Series firewalls with Log Processing Cards (LPCs) only)
Fixed an issue where performing a commit operation resulted in the
following error messages: log forwarding is setup for data
but log-card interface is not setup or log forwarding
is setup for traffic but log-card interface is not
setup.

PAN-203791 (PA-3400 and PA-5400 Series firewalls only) Fixed an issue where
the log type correlation was not configurable and displayed as
$.Format.Correlation (Device > Server Profile > syslog >
<Profile-name> > Customer log format > log type).

PAN-203655 Fixed an issue where, after enabling event-specific traps (Device > Setup >
Operations > Miscellaneous > SNMP Setup), the new deviating device
system logs included incorrect information.

PAN-203611 Fixed an issue where URL categorization was not recognized for URLs
that contained more than 100 characters.

PAN-203222 Fixed an issue where commit-all operations took longer than expected
due to cURL failures and timeouts related to external dynamic list
retrieval.

PAN-203168 Fixed an issue where the WIF state was not cleaned up promptly
after usage, which caused allocation failure. This fix increased the
wif_state quota.

PAN-202981 Fixed an issue on Panorama where global find did not return results for
existing universally unique identifiers (UUID).

PAN-202963 Fixed an issue where the system log message dsc HA state is
changed from 1 to 0 was generated with the severity High. With
this fix, the severity was changed to Info.

PAN-202524 Fixed an issue where the session ID was missing in the session details
section of the ingress-backlogs XML API output.

PAN-202516 Fixed an issue where the firewall stopped responding if it received an
illegal packet with SRC port = 0 encapsulated within a VXLAN packet.

PAN-201855 Fixed an issue where, after cloning a template, a certificate with the
block private key option enabled was corrupted.

PAN-201721 Fixed an issue with firewalls in HA configurations where HA setup
generated the error mismatch due to device update during a
content update even though the version was the same.

PAN-201515 Fixed an issue with the web interface where the cursor disappeared
under the Policies and Objects tabs on the search bar if the cursor was
moved quickly.

PAN-201466 Fixed an issue where the system log generated on GlobalProtect
satellite did not provide the reason for failures to connect to the
GlobalProtect portal or gateway.

PAN-200757 Fixed an issue with client certificate generation on Panorama, which
resulted in a firewall being unable to connect to a log collector.

PAN-200394 Fixed an issue where, after a push from Panorama to one or more
device groups in a multi-vsys environment, vulnerability profile
exceptions were not seen on all firewalls.

PAN-199819 Fixed an issue where, if a decryption profile allowed TLS1.3, but
the server only supported TLS1.2, and the cipher used by the first
connection to the server was a CBC SHA2 cipher suite, the connection
failed.

PAN-199687 Fixed an issue where content updates failed when using prelicensed
keys during the bootstrap process.

PAN-199557 Fixed an issue on Panorama where virtual memory usage exceeded the
set limit, which caused the configd process to restart.

PAN-198453 Fixed an issue where you were unable to resize the Description pop-
up window (Policies > Security > Prerules).

PAN-198050 Fixed an issue where Connection to update server is
successful messages displayed even when connections failed.

PAN-197493 Fixed an issue where having multiple terminal service agents with the
same hostname caused the firewall to reboot.

PAN-197467 Fixed an issue on Panorama where the WildFire Test-Configuration
feature did not work as expected.

PAN-197388 Fixed an issue where, when the firewall forwarded Threat logs via
email, the email client truncated the sender and recipient email
addresses when they were put between angle brackets (<, >).

PAN-196956 Fixed an issue where URL Filtering logs did not display matching
entries when filtered by device name.

PAN-196923 Fixed an issue where the interface option did not have a source
address in the cURL command, which caused a DNS lookup error and
resulted in DNS lookup failing for device Telemetry.

PAN-196597 Fixed an issue where the dnsproxyd process stopped responding due to
corruption.

PAN-196417 (PA-7000 Series firewalls only) Fixed an issue where firewalls
experienced slow SNMP responses, which caused the SNMP server to
time out before polling completion.

PAN-196345 Fixed an issue where scheduled dynamic content updates failed to be
retrieved by managed firewalls from Panorama when connectivity was
slow.

PAN-195788 Fixed an issue where zip files did not download when applying Security
inspection and the following error message displayed:
resources-unavailable.

PAN-195439 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the dataplane interface status went down after a hotplug
event triggered by Azure infrastructure.

PAN-195251 Fixed an issue where IPSec tunnel re-key generated the critical log
message tunnel-status-up.

PAN-193521 Fixed an issue where Panorama > Device > Deployment > Software
did not display software after running check now for managed devices.

PAN-190903 Fixed an issue where MAC addresses in threat capture were swapped
between the source MAC and destination MAC addresses.

PAN-190435 Fixed an issue where, after committing a configuration change, the
Task Manager commit Status went directly from 0% to Completed
instead of reflecting the accurate commit job process.

PAN-190055 (VM-Series firewalls only) Fixed an issue where the firewall did not
follow the set Jumbo MTU value.

PAN-189442 Fixed an issue where the all_pktproc process stopped responding,
which caused the firewall to reboot.

PAN-189423 Fixed an issue where exporting correlation logs generated an empty
file.

PAN-189328 Fixed an issue where traffic belonging to the same session was sent
out from different ECMP enabled interfaces.

PAN-187989 Fixed an issue where a user who did not have permissions for other
access domains was able to view the commit and configuration lock.

PAN-186956 Fixed an issue where SD-WAN DIA VIF did not become active if
default gateways for member interfaces did not respond to pings.

PAN-186182 Fixed an issue where software buffer 3 was depleted when URL proxy
was enabled and SSL sessions were decrypted to inject the block page.
This issue occurred when an HTTP/2 block page was displayed for a
large POST request.

PAN-185249 Fixed an issue where Template Stack overrides (Dynamic Updates >
App & Threats > Schedule) were not able to be reverted via the web
interface.

PAN-185135 (VM-Series firewalls on Kernel-based Virtual Machine (KVM) only)
Fixed an issue where the physical port counters (including SNMP) on
the dataplane interfaces increased when DPDK was enabled.

PAN-184630 Fixed an issue where TLS clients, such as those using OpenSSL 3.0,
enforced the TLS renegotiation extension (RFC 5746).

PAN-183297 Fixed an issue where, when the firewall received a large amount of
user information, the firewall was unable to output IP address-to-
username mapping information via XML API.

PAN-182960 Additional error logs were added for an issue where, when multiple
Panorama web interface sessions were opened, active lock did not
show up on the web interface for any session.

PAN-182734 Fixed an issue where, on an Advanced Routing Engine, BGP peering
flapped after a commit.

PAN-180082 Fixed an issue where errors in brdagent logs caused dataplane path
monitoring failure.

PAN-177227 (VM-Series firewalls on Amazon Web Services environments only)
Fixed an issue where traffic sent from a GENEVE tunnel to the firewall
was dropped if the firewall attempted to encapsulate traffic into an
IPSec tunnel.

PAN-176412 Fixed an issue where changing the password of a local database user
did not work.

PAN-172977 Fixed an issue where session offloading did not occur on a tap
interface under a high packet load.

PAN-172600 Fixed an issue where the CLI command show rule-hit-count did
not provide all details of the rule from the device group.

PAN-169586 Fixed an issue where scheduled log view reports in emails didn't match
the monitor page query result for the same time interval.

PAN-168102 Fixed an issue where the API format to check heap usage of a node
showed a JSON error.

PAN-160633 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only)
Fixed an issue where the dataplane restarted repeatedly due to an
internal path monitoring failure until a power cycle.

PAN-151692 Fixed a permission issue where a Panorama administrator was
unable to download or install Dynamic Updates (Panorama > Device
Deployment).

PAN-OS 10.2.4 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.4.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.4 Known Issues
• PAN-OS 10.2.4-h16 Addressed Issues
• PAN-OS 10.2.4-h10 Addressed Issues
• PAN-OS 10.2.4-h4 Addressed Issues
• PAN-OS 10.2.4-h3 Addressed Issues
• PAN-OS 10.2.4-h2 Addressed Issues
• PAN-OS 10.2.4 Addressed Issues

PAN-OS 10.2.4 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.4. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper right-
hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-all peers
CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the
show log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-227342 (PA-7000 Series firewalls only) In an Active/Active High
Availability (HA) setup, enabling hardware offload can result
in web traffic being blocked.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
configuration object with an identical name. For example,
a Shared address object called SharedAO1 and a vsys-
specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
configuration. For example, reference the Shared address
object (SharedAO1) in a Shared address group called
SharedAG1.
3. Use the Shared configuration object with the reference
in a vsys-specific configuration. For example, reference
the Shared address group (SharedAG1) in a vsys-specific
policy rule.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
Devices—This option pushes all Shared objects, along
with device group specific objects, to managed firewalls.
This is a global setting and applies to all managed firewalls,
and may result in pushing too many configuration objects
to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
This option specifies that in the event of objects with
the same name, ancestor objects take precedence over
descendent objects. In this case, the Shared objects take
precedence over the vsys-specific object.
This is a global setting and applies to all managed firewalls.
In the example above, if the IP address for the Shared
SharedAO1 object was 10.1.1.1 and the device group
specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223488 Closed ElasticSearch shards are not deleted from a Panorama
M-Series or virtual appliance. This causes the ElasticSearch
shard purging to not work as expected, resulting in high disk
usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collectors) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-220180 Configured botnet reports (Monitor > Botnet) are not generated.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-219644 Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-216821 The reportd process crashes after you successfully upgrade
an M-200 appliance to PAN-OS 10.2.4.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-215778 On the M-600 appliance in Management Only mode, XML
API Get requests for /config fail with the following error
due to exceeding the total configuration size supported on
the M-600 appliance.
504 Gateway timeout
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212978 The Palo Alto Networks firewall stops responding when
executing an SD-WAN debug operational CLI command.
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-210366 On the Panorama management server in a high availability
(HA) configuration, the primary HA peer may enter a
primary-non-functional state and generate a system
log (Monitor > Logs > System) with the following message:
High root partition usage: going to state Non-Functional
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-440, PA-450, and PA-460 Firewalls
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin> request certificate fetch

This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-204689 Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect
settings do not work:
• Allow user to disconnect GlobalProtect App > Allow with
Passcode
• Allow user to Disable GlobalProtect App > Allow with
Passcode
• Allow User to Uninstall GlobalProtect App > Allow with
Password

PAN-201855 On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA
peer.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-198708 On the Panorama management server, the File Type
field does not display any data when you view the Detailed
Log View in the Data Filtering log (Monitor > Logs > Data
Filtering > <select log> > DLP).

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-190435 When you Commit a configuration change, the Task Manager
commit Status goes directly from 0% to Completed and
does not accurately reflect the commit job progress.

PAN-189111 After deleting an MP pod and it comes up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.

Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-160633 (PA-3200 Series, PA-5200 Series, and PA-7000 Series
firewalls only) The dataplane restarts repeatedly due to
internal path monitoring failures until a power cycle.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-OS 10.2.4-h16 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.4-h10 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate.
• Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-OS 10.2.4-h4 Addressed Issues


Issue ID Description

PAN-223501 Fixed an issue where diagnostic information for the
dataplane in the dp-monitor.log file was not complete.

PAN-222712 (PA-5450 firewalls only) Fixed a low frequency DPC
restart issue.

PAN-221984 (VM-Series firewalls in Microsoft Azure environments
only) Fixed an issue where an interface went down after a
hotplug event and was only recoverable by restarting the
firewall.

PAN-221836 Fixed an issue where improper SNI detection caused
incorrect URL categorization.

PAN-219508 (VM-Series, PA-400 Series, PA-1400, PA-3400, and
PA-5400 Series firewalls only) Fixed an issue where
Bidirectional Forwarding Detection (BFD) packets
experienced a delay in processing, which caused the BFD
connection to flap.

PAN-217489 Fixed an issue with firewalls in active/passive high
availability (HA) configurations where the passive firewall
MAC flapping occurred when the passive firewall was
rebooted.

PAN-216043 Fixed an issue where wifclient stopped responding due to
shared memory corruption.

PAN-215655 Fixed an issue where, after a multi-dynamic group push,
Security policies with the target device tag were added to a
firewall that did not have the tag.

PAN-215066 Fixed an issue on Panorama where push scope rendering
caused the commit and push or push operation window to
hang for several minutes.

PAN-214187 Fixed an issue where superreaders were able to execute
the request restart system CLI command.

PAN-211191 Fixed an issue where the firewall restarted after initiating
a mgmtsrvr process restart.

PAN-210661 Fixed an issue where firewalls disconnected from Strata
Logging Service after renewing the device certificate.

PAN-210429 (VM-Series firewalls only) Fixed an issue where the HTTP
service failed to come up on DHCP dataplane interfaces
after rebooting the firewall, which resulted in health-check
failure on HTTP/80 with a 503 error code on the
public load balancer.

PAN-195439 (VM-Series firewalls in Microsoft Azure environments
only) Fixed an issue where the dataplane interface status
went down after a hotplug event triggered by Azure
infrastructure.

PAN-169586 Fixed an issue where scheduled log view reports in emails
didn't match the monitor page query result for the same
time interval.

PAN-OS 10.2.4-h3 Addressed Issues


Issue ID Description

PAN-222035 Fixed an issue where, when multiple portals were
configured in Prisma Access deployments, CIE SAML
authentication failed on the secondary portal.

PAN-221068 Fixed an issue where the firewall restarted after a failed
push from Panorama, which resulted in autocommit
failures.

PAN-219355 Fixed an issue where disk space became full due to a
GPSVC FD leak.

PAN-219333 Fixed an issue where a secondary Prisma Access Portal
address with port 8443 did not work.

PAN-218620 Fixed an issue where scheduled configuration exports and
SCP server connection testing failed.

PAN-218368 Fixed an issue with incorrect VLAN tagging on Intel based
platforms that occurred when opening a response page
from a virtual-wire subinterface.

PAN-218340 Fixed a memory leak issue related to the configd process
that affected selective pushes on Panorama.

PAN-218267 Fixed an issue where a partial commit and push operation
from Panorama to managed firewalls did not work as
expected.

PAN-218046 Fixed an issue where the Virtual Routers (Network
> Virtual Routers) setting was not available when
configuring a custom admin role (Device > Admin Roles).

PAN-217053 Fixed an issue where the configd process stopped
responding after a selective push to multiple device
groups failed.

PAN-215899 Fixed an issue with Panorama appliances in high
availability (HA) configurations where configuration
synchronization between the HA peers failed.

PAN-215767 Fixed an issue where, after a high availability failover,
IKE SA negotiation failed with the error message
INVALID_SPI, which resulted in temporary loss of traffic
over some proxy IDs.

PAN-215324 (PA-5400 Series firewalls with Jumbo Frames enabled
only) Fixed an issue with CPU throttling and buffer
depletion.

PAN-215315 Fixed an issue where the dataplane stopped responding
due to ager and inline packet processing occurring
concurrently on different cores for the same session.

PAN-214463 Fixed an issue where IKE rekey negotiation failed with a
third-party vendor and the firewall acting as the initiator
received a response with the VENDOR_ID payload and
the error message unexpected critical payload
(type 43).

PAN-213973 Fixed an issue where the authd process stopped
responding during a cleanup of authentication server
context.

PAN-212978 Fixed an issue where the firewall stopped responding
when executing an SD-WAN configuration or operational
CLI command.

PAN-210366 Fixed an issue where deleting a device group when a
selective configuration push was in progress caused the
configd process to stop responding.

PAN-208240 Fixed an issue where, when attempting to replace an
existing certificate, importing a new certificate with
the same name as the existing certificate failed due to
mismatched public and private keys.

PAN-OS 10.2.4-h2 Addressed Issues


Issue ID Description

PAN-218285 Fixed an issue where, after switching the SPN by
suspending the active SPN, the forwarding rule was not
correctly pointing to the new active node when moved
from 3 rules (TCP/UDP/ICMP) to 1 Layer 3 default rule in
GCP.

PAN-217484 Fixed an issue where the rasmgr process used 100% CPU
due to a maximum duration timer not being set, which
caused the GlobalProtect gateway to be unavailable.

PAN-217431 Fixed an issue with slot 2 DPCs where URL Filtering did
not work as expected after upgrading to PAN-OS 10.1.9.

PAN-216710 Fixed an issue with firewalls in active/active HA
configurations where GlobalProtect disconnected when
the original suspected active-primary firewall became
active-secondary.

PAN-216036 Fixed an issue where the all_pktproc process
stopped responding, which caused the firewall to enter a
nonfunctional state.

PAN-215823 Fixed an issue on log collectors where the reportd
process stopped responding.

PAN-215496 Fixed an issue where 100G ports did not come up with
BIDI QSFP modules.

PAN-214406 Fixed an issue with Elasticsearch where ES tunnels
weren’t started and were forked incorrectly, which caused
them to fail.

PAN-213079 Fixed an issue with Captive Portal SAML authentication
by increasing the number of retries in the Nginx
configuration.

PAN-212726, PAN-211519 Fixed an issue where RTP/RTCP packets were dropped
for SIP calls by SIP ALG when the source NAT translation
type was persistent Dynamic IP And Port.

PAN-211870 Fixed an issue where path monitoring failure occurred,
which caused high availability failover.

PAN-195912 Fixed an issue where connections from the firewall to
Strata Logging Service failed.

PAN-OS 10.2.4 Addressed Issues


Issue ID Description

WF500-5976 (WF-500 appliances only) Fixed an issue where files were incorrectly
detected as malicious.

WF500-5953 Fixed an issue where testing the same file sample using a PowerShell
script returned different verdicts in Private Cloud and Public Cloud.

WF500-5920 Fixed an issue where an elink parser did not work.

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-220741 (Firewalls in active/passive HA configurations only) Fixed an issue
where, when redistribution agent connections to the passive firewall
failed, excessive system alerts for the failed connection were
generated. With this fix, system alerts are logged every 5 hours instead
of 10 minutes.

PAN-219686 Fixed an issue where a device group push operation from Panorama
failed with the following error on managed firewalls:
vsys -> vsys1 -> plugins unexpected here
vsys is invalid
Commit failed

PAN-216656 Fixed an issue where the firewall was unable to fully process the user
list from a child group when the child group contained more than
1,500 users.

PAN-216314 (PA-3200 Series firewalls only) Fixed an issue where, after upgrading
to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application
traffic sessions disconnected even when a session was active. This
occurred due to the application default session timeout value being
exceeded.

PAN-215911 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-215488 Fixed an issue where an expired Trusted Root CA was used to sign the
forward proxy leaf certificate during SSL Decryption.

PAN-215461 Fixed an issue where the packet descriptor leaked over time with GRE
tunnels and keepalives.

PAN-215125 Fixed an issue where false negatives occurred for some script samples.

PAN-214634 Fixed an issue where an elink parser did not work.

PAN-214624 Fixed an issue where the logrcvr process stopped responding.

PAN-214337 Fixed an issue on the firewall related to the gp_broker configuration
transform that led to longer commit times.

PAN-214037 (PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only) Fixed an
issue where firewalls in active/active HA configurations experienced
packet drop when running asymmetric traffic.

PAN-213973 Fixed an issue where the authd process stopped responding during a
cleanup of authentication server context.

PAN-213661 Fixed an issue where memory allocation failure caused dataplane
processes to restart. This issue occurred when decryption was enabled
and the device was under heavy L7 usage.

PAN-213011 Fixed an issue where, when using multi-factor authentication (MFA)
with RADIUS OTP, the challenge message Enter Your Microsoft
verification code did not appear when accessing the GlobalProtect
portal via browser.

PAN-212982 Fixed an issue where the logrcvr process stopped responding with
MICA HTTP2 traffic.

PAN-212409 Fixed an issue where there were duplicate IPSec Security Associations
(SAs) for the same tunnel, gateway, or proxy ID.

PAN-211242 Fixed an issue where missed heartbeats caused the Data Processing
Card (DPC) and its corresponding Network Processing Card (NPC) to
restart due to internal packet path monitoring failure.

PAN-210919 Fixed an issue where the Data Processing Card remained in a
Starting state after a restart.

PAN-210892 (M-600 and M-700 appliances only) Fixed an issue where the
Elasticsearch shard count grew continuously without limit.

PAN-210875 Fixed an issue where the pan_task process stopped responding due to
software packet buffer 3 trailer corruption, which caused the firewall
to restart.

PAN-210561 Fixed an issue where the all_task process repeatedly restarted due to
missed heartbeats.

PAN-210481 Fixed an issue where botnet reports were not generated on the
firewall.

PAN-210449 Fixed an issue where the value for shared objects used in policy
rules was not displayed on multi-vsys firewalls when pushed from
Panorama.

PAN-210331 Fixed an issue where the firewall did not send device telemetry files
to Strata Logging Service with the error message Send File to
Strata Logging Service Receiver Failed.

