PAN-OS Release Notes

10.1.9-h1

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2020-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
March 7, 2023

PAN-OS Release Notes 10.1.9-h1 2 ©2023 Palo Alto Networks, Inc.


Table of Contents

Features Introduced in PAN-OS 10.1
    App-ID Features
    Management Features
    Panorama Features
    Networking Features
    Identity Features
    User-ID Features
    URL Filtering Features
    Content Inspection Features
    PAN-OS SD-WAN Features
    GlobalProtect Features
    Virtualization Features
    Mobile Infrastructure Security Features
    Hardware Features

Changes to Default Behavior
    Changes to Default Behavior in PAN-OS 10.1

Limitations
    Limitations in PAN-OS 10.1

Associated Content and Software Versions
    Associated Content and Software Versions for PAN-OS 10.1
    WildFire Analysis Environment Support for PAN-OS 10.1

PAN-OS 10.1.9 Known and Addressed Issues
    PAN-OS 10.1.9 Known Issues
    PAN-OS 10.1.9-h1 Addressed Issues
    PAN-OS 10.1.9 Addressed Issues

PAN-OS 10.1.8 Known and Addressed Issues
    PAN-OS 10.1.8 Known Issues
    PAN-OS 10.1.8-h2 Addressed Issues
    PAN-OS 10.1.8 Addressed Issues

PAN-OS 10.1.7 Known and Addressed Issues
    PAN-OS 10.1.7 Known Issues
    PAN-OS 10.1.7 Addressed Issues

PAN-OS 10.1.6 Known and Addressed Issues
    PAN-OS 10.1.6 Known Issues
    PAN-OS 10.1.6-h6 Addressed Issues
    PAN-OS 10.1.6-h3 Addressed Issues
    PAN-OS 10.1.6 Addressed Issues

PAN-OS 10.1.5 Known and Addressed Issues
    PAN-OS 10.1.5 Known Issues
    PAN-OS 10.1.5-h2 Addressed Issues
    PAN-OS 10.1.5-h1 Addressed Issues
    PAN-OS 10.1.5 Addressed Issues

PAN-OS 10.1.4 Known and Addressed Issues
    PAN-OS 10.1.4 Known Issues
    PAN-OS 10.1.4-h4 Addressed Issues
    PAN-OS 10.1.4-h2 Addressed Issues
    PAN-OS 10.1.4 Addressed Issues

PAN-OS 10.1.3 Known and Addressed Issues
    PAN-OS 10.1.3 Known Issues
    PAN-OS 10.1.3-h1 Addressed Issues
    PAN-OS 10.1.3 Addressed Issues

PAN-OS 10.1.2 Known and Addressed Issues
    PAN-OS 10.1.2 Known Issues
    PAN-OS 10.1.2 Addressed Issues

PAN-OS 10.1.1 Known and Addressed Issues
    PAN-OS 10.1.1 Known Issues
    PAN-OS 10.1.1 Addressed Issues

PAN-OS 10.1.0 Known and Addressed Issues
    PAN-OS 10.1.0 Known Issues
    PAN-OS 10.1.0 Addressed Issues

Related Documentation
    Related Documentation for PAN-OS 10.1


Features Introduced in PAN-OS 10.1
Review new features introduced in Palo Alto Networks PAN-OS® 10.1 software.
> App-ID Features
> Management Features
> Panorama Features
> Networking Features
> Identity Features
> User-ID Features
> URL Filtering Features
> Content Inspection Features
> PAN-OS SD-WAN Features
> GlobalProtect Features
> Virtualization Features
> Mobile Infrastructure Security Features
> Hardware Features

App-ID Features
New App-ID Feature / Description

App-ID Cloud Engine
With App-ID Cloud Engine (ACE), which powers our SaaS Security Inline subscription, you can now dramatically increase visibility and control of over 15,000 SaaS applications and their corresponding functions. Applications identified through ACE integrate seamlessly with Policy Optimizer to streamline incorporation of these new applications with the strongest possible security posture. New applications become available in PAN-OS as ACE defines them, with no need to wait for App-ID signature development. New ACE applications don’t break existing policy because the Security policy rules that previously controlled the applications continue to control them until you use ACE App-IDs in Security policy.

SaaS Policy Recommendation
SaaS Policy Recommendation works with next-generation firewalls that have a SaaS Security Inline subscription to provide SaaS visibility and security controls that prevent data security risks of unsanctioned SaaS app traffic traversing your network. With SaaS policy rule recommendations authored by the SaaS administrator and imported as policy rules by the firewall administrator, SaaS Policy Recommendation facilitates a seamless SaaS security workflow throughout your organization for improved security posture.

SaaS Security Inline Subscription
In combination with next-generation firewalls, the SaaS Security Inline subscription provides SaaS visibility and security controls that prevent data security risks of unsanctioned SaaS app traffic traversing your network. With SaaS policy rule recommendations authored by the SaaS administrator and imported as policy rules by the firewall administrator, SaaS Security Inline facilitates a seamless SaaS security workflow throughout your organization for an improved security posture.

Management Features
New Management Feature / Description

Audit Tracking for Administrator Activity
PAN-OS 10.1 allows you to track administrator activity in the web interface and command line interface (CLI) to understand where administrators navigated and what operational and debug commands were performed to maintain an audit history for compliance purposes. An audit log is generated and forwarded to your syslog server each time an administrator activity occurs, enabling near real-time reporting of activity.

Device Certificate for Cortex Data Lake
To reduce the number of certificates you need to install and manage to connect to Palo Alto Networks cloud services, you can now authenticate to Cortex Data Lake using a device certificate. This enables you to authenticate to Cortex Data Lake using the same certificate that you would use to connect to Cortex XDR, IoT Security, and Enterprise Data Loss Prevention. Devices using a device certificate follow a new process to onboard to Cortex Data Lake. Make sure to follow the onboarding process appropriate for your PAN-OS version and deployment style.

Packet Diagnostics Resource Protection
The Packet-Diag command improves and promotes best practices while debugging the firewall. The improvements give you more granular control, automatically safeguard against accidental resource depletion that can impact firewall performance, and reduce the amount of time it takes to analyze complex issues.
Packet-Diag logging is now automatically disabled:
• After a timeout setting (default 60 seconds).
• After a CPU buffer or threshold is reached.
Packet-Diag filters are also now automatically enabled.

OpenConfig Support
PAN-OS expands its automation capabilities to now support an interface based on the OpenConfig standard data models to simplify deploying firewalls in OpenConfig managed networks. The OpenConfig gNMI/gNOI service is provided through a plugin you can use to manage, configure, generate streaming telemetry, and carry out operational services on the firewall.

Persistent Uncommitted Changes on PAN-OS
All in-process configuration changes are preserved locally in the event your PAN-OS device or a PAN-OS management process restarts before the changes can be successfully committed. This ensures that your uncommitted configuration changes are not lost due to accidental reboots or process restarts, and reduces the operational burden of recreating your configuration changes when an unforeseen restart occurs.

Panorama Features
New Panorama Feature / Description

Authentication Key for Secure Onboarding
To strengthen the security of onboarding new firewalls, Log Collectors, and WildFire appliances running PAN-OS 10.1.0 and later releases, a device registration authentication key is required for mutual authentication between the Panorama management server and the firewall, Log Collector, or WildFire appliance on first connection. Each device registration authentication key configured on Panorama is unique and allows for customizable parameters such as the key lifetime and the number of times the key can be used before it becomes invalid.

Optimization for Deploying Changes to Multiple Virtual Systems of the Same Firewall
In PAN-OS 10.1, configuration pushes to multiple virtual systems of the same managed firewall running PAN-OS 10.1 are combined into a single commit operation on the firewall regardless of how many device groups the virtual systems are a part of. This optimization dramatically reduces the time required to deploy device group configuration changes to multiple virtual systems of a multi-vsys firewall managed by Panorama.

Scheduled Configuration Push to Managed Firewalls
In PAN-OS 10.1, you can now schedule configuration pushes to ease your operational overhead for any size deployment irrespective of location and maintenance window times. For example, scheduling your configuration pushes improves the efficiency of operations during short maintenance windows by eliminating human delays as well as speeding up change deployments to multi-vsys firewalls (with the optimization for multiple virtual systems described in the previous entry). The flexibility of scheduled configuration pushes allows you to create a one-time push or schedule recurring pushes to provide you with an automated way to deploy routine or pre-approved changes to your managed firewalls.

Unique Master Key for a Managed Firewall
Configure a unique master key for each firewall managed by the Panorama management server to ensure the configuration security of each firewall and ease the operational burden of updating the managed firewall master key. Configuring a unique master key for each managed firewall limits exposure if a master key is compromised.

Networking Features
Networking features in PAN-OS 10.1.

New Networking Feature / Description

LSVPN Cookie Expiry Extension
(PAN-OS 10.1.7 and later 10.1 Releases)
You can now configure the cookie expiration period from 1 to 5 years, while the default remains as 6 months. The encrypted cookie stored on a Large Scale VPN (LSVPN) satellite expires every 6 months. This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.
To reduce administrative overhead, we’ve extended the cookie expiration period from 6 months to 5 years.

Persistent NAT for DIPP
(PAN-OS 10.1.6 and later 10.1 Releases)
One type of source NAT is Dynamic IP and Port (DIPP). Some applications, such as VoIP, video, and others, use DIPP and may require Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with STUN. To alleviate those issues, persistent NAT for DIPP provides additional support for connectivity with such applications. When you enable persistent NAT for DIPP, the binding of a private source IP address and port to a specific public (translated) source IP address and port persists for subsequent sessions that arrive having that same original source IP address and port.

Aggregate Group Members on Multiple Cards
A PA-7050 or PA-7080 firewall that has an aggregate interface group configured using different line cards will correctly handle fragmented packets after you run the CLI operational command: set ae-frag redistribution-policy hash.

Network Packet Broker
You can now not only decrypt but also broker all traffic (decrypted TLS, non-decrypted TLS, and non-TLS) to a suite of vendor-agnostic security tools such as IPS, IDS, and SIEM devices for inspection. Network Packet Broker eliminates the need to purchase and maintain dedicated, single-function appliances to decrypt and manage security chain devices. You can filter and forward traffic to one chain or to multiple chains of security devices based on application, user, IP address, device, and zone. You can also load balance traffic and eliminate single points of failure. The feature enables you to consolidate security tools with overlapping functionality, which simplifies your network and reduces capital and operating expenses.

Support for Stronger SNMPv3 Encryption
SNMPv3 now supports stronger hashing and encryption algorithms to better meet your organization’s internal encryption policies. You can specify hashing algorithms from SHA-224 to SHA-512 for the Authentication Protocol, and encryption algorithms AES-192 and AES-256 for the Privacy Protocol when configuring SNMP or defining the SNMP Trap Server profile.
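
The binding behavior described in the Persistent NAT for DIPP entry above, shown as an added Python model that is not part of the release notes and is not PAN-OS code. The DippNat class, the addresses, and the port numbers are constructed for illustration; binding timeouts and port exhaustion are not modeled.

```python
"""Toy model of DIPP source NAT (added example; not PAN-OS code).

Compares per-session (symmetric) port allocation with a persistent
binding keyed on the original source IP address and port.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.10"             # constructed translated address
CLIENT = ("10.0.0.5", 5060)            # constructed private source IP/port
STUN_SERVER = ("198.51.100.1", 3478)   # constructed STUN server
MEDIA_PEER = ("198.51.100.77", 40000)  # constructed remote media peer


@dataclass
class DippNat:
    """Hypothetical NAT model; `persistent` toggles the binding behavior."""
    persistent: bool
    public_ip: str = PUBLIC_IP
    next_port: count = field(default_factory=lambda: count(20000))
    sessions: dict = field(default_factory=dict)   # (src, dst) -> translated
    bindings: dict = field(default_factory=dict)   # src -> translated

    def translate(self, src, dst):
        """Return the translated (ip, port) for a session from src to dst."""
        session = (src, dst)
        if session in self.sessions:
            # Packets of an existing session always keep their translation.
            return self.sessions[session]
        if self.persistent and src in self.bindings:
            # Persistent mode: a new session from the same original source
            # IP/port reuses the translated IP/port already bound to it.
            mapped = self.bindings[src]
        else:
            # Symmetric behavior: every new session gets a fresh port.
            mapped = (self.public_ip, next(self.next_port))
            if self.persistent:
                self.bindings[src] = mapped
        self.sessions[session] = mapped
        return mapped


def stun_view_matches_peer_view(nat):
    """Check whether the address STUN reports is the one a peer will see.

    The client first asks a STUN server for its translated address, then
    opens a second session from the same source IP/port to a media peer.
    STUN-based connectivity relies on both translations being identical.
    """
    reflexive = nat.translate(CLIENT, STUN_SERVER)
    seen_by_peer = nat.translate(CLIENT, MEDIA_PEER)
    return reflexive == seen_by_peer, reflexive, seen_by_peer


if __name__ == "__main__":
    for mode in (False, True):
        ok, reflexive, seen = stun_view_matches_peer_view(DippNat(persistent=mode))
        label = "persistent" if mode else "symmetric "
        print(f"{label}: STUN reported {reflexive}, peer saw {seen}, match={ok}")
```

In the symmetric case the peer sees a different translated port than the one STUN reported, which is the compatibility issue the entry refers to; with the persistent binding both sessions share one translated address and port.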


Identity Features
New Identity Feature / Description

Cloud Identity Engine
Managing multiple identity sources and providers is complex and time-consuming - not to mention the difficulties of merging on-premises sources with cloud-based services, as well as scaling your identity solution as business needs change. By combining Directory Sync, which provides group mapping for security policy, and the new Cloud Authentication Service, which simplifies user authentication, the Cloud Identity Engine reduces the complexity of deploying a comprehensive identity solution or transitioning from an on-premises LDAP authentication solution to a cloud-based identity provider (IdP). You can now reduce the attack surface by verifying user access at the time of authentication and having consistent visibility into both the IP address and the identity of the user, regardless of how the user authenticates on the network.

User-ID Features
New User-ID Feature / Description

Group mapping centralization for virtual system hubs
You can now use virtual system User-ID hubs to share group mapping information in addition to IP address-to-username mapping information, allowing you to more consistently enforce group-based policy. Configuring a virtual system as a hub allows you to use your multi-vsys environment to maximize the number of available mappings for each virtual system and simplify configuration.

URL Filtering Features


New URL Filtering Feature / Description

Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic
The firewall now inspects SSL/TLS handshakes to enforce Security policy as early as possible, addressing concerns that malicious actors may use the handshake to exfiltrate data. You can enable this functionality if you have a URL Filtering subscription, configure SSL/TLS decryption, and block specific URL categories in Security policy rules.

Advanced URL Filtering Security Subscription
The Advanced URL Filtering security subscription is a new, cloud-based ML-powered web security engine that protects against today’s most evasive and targeted web-based attacks. Advanced URL Filtering performs ML-based inspection of web traffic in real-time, reducing reliance on URL databases and out-of-band web crawling to detect and prevent advanced, file-less web-based attacks including targeted phishing, web-delivered malware and exploits, command-and-control, social engineering, and other types of web attacks.

Content Inspection Features


New Content Inspection Feature / Description

Additional Protections for Modern DNS-layer Attacks
DNS Security now features almost three times the number of protections against DNS-layer attacks as before, including several industry-first protections for attacks including ultra-slow DNS tunneling and dangling DNS. Other protections include NSNX DDoS attacks, fast-flux domains, dictionary DGA, DNS rebinding, and predictive detection of newly registered domains. Download the latest PAN-OS content release to take advantage of the new protections.

PAN-OS SD-WAN Features


PAN-OS SD-WAN features in PAN-OS 10.1.

New SD-WAN Feature / Description

Prisma Access Hub Support
As more internet services move to the cloud, PAN-OS Secure SD-WAN now offers security in the cloud using Prisma Access, in addition to security on-premises using PAN-OS firewalls. The SD-WAN hub-and-spoke topology now supports a Prisma Access hub. You can secure your internet traffic for specific applications at the branch location or in the cloud with Prisma Access and have this traffic fail over to any other VPN tunnel if necessary.

SD-WAN Support for AE and Subinterfaces
SD-WAN now allows you to combine multiple ISP services into an Aggregated Ethernet (AE) interface for link redundancy. The AE interface supports subinterfaces that you tag for different ISP services using Layer 3 VLAN tags to achieve end-to-end traffic segmentation.

SD-WAN Support for Layer 3 Subinterfaces
SD-WAN now allows you to combine multiple ISP services into an Ethernet interface. The interface supports subinterfaces that you tag for different ISP services using Layer 3 VLAN tags to achieve end-to-end traffic segmentation.

GlobalProtect Features
The following table describes new GlobalProtect features introduced in PAN-OS 10.1. For
features related to the GlobalProtect app, see the GlobalProtect App 5.2 Release Notes.

New GlobalProtect Feature / Description

Security Policy Enforcement for Inactive GlobalProtect Sessions
You can now enforce a security policy rule to track traffic from endpoints while end users are connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. With this enhancement, you can now enforce a shorter inactivity logout period. If a GlobalProtect session remains inactive during the configured time period, the session is automatically logged out and the VPN tunnel is terminated.

Support for Gzip Encoding in Clientless VPN
(Available with PAN-OS 10.1.2 and later 10.1 releases)
Palo Alto Networks next generation firewall adds support for Gzip encoding to Clientless VPN deployments. This enables Clientless VPN users to access internal or SaaS applications that use Gzip encoding. This enhancement also ensures that the Gzip-compressed web pages are displayed correctly when accessed through the Clientless VPN.

Virtualization Features
New Virtualization Feature / Description

Intelligent Traffic Offload service for VM-Series on KVM
Intelligent Traffic Offload service (ITO) is a Security subscription that, when configured with the BlueField-2 SmartNIC, increases capacity throughput for the VM-Series firewall. The ITO service inspects the first few packets of a new flow to determine whether it benefits from inspection. If not, the service offloads the flow to the SmartNIC, decreasing the load on the VM-Series firewall.
The VM-Series firewall and the SmartNIC must be installed on the same x86 physical host, and the VM-Series firewall must be deployed in virtual wire mode. Active/Passive HA is supported.

Address Family eXpress Data Path (AF-XDP) Support on CN-Series
To increase effective throughput, the CN-Series firewall can now leverage AF-XDP, an eBPF-based socket that is optimized for high performance packet processing suited to cloud native services.

DPDK Support for Different NIC Types
VM-Series firewalls now support multiple NIC types and multiple queues. You can configure both SR-IOV and DPDK for all hypervisors on cloud platforms that support multiple NIC types. In addition, a single NIC type with variable queues (available on some cloud platforms) is also supported.
Please contact Technical Support if you want to use this feature.

CN-Series Firewall as a Kubernetes Service
You can now deploy the CN-Series firewall as a Kubernetes service. In Kubernetes deployments with smaller nodes with more stringent resource constraints, deploying the CN-Series as a daemonset can be difficult. The challenges associated with predicting and provisioning the necessary resources can result in firewalls consuming more resources than required to support the traffic on the cluster. By deploying the CN-Series as a service, you can start with the right amount of resources and scale dynamically when necessary.
When deployed as a service, the CN-Series firewall provides complete Layer 7 visibility, application-level segmentation, and protection for traffic in your native Kubernetes, OpenShift, AKS, EKS, or GKE environments using native Kubernetes constructs.

Customize Dataplane Cores
Customize dataplane cores is an optional feature that allows you to customize the number of dataplane cores in two ways:
• During the initial deployment, use the init-cfg.txt file bootstrap parameter plugin-op-commands=set-dp-cores:<#-cores>.
• From a deployed firewall, using the VM-Series CLI command request plugins vm_series dp-cores <#-cores>.
Typically you increase the number of dataplane cores (which decreases the number of management plane cores) to improve performance.
• Dataplane core customization is supported on firewalls licensed with a Software NGFW credit pool for 10.0.4 and above, and running PAN-OS 10.1 or later.
• Dataplane core customization is not supported for:
    • NSX-T
    • Intelligent Traffic Offload

IPVLAN CNI L2 Support on the CN-Series Firewall on EKS
(Available with PAN-OS® 10.1.2 and later 10.1 releases)
You can now use IPVLAN in Layer 2 mode with your CN-Series deployment on EKS.

Increased Maximum Application Pods per CN-NGFW Node
(Available with PAN-OS® 10.1.9 and later 10.1 releases)
The CN-Series firewall deployed in Daemonset mode now secures up to 125 application pods per CN-NGFW node.

Mobile Infrastructure Security Features


New Mobile Infrastructure Security Feature / Description

5G Multi-access Edge Computing Security
For enterprises and service providers that use Multi-access Edge Computing (MEC) in 5G environments, 5G Multi-access Edge Computing Security not only provides the same level of security already available at the subscriber, equipment, and network slice level now for 5G networks, but also secures traffic at the protocol level through stateful inspection for Packet Forwarding Control Protocol (PFCP) traffic. This new level of security protects and secures devices and users that connect to MEC, as well as applications hosted on MEC, from attacks such as Denial of Service (DoS) and spoofing, as well as other potential threats such as vulnerabilities, malware, and viruses. 5G Multi-access Edge Computing Security delivers granular visibility and control, as well as context-based visibility into threats.

Hardware Features
Hardware features in PAN-OS 10.1.

New Hardware Feature / Description

PA-400 Series Firewalls
(The PA-410 firewall is available for PAN-OS 10.1.2 and later)
The PA-400 Series firewall is optimized for price and performance. The PA-400 Series provides faster boot times, higher performance, increased flexibility in deployments, improved SD-WAN integration, and cloud management.

PA-5450 Firewall
The PA-5450 firewall is a new high-end modular appliance that allows you to scale interfaces and data processing using Networking Cards (NCs) and Data Processing Cards (DPCs) to fit your deployment needs.


Changes to Default Behavior
Review the changes to default behavior for PAN-OS 10.1.

> Changes to Default Behavior in PAN-OS 10.1


Changes to Default Behavior in PAN-OS 10.1


The following table details the changes in default behavior upon upgrade to PAN-OS® 10.1.
You may also want to review the Upgrade/Downgrade Considerations before upgrading to this
release.

Feature Change

SSL Inbound Inspection The firewall now proxies all decrypted inbound
traffic to servers, so SSL Inbound Inspection
cannot decrypt some inbound sessions, such as
sessions with client authentication or pinned
certificates. In addition, the firewall does not
support High Availability sync for decrypted SSL
sessions.

Satellite Authentication Beginning with PAN-OS 10.1, satellites can no


longer perform initial authentication to the portal
using only the satellite serial number. Instead, the
satellite administrator must manually authenticate
to the portal using the username and password
associated with a local database authentication
profile to establish the initial connection with
the portal. Upon successful authentication, the
portal generates a satellite cookie, which it uses to
authenticate the satellite on subsequent sessions.
The cookie lifetime is 180 days, after which the
satellite administrator must manually authenticate
again in order for the portal to issue a new cookie.
This behavior is only supported on PAN-OS 10.1
or later releases. If you have a portal running 10.1
or later, with satellites running an earlier version
of PAN-OS, the satellites will no longer be able
to authenticate to the portal. Additionally, any
satellites running on PAN-OS 10.1 or later that
previously authenticated using serial numbers will
require manual authentication.

GlobalProtect App for Android Configuration from an MDM The keyword to configure Per-App VPN on
Android devices from an MDM changed from
block list and allow list to blocklist
and allowlist upon upgrade to PAN-OS 10.1.
You will need to change your MDM configuration
for this setting upon upgrade.

Authentication Key for Secure Onboarding A device registration authentication key is now
required to securely onboard new firewalls,
Log Collectors, and WildFire appliances
running PAN-OS 10.1.0 and later releases.
The device registration authentication key is
used for mutual authentication between the
Panorama management server and the firewall,
Log Collector, or WildFire appliance on first
connection. See the PAN-OS 10.1 New Features
Guide for more information.

Persistent Uncommitted Changes on PAN-OS On upgrade to PAN-OS 10.1, all uncommitted
configuration changes on firewalls and Panorama
are preserved if the management process, firewall,
or Panorama restarts before you can commit the
changes. This is supported for PA-Series and
VM-Series firewalls and Panorama M-Series and
virtual appliances.

Device Group Push from Panorama to a Multi-VSYS Firewall One or more device group pushes from Panorama
to multiple VSYS on a multi-VSYS firewall are
now bundled as a single commit job on the
managed firewall to reduce the overall commit job
completion time.

Software Next Generation Firewall Credits In PAN-OS 10.1 you can use Software Next
Generation Firewall credits to license VM-Series
firewalls deployed with up to 32 vCPUs.
Previously Software Next Generation Firewall
Credits could license no more than 16 vCPUs.

VM-700 Deployment on Hyper-V When a VM-700 is deployed on Hyper-V there
is a drop in performance if the host physical
function (PF) max transmission unit (MTU) is set
to 1504 while the device MTU is set to 1500 and
the device maximum segment size (MSS) is set to
1460. To work around this issue, set the host PF
MTU to 1500 and on the device, set the MTU to
1496 and the MSS to 1456.

Reduced Session Capacity on the PA-3260 The maximum number of sessions supported on
the PA-3260 firewall is reduced from 3M to
2.2M to preserve Dataplane memory.

Log Forwarding on the PA-7000 Series Firewall Beginning with PAN-OS 10.1, the PA-7000
Series Firewall only uses the logging port and the
corresponding log card (LPC or LFC) to forward
system and configuration logs.
System and configuration logs are not forwarded
if the corresponding log card (LPC or LFC) is not
configured.

SNMP Traps By default, SNMP Traps are now forwarded on
the logging port of the LFC introduced for the
PA-7000 Series and PA-5400 Series firewalls in
PAN-OS 10.1.
For PA-7000 Series firewalls, SNMP Traps are not
forwarded if the LFC is not configured.

Preview Changes After you upgrade Panorama to PAN-OS 10.1,
Preview Changes (Commit > Preview Changes)
shows that HIP Profiles called source-hip-any
and destination-hip-any were added to
each Security policy rule for any managed firewall
running PAN-OS 9.1 or earlier release instead of
hip-profiles-any. This is due to a change
to the XML file Panorama uses to compare the
running and candidate configurations in PAN-OS
10.0 and later releases. You can ignore this error
as the push will succeed.

Authentication Settings for Panorama Managed Firewalls If you configure the Failed Attempts
Authentication Setting (Device > Setup >
Management) for managed firewalls as part of
a template or template stack configuration on
Panorama, the minimum value for the setting is 1.

Window Size Customization Added to Replay Protection To allow you to customize the window size when
you Enable Replay Protection during IPSec tunnel
configuration, an Anti-Replay Window has been
added. You can select an anti-replay window size
of 64, 128, 256, 512, 1024, 2048, or 4096.
In addition, the default size of the anti-replay
window has been increased to 1024.

Scheduled Log Export (PAN-OS 10.1.5 and later releases) Scheduled log exports (Device > Log Export) may
not export logs as scheduled if multiple logs are
scheduled to export at the same time.
Workaround: When scheduling your log exports,
maintain at least 6 hours between each scheduled
log export.

Add a Device to Panorama Management After you successfully add a managed firewall
or Dedicated Log Collector to Panorama
management using the device registration auth
key, the managed firewall or Dedicated Log
Collector automatically disconnects and then
reconnects to Panorama using the certificate
provided by Panorama.
After the managed firewall or Dedicated Log
Collector automatically reconnects to Panorama,
the connection Status (Panorama > Managed
Devices > Summary or Panorama > Managed
Collectors) reflects the connection status
accurately.

Test SCP Server Connection (PAN-OS 10.1.9 and later releases) To test the SCP server connection when you
schedule a configuration export (Panorama >
Schedule Config Export) or log export (Device >
Scheduled Log Export), a new pop-up window is
displayed requiring you to enter the SCP server
clear text Password and Confirm Password to test
the SCP server connection and enable the secure
transfer of data.
You must also enter the clear text SCP server
Password and Confirm Password when you test
the SCP server connection from the firewall or
Panorama CLI.

admin> test scp-server-connection initiate <ip> username <username> password <clear-text-password>
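
The effect of the window size in the "Window Size Customization Added to Replay Protection" row above, shown with a sliding-window check of the kind RFC 4303 describes for ESP. This is an added example, not PAN-OS code; the class and function names and the arrival sequence are constructed for illustration.

```python
# Added example: sliding-window anti-replay check for ESP sequence numbers.
# Illustrative only; this is not how PAN-OS implements the feature.

ALLOWED_WINDOW_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)  # sizes listed in the row
DEFAULT_WINDOW_SIZE = 1024                                     # default stated in the row


class AntiReplayWindow:
    """Tracks which sequence numbers have been accepted on one IPSec SA."""

    def __init__(self, size=DEFAULT_WINDOW_SIZE):
        if size not in ALLOWED_WINDOW_SIZES:
            raise ValueError(f"unsupported anti-replay window size: {size}")
        self.size = size
        self.highest = 0              # highest sequence number accepted so far
        self.bitmap = 0               # bit i set => (highest - i) was accepted
        self._mask = (1 << size) - 1  # keeps the bitmap exactly `size` bits wide

    def check_and_update(self, seq):
        """Return a verdict for `seq` and record it when accepted.

        A real receiver runs this only after the packet's integrity check
        succeeds; otherwise forged packets could advance the window.
        """
        if seq <= 0:
            return "reject-invalid"        # ESP sequence numbers start at 1
        if seq > self.highest:             # new right edge: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything previously tracked fell out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "reject-too-old"        # left of the window: cannot be tracked
        if (self.bitmap >> offset) & 1:
            return "reject-replay"         # already accepted inside the window
        self.bitmap |= 1 << offset         # late but new: accept and mark it
        return "accept"


def constructed_arrivals():
    """Constructed arrival order: seq 50 is delayed by 250 packets, then
    seq 299 and seq 50 are each delivered a second time (replays)."""
    return list(range(1, 50)) + list(range(51, 301)) + [50, 299, 50]


def tail_verdicts(window_size, tail=3):
    """Verdicts for the last `tail` arrivals under the given window size."""
    window = AntiReplayWindow(window_size)
    verdicts = [window.check_and_update(seq) for seq in constructed_arrivals()]
    return verdicts[-tail:]


if __name__ == "__main__":
    for size in (64, 256, DEFAULT_WINDOW_SIZE):
        print(size, tail_verdicts(size))
```

With a 64-packet window the delayed packet is dropped as too old even though it was never seen; with 256 or the 1024 default it is accepted once and its replay is rejected.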


Limitations
Review limitations around Palo Alto Networks PAN-OS® 10.1 software.

Limitations in PAN-OS 10.1


The following are limitations associated with PAN-OS 10.1.

Issue ID Description

PAN-190727 (PA-5450 only) Log interfaces must be configured to
ensure they are not in the same subnetwork as the
management interface. Configuring both interfaces in
the same subnetwork can cause connectivity issues
and result in the wrong interface being used for log
forwarding.

PAN-187615 SSL/TLS session resumption fails on PA firewalls using
TLSv1.3 with an x25519 ECDSA key.
Workaround:
• Use an RSA certificate.
• If you must use an ECDSA certificate, send
secp521r1 as the elliptic curve parameter in the
Client Hello message.

PAN-186061 On the Panorama management server, pushing a
configuration change to managed firewalls fails if a
HIP Profile (Objects > GlobalProtect > HIP Profiles)
is associated with a Security (Policies > Security) or
Authentication (Policies > Authentication) policy rule.
This applies to:
• Panorama running PAN-OS 10.1.4 or earlier 10.1
release, managing firewalls running PAN-OS
10.0.9 or later 10.0 release where the Security and
Authentication policy rules were created from the
CLI.
• (SD-WAN) Panorama running PAN-OS 10.1.4 or
earlier 10.1 release, managing firewalls running PAN-OS
10.0.9 or later 10.0 release and are leveraging
the Panorama plugin for SD-WAN auto-generated
BGP policy.
Workaround: Remove any HIP Profiles associated
with a Security or Authentication policy rule from the
Panorama CLI.
1. Log in to the Panorama CLI.
2. Remove any HIP Profile associated with a policy rule.

admin> configure

Security policy rule command

admin# delete device-group <device-group-name> <pre-rulebase or post-rulebase> security rules <rule-name> hip-profiles

Authentication policy rule command

admin# delete device-group <device-group-name> <pre-rulebase or post-rulebase> authentication rules <rule-name> hip-profiles

3. Commit

admin# commit

Alternatively, upgrade to PAN-OS 10.1.5 or later
release to avoid needing to remove HIP Profile
association from your Security and Authentication
policy rules.
• Firewall or Panorama local commit may fail and
display the error hip-profiles unexpected here after
the following PAN-OS upgrades:
• From 10.0.x version to 10.0.9 or 10.1.5 version
• From 10.1.x version to 10.1.5 version
Workaround: Load the running configuration.
1. Log in to the Panorama CLI.
2. Load the running config.

admin> config

admin# load config from running-config.xml

admin# commit force

3. Push to your managed firewalls from Panorama.

Continue to the next step only if the push fails again.
4. Log in to the firewall CLI.
5. Load the running config.

admin> config

admin# load config from running-config.xml

admin# commit force

PAN-182912 Due to a change in default root partition threshold,
PAN-OS may print a critical log on a PA-7050 stating
that disk usage has exceeded the limit.
Workaround: Replace the first-generation PA-7050
SMC (Switch Management Card) with the second-
generation SMC-B.

PAN-175545 (PAN-OS 10.1.2 and later versions) The PA-410 does
not write session logs locally. As a result, the PAN-OS
Web Interface does not display any logs in the Monitor
tab.

PAN-174817 When an external dynamic list is added to an Anti-Spyware
Profile and configured as an allow list, the EDL
policy action of allow does not have precedence over
the domain policy action specified under DNS Security.
As a result, when there is a domain match to an entry
in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even
when the EDL is explicitly configured with an action of
Allow.
Workaround: Configure the EDL with an Alert action.
This generates threat logs on the firewall but will
apply the EDL action instead of DNS Security action.
Alternatively, add DNS domain exceptions to the
DNS Domain/FQDN Allow List located in the DNS
Exceptions tab in your Anti-Spyware Profile.

PAN-174784 Up to 100,000 daily summary logs can be processed
for Scheduled and Run Now custom reports (Monitor
> Manage Custom Reports) when configured for the
last calendar day. This can result in the generated report
not displaying all relevant log data generated in the last
calendar day.

PAN-174442 When a Certificate Profile (Device > Certificate
Management > Certificate Profile) is configured to
Block session if certificate status cannot be retrieved
within timeout, the firewall allows client certificate
validation to go through even if the CRL Distribution
Point or OCSP Responder is unreachable.
Workaround: You must also enable Block session if
certificate status is unknown to ensure Block session if
certificate status cannot be retrieved within timeout is
effective.

PAN-174038 In an SD-WAN configuration, when a GlobalProtect
Gateway is terminated on a loopback interface, if the
tunnel protocol is udp-encapsulated ESP (IPSec), the
return traffic from the Gateway toward the client
is load-balanced across all of the SD-WAN member
interfaces and cannot be subjected to an SD-WAN
policy.

PAN-172401 The PA-400 Series data port drops traffic when the
local link speed is forced to 10Mbs/100Mbs while the
remote peer link speed is set to autonegotiate.

PAN-172383 When the App-ID Cloud Engine (ACE) is enabled on
Panorama and you downgrade from PAN-OS 10.1 to
PAN-OS 10.0, it takes a longer time than expected
for the software installation to complete. The amount
of time depends on the size of the ACE configuration
(how many ACE App-IDs are used in Security policy,
either directly or through an Application Filter or an
Application Group).
The extra time is required to check for cloud application
references, including processing time to check
references for applications, application containers,
application types, and application tags across the entire
configuration. It also takes extra time to check for
redundancy between predefined (content-provided) and
cloud applications, and after all checks are complete,
to produce a list of ACE applications that you must
remove from Security policy before the downgrade can
succeed.

PAN-172302 (PAN-OS 10.1.0 and 10.1.1) The PA-400 Series
management port link goes down when a remote peer
link speed is set to Auto OFF or forced to 100Mbs.

PAN-171283 When you run the App-ID Cloud Engine (ACE) service
on firewalls in an HA cluster, after a cluster failover, the
sessions based on ACE App-IDs move to the failover
firewall. However, as with other applications, on failover
some session information is not retained.
For ACE App-IDs, the operational command
admin@pan-os-fw> show session id <session>
shows the application as being 0 instead
of showing the name of the application. This does not
affect Security policy enforcement after the failover.

PAN-171057 Policies > Security > Policy Optimizer > New App
Viewer displays rules that do not have new applications
if the functional applications are in an app container.
For example, a Security policy allow rule includes an app
container for the “exampleapp” application. The firewall
sees the functional application “exampleapp-post” for
the first time. Because the allow rule includes the new
app’s container, the firewall should not see it as a new
application. However, the New App Viewer shows the
rule as having seen a new application even though the
app container includes it in the rule.

PAN-168234 The Cisco TrustSec, Zero Touch Provisioning (ZTP),
and Enterprise Data Loss Prevention (DLP) plugins are
not supported on a Panorama™ management server in
FIPS-CC mode and cause a commit failure if installed on
Panorama in FIPS-CC mode.

PAN-167996 When the firewall downloads App-IDs from the App-ID
Cloud Engine, if the App-ID of a cloud-delivered
application is the same as the App-ID of a custom
application that already exists on the firewall, the
commit fails. (Two applications cannot have the same
App-ID.)
Workaround: Rename the custom application to
remove the conflict with the cloud-delivered App-
ID, or if the custom application and cloud-delivered
application are the same application, you can delete
the custom application and use the cloud-delivered
application.

PAN-167335 Only packets within the first client-to-server HTTP/1.0
and HTTP/1.1 transaction header sections are matched
against cloud-based App-ID signatures. This means that
after the first transaction, functional apps are identified
as base applications.

PAN-165116 When you Commit changes on the firewall, if you
configure a Security policy rule with an application that
has application dependencies (the application depends
on other applications to work) and you did not add the
application dependencies to the rule, a warning appears
that shows the application dependencies to add to
the rule. For example, if you configure a rule with the
“google-surveys-base” application but do not add the
application dependency “google-base” to the rule, the
commit warning appears.
For App-ID Cloud Engine (ACE) applications, the
application dependency warning only appears if you
add the ACE application to the rule directly or using an
Application Group. If you add ACE applications to the
rule using an Application Filter, then commit actions
don’t warn you if application dependencies are missing.

PAN-159293 Certificate Revocation List (CRL) in Distinguished
Encoding Rules (DER) format may erroneously return
errors for VM-Series firewalls despite being able to
successfully pull the CRL to verify that the syslog server
certificate is still valid.

PAN-152433 When you have an active/passive HA pair of PA-3200
Series firewalls running PAN-OS 10.0.0 with NAT
configured, if you upgrade one firewall to PAN-OS
10.0.1, the firewall goes to non-functional state due to a
NAT oversubscription mismatch between the HA peers.
The same non-functional state results if both HA peers
are running PAN-OS 10.0.1 and you downgrade one to
PAN-OS 10.0.0. The upgraded or downgraded firewall
goes to non-functional state because PAN-OS 10.0.0
and 10.0.1 have different default NAT oversubscription
rates.
Workaround: After an upgrade or downgrade, modify
the NAT oversubscription rate on one firewall so that
the rates on the HA pair match.

PAN-146573 PA-7000 Series firewalls configured with a large
number of interfaces experience impacted performance
and possible timeouts when performing SNMP queries.

PAN-121678 (PA-7000b Series only) The following error during
secure boot has no impact and can be ignored:
[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.
[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)
Maintenance Mode filesystem size: 2.0G

PAN-106675 After upgrading the Panorama management server to
PAN-OS 8.1 or a later release, predefined reports do
not display a list of top attackers.
Workaround: Create new threat summary reports
(Monitor > PDF Reports > Manage PDF Summary)
containing the top attackers to mimic the predefined
reports.

PAN-99845 After an HA firewall fails over to its HA peer, sessions
established before the failover might not undergo the
following actions in a reliable manner:
• SIP call modifications (some examples include
resuming a call that was on hold, transferring a call,
and picking up a parked call).
• Call tear-down.

PAN-41558 When you use a firewall loopback interface as
a GlobalProtect gateway interface, traffic is not
routed correctly for third-party IPSec clients, such as
strongSwan.
Workaround: Use a physical firewall interface instead
of a loopback firewall interface as the GlobalProtect
gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is
used as the GlobalProtect gateway to be in the same
zone as the physical ingress interface for third-party
IPSec traffic.
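
For the PAN-186061 workaround earlier in this table, the following added example (not Palo Alto Networks code) scans an exported Panorama configuration for Security and Authentication rules that carry a hip-profiles element and builds the delete commands from step 2 of that workaround. The XML layout, device group name, and rule names in the sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout (device-group > pre-rulebase or
# post-rulebase > security or authentication > rules > entry > hip-profiles)
# is an assumption that mirrors the CLI path used in the workaround; check it
# against your own exported configuration before relying on the output.
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="branch-dg">
          <pre-rulebase>
            <security>
              <rules>
                <entry name="allow-web">
                  <hip-profiles><member>any</member></hip-profiles>
                </entry>
                <entry name="allow-dns"/>
              </rules>
            </security>
          </pre-rulebase>
          <post-rulebase>
            <authentication>
              <rules>
                <entry name="auth-portal">
                  <hip-profiles><member>any</member></hip-profiles>
                </entry>
              </rules>
            </authentication>
          </post-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""

RULEBASES = ("pre-rulebase", "post-rulebase")
RULE_TYPES = ("security", "authentication")


def hip_profile_delete_commands(config_xml):
    """Return one configure-mode delete command per rule that has hip-profiles.

    Rules without a hip-profiles element are skipped. Names containing spaces
    would need quoting at the CLI; that case is not handled here.
    """
    root = ET.fromstring(config_xml)
    commands = []
    for group in root.iterfind("./devices/entry/device-group/entry"):
        for rulebase in RULEBASES:
            for rule_type in RULE_TYPES:
                path = f"./{rulebase}/{rule_type}/rules/entry"
                for rule in group.iterfind(path):
                    if rule.find("hip-profiles") is None:
                        continue
                    commands.append(
                        f"delete device-group {group.get('name')} {rulebase} "
                        f"{rule_type} rules {rule.get('name')} hip-profiles"
                    )
    return commands


if __name__ == "__main__":
    for command in hip_profile_delete_commands(SAMPLE_CONFIG):
        print(command)
```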

Associated Content and Software Versions
Review information about the associated content and software versions for Palo Alto
Networks PAN-OS® 10.1 software.

Associated Content and Software Versions for PAN-OS 10.1
The following minimum software and content release versions are compatible with PAN-OS 10.1.
To see a list of the next-generation firewall models that support PAN-OS 10.1, see the Palo Alto
Networks® Compatibility Matrix.

Palo Alto Networks Software or Content Release Version Minimum Compatible Version with PAN-OS 10.1

Panorama 10.1

User-ID Agent 10.1

Terminal Services (TS) Agent 10.1

GlobalProtect App 5.2

Applications and Threats Content Release Version 8408

VMware NSX Plugin Version 3.1.0

WildFire Analysis Environment Support for PAN-OS 10.1
The following WildFire guest VM images (analysis environments) are supported in the PAN-OS
10.1 release of WildFire. To upgrade the WildFire appliance, refer to: Upgrade a WildFire
Appliance.

WildFire Analysis Environment WildFire VM ID WildFire Appliance Guest VM Filename Minimum Compatible PAN-OS Version

Windows XP (Adobe Reader 11, Flash 11, Office 2010) vm-3 WFWinXpAddon3_m-1.0.0.xpaddon3* 8.0

Windows 7 x64 SP1 (Adobe Reader 11, Flash 11, Office 2010) vm-5 WFWin7_64Addon1_m-1.0.0.7_64addon1 8.0

WFWin7_64Base_m-1.0.0.7_64base 8.0 This is a required base VM image package for the proper function of the Windows 7 analysis environment.

Windows XP (Internet Explorer 8, Flash 11, Elink analysis support) vm-6** WFWinXpGf_m-1.0.0.xpgf 8.0

Windows 10 x64 (Adobe Reader 11, Flash 11, Office 2010) vm-7 WFWin10Base_m-1.0.0-c2.10base 10.0

• * This WildFire guest VM image comes preinstalled and is not available on the Palo Alto
Networks Support Portal for download.
• ** This WildFire analysis environment is not selectable through the WildFire appliance
CLI.


PAN-OS 10.1.9 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.9.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

PAN-OS 10.1.9 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.9. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-12041 On an OpenShift cluster, the MP pod may crash when the
number of underlying threads exceeds the per-pod
maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in
worker nodes.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-211728 For VM-Series firewalls leveraging SD-WAN and deployed
on VMware ESXi running VMX-13, Auto-Commits fail after
upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series
firewall before upgrade to PAN-OS 10.1.9.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2
while having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and Log
Collector are configured on the same subnetwork, the firewall
conducts log forwarding using the management interface
instead of the logging interface.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-179888 On the Panorama management server, the number of
managed firewall (Panorama > Managed Devices > Health)
Power Supplies displays an incorrect count of power
supplies.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses App-ID
Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this).

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays VM-
FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.
PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name   1   2   3   4   5   6   Total
---------------------------------------------
ready_dvf      2   0   0   0   0   0   2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the
VM-Series firewall. When the firewall is back up, verify that
multi-channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name   1   2   3   4   5   6   Total
---------------------------------------------
ready_dvf      1   1   0   0   0   0   2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done despite reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama >
SD-WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display
as out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an
SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the
VM-Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the
VM-Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal <direction>
<dst> | <src> in <object-name> command on a managed firewall
only returns address and address group objects pushed from
the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster, for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error: the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a
three-node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.9-h1 Addressed Issues


Issue ID Description

PAN-213661 Fixed an issue where memory allocation failure caused
dataplane processes to restart. This issue occurred when
decryption was enabled and the device was under heavy L7
usage.

PAN-211242 Fixed an issue where missed heartbeats caused the Data
Processing Card (DPC) and its corresponding Network
Processing Card (NPC) to restart due to internal packet
path monitoring failure.

PAN-210327 (PA-5200 Series firewalls only) Fixed an issue where, after
upgrading to PAN-OS 10.1.7, an internal loop caused an
increase in the packets received per second.

PAN-209069 Fixed an issue where IP addresses in the X-Forwarded-For
(XFF) field were not logged when the IP address
contained an associated port number.

PAN-209021 Fixed an issue where packets were fragmented when an SD-WAN
VPN tunnel was configured on aggregate ethernet
interfaces and sub-interfaces.

PAN-208987 (PA-5400 Series only) Fixed an issue where packets were
not transmitted from the firewall if its fragments were
received on different slots. This occurred when aggregate
ethernet (AE) members in an AE interface were placed on
a different slot.

PAN-207740 Fixed an issue that resulted in a race condition, which
caused the configd process to stop responding.

PAN-207400 Fixed an issue on Octeon-based platforms where
fragmented VLAN-tagged packets were dropped on an
aggregate interface.

PAN-205255 (PA-7000 Series firewalls only) Fixed a rare issue that
caused the dataplane to restart unexpectedly.

PAN-203137 (PA-5450 firewalls only) Fixed an issue where HSCI ports
did not come up when QSFP DAC cables were used.

PAN-186412 Fixed an issue where invalid packet-ptr was seen in
work entries.

PAN-OS 10.1.9 Addressed Issues


Issue ID Description

WIF-707 Fixed an issue where, when connections from the firewall to the cloud
took longer than expected, the connection timed out. With this fix, the
timeout was extended to accommodate slower networks.

PAN-210561 Fixed an issue where the all_task process repeatedly restarted due to
missed heartbeats.

PAN-210331 Fixed an issue where the firewall did not send device telemetry files to
Cortex Data Lake with the error message send the file to CDL
receiver failed.

PAN-210080 Fixed an issue where the useridd process stopped responding when
add and delete member parameters in an incremental sync query were
empty.

PAN-209226 Fixed an issue where the feature bits function reused shared memory,
which resulted in a memory allocation error and caused the dataplane
to go down.

PAN-209036 Fixed an issue where the dataplane restarted, which led to slot failures
occurring and a core file being generated.

PAN-208724 Fixed an issue where port pause frame settings did not work as
expected and incorrect pause frames occurred.

PAN-208718 Additional debug information was added to capture internal details
during traffic congestion.

PAN-208711 (PA-5200 Series firewalls only) The CLI command debug dataplane
set pow no-desched yes/no was added to address an issue
where the all_pktproc process stopped responding and caused traffic
issues.

PAN-208537 Fixed an issue where the licensed-device-capacity was
reduced when multiple device management license key files were
present.

PAN-208343 Fixed an issue where telemetry regions were not visible on Panorama.

PAN-208157 Fixed an issue where malformed hints sent from the firewall caused
the logd process to stop responding on Panorama, which caused a
system reboot into maintenance mode.

PAN-208037 Fixed an issue where NAT64 traffic using the reserved prefix
64:ff9b::/96 was incorrectly dropped when strict-ip-check
was enabled under zone protection.

PAN-207983 Fixed an issue on Panorama in Management Only mode where the
logdb database incorrectly collected traffic, threat, GTP, decryption,
and corresponding summary logs.

PAN-207940 Fixed an issue on platforms with RAID where disk checks were
performed weekly, which caused logs to incorrectly state that RAID was
rebuilding.

PAN-207891 Fixed an issue on Panorama where log migration did not complete
after an upgrade.

PAN-207738 Fixed an issue where the ocsp-next-update-time CLI command
did not execute for leaf certificates with certificate chains that did not
specify OCSP or CRL URLs. As a result, the next update time was 60
minutes even if a different time was set.

PAN-207623 Fixed an issue on Panorama where log migration did not complete as
expected.

PAN-207610 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where Log Admin Activity was not visible on the web interface.

PAN-207601 Fixed an issue where URL cloud connections were unable to resolve
the proxy server hostname.

PAN-207390 Fixed an issue where, even after disabling Telemetry, Telemetry
system logs were still generated.

PAN-207260 Fixed an issue where commit operations performed by a Device Group
and Template administrator reverted the passwords of other users in
the same role.

PAN-207045 (PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX
transceivers used on ports 5 to 8 did not renegotiate with peer ports
after a reload.

PAN-206858 Fixed an issue where a segmentation fault occurred due to the useridd
process being restarted.

PAN-206755 Fixed an issue where, when a scheduled multi-device group push occurred,
the configd process stopped responding, which caused the push to fail.

PAN-206684 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0
release to a PAN-OS 10.1 release, the firewall did not duplicate logs
to local log collectors or to Cortex Data Lake when a device certificate
was already installed.

PAN-206658 Fixed a timeout issue in the Intel ixgbe driver that resulted in internal
path monitoring failure.

PAN-206629 (VM-Series firewalls in AWS environments only) Fixed an issue where
newly bootstrapped firewalls did not forward logs to Panorama.

PAN-206393 (PA-5280 firewalls only) Fixed an issue where memory allocation
errors caused decryption failures that disrupted traffic with SSL
forward proxy enabled.

PAN-206251 (PA-7000 Series firewalls with LFCs only) Fixed an issue where the
logrcvr process did not send the system-start SNMP trap during
startup.

PAN-206233 Fixed an issue where the pan_comm process stopped responding when
a content update and a cloud application update occurred at the same
time.

PAN-206077 Fixed an issue on firewalls in active/active high availability (HA)
configurations where, after upgrading to PAN-OS 10.1.6-h6, the active
primary firewall did not send HIP reports to the active secondary
firewall.

PAN-206017 Fixed an issue where the show dos-protection rule command
displayed a character limit error.

PAN-205877 (PA-5450 firewalls only) Added debug commands for an issue where
a MAC address flap occurred on a neighbor firewall when connecting
both MGT-A and MGT-B interfaces.

PAN-205805 Fixed an issue where Generic routing encapsulation (GRE) traffic was
only allowed in one direction when tunnel content inspection (TCI) was
enabled.

PAN-205729 (PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue
where the CPLD watchdog timeout caused the firewall to reboot
unexpectedly.

PAN-205699 Fixed an issue where the cloud plugin configuration was automatically
deleted from Panorama after a reboot or a configd process restart.

PAN-205590 Fixed an issue where the fan tray fault LED light was on even though
no alarm was reported in the system environment.

PAN-205453 Fixed an issue where running reports or queries under a user group
caused the reportd process to stop responding.

PAN-205396 Fixed an issue where SD-WAN adaptive SaaS path monitoring did not
work correctly during a next hop link down failure.

PAN-205260 Fixed an issue where there was an IP address conflict after a reboot
due to a transaction ID collision.

PAN-205231 Fixed an issue where a commit operation remained at 55% for
longer than expected if more than 7,500 Security policy rules were
configured.

PAN-205222 Fixed an issue where you were unable to add a new application in a
selected policy rule.

PAN-205211 Fixed an issue where the reportd process stopped responding while
querying logs (Monitor > Logs > <logtype>).

PAN-205123 Fixed an issue where the pan_task process stopped responding due to
a timing issue during ECDSA processing.

PAN-205096 Fixed an issue where promoted sessions were not synced with all
cluster members in an HA cluster.

PAN-205030 Fixed an issue where, when a session that hit policy-based forwarding with
symmetric return enabled was not offloaded, the firewall received
excessive return-mac update messages, which resulted in resource
contention and traffic disruption.

PAN-204952 Fixed an issue where the GlobalProtect portal continued to
generate new authentication cookies even when a user had already
authenticated with a valid cookie.

PAN-204892 Fixed an issue on Panorama where the web interface was not
accessible and displayed the error 504 Gateway Not Reachable
due to the mgmtsrvr process not responding.

PAN-204749 Fixed an issue where sudden, large bursts of traffic destined for an
interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-204582 Fixed an issue where, when a firewall acting as a DHCP client received
a new DHCP IP address, the firewall did not release old DHCP IP
addresses from the IP address stack.

PAN-204581 Fixed an issue where, when accessing a web application via the
GlobalProtect Clientless VPN, the web application landing page
continuously reloaded.

PAN-204575 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the firewall did not forward logs to the log
collector.

PAN-204482 Fixed an issue where searching threat logs (Monitor > Logs > Threat)
using the partial hash parameter did not work, which resulted in
an invalid operator error.

PAN-204456 Fixed an issue related to the logd process that caused high memory
consumption.

PAN-204271 Fixed an issue where the quarantine device list did not display due to
the maximum memory being reached.

PAN-204238 Fixed an issue where, when View Rulebase as Groups was enabled,
the Tags field did not display a scroll down arrow for navigation.

PAN-204216 Fixed an issue where URL categorization failed and the firewall
displayed the URL category as not-resolved for all traffic and
the following error message was displayed in the device server
logs: Error(43): A libcurl function was given a bad
argument.

PAN-204118 Fixed an issue where browser sessions stopped responding for device
group template admin users with access domains that had many device
groups or templates.

PAN-204068 Fixed an issue where a newly created vsys (virtual system) in a
template was not able to be pushed from Panorama to the firewall.

PAN-203984 Fixed an issue where the logrcvr process restarted after the firewall
was power cycled or rebooted.

PAN-203964 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
went into maintenance mode due to downloading a corrupted
software image, which resulted in the error message FIPS-CC
failure. Image File Authentication Error.

PAN-203851 Fixed an issue with firewalls in HA configurations where host
information profile (HIP) sync did not work between peer firewalls.

PAN-203796 Fixed an issue where legitimate syn+ack packets were dropped after
an invalid syn+ack packet was ingressed.

PAN-203681 (Panorama appliances in FIPS-CC mode only) Fixed an issue where a
leaf certificate was unable to be imported into a template stack.

PAN-203618 Fixed an issue where, when SSL/TLS Handshake Inspection was
enabled, SSL/TLS sessions were incorrectly reset if a Security policy
rule with no Security profiles configured was matched.

PAN-203563 Fixed an issue with Content and Threat Detection allocation
storage space where performing a commit failed with a
CUSTOM_UPDATE_BLOCK error message.

PAN-203453 Fixed an issue on Panorama where the log query failed due to a high
number of User-ID redistribution messages.

PAN-203430 Fixed an issue where, when the User-ID agent had collector
name/secret configured, the configuration was mandatory on clients
on PAN-OS 10.0 and later releases.

PAN-203362 Fixed an issue where the rasmgr process restarted due to a null
reference.

PAN-203330 Fixed an issue where the certificate for an External Dynamic List (EDL)
incorrectly changed from invalid to valid, which caused the EDL file to
be removed.

PAN-203320 Fixed an issue where, when you configured the firewall to connect with
Panorama using an auth key and created the auth key without first adding
the managed firewall to Panorama, the auth key was incorrectly
decreased incrementally.

PAN-203244 Fixed a path monitoring issue that caused traffic degradation.

PAN-203147 (Firewalls in FIPS-CC mode only) Fixed an issue where the firewall
unexpectedly rebooted when downloading a new PAN-OS software
image.

PAN-202918 Fixed an issue where processing route-table entries did not work as
expected.

PAN-202722 Fixed an issue where the factor completion time for login events
learned through XML API displayed as 1969/21/31 19:00:00.

PAN-202593 Fixed an issue where expanding Global Find results displayed only the
top level and second level of a searched item.

PAN-202544 An enhancement was made to collect CPLD register data after a path
monitor failure.

PAN-202543 An enhancement was made to improve path monitor data collection by
verifying the status of the control network.

PAN-202361 Fixed an issue where packets queued to the pan_task process were still
transmitted when the process was not responding.

PAN-202339 (VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an
issue where the firewall displayed reduced throughput of SSL traffic.

PAN-202295 Fixed an issue where read-only superusers were unable to see the
Commit All job status, warnings, or errors for Panorama device groups.

PAN-202282 Fixed an issue where stats dump files did not display all necessary
reports.

PAN-202264 (VM-Series firewalls only) Fixed an issue where an automatic site
license activation for a PAYG license did not register in the Customer
Support Portal.

PAN-202248 Fixed an issue where, due to a tunnel content inspection (TCI) policy
match, IPSec traffic did not pass through the firewall when NAT was
performed on the traffic.

PAN-202247 Fixed an issue with firewalls in HA configurations where the
firewall dropped IKE SA connections if the peer firewall received an
INVALID_SPI message. This occurred even though no IKE SA was
associated with the SPI in the received INVALID-SPI payload.

PAN-202208 Fixed an issue where high CPU was experienced when requests from
the dataplane to the management plane for username and User ID
timed out.

PAN-202194 Fixed an SD-WAN link issue that occurred when Aggregate Ethernet
without a member interface was configured as an SD-WAN interface.

PAN-202140 Fixed an issue where the comm process stopped responding due to an
OOM condition.

PAN-202101 Fixed an issue where firewalls stopped responding after an upgrade
due to configuration corruption.

PAN-202040 (PA-220 firewalls only) Fixed an issue where ECDSA fingerprints were
not displayed.

PAN-202012 A debug command was introduced to control Gzip encoding for the
GlobalProtect Clientless VPN application.

PAN-201954 Fixed an issue where NAT policy rules were deleted on managed
devices after a successful push from Panorama to multiple device
groups. This occurred when NAT policy rules had device_tags selected
in the target section.

PAN-201910 PAN-OS security profiles might consume a large amount of memory
depending on the profile configuration and quantity. In some cases,
this might reduce the number of supported security profiles below the
stated maximum for a given platform.

PAN-201900 Fixed an internal path monitoring failure issue that caused the
dataplane to go down.

PAN-201701 Fixed an issue where the firewall generated system log alerts if the RAID
for a system or log disk was corrupted.

PAN-201639 Fixed an issue with SaaS Application Usage reports where Applications
with Risky Characteristics displayed only two applications per section.

PAN-201632 Fixed an issue where the all_task process stopped responding with a
segmentation fault due to an invalid interface port.

PAN-201587 Fixed an issue where the App Pcaps directory size was incorrectly
detected, which caused commit errors.

PAN-201580 Fixed an issue where the useridd process stopped responding due to
an invalid vsys_id request.

PAN-201360 Fixed an issue with Panorama managed log collector statistics where
the oldest logs displayed on the primary Panorama appliance and the
secondary Panorama appliance did not match.

PAN-201189 Added the max-kb filter for the show session info CLI command
to troubleshoot instances when the firewall went down due to
software packet buffer depletion.

PAN-201136 Fixed an issue where IGMP packets were offloaded with frequent
IGMP Join and Leave messages from the client.

PAN-200946 Fixed an issue with firewalls in active/passive HA configurations where
GRE tunnels went down due to recursive routing when the passive
firewall was booting up. When the passive firewall became active and
no recursive routing was configured, the GRE tunnel remained down.

PAN-200845 (M-600 Appliances in Management-only mode only) Fixed an issue
where XML API queries failed due to the configuration size being
larger than expected.

PAN-200822 Fixed an issue where reports were not generated in the docm file type.

PAN-200775 (VM-Series firewalls in Microsoft Azure environments only) Fixed
an issue where negotiation and speed were not displayed on Ethernet
interfaces.

PAN-200463 Fixed an issue where disabling strict-username-check did not
apply to admin users authenticating with SAML.

PAN-200160 Fixed a memory leak issue on Panorama related to the logd process
that caused an out-of-memory (OOM) condition.

PAN-200116 Fixed an issue where Elasticsearch displayed RED due to frequent
tunnel check failures between HA clusters.

PAN-200102 Fixed an issue on the firewall web interface that prevented
applications from loading under any policy or in any location where
application IDs were able to be refreshed.

PAN-200095 Fixed an issue where Panorama troubleshooting tests for log collector
connectivity did not return results from log collectors running PAN-OS
10.1 releases.

PAN-200035 Fixed an issue where the firewall reported General TLS Protocol
Error for TLSv1.3 when the firewall closed a TCP connection to the
server via a FIN packet without waiting for the handshake to complete.

PAN-199807 Fixed an issue where the dataplane frequently restarted due to high
memory usage on wifclient.

PAN-199661 (VM-Series firewalls in ESXI environments only) Fixed an issue where
the number of used packet buffers was not calculated properly, and
packet buffers displayed as a higher value than the correct value,
which triggered PBP Alerts. This occurred when the driver name was
not compatible with new DPDK versions.

PAN-199612 Fixed a sync issue with firewalls in active/active HA configurations.

PAN-199500 Fixed an issue where, when many NAT policy rules were configured,
the pan_comm process stopped responding after a configuration
commit due to a high number of debug messages.

PAN-199410 Fixed an issue where system logs for syslog activities were categorized
as general under Type and EVENT columns.

PAN-199214 Fixed an intermittent issue where downloading threat pcap via
XML API failed with the following error message:
/opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist.

PAN-199141 Fixed an issue where renaming a device group and then performing
a partial commit led to the device group hierarchy being incorrectly
changed.

PAN-199052 (PA-800 Series firewalls only) Fixed an issue where commit operations
took longer than expected. This fix improves the completion time for
commit operations.

PAN-198920 Fixed an issue where configuration changes caused a previously valid
interface ID to become invalid due to HA switchovers delaying the
configuration push.

PAN-198889 Fixed an issue where the logd process stopped responding if some
devices in a collector group were on a PAN-OS 10.1 device and others
were on a PAN-OS 10.0 release. This issue affected the devices on a
PAN-OS 10.0 release.

PAN-198718 (PA-5280 firewalls only) Fixed an issue where memory allocation
failures caused increased decryption failures.

PAN-198691 Added an alternate health endpoint to direct health probes on the
firewall (https://firewall/unauth/php/health.php) to address an issue
where /php/login.php performance was slow when large amounts
of traffic were being processed.

PAN-198575 Fixed an issue where data did not load when filtering by Threat Name
(ACC > Threat Activity).

PAN-198306 Fixed an issue where the useridd process stopped responding when
booting up the firewall.

PAN-198187 Fixed an issue where system logs (Monitor > System) did not display
the commit description after performing a commit and push to multiple
device groups from Panorama.

PAN-198174 Fixed an issue where, when viewing traffic or threat logs from the
Application Command Center (ACC) or Monitor tabs, performing a
reverse DNS lookup caused the dnsproxy process to restart if DNS
server settings were not configured.

PAN-198050 Fixed an issue where Connection to update server is successful
messages displayed even when connections failed.

PAN-198038 A CLI command was added to address an issue where long-lived
sessions were aging out even when there was ongoing traffic.

PAN-197953 Fixed an issue where the logd process stopped responding due
to forwarded threat logs, which caused Panorama to reboot into
maintenance mode.

PAN-197935 Fixed an intermittent issue where XML API IP address tag registration
failed on firewalls in a multi-vsys environment.

PAN-197919 Fixed an issue where, when path monitoring for a static route was
configured with a new Ping Interval value, the value was not used as
intended.

PAN-197877 Fixed an intermittent issue on Panorama where the distributord
process stopped responding.

PAN-197872 Fixed an issue where the useridd process generated false positive
critical errors.

PAN-197859 Fixed an issue on firewalls running LSVPN with tunnel monitoring
enabled where, after an upgrade to PAN-OS 9.1.14 or a later PAN-OS
release, LSVPN tunnels flapped.

PAN-197847 Fixed an issue where disabling the enc-algo-aes-128-gcm cipher
did not work when using an SSL/TLS profile.

PAN-197737 Fixed an issue where the connection to the PAN-DB server failed with
the following error message: Failed to send req type[3], curl
error: Couldn't resolve host name.

PAN-197729 Fixed an issue where repeated configuration pushes from Panorama
resulted in a management server memory leak.

PAN-197678 Fixed an issue where the dataplane stopped responding, which caused
internal path monitoring failure.

PAN-197649 Fixed an issue where failure logs for slot restarts caused by internal
path monitoring contained no debug logs.

PAN-197582 Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall
reset SSL connections that used policy-based forwarding.

PAN-197426 Fixed an issue on Panorama where, when attempting to view the
Monitor page, the error invalid term was displayed.

PAN-197383 Fixed an issue where, after upgrading to a PAN-OS 10.2 release, the
firewall ran a RAID rebuild for the log disk after every reboot.

PAN-197298 Fixed an issue where the audit comment archive for Security rule
changes output had overlapping formats.

PAN-197219 Fixed an issue where the following error message was not sent from
multi-factor authentication PingID and did not display in the browser:
Your company has enhanced its VPN authentication
with PingID. Please install the PingID app for iOS
or Android, and use pairing key:<key>. To connect,
type "ok".

PAN-197203 Fixed an intermittent issue where, if SSL/TLS Handshake Inspection
was enabled, multiple processes stopped responding when the firewall
was processing packets.

PAN-197121 Fixed an issue where incorrect user details were displayed under the
USER DETAIL drop-down (ACC > Network activity > User activity).

PAN-197097 Fixed an issue where LSVPN did not support IPv6 addresses on the
satellite firewall.

PAN-196954 Fixed a memory leak issue related to the distributord process.

PAN-196895 Fixed a timing issue with updating the cache when upgrading from a
PAN-OS 10.0 release to a PAN-OS 10.1 release.

PAN-196874 Fixed an issue where, when the firewall accepted ICMP redirect
messages on the management interface, the firewall did not clear the
route from the cache.


PAN-196840 Fixed an issue where exporting a Security policy rule that contained
Korean language characters to CSV format resulted in the policy
description being in a non-readable format.

PAN-196811 Fixed an issue where logout events without a username caused high
CPU usage.

PAN-196701 Fixed an issue where the firewall did not properly measure the
Panorama connection keepalive timer, which caused a Panorama HA
failover to take longer than expected.

PAN-196566 Fixed an issue where the useridd process restarted repeatedly, which
led to an OOM condition.

PAN-196559 Fixed an issue where LSVPN satellites continued to allow connections
even when the certificate was revoked, the serial number was
removed from the GlobalProtect portal, and the satellite was
disconnected from the gateway.

PAN-196474 Fixed an issue where, when a decryption profile was configured
with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked
with an incorrect ERR_TIME_OUT message instead of an
ERR_CONNECTION_RESET message.

PAN-196467 Fixed an issue where enabling strict IP address checks in a Zone
Protection profile caused GRE tunnel packets to be dropped.

PAN-196457 Fixed an issue where extraneous logs displayed in the Traffic log when
Security policy settings were changed.

PAN-196452 Fixed an issue where DNS queries failed from source port 4789 with a
NAT configuration.

PAN-196410 Fixed an issue where you were unable to customize the risk value in
Risk-of-app.

PAN-196404 Fixed an issue where the firewall did not forward IPSec decrypted
traffic to a third-party security chain device when the network packet
broker feature was enabled.

PAN-196398 (PA-7000 Series firewalls with Switch Management Cards (SMC-B)
only) Fixed an issue where the firewall did not capture data when the
active management interface was MGT-B.


PAN-196309 (PA-5450 firewalls only) Fixed an issue where a firewall configured
with a Policy-Based Forwarding policy flapped when a commit was
performed, even when the next hop was reachable.

PAN-196261 Fixed an issue where inter-lc disconnected messages were
logged once every minute.

PAN-196124 Fixed an issue where the log_index process ignored healthy logs and
caused system logs to go missing.

PAN-196105 Fixed an issue on the firewall where using special characters in a
password caused authentication to fail when connecting to the
GlobalProtect portal with GlobalProtect satellite configured.

PAN-196050 Fixed an issue on Panorama where logs did not populate when one log
collector in a log collector group was down.

PAN-196001 Fixed an issue where the devsrvr process stopped responding, which
caused FQDN objects to not resolve, and, as a result, caused traffic to
hit the incorrect Security policy rule.

PAN-195869 Fixed an issue where scheduled custom reports based on firewall data
did not display any information.

PAN-195828 Fixed an issue where SNMP reported the panVsysActiveTcpCps
and panVsysActiveUdpCps values to be 0.

PAN-195792 Fixed an issue where, when generating a stats dump file for a managed
device from Panorama (Panorama > Support > Stats Dump File), the
file did not display any data.

PAN-195790 Fixed an issue where syslog traffic was sent from the
management interface to the syslog server even when a destination IP
address service route was configured.

PAN-195689 Fixed an issue where WildFire submission logs did not load on the
firewall web interface.

PAN-195669 Fixed an issue with Panorama appliances in HA configurations where
a passive Panorama appliance generated CMS Redistribution
Client is connected to global collector messages.

PAN-195583 Fixed an issue where, after renaming an object, configuration pushes
from Panorama failed with the commit error object name is not an
allowed keyword.


PAN-195526 Fixed an issue where the firewall system log received a large amount
of error messages when attempting a connection between the firewall
and Panorama.

PAN-195374 (Firewalls in active/passive HA configurations only) Fixed an issue
where, when redistribution agent connections to the passive firewall
failed, excessive system alerts for the failed connection were
generated. With this fix, system alerts are logged every 5 hours instead
of 10 minutes.

PAN-195254 (PA-7000 Series firewalls only) Fixed an issue where log queries from
an M-Series Panorama appliance or Panorama virtual appliance in
Management Only mode to the firewall failed after updating the
firewall to a PAN-OS 10.1 release.

PAN-195201 Fixed an issue where high volume DNS Security traffic caused the
firewall to reboot.

PAN-195114 Fixed an issue where proxy ARP responded on the wrong interface
when the same subnet was in two virtual routers.

PAN-195064 Fixed an issue where the log collector did not forward correlation logs
to the syslog server.

PAN-194912 Fixed an issue where the CLI command show applications list
did not return any outputs.

PAN-194812 Fixed an issue where generating reports via XML API failed when the
serial number was set as target in the query.

PAN-194744 Fixed an issue with log corruption, which caused the log_index process
to continually restart.

PAN-194737 Fixed an issue where path monitor displayed as deleted when it was
disabled, which caused a preview change in the summary for static
routes.

PAN-194588 (PA-7000 Series firewalls with LFCs, PA-7050 firewalls with
SMC-Bs, and PA-7080 firewalls only) Fixed an issue where the
logrcvr_statistics output was not recorded in mp-monitor.log.

PAN-194456 Fixed an issue where the sysd process disconnected from the pan_dha
process after an HA failover or reboot.

PAN-194175 Fixed an issue on Panorama where a commit push to managed
firewalls failed when objects were added as source address exclusions
in a Security policy and Share Unused Address and Service Objects
with Devices was unchecked.

PAN-194093 Fixed an issue on the firewall where the dataplane unexpectedly
restarted due to an issue with the all_pktproc process.

PAN-194092 Added a debug command to address an issue where, when adding a new log
collector to an existing collector group, the ACL was updated for the
new log collector but not the existing ones.

PAN-194068 (PA-5200 Series firewalls only) Fixed an issue where the firewall
unexpectedly rebooted with the log message Heartbeat failed
previously.

PAN-194043 Fixed an issue where Managed Devices > Summary did not reflect
new tag values after an update.

PAN-194031 (PA-220 Firewalls only) Fixed an issue where system log configurations
did not work as expected due to insufficient process timeout after a
logrcvr process restart.

PAN-194025 Fixed an issue where the ikemgr process stopped responding due to a
timing issue, which caused VPN tunnels to go down.

PAN-193928 Fixed an intermittent issue where GlobalProtect logs were not visible
under device groups (Mobile_User_Device_Group).

PAN-193831 Fixed an issue where internal routes were added to the routing table
even after disabling dynamic routing protocols.

PAN-193818 Fixed an issue where the firewall device server failed to resolve URL
cloud FQDNs, which interrupted URL category lookup.

PAN-193808 Fixed a memory leak issue in the mgmtsrvr process that resulted in an
OOM condition.

PAN-193744 (PA-3200 Series firewalls only) Fixed an issue where, when the HA2
HSCI connection was down, the system log displayed Port HA1-b:
down instead of Port HSCI: Down.

PAN-193733 (Firewalls in multi-vsys environments only) Fixed an issue where IP tag
addresses were not synced to all virtual systems (vsys) when they were
pushed to the firewall from Panorama via XML API.

PAN-193619 Fixed an issue where air gapped firewalls and Panorama appliances
performed excessive validity checks to updates.paloaltonetworks.com,
which caused software installs to fail.


PAN-193558 Fixed an issue where log retention settings Multi Disk did not display
correct values on the firewall web interface when the settings were
configured using a Panorama template or template stack.

PAN-193452 (PA-220 firewalls only) Fixed an issue where the firewall reached the
maximum disk usage capacity repeatedly in one day.

PAN-193396 Fixed an issue where the source user name was displayed in traffic
logs even when Show User Names In Logs and Reports was disabled
for a custom admin role.

PAN-193323 Fixed an issue where root partition utilization reached 100% due to
mdb old logs not being purged as expected.

PAN-193281 Fixed an issue where the logrcvr process stopped responding after a
content update on the firewall.

PAN-193245 Fixed an issue where, when using syslog-ng forwarding via SSL,
with a Base Common Name (CN) and multiple Subject Alternative
Names (SANs) were listed in the certificate.

PAN-193235 Fixed an issue where duplicate log entries were displayed on
Panorama.

PAN-193043 Fixed an issue where firewalls in Google Cloud Platform
(GCP) inserted the hostname as PA-VM in the syslog header instead of
the DHCP assigned hostname when logs were being sent to the syslog
server.

PAN-192456 Fixed an issue where GlobalProtect SSL VPN processing during a high
traffic load caused the dataplane to stop responding.

PAN-192431 Fixed an issue where unmanaged tags were set to NULL, which caused
unmanaged devices to match the HIP rule for managed devices.
As a result, you were unable to distinguish between managed and
unmanaged devices.

PAN-192296 Fixed an issue where, when you saved a SaaS application report as
a PDF or sent it to print, the contents were shrunk and were
smaller than expected.

PAN-192244 Fixed an issue where scheduled log export jobs continued to run even
after being deleted.


PAN-192193 Fixed an issue where exporting a list of managed collectors via the
Panorama web interface failed with the following error message:
Export Error, Error while exporting

PAN-192188 (PA-5450 firewalls only) Fixed an issue where the show running
resource-monitor ingress-backlogs CLI command failed
with the following error message: Server error : Failed to
intepret the DP response.

PAN-192130 Fixed an issue where the GlobalProtect client remained in a connecting
state when GlobalProtect Client VPN and SAML authentication were
enabled.

PAN-192092 Fixed an issue with firewalls in active/passive configurations only
where the registered cookie from the satellite firewall to the passive
firewall did not sync, which caused authentication between the
satellite firewall and the GlobalProtect portal firewall to fail after a
failover event.

PAN-192076 Fixed an issue where OpenSSL memory initialization caused
unexpected failovers.

PAN-191997 Fixed an issue where log queries did not successfully filter the
unknown category.

PAN-191845 Fixed an issue where the firewall used a locally configured DNS server
instead of a DHCP provided one.

PAN-191652 Fixed an issue with Prisma Cloud where a commit push failed due to
the error Error: failed to handle TDB_UPDATE_BLOCK>.

PAN-191463 Fixed an issue where the firewall did not handle packets at Fastpath
when the interface pointer was null.

PAN-191390 (VM-Series firewalls only) Fixed an issue where the management
plane CPU was incorrectly calculated as high when logged in the
mp-monitor.log.

PAN-191235 Fixed an issue with firewalls in HA configurations where the passive
firewall attempted to connect to a hardware security module (HSM)
client when a service route was configured, which caused dynamic
updates and software updates to fail.

PAN-191048 Fixed an issue where Panorama did not push the password hash of the
local admin password to managed WildFire appliances.


PAN-191032 Fixed an issue on Panorama where Managed Devices displayed
Unknown.

PAN-190963 Fixed an issue on the firewall interface where Log Collector Status >
Device connectivity displayed as error.

PAN-190533 Fixed an issue where addresses and address groups were not displayed
for users in Security admin roles.

PAN-190502 Fixed an issue where the Policy filter and Policy optimizer filter were
required to have the exact same syntax, including nested conditions
with rules that contained more than one tag when filtering via the neq
operator.

PAN-190454 Fixed an issue where, while authenticating, the allow list check failed
for vsys users when a SAML authentication profile was configured
under shared location.

PAN-190286 Fixed an issue in the web interface where non-superusers with
administrator privileges were unable to see Log Processing Card (LPC)
information.

PAN-190266 Fixed an issue that caused the all_task process to stop responding at
the pan_sdwan_qualify_if_ini function.

PAN-190055 (VM-Series firewalls only) Fixed an issue where the firewall did not
follow the set Jumbo MTU value.

PAN-189960 Fixed an issue on Panorama where you were unable to view the last
address object moved to the shared template list.

PAN-189866 Fixed an issue with the web interface where group include lists used
server profiles instead of LDAP proxy.

PAN-189804 Fixed an issue where, when editing Panorama settings within a template
or template stack, an authentication was required, but adding an
authentication key displayed an error.

PAN-189783 Fixed an issue where container resource limits were not enforced for
all processes when running inside a container.

PAN-189755 Fixed an issue where the snmpd process stopped responding, which caused
SNMPv3 polling outages.

PAN-189723 Fixed an issue where you were unable to configure dynamic address
groups to use more than 64,000 IP addresses in a Security policy rule.


PAN-189719 Fixed an issue on Panorama where Test Server Connection failed in
an HTTP server profile with the following error message: failed
binding local connection end.

PAN-189718 Fixed an issue where the number of sessions did not reach the
expected maximum value with Security profiles.

PAN-189518 Fixed an issue where incoming DNS packets with looped compression
pointers caused the dnsproxyd process to stop responding.

PAN-189379 Fixed an issue where FQDN based Security policy rules did not match
correctly.

PAN-189335 Fixed an issue where the varrcvr process restarted repeatedly, which
caused the firewall to restart.

PAN-189300 Fixed an issue where Panorama appliances in active/passive HA
configurations reported the false positive system log Failed to
sync vm-auth-key when a VM authentication key was generated
on the active appliance.

PAN-189298 Fixed an issue where existing traffic sessions were not synced after
restarting the active dataplane when it became passive.

PAN-189200 Fixed an issue where sinkholes did not occur for AWS Gateway Load
Balancer dig queries.

PAN-189027 (VM-Series firewalls in Microsoft Azure environments only) Fixed an
issue where the dataplane CPU utilization provided from the web
interface or via SNMP was incorrect.

PAN-188933 Fixed an issue where the UDP checksum wasn't correctly calculated
for VXLAN traffic after applying NAT.

PAN-188912 Fixed an issue where authentication failed due to a process
responsible for handling authentication requests going into an
irrecoverable state.

PAN-188602 Fixed an issue where the all_task process stopped responding, which
caused IPSec tunnels to peers to go down.

PAN-188519 (VM-Series firewalls only) Fixed an issue where, when manually
deactivating the license, the admin user did not receive the option to
download the token file and upload it to the Customer Support Portal
(CSP) to deactivate the license.


PAN-188506 Fixed an issue where the ctd_dns_malicious_fwd counter
incorrectly increased incrementally.

PAN-188348 Fixed an issue where Encapsulating Security Payload packets
originating from the firewall were dropped when strict IP address
check was enabled in a zone protection profile.

PAN-188291 Fixed an issue where, when using Global Find on the web interface
to search for a given Hostname Configuration (Device > Setup
> Management), clicking the search result directed you to the
appropriate Hostname configuration, but did not change the
respective Template field automatically.

PAN-188036 Fixed an issue where SIP TCP sequence numbers were calculated
incorrectly when SIP cleartext proxy was disabled.

PAN-188035 (Firewalls and Panorama appliances in FIPS mode only) Fixed an issue
where, even when region lists were disabled, the following error
message was displayed: Unable to retrieve region list
either region list has not been set or data format
is wrong.

PAN-187985 Fixed an issue where you were unable to configure a QoS Profile as
percentage for Clear Text Traffic.

PAN-187761 Fixed an issue where, during HA failover, the now passive firewall
continued to pass traffic after the active firewall had already taken
over.

PAN-187720 Fixed an issue where the firewall did not show master key validity
information after the master key was updated and the firewall was
restarted.

PAN-187476 Fixed an issue where, when HIP redistribution was enabled, Panorama
did not display part of the HIP information.

PAN-187342 Fixed an issue where the Schedules button (Device Deployment >
Dynamic updates) was grayed out for custom role-based admins.

PAN-187279 Fixed an issue where not all quarantined devices were displayed as
expected.

PAN-187096 Fixed an issue where you were unable to sort through Addresses
(Device Group > Objects).


PAN-186471 Fixed an issue where, when exporting to CSV in Global Find, the
firewall truncated names of rules that contained over 40 characters.

PAN-186447 Fixed an issue where Health (Panorama > Managed Devices) did not
display environmental tabs and fan and power supply status was not
visible.

PAN-186433 Fixed an intermittent issue where decryption failed for clients sending
TLSv1.3 Client Hello and CCS in two separate packets instead of one.

PAN-186270 Fixed an issue where, when HA was enabled and a dynamic update
schedule was configured, the configd process unexpectedly stopped
responding during configuration commits.

PAN-185928 Fixed an issue where external dynamic list auto refresh did not work
when destination service route was enabled.

PAN-185844 Fixed an issue where Decryption Log entries were associated with the
wrong Security policy rule.

PAN-185611 (PA-850 firewalls only) Fixed an issue where the maximum number of
aggregate interfaces was incorrectly set as 8 instead of 6.

PAN-185591 Fixed an issue where, in multi-vsys systems, some policy rules were
unable to be edited due to the Target field being unclickable.

PAN-185466 Fixed an issue where WildFire submission did not work as expected.

PAN-185394 (PA-7000 Series firewalls only) Fixed an issue where not all changes to
the template were reflected on the firewall.

PAN-185390 Fixed an issue where the Block IP list option was incorrectly displayed
on firewalls where it was not applicable.

PAN-185283 Fixed an issue on Panorama where using the name-of-threatid
contains log4j filter didn't produce expected results.

PAN-185276 Fixed an issue where a debug command displayed different idmgr
digest results.

PAN-185249 Fixed an issue where Template Stack overrides (Dynamic Updates >
Apps & Threats > Schedule) were not able to be reverted via the web
interface.

PAN-185234 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where, when accelerated networking was enabled, the packet
buffer utilization was displayed as high even when no traffic was
traversing the firewall.

PAN-185200 Fixed an issue where the User-ID manager assigned an ID to an object
with a DELETE command.

PAN-185135 (VM-Series firewalls on Kernel-based Virtual Machine (KVM) only)
Fixed an issue where the physical port counters (including SNMP) on
the dataplane interfaces increased when DPDK was enabled.

PAN-184766 (PA-5450 firewalls only) Fixed an issue where the control packets for
BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not
assigned a QoS value of 5.

PAN-184744 Fixed an issue where the firewall did not decrypt SSL traffic due to a
lack of internal resources allocated for decryption.

PAN-184537 Fixed an issue where GlobalProtect requested that passwords that
contained non-ASCII characters (ö) be reentered when refreshing
the connection.

PAN-184408 Fixed an issue where commits pushed from Panorama to the firewall
failed due to the application status for an application being incorrectly
considered an invalid reference.

PAN-184181 Fixed an ESP encapsulation issue where, when IPv6 address proxy
IDs were configured, encapsulation was handled incorrectly with a
different proxy ID SPI in the same tunnel when the source IP address
of the proxy was overlapped by the destination IP address.

PAN-183981 Fixed an issue on the firewall where, when the GlobalProtect portal
was not configured, the GlobalProtect landing page was still loaded
with the message GlobalProtect portal does not exist.
This issue occurred when using the exact GlobalProtect portal link:
https://x.x.x.x/global-protect/login.esp

PAN-183632 Fixed an issue where the firewall was unable to match HIP objects
with code versions over 4 digits long.

PAN-183629 Fixed an issue where Clientless-vpn max-users displayed the
limit as 20 instead of 200.

PAN-183524 Fixed an issue where GPRS tunneling protocol (GTPv2-c and GTP-U)
traffic was identified with insufficient-data in the traffic logs.

PAN-183375 Fixed an issue where traffic arriving on a tunnel with a bad IP header
checksum was not dropped.


PAN-183319 Fixed an issue on Panorama where commits remained at 99% due to
multiple firewalls sending out CSR signing requests every 10 minutes.

PAN-183287 Fixed an issue where firewall commits failed due to the commit-
recovery connection check ending prematurely.

PAN-183154 Fixed an issue where DNS exception failed when DNS queries
contained a capital letter.

PAN-183126 Fixed an issue on Panorama where you were able to attempt to push
a number of active schedules to the firewall that was greater than the
firewall's maximum capacity.

PAN-182876 Fixed an issue where GlobalProtect connections failed via XML when
special characters (<), (&), and (>) were present in the GlobalProtect
portal configuration passcode.

PAN-182845 Fixed an issue that caused devices to be removed from Panorama
when one device was added by one user, but a Commit and Push
operation was completed by a second user before the first user
completed a Commit of the added device change.

PAN-182486 Fixed an issue on the web interface where the same IP address was
displayed for sub interfaces in a multi-vsys firewall.

PAN-182449 Fixed an issue where Apple iPad users were unable to authenticate
to the GlobalProtect portal using any browser, which resulted in
Clientless VPN access issues.

PAN-182244 Fixed an issue where Session Initiation Protocol (SIP) REGISTER
packets did not get transmitted when application-level gateway (ALG)
and SIP Proxy were enabled, which caused a SIP-registration issue in
environments where TCP retransmission occurred.

PAN-182167 Removed a duplicate save filter Icon in the Audit Comment Archive for
Security Rule Audit Comments tab.

PAN-181968 (PA-400 Series firewalls in active/passive HA configurations only)
Fixed an issue where, when HA failover occurred, link up on all ports
took longer than expected, which caused traffic outages.

PAN-181684 Fixed an issue where cluster definition for OpenShift was not able to
be added if a custom certificate was used for an API endpoint.

PAN-181376 Fixed an issue where the show session id CLI command displayed
a negative packet count.


PAN-181366 Fixed an issue where the firewall sent an incorrect IP address on ICMP
sessions in NetFlow packets when NAT was applied to the target
traffic.

PAN-181334 Fixed an issue where users with custom admin roles and access
domains were unable to view address objects or edit Security rules.

PAN-181324 Fixed a memory issue related to the lpmgrd process that caused the
firewall to enter a non-functional state.

PAN-181129 Improved protection against unexpected packets and error handling
for traffic identified as SIP.

PAN-181034 Fixed an issue where, after changing the Decryption mirroring setting
to Forwarded only in the decryption profile, Panorama did not save
the setting.

PAN-180948 Fixed an issue where an external dynamic list fetch failed with the
error message Unable to fetch external dynamic list.
Couldn't resolve host name. Using old copy for
refresh.

PAN-180690 Fixed an issue where the firewall dropped IPv6 Bi-Directional
Forwarding (BFD) packets when IP Spoofing was enabled in a Zone
Protection Profile.

PAN-180147 Fixed an issue where the bcm.log and
brdagent_stdout.log-<datestamp> files filled up the root disk space.

PAN-180030 Fixed an issue where hyperlinks to threatvault for threat logs with
DNS Security categories resulted in the following error message: No
data is found based on your search, please search
for something else.

PAN-179952 Fixed an issue on Panorama where not all categories were displayed
under Log settings.

PAN-179826 Fixed an issue where the firewall incorrectly displayed the license
error IoT Security license is required for feature to
function even when the IoT Security, Does not Require
Data Lake license was installed.

PAN-179636 Fixed an issue where Authentication Server logs for various
connections (including LDAP and Radius Server) were not displayed in
the syslog when connections were up.


PAN-179624 Fixed an issue where setting the password complexity to Require
Password Change on First Login caused the user to be prompted with
certificate authentication.

PAN-179506 (VM-Series firewalls on Microsoft Azure environments only) Fixed an
issue where Panorama was unable to push software updates to the
firewall.

PAN-179467 Fixed an issue where Selective Audit (Device > Log settings) options
were visible to a group of admin users if the firewall was not in FIPS-
CC mode.

PAN-179395 Fixed an issue where the firewall still populated the domain map even
after clearing the domain map via the CLI after removing the group-
mapping setting configuration.

PAN-179258 Fixed an issue where system disk migration failed.

PAN-179212 Fixed an issue where extraneous characters displayed at the end of a
CSV report.

PAN-179152 Fixed an issue where partial commit failures did not display an error
message.

PAN-178961 Fixed an issue where a process (authd) stopped responding due to
incorrect context handling.

PAN-178959 Fixed an issue where configuring BGP to Aggregate with Suppress
Filters using From Peers did not work as expected.

PAN-178951 Fixed an issue on the firewall where Agentless User-ID lost parent
Security group information after the Security group name of the
nested groups on Active Directory was changed.

PAN-178802 Increased the default virtual memory limit for the mgmtsrvr process
from 3.2GB to 16GB.

PAN-178800 Fixed an issue where the reportd process stopped responding when
URL Filtering Inline ML phishing logs were queried.

PAN-178728 Fixed an issue where the dcsd process stopped responding when
attempting to read the config to update its redis database.

PAN-178594 Fixed an issue where the descriptions of options under the set
syslogng ssl-conn-validation CLI command were not
accurate.


PAN-178407 Fixed a permissions issue where, when attempting to troubleshoot
the syslog over TCP via the CLI, the following error message
was displayed: Error: "/var/log/pan/syslog-ng.log:
Permission denied.

PAN-178363 Fixed an issue where a process (mgmtsrvr) wasn't restarted after the
virtual memory limit was exceeded.

PAN-178354 Fixed an issue where the error message You do not have
permission to reboot device was incorrectly displayed to a
TACAC user when attempting to install PAN-OS.

PAN-178349 Fixed an issue where log forwarding did not work when the filter size
was more than 1,024 characters in the log forwarding profile.

PAN-178248 Fixed an issue where, when exporting the Applications list on PDF or
CSV profile formats, the report displayed all tag values as undefined.

PAN-178186 Fixed a commit issue where, when replacing an old firewall with a new
firewall using the serial number, the change to the serial number was
not reflected in the Security policy rule.

PAN-177942 Fixed an issue where, when grouping HA peers, access domains that
were configured using multi-vsys firewalls deselected devices or
virtual systems that were in other configured access domains.

PAN-177939 Fixed an issue where a certificate without a private key was able to be
added to an SSL/TLS Service Profile, which caused the l3svc process to
stop responding.

PAN-177908 Fixed an issue where you were unable to configure region for source
or destination IP addresses in a Security policy rule.

PAN-177891 Fixed an issue where group-mapping information was not
automatically refreshed at the refresh interval when LDAP proxy was
configured.

PAN-177853 Fixed an issue where the logd process on Panorama and the logrcvr
process on the firewall stopped responding when a log forwarding
profile had a filter that included the field sender and subject.

PAN-177562 Fixed an issue where PDF reports were not translated to the
configured local language.

PAN-177201 Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0
or later release pushed built-in external dynamic lists to a firewall on
a PAN-OS 8.1 release, the external dynamic list was removed, but the
rule was still pushed to the firewall. With this fix, Panorama will show
a validation error when attempting to push a pre-defined external
dynamic list to a firewall on a PAN-OS 8.1 release.

PAN-177133 (Firewalls in HA configurations only) Fixed an issue where the HA1
heartbeat backup flapped with the following error message: Unable
to send icmp packet:(errno: 105) No buffer space
available.

PAN-176989 Fixed an issue where the CLI command to show SD-WAN tunnel
members caused the firewall to stop responding.

PAN-176471 Fixed an issue where adding applications without a description using
XML API deleted the whole Panorama application list.

PAN-176461 Fixed an issue where a process (mdb) stopped responding after
downgrading from a PAN-OS 9.1 release to an earlier release due to
discrepancies in the mongodb process version.
Note: To utilize this fix, first install a PAN-OS 9.0 release on the web
interface, and then, prior to reboot, run the following CLI command:
debug mongo clear instance mdb.

PAN-176379 Fixed an issue where, when multiple routers were configured under a
Panorama template, you were only able to select its own virtual router
for next hop.

PAN-175709 Fixed an issue where the dnsproxy process stopped responding when
a DNS signature lookup request was received before the process was
fully initialized.

PAN-175142 Fixed an issue on Panorama where executing a debug command
caused the logrcvr process to stop responding.

PAN-175121 Fixed a rare issue where two nodes started IKE_SA negotiations
at the same time, which resulted in duplicate IKE SAs.

PAN-175069 Fixed an issue where commits failed when the IPv6 link-local address
was configured for BGP peering as local and peer address.

PAN-175061 Fixed an issue where filtering threat logs using any value under
THREAT ID/NAME displayed the error Invalid term.

PAN-174988 (PA-220 Series firewalls only) Fixed an issue where the runtime-
state parameter was missing in the CLI command request high-
availability sync-to-remote.

PAN-174953 Fixed an issue where the firewall didn't update URL categories from
the management plane to the dataplane cache.

PAN-174821 (PA-3220 firewalls only) Fixed an issue where auto-negotiation was
not disabled with force mode set to ON in the interface settings.

PAN-174781 Fixed an issue where the firewall did not send an SMTP 541 error
message to the email client after detecting a malicious file attachment.

PAN-174702 Fixed an issue where Panorama pushed share-unused tagged
objects to the firewall, which caused the device address object limit to
be exceeded.

PAN-174680 Fixed an issue where, when adding new configurations, Panorama
didn't display a list of suggested template variables when typing in a
relevant field.

PAN-174592 Fixed an issue where the firewall did not check reserved fields
in GTPv1 and GTPv2 headers as expected from the latest 3GPP
Specifications.

PAN-174525 Fixed an issue where the sslvpn process restarted repeatedly.

PAN-174480 Fixed an issue where scheduled email reports were blocked by open-
source content filters due to a violation of RFC 2046.

PAN-174462 Fixed an issue where the configd process stopped responding when
creating Application filters with tags and adding the filter to a Security
policy rule.

PAN-174102 Fixed an issue where, when the MLAV feature found malicious content,
no action was applied even though it had increased the execution
counters, displayed the score and verdict in the log, and showed no
allow list hits.

PAN-174064 Fixed an issue where downloading a GlobalProtect data file did not
work and displayed a no global protect license error even
when a valid license was present.

PAN-174027 Fixed an issue on Panorama where attempting to rename mapping for
address options caused a push to fail with the following error message:
Error: Duplicate address name..

PAN-173813 A debug command was added to disable automatic implicit tail
matching, which was the default.

PAN-173810 Fixed an issue where the debug user-id dump ts-agent user-
ids CLI command caused the useridd process to stop responding.

PAN-173437 Fixed an issue where the firewall did not detect that the management
port was down the first time after booting up the system.

PAN-173207 Fixed an issue where RADIUS authentication timed out when logging in
due to the firewall sending authentication requests using a static IP
address instead of a DHCP-assigned IP address.

PAN-173080 Fixed an issue where the User-ID connection limit was reached even
when only a few User-ID agents were connected to the service.

PAN-173031 Fixed an issue where users were prompted twice for DUO SAML
Authentication when authentication override cookies were enabled.

PAN-172823 Fixed an issue where MD5 checksums were updated before the new
customer EDLs were pushed to the dataplane.

PAN-172780 Fixed an issue where user domain override was not reset when
deleted from group mapping.

PAN-172753 (PA-7000 Series firewalls only) Fixed an issue where link-local internal
packet handling between the management plane and the dataplane
caused a Network Processing Card (NPC) slot to go down.

PAN-172452 Fixed an issue where the log file did not include all logs.

PAN-172357 (VM-Series firewalls in Oracle Cloud Infrastructure Government Cloud
only) Fixed an issue with firewalls in HA configurations where HA
failover did not occur when firewalls were in FIPS mode.

PAN-172324 Fixed an issue on the Panorama web interface where custom
vulnerability signature IDs weren't populated in the drop-down when
creating a custom combination signature.

PAN-172308 Fixed an issue where generating packet captures did not work when
the data filtering profile was configured to block HTML files via a
POST request.

PAN-172100 Fixed an issue with URL filtering where, after upgrading to a PAN-OS
9.1 release, the Continue button on a URL did not work and caused
the website to be inaccessible, even though the predefined category
of URL was configured to continue traffic. This occurred when URL
traffic hit a rule where the custom category was set to None.

PAN-171927 Fixed an issue where incorrect results were displayed when filtering
logs in the Monitor tab.

PAN-171569 Fixed an issue where HIP matches were not recognized in an SSL
decryption policy rule.

PAN-171337 Fixed an issue where connection per second (CPS) rates collected via
SNMP were not correct.

PAN-171300 Fixed an issue on Panorama where a password change in a template
did not reset an expired password flag on the firewall, which caused
the user to change their password when logging in to a firewall.

PAN-171066 Fixed an issue with GlobalProtect where cookie based authentication
for Internal Gateway failed with the following error messages:
Invalid authentication cookie and Invalid User Name.

PAN-170989 Fixed an issue with memory usage consumption related to the useridd
process.

PAN-170936 Fixed an issue where the firewall egressed offloaded frames out of
order after an explicit commit (Commit on the firewall or Commit All
Changes on Panorama) or an implicit commit such as an Antivirus
update, Dynamic Update, or WildFire update.
Note: This issue persists for a network-related configuration and
commit.

PAN-170798 Fixed an issue where OSPF flaps occurred when a Layer 3 interface
IPv4 was changed from DHCP Client to Static.

PAN-170531 Fixed an issue where the web interface icons for service objects and
service group objects were identical when used in a NAT policy rule.

PAN-169899 Fixed an issue on firewalls with offload processors where the ECMP
forced symmetric return feature didn't work for CRE traffic after the
session was offloaded.

PAN-169674 (Firewalls with Cavium Octeon processors only) Fixed an issue where
the all_pktproc process stopped responding when reassembling TCP
packets.

PAN-169521 Fixed an issue where QoS tagging unexpectedly behaved differently at
different stages of packet processing.

PAN-169456 Fixed an issue where, after renaming an authentication profile, system
logs still showed the old profile name.

PAN-169308 Fixed a commit issue when comparing numbers of rules where the
bucket size of the application dependency hash table was too small.

PAN-169122 Fixed an issue where medium priority correlation events were not
generated when the irc-base repeat count value was greater than
10.

PAN-168514 Fixed an issue where authentication failed when the destination
service route was used to reach the authentication server.

PAN-168480 Fixed an issue where the firewall did not switch to STP for multicast
groups when IGMP receivers were stopped and restarted for the same
set of groups within a short time period.

PAN-167918 Fixed an issue where the GlobalProtect pre-log on VPN failed to
establish or match pre-log on policies due to the domain name being
prepended to pre-log on user.

PAN-167850 Fixed an issue with firewalls in active/active HA configurations where
IPSec packets were not forwarded to the HA peer owner of the tunnel,
which caused packets to be dropped.

PAN-167805 Fixed an intermittent issue where traffic ingressing through a VPN
tunnel failed to match predict session, which resulted in child sessions
failing.

PAN-167087 Fixed an issue where the focus was not set on the free text field when
requesting a token code on the Authentication Portal.

PAN-166686 Fixed an issue where EDNS responses dropped when the original
request was DNS.

PAN-165951 (PA-3020 firewalls only) Fixed an issue on the firewall where disk
space was not cleared when multiple image files were present.

PAN-163713 Fixed an issue where the alternate name was not getting copied to
user-Fixed an issue where user-attributes for users in custom
groups were incorrect, which caused username formats to not match
the user.

PAN-163043 Fixed an issue where, when exporting logs via the CLI, only 65,535
rows were exported even when 1,000,000 rows were configured.

PAN-162088 (Panorama appliances in HA configurations only) Fixed an issue
where content updates (Panorama > Dynamic Updates) manually
uploaded to the active HA peer were not synchronized to the passive
HA peer when you installed a content update and enabled Sync to
HA peer.

PAN-160419 Fixed an issue where the following error message displayed in
the system log after restarting the firewall: dns-signature
initialization from file storage failed, start with
empty cache.

PAN-157710 Fixed an issue where admin users with custom roles were unable to
create VLANs.

PAN-157199 (PA-220 firewalls only) Fixed an issue where the GlobalProtect portal
was not reachable with IPv6 addresses.

PAN-156700 Fixed an issue where DNS Security logs did not display threat names
or IDs when the domain name contained an uppercase letter.

PAN-155902 Fixed an issue where the auto MTU value was incorrect, which caused
unexpected latency issues for GlobalProtect users.

PAN-155467 (VM-Series firewalls only) Fixed an issue where IPSec decap dropped
packets when NAT was configured locally on the firewall.

PAN-154892 Fixed an issue on the firewall where Real Time Streaming Protocol
(RTSP) flows that were subjected to Dynamic IP and Port (DIPP) NAT
were not supported by the Application Layer Gateway (ALG).

PAN-153308 Fixed an issue which caused the mouse cursor to remove focus from
the search bar when hovering over a hyperlink inside of a cell menu
(e.g., source zone, source address, destination zone, destination
address, etc.).

PAN-151273 Fixed an issue where the commit event was not recorded in the config
logs during a Commit and Push on the Panorama management server.

PAN-123446 Fixed an issue where an administrator with a Superuser role could not
reset administrator credentials.

PAN-78762 Fixed an issue where you were unable to reset a VPN tunnel via the
firewall web interface (Network > IPSec Tunnels > Tunnel Info >
Restart).

PAN-OS 10.1.8 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.8.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.8 Known Issues
> PAN-OS 10.1.8-h2 Addressed Issues
> PAN-OS 10.1.8 Addressed Issues

PAN-OS 10.1.8 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.8. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-202339 The VM-Series firewall on AWS might display reduced
throughput of SSL traffic.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-198174 When viewing traffic or threat logs from the firewall ACC
or Monitor, performing a reverse DNS lookup, for example,
when resolving IP addresses to domain names using the
Resolve Hostname feature, can cause the appliance to crash
and restart if DNS server settings have not been configured.

PAN-OS Release Notes 10.1.9-h1 103 ©2023 Palo Alto Networks, Inc.
PAN-OS 10.1.8 Known and Addressed Issues

Issue ID Description
Workaround: Provide a DNS server setting for the firewall
(Device > DNS Setup > Services). If you cannot reference a
valid DNS server, you can add a dummy address.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2
while having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and Log
Collector are configured on the same subnetwork, the firewall
conducts log forwarding using the management interface
instead of the logging interface.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to php.debug.log file taking
up too much space.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser you are logged into the Panorama
web interface, enter the following URL.
https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
availability (HA) peer if Panorama is in a HA configuration.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-179888 On the Panorama management server, the number of
managed firewall (Panorama > Managed Devices > Health)
Power Supplies displays an incorrect count of power
supplies.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses App-
ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-
map command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results (opof stats -c), the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays VM-
FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM, a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name   1 2 3 4 5 6 Total
---------------------------------------------
ready_dvf      2 0 0 0 0 0 2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the VM-
Series firewall. When the firewall is back up, verify that multi-
channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name   1 2 3 4 5 6 Total
---------------------------------------------
ready_dvf      1 1 0 0 0 0 2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.

Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-
WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display as out of
sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.

Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-
vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an SD-
WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.

Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-
name> command on a managed firewall only returns address
and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:

admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.

Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off-load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error: the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.

Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.8-h2 Addressed Issues


Issue ID Description

PAN-208724 Fixed an issue where port pause frame settings did not work as
expected and incorrect pause frames occurred.

PAN-208718 Additional debug information was added to capture internal details
during traffic congestion.

PAN-206658 Fixed a timeout issue in the Intel ixgbe driver that resulted in internal
path monitoring failure.

PAN-206251 (PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only)
Fixed an issue where the logrcvr process did not send the system-
start SNMP trap during startup.

PAN-205735 Fixed an issue where the mgmtsrvr process stopped responding, which
caused the Panorama web interface to become inaccessible and return
a 504 Gateway Not Reachable page.

PAN-205030 Fixed an issue where, when a session hit policy based forwarding with
symmetric return enabled was not offloaded, the firewall received
excessive return-mac update messages, which resulted in resource
contention and traffic disruption.

PAN-204335 Fixed an issue where Panorama became unresponsive, and when
refreshed, the error 504 Gateway not Reachable was displayed.

PAN-203851 Fixed an issue with firewalls in high availability (HA) configurations
where host information profile (HIP) sync did not work between the
active primary firewall and the active secondary firewall.

PAN-203653 Fixed an issue where dynamic updates were completed even when
configuration commits failed, which caused the all_task process to stop
responding.

PAN-203453 Fixed an issue on Panorama where the log query failed due to a high
number of User-ID redistribution messages.

PAN-203402 Fixed an intermittent issue where forward session installs were
delayed, which resulted in latencies.

PAN-203244 Fixed a path monitoring issue that caused traffic degradation.

PAN-202783 (PA-7000 Series firewalls with 100G NPC (Network Processing Cards)
only) Fixed an issue where sudden, large bursts of traffic destined for
an interface that was down caused packet buffers to fill, which stalled
path monitor heartbeat packets.

PAN-202544 An enhancement was made to collect CPLD register data after a path
monitor failure.

PAN-202543 An enhancement was made to improve path monitor data collection by
verifying the status of the control network.

PAN-202535 Fixed an issue where the Device Telemetry configuration for a region
was unable to be set or edited via the web interface.

PAN-202361 Fixed an issue where packets queued to the pan_task process were still
transmitted when the process was not responding.

PAN-202101 Fixed an issue where firewalls stopped responding after an upgrade
due to configuration corruption.

PAN-202012 A debug command was introduced to control Gzip encoding for the
GlobalProtect Clientless VPN application.

PAN-201900 Fixed an internal path monitoring failure issue that caused the
dataplane to go down.

PAN-201858 Fixed an issue where the SD-WAN interface Maximum Transmission
Unit (MTU) led to incorrect fragmentation of IPSec traffic.

PAN-201627 Fixed an issue in next-generation firewall deployments where, when
SD-WAN was configured, the dataplane restarted if all SD-WAN
member links were down due to an out-of-memory (OOM) condition
or during a reboot when all SD-WAN tunnels were down.

PAN-198718 (PA-5280 firewalls only) Fixed an issue where memory allocation
failures caused increased decryption failures.

PAN-197582 Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall
reset SSL connections that used policy-based forwarding.

PAN-196261 Fixed an issue where inter-lc disconnected once every minute in the
system logs.

PAN-194704 Fixed an issue with SIP ALG where improper NAT was applied when
Destination NAT ran out of IP addresses.

PAN-194068 (PA-5200 Series firewalls only) Fixed an issue where the firewall
unexpectedly rebooted with the log message Heartbeat failed
previously.


PAN-193928 Fixed an intermittent issue where GlobalProtect logs were not visible
under device groups (Mobile_User_Device_Group).

PAN-192456 Fixed an issue where GlobalProtect SSL VPN processing during a high
traffic load caused the dataplane to stop responding.

PAN-191408 Fixed an issue where the firewall did not correctly receive dynamic
address group information from Panorama after a reboot or initial
connection.

PAN-184766 (PA-5450 firewalls only) Fixed an issue where the control packets for
BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not
assigned a QoS value of 5.

PAN-183757 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where uneven distribution of sessions caused packet latency.

PAN-172452 Fixed an issue where the log file did not include all logs.

PAN-171143 Fixed an issue where tech support files did not collect DP3 logs.

PAN-167288 Fixed an issue with the pan_task process that caused the queue to
build up.


PAN-OS 10.1.8 Addressed Issues


Issue ID Description

PAN-204830 Fixed an issue where logging in via the web interface or CLI did not
work until an auto-commit was complete.

PAN-203598 Fixed an issue where, when tunnel content inspection was enabled for
VXLAN, ARP over VXLAN packets were dropped.

PAN-201872 Fixed an issue where SMB performance caused overall network
latency after an upgrade.

PAN-201818 Fixed an issue where INIT SCTP packets were dropped after being
processed by the CTD, and silent drops occurred even with SCTP no-
drop function enabled.

PAN-201627 Fixed an issue in next-generation firewall deployments where, when
SD-WAN was configured, the dataplane restarted if all SD-WAN
member links were down due to an out-of-memory (OOM) condition
or during a reboot when all SD-WAN tunnels were down.

PAN-201357 The CLI command debug dataplane set pow no-desched yes
was added to address an issue where the all_pktproc process stopped
responding and caused traffic issues.

PAN-199726 Fixed an issue with firewalls in HA configurations where both firewalls
responded with gARP messages after a switchover.

PAN-199570 Fixed an issue where uploading certificates using a custom admin role
did not work as expected after a context switch.

PAN-199099 Fixed an issue where, when decryption was enabled, Safari and Google
Chrome browsers on Apple Mac computers rejected the server
certificate created by the firewall because the Authority Key Identifier
was copied from the original server certificate and did not match the
Subject Key Identifier on the forward trust certificate.

PAN-198733 (PA-5450 firewalls only) Fixed an issue where tcpdump was
hardcoded to eth0 instead of bond0.

PAN-198266 Fixed an issue where, when predicts for UDP packets were created,
a configuration change occurred that triggered a new policy lookup,
which caused the dataplane to stop responding when converting the
predict. This resulted in a dataplane restart.


PAN-198078 Fixed an issue where VXLAN keepalive packets were dropped
randomly.

PAN-197576 Fixed an issue where commits pushed from Panorama caused a
memory leak related to the mgmtsrvr process.

PAN-197386 Fixed an issue where traffic that was subject to network packet broker
inspection entered a looping state due to incorrect session offload.

PAN-196704 Fixed an issue where Preview Changes on Panorama Push to Devices
incorrectly displayed changes to encrypted entries.

PAN-196583 Fixed an issue where the Cisco TrustSec plugin triggered a flood of
redundant register/unregister messages due to a failed IP address tag
database search.

PAN-196558 Fixed an issue where IP address tag policy updates were delayed.

PAN-196131 Fixed an issue where the comm process stopped responding when a
show command was executed in two sessions.

PAN-195107 (PA-7000 Series firewalls with LFCs only) Fixed an issue where the IP
address of the LFC displayed as unknown.

PAN-194795 Fixed an issue where a dataplane 1 VCCIO voltage fluctuation
triggered the chassis master alarm.

PAN-194615 Fixed an issue where the packet broker session timeout value did not
match the master session timeout value after the firewall received a
TCP FIN or RST packet. The fix ensures that the broker session times out
within 1 second after the master session times out.

PAN-194441 Fixed an issue where the dataplane CPU usage was higher than
expected due to packet looping in the broker session when the
network packet broker was enabled.

PAN-189720 Fixed an issue where commits failed when downgrading a Panorama
appliance running a PAN-OS 10.1 release to a PAN-OS 10.0 release.

PAN-189429 Fixed a memory leak that occurred when enabling XFF (x-forwarded-
for) logging in a Security policy.

PAN-189270 Fixed an issue that caused a memory leak on the reportd process.

PAN-188118 Fixed an issue with firewalls in FIPS mode that prevented device
telemetry from connecting.


PAN-181759 (Firewalls in active/active HA configurations only) Fixed an issue
where firewall configuration files were not synced.

PAN-180039 Fixed an issue in 10.0.9, where executing the CLI command show
transceiver-detail all resulted in the following error message:
An error occurred. See dagger.log for information..

PAN-178613 (PA-400 Series firewalls only) Fixed an issue where multiple restarts
related to the all_task process occurred.

PAN-OS 10.1.7 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.7.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.7 Known Issues


> PAN-OS 10.1.7 Addressed Issues


PAN-OS 10.1.7 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.7. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.


APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-201627 For next-generation firewall deployments where SD-WAN
is configured, the dataplane could restart if all SD-WAN
member links are down due to an out-of-memory condition.
This could also happen during a device reboot when all SD-WAN
tunnels are down.
Workaround: Downgrade to PAN-OS 10.1.6-h3 or earlier, or
upgrade to the latest PAN-OS 10.2 release.
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.

PAN-199099 When decryption is enabled, Safari and Google Chrome
browsers on Mac computers running macOS Monterey or
later reject the server certificates firewalls present. The
browsers cannot validate the chain of trust for the certificates
because the Authority Key Identifier (AKID) of the server
certificates and the Subject Key Identifier (SKID) of the
forward trust certificate do not match.
Workaround: Use a forward trust certificate that does not
contain AKID or SKID extensions.
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.

PAN-198174 When viewing traffic or threat logs from the firewall ACC
or Monitor, performing a reverse DNS lookup, for example,
when resolving IP addresses to domain names using the
Resolve Hostname feature, can cause the appliance to crash
and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall
(Device > DNS Setup > Services). If you cannot reference a
valid DNS server, you can add a dummy address.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.


PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2
while having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to the php.debug.log file taking
up too much space.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser you are logged into the Panorama
web interface, enter the following URL.
https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
availability (HA) peer if Panorama is in a HA configuration.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).


PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses App-ID
Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays VM-
FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.


PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.
PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

    Per pan-task Netx statistics
    Counter Name   1   2   3   4   5   6   Total
    ---------------------------------------------
    ready_dvf      2   0   0   0   0   0   2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the VM-
Series firewall. When the firewall is back up, verify that multi-
channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

    Per pan-task Netx statistics
    Counter Name   1   2   3   4   5   6   Total
    ---------------------------------------------
    ready_dvf      1   1   0   0   0   0   2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to PAN-OS
9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-WAN >
Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display as
out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server, resulting in a delay in log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
  firewall.
  1. On the web interface, delete the PAN-DB Server IP
     address (Device > Setup > Content ID > URL Filtering
     settings).
  2. Commit your changes.
  3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
  4. Commit your changes.
• Restart the firewall (devsrvr) process.
  1. Log in to the firewall CLI.
  2. Restart the devsrvr process:
     debug software restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address
and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory-intensive tasks, such as installing dynamic updates,
committing changes, or generating reports, at the same time
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off-load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error; the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exists:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.7 Addressed Issues


Issue ID Description

PAN-200771 Fixed an issue where syslog-ng was unable to start due to a design
change in the syslog configuration file.

PAN-199654 Fixed an issue where ACC reports did not work for custom RBAC
users when more than 12 access domains were associated with the
username.

PAN-199311 Fixed an issue where the Log Forwarding Card (LFC) failed to forward
logs to the syslog server.

PAN-198509 Fixed an issue where commits failed due to insufficient CFG memory.

PAN-198332 (PA-5400 Series only) Fixed an issue where swapping Network
Processing Cards (NPCs) caused high root partition use.

PAN-198244 Fixed an issue where using the load config partial CLI
command to x-paths removed address object entries from address
groups.

PAN-197484 (PA-5400 Series firewalls) Fixed an issue where the firewall forwarded
packets to the incorrect aggregate ethernet interface when Policy
Based Forwarding (PBF) was used.

PAN-197244 Fixed an issue on firewalls with Forward Proxy enabled where the
all_pktproc process stopped responding due to missed heartbeats.

PAN-196993 Fixed an issue where an incorrect regex key was generated to
invalidate the completions cache, which caused the configd process to
stop responding.

PAN-196953 (PA-5450 firewalls only) Fixed an issue where jumbo frames were
dropped.

PAN-196445 Fixed an issue where restarting the NPC or the Data Processing Card
(DPC) did not bring up all the network interfaces.

PAN-196227 Fixed an issue where the logd process stopped responding, which
caused Panorama to reboot into maintenance mode.

PAN-196005 (PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only)
Fixed an issue where GlobalProtect IPSec tunnels disconnected at half
the inactivity logout timer value.

PAN-195707 Fixed an issue on Panorama appliances configured as log collectors
where Panorama repeatedly rebooted into maintenance mode.

PAN-195628 Fixed an issue that caused the pan_task process to miss heartbeats and
stop responding.

PAN-195625 Fixed an issue where authd frequently created SSL sessions, which
resulted in an out-of-memory (OOM) condition.

PAN-195360 Fixed an issue with firewalls in Microsoft Azure environments
where BGP flapping occurred due to the firewall incorrectly treating
capability from BGP peering as unsupported.

PAN-195223 Fixed an issue where the all_pktproc process restarted when receiving
a GTPv2 Modify Bearer Request packet if the Serving GPRS Support
Node (SGSN) used the same key as the Serving Gateway (SGW).

PAN-195181 Added enhancements to improve the load on the pan_comm process
during SNMP polling.

PAN-194958 Fixed an issue where using the show routing protocol bgp
loc-rib-detail CLI command caused the CLI to stop responding.

PAN-194826 (WF-500 and WF-500-B appliances only) Fixed an issue where log
system forwarding did not work over a TLS connection.

PAN-194776 Fixed an issue on Amazon Web Services (AWS) Gateway Load
Balancer (GWLB) deployments with overlay routing enabled where
intra-zone packets were re-encapsulated with the incorrect source/
destination MAC address.

PAN-194601 Fixed an issue that caused the all_task process to stop responding.

PAN-194481 Fixed an issue in ESXi where the bootstrapped VM-Series firewalls
with the Software Licensing Plugin had :xxx appended to their
hostnames.

PAN-194472 A CLI command was added to address an issue where packets were
discarded due to the QoS queue limit being reached. This command
enables you to modify the QoS queue size to accommodate more
users.

PAN-194408 Fixed an issue where, when policy rules had the apps that implicitly
depended on web browsing configured with the service application
default, traffic did not match the rule correctly.

PAN-194406 Fixed an issue where the MTU from SD-WAN interfaces was
recalculated after a configuration push from Panorama or a local
commit, which caused traffic disruption.

PAN-193981 (VM-Series firewalls in Microsoft Azure environments only) Fixed
an issue where the firewall stopped monitoring high availability (HA)
failure and floating IP addresses did not get moved to the newly active
firewall.

PAN-193765 Fixed an issue where commits failed and the following error displayed in
the configd log: Unable to populate ids into candidate
config: Error: Error populating id for ‘sg2+DMZ to
FirstAM Scanner-1‘.

PAN-193763 Fixed an issue on the firewall where the dataplane CPU spiked, which
caused traffic to be affected during commits or content updates.

PAN-193707 Fixed an issue where SAML authentication failed during commits with
the following error message: revocation status could not be
verified (reason: ).

PAN-193483 (VM-Series firewalls only) Fixed an issue where, during Layer-7 packet
inspection where traffic was being inspected for threat signature and
data patterns, multiple processes stopped responding.

PAN-193392 Fixed an issue where RTP packets dropped due to conflicting duplicate
flows.

PAN-193175 Fixed an issue where PBP Drops (8507) threat logs were
incorrectly logged as SCTP Init Flood (8506).

PAN-193132 (PA-220 firewalls only) Fixed an issue where a commit and push from
Panorama caused high dataplane CPU utilization.

PAN-192944 Fixed an issue where the logrcvr process caused an OOM condition.

PAN-192758 (PA-7000 Series firewalls only) Fixed an issue where files failed to
upload to the WildFire public cloud.

PAN-192726 Fixed an issue where the firewall dropped TCP traffic inside IPSec
tunnels.

PAN-192725 Fixed an issue where the firewall failed to forward logs to Panorama
when configured with IPv6 addressing only.


PAN-192666 (VM-Series firewalls only) Fixed an issue where uploading certificates
via API failed within the first 30 minutes of a bootstrap.

PAN-192551 (PA-5400 Series firewalls only) Fixed an issue where the firewall
incorrectly processed path monitoring packets, which caused a slot
restart.

PAN-192404 Fixed an issue where ARP broadcasts occurring in the same time
interval and network segment as HA path monitoring pings triggered
an ARP cache request, which prevented the firewall from sending
ICMP echo requests to the monitored destination IP address and
caused an HA path monitoring failover.

PAN-192330 (Bootstrapped VM-Series firewalls in Microsoft Azure environments
only) Fixed an issue where the firewall did not automatically receive
the Cortex Data Lake license.

PAN-192089 Fixed an issue on the web interface where the IPSec tunnel did not
gray out after disabling it.

PAN-191867 Fixed an issue where CPU stalls resulted in a slot restart.

PAN-191847 Fixed an issue where the Panorama appliance was unable to generate
scheduled custom reports due to the large number of files stored in
the opt/pancfg/mgmt/custom-reports directory.

PAN-191726 Fixed an issue where an SCP export of the device state from the
firewall added single quotes ( ' ) to the filename.

PAN-191558 Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find
did not display all results related to a searched item.

PAN-191381 Fixed an issue where multicast packets were dropped due to a large
timeout value in the multicast FIB.

PAN-191288 Fixed an issue where the firewall restarted due to a dnsproxy process
crash.

PAN-191269 Fixed an issue where the NAT pool leaked for passive mode FTP
predict sessions.

PAN-191218 (PA-5400 Series firewalls only) Fixed an issue where the session log
storage quota could not be changed via the web interface.

PAN-191163 Fixed an issue where the logrcvr process stopped responding when
processing threat logs with HTTP2 and data capture flagged.


PAN-191022 Fixed an issue where a full routing table caused many dataplane
messages, which resulted in packet buffer congestion and packet
drops.

PAN-190811 (PA-5450 firewalls only) Fixed an issue where logs were forwarded
through the management interface instead of the configured log
interface to be used for forwarding.

PAN-190727 (PA-5450 firewall only) Fixed an issue where documentation for
configuring the log interface was unavailable on the web interface and
in the PAN-OS Administrator’s Guide.

PAN-190493 Fixed an issue where decrypted VLAN traffic on Virtual Wire (V-Wire)
changed to VLAN ID 0.

PAN-190492 Fixed an issue where the Panorama log collector group level SSH
settings were not migrated to the new format when upgrading from a
PAN-OS 9.1 release to a PAN-OS 10.0 release.

PAN-190448 Fixed an issue in ACC reports where IPv6 addresses were displayed
instead of IPv4 addresses.

PAN-190292 Fixed an issue where you could not configure a log interface as a
service route (Device > Setup > Services > Service Route).

PAN-190225 Fixed an issue on Panorama appliances in active/passive HA
configurations where the passive appliance was unable to connect to
the active appliance after resetting the secure connection state.

PAN-189867 Fixed an issue where, when logging in to the GlobalProtect gateway,
the authentication cookie was not reused.

PAN-189861 Fixed an issue on firewalls in HA configurations where intermittent
system alerts on the active firewall caused the pan_comm process to
restart continuously.

PAN-189762 Fixed an issue where a predict session didn't match with the traffic
when both source NAT and destination NAT were enabled.

PAN-189414 Fixed an issue where TCP packets were dropped during the first zone
transfer when DNS security was enabled.

PAN-189304 Fixed an issue where the Panorama appliance didn't display logs or
generate reports for a device group containing MIPs platform that
forwarded logs to Cortex Data Lake.


PAN-189225 Fixed an issue where BGP routes were lost or uninstalled after
disabling jumbo frames on the firewall.

PAN-189206 Fixed an issue where Device Group and Template administrator roles
didn't support a context switch between the Panorama and firewall
web interfaces.

PAN-189114 Fixed an issue where the dataplane went down, which caused an HA
failover.

PAN-188942 Fixed an issue where, when modifying a DNS proxy configuration,
the server port number was transparently changed to port 1080 if an
administrator changed only the server IP address.

PAN-188867 Fixed an issue where the firewall dropped packets when the session
payload was too large.

PAN-188338 Fixed an issue where canceling a commit caused the commit process
to remain at 70% and the firewall had to be rebooted.

PAN-188096 (VM-Series firewalls only) Fixed an issue where, on firewalls licensed
with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering
was unable to be established.

PAN-187890 Fixed an issue where the Cortex Data Lake connection incorrectly
displayed as disconnected when a service route was in use.

PAN-187805 Fixed an issue where a process (all_pktproc) stopped responding and
the dataplane restarted during certificate construction or destruction.

PAN-187755 Fixed an issue where the maximum session timeout was not applied to
the administrator as expected.

PAN-187151 Fixed an issue where the tunnel-monitoring interface was incorrectly
shown as up instead of down.

PAN-186995 Fixed an issue where the command to show IP address tags for
Dynamic Address Groups displayed the error start-point should
be equal to or between 1 and 100000 even when the
maximum registered IP address limit was greater than 100,000. With
this fix, the show command will display IP address tags up to the
correct maximum limit.

PAN-186957 Fixed an issue where, in SAML Metadata Export, a drop-down did not
appear in the input field when IP or Hostname was selected for Type.


PAN-186891 Fixed an issue where NetFlow packets contained incorrect octet
counts.

PAN-186807 Fixed an issue where RAID rebuild occurred after a reboot due to the
RAID array not being populated during the firewall bootup.

PAN-186658 Fixed an issue where Panorama console sessions were not cleared on
the firewall after the idle-timeout value expired.

PAN-186584 Fixed an issue where SNMPv3 CPU use didn't match the firewall
output for show running resource-monitor on single dataplane
firewalls.

PAN-186418 Fixed an issue where Panorama displayed a discrepancy in RAM
configured on the VMware host.

PAN-186075 (VM-Series firewalls only) Fixed an issue where the firewall rebooted
after receiving large packets while in DPDK mode on Azure virtual
machines running CX4 (MLx5) drivers.

PAN-185789 Fixed an issue where the show ntp CLI command resulted in a
Rejected status for NTP servers that used auto-key authentication.

PAN-185787 Fixed an issue where logging in to the Panorama web interface did not
work and the following error message displayed: Timed out while
getting config lock. Please try again.

PAN-185286 (PA-5400 Series firewalls only) Fixed an issue on Panorama where
device health resources did not populate.

PAN-184902 Fixed an issue where the logd process stopped responding on
Panorama and wasn't able to receive logs from the firewall due to the
event manager returning a null pointer.

PAN-184845 Fixed an issue where Address Resolution Protocol (ARP) packets
dropped due to ARP throttle.

PAN-184771 Fixed an issue where the threat category in a scheduled report
incorrectly displayed as unknown.

PAN-184702 (M-700 appliances in Log Collector mode only) Fixed an issue on the
Panorama management server where the Panorama appliance failed to
connect to Panorama when added as a managed log collector.


PAN-184342 Fixed an issue where the firewall dropped the second TCP packet as
non-syn TCP if it was SYN/ACK/PSH due to the incorrect expectation
that the second packet would be SYN/ACK.

PAN-184068 (PA-5200 series firewalls only) Fixed an issue where the firewall
generated pause frames, which caused network latency.

PAN-183949 Fixed an issue on the firewall where a script to send XML API queries
to update the block list caused the sslmgr process to restart.

PAN-183888 Fixed an issue on Panorama appliances with PA-5400 Series managed
firewalls where Monitor > Traffic did not display logs.

PAN-183826 Fixed an issue where, after clicking WildFire Analysis Report, the web
interface failed to display the report with the following error message:
refused to connect.

PAN-183664 (VM-Series firewalls only) Fixed an issue where set core operations
failed during Software NGFW FLEX licensing.

PAN-183603 (M-200 and M-600 appliances in Log Collector mode only) Fixed
a disk issue that occurred after an upgrade to PAN-OS 10.2 which
prevented the ElasticSearch process from starting, which resulted in
the dedicated log collector being unable to write new logs to logging
disks.

PAN-183270 Fixed an issue where a bootstrapped firewall connected only to the
first log collector in a log collector group.

PAN-183184 Fixed an issue where enabling SSL decryption with a Hardware
Security Module (HSM) caused a dataplane restart.

PAN-183166 Fixed an issue where system, configuration, and alarm logs were
queued up on the logrcvr process and were not forwarded out or
written to disk until an autocommit was passed.

PAN-182951 Fixed an issue where commits remained at 98% for an hour and then
failed.

PAN-182539 Fixed an issue with Panorama appliances in HA configurations where
dedicated log collectors did not send local system or configuration logs
to both Panorama appliances.

PAN-182212 Fixed an issue where SNMP reported the panVsysActiveTcpCps
and panVsysActiveUdpCps values to be 0.


PAN-182173 (Panorama appliances in HA configurations only) Fixed an issue where,
when using Prisma Access multitenancy, the passive appliance didn't
correctly update the tenant information after the tenant was deleted
on the active appliance.

PAN-182087 Fixed an issue where commit failures occurred due to validity
checks performed against self-signing certificates not evaluating
Authentication Key Identifier and Subject Key Identifier fields.

PAN-180863 Fixed an issue where the authentication key was mandatory on the
firewall to remove Panorama server details.

PAN-179750 A CLI command was added to set the virtual memory limit in dedicated
log collectors.

PAN-179543 Fixed an issue where the flow_mgmt process stopped responding when
attempting to clear the session table, which caused the dataplane to
restart.

PAN-179295 Fixed an issue where report generation did not work as expected
due to missed parameters being passed during inter-daemon
communication.

PAN-178243 Fixed an issue where Shared Gateway was not visible in the Virtual
System drop down when configuring a Layer3 aggregate subinterface.

PAN-178194 Fixed an issue with the web interface where, when only the Advanced
URL Filtering license was activated, the message License required
for URL filtering to function was incorrectly displayed and
the URL Filtering Profile > Inline ML section was disabled.

PAN-177861 Fixed an issue with User ID redistribution where a system log with
severity of High was generated each time a commit was performed.
This issue occurred due to all UIA agent connections being reset after
each commit.

PAN-177482 Fixed an issue where ACC > App Scope > Threat Monitor showed NO
DATA TO DISPLAY.

PAN-176703 Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later
release where commits to the firewall configuration failed with the
following error message: statistics-service is invalid.

PAN-175236 Fixed an issue in the template stack where you were unable to add
routes under GlobalProtect > Gateway > Satellite > Network Settings.


PAN-174809 Fixed an issue where a process (all_pktproc) restarted.

PAN-174489 Fixed a source user mismatch issue that occurred when the same
name was set as the actual domain for the overriding domain.

PAN-173373 (VM-Series firewalls in NSX-T deployments only) Fixed an
issue where deployments dropped packets with the counter
pan_netx_send_pkt error.

PAN-172834 Fixed a memory leak issue related to the useridd process that occurred
when processing IP-address-to-username mappings.

PAN-172501 Fixed an issue where you were unable to revert HA mode settings to
the default values from the web interface.

PAN-171714 Fixed an issue where, when NetBIOS format (domain\user) was used
for the IP address-to-username mapping and the firewall received
the group mapping information from the Cloud Identity Engine, the
firewall did not match the user to the correct group.

PAN-171690 Fixed an issue where logs were not displayed in GlobalProtect
Deployment Activity with the message No data to display even
though they were displayed in the Monitor tab.

PAN-171497 Fixed an issue where, after a local user group was updated by adding
or removing users, the local user group was removed from groupdb.

PAN-171159 Fixed a memory leak on the configd process on Panorama caused
during multi-clone operations for rules.

PAN-169153 Fixed an issue where LDAP connections over TLS failed with untrusted
certificates error even though Verify Server Certificate for SSL
sessions option was not selected.

PAN-168005 Fixed an issue where GlobalProtect was unable to connect to the
gateway and displayed the error message Could not connect
to the gateway. The device or features requires
a GlobalProtect subscription license even though the
gateway firewall had a valid gateway license.

PAN-163906 Fixed an issue where commits failed due to a non-configuration error.

PAN-163828 Fixed an issue where path MTU discovery did not work when the MTU
was not configured manually on the tunnel interface.


PAN-163261 Fixed an intermittent issue where the firewall dropped GTPv2 Modify
Bearer Request packets with the following error message: Abnormal
GTPv2-C message with missing mandatory IE.

PAN-160238 Fixed an issue where intermittent VXLAN packet drops occurred if
the TCI was not configured for inspecting VXLAN traffic. This issue
occurred when traffic was migrated from a firewall running a PAN-OS
version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or
later.

PAN-157215 Fixed an issue that occurred when two FQDNs were resolved to the
same IP address and were configured as the same src/dst of the same
rule. If one FQDN was later resolved to a different IP address, the
IP address resolved for the second FQDN was also changed, which
caused traffic with the original IP address to hit the incorrect rule.

PAN-151469 Fixed an issue where packets were dropped unexpectedly due to
errors parsing the IP version field.

PAN-OS 10.1.6 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.6.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

• PAN-OS 10.1.6 Known Issues
• PAN-OS 10.1.6-h6 Addressed Issues
• PAN-OS 10.1.6-h3 Addressed Issues
• PAN-OS 10.1.6 Addressed Issues


PAN-OS 10.1.6 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.6. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.


APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-201627 (PAN-OS 10.1.6-h4 and later PAN-OS 10.1.6 hotfixes) For
next-generation firewall deployments where SD-WAN is configured,
the dataplane could restart if all SD-WAN member links are down
due to an out-of-memory condition. This could also happen during a
device reboot when all SD-WAN tunnels are down.
Workaround: Downgrade to PAN-OS 10.1.6-h3 or earlier, or
upgrade to the latest PAN-OS 10.2 release.
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues.

PAN-198187 For firewalls managed by a Panorama management server,
System logs (Monitor > System) may not display the Commit
Description if you push (Commit > Push to Devices) to
multiple device groups from Panorama.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-198174 When viewing traffic or threat logs from the firewall ACC
or Monitor, performing a reverse DNS lookup, for example,
when resolving IP addresses to domain names using the
Resolve Hostname feature, can cause the appliance to crash
and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall
(Device > DNS Setup > Services). If you cannot reference a
valid DNS server, you can add a dummy address.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.
This issue is now resolved. See
PAN-OS 10.1.9 Addressed
Issues.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-194424 (PA-5450 firewall only) Upgrading to PAN-OS 10.1.6-h2
while having a log interface configured can cause both the log
interface and the management interface to remain connected
to the log collector.
Workaround: Restart the log receiver service by running the
following CLI command:

debug software restart process log-receiver

PAN-194202 (PA-5450 firewall only) If the management interface and
logging interface are configured on the same subnetwork,
the firewall conducts log forwarding using the management
interface instead of the logging interface.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to the php.debug.log file taking
up too much space.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser in which you are logged in to the Panorama
web interface, enter the following URL.
https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
availability (HA) peer if Panorama is in a HA configuration.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.


PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-
map command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this).

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed
Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays
VM-FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed
Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       2  0  0  0  0  0  2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the
VM-Series firewall. When the firewall is back up, verify that
multi-channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       1  1  0  0  0  0  2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example:
( subtype eq iot ) and ( description contains 'gRPC connection' )

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama >
SD-WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display
as out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an
SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
  firewall.
  1. On the web interface, delete the PAN-DB Server IP
     address (Device > Setup > Content ID > URL Filtering
     settings).
  2. Commit your changes.
  3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
  4. Commit your changes.
• Restart the firewall (devsrvr) process.
  1. Log in to the firewall CLI.
  2. Restart the devsrvr process:
     debug software restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the
VM-Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the
VM-Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address
and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,


the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exists:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.6-h6 Addressed Issues


Issue ID Description

PAN-196993 Fixed an issue where an incorrect regex key was
generated to invalidate the completions cache, which
caused the configd process to stop responding.

PAN-195181 Added enhancements to improve the load on the
pan_comm process during SNMP polling.

PAN-194826 (WF-500 and WF-500-B appliances only) Fixed an issue
where log system forwarding did not work over a TLS
connection.

PAN-194776 Fixed an issue on Amazon Web Services (AWS) Gateway
Load Balancer (GWLB) deployments with overlay routing
enabled where intra-zone packets were re-encapsulated
with the incorrect source/destination MAC address.

PAN-194721 Fixed an issue where path monitor failure occurred, which
caused slots to go down.

PAN-194694 Fixed an issue where multiple SNMP requests being made
to the firewall caused the pan_comm process to stop
responding.

PAN-194645 (PA-5400 Series firewalls only) Fixed an issue where the
Data Processing Card status was incorrectly shown as
config=None

PAN-194601 Fixed an issue that caused the all_task process to stop
responding.

PAN-194406 Fixed an issue where the MTU from SD-WAN interfaces
was recalculated after a configuration push from
Panorama or a local commit, which caused traffic
disruption.

PAN-194097 Fixed an issue on firewalls in high availability (HA) active/
passive configurations where _ha_d_session_msgbuf
overflowed on the passive firewall during an upgrade,
which caused the firewall to enter a non-functional state.

PAN-193732 (PA-5400 Series firewalls only) Fixed an issue where the
firewall incorrectly handled internal transactions.

PAN-193184 Fixed an issue where IP-user-mapping disappeared when
login/logout events occurred at the same timestamp.

PAN-193132 (PA-220 firewalls only) Fixed an issue where a commit
and push from Panorama caused high dataplane CPU
utilization.

PAN-192999 A fix was made to address CVE-2022-0028.

PAN-192758 (PA-7000 Series firewalls only) Fixed an issue where files
failed to upload to the WildFire public cloud.

PAN-192673 (PA-7050-SMC-B firewalls only) Fixed an issue where the
LFC (log forwarding card) syslog-ng service failed to start
after an upgrade.

PAN-192551 (PA-5400 Series firewalls only) Fixed an issue where the
firewall incorrectly processed path monitoring packets,
which caused a slot restart.

PAN-192052 Fixed an issue where, when next hop MAC address
entries weren't found on the offload processor for active
traffic, update messages flooded the firewall, which
caused resource contention and traffic disruption.

PAN-182951 Fixed an issue where commits remained at 98% for an
hour and then failed.

PAN-173469 Fixed an intermittent issue where websites were blocked
and categorized as not resolved.

PAN-OS 10.1.6-h3 Addressed Issues


Issue ID Description

PAN-194408 Fixed an issue where, when policy rules had the apps that
implicitly depended on web browsing configured with the
service application default, traffic did not match the rule
correctly.

PAN-194325 (PA-5450 firewalls only) Fixed an issue where the logging
interface configuration was not correctly written to the
syslog-ng configuration file.

PAN-192880 Fixed an issue where, when the firewall was configured
for jumbo frames, an internal interface was not set with
the correct MTU, which caused frames larger than
1500 bytes to be dropped when a DF bit was set.

PAN-192403 (PA-5450 firewalls only) Fixed an issue on the web
interface where, when configuring the management
interface and logging interface in the same subnetwork,
a commit warning was not displayed even though the
configuration caused routing and connectivity issues.

PAN-191558 Fixed an issue where, after an upgrade to PAN-OS 10.1.5,
Global Find did not display all results related to a searched
item.

PAN-191257 Fixed an issue on the firewall where the useridd process
stopped responding after a commit from Panorama.
This occurred due to a timing issue where a HIP query
from the dataplane was initiated before the process had
finished initialization.

PAN-190811 (PA-5450 firewalls only) Fixed an issue where logs were
forwarded through the management interface instead of
the log interface configured for forwarding.

PAN-190292 Fixed an issue where you could not configure a log
interface as a service route (Device > Setup > Services >
Service Route).

PAN-189762 Fixed an issue where a predict session didn't match with
the traffic when both source NAT and destination NAT
were enabled.

PAN-188833 Fixed an issue where shared address objects used as a
source or destination in policies were cloned but not
freed back after configuration commits.

PAN-187126 Fixed an issue where enabling DPDK mode on the
dataplane interfaces of a Microsoft Azure instance caused
the brdagent process to stop responding.

PAN-186075 (VM-Series firewalls only) Fixed an issue where the
firewall rebooted after receiving large packets while in
DPDK mode on Azure virtual machines running CX4
(MLx5) drivers.

PAN-186024 Fixed an issue where URL category match did not work
for External Dynamic List URLs due to a leak related to
the devsrvr process.

PAN-183166 Fixed an issue where system, configuration, and alarm
logs were queued up on the logrcvr process and were not
forwarded out or written to disk until an autocommit was
passed.

PAN-OS 10.1.6 Addressed Issues


Issue ID Description

WF500-5509 (WF-500 appliance only) Fixed an issue where cloud inquiries were
logged under the SD-WAN subtype.

PAN-193579 Fixed an issue where new logs viewed from the CLI (show log
<log_type>) and new syslogs forwarded to a syslog server contained
additional, erroneous entries.

PAN-192930 Fixed an issue where, when the default port was not TCP/443,
implicitly used SSL applications were blocked by the Security policy as
an SSL application and did not shift to the correct application.

PAN-191629 (PA-5450 firewalls only) Fixed an issue where the hourly summary
log was limited to 100,001 lines when summarized, which resulted in
inconsistent report results when using summary logs.

PAN-191470 Fixed an issue on Panorama where encrypted passwords were sent to
firewalls on PAN-OS 10.1 releases during a multi-device group push,
which caused client-based External Dynamic Lists (EDL) to fail.

PAN-191466 Fixed an issue where you were unable to use the web interface to
override IPsec tunnels pushed from Panorama.

PAN-191222 Fixed an issue where Panorama became inaccessible after a push
to the collector group.

PAN-190728 Fixed an issue in active/passive high availability (HA) configurations
with link or path monitoring enabled where the aggregate ethernet
interface went down before member interfaces went down.

PAN-190675 Fixed an IoT cloud connectivity issue with the firewall dataplane when
the Data Services service route was used and the egress interface had
VLAN tagging.

PAN-190660 Fixed an issue where the vld process stopped responding when
Elasticsearch had no data.

PAN-190644 Fixed an issue where Elasticsearch removed indices earlier than the
configured retention period.

PAN-190409 (PA-5450 and PA-3200 Series firewalls that use an FE101 processor
only) Fixed an issue where packets in the same session were
forwarded through a different member of an aggregate ethernet group
when the session was offloaded.

PAN-189982 Fixed an issue where, when inputting tags, the scrollbar in the dialog
box for the tag field obscured the down arrow.

PAN-189643 Fixed an issue where, when Quality of Service (QoS) was enabled on
an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.

PAN-189182 Fixed an issue where the change summary didn't work after upgrading
the Panorama appliance.

PAN-189010 Fixed an issue on Panorama where a deadlock in the configd process
caused both the web interface and the CLI to be inaccessible.

PAN-188872 Fixed an out-of-memory (OOM) condition caused by a memory leak
issue on the useridd process.

PAN-188776 (PA-5450 firewalls only) Fixed an issue where the AUX-2 port required
a reboot to link up after factory resetting the firewall.

PAN-188336 Fixed an issue with the dnsproxyd process that caused the firewall to
unexpectedly reboot.

PAN-188303 Fixed an issue where the serial number displayed as unknown after
running the show system state CLI command.

PAN-188272 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue
where Support UTF-8 For Log Output wasn't visible on the web
interface.

PAN-188097 Fixed an issue where the firewall stopped allocating new sessions
with increments in the counter session_alloc_failure. This was caused
by a GPRS tunneling protocol (GTP-U) tunnel session aging processing
issue.

PAN-188009 Fixed an issue where a firewall import to Panorama running a PAN-OS
10.1 release or a PAN-OS 10.2 release resulted in corrupted private
information when the master key was not used.

PAN-188005 Fixed an issue where the var/off file consumed more space than
expected, which caused the root partition to reach 100% utilization.

PAN-187829 Fixed an issue where the web_backend and httpd processes leaked
descriptors, which caused activities that depended on the processes,
such as logging in to the web interface, to fail.

PAN-187630 Fixed an issue where the all_task process stopped
responding with a stack trace that contained the function
pan_agent_userpolicy_cache_find.

PAN-187558 Fixed an issue where the following error message flooded the system
log: Incremental update to DP failed.

PAN-186750 Fixed an issue where, after upgrading to a PAN-OS 10.1 release,
SaaS reports generated on Panorama did not display Applications at
a glance and most charts were missing data on the right side of the
chart.

PAN-186262 Fixed an issue where Panorama appliances in Panorama or Log
Collector mode became unresponsive while Elasticsearch accumulated
internal connections related to logging processes.

PAN-186143 Fixed an issue where no local changes could be made on a Zero Touch
Provisioning (ZTP) enabled device after an upgrade to a PAN-OS 10.1
release.

PAN-185616 Fixed an issue where the firewall sent fewer logs to the system log
server than expected. With this fix, the firewall accommodates a larger
send queue for syslog forwarding to TCP syslog receivers.

PAN-185558 Fixed an issue where Panorama log migration failed when old logs
migrated to a newer format. This was due to older indices failing to
close.

PAN-185440 Fixed an issue where iOS devices incorrectly displayed as jailbroken
under HIP match logs.

PAN-185416 (PA-220 firewalls only) Fixed an issue where the firewall repeatedly
rebooted every few hours.

PAN-184979 Fixed an issue in multi-vsys environments where the DNS service
route always used the management interface even when the dataplane
interface was

PAN-184621 Fixed an issue on FIPS-enabled devices where modifying any
configuration of an existing GlobalProtect portal failed with the
following error message: Operation failed : Malformed
request.

PAN-184291 Fixed an issue where the GlobalProtect portal generated a cookie with
a domain as NULL instead of empty-domain, which caused users to be
identified incorrectly.

PAN-184071 Fixed an issue where tech support files were not generated.

PAN-183788 Fixed an issue with SCEP certificate enrollment where the incorrect
Registration Authority (RA) certificate was chosen to encrypt the
enrollment request.

PAN-183579 Fixed an issue where SD-WAN path monitoring failed over the
interface directly connected to the ISP due to an unsupported ICMP
probe format.

PAN-183529 (PA-5450 firewalls only) Fixed an issue where upgrading the firewall
caused corrupted log records to be created, which caused the logrcvr
process to fail. This resulted in the auto-commit process required
to bring up the firewall after a reboot to fail and, subsequently, the
firewall to become unresponsive.

PAN-183339 Fixed an issue where line breaks in a description were not visible.

PAN-183327 (Firewalls in HA configurations only) Fixed an issue where policy based
forwarding (PBF) sessions between virtual systems (vsys) weren't
pushed to the high availability peer.

PAN-183322 (Firewalls in Hyper-V environments only) Fixed an issue where, when
upgrading PAN-OS 10.0.5 to PAN-OS 10.0.6 or later, the default
Maximum Transmission Unit (MTU) is restored to 1500 from 1496.

PAN-181604 Fixed an issue where audit comment archive configuration
logs (between commits) were lost after each upgrade.

PAN-181568 Fixed an issue where high dataplane CPU occurred when DNS Security
was enabled on a firewall with many DNS sessions but less overall
traffic.

PAN-181277 Fixed an issue where VPN tunnels in SD-WAN flapped due to
duplicate tunnel IDs.

PAN-181262 Fixed an issue where, when the data loss prevention (DLP) plugin was
installed, the Panorama web interface froze after previewing changes.

PAN-181245 Fixed an internal path monitoring failure issue that caused the
dataplane to go down.

PAN-181215 Fixed an issue where the authd process didn't receive authentication
requests due to internal socket errors.

PAN-181031 Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT
pod eventually consumed a large amount of space in the /var/log/pan
because the old registered stale next-generation firewall logs were not
being cleared.

PAN-180934 Fixed an issue where, when decrypting at TLS1.3, websites failed to
load due to the firewall incorrectly handling payload padding from the
server.

PAN-180661 Fixed an issue on Panorama where pushing an unsupported Minimum
Password Complexity (Device > Setup > Management) to a managed
firewall incorrectly displayed a commit timeout as the reason the
commit failed.

PAN-180396 Fixed an issue where Panorama displayed an error when generating a
ticket to disable GlobalProtect for Prisma Access.

PAN-180338 Fixed an issue where the CTD loop count wasn't accurately
incremented.

PAN-180125 Fixed an issue where either Elasticsearch es-1 or es-2 didn't start after
rebooting the log collector.

PAN-179184 Fixed an issue where Security Assertion Markup Language (SAML)
authentication failed when multiple single sign-on (SSO) requests
were sent at the same time from SSL VPN to the authd process on the
firewall.

PAN-178975 Fixed an issue where the local log collector was out of sync and
displayed a public IP address mismatch for the management interface.

PAN-178862 Fixed an issue where bootstrapped firewalls didn't associate with
the configured template stack if the stack name had more than 31
characters.

PAN-178450 Fixed an issue where icons weren't displayed for clientless VPN
applications.

PAN-177762 Fixed an issue where wificlient in PAN-OS 10.0 and later releases
caused processing delays, on-chip descriptor spikes, and buffer usage.

PAN-177671 Fixed an issue where, when SIP traffic traversing the firewall was sent
with a high QoS differentiated service code (DSCP) value, the DSCP
value was reset to the default setting (CS0) for the first data packet.

PAN-177455 (PA-7000 Series firewalls with HA clustering enabled and using HA4
communication links only) Fixed an issue where loading PAN-OS
10.2.0 on the firewall caused the PA-7000 100G NPC (Network
Processing Card) to go offline. As a result, the firewall failed to boot
normally and entered maintenance.

PAN-177409 Fixed an issue where, when the quarantine feature was enabled, every
hostid lookup created a new entry in the cache memory instead of
having a single cache entry for each IP address, which led to memory
exhaustion.

PAN-177063 Fixed an issue where decrypting large packets introduced congestion
during content inspection, which caused processes to stop responding
due to missed heartbeats.

PAN-176437 (PA-3200 Series firewalls only) Fixed an issue where multiple
processes stopped responding, which caused the firewall to reboot.

PAN-175186 Fixed an issue where performing a commit-all operation with the
API type op instead of commit resulted in Panorama returning the
incorrect error message Use type [commit-all] instead of the correct
error message to use the type commit.

PAN-175022 Fixed an issue where the PAN-OS web interface table of contents did
not display or the help contents reloaded continuously.

PAN-175016 Fixed an issue where PDF summary reports were empty when they
were generated by a user in a custom admin role.

PAN-174660 Fixed an issue where the devsrvr process stopped responding after
a local or Panorama pushed commit. This occurred when a single NAT
policy contained more than 64 address objects.

PAN-174514 (VM-Series firewalls on Amazon Web Services (AWS) with Gateway
Load Balancer (GWLB) enabled only) Fixed an issue where the firewall
didn't block access with a response page when accessing a blocked
URL category.

PAN-174161 Fixed an issue in Panorama where attempting to disable
override on an object from a child device group did not work after
cloning and renaming the object.

PAN-173453 Fixed an issue where multiple heartbeat failures occurred, which
resulted in high availability failover.

PAN-172768 Fixed an issue where HIP report generation caused a memory leak on
a process (useridd).

PAN-172766 Fixed an issue on Panorama where a commit push to managed
firewalls failed with sctp-init is invalid error even though
SCTP settings were not configured in the corresponding template.

PAN-170462 Fixed an issue where SaaS applications downloaded from the App-ID
Cloud Engine (ACE) didn't appear in daily application reports (Monitor
> Reports > Application Reports) or in the Application column of the
Application Usage widget (ACC > Network Activity).

PAN-168400 Fixed an issue where, after installing Cloud Services plugin 10.2, the
Plugin cloud_services status (Dashboard > High Availability) displayed
as Mismatch.

PAN-168339 Fixed an issue where replacing SSL certificates for inbound
management traffic did not work when Block Private Key Export was
enabled.

PAN-165660 Fixed an issue in scenarios with fragmented Session Initiation
Protocol (SIP) traffic where the first packet arrived out of order and bypassed
App-ID and Content and Threat Detection (CTD). With this fix, the
out-of-order packet is transmitted after it has been queued and
processed by App-ID and CTD.

PAN-163174 Fixed an