PAN-210327 (PA-5200 Series firewalls only) Fixed an issue where, upon upgrading to
PAN-OS 10.1.7, an internal loop caused an increase in the packets
received per second.

PAN-210237 Fixed an issue where system logs generated by Panorama for commit
operations showed the severity as High instead of Informational.

PAN-210080 Fixed an issue where the useridd process stopped responding when
add and delete member parameters in an incremental sync query were
empty.

PAN-209660 Fixed an issue where a selective push from Panorama to multiple
firewalls failed due to a missing configuration file, which caused a
communication error.

PAN-209346 Fixed an issue where, after upgrading to PAN-OS 10.2.3, HA peers
received conflicting ARP messages that indicated a duplicate IP
address.

PAN-209305 Fixed a memory space issue where the content and threat detection
(CTD) process flow cleanup during inline cloud analysis did not work.

PAN-209226 Fixed an issue where the feature bits function reused shared memory,
which resulted in a memory allocation error and caused the dataplane
to go down.

PAN-209069 Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field
were not logged when the IP address contained an associated port
number.

PAN-209021 Fixed an issue where packets were fragmented when SD-WAN VPN
tunnel was configured on aggregate ethernet interfaces and
sub-interfaces.

PAN-208987 (PA-5400 Series only) Fixed an issue where packets were not
transmitted from the firewall if its fragments were received on
different slots. This occurred when aggregate ethernet (AE) members
in an AE interface were placed on a different slot.

PAN-208922 A fix was made to address an issue where an authenticated
administrator was able to commit a specifically created configuration
to read local files and resources from the system (CVE-2023-38046).

PAN-208930 (PA-7000 Series firewalls only) Fixed an issue where auto-tagging in
log forwarding did not work.

PAN-208877 Fixed an issue where the all_task process stopped responding when
freeing the HTTP2 stream, which caused the dataplane to go down.

PAN-208737 Fixed an issue where domain information wasn't populated in IP
address-to-username matching after a successful GlobalProtect
authentication using an authentication override cookie.

PAN-208724 Fixed an issue where port pause frame settings did not work as
expected and incorrect pause frames occurred.

PAN-208718 Additional debug information was added to capture internal details
during traffic congestion.

PAN-208711 (PA-5200 Series firewalls only) The CLI command debug dataplane
set pow no-desched yes/no was added to address an issue
where the all_pktproc process stopped responding and caused traffic
issues.

PAN-208537 Fixed an issue where the licensed-device-capacity was
reduced when multiple device management license key files were
present.

PAN-208485 Fixed an issue where NAT policies were not visible on the CLI if they
contained more than 32 characters.

PAN-208189 Fixed an issue where traffic failed to match and reach all destinations
if a Security policy rule included FQDN objects that resolved to two or
more IP addresses.

PAN-208157 Fixed an issue where malformed hints sent from the firewall caused
the logd process to stop responding on Panorama, which caused a
system reboot into maintenance mode.

PAN-208079 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where the PAN-DB engine did not start when using a VM-Series
firewall Flex based CPU.

PAN-207983 Fixed an issue on Panorama in Management Only mode where the
logdb database incorrectly collected traffic, threat, GTP, decryption,
and corresponding summary logs.

PAN-207940 Fixed an issue on platforms with RAID where disk checks were performed
weekly, which caused logs to incorrectly state that RAID was
rebuilding.

PAN-207891 Fixed an issue on Panorama where log migration did not complete
after an upgrade.

PAN-207740 Fixed an issue that resulted in a race condition, which caused the
configd process to stop responding.

PAN-207738 Fixed an issue where the ocsp-next-update-time CLI command
did not execute for leaf certificates with certificate chains that did not
specify OCSP or CRL URLs. As a result, the next update time was 60
minutes even if a different time was set.

PAN-207663 Fixed a Clientless VPN issue where JSON stringify caused issues with
the application rewrite.

PAN-207629 Fixed an issue where a selective push to firewalls failed if the firewalls
were enabled with multiple vsys and the push scope contained shared
objects in device groups.

PAN-207623 Fixed an issue on Panorama where log migration did not complete as
expected.

PAN-207610 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where Log Admin Activity was not visible on the web interface.

PAN-207602 Fixed an issue where file streams were opened or closed twice due to
a race condition which caused Linux to stop responding.

PAN-207601 Fixed an issue where URL cloud connections were unable to resolve
the proxy server hostname.

PAN-207533 Fixed an issue with firewalls in HA configurations where ARP and IPv6
multicast packets were transmitted from the passive firewall.

PAN-207455 Fixed an issue where the pan_task process stopped responding when
processing client certificate requests from the server in TLS1.3.

PAN-207426 Fixed an issue where a selective push did not include the Share
Unused Address and Service Objects with Devices option on
Panorama, which caused the firewall to not receive the objects during
the configuration push.

PAN-207400 Fixed an issue on Octeon based platforms where fragmented VLAN
tagged packets dropped on an aggregate interface.

PAN-207390 Fixed an issue where, even after disabling Telemetry, Telemetry
system logs were still generated.

PAN-207260 A commit option was enabled for Device Group and Template
administrators after a password change.

PAN-207045 (PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX
transceivers used on ports 5 to 8 did not renegotiate with peer ports
after a reload.

PAN-207043 Fixed an issue on PAN-OS 10.2.3 where ports 41-44 remained down
when the PAN-QSFP28-DAC-5M cable was connected.

PAN-206963 (M-700 Appliances only) A CLI command was added to check the
status of each physical port of a bond1 interface.

PAN-206921 Fixed an issue where GlobalProtect client certificate authentication
failed on a gateway when the gateway was placed behind a NAT.

PAN-206858 Fixed an issue where a segmentation fault occurred due to the useridd
process being restarted.

PAN-206796 Fixed an issue where cfg.lcaas-region was not reset when it was
empty, which caused Strata Logging Service onboarding to fail.

PAN-206755 Fixed an issue where, when a scheduled multi-device group push occurred,
the configd process stopped responding, which caused the push to fail.

PAN-206658 Fixed a timeout issue in the Intel ixgbe driver that resulted in internal
path monitoring failure.

PAN-206629 (VM-Series firewalls in AWS environments only) Fixed an issue where
newly bootstrapped firewalls did not forward logs to Panorama.

PAN-206393 (PA-5280 firewalls only) Fixed an issue where memory allocation
errors caused decryption failures that disrupted traffic with SSL
forward proxy enabled.

PAN-206382 Fixed an issue where authentication sequences were not populated
in the drop down when selecting authentication profiles during
administrator creation in a template.

PAN-206253 (PA-3400 Series firewalls only) Fixed an issue where the default log
rate value was too low, and the maximum configurable log rate was
capped incorrectly, which caused the firewall to not generate more
than 6826 logs per second.

PAN-206251 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the logrcvr process did not send the
system-start SNMP trap during startup.

PAN-206233 Fixed an issue where the pan_comm process stopped responding when
a content update and a cloud application update occurred at the same
time.

PAN-206128 (PA-7000 Series firewalls with NPCs (Network Processing Cards)
only) Improved debugging capability for an issue where the firewall
restarted due to heartbeat failures and then failed with the following
error message: Power not OK.

PAN-206077 Fixed an issue on firewalls in active/active HA configurations where,
after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did
not send HIP reports to the active secondary firewall.

PAN-206069 Fixed an issue where the firewall was unable to boot up on older Intel
CPUs.

PAN-206017 Fixed an issue where the show dos-protection rule command
displayed a character limit error.

PAN-206005 (PA-3400 Series firewalls only) Fixed an issue where the l7_misc
memory pool was undersized and caused connectivity loss when the
limit was reached.

PAN-205995 Fixed an issue where logs from unaffected log collector groups were
not displayed when a log collector was down.

PAN-205955 Fixed an issue where RAID rebuilds occurred even with healthy disks
and a clean shutdown.

PAN-205877 (PA-5450 firewalls only) Added debug commands for an issue where
a MAC address flap occurred on a neighbor firewall when connecting
both MGT-A and MGT-B interfaces.

PAN-205829 Fixed an issue where logs did not display Host-ID details for
GlobalProtect users despite having a quarantine Security policy rule.
This occurred due to a missed local cache lookup.

PAN-205804 Fixed an issue on Panorama where a WildFire scheduled update for
managed devices triggered multiple UploadInstall jobs per minute.

PAN-205729 (PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue
where the CPLD watchdog timeout caused the firewall to reboot
unexpectedly.

PAN-205699 Fixed an issue where the cloud plugin configuration was automatically
deleted from Panorama after a reboot or a configd process restart.

PAN-205590 Fixed an issue where the fan tray fault LED light was on even though
no alarm was reported in the system environment.

PAN-205473 (VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where
the firewall did not receive any traffic on Layer 3 sub-interfaces from
the trunk port.

PAN-205453 Fixed an issue where running reports or queries under a user group
caused the reportd process to stop responding.

PAN-205451 Fixed an issue where the pan_com process stopped responding due to
aggressive commits.

PAN-205428 Fixed an issue where WildFire submissions failed if the file name
contained special characters.

PAN-205396 Fixed an issue where SD-WAN adaptive SaaS path monitoring did not
work correctly during a next hop link down failure.

PAN-205337 Fixed an issue in the Run Now section of custom reports where
Threat/Content Name displayed in hypertext, and hovering over the
text with the mouse displayed the message undefined.

PAN-205260 Fixed an issue where there was an IP address conflict after a reboot
due to a transaction ID collision.

PAN-205255 Fixed a rare issue that caused the dataplane to restart unexpectedly.

PAN-205231 Fixed an issue where a commit operation remained at 55% for
longer than expected if more than 7,500 Security policy rules were
configured.

PAN-205222 Fixed an issue where you were unable to add a new application in a
selected policy rule.

PAN-205211 Fixed an issue where the reportd process stopped responding while
querying logs (Monitor > Logs > <logtype>).

PAN-205187 Fixed an issue where Elasticsearch did not start properly when a
newly installed Panorama virtual appliance powered on for the first
time, which caused the Panorama virtual appliance to not query logs
forwarded from the managed firewall to a Log Collector.

PAN-205096 Fixed an issue where promoted sessions were not synced with all
cluster members in an HA cluster.

PAN-205030 Fixed an issue where, when a session that hit policy based forwarding with
symmetric return enabled was not offloaded, the firewall received
excessive return-mac update messages, which resulted in resource
contention and traffic disruption.

PAN-204892 Fixed an issue on Panorama where the web interface was not
accessible and displayed the error 504 Gateway Not Reachable
due to the mgmtsrvr process not responding.

PAN-204851 Fixed an issue where, when performing an advanced factory reset
from maintenance mode on a firewall running PAN-OS 10.2.2 or
an earlier release and downgrading to PAN-OS 10.1.0 or an earlier
release, the firewall entered into maintenance mode after the reboot.

PAN-204838 Fixed an issue where the dot1q VLAN tag was missing in ARP reply
packets.

PAN-204830 Fixed an issue where logging in via the web interface or CLI did not
work until an auto-commit was complete.

PAN-204749 Fixed an issue where sudden, large bursts of traffic destined for an
interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-204690 Fixed an issue where selective configuration pushes failed due to
schema validation when both the device group and template stack had
the same name.

PAN-204663 Fixed an issue on Panorama where you were unable to context switch
from one managed firewall to another.

PAN-204582 Fixed an issue where, when a firewall acting as a DHCP client received
a new DHCP IP address, the firewall did not release old DHCP IP
addresses from the IP address stack.

PAN-204581 Fixed an issue where, when accessing a web application via the
GlobalProtect Clientless VPN, the web application landing page
continuously reloaded.

PAN-204575 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the firewall did not forward logs to the log
collector.

PAN-204482 Fixed an issue where searching threat logs (Monitor > Logs > Threat)
using the partial hash parameter did not work, which resulted in
an invalid operator error.

PAN-204456 Fixed an issue related to the logd process that caused high memory
consumption.

PAN-204335 Fixed an issue where Panorama became unresponsive, and when
refreshed, the error 504 Gateway not Reachable was displayed.

PAN-204307 (PA-5440, PA-5430, PA-5420 and PA-5410 firewalls only) Fixed an
issue where, when moving interfaces from one aggregate group to
another while the interface's link state was down, traffic was not
properly routed through the aggregate group until after a second
commit.

PAN-204271 Fixed an issue where the quarantine device list did not display due to
the maximum memory being reached.

PAN-204238 Fixed an issue where, when View Rulebase as Groups was enabled,
the Tags field did not display a scroll down arrow for navigation.

PAN-204216 Fixed an issue where URL categorization failed and the firewall
displayed the URL category as not-resolved for all traffic and
the following error message was displayed in the device server
logs: Error(43): A libcurl function was given a bad argument.

PAN-204118 Fixed an issue where browser sessions stopped responding for device
group template admin users with access domains that had many device
groups or templates.

PAN-204068 Fixed an issue where a newly created vsys (virtual system) in a
template was not able to be pushed from Panorama to the firewall.

PAN-203964 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
went into maintenance mode due to downloading a corrupted
software image, which resulted in the error message FIPS-CC
failure. Image File Authentication Error.

PAN-203851 Fixed an issue with firewalls in HA configurations where host
information profile (HIP) sync did not work between peer firewalls.

PAN-203796 Fixed an issue where legitimate syn+ack packets were dropped after
an invalid syn+ack packet was ingressed.

PAN-203681 (Panorama appliances in FIPS-CC mode only) Fixed an issue where a
leaf certificate was unable to be imported into a template stack.

PAN-203663 Fixed an issue where administrators were unable to change the
password of a local database for users configured as a local admin user
via an authentication profile.

PAN-203653 Fixed an issue where dynamic updates were completed even when
configuration commits failed, which caused the all_task process to stop
responding.

PAN-203618 Fixed an issue where, when SSL/TLS Handshake Inspection was
enabled, SSL/TLS sessions were incorrectly reset if a Security policy
rule with no Security profiles configured was matched.

PAN-203604 Fixed an issue where GlobalProtect authentication failed for SAML
username with a special character.

PAN-203563 Fixed an issue with Content and Threat Detection allocation
storage space where performing a commit failed with a
CUSTOM_UPDATE_BLOCK error message.

PAN-203430 Fixed an issue where, when the User-ID agent had collector
name/secret configured, the configuration was mandatory on clients
on PAN-OS 10.0 and later releases.

PAN-203402 Fixed an intermittent issue where forward session installs were
delayed, which resulted in latencies.

PAN-203362 Fixed an issue where the rasmgr process restarted due to a null
reference.

PAN-203339 Fixed an issue where services failed due to the RAID rebuild not being
completed on time.

PAN-203330 Fixed an issue where the certificate for an External Dynamic List (EDL)
incorrectly changed from invalid to valid, which caused the EDL file to
be removed.

PAN-203320 Fixed an issue where, when configuring the firewall to connect with
Panorama using an auth key and creating the auth key without first
adding the managed firewall to Panorama, the auth key was incorrectly
decreased incrementally.

PAN-203147 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
unexpectedly rebooted when downloading a new PAN-OS software
image.

PAN-203137 (PA-5450 firewalls only) Fixed an issue where HSCI ports did not come
up when QSFP DAC cables were used.

PAN-202946 Fixed an issue where the request high-availability
session-reestablish command was not available for API.

PAN-202918 Fixed an issue where processing route-table entries did not work as
expected.

PAN-202872 Fixed an issue where an incorrect URL list limit displayed during a
commit.

PAN-202783 (PA-7000 Series firewalls with 100G NPC (Network Processing Cards)
only) Fixed an issue where sudden, large bursts of traffic destined for
an interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-202722 Fixed an issue where the factor completion time for login events
learned through XML API displayed as 1969/12/31 19:00:00.

PAN-202593 Fixed an issue where expanding Global Find results displayed only the
top level and second level of a searched item.

PAN-202544 An enhancement was made to collect CPLD register data after a path
monitor failure.

PAN-202543 An enhancement was made to improve path monitor data collection by
verifying the status of the control network.

PAN-202535 Fixed an issue where the Device Telemetry configuration for a region
was unable to be set or edited via the web interface.

PAN-202451 Fixed an issue where Retrieve Framed-IP-Address attribute
from the authentication server failed, which generated a GlobalProtect
connection failure with the error Assign private IP address
failed.

PAN-202450 Fixed an issue where the device-client-cert was set to expire
on December 31, 2023. With this fix, the expiration date has been
extended.

PAN-202295 Fixed an issue where read-only superusers were unable to see the
Commit All job status, warnings, or errors for Panorama device groups.

PAN-202282 Fixed an issue where stats dump files did not display all necessary
reports.

PAN-202264 (VM-Series firewalls only) Fixed an issue where an automatic site
license activation for a PAYG license did not register in the Customer
Support Portal.

PAN-202248 Fixed an issue where, due to a tunnel content inspection (TCI) policy
match, IPSec traffic did not pass through the firewall when NAT was
performed on the traffic.

PAN-202194 Fixed an SD-WAN link issue that occurred when Aggregate Ethernet
without a member interface was configured as an SD-WAN interface.

PAN-202140 Fixed an issue where the comm process stopped responding due to an
OOM condition.

PAN-202101 Fixed an issue where firewalls stopped responding after an upgrade
due to configuration corruption.

PAN-202095 Fixed an issue on the web interface where the language setting was not
retained.

PAN-202040 (PA-220 firewalls only) Fixed an issue where ECDSA fingerprints were
not displayed.

PAN-202012 A debug command was introduced to control Gzip encoding for the
GlobalProtect Clientless VPN application.

PAN-201973 (PA-3400 Series firewalls only) Fixed an issue where the management
interface could not be assigned as an HA port.

PAN-201954 Fixed an issue where NAT policy rules were deleted on managed
devices after a successful push from Panorama to multiple device
groups. This occurred when NAT policy rules had device_tags selected
in the target section.

PAN-201910 Fixed an issue where some Security profiles consumed a large amount
of memory, which reduced the number of supported Security profiles
below the stated maximum for a platform.

PAN-201900 Fixed an internal path monitoring failure issue that caused the
dataplane to go down.

PAN-201860 Fixed an issue where the Device Quarantine list was not redistributed
or updated on Panorama and Prisma Access in a full mesh topology.

PAN-201858 Fixed an issue where the SD-WAN interface Maximum Transmission
Unit (MTU) led to incorrect fragmentation of IPSec traffic.

PAN-201839 Fixed an issue where GlobalProtect HIP match failed for Mac users
due to invalid characters being present in the subject alternative
attributes in the certificate on the HIP report.

PAN-201818 Fixed an issue where INIT SCTP packets were dropped after being
processed by the CTD, and silent drops occurred even with SCTP
no-drop function enabled.

PAN-201714 Fixed an issue with GlobalProtect where attempting to authenticate
with the GlobalProtect gateway returned a 502 error code.

PAN-201701 Fixed an issue where the firewall generated system log alerts if the raid
for a system or log disk was corrupted.

PAN-201639 Fixed an issue with SaaS Application Usage reports where Applications
with Risky Characteristics displayed only two applications per section.

PAN-201632 Fixed an issue where the all_task process stopped responding with a
segmentation fault due to an invalid interface port.

PAN-201601 Fixed an issue where the all_task process stopped responding after
adding customer hyperscan signatures.

PAN-201587 Fixed an issue where the App Pcaps directory size was incorrectly
detected, which caused commit errors.

PAN-201580 Fixed an issue where the useridd process stopped responding due to
an invalid vsys_id request.

PAN-201561 Fixed an issue where LSVPN satellite authentication cookies were not
synced across high availability LSVPN portals.

PAN-201360 Fixed an issue with Panorama managed log collector statistics where
the oldest logs displayed on the primary Panorama appliance and the
secondary Panorama appliance did not match.

PAN-201357 The CLI command debug dataplane set pow no-desched yes
was added to address an issue where the all_pktproc process stopped
responding and caused traffic issues.

PAN-201136 Fixed an issue where IGMP packets were offloaded with frequent
IGMP Join and Leave messages from the client.

PAN-201085 (PA-5450 firewalls only) Fixed an issue where inserting the NPC and
DPC on slot2 created excessive logs in the bcm.log file.

PAN-200946 Fixed an issue with firewalls in active/passive HA configurations where
GRE tunnels went down due to recursive routing when the passive
firewall was booting up. When the passive firewall became active and
no recursive routing was configured, the GRE tunnel remained down.

PAN-200914 (PA-3440 firewalls only) Fixed an issue where the default NAT DIPP
pool oversubscription was set to 2 instead of 4.

PAN-200845 (M-600 Appliances in Management-only mode only) Fixed an issue
where XML API queries failed due to the configuration size being
larger than expected.

PAN-200774 Fixed an issue where SCEP certificate import did not work on the
firewall when the certificate name contained a period ( . ).

PAN-200676 Fixed an issue with firewalls in active/passive HA configurations where
the user counts in the management plane were not synchronized
between the active and the passive firewall.

PAN-200463 Fixed an issue where disabling strict-username-check did not
apply to admin users authenticating with SAML.

PAN-200356 Fixed an issue where the Elapsed seconds field incorrectly displayed as
0 for DHCP packets coming from the firewall.

PAN-200354 Fixed an issue where the firewall did not initiate scheduled log reports.

PAN-200160 Fixed a memory leak issue on Panorama related to the logd process
that caused an out-of-memory (OOM) condition.

PAN-200116 Fixed an issue where Elasticsearch displayed red due to frequent
tunnel check failures between HA clusters.

PAN-200103 Fixed an issue where decryption logs were not displayed under
Manage Custom Reports for custom Panorama admin users.

PAN-200102 Fixed an issue on the firewall web interface that prevented
applications from loading under any policy or in any location where
application IDs were able to be refreshed.

PAN-200035 Fixed an issue where the firewall reported General TLS Protocol
Error for TLSv1.3 when the firewall closed a TCP connection to the
server via a FIN packet without waiting for the handshake to complete.

PAN-200019 Fixed an issue on Panorama where Virtual Routers (Network > Virtual
Routers) was not available when configuring a custom Panorama
admin role (Panorama > Admin Roles).

PAN-199965 Fixed an issue where the reportd process stopped responding on log
collectors during query and report operations due to a race condition
between request handling threads.

PAN-199821 Fixed an issue where the Include/Exclude IPs filter under Data
Redistribution did not consistently filter IP addresses correctly.

PAN-199807 Fixed an issue where the dataplane frequently restarted due to high
memory usage on wifclient.

PAN-199726 Fixed an issue with firewalls in HA configurations where both firewalls
responded with gARP messages after a switchover.

PAN-199661 (VM-Series firewalls in ESXi environments only) Fixed an issue where
the number of used packet buffers was not calculated properly, and
packet buffers displayed as a higher value than the correct value,
which triggered PBP Alerts. This occurred when the driver name was
not compatible with new DPDK versions.

PAN-199612 Fixed a sync issue with firewalls in active/active HA configurations.

PAN-199570 Fixed an issue where uploading certificates using a custom admin role
did not work as expected after a context switch.

PAN-199543 Resolved failed authentication for RADIUS and TLS where the shared
secret was stripped for FIPS mode.

PAN-199500 Fixed an issue where, when many NAT policy rules were configured,
the pan_comm process stopped responding after a configuration
commit due to a high number of debug messages.

PAN-199410 Fixed an issue where system logs for syslog activities were categorized
as general under Type and EVENT columns.

PAN-199214 Fixed an intermittent issue where downloading threat pcap via
XML API failed with the following error message:
/opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist.

PAN-199141 Fixed an issue where renaming a device group and then performing
a partial commit led to the device group hierarchy being incorrectly
changed.

PAN-198920 Fixed an issue where configuration changes caused a previously valid
interface ID to become invalid due to HA switchovers delaying the
configuration push.

PAN-198889 Fixed an issue where the logd process stopped responding if some
devices in a collector group were on a PAN-OS 10.1 device and others
were on a PAN-OS 10.0 release. This issue affected the devices on a
PAN-OS 10.0 release.

PAN-198871 Fixed an issue where, when both URL and Advanced URL licenses were
installed, the expiry date was not correctly checked.

PAN-198718 (PA-5280 firewalls only) Fixed an issue where memory allocation
failures caused increased decryption failures.

PAN-198693 Fixed an issue where decrypted SSH sessions were interrupted with a
decryption error.

PAN-198691 Added an alternate health endpoint to direct health probes on the
firewall (https://firewall/unauth/php/health.php) to address an issue
where /php/login.php performance was slow when large amounts
of traffic were being processed.

PAN-198575 Fixed an issue where data did not load when filtering by Threat Name
(ACC > Threat Activity).

PAN-198333 Fixed an issue where the SaaS PDF report incorrectly displayed the
sanctioned application tag count as 1.

PAN-198306 Fixed an issue where the useridd process stopped responding when
booting up the firewall.

PAN-198174 Fixed an issue where, when viewing traffic or threat logs from the
Application Command Center (ACC) or Monitor tabs, performing a
reverse DNS lookup caused the dnsproxy process to restart if DNS
server settings were not configured.

PAN-198078 Fixed an issue where VXLAN keepalive packets were dropped
randomly.

PAN-198038 A CLI command was added to address an issue where long-lived
sessions were aging out even when there was ongoing traffic.

PAN-197953 Fixed an issue where the logd process stopped responding due
to forwarded threat logs, which caused Panorama to reboot into
maintenance mode.

PAN-197935 Fixed an intermittent issue where XML API IP address tag registration
failed on firewalls in a multi-vsys environment.

PAN-197919 Fixed an issue where, when path monitoring for a static route was
configured with a new Ping Interval value, the value was not used as
intended.

PAN-197908 Fixed an issue where Strata Logging Service flaps occurred for long
durations, which caused a memory leak related to the mgmtsrvr
process.

PAN-197877 Fixed an intermittent issue on Panorama where the distributord
process stopped responding.

PAN-197872 Fixed an issue where the useridd process generated false positive
critical errors.

PAN-197847 Fixed an issue where disabling the enc-algo-aes-128-gcm cipher
did not work when using an SSL/TLS profile.

PAN-197737 Fixed an issue where the connection to the PAN-DB server failed with
the following error message: Failed to send req type[3], curl
error: Couldn't resolve host name.

PAN-197729 Fixed an issue where repeated configuration pushes from Panorama
resulted in a management server memory leak.

PAN-197678 Fixed an issue where the dataplane stopped responding, which caused
internal path monitoring failure.

PAN-197582 Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall
reset SSL connections that used policy-based forwarding.

PAN-197563 Fixed an issue in the User Activity Report where output fields started
with the letter b.

PAN-197549 Fixed an issue where making GlobalProtect gateway configuration
changes resulted in a HIP notification error.

PAN-197426 Fixed an issue on Panorama where, when attempting to view the
Monitor page, the error invalid term was displayed.

PAN-197386 Fixed an issue where traffic that was subject to network packet broker
inspection entered a looping state due to incorrect session offload.

PAN-197339 Fixed an issue where template configuration for the User-ID agent was
not reflected on the template stack on Panorama appliances on
PAN-OS 10.2.1.

PAN-197298 Fixed an issue where the audit comment archive for Security rule
changes output had overlapping formats.

PAN-197203 Fixed an intermittent issue where, if SSL/TLS Handshake Inspection
was enabled, multiple processes stopped responding when the firewall
was processing packets.

PAN-197121 Fixed an issue where incorrect user details were displayed under the
USER DETAIL drop-down (ACC > Network activity > User activity).

PAN-197115 Fixed an issue where, when the total number of in-use HIP profiles
was greater than 32, traffic from the GlobalProtect Agent did not hit
the expected Security policy rule configured with the HIP profile even
though a HIP match log was generated.

PAN-197097 Fixed an issue where LSVPN did not support IPv6 addresses on the
satellite firewall.

PAN-196954 Fixed a memory leak issue related to the distributord process.

PAN-196874 Fixed an issue where, when the firewall accepted ICMP redirect
messages on the management interface, the firewall did not clear the
route from the cache.

PAN-196840 Fixed an issue where exporting a Security policy rule that contained
Korean language characters to CSV format resulted in the policy
description being in a non-readable format.

PAN-196811 Fixed an issue where logout events without a username caused high
CPU usage.

PAN-196715 Fixed an issue where you could not directly edit Services and Address
objects from the Policies tab.

PAN-196704 Fixed an issue where Preview Changes on Panorama Push to Devices
incorrectly displayed changes to encrypted entries.

PAN-196701 Fixed an issue where the firewall did not properly measure the
Panorama connection keepalive timer, which caused a Panorama HA
failover to take longer than expected.

PAN-196671 (PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430
firewalls only) Addressed an issue to improve network latency.

PAN-196583 Fixed an issue where the Cisco TrustSec plugin triggered a flood of
redundant register/unregister messages due to a failed IP address tag
database search.

PAN-196566 Fixed an issue where the useridd process restarted repeatedly, which
led to an OOM condition.

PAN-196558 Fixed an issue where IP address tag policy updates were delayed.

PAN-196474 Fixed an issue where, when a decryption profile was configured
with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked
with an incorrect ERR_TIME_OUT message instead of an
ERR_CONNECTION_RESET message.

PAN-196467 Fixed an issue where enabling strict IP address checks in a Zone
Protection profile caused GRE tunnel packets to be dropped.

PAN-196457 Fixed an issue where extraneous logs displayed in the Traffic log when
Security policy settings were changed.

PAN-196452 Fixed an issue where DNS queries failed from source port 4789 with a
NAT configuration.

PAN-196450 Fixed an issue where certificates with whitespaces in the name or
common name (CN) were not able to be imported.

PAN-196410 Fixed an issue where you were unable to customize the risk value in
Risk-of-app.

PAN-196309 (PA-5450 firewalls only) Fixed an issue where a firewall configured
with a Policy-Based Forwarding policy flapped when a commit was
performed, even when the next hop was reachable.

PAN-196131 Fixed an issue where the comm process stopped responding when a
show command was executed in two sessions.

PAN-196105 Fixed an issue on the firewall where using special characters in a
password caused authentication to fail when connecting to the
GlobalProtect portal with GlobalProtect satellite configured.

PAN-196050 Fixed an issue on Panorama where logs did not populate when one log
collector in a log collector group was down.

PAN-196003 Fixed an issue where the Adjust Columns options for Panorama traffic
logs did not correctly auto-adjust the columns.

PAN-195988 Fixed an issue where commits failed when an AS path regular
expression that included the ( _ ) character was specified in the virtual
router BGP configuration export rule.

PAN-195893 Fixed an issue where daily PDF summary reports were not generated
when the Application Report was selected.

PAN-195869 Fixed an issue where scheduled custom reports based on firewall data
did not display any information.

PAN-195828 Fixed an issue where SNMP reported the panVsysActiveTcpCps
and panVsysActiveUdpCps values to be 0.

PAN-195792 Fixed an issue where, when generating a stats dump file for a managed
device from Panorama (Panorama > Support > Stats Dump File), the
file did not display any data.

PAN-195790 Fixed an issue where syslog traffic was sent from the
management interface to the syslog server even when a destination IP
address service route was configured.

PAN-195713 Fixed an issue where clientless VPN applications were not displayed in
the GlobalProtect portal page.

PAN-195695 Fixed an issue where the AppScope Summary report and PDF report
export function did not work as expected.

PAN-195669 Fixed an issue with Panorama appliances in HA configurations where
a passive Panorama appliance generated CMS Redistribution
Client is connected to global collector messages.

PAN-195659 Fixed an issue with firewalls in HA configurations where ping
responses from the target IP addresses were much delayed after a
configuration push.

PAN-195583 Fixed an issue where, after renaming an object, configuration pushes
from Panorama failed with the commit error object name is not an
allowed keyword.

PAN-195526 Fixed an issue where the firewall system log received a large amount
of error messages when attempting a connection between the firewall
and Panorama.

PAN-195374 (Firewalls in active/passive HA configurations only) Fixed an issue
where, when redistribution agent connections to the passive firewall
failed, excessive system alerts for the failed connection were
generated. With this fix, system alerts are logged every 5 hours instead
of 10 minutes.

PAN-195201 Fixed an issue where high volume DNS Security traffic caused the
firewall to reboot.

PAN-195200 Fixed an issue where Panorama did not attach and email scheduled
reports (Monitor > PDF > Reports > Email Scheduler) when the size of
the email attachments was large.

PAN-195114 Fixed an issue where proxy ARP responded on the wrong interface
when the same subnet was in two virtual routers.

PAN-195107 (PA-7000 Series firewalls with LFCs only) Fixed an issue where the IP
address of the LFC displayed as unknown.

PAN-195064 Fixed an issue where the log collector did not forward correlation logs
to the syslog server.

PAN-194912 Fixed an issue where the CLI command show applications list
did not return any outputs.

PAN-194812 Fixed an issue where generating reports via XML API failed when the
serial number was set as target in the query.

PAN-194805 Fixed an issue where scheduled configuration backups to the SCP
server failed with the error message No ECDSA host key is known.

PAN-194737 Fixed an issue where path monitor displayed as deleted when it was
disabled, which caused a preview change in the summary for static
routes.

PAN-194704 Fixed an issue with SIP ALG where improper NAT was applied when
Destination NAT ran out of IP addresses.

PAN-194615 Fixed an issue where the packet broker session timeout value did not
match the master session's timeout value after the firewall received a
TCP FIN or RST packet. The fix ensures that the broker session times out
within 1 second after the master session times out.

PAN-194441 Fixed an issue where the dataplane CPU usage was higher than
expected due to packet looping in the broker session when the
network packet broker was enabled.

PAN-194175 Fixed an issue on Panorama where a commit push to managed
firewalls failed when objects were added as source address exclusions
in a Security policy and Share Unused Address and Service Objects
with Devices was unchecked.

PAN-194068 (PA-5200 Series firewalls only) Fixed an issue where the firewall
unexpectedly rebooted with the log message Heartbeat failed
previously.

PAN-194043 Fixed an issue where Managed Devices > Summary did not reflect
new tag values after an update.

PAN-194031 (PA-220 Firewalls only) Fixed an issue where system log configurations
did not work as expected due to insufficient process timeout after a
logrcvr process restart.

PAN-194025 Fixed an issue where the ikemgr process stopped responding due to a
timing issue, which caused VPN tunnels to go down.

PAN-193879 Fixed an issue on Panorama where the push scope was delayed for
commit and push operations.

PAN-193831 Fixed an issue where internal routes were added to the routing table
even after disabling dynamic routing protocols.

PAN-193808 Fixed a memory leak issue in the mgmtsrvr process that resulted in an
OOM condition.

PAN-193733 (Firewalls in multi-vsys environments only) Fixed an issue where IP tag
addresses were not synced to all virtual systems (vsys) when they were
pushed to the firewall from Panorama via XML API.

PAN-193619 Fixed an issue where air gapped firewalls and Panorama appliances
performed excessive validity checks to updates.paloaltonetworks.com,
which caused software installs to fail.

PAN-193558 Fixed an issue where log retention settings Multi Disk did not display
correct values on the firewall web interface when the settings were
configured using a Panorama template or template stack.

PAN-193396 Fixed an issue where the source user name was displayed in traffic
logs even when Show User Names In Logs and Reports was disabled
for a custom admin role.

PAN-193323 Fixed an issue where root partition utilization reached 100% due to
mdb old logs not being purged as expected.

PAN-193281 Fixed an issue where the logrcvr process stopped responding after a
content update on the firewall.

PAN-193245 Fixed an issue where, when using syslog-ng forwarding via SSL,
with a Base Common Name (CN) and multiple Subject Alternative
Names (SANs) were listed in the certificate.

PAN-193175 Fixed an issue where PBP Drops (8507) threat logs were
incorrectly logged as SCTP Init Flood (8506).

PAN-193043 Fixed an issue where firewalls in Google Cloud Platform
(GCP) inserted the hostname as PA-VM in the syslog header instead of
the DHCP assigned hostname when logs were being sent to the syslog
server.

PAN-193026 Fixed an issue where warning messages were generated during
commits when configuration details of two profiles were identical.

PAN-192681 Fixed an issue where HIP database storage on the firewall reached full
capacity due to the firewall not purging older HIP reports.

PAN-192513 Fixed an issue where log migration did not work when converting a
Legacy mode Panorama appliance to Log Collector mode.

PAN-192456 Fixed an issue where GlobalProtect SSL VPN processing during a high
traffic load caused the dataplane to stop responding.

PAN-192417 Fixed an issue where botnet reports were not generated on the
firewall.

PAN-192296 Fixed an issue where, when you saved a SaaS application report
as a PDF or sent it to print, the size of the report was smaller than
expected.

PAN-192244 Fixed an issue where scheduled log export jobs continued to run even
after being deleted.

PAN-192193 Fixed an issue where exporting a list of managed collectors via the
Panorama web interface failed with the following error message:
Export Error, Error while exporting

PAN-192188 (PA-5450 firewalls only) Fixed an issue where the show running
resource-monitor ingress-backlogs CLI command failed
with the following error message: Server error : Failed to
intepret the DP response.

PAN-192092 Fixed an issue with firewalls in active/passive configurations only
where the registered cookie from the satellite firewall to the passive
firewall did not sync, which caused authentication between the
satellite firewall and the GlobalProtect portal firewall to fail after a
failover event.

PAN-192076 Added debug logs for visibility into an OpenSSL memory initialization
issue that caused unexpected failovers.

PAN-191997 Fixed an issue where log queries did not successfully filter the
unknown category.

PAN-191652 Fixed an issue with Prisma Cloud where a commit push failed due to
the error Error: failed to handle TDB_UPDATE_BLOCK.

PAN-191463 Fixed an issue where the firewall did not handle packets at Fastpath
when the interface pointer was null.

PAN-191408 Fixed an issue where the firewall did not correctly receive dynamic
address group information from Panorama after a reboot or initial
connection.

PAN-191390 (VM-Series firewalls only) Fixed an issue where the management
plane CPU was incorrectly calculated as high when logged in the
mp-monitor.log.


PAN-191352 Fixed an intermittent issue where high latency was observed on the
web interface and CLI due to high CPU usage related to the sadc
process.

PAN-191235 Fixed an issue with firewalls in HA configurations where the passive
firewall attempted to connect to a hardware security module (HSM)
client when a service route was configured, which caused dynamic
updates and software updates to fail.

PAN-191032 Fixed an issue on Panorama where Managed Devices displayed
Unknown.

PAN-190533 Fixed an issue where addresses and address groups were not displayed
for users in Security admin roles.

PAN-190502 Fixed an issue where the Policy filter and Policy optimizer filter were
required to have the exact same syntax, including nested conditions
with rules that contained more than one tag when filtering via the neq
operator.

PAN-190454 Fixed an issue where, while authenticating, the allow list check failed
for vsys users when a SAML authentication profile was configured
under shared location.

PAN-190409 (PA-5450 and PA-3200 Series firewalls that use an FE101 processor
only) Fixed an issue where packets in the same session were
forwarded through a different member of an aggregate ethernet
group when the session was offloaded. The fix is that you can use the
following CLI command to change the default tag setting to the tuple
setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the
FE).
tuple is the new behavior, where both CPU and FE use the same
selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100


PAN-190266 Fixed an issue that caused the all_task process to stop responding at
the pan_sdwan_qualify_if_ini function.

PAN-189960 Fixed an issue on Panorama where you were unable to view the last
address object moved to the shared template list.

PAN-189866 Fixed an issue with the web interface where group include lists used
server profiles instead of LDAP proxy.

PAN-189783 Fixed an issue where container resource limits were not enforced for
all processes when running inside a container.

PAN-189719 Fixed an issue on Panorama where Test Server Connection failed in
an HTTP server profile with the following error message: failed
binding local connection end.

PAN-189718 Fixed an issue where the number of sessions did not reach the
expected maximum value with Security profiles.

PAN-189666 Fixed an issue where GlobalProtect portal connections failed after
random commits when multiple agent configurations were provisioned
and configuration selection criteria using certificate profile was used.

PAN-189643 Fixed an issue where, when QoS was enabled on an IPSec tunnel,
traffic failed due to applying the wrong tunnel QoS ID.

PAN-189518 Fixed an issue where incoming DNS packets with looped compression
pointers caused the dnsproxyd process to stop responding.

PAN-189425 Fixed an issue on Panorama where Export Panorama and devices
config bundle (Panorama > Setup > Operations) failed with the
following error message: Failed to redirect error to
/var/log/pan/appweb3-panmodule.log (Permission denied).

PAN-189379 Fixed an issue where FQDN based Security policy rules did not match
correctly.

PAN-189375 Fixed an issue where, when migrating the firewall, the firewall dropped
packets when trying to re-use the TCP session.

PAN-189335 Fixed an issue where the varrcvr process restarted repeatedly, which
caused the firewall to restart.

PAN-189300 Fixed an issue where Panorama appliances in active/passive HA
configurations reported the false positive system log Failed to
sync vm-auth-key when a VM authentication key was generated
on the active appliance.

PAN-189200 Fixed an issue where sinkholes did not occur for AWS Gateway Load
Balancer dig queries.

PAN-189027 Fixed an issue where the dataplane CPU utilization provided from the
web interface or via SNMP was incorrect.

PAN-188933 Fixed an issue where the UDP checksum wasn't correctly calculated
for VXLAN traffic after applying NAT.

PAN-188912 Fixed an issue where authentication failed due to a process
responsible for handling authentication requests going into an
irrecoverable state.

PAN-188519 (VM-Series firewalls only) Fixed an issue where, when manually
deactivating the license, the admin user did not receive the option to
download the token file and upload it to the Customer Support Portal
(CSP) to deactivate the license.

PAN-188904 Fixed an issue where web pages and web page contents were not
properly loaded when cloud inline categorization was enabled.

PAN-188506 Fixed an issue where the ctd_dns_malicious_fwd counter
incorrectly increased incrementally.

PAN-188403 Fixed an issue on the web interface where the interzone-default rule
hit count was not displayed.

PAN-188348 Fixed an issue where Encapsulating Security Payload packets
originating from the firewall were dropped when strict IP address
check was enabled in a zone protection profile.

PAN-188291 Fixed an issue where, when using Global Find on the web interface
to search for a given Hostname Configuration (Device > Setup
> Management), clicking the search result directed you to the
appropriate Hostname configuration, but did not change the
respective Template field automatically.

PAN-188272 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where Support UTF-8 For Log Output wasn't visible on the web
interface.

PAN-188118 Fixed an issue with firewalls in FIPS mode that prevented device
telemetry from connecting.


PAN-187763 Fixed an issue where DNS Security logs did not display a threat
category, threat name, or threat ID when domain names contained 64
or more characters.

PAN-187438 (PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces
didn’t come up when using BiDi transceivers.

PAN-187279 Fixed an issue where not all quarantined devices were displayed as
expected.

PAN-186530 Fixed an issue where the current date was incorrectly printed as the
last license check date.

PAN-186471 Fixed an issue where, when exporting to CSV in Global Find, the
firewall truncated names of rules that contained over 40 characters.

PAN-186412 Fixed an issue where invalid packet-ptr was seen in work entries.

PAN-186294 Fixed an issue where commits from Panorama failed on the firewall
due to the virtual router name character limit.

PAN-186270 Fixed an issue where, when HA was enabled and a dynamic update
schedule was configured, the configd process unexpectedly stopped
responding during configuration commits.

PAN-185770 Fixed an issue where the firewall displayed the error message
Malformed Request when an email address included an ampersand
( & ) when configuring an email server profile.

PAN-185466 Fixed an issue where WildFire submission did not work as expected.

PAN-185394 (PA-7000 Series firewalls only) Fixed an issue where not all changes to
the template were reflected on the firewall.

PAN-185360 Fixed an issue where, when Captive Portal Authentication was
configured, l3svc_ngx_error.log and l3svc_access.log did
not roll over after exceeding 10 megabytes, which caused the root
partition to reach full utilization.

PAN-185287 (PA-7050 firewalls with Network Processing Cards (NPCs) only) Debug
commands were added to address an issue where the firewall's NPC
Slot2 failed and multiple dataplane processes stopped responding.

PAN-185234 (VM-Series firewalls only) Fixed an issue where the packet buffer
utilization was displayed as high even when no traffic was traversing
the firewall.


PAN-184744 Fixed an issue where the firewall did not decrypt SSL traffic due to a
lack of internal resources allocated for decryption.

PAN-184708 Fixed an issue where scheduled report emails (Monitor > PDF
Reports > Email Scheduler) were not emailed as expected if they
included a SaaS Application Usage report.

PAN-183524 Fixed an issue where GTPv2-c and GTP-U traffic was identified with
insufficient-data in the traffic logs.

PAN-183375 Fixed an issue where traffic arriving on a tunnel with a bad IP address
header checksum was not dropped.

PAN-183126 Fixed an issue on Panorama where you were able to attempt to push
a number of active schedules to the firewall that was greater than the
firewall's maximum capacity.

PAN-182875 Fixed an issue where certificate generation using SCEP did not take
more than one organizational unit (OU).

PAN-182732 Fixed an issue where the GlobalProtect gateway inactivity timer wasn't
refreshed even though traffic was passing through the tunnel.

PAN-182167 Removed a duplicate save filter Icon in the Audit Comment Archive for
Security Rule Audit Comments tab.

PAN-181968 (PA-400 Series firewalls in active/passive HA configurations only)
Fixed an issue where, when HA failover occurred, link up on all ports
took longer than expected, which caused traffic outages.

PAN-181334 Fixed an issue where users with custom admin roles and access
domains were unable to view address objects or edit Security rules.

PAN-181129 Improved protection against unexpected packets and error handling
for traffic identified as SIP.

PAN-180948 Fixed an issue where an external dynamic list fetch failed with the
error message Unable to fetch external dynamic list.
Couldn't resolve host name. Using old copy for
refresh.

PAN-180690 Fixed an issue where the firewall dropped IPv6 Bi-Directional
Forwarding (BFD) packets when IP Spoofing was enabled in a Zone
Protection Profile.


PAN-179174 Fixed an issue where the exported PDF report of the ACC was the
incorrect color after upgrading from a PAN-OS 10.1 or later release.

PAN-178951 Fixed an issue on the firewall where Agentless User-ID lost parent
Security group information after the Security group name of the
nested groups on Active Directory was changed.

PAN-178728 Fixed an issue where the dcsd process stopped responding when
attempting to read the config to update its redis database.

PAN-177942 Fixed an issue where, when grouping HA peers, access domains that
were configured using multi-vsys firewalls deselected devices or
virtual systems that were in other configured access domains.

PAN-177562 Fixed an issue where PDF reports were not translated to the
configured local language.

PAN-177201 Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0
or later release pushed built-in external dynamic lists to a firewall on
a PAN-OS 8.1 release, the external dynamic list was removed, but the
rule was still pushed to the firewall. With this fix, Panorama will show
a validation error when attempting to push a pre-defined external
dynamic list to a firewall on a PAN-OS 8.1 release.

PAN-176989 Fixed an issue where the CLI command to show SD-WAN tunnel
members caused the firewall to stop responding.

PAN-176379 Fixed an issue where, when multiple routers were configured under a
Panorama template, you were only able to select its own virtual router
for next hop.

PAN-175244 Fixed an issue on Panorama where the configd process stopped
responding when adding, deleting or listing an authentication key.

PAN-175142 Fixed an issue on Panorama where executing a debug command
caused the logrcvr process to stop responding.

PAN-175061 Fixed an issue where filtering threat logs using any value under
THREAT ID/NAME displayed the error Invalid term.

PAN-174953 Fixed an issue where the firewall didn't update URL categories from
the management plane to the dataplane cache.

PAN-174781 Fixed an issue where the firewall did not send an SMTP 541 error
message to the email client after detecting a malicious file attachment.


PAN-174680 Fixed an issue where, when adding new configurations, Panorama
didn't display a list of suggested template variables when typing in a
relevant field.

PAN-174027 Fixed an issue on Panorama where attempting to rename mapping for
address options caused a push to fail with the following error message:
Error: Duplicate address name..

PAN-171927 Fixed an issue where incorrect results were displayed when filtering
logs in the Monitor tab.

PAN-171300 Fixed an issue on Panorama where a password change in a template
did not reset an expired password flag on the firewall, which caused
the user to change their password when logging in to a firewall.

PAN-170414 Fixed an issue related to an OOM condition in the dataplane, which
was caused by multiple panio commands using extra memory.

PAN-157199 (PA-220 firewalls only) Fixed an issue where the GlobalProtect portal
was not reachable with IPv6 addresses.

PAN-142701 Fixed an issue where the firewall did not delete Stateless SCTP
sessions after receiving an SCTP Abort packet.

PAN-OS 10.2.3 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.3.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.3 Known Issues
• PAN-OS 10.2.3-h13 Addressed Issues
• PAN-OS 10.2.3-h12 Addressed Issues
• PAN-OS 10.2.3-h11 Addressed Issues
• PAN-OS 10.2.3-h9 Addressed Issues
• PAN-OS 10.2.3-h4 Addressed Issues
• PAN-OS 10.2.3-h2 Addressed Issues
• PAN-OS 10.2.3 Addressed Issues


PAN-OS 10.2.3 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.3. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-all peers
CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
peer.
2. Select Commit and Commit to Panorama the SD-WAN
configuration changes on the active HA peer.
On the passive HA peer, select Panorama > Managed
Devices > Summary and observe that the managed devices
are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
manual synchronization between the active and secondary
HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
and select Commit > Push to Devices and Push.

PAN-228273 This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the show
log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-225337 This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
configuration object with an identical name. For example,
a Shared address object called SharedAO1 and a
vsys-specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
configuration. For example, reference the Shared address
object (SharedAO1) in a Shared address group called
SharedAG1.
3. Use the Shared configuration object with the reference
in a vsys-specific configuration. For example, reference
the Shared address group (SharedAG1) in a vsys-specific
policy rule.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
Devices—This option pushes all Shared objects, along
with device group specific objects, to managed firewalls.
This is a global setting and applies to all managed firewalls,
and may result in pushing too many configuration objects
to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
This option specifies that in the event of objects with
the same name, ancestor objects take precedence over
descendent objects. In this case, the Shared objects take
precedence over the vsys-specific object.
This is a global setting and applies to all managed firewalls.
In the example above, if the IP address for the Shared
SharedAO1 object was 10.1.1.1 and the device group
specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.

PAN-223488 This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Closed ElasticSearch shards are not deleted from the
Panorama M-Series and virtual appliance. This causes the
ElasticSearch shard purging to not work as expected, resulting
in high disk usage.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin>debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222253 This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221015 This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin>debug elasticsearch es-restart optional all

PAN-219644 This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.

PAN-218521 This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.

PAN-217307 This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.
The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes

PAN-215778 This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the M-600 appliance in Management Only mode, XML
API Get requests for /config fail with the following error
due to exceeding the total configuration size supported on
the M-600 appliance.
504 Gateway timeout

PAN-215082 This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.
M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212978 This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.
The Palo Alto Networks firewall stops responding when
executing an SD-WAN debug operational CLI command.

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.


PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-210366 This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.
On the Panorama management server in a high availability
(HA) configuration, the primary HA peer may enter a
primary-non-functional state and generate a system
log (Monitor > Logs > System) with the following message:
High root partition usage: going to state
Non-Functional

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208622 A file upload to Box.com exceeding 6 files gets stuck and
fails to upload if you specify an Enterprise DLP data filtering
profile (Objects > DLP > Data Filtering Profiles) with the
Action set to Block to a Security policy rule (Policies >
Security).

PAN-208325 This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-440, PA-450, and PA-460 Firewalls
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin>request certificate fetch

PAN-208189 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Traffic fails to match and reach all destinations if a Security
policy rule includes FQDN objects that resolve to two or
more IP addresses.

PAN-207629 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, selective push fails to
managed firewalls if the managed firewalls are enabled with
multiple vsys and the Push Scope contains shared objects in
device groups.

PAN-206253 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
For PA-3400 Series firewalls, the default log rate is set too
low and the max configurable log rate is incorrectly capped
resulting in the firewall not generating more than 6,826 logs
per second.

PAN-206243 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
The PA-220 firewall reaches the maximum disk usage
capacity multiple times a day, which requires a disk cleanup. A critical
system log (Monitor > Logs > System) is generated each time
the firewall reaches maximum disk usage capacity.

PAN-206005 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
(PA-3400 Series firewalls only) The I7_misc memory pool
on this platform is undersized and can cause a loss of
connectivity when reaching the limit of the memory pool.
Certain features, like using a decryption profile with Strip
ALPN disabled, can lead to depleting the memory pool and
causing a connection loss.
Workaround: Disable HTTP2 by enabling Strip ALPN in the
decryption profile or avoid usage of the I7_misc memory pool.

PAN-205187 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
ElasticSearch may not start properly when a newly installed
Panorama virtual appliance powers on for the first time,
resulting in the Panorama virtual appliance being unable to
query logs forwarded from the managed firewall to a Log
Collector.
Workaround: Log in to the Panorama CLI and start the PAN-
OS software.

admin>request restart software

PAN-204663 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
On the Panorama management server, you are unable to
Context Switch from one managed firewall to another.
Workaround: After you Context Switch to a managed
firewall, you must first Context Switch back to Panorama
before you can continue to Context Switch to a different
managed firewall.

PAN-201855 This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-199557 This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-198708 On the Panorama management server, the File Type
field does not display any data when you view the Detailed
Log View in the Data Filtering log (Monitor > Logs > Data
Filtering > <select log> > DLP).

PAN-198174 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
When viewing traffic or threat logs from the firewall ACC
or Monitor, performing a reverse DNS lookup, for example,
when resolving IP addresses to domain names using the
Resolve Hostname feature, can cause the appliance to crash
and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall
(Device > DNS Setup > Services). If you cannot reference a
valid DNS server, you can add a dummy address.

PAN-197097 This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).


PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-195541 When a DNS request is submitted to the DNS Security
service for inspection, the dataplane pan-task process
(all_pktproc) might fail during the DNS request process, or
when the dataplane cache is reset, or if the cache output is
generated through the CLI, resulting in firewall crashes or the
inability/reduced capability to process network traffic.
The following CLI commands can trigger a crash of the
all_pktproc process:
• debug dataplane reset dns-cache all
• debug dataplane show dns-cache print
• show dns-proxy dns-signature cache
• clear dns-proxy dns-signature cache
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-190435 When you Commit a configuration change, the Task Manager
commit Status goes directly from 0% to Completed and
does not accurately reflect the commit job progress.

PAN-189425 On the Panorama management server, Export Panorama and
devices config bundle (Panorama > Setup > Operations) fails
to export. When the export fails, you are redirected to a new
window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-188904 Certain web pages and web page contents might not properly
load when cloud inline categorization is enabled on the
firewall.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.


PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin > request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-186134 On the Panorama management server, performing a Commit
and Push (Commit > Commit and Push) may intermittently
not push the committed configuration changes to managed
firewalls.
Workaround: Select Commit > Push to Devices to push the
committed configuration changes to your managed firewalls.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See
PAN-OS 10.2.5 Addressed
Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any
multi-gigabit RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-Active
firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.


PAN-OS 10.2.3-h13 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.


PAN-OS 10.2.3-h12 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate - Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.


PAN-OS 10.2.3-h11 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate - Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.


PAN-OS 10.2.3-h9 Addressed Issues


Issue ID Description

PAN-202450 Fixed an issue where the device-client-cert was set to expire
on December 31, 2023. With this fix, the expiration date has been
extended.

PAN-198372 Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.


PAN-OS 10.2.3-h4 Addressed Issues


Issue ID Description

PAN-210513 Fixed an issue where Captive Portal authentication via SAML did not
work.

PAN-208737 Fixed an issue where domain information wasn't populated in IP
address-to-username matching after a successful GlobalProtect
authentication using an authentication override cookie.

PAN-208079 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where the PAN-DB engine did not start when using a VM-Series
firewall Flex based CPU.

PAN-207562 Fixed an issue where the shard count displayed by the
show log-collector-es-cluster health CLI command was higher than
the recommended limit. The recommended limit can be calculated with
the formula 20*heap-memory*no-of-data-nodes.

PAN-206963 (M-700 Appliances only) A CLI command was added to check the
status of each physical port of a bond1 interface.

PAN-206921 Fixed an issue where the GlobalProtect client pre-login was successful,
but the certificate authentication failed.

PAN-206466 Fixed an issue where the push scope was displaying duplicate shared
objects for each device group that were listed under the shared-object
group.

PAN-206069 Fixed an issue where the firewall was unable to boot up on older Intel
CPUs.

PAN-205698 Fixed an issue where GlobalProtect authentication did not work on
Apple macOS devices when the authentication method used was CIE
with SAML Authentication.

PAN-204892 Fixed an issue on Panorama where the web interface was not
accessible and displayed the error 504 Gateway Not Reachable due to
the mgmtsrvr process not responding.

PAN-204838 Fixed an issue where the dot1q VLAN tag in ARP reply packets was
not displayed.

PAN-204572 Fixed an issue where Python scripts were not working as expected.


PAN-197339 Fixed an issue where template configuration for the User-ID agent was
not reflected on the template stack on Panorama appliances on
PAN-OS 10.2.1.

PAN-196954 Fixed a memory leak issue related to the distributord process.

PAN-195149 Fixed an issue where firewall administrators were unable to log in to
the web interface when RADIUS two-factor authentication was used.

PAN-186270 Fixed an issue where, when high availability (HA) was enabled and
a dynamic update schedule was configured, the configd process
unexpectedly stopped responding during configuration commits.


PAN-OS 10.2.3-h2 Addressed Issues


Issue ID Description

PAN-205830 Fixed an issue with multi-vsys firewalls where custom applications
and shared objects pushed from Panorama did not populate in their
respective lists on the firewall.

PAN-205805 Fixed an issue where Generic routing encapsulation (GRE) traffic was
only allowed in one direction when tunnel content inspection (TCI) was
enabled.

PAN-205231 Fixed an issue where a commit operation remained at 55% for
longer than expected if more than 7,500 Security policy rules were
configured.

PAN-202795 Fixed an issue where file identification failed for files with minimal data
with large headers.

PAN-202535 Fixed an issue where the Device Telemetry configuration for a region
was unable to be set or edited via the web interface.

PAN-201872 Fixed an issue where SMB performance caused overall network
latency after an upgrade.

PAN-201714 Fixed an issue with GlobalProtect where attempting to authenticate
with the GlobalProtect gateway returned a 502 error code.

PAN-201357 The CLI command debug dataplane set pow no-desched yes
was added to address an issue where the all_pktproc process stopped
responding and caused traffic issues.

PAN-200946 Fixed an issue with firewalls in active/passive HA configurations where
GRE tunnels went down due to recursive routing when the passive
firewall was booting up. When the passive firewall became active and
no recursive routing was configured, the GRE tunnel remained down.

PAN-198718 (PA-5280 firewalls only) Fixed an issue where memory allocation
failures caused increased decryption failures.

PAN-196583 Fixed an issue where the Cisco TrustSec plugin triggered a flood of
redundant register/unregister messages due to a failed IP address tag
database search.

PAN-195756 Fixed an issue that caused an API request timeout when parsing
requests using large header buffers.


PAN-195713 Fixed an issue where clientless VPN applications were not displayed in
the GlobalProtect portal page.

PAN-182732 Fixed an issue where the GlobalProtect gateway inactivity timer wasn't
refreshed even though traffic was passing through the tunnel.


PAN-OS 10.2.3 Addressed Issues


Issue ID Description

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-209275 Fixed an issue where Override cookie authentication into the
GlobalProtect gateway failed when an allow list was configured under
the authentication profile.

PAN-201627 Fixed an issue in next-generation firewall deployments where, when
SD-WAN was configured, the dataplane restarted if all SD-WAN
member links were down due to an out-of-memory (OOM) condition
or during a reboot when all SD-WAN tunnels were down.

PAN-200771 Fixed an issue where syslog-ng was unable to start due to a design
change in the syslog configuration file.

PAN-199654 Fixed an issue where ACC reports did not work for custom RBAC
users when more than 12 access domains were associated with the
username.

PAN-199311 Fixed an issue where the Log Forwarding Card (LFC) failed to forward
logs to the syslog server.

PAN-199099 Fixed an issue where, when decryption was enabled, Safari and Google
Chrome browsers on Apple Mac computers rejected the server
certificate created by the firewall because the Authority Key Identifier
was copied from the original server certificate and did not match the
Subject Key Identifier on the forward trust certificate.

PAN-198733 (PA-5450 firewalls only) Fixed an issue where dmin tcpdump was
hardcoded to eth0 instead of bond0.

PAN-198332 (PA-5400 Series only) Fixed an issue where swapping Network
Processing Cards (NPCs) caused high root partition use.

PAN-198266 Fixed an issue where, when predicts for UDP packets were created,
a configuration change occurred that triggered a new policy lookup,
which caused the dataplane to stop responding when converting the
predict. This resulted in a dataplane restart.

PAN-198244 Fixed an issue where using the load config partial CLI
command to x-paths removed address object entries from address
groups.


PAN-197576 Fixed an issue where commits pushed from Panorama caused a
memory leak related to the mgmtsrvr process.

PAN-197484 (PA-5400 Series firewalls) Fixed an issue where the firewall forwarded
packets to the incorrect aggregate ethernet interface when Policy
Based Forwarding (PBF) was used.

PAN-197383 Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the
firewall ran a RAID rebuild for the log disk after every reboot.

PAN-197244 Fixed an issue on firewalls with Forward Proxy enabled where the
all_pktproc process stopped responding due to missed heartbeats.

PAN-196993 Fixed an issue where an incorrect regex key was generated to
invalidate the completions cache, which caused the configd process to
stop responding.

PAN-196953 (PA-5450 firewalls only) Fixed an issue where jumbo frames were
dropped.

PAN-196445 Fixed an issue where restarting the Network Processing Card (NPC)
or the Data Processing Card (DPC) did not bring up all the network
interfaces.

PAN-196398 (PA-7000 Series SMC-B firewalls only) Fixed an issue where the
firewall did not capture data when the active management interface
was MGT-B.

PAN-196227 Fixed an issue where the logd process stopped responding, which
caused Panorama to reboot into maintenance mode.

PAN-196005 (PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only)
Fixed an issue where GlobalProtect IPSec tunnels disconnected at half
the inactivity logout timer value.

PAN-195707 Fixed an issue on Panorama appliances configured as log collectors
where Panorama repeatedly rebooted into maintenance mode.

PAN-195689 Fixed an issue where WildFire submission logs did not load on the
firewall web interface.

PAN-195628 Fixed an issue that caused the pan_task process to miss heartbeats and
stop responding.

PAN-195625 Fixed an issue where authd frequently created SSL sessions, which
resulted in an OOM condition.


PAN-195360 Fixed an issue with firewalls in Microsoft Azure environments
where BGP flapping occurred due to the firewall incorrectly treating
capability from BGP peering as unsupported.

PAN-195223 Fixed an issue where the all_pktproc process restarted when receiving
a GTPv2 Modify Bearer Request packet if the Serving GPRS Support
Node (SGSN) used the same key as the Serving Gateway (SGW).

PAN-195181 Added enhancements to improve the load on the pan_comm process
during SNMP polling.

PAN-194993 Fixed an issue that occurred when authenticating into GlobalProtect
with authentication override cookies and SAML where, if the cookie
was invalid, authentication did not fall back to SAML.

PAN-194826 (WF-500 and WF-500-B appliances only) Fixed an issue where log
system forwarding did not work over a TLS connection.

PAN-194782 Fixed an issue on Panorama where, if you added a new local or
non-local administrator account or an admin user to a template,
authentication profiles were incorrectly referenced.

PAN-194708 Fixed an issue where URL filtering logs (Monitor > Logs > URL
Filtering) incorrectly truncated a 16KB Header value and did not
display the Header values that followed the truncated 16KB header.

PAN-194694 Fixed an issue where multiple SNMP requests being made to the
firewall caused the pan_comm process to stop responding.

PAN-194601 Fixed an issue that caused the all_task process to stop responding.

PAN-194588 (PA-7000 Series firewalls with LFCs (Log Forwarding Cards), PA-7050
firewalls with SMC-B (Switch Management Cards), and PA-7080
firewalls only) Fixed an issue where the logrcvr_statistics
output was not recorded in mp-monitor.log.

PAN-194481 Fixed an issue in ESXi where the bootstrapped VM-Series firewalls
with the Software Licensing Plugin had :xxx appended to their
hostnames.

PAN-194408 Fixed an issue where, when policy rules had the apps that implicitly
depended on web browsing configured with the service application
default, traffic did not match the rule correctly.


PAN-194406 Fixed an issue where the MTU from SD-WAN interfaces was
recalculated after a configuration push from Panorama or a local
commit, which caused traffic disruption.

PAN-194262 Fixed an issue where the GlobalProtect application failed to connect
when a user or group was configured under the portal Config
Selection Criteria.

PAN-194152 (PA-5410, PA-5420, PA-5430, and PA-5440 firewalls in HA
configurations only) Fixed an issue where HA1-A and HA1-B port
information didn't match to front panel mappings and, when one
firewall was on PAN-OS 10.2.3 or a later release and the other was on
PAN-OS 10.2.2 or an earlier release, a split-brain situation occurred.

PAN-194129 (PA-5450 firewalls only) Fixed an issue where slot 2 did not use all
features correctly if a DPC was used instead of an NPC.

PAN-194097 Fixed an issue on firewalls in high availability (HA) active/passive
configurations where _ha_d_session_msgbuf overflowed on the
passive firewall during an upgrade, which caused the firewall to enter a
non-functional state.

PAN-193981 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the firewall stopped monitoring HA failure and floating IP
addresses did not get moved to the newly active firewall.

PAN-193899 Fixed an issue where advanced mode factory reset (Maintenance
Mode > Factory Reset > Advanced > select a specific image) was only
compatible with PAN-OS 10.1.3 or later version images.

PAN-193818 Fixed an issue where the firewall device server failed to resolve URL
cloud FQDNs, which interrupted URL category lookup.

PAN-193766 (VM-Series firewalls only) Fixed an issue where the GlobalProtect
portal was not accessible.

PAN-193765 Fixed an issue where commits failed with the following error displayed in
the configd log: Unable to populate ids into candidate
config: Error: Error populating id for 'sg2+DMZ to
FirstAM Scanner-1.

PAN-193763 Fixed an issue on the firewall where the dataplane CPU spiked, which
caused traffic to be affected during commits or content updates.


PAN-193744 (PA-3200 Series firewalls only) Fixed an issue where, when the HA2
HSCI connection was down, the system log displayed Port HA1-b:
down instead of Port HSCI: Down.

PAN-193732 (PA-5400 Series firewalls only) Fixed an issue where the firewall
incorrectly handled internal transactions.

PAN-193707 Fixed an issue where SAML authentication failed during commits with
the following error message: revocation status could not be
verified (reason: ).

PAN-193483 (VM-Series firewalls only) Fixed an issue where, during Layer-7 packet
inspection where traffic was being inspected for threat signature and
data patterns, multiple processes stopped responding.

PAN-193392 Fixed an issue where RTP packets dropped due to conflicting duplicate
flows.

PAN-193251 Fixed an issue where, when SAML was configured as the
authentication method for GlobalProtect, the SAML page did not load
when using a browser.

PAN-193235 Fixed an issue where duplicate log entries were displayed on
Panorama.

PAN-193201 Fixed an issue where auto-commits failed after an upgrade if an
imported certificate size was greater than the size of a buffer.

PAN-193132 (PA-220 firewalls only) Fixed an issue where a commit and push from
Panorama caused high dataplane CPU utilization.

PAN-192944 Fixed an issue where the logrcvr process caused an OOM condition.

PAN-192739 Fixed an issue where the error message Machine Learning found
virus was displayed in threat CSV logs as Threat ID/Name when
WildFire Inline ML detected malware.

PAN-192726 Fixed an issue where the firewall dropped TCP traffic inside IPSec
tunnels.

PAN-192673 (PA-7050-SMC-B firewalls only) Fixed an issue where the LFC
syslog-ng service failed to start after an upgrade.

PAN-192666 (VM-Series firewalls only) Fixed an issue where uploading certificates
via API failed within the first 30 minutes of a bootstrap.


PAN-192551 (PA-5400 Series firewalls only) Fixed an issue where the firewall
incorrectly processed path monitoring packets.

PAN-192404 Fixed an issue where ARP broadcasts occurring in the same time
interval and network segment as HA path monitoring pings triggered
an ARP cache request, which prevented the firewall from sending
ICMP echo requests to the monitored destination IP address and
caused an HA path monitoring failover.

PAN-192330 (Bootstrapped VM-Series firewalls in Microsoft Azure environments
only) Fixed an issue where the firewall did not automatically receive
the Strata Logging Service license.

PAN-192052 Fixed an issue where, when next hop MAC address entries weren't
found on the offload processor for active traffic, update messages
flooded the firewall, which caused resource contention and traffic
disruption.

PAN-191874 Fixed an issue where monthly scheduled reports did not display
information after upgrading to PAN-OS 10.2.0.

PAN-191847 Fixed an issue where the Panorama appliance was unable to generate
scheduled custom reports due to the large number of files stored in
the opt/pancfg/mgmt/custom-reports directory.

PAN-191726 Fixed an issue where an SCP export of the device state from the
firewall added single quotes ( ' ) to the filename.

PAN-191558 Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find
did not display all results related to a searched item.

PAN-191269 Fixed an issue where the NAT pool leaked for passive mode FTP
predict sessions.

PAN-191222 Fixed an issue where Panorama became inaccessible after a push
to the collector group.

PAN-191218 (PA-5400 Series firewalls only) Fixed an issue where the session log
storage quota could not be changed via the web interface.

PAN-191216 Fixed an issue where, on Apple iOS devices, SAML authentication did
not connect to the GlobalProtect portal.

PAN-191214 Fixed an issue where the Elasticsearch process stopped responding,
which caused an OOM condition.

PAN-190657 Fixed an issue where IPSec tunnels did not rekey due to the security
association being deleted too early.

PAN-190448 Fixed an issue in ACC reports where IPv6 addresses were displayed
instead of IPv4 addresses.

PAN-189894 Fixed an issue with the web interface where the template stack didn't
show inherited values of Template > Authentication Portal Settings.

PAN-189861 Fixed an issue on firewalls in HA configurations where intermittent
system alerts on the active firewall caused the pan_comm process to
restart continuously.

PAN-189859 Fixed an issue on the firewall where an administrator was unable to
Import Custom URL Category Content.

PAN-189762 Fixed an issue where a predict session didn't match with the traffic
when both source NAT and destination NAT were enabled.

PAN-189723 Fixed an issue where you were unable to configure dynamic address
groups to use more than 64,000 IP addresses in a Security policy.

PAN-189414 Fixed an issue where TCP packets were dropped during the first zone
transfer when DNS security was enabled.

PAN-189304 Fixed an issue where the Panorama appliance didn't display logs or
generate reports for a device group containing MIPs platform that
forwarded logs to Strata Logging Service.

PAN-189270 Fixed an issue that caused a memory leak on the reportd process.

PAN-189225 Fixed an issue where BGP routes were lost or uninstalled after
disabling jumbo frames on the firewall.

PAN-189114 Fixed an issue where the dataplane went down, which caused an HA
failover.

PAN-188867 Fixed an issue where the firewall dropped packets when the session
payload was too large.

PAN-188489 (VM-Series firewalls only) Fixed an issue where dynamic content
updates weren't automatically pushed to the firewall licensed using the
Panorama Software Firewall License plugin when Automatically push
content when software device registers to Panorama (Panorama >
Templates > Add Stack) was enabled.

PAN-188338 Fixed an issue where canceling a commit caused the commit process
to remain at 70% and the firewall had to be rebooted.

PAN-188303 Fixed an issue where the serial number displayed as unknown after
running the show system state CLI command.

PAN-188096 (VM-Series firewalls only) Fixed an issue where, on firewalls licensed
with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering
was unable to be established.

PAN-187985 Fixed an issue where you were unable to configure a QoS Profile as
percentage for Clear Text Traffic.

PAN-187890 Fixed an issue where the Strata Logging Service connection incorrectly
displayed as disconnected when a service route was in use.

PAN-187805 Fixed an issue where a process (all_pktproc) stopped responding and
the dataplane restarted during certificate construction or destruction.

PAN-187476 Fixed an issue where, when hip-redistribution was enabled, Panorama
didn't display part of the HIP information.

PAN-187234 Fixed an intermittent issue where web pages submitted for analysis by
Advanced URL Filtering cloud inline categorization experienced high
latency.

PAN-186891 Fixed an issue where NetFlow packets contained incorrect octet
counts.

PAN-186418 Fixed an issue where Panorama displayed a discrepancy in RAM
configured on the VMware host.

PAN-186134 Fixed an issue on Panorama where performing a commit and push
intermittently failed to push the committed configuration to managed
firewalls.

PAN-186075 (VM-Series firewalls only) Fixed an issue where the firewall rebooted
after receiving large packets while in DPDK mode on Azure virtual
machines running CX4 (MLx5) drivers.

PAN-185787 Fixed an issue where logging in to the Panorama web interface did not
work and the following error message displayed: Timed out while
getting config lock. Please try again.

PAN-185283 Fixed an issue on Panorama where using the name-of-threatid
contains log4j filter didn't produce expected results.

PAN-184702 (M-700 appliances in Log Collector mode only) Fixed an issue on the
Panorama management server where the Panorama appliance failed to
connect to Panorama when added as a managed log collector.

PAN-184068 (PA-5200 Series firewalls only) Fixed an issue where the firewall
generated pause frames, which caused network latency.

PAN-183788 Fixed an issue with SCEP certificate enrollment where the incorrect
Registration Authority (RA) certificate was chosen to encrypt the
enrollment request.

PAN-185750 Updated an issue to eliminate failed pan_comm software issues that
caused the dataplane to restart unexpectedly.

PAN-183270 Fixed an issue where a bootstrapped firewall connected only to the
first log collector in a log collector group.

PAN-183184 Fixed an issue where enabling SSL decryption with a Hardware
Security Module (HSM) caused a dataplane restart.

PAN-183166 Fixed an issue where system, configuration, and alarm logs were
queued up on the logrcvr process and were not forwarded out or
written to disk until an autocommit was passed.

PAN-182689 Fixed an issue where a signature from a previous WildFire package
triggered virus detection even though the signature was no longer
present in the current WildFire package.

PAN-182539 Fixed an issue with Panorama appliances in HA configurations where
dedicated log collectors did not send local system or configuration logs
to both Panorama appliances.

PAN-182212 Fixed an issue where SNMP reported the panVsysActiveTcpCps
and panVsysActiveUdpCps values to be 0.

PAN-181277 Fixed an issue where VPN tunnels in SD-WAN flapped due to
duplicate tunnel IDs.

PAN-179543 Fixed an issue where the flow_mgmt process stopped responding when
attempting to clear the session table, which caused the dataplane to
restart.

PAN-179258 Fixed an issue where system disk migration failed.

PAN-178243 Fixed an issue where Shared Gateway was not visible in the Virtual
System drop down when configuring a Layer3 aggregate subinterface.

PAN-178194 Fixed an issue with the web interface where, when only the Advanced
URL Filtering license was activated, the message License required
for URL filtering to function was incorrectly displayed and
the URL Filtering Profile > Inline ML section was disabled.

PAN-177482 Fixed an issue where ACC > App Scope > Threat Monitor showed NO
DATA TO DISPLAY.

PAN-172501 Fixed an issue where you were unable to revert HA mode settings to
the default values from the web interface.

PAN-171714 Fixed an issue where, when NetBIOS format (domain\user) was used
for the IP address-to-username mapping and the firewall received
the group mapping information from the Cloud Identity Engine, the
firewall did not match the user to the correct group.

PAN-157215 Fixed an issue that occurred when two FQDNs were resolved to the
same IP address and were configured as the same src/dst of the same
rule. If one FQDN was later resolved to a different IP address, the
IP address resolved for the second FQDN was also changed, which
caused traffic with the original IP address to hit the incorrect rule.

PAN-151469 Fixed an issue where packets were dropped unexpectedly due to
errors parsing the IP version field.

PAN-OS 10.2.2 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.2.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.2 Known Issues
• PAN-OS 10.2.2-h5 Addressed Issues
• PAN-OS 10.2.2-h4 Addressed Issues
• PAN-OS 10.2.2-h2 Addressed Issues
• PAN-OS 10.2.2-h1 Addressed Issues
• PAN-OS 10.2.2 Addressed Issues

PAN-OS 10.2.2 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.2. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5854 The WildFire analysis report on the firewall log viewer
(Monitoring > WildFire Submissions) does not display the
following data fields: File Type, SHA-256, MD-5, and File
Size.
Workaround: Download and open the WildFire analysis
report in the PDF format using the link in the upper
right-hand corner of the Detailed Log View.

WF500-5843 In a WildFire appliance cluster, issuing the show cluster-all
peers CLI command when a node within the cluster
is being rebooted generates the following error: Server
error : An error occured.

WF500-5840 The sample analysis statistics that are returned when issuing
the show wildfire local statistics CLI command
in WildFire appliance cluster deployments may not accurately
reflect the number of samples that have been processed.

WF500-5823 The following WildFire appliance CLI command does not
return a signature generation status as expected: show
wildfire global signature-status. This does not
corrupt or otherwise prevent the WildFire appliance from
analyzing a sample.

WF500-5781 The WildFire appliance might erroneously generate and
log the following device certification error: Device
certificate is missing or invalid. It cannot
be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
   peer.
2. Select Commit and Commit to Panorama the SD-WAN
   configuration changes on the active HA peer.
   On the passive HA peer, select Panorama > Managed
   Devices > Summary and observe that the managed devices
   are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
   manual synchronization between the active and secondary
   HA peers.
   request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
   and select Commit > Push to Devices and Push.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the show
log-collector-es-cluster health command displays
the status is red. This results in log ingestion issues for
Panorama in Panorama only or Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
   configuration object with an identical name. For example,
   a Shared address object called SharedAO1 and a
   vsys-specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
   configuration. For example, reference the Shared address
   object (SharedAO1) in a Shared address group called
   SharedAG1.
3. Use the Shared configuration object with the reference
   in a vsys-specific configuration. For example, reference
   the Shared address group (SharedAG1) in a vsys-specific
   policy rule.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
  Devices—This option pushes all Shared objects, along
  with device group specific objects, to managed firewalls.
  This is a global setting and applies to all managed firewalls,
  and may result in pushing too many configuration objects
  to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
  This option specifies that in the event of objects with
  the same name, ancestor objects take precedence over
  descendent objects. In this case, the Shared objects take
  precedence over the vsys-specific object.
  This is a global setting and applies to all managed firewalls.
  In the example above, if the IP address for the Shared
  SharedAO1 object was 10.1.1.1 and the device group
  specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
  address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.

PAN-223488 Closed ElasticSearch shards are not deleted from the
Panorama M-Series and virtual appliance. This causes the
ElasticSearch shard purging to not work as expected, resulting
in high disk usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-219644 Firewalls forwarding logs to a syslog server over TLS (Objects
> Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-215778 On the M-600 appliance in Management Only mode, XML
API Get requests for /config fail with the following error
due to exceeding the total configuration size supported on
the M-600 appliance.
504 Gateway timeout
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey is displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying no data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-210366 On the Panorama management server in a high availability
(HA) configuration, the primary HA peer may enter a
primary-non-functional state and generate a system
log (Monitor > Logs > System) with the following message:
High root partition usage: going to state Non-Functional
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues.

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-440, PA-450, and PA-460 Firewalls
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5450 Firewall
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin> request certificate fetch

PAN-207629 On the Panorama management server, selective push fails to
managed firewalls if the managed firewalls are enabled with
multiple vsys and the Push Scope contains shared objects in
device groups.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206268 On the Panorama management server, the Auth Key field
is erroneously displayed when you configure the Panorama
Settings (Device > Setup > Management) as part of a
template or template stack configuration.

PAN-206253 For PA-3400 Series firewalls, the default log rate is set too
low and the max configurable log rate is incorrectly capped
resulting in the firewall not generating more than 6,826 logs
per second.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206243 The PA-220 firewall reaches the maximum disk usage
capacity multiple times a day, which requires a disk cleanup. A critical
system log (Monitor > Logs > System) is generated each time
the firewall reaches maximum disk usage capacity.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-205187 ElasticSearch may not start properly when a newly installed
Panorama virtual appliance powers on for the first time,
resulting in the Panorama virtual appliance being unable to
query logs forwarded from the managed firewall to a Log
Collector.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: Log in to the Panorama CLI and start the
PAN-OS software.

admin> request restart software

PAN-204663 On the Panorama management server, you are unable to
Context Switch from one managed firewall to another.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: After you Context Switch to a managed
firewall, you must first Context Switch back to Panorama
before you can continue to Context Switch to a different
managed firewall.

PAN-201855 On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-200019 On the Panorama management server, the Virtual Routers
(Network > Virtual Routers) setting is not available when
configuring a custom Panorama admin role (Panorama >
Admin Roles).
PAN-OS 10.2.2-h1 and later releases.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-199099 When decryption is enabled, Safari and Google Chrome
browsers on Mac computers running macOS Monterey or
later reject the server certificates firewalls present. The
browsers cannot validate the chain of trust for the certificates
because the Authority Key Identifier (AKID) of the server
certificates and the Subject Key Identifier (SKID) of the
forward trust certificate do not match.
Workaround: Use a forward trust certificate that does not
contain AKID or SKID extensions.

PAN-198174 When viewing traffic or threat logs from the firewall ACC
or Monitor, performing a reverse DNS lookup, for example,
when resolving IP addresses to domain names using the
Resolve Hostname feature, can cause the appliance to crash
and restart if DNS server settings have not been configured.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: Provide a DNS server setting for the firewall
(Device > DNS Setup > Services). If you cannot reference a
valid DNS server, you can add a dummy address.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196784 Palo Alto Networks® Next-Gen firewalls experience a logs
per second (LPS) degradation after upgrade to PAN-OS
10.2.2.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-196504 License deactivation fails for VM-Series firewalls licensed
using PA-VM Bundle 3 (BND3).

PAN-196146 The VM-Series firewall on Azure does not boot up with a
hostname (specified in an init-cfg.txt or user data) when
bootstrapped.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-195541 When a DNS request is submitted to the DNS Security
service for inspection, the dataplane pan-task process
(all_pktproc) might fail during the DNS request process, or
when the dataplane cache is reset, or if the cache output is
generated through the CLI, resulting in firewall crashes or the
inability/reduced capability to process network traffic.
The following CLI commands can trigger a crash of the
all_pktproc process:
• debug dataplane reset dns-cache all
• debug dataplane show dns-cache print
• show dns-proxy dns-signature cache
• clear dns-proxy dns-signature cache
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-194996 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, allocating
bandwidth for a remote network deployment fails (the OK
button is grayed out).
Workaround: Retry the operation.

PAN-194925 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, when making
changes in the Service Connection and Remote Networks
area, the configuration changes do not display in the Push
Scope during a commit.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: For service connection changes, make sure
that Service Setup is selected in the Push Scope before you
commit. For remote network changes, make sure that Remote
Networks is selected in the Push Scope before you commit.

PAN-194859 When using a 10.2.2 Panorama to manage a Panorama
Managed Prisma Access 3.1.2 deployment, after migrating
from a single tenant to a multi-tenant Prisma Access
deployment and making configuration changes, the Cloud
Services plugin shows No pending changes to commit
when you hover over the Commit tab, even though there are
pending changes to commit.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: The status shown when hovering over the
Commit tab is a cosmetic issue. Commit the pending changes,
if required.

PAN-194826 (WF-500 and WF-500-B appliance only) System log
forwarding does not work over a TLS connection.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-194708 URL filtering logs (Monitor > Logs > URL Filtering)
erroneously truncate a 16KB Header value and do not display
the Header values that follow the truncated 16KB header.
For example, a URL filtering log has 5 Headers. The second
Header has a 16KB value. In the URL filtering log, the first
header and the value are displayed, second Header value is
truncated, and remaining three headers are not displayed.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.2.2 while
having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-193251 If SAML is configured as the authentication method for
GlobalProtect, authentication on the Portal page is not
successful in the browser.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Use the GlobalProtect app installed on the
endpoint to authenticate.

PAN-190735 Certain webpages that use chunked-encoded data transfers
might not load properly when analyzed by Advanced URL
Filtering cloud inline categorization.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-190435 When you Commit a configuration change, the Task Manager
commit Status goes directly from 0% to Completed and
does not accurately reflect the commit job progress.

PAN-189425 On the Panorama management server, Export Panorama and
devices config bundle (Panorama > Setup > Operations) fails
to export. When the export fails, you are redirected to a new
window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-189380 After you successfully upgrade a PA-3000 Series firewall
to PAN-OS 10.2.0 or later release and Enterprise data
loss prevention (DLP) plugin 3.0.0 or later release, the first
configuration push from the Panorama management server
causes the firewall dataplane to crash.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Restart the firewall to restore dataplane
functionality.
1. Log in to the firewall CLI.
2. Restart the firewall.

admin> request restart system

PAN-189111 After deleting an MP pod and it comes up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of 0
(zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero
priority setting in the same broadcast domain.

PAN-188904 Certain web pages and web page contents might not properly
load when cloud inline categorization is enabled on the firewall.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-188489 On the Panorama management server, dynamic content updates
are not automatically pushed to VM-Series firewalls licensed using the
Panorama Software Firewall License plugin when Automatically push
content when software device registers to Panorama (Panorama >
Templates > Add Stack) is enabled.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet cable is
plugged in.

PAN-188064 The SCP Server Profile configuration (Devices > Server
Profiles > SCP) is not automatically deleted after downgrade from
PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-187685 On the Panorama management server, the Template Status
displays no synchronization status (Panorama > Managed Devices >
Summary) after a bootstrapped firewall is successfully added to
Panorama.
Workaround: After the bootstrapped firewall is successfully added to
Panorama, log in to the Panorama web interface and select Commit >
Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection profile
using Panorama and you commit all changes, the commit is successful
but the SCTP INIT option is not available in the Zone Protection
profile.
Workaround: Log out of the firewall and log in again to make the SCTP
INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP
plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP
plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.

admin> request plugins dlp reset

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under the
following condition: If the firewall is set to Hold client request for
category lookup and the action set to Reset-Both and the URL cache has
been cleared, the first request for inline cloud analysis will be
bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is
also a logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating the
management daemon and main routing daemon in the firewall during
commit.
Workaround: Do not use a logical router instance with no interfaces
bound to it.

PAN-187234 Certain web pages submitted for analysis by Advanced URL
Filtering cloud inline categorization might experience high latency.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic address
groups.
Workaround: Reboot the Panorama HA pair.

PAN-186134 On the Panorama management server, performing a Commit and
Push (Commit > Commit and Push) may intermittently not push the
committed configuration changes to managed firewalls.
Workaround: Select Commit > Push to Devices to push the committed
configuration changes to your managed firewalls.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama management
server, the device health resources (Panorama > Managed Devices >
Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group (Monitor > PDF
Reports > Report Group) which includes a SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage Report.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: To receive a scheduled report email for all other PDF
report types:
1. Select Monitor > PDF Reports > Report Groups and remove all SaaS
Application Usage reports from all Report Groups.
2. Select Monitor > PDF Reports > Email Scheduler and edit the
scheduled report email that contains only a SaaS Application Usage
report. For the Recurrence, select Disable and click OK.
Repeat this step for all scheduled report emails that contain only a
SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit and Push.

PAN-184702 On the Panorama management server, an M-700 appliance in
Log Collector mode fails to connect to Panorama when added as a
managed collector (Panorama > Managed Collectors).
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Log in to the M-700 CLI and recover the Log Collector
connectivity to Panorama.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before
adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the updates
and the mappings for the clients may become out of sync, which causes
the firewall to not correctly populate the Source User column in the
session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting
the peer port to forced 10M or 100M speed causes any multi-gigabit
RJ-45 ports on the firewall to go down if they are set to Auto.

PAN-180661 On the Panorama management server, pushing an unsupported
Minimum Password Complexity (Device > Setup > Management) to a managed
firewall erroneously displays commit time out as the reason the commit
failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the
Kubernetes cluster previously had a CN-Series as a DaemonSet
deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function is
unavailable displays at the bottom of the UI. These errors do not
affect the operation of Advanced URL Filtering or URL Filtering Inline
ML.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Configuration settings for URL Filtering Inline ML must be
applied through the CLI. The following configuration commands are
available:
• Define URL exceptions for specific web sites:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an HA4
communication link. Attempting to load PAN-OS 10.2.0 on the firewall
causes the PA-7000 100G NPC to go offline. As a result, the firewall
fails to boot normally and enters maintenance mode. HA Pairs of
Active-Passive and Active-Active firewalls are not affected.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile
Network Protection Profile, the traffic logs do not display network
slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces that
were associated with a virtual router were deleted, the configuration
change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172132 QoS fails to run on a tunnel interface (for example,
tunnel.1).
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed
Issues.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application > Value
> Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push) may fail when
an EDL (Objects > External Dynamic Lists) is configured to Check for
updates every 5 minutes due to the commit and EDL fetch processes
overlapping. This is more likely to occur when multiple EDLs are
configured to check for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-OS 10.2.2-h5 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.2-h4 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate. Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237935 Extended the offline PAN-DB, Panorama, and WildFire
certificates which were previously set to expire on September 2, 2024.

PAN-237876 Extended the firewall Panorama root CA certificate which
was previously set to expire on April 7th, 2024.

PAN-237871 (WF-500 appliances and PAN-DB private cloud deployments
only) Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/
requests with PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or
removed, the firewall will reconnect to the WildFire cloud to use the
newest certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent
certificates were set to expire on November 18, 2024. With this fix,
the expiration date has been extended to January 2032.

PAN-202450 Fixed an issue where the device-client-cert was set to
expire on December 31, 2023. With this fix, the expiration date has
been extended.

PAN-198372 Fixed an issue where the root-cert was set to expire on
December 31, 2023. With this fix, the expiration date has been
extended.

PAN-OS 10.2.2-h2 Addressed Issues


Issue ID Description

PAN-192999 A fix was made to address CVE-2022-0028.

PAN-OS 10.2.2-h1 Addressed Issues


Issue ID Description

PAN-195517 Fixed an issue where CommitAll operations from Panorama to
Prisma Access device groups failed due to missing configuration files.

PAN-194107 Fixed an issue where the expiry date for the Advanced Threat
Protection license was incorrect for BND3 payg VM-Series firewalls
on Amazon Web Services (AWS), Oracle Cloud Infrastructure (OCI),
Google Cloud Platform (GCP), and Microsoft Azure.

PAN-186075 (VM-Series firewalls only) Fixed an issue where the firewall rebooted
after receiving large packets while in DPDK mode on Azure virtual
machines running CX4 (MLx5) drivers.

PAN-OS 10.2.2 Addressed Issues


Issue ID Description

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-193579 Fixed an issue where new logs viewed from the CLI (show log
<log_type>) and new syslogs forwarded to a syslog server contained
additional, erroneous entries.

PAN-192930 Fixed an issue where, when the default port was not TCP/443,
implicitly used SSL applications were blocked by the Security policy as
an SSL application and did not shift to the correct application.

PAN-192880 Fixed an issue where, when the firewall was configured for jumbo
frames, an internal interface was not set with the correct MTU, which
caused byte frames larger than 1500 to be dropped when a DF bit was
set.

PAN-192725 Fixed an issue where the firewall failed to forward logs to Panorama
when configured with IPv6 addressing only.

PAN-192089 Fixed an issue on the web interface where the IPSec tunnel did not
gray out after disabling it.

PAN-191629 (PA-5450 firewalls only) Fixed an issue where the hourly summary
log was limited to 100,001 lines when summarized, which resulted in
inconsistent report results when using summary logs.

PAN-191513 Fixed an issue on multi-vsys firewalls where the DLP cloud service
continued to exclude an application added to a shared application
group (Objects > Application Filters) from non-file traffic inspection.
This issue occurred when the application was removed from the
application group or filter that was added to the App Exclusion List
(Objects > DLP > Data Filtering Profiles).

PAN-191470 Fixed an issue on Panorama where encrypted passwords were
sent to firewalls on PAN-OS 10.1 releases during a multi-device group
push, which caused client-based External Dynamic Lists (EDL) to fail.

PAN-191466 Fixed an issue where you were unable to use the web
interface to override IPsec tunnels pushed from Panorama.

PAN-191288 Fixed an issue where the firewall restarted due to a dnsproxy process
crash.

PAN-190811 (PA-5450 firewalls only) Fixed an issue where logs were forwarded
through the management interface instead of the configured log
interface to be used for forwarding.

PAN-190675 Fixed an IoT cloud connectivity issue with the firewall dataplane when
the Data Services service route was used and the egress interface had
VLAN tagging.

PAN-190492 Fixed an issue where the Panorama log collector group level SSH
settings were not migrated to the new format when upgrading from a
PAN-OS 9.1 release to a PAN-OS 10.0 release.

PAN-189429 Fixed a memory leak that occurred when enabling XFF
(x-forwarded-for) logging in a Security policy.

PAN-189395 (PA-400 Series firewalls only) Fixed an issue where running
a PAN-OS 10.2 release caused dataplane processes to restart
unexpectedly.

PAN-189010 Fixed an issue on Panorama where a deadlock in the configd
process caused both the web interface and the CLI to be inaccessible.

PAN-188872 Fixed an OOM condition caused by a memory leak issue on the
useridd process.

PAN-188833 Fixed an issue where shared address objects used as a
source or destination in policies were cloned but not freed back after
configuration commits.

PAN-188097 Fixed an issue where the firewall stopped allocating new
sessions with increments in the counter session_alloc_failure. This
was caused by a GPRS tunneling protocol (GTP-U) tunnel session aging
processing issue.

PAN-187558 Fixed an issue where the following error message flooded
the system log: Incremental update to DP failed.

PAN-187429 (PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430
firewalls only) Fixed an issue where the CLI and SNMP MIB walk did not
display the model and serial number of the fan tray and PSUs.

PAN-187151 Fixed an issue where the tunnel-monitoring interface was
incorrectly shown as up instead of down.

PAN-186913 Fixed an issue on Panorama where Validate Device Group
(Commit > Commit and Push) incorrectly issued a commit all operation
instead of a validate all operation. This issue occurred when multiple
device groups were included in the push.

PAN-186750 Fixed an issue where, after upgrading to a PAN-OS 10.1
release, SaaS reports generated on Panorama did not display
Applications at a glance and most charts were missing data on the
right side of the chart.

PAN-185844 Fixed an issue where Decryption Log entries were associated with the
wrong Security policy rule.

PAN-185558 Fixed an issue where Panorama log migration failed when old logs
migrated to a newer format. This was due to older indices failing to
close.

PAN-184474 Fixed an issue where, when the firewall had Advanced Routing
enabled, a static route remained active after an interface went down.

PAN-183579 Fixed an issue where SD-WAN path monitoring failed over the
interface directly connected to the ISP due to an unsupported ICMP
probe format.

PAN-183319 Fixed an issue on Panorama where commits remained at 99%
due to multiple firewalls sending out CSR signing requests every 10
minutes.

PAN-182087 Fixed an issue where commit failures occurred due to
validity checks performed against self-signing certificates not
evaluating whether Authentication Key Identifier and Subject Key
Identifier fields were present.

PAN-180396 Fixed an issue where Panorama displayed an error when
generating a ticket to disable GlobalProtect for Prisma Access.

PAN-180147 Fixed an issue where the bcm.log and
brdagent_stdout.log-<datestamp> files filled up the root disk space.

PAN-178450 Fixed an issue where icons weren't displayed for clientless VPN
applications.

PAN-177671 Fixed an issue where, when SIP traffic traversing the firewall was sent
with a high Quality of Service (QoS) differentiated service code (DSCP)
value, the DSCP value was reset to the default setting (CS0) for the
first data packet.

PAN-177455 (PA-7000 Series firewalls with HA clustering enabled and
using HA4 communication links only) Fixed an issue where loading
PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network
Processing Card) to go offline. As a result, the firewall failed to
boot normally and entered maintenance.

PAN-176156 Fixed an issue where executing the show running
resource-monitor with the ingress-backlogs option enabled displayed
the error message `Dataplane is not up or invalid target-dp(*.dp*)`.

PAN-174345 Fixed an issue where a process all_pktproc stopped
responding after upgrading the firewall.

PAN-OS 10.2.1 Known and
Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.1.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.1 Known Issues
• PAN-OS 10.2.1-h2 Addressed Issues
• PAN-OS 10.2.1-h1 Addressed Issues
• PAN-OS 10.2.1 Addressed Issues

PAN-OS 10.2.1 Known Issues


The following list includes only outstanding known issues specific to PAN-OS 10.2.1. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

WF500-5781 The WildFire appliance might erroneously generate and log
the following device certification error: Device certificate is
missing or invalid. It cannot be renewed.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6 address is
configured for the management interface but not for the cluster
interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled
use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected
> View) does not accurately reflect the current status of connected
WildFire appliances.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for the
application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive High
Availability (HA) configuration, managed devices (Panorama > Managed
Devices > Summary) display as out-of-sync on the passive HA peer when
configuration changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA peer.
2. Select Commit and Commit to Panorama the SD-WAN configuration
changes on the active HA peer.
On the passive HA peer, select Panorama > Managed Devices > Summary
and observe that the managed devices are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a manual
synchronization between the active and secondary HA peers.
request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface and select
Commit > Push to Devices and Push.

PAN-228273 On the Panorama management server in FIPS-CC mode, the
ElasticSearch cluster fails to come up and the show
log-collector-es-cluster health command displays the status is red.
This results in log ingestion issues for Panorama in Panorama only or
Log Collector mode.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no data and are
blank when predefined reports are included in the summary report.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group configuration object
with an identical name. For example, a Shared address object called
SharedAO1 and a vsys-specific address object also called SharedAO1.
2. Reference the Shared object in another Shared configuration. For
example, reference the Shared address object (SharedAO1) in a Shared
address group called SharedAG1.
3. Use the Shared configuration object with the reference in a
vsys-specific configuration. For example, reference the Shared address
group (SharedAG1) in a vsys-specific policy rule.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Select Panorama > Setup > Management and edit the Panorama
Settings to enable one of the following:
• Shared Unused Address and Service Objects with Devices: This option
pushes all Shared objects, along with device group specific objects,
to managed firewalls.
This is a global setting and applies to all managed firewalls, and may
result in pushing too many configuration objects to your managed
firewalls.
• Objects defined in ancestors will take higher precedence: This
option specifies that in the event of objects with the same name,
ancestor objects take precedence over descendant objects. In this
case, the Shared objects take precedence over the vsys-specific
object.
This is a global setting and applies to all managed firewalls.
In the example above, if the IP address for the Shared SharedAO1
object was 10.1.1.1 and the device group specific SharedAO1 was
10.2.2.2, the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the
device group configuration to allow only the Shared objects in your
configuration.

PAN-223488 Closed ElasticSearch shards are not deleted from a Panorama
M-Series or virtual appliance. This causes the ElasticSearch shard
purging to not work as expected, resulting in high disk usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any logs
if the ElasticSearch health status for any Log Collector (Panorama >
Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions for Correlation
Log settings (Device > Log Settings) are not displayed and cannot be
configured.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy rulebase
by dragging and dropping individual policy rules and then moving the
entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server Profiles >
Email) using SMTP over TLS and the Password includes an ampersand (&).

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when the M-600
appliance is rebooted. This causes the Managed Collector ES health
status (Panorama > Managed Collectors > Health Status) to be degraded.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Log in to the Panorama or Log Collector CLI experiencing
degraded ElasticSearch health and restart all ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-219644 Firewalls forwarding logs to a syslog server over TLS
(Objects > Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This results in
the M-600 appliance becoming unresponsive, consuming logging disk
space, and preventing new log ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security)
filters return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-215778 On the M-600 appliance in Management Only mode, XML API Get
requests for /config fail with the following error due to exceeding
the total configuration size supported on the M-600 appliance.
504 Gateway timeout
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous system
logs (Monitor > Logs > System) to alert that the M-Series appliance
memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed as
undefined undefined if you override an SSH Service Profile (Device >
Certificate Management > SSH Service Profile) Hostkey configured in a
Template from the Template Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat names
are used when querying the same threat in the Threat Monitor (Monitor
> App Scope > Threat Monitor) and ACC. This results in the ACC
displaying no data to display when you are redirected to the ACC after
clicking a threat name in the Threat Monitor and filtering the same
threat name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama > Administrators)
from Superuser to a Role-Based custom admin, or vice versa, does not
modify the access privileges of the administrator.

PAN-211531 On the Panorama management server, admins can still perform
a selective push to managed firewalls when Push All Changes and Push
for Other Admins are disabled in the admin role profile (Panorama >
Admin Roles).

PAN-209288 Certificates are not successfully generated using SCEP
(Device > Certificate Management > SCEP).

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device certificate
(Device > Setup > Management or Panorama > Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-440, PA-450, and PA-460 Firewalls
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5450 Firewall
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the
device certificate.

admin> request certificate fetch

PAN-207629 On the Panorama management server, selective push fails to
managed firewalls if the managed firewalls are enabled with
multiple vsys and the Push Scope contains shared objects in
device groups.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206268 On the Panorama management server, the Auth Key field
was erroneously displayed when you configure the Panorama
Settings (Device > Setup > Management) as part of a
template or template stack configuration.

PAN-206253 For PA-3400 Series firewalls, the default log rate is set too
low and the max configurable log rate is incorrectly capped,
resulting in the firewall not generating more than 6,826 logs
per second.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206243 The PA-220 firewall reaches the maximum disk usage
capacity multiple times a day, which requires a disk cleanup. A critical
system log (Monitor > Logs > System) is generated each time
the firewall reaches maximum disk usage capacity.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-205187 ElasticSearch may not start properly when a newly installed
Panorama virtual appliance powers on for the first time,
resulting in the Panorama virtual appliance being unable to
query logs forwarded from the managed firewall to a Log
Collector.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: Log in to the Panorama CLI and start the
PAN-OS software.

admin> request restart software

PAN-204663 On the Panorama management server, you are unable to
Context Switch from one managed firewall to another.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: After you Context Switch to a managed
firewall, you must first Context Switch back to Panorama
before you can continue to Context Switch to a different
managed firewall.

PAN-201855 On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194826 (WF-500 appliance only) System log forwarding does not
work over a TLS connection.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-194708 URL filtering logs (Monitor > Logs > URL Filtering)
erroneously truncate a 16KB Header value and do not display
the Header values that follow the truncated 16KB header.
For example, a URL filtering log has 5 Headers. The second
Header has a 16KB value. In the URL filtering log, the first
Header and its value are displayed, the second Header value is
truncated, and the remaining three Headers are not displayed.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-193251 If SAML is configured as the authentication method for
GlobalProtect, authentication on the Portal page is not
successful in the browser.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Use the GlobalProtect app installed on the
endpoint to authenticate.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.

PAN-190735 Certain webpages that use chunked-encoded data transfers
might not load properly when analyzed by Advanced URL
Filtering cloud inline categorization.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-190435 When you Commit a configuration change, the Task Manager
commit Status goes directly from 0% to Completed and
does not accurately reflect the commit job progress.

PAN-189425 On the Panorama management server, Export Panorama and
devices config bundle (Panorama > Setup > Operations) fails
to export. When the export fails, you are redirected to a new
window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-189395 Running any version of PAN-OS 10.2.1 on a PA-400
Series firewall can cause the dataplane process to restart
unexpectedly and trigger a crash.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-189380 After you successfully upgrade a PA-3000 Series firewall
to PAN-OS 10.2.0 or later release and Enterprise data
loss prevention (DLP) plugin 3.0.0 or later release, the first
configuration push from the Panorama management server
causes the firewall dataplane to crash.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Restart the firewall to restore dataplane
functionality.
1. Log in to the firewall CLI.
2. Restart the firewall.

admin> request restart system

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to the php.debug.log file taking
up too much space.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser you are logged into the Panorama
web interface, enter the following URL.
https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
availability (HA) peer if Panorama is in an HA configuration.

PAN-188904 Certain web pages and web page contents might not properly
load when cloud inline categorization is enabled on the
firewall.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-188489 On the Panorama management server, dynamic content
updates are not automatically pushed to VM-Series firewalls
licensed using the Panorama Software Firewall License plugin
when Automatically push content when software device
registers to Panorama (Panorama > Templates > Add Stack)
is enabled.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-188358 After triggering a soft reboot on an M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-188064 The SCP Server Profile configuration (Device > Server
Profiles > SCP) is not automatically deleted after downgrade
from PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.

admin> request plugins dlp reset

PAN-187429 On PA-3400 & PA-5400 series firewalls (minus the PA-5450),
the CLI and SNMP MIB walk do not display the Model and
Serial-number of the Fan tray and PSUs.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, if there is also a
logical router instance that uses the default configuration and
has no interfaces assigned to it, this will result in terminating
the management daemon and main routing daemon in the
firewall during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-187234 Certain web pages submitted for analysis by Advanced URL
Filtering cloud inline categorization might experience high
latency.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-186913 On the Panorama management server, Validate Device Group
(Commit > Commit and Push) erroneously issues a CommitAll
operation instead of a ValidateAll operation when multiple
device groups are included in the push and results in no
configuration validation.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Workaround: Validate device group configurations using one
of the following methods.
• Select only one device group when you Validate Device
Group for a Commit and Push to managed firewalls.
• To validate multiple device groups, select Commit >
Commit to Panorama first. After the device group
configuration is committed to Panorama, select Commit
> Push to Devices and Validate Device Group to validate
multiple device groups.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-186134 On the Panorama management server, performing a Commit
and Push (Commit > Commit and Push) may intermittently
not push the committed configuration changes to managed
firewalls.
Workaround: Select Commit > Push to Devices to push the
committed configuration changes to your managed firewalls.

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push.

PAN-184702 On the Panorama management server, an M-700 appliance in
Log Collector mode fails to connect to Panorama when added
as a managed collector (Panorama > Managed Collectors).
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Log in to the M-700 CLI and recover the Log
Collector connectivity to Panorama.

PAN-184474 When the firewall has Advanced Routing enabled, a static
route stays active after the interface goes down.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Workaround: For firewalls that support Bidirectional
Forwarding Detection (BFD), configure BFD for the static
route.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-181823 On a PA-5400 Series firewall (minus the PA-5450), setting the
peer port to forced 10M or 100M speed causes any
multi-gigabit RJ-45 ports on the firewall to go down if they are set
to Auto.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-178194 A user interface issue in PAN-OS renders the contents of
the Inline ML tab in the URL Filtering Profile inaccessible on
firewalls licensed for Advanced URL Filtering. Additionally, a
message indicating that a License required for URL filtering to
function is unavailable displays at the bottom of the UI. These
errors do not affect the operation of Advanced URL Filtering
or URL Filtering Inline ML.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-
Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-176156 Executing show running resource-monitor with the
ingress-backlogs option produces the following server
error: Dataplane is not up or invalid target-dp(*.dp*).
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).
This issue is now resolved by PAN-189643. See PAN-OS
10.2.4 Addressed Issues.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-OS 10.2.1-h2 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.

PAN-OS 10.2.1-h1 Addressed Issues


Issue ID Description

PAN-239241 Extended the root certificate for WildFire appliances to December 31,
2032.

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate. Fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-237871 (WF-500 appliances and PAN-DB private cloud deployments only)
Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-202450 Fixed an issue where the device-client-cert was set to expire
on December 31, 2023. With this fix, the expiration date has been
extended.

PAN-198372 Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-OS 10.2.1 Addressed Issues


Issue ID Description

WIF-495 Fixed an issue on Panorama where edits made to an existing data
filtering profile resulted in matching traffic not being detected by
Enterprise DLP.

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-190311 (PA-220 and PA-220R firewalls and PA-800 Series firewalls only) Fixed
an issue where management connectivity to the firewall was lost due
to the expiration of the DHCP lease, which caused the IP configuration
on the management port to be purged in PAN-OS 10.2.0. To upgrade,
download PAN-OS 10.2.0 (no installation), then download and install
PAN-OS 10.2.0-h1.

PAN-190175 and PAN-190223 A fix was made to address an OpenSSL infinite loop vulnerability in the
PAN-OS software (CVE-2022-0778).

PAN-189665 (FIPS-CC enabled firewalls only) Fixed an issue where the firewall was
unable to connect to log collectors after an upgrade due to missing
cipher suites.

PAN-189565 Fixed an issue after upgrading to PAN-OS 10.2 where the tund process
stopped responding on multiple GlobalProtect clients.

PAN-189468 Fixed an issue where the firewall onboard packet processor used
by the PAN-OS content-inspection (CTD) engine can generate
high dataplane resource usage when overwhelmed by a session
with an unusually high number of packets. This can result in
resource-unavailable messages due to the content inspection
queue filling up. Factors related to the likelihood of an occurrence
include enablement of content-inspection based features that are
configured in such a way that might process thousands of packets
in rapid succession (such as SMB file transfers). This can cause poor
performance for the affected session and other sessions using the
same packet processor. PA-3000 series and VM-Series firewalls are
not impacted.

PAN-189361 Fixed an issue where Panorama was unable to distribute antivirus
signature updates to firewalls with an Advanced Threat Prevention
license only.

PAN-189298 Fixed an issue where existing traffic sessions were not synced after
restarting the active dataplane when it became passive.

PAN-189230 (VM-Series firewalls only) Fixed an issue that caused the pan_task
process to stop responding with floating point exception (FPE) when
there was a module of 0 on the queue number.

PAN-189214 Fixed an issue that prevented antivirus signature update packages that
are normally available to install from displaying properly on the firewall
when the Advanced Threat Prevention license is present on a firewall
without a Threat Prevention license.

PAN-189206 Fixed an issue where Device Group and Template administrator roles
didn't support a context switch between the Panorama and firewall
web interfaces.

PAN-189106 Fixed an issue on Panorama where you were unable to successfully
downgrade to a PAN-OS 10.1 release unless you uninstalled the ZTP
Plugin 2.0.

PAN-189094 Fixed an issue where, after upgrading a CN-Series firewall from a
PAN-OS 10.1 release to PAN-OS 10.2.0, show session commands did not
return output.

PAN-189032 Fixed an issue where, when Advanced Routing was enabled on the
firewall, an OSPFv3 interface configured with the p2mp link type
caused commits to fail.

PAN-188956 Fixed an issue where, after a successful upgrade to PAN-OS 10.2,
logging into the firewall or Panorama web interface from the same
internet browser window or session from which the firewall or
Panorama was upgraded did not work.

PAN-188883 Fixed an issue where, when pre-generated license key files were
manually uploaded via the web interface, they weren't properly
recognized by PAN-OS and didn't display a serial number or initiate a
reboot.

PAN-188828 Fixed an intermittent issue where web pages and web page contents
did not properly load when cloud inline categorization was enabled.

PAN-188009 Fixed an issue where a firewall import to Panorama running a PAN-OS
10.1 release or a PAN-OS 10.2 release resulted in corrupted private
information when the master key was not used.

PAN-187846 Fixed an issue on Panorama where a selective push pushed an
incorrect configuration to the managed firewalls, which caused the
firewalls to display as out of sync. This issue occurred if the
Panorama-pushed version for the Shared Policy and Template configuration were
20 or more versions older than the current local running configuration
on Panorama.

PAN-187769 (VM-Series firewalls in Microsoft Azure environments only) Fixed a
Data Plane Development Kit (DPDK) issue where interfaces remained
in a link-down state after an Azure hot plug event. This issue occurred
due to a hot plug of Accelerated Networking interfaces on the Azure
backend caused by host updates, which led to Virtual Function
unregister/Register messages on the VM side.

PAN-186886 Fixed an issue where individual configuration objects were not
viewable after committing selective configuration changes on a
multi-vsys firewall.

PAN-186785 Fixed an issue where, after logging in, Panorama displayed a 500 error
page after five minutes of logging for dynamic group template admin
types with access to approximately 115 managed devices or 120
dynamic groups.

PAN-186516 Fixed an issue where log queries that included WildFire submission
logs returned more slowly than expected.

PAN-186487 Fixed an issue with snmpd.log overflow caused by continuous hourly
repeating errors.

PAN-186402 (PA-440 Series firewalls only) Fixed an issue where the firewall's
maximum tunnel limit was incorrect.

PAN-186137 (PA-3400 Series firewalls only) Fixed an issue where the firewall
management interface incorrectly displayed 10G port speed as
an option even though 10G speed is not supported and can't be
configured.

PAN-185616 Fixed an issue where the firewall sent fewer logs to the system log
server than expected. With this fix, the firewall accommodates a larger
send queue for syslog forwarding to TCP syslog receivers.

PAN-185164 Fixed an issue where processing corrupted IoT messages caused the
wificlient process to restart.

PAN-184224 Fixed an issue on Panorama where you were unable to select a
template variable in Templates > Device > Log Forwarding Card > Log
Forwarding Card Interface > Network > IP address location.

PAN-183826 Fixed an issue where, after clicking WildFire Analysis Report, the web
interface failed to display the report with the following error message:
refused to connect.

PAN-183567 Fixed an issue on Panorama where ZTP Plugin 2.0 was not available
for download before upgrading Panorama to PAN-OS 10.2.

PAN-182492 Fixed an issue where the WildFire analysis report was not viewable
from the firewall WildFire submission log entry page.

PAN-181839 Fixed an issue where Panorama Global Search reported No Matches
found while still returning results for matching entries on large
configurations.

PAN-181039 Fixed an issue with DNS cache depletion that caused continuous DNS
retries.

PAN-181031 Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT
pod eventually consumed a large amount of space in the /var/log/pan
because the old registered stale next-generation firewall logs were not
being cleared.

PAN-180338 Fixed an issue where the CTD loop count wasn't accurately
incremented.

PAN-180095 Fixed an issue where Panorama serial-number-based redistribution
agents did not redistribute HIP reports.

PAN-179966 Fixed an issue where, after upgrading to a PAN-OS 8.1 release, the
port on the firewall stayed up, but the port on the connected device
reported down. This occurred because, on force mode, autoneg was
disabled by default. With this fix, autoneg is enabled by default on
force mode.

PAN-179420 Fixed an issue on Panorama where a selective push to managed
firewalls failed after renaming an existing device group, template, or
template stack that was already pushed to the managed firewalls and
you selectively committed specific configuration objects from the
renamed device group, template, or template stack.

PAN-179321 A validation error was added to inform an administrator when a policy
field contained the value any.

PAN-178195 Fixed an issue where the URL filtering logs generated by traffic
analyzed by Advanced URL filtering cloud inline categorization didn't
display the URL name.

PAN-177072 Fixed an intermittent issue where Panorama did not show new logs
from firewalls.

PAN-176889 Fixed an issue where the log collector continuously disconnected from
Panorama due to high latency and a high number of packets in Send-Q.

PAN-176693 (M-300 and M-700 appliances only) Fixed an issue where the Activity
(ACT) LEDs on the RJ-45 ports did not blink when processing network
traffic.

PAN-174607 Fixed an intermittent issue where, when Security profiles were
attached to a policy, files that were downloaded across TLS sessions
decrypted by the firewall were malformed.

PAN-145833 (PA-3200 Series firewalls only) Fixed an issue where the firewall
stopped recording dataplane diagnostic data in dp-monitor.log after a
few hours of uptime.

PAN-OS 10.2.0 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.2.0.
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
• PAN-OS 10.2.0 Known Issues
• PAN-OS 10.2.0-h3 Addressed Issues
• PAN-OS 10.2.0-h2 Addressed Issues
• PAN-OS 10.2.0-h1 Addressed Issues
• PAN-OS 10.2.0 Addressed Issues

PAN-OS 10.2.0 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.2.0. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, CN-Series firewall,
and WildFire®, as well as known issues that apply more generally or that are not identified by an
issue ID.

Issue ID Description

WIF-495 On the Panorama management server, edits made to an
existing data filtering profile (Objects > DLP > Data Filtering
Profiles) can result in matching traffic not being detected by
Enterprise DLP.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

WF500-5754 In WildFire appliance clusters, issuing the show cluster
controller CLI command generates an error when an IPv6
address is configured for the management interface but not
for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are
enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632 The number of registered WildFire appliances reported in
Panorama (Panorama > Managed WildFire Appliances >
Firewalls Connected > View) does not accurately reflect the
current status of connected WildFire appliances.

PAN-264281 When upgrading a ZTP firewall from PAN-OS 10.2 to
PAN-OS 11.1 or later versions, if you use the To SW Version
column to specify the target PAN-OS version, the upgrade
process downloads and installs the intermediary base version
containing an expired root certificate. This causes the ZTP
firewall to lose connection with Panorama.
Workaround: Follow the standard upgrade process from
Panorama, which you use for non-ZTP firewalls, to upgrade
to the target PAN-OS version that contains the valid root
certificate.

PAN-260851 From the NGFW or Panorama CLI, you can override the
existing application tag even if Disable Override is enabled for
the application (Objects > Applications) tag.

PAN-250062 Device telemetry might fail at configured intervals due to
bundle generation issues.

PAN-243951 On the Panorama management server in an active/passive
High Availability (HA) configuration, managed devices
(Panorama > Managed Devices > Summary) display as
out-of-sync on the passive HA peer when configuration
changes are made to the SD-WAN (Panorama > SD-WAN)
configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
1. Log in to the Panorama web interface on the active HA
   peer.
2. Select Commit and Commit to Panorama the SD-WAN
   configuration changes on the active HA peer.
   On the passive HA peer, select Panorama > Managed
   Devices > Summary and observe that the managed devices
   are now out-of-sync.
3. Log in to the primary HA peer Panorama CLI and trigger a
   manual synchronization between the active and secondary
   HA peers.
   request high-availability sync-to-remote running-config
4. Log back in to the active HA peer Panorama web interface
   and select Commit > Push to Devices and Push.

PAN-241536 On the Panorama management server, a user with an Admin
Role is unable to modify or add filters to profiles under
Panorama > Network > Routing > Routing Profiles > Filters,
despite having the necessary read and write privileges.

PAN-227344 On the Panorama management server, PDF Summary Reports
(Monitor > PDF Reports > Manage PDF Summary) display no
data and are blank when predefined reports are included in
the summary report.

PAN-225337 On the Panorama management server, the configuration push
to a multi-vsys firewall fails if you:
1. Create a Shared and vsys-specific device group
   configuration object with an identical name. For example,
   a Shared address object called SharedAO1 and a
   vsys-specific address object also called SharedAO1.
2. Reference the Shared object in another Shared
   configuration. For example, reference the Shared address
   object (SharedAO1) in a Shared address group called
   SharedAG1.
3. Use the Shared configuration object with the reference
   in a vsys-specific configuration. For example, reference
   the Shared address group (SharedAG1) in a vsys-specific
   policy rule.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Select Panorama > Setup > Management and
edit the Panorama Settings to enable one of the following:
• Shared Unused Address and Service Objects with
  Devices—This option pushes all Shared objects, along
  with device group specific objects, to managed firewalls.
  This is a global setting and applies to all managed firewalls,
  and may result in pushing too many configuration objects
  to your managed firewalls.
• Objects defined in ancestors will take higher precedence—
  This option specifies that in the event of objects with
  the same name, ancestor objects take precedence over
  descendent objects. In this case, the Shared objects take
  precedence over the vsys-specific object.
  This is a global setting and applies to all managed firewalls.
  In the example above, if the IP address for the Shared
  SharedAO1 object was 10.1.1.1 and the device group
  specific SharedAO1 was 10.2.2.2, the 10.1.1.1 IP
  address takes precedence.
Alternatively, you can remove the duplicate address objects
from the device group configuration to allow only the Shared
objects in your configuration.

PAN-223488 Closed ElasticSearch shards are not deleted from a Panorama
M-Series or virtual appliance. This causes the ElasticSearch
shard purging to not work as expected, resulting in high disk
usage.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-223365 The Panorama management server is unable to query any
logs if the ElasticSearch health status for any Log Collector
(Panorama > Managed Collector) is degraded.
Workaround: Log in to the Log Collector CLI and restart
ElasticSearch.

admin> debug elasticsearch es-restart all

PAN-222586 On PA-5410, PA-5420, and PA-5430 firewalls, the Filter
dropdown menus, Forward Methods, and Built-In Actions
for Correlation Log settings (Device > Log Settings) are not
displayed and cannot be configured.

PAN-222253 On the Panorama management server, policy rulebase
reordering when you View Rulebase by Groups (Policy >
<policy-rulebase>) does not persist if you reorder the policy
rulebase by dragging and dropping individual policy rules and
then moving the entire tag group.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-221775 A Malformed Request error is displayed when you Test
Connection for an email server profile (Device > Server
Profiles > Email) using SMTP over TLS and the Password
includes an ampersand (&).

PAN-221015 On M-600 appliances in Panorama or Log Collector mode, the
es-1 and es-2 ElasticSearch processes fail to restart when
the M-600 appliance is rebooted. This results in the Managed
Collector ES health status (Panorama > Managed Collectors >
Health Status) being degraded.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.
Workaround: Log in to the Panorama or Log Collector CLI
experiencing degraded ElasticSearch health and restart all
ElasticSearch processes.

admin> debug elasticsearch es-restart optional all

PAN-219644 Firewalls forwarding logs to a syslog server over TLS
(Objects > Log Forwarding) use the default Palo Alto Networks
certificate instead of the custom certificate configured on the
firewall.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-218521 The ElasticSearch process on the M-600 appliance in Log
Collector mode may enter a continuous reboot cycle. This
results in the M-600 appliance becoming unresponsive,
consuming logging disk space, and preventing new log
ingestion.
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues.

PAN-217307 The following Security policy rule (Policies > Security) filters
return no results:
log-start eq no
log-end eq no
log-end eq yes
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues.

PAN-215778 On the M-600 appliance in Management Only mode, XML
API Get requests for /config fail with the following error
due to exceeding the total configuration size supported on
the M-600 appliance.
504 Gateway timeout
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-215082 M-300 and M-700 appliances may generate erroneous
system logs (Monitor > Logs > System) to alert that the
M-Series appliance memory usage limits are reached.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-213746 On the Panorama management server, the Hostkey displayed
as undefined undefined if you override an SSH Service
Profile (Device > Certificate Management > SSH Service
Profile) Hostkey configured in a Template from the Template
Stack.

PAN-213119 PA-5410 and PA-5420 firewalls display the following error
when you view the Block IP list (Monitor > Block IP):
show -> dis-block-table is unexpected

PAN-212889 On the Panorama management server, different threat
names are used when querying the same threat in the Threat
Monitor (Monitor > App Scope > Threat Monitor) and ACC.
This results in the ACC displaying No data to display
when you are redirected to the ACC after clicking a threat
name in the Threat Monitor and filtering the same threat
name in the Global Filters.

PAN-212533 Modifying the Administrator Type for an existing
administrator (Device > Administrators or Panorama >
Administrators) from Superuser to a Role-Based custom
admin, or vice versa, does not modify the access privileges of
the administrator.

PAN-211531 On the Panorama management server, admins can still
perform a selective push to managed firewalls when Push
All Changes and Push for Other Admins are disabled in the
admin role profile (Panorama > Admin Roles).

PAN-209937 Administrator accounts that use certificate-based
authentication may be unable to log in to the Panorama or firewall
web interface, with the following error:
Bad Request - Your browser sent a request
that this server could not understand

PAN-208325 The following NextGen firewalls and Panorama management
server models are unable to automatically renew the device
certificate (Device > Setup > Management or Panorama >
Setup > Management).
• M-300 and M-700
• PA-410 Firewall
• PA-440, PA-450, and PA-460 Firewalls
• PA-3400 Series
• PA-5410, PA-5420, and PA-5430 Firewalls
• PA-5450 Firewall
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Log in to the firewall CLI or Panorama CLI and
fetch the device certificate.

admin> request certificate fetch

PAN-207629 On the Panorama management server, selective push fails to
managed firewalls if the managed firewalls are enabled with
multiple vsys and the Push Scope contains shared objects in
device groups.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206909 The Dedicated Log Collector is unable to reconnect to the
Panorama management server if the configd process
crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector
connection Status (Panorama > Managed Collector)
displaying connected and the managed collector Health
status displaying as healthy.
This results in the local Panorama config and system logs not
being forwarded to the Dedicated Log Collector. Firewall log
forwarding to the disconnected Dedicated Log Collector is
not impacted.
Workaround: Restart the mgmtsrvr process on the
Dedicated Log Collector.
1. Log in to the Dedicated Log Collector CLI.
2. Confirm the Dedicated Log Collector is disconnected from
   Panorama.

   admin> show panorama-status

   Verify the Connected status is no.
3. Restart the mgmtsrvr process.

   admin> debug software restart process management-server

PAN-206268 On the Panorama management server, the Auth Key field
was erroneously displayed when you configure the Panorama
Settings (Device > Setup > Management) as part of a
template or template stack configuration.

PAN-206253 For PA-3400 Series firewalls, the default log rate is set too
low and the max configurable log rate is incorrectly capped
resulting in the firewall not generating more than 6,826 logs
per second.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-206243 The PA-220 firewall reaches the maximum disk usage
capacity multiple times a day, which requires a disk cleanup. A
critical system log (Monitor > Logs > System) is generated each time
the firewall reaches maximum disk usage capacity.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-205187 ElasticSearch may not start properly when a newly installed
Panorama virtual appliance powers on for the first time,
resulting in the Panorama virtual appliance being unable to
query logs forwarded from the managed firewall to a Log
Collector.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: Log in to the Panorama CLI and start the
PAN-OS software.

admin> request restart software

PAN-204663 On the Panorama management server, you are unable to
Context Switch from one managed firewall to another.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.
Workaround: After you Context Switch to a managed
firewall, you must first Context Switch back to Panorama
before you can continue to Context Switch to a different
managed firewall.

PAN-201855 On the Panorama management server, cloning any template
(Panorama > Templates) corrupts certificates (Device >
Certificate Management > Certificates) with the Block
Private Key Export setting enabled across all templates. This
results in managed firewalls experiencing issues wherever the
corrupted certificate is referenced.
For example, you have template A, B, and C where templates
A and B have certificates with the Block Private Key Export
setting enabled. Cloning template C corrupts the certificates
with Block Private Key Export setting enabled in templates A
and B.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: After cloning a template, delete and re-import
the corrupted certificates.

PAN-199557 On M-600 appliances in an Active/Passive high availability
(HA) configuration, the configd process restarts due to a
memory leak on the Active Panorama HA peer. This causes
the Panorama web interface and CLI to become unresponsive.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.
Workaround: Manually reboot the Active Panorama HA
peer.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196720 During the CN-Series firewall deployment on Oracle
OKE platform, when you delete the deployment by deleting
yamls, the MP/DP pods are stuck in Terminating state.
Workaround: Delete the CN-Series DP pods, MP pods, and
then the pan-cni yaml file in a sequential order.

PAN-194826 (WF-500 appliance only) System log forwarding does not
work over a TLS connection.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-193251 If SAML is configured as the authentication method for
GlobalProtect, authentication on the Portal page is not
successful in the browser.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Use the GlobalProtect app installed on the
endpoint to authenticate.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.

PAN-191570 The Traffic Activity and SSL/TLS widgets in the ACC
erroneously display Report Error if there is no SSL data to
display.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-190435 When you Commit a configuration change, the Task Manager
commit Status goes directly from 0% to Completed and
does not accurately reflect the commit job progress.

PAN-190311 (PA-220 and PA-220R firewalls and PA-800 Series firewalls
only) There is an issue where management connectivity to the
firewall is lost due to the expiration of the DHCP lease, which
causes the IP configuration on the management port to be
purged.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-189425 On the Panorama management server, Export Panorama and
devices config bundle (Panorama > Setup > Operations) fails
to export. When the export fails, you are redirected to a new
window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-189395 Running any version of PAN-OS 10.2 on a PA-400
Series firewall can cause the dataplane process to restart
unexpectedly and trigger a crash.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-189380 After you successfully upgrade a PA-3000 Series firewall
to PAN-OS 10.2.0 or later release and Enterprise data
loss prevention (DLP) plugin 3.0.0 or later release, the first
configuration push from the Panorama management server
causes the firewall dataplane to crash.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.
Workaround: Restart the firewall to restore dataplane
functionality.
1. Log in to the firewall CLI.
2. Restart the firewall.

   admin> request restart system

PAN-189361 Panorama is unable to distribute antivirus signature updates
to firewalls with only an Advanced Threat Prevention
license. Firewalls with previously installed and active Threat
Prevention license are unaffected.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-189298 On deploying the HA with 10.2.0-98 in Packet-mmap mode,
the session sync for an existing session fails after restarting an
active DP in Packet-mmap mode.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-189214 When the Advanced Threat Prevention license is present on
a firewall without a Threat Prevention license, the antivirus
signature update packages that are normally available to
install under Device > Dynamic Updates are not displayed.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Workaround: Use the request anti-virus upgrade
{info | download | install} CLI commands
to retrieve a list of available antivirus updates and the
download and installation status, download specific antivirus
packages, and to install antivirus packages. Optionally, you
can schedule recurring automatic updates using the following
CLI command: set deviceconfig system update-schedule anti-virus recurring.

PAN-189206 Device Group and Template administrator roles don't support
a context switch between the Panorama and firewall web
interface.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Workaround: Use a Superuser or Panorama administrator role
to context switch.

PAN-189111 After an MP pod is deleted and comes back up, the show
routing command output appears empty and traffic stops
working.

PAN-189106 On the Panorama management server, you must uninstall
the ZTP Plugin 2.0 before you can successfully downgrade to
PAN-OS 10.1. After successful downgrade, you must reinstall
the latest ZTP Plugin 1.0 version.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Workaround: Before you downgrade Panorama to
PAN-OS 10.1, uninstall ZTP Plugin 2.0. After you successfully
downgrade Panorama to PAN-OS 10.1, re-install ZTP Plugin
1.0 and re-enable ZTP functionality.
1. Log in to the Panorama web interface.
2. Uninstall the ZTP Plugin.
3. Downgrade Panorama to PAN-OS 10.1.
4. Log in to the Panorama web interface.
5. Install the ZTP plugin.
6. Select Panorama > Zero Touch Provisioning and check
   (enable) ZTP.

PAN-189076 On a firewall with Advanced Routing enabled, OSPFv3 peers
using a broadcast link and a designated router (DR) priority of
0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a
non-zero priority setting in the same broadcast domain.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to the php.debug.log file taking
up too much space.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser you are logged into the Panorama
   web interface, enter the following URL.
   https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
   availability (HA) peer if Panorama is in a HA configuration.

PAN-189032 When the firewall has Advanced Routing enabled, an OSPFv3
interface configured with the p2mp link type causes the
commit to fail.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-188956 After successful upgrade to PAN-OS 10.2, logging in to the
firewall or Panorama web interface from the same Internet
browser window or session from which the firewall or
Panorama was upgraded displays the following error:
Your login session has expired and you have
been logged out for security reasons. Please
log in again if you wish to continue.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Workaround: The following are different ways to log in to the
firewall or Panorama web interface after upgrading to
PAN-OS 10.2.
• Close the browser and log in to the firewall or Panorama
  web interface from an entirely new browser session.
• Clear your browser cache for the browser from which you
  upgraded the firewall or Panorama.
• Log in to the firewall or Panorama web interface from the
  browser in Incognito mode.
  If you upgraded the firewall or Panorama from a browser
  in Incognito mode, close the browser and log in to the
  firewall or Panorama web interface from an entirely new
  browser session.
• Log in to the firewall or Panorama web interface from a
  different browser than the one used to upgrade to
  PAN-OS.

PAN-188904 Certain web pages and web page contents might not properly
load when cloud inline categorization is enabled on the
firewall.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-188489 On the Panorama management server, dynamic content
updates are not automatically pushed to VM-Series firewalls
licensed using the Panorama Software Firewall License plugin
when Automatically push content when software device
registers to Panorama (Panorama > Templates > Add Stack)
is enabled.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-188358 After triggering a soft reboot on a M-700 appliance, the
Management port LEDs do not light up when a 10G Ethernet
cable is plugged in.

PAN-188064 The SCP Server Profile configuration (Devices > Server
Profiles > SCP) is not automatically deleted after downgrade
from PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187846 On the Panorama management server, a selective push
(Commit > Push to Devices > Push Changes Made By and
Commit > Commit and Push > Commit and Push Changes
Made By) may push an incorrect configuration to managed
firewalls causing the firewalls to display as Out of Sync if the
Panorama pushed version for the Shared Policy and Template
configuration (Panorama > Managed Devices > Summary)
is 20 or more versions older than the current local running
configuration on Panorama.
To determine the current configuration version, select
Panorama > Config Audit and expand the Local Running
config menu to review the list of Panorama configuration
versions.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.
Workaround: Push a more recent configuration to your
managed firewalls before performing a selective push.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-187643 If you enable SCTP security using a Panorama template when
SCTP INIT Flood Protection is enabled in the Zone Protection
profile using Panorama and you commit all changes, the
commit is successful but the SCTP INIT option is not available
in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make
the SCTP INIT option available on the web interface.

PAN-187612 On the Panorama management server, not all data profiles
(Objects > DLP Data Filtering Profiles) are displayed after
you:
• Upgrade Panorama to PAN-OS 10.2 and upgrade the
  Enterprise DLP plugin to version 3.0.
• Downgrade Panorama to PAN-OS 10.1 and downgrade
  the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP
plugin.
admin> request plugins dlp reset

PAN-187429 On PA-3400 & PA-5400 series firewalls (minus the PA-5450),
the CLI and SNMP MIB walk do not display the Model and
Serial-number of the Fan tray and PSUs.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-187407 The configured Advanced Threat Prevention inline cloud
analysis action for a given model might not be honored under
the following condition: If the firewall is set to Hold client
request for category lookup and the action set to Reset-Both
and the URL cache has been cleared, the first request for
inline cloud analysis will be bypassed.

PAN-187370 On a firewall with Advanced Routing enabled, a logical
router instance that uses the default configuration and has no
interfaces assigned to it causes the management daemon and
main routing daemon in the firewall to terminate during commit.
Workaround: Do not use a logical router instance with no
interfaces bound to it.

PAN-187234 Certain web pages submitted for analysis by Advanced URL
Filtering cloud inline categorization might experience high
latency.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-186913 On the Panorama management server, Validate Device Group
(Commit > Commit and Push) erroneously issues a CommitAll
operation instead of a ValidateAll operation when multiple
device groups are included in the push and results in no
configuration validation.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.
Workaround: Validate device group configurations using one
of the following methods.
• Select only one device group when you Validate Device
  Group for a Commit and Push to managed firewalls.
• To validate multiple device groups, select Commit >
  Commit to Panorama first. After the device group
  configuration is committed to Panorama, select Commit
  > Push to Devices and Validate Device Group to validate
  multiple device groups.

PAN-186886 Individual configuration objects cannot be viewed when you
commit selective configuration changes (Commit > Commit
Changes Made By) on a multi-vsys firewall.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 On HA deployments on AWS and Azure, Panorama fails to
populate match criteria automatically when adding dynamic
address groups.
Workaround: Reboot the Panorama HA pair.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-186137 The management interface of the PA-3400 Series firewall
incorrectly displays 10G port speed as an option. 10G speed
is not supported on the PA-3400 Series firewall management
port and cannot be configured.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-186134 On the Panorama management server, performing a Commit
and Push (Commit > Commit and Push) may intermittently
not push the committed configuration changes to managed
firewalls.
Workaround: Select Commit > Push to Devices to push the
committed configuration changes to your managed firewalls.

PAN-185966 The debug skip-cert-renewal-check-syslog yes
command is not available on Log Collector CLI to stop the
Dedicated Log Collector from trying to renew the device
certificate and displaying the following error:
No valid device certificate found

PAN-185286 (PA-5400 Series firewalls only) On the Panorama
management server, the device health resources (Panorama >
Managed Devices > Health) do not populate.
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues.

PAN-184708 Scheduled report emails (Monitor > PDF Reports > Email
Scheduler) are not emailed if:
• A scheduled report email contains a Report Group
(Monitor > PDF Reports > Report Group) which includes a
SaaS Application Usage report.
• A scheduled report contains only a SaaS Application Usage
Report.
Workaround: To receive a scheduled report email for all other
PDF report types:
1. Select Monitor > PDF Reports > Report Groups and
remove all SaaS Application Usage reports from all Report
Groups.
2. Select Monitor > PDF Reports > Email Scheduler and
edit the scheduled report email that contains only a SaaS
Application Usage report. For the Recurrence, select
Disable and click OK.
Repeat this step for all scheduled report emails that
contain only a SaaS Application Usage report.
3. Commit.
(Panorama managed firewalls) Select Commit > Commit
and Push.
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues.

PAN-184702 On the Panorama management server, an M-700 appliance in
Log Collector mode fails to connect to Panorama when added
as a managed collector (Panorama > Managed Collectors).
Workaround: Log in to the M-700 CLI and recover the Log
Collector connectivity to Panorama.
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues.

PAN-184474 When the firewall has Advanced Routing enabled, a static
route stays active after the interface goes down.
Workaround: For firewalls that support Bidirectional
Forwarding Detection (BFD), configure BFD for the static
route.

PAN-184406 Using the CLI to add a RAID disk pair to an M-700 appliance
causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb
process before adding a RAID disk pair to an M-700 appliance.

PAN-183567 On the Panorama management server, you must download
and install the ZTP Plugin 2.0 after successful upgrade to
PAN-OS 10.2. After upgrade to PAN-OS 10.2, the show
plugins installed command does not display the ZTP
plugin until you install ZTP Plugin 2.0.
Workaround: After Panorama successfully upgrades to
PAN-OS 10.2, manually download and install the ZTP Plugin 2.0.
1. Log in to the Panorama web interface.
2. Select Panorama > Plugins and search for the ztp plugin.
3. Download and Install ZTP Plugin 2.0.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-183404 Static IP addresses are not recognized when "and" operators
are used with IP CIDR range.

PAN-182734 On an Advanced Routing Engine, if you change the IPSec
tunnel configuration, BGP flaps.
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues.

PAN-182492 The WildFire analysis report cannot be viewed from the
firewall WildFire submission log entry page.
Workaround: You can retrieve the WildFire analysis reports
through the WildFire API or the WildFire portal.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-181933 If you use multiple log forwarding cards (LFCs) on the
PA-7000 series, all of the cards may not receive all of the
updates and the mappings for the clients may become out of
sync, which causes the firewall to not correctly populate the
Source User column in the session logs.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.

PAN-180104 When upgrading a CN-Series as a DaemonSet deployment to
PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT
pod if the Kubernetes cluster previously had a CN-Series as a
DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround: Reboot the worker nodes before upgrading to
PAN-OS 10.2.

PAN-179420 On the Panorama management server, a selective push
(Commit > Push to Devices > Push Changes Made By and
Commit > Commit and Push > Commit and Push Changes
Made By) to managed firewalls fails if you rename an existing
device group, template, or template stack that was already
pushed to your managed firewalls and you selectively
committed specific configuration objects from the renamed
device group, template, or template stack.
Workaround: After you rename the existing device group,
template, or template stack, Push (Commit > Push to Devices)
all configuration changes for the named device group,
template, or template stack.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-178195 The URL filtering logs generated by traffic analyzed by
Advanced URL filtering cloud inline categorization do not
display the name of the URL.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-177455 PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.2.0
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-
Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-176693 The Activity (ACT) LEDs on the RJ-45 ports of the M-300
and M-700 appliances do not blink while processing network
traffic.
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues.

PAN-176156 Executing show running resource-monitor with the
ingress-backlogs option produces the following server
error: Dataplane is not up or invalid target-dp(*.dp*).
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues.

PAN-175915 When the firewall is deployed on N3 and N11 interfaces in
5G networks and 5G-HTTP/2 traffic inspection is enabled in
the Mobile Network Protection Profile, the traffic logs do not
display network slice SST and SD values.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).
This issue is now resolved by PAN-189643. See PAN-OS
10.2.4 Addressed Issues.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171069 Local Log Collectors for Panorama management servers in
active/passive high availability (HA) configuration cannot be
added to the same Collector Group (Panorama > Collector
Groups).
Workaround: Before you upgrade your Panorama servers to
PAN-OS 10.1.0, configure HA (Panorama > High Availability),
add the local Log Collectors of the HA peers to the same
Collector Group, and upgrade to PAN-OS 10.1.0.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues.

PAN-163676 Next-Gen Firewalls are unable to connect to a syslog server
when the certificates required to connect to the syslog
server are part of a Certificate Profile (Device > Certificate
Management > Certificate Profile) if the Use OCSP setting is
enabled to check the revocation status of certificates.
Workaround: Enable Use CRL to check the revocation status
of certificates in the Certificate Profile.


PAN-OS 10.2.0-h3 Addressed Issues


Issue ID Description

PAN-252214 A fix was made to address CVE-2024-3400.


PAN-OS 10.2.0-h2 Addressed Issues


Issue ID Description

PAN-238792 Fixed the following device certificate issues:
• The firewall was unable to automatically renew the device
certificate; fetching device certificates failed incorrectly with the
error message OTP is not valid.
• Firewalls disconnected from Strata Logging Service after renewing
the device certificate.
• The device certificate was not correctly generated on the log
forwarding card (LFC).
• WildFire cloud logs did not log thermite certificate usage status.

PAN-237876 Extended the firewall Panorama root CA certificate which was
previously set to expire on April 7th, 2024.

PAN-237871 (WF-500 appliances and PAN-DB private cloud deployments only)
Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.

PAN-231771 Fixed an issue where the firewall issued /box/getserv/ requests with
PAN-OS 7.1.0 and did not take device certificates.

PAN-227568 When a device certificate is installed, renewed, or removed, the
firewall will reconnect to the WildFire cloud to use the newest
certificate.

PAN-215576 Fixed an issue where the userID-Agent and TS-Agent certificates
were set to expire on November 18, 2024. With this fix, the expiration
date has been extended to January 2032.

PAN-202450 Fixed an issue where the device-client-cert was set to expire
on December 31, 2023. With this fix, the expiration date has been
extended.

PAN-198372 Fixed an issue where the root-cert was set to expire on December
31, 2023. With this fix, the expiration date has been extended.


PAN-OS 10.2.0-h1 Addressed Issues


Issue ID Description

PAN-190311 (PA-220 and PA-220R firewalls and PA-800 Series
firewalls only) Fixed an issue where management
connectivity to the firewall was lost due to the expiration
of the DHCP lease, which caused the IP configuration on
the management port to be purged in PAN-OS 10.2.0. To
upgrade, download PAN-OS 10.2.0 (no installation), then
download and install PAN-OS 10.2.0-h1.


PAN-OS 10.2.0 Addressed Issues


Issue ID Description

PAN-231823 A fix was made to address CVE-2024-5916.

PAN-186143 Fixed an issue where no local changes could be made on a
ZTP-enabled device after an upgrade to PAN-OS 10.1.x.

PAN-182634 (PA-400 series firewalls only) Fixed an issue where the
firewall detected a Power Supply Unit (PSU) failure for
the opposite side when disconnecting a PSU from the
device. This issue occurred when redundant PSUs were
connected.

PAN-178165 Fixed an issue where the CLI command set system
setting ctd ctd-agent-assigned-cores 0 to
change assigned cores for the ctd-agent failed.

PAN-175950 Fixed an issue where IoT Security (without Strata Logging
Service) onboarding failed.

Related Documentation
Review the related documentation for PAN-OS 10.2.
To provide feedback on the documentation, write to us at:
[email protected].
• Related Documentation for PAN-OS 10.2


Related Documentation for PAN-OS 10.2


Refer to the PAN-OS® 10.2 documentation on the Technical Documentation portal for general
information on how to configure and use already-released features.
• PAN-OS 10.2 New Features Guide—Detailed information on configuring the features
introduced in this release.
• PAN-OS 10.2 Upgrade Guide—Provides considerations and steps to upgrade PAN-OS.
• PAN-OS 10.2 Administrator’s Guide—Provides the concepts and solutions to get the most out
of your Palo Alto Networks next-generation firewalls. This includes taking you through the
initial configuration and basic set up on your Palo Alto Networks firewalls.
• Panorama 10.2 Administrator’s Guide—Provides the basic framework to quickly set up the
Panorama™ virtual appliance or an M-Series appliance for centralized administration of the
Palo Alto Networks firewalls.
• PAN-OS 10.2 Networking Administrator’s Guide—Provides concepts and details around Palo
Alto Networks firewall networking solution.
• WildFire 10.2 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall
to forward samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire
private or hybrid cloud, and to monitor WildFire activity.
• VM-Series 10.2 Deployment Guide—Provides details on deploying and licensing the VM-Series
firewall on all supported hypervisors. It includes examples of supported topologies on each
hypervisor.
• GlobalProtect 10.1 Administrator’s Guide—Describes how to set up and manage
GlobalProtect™ features.
• PAN-OS 10.2 Web Interface Help—Detailed, context-sensitive help system integrated with the
firewall and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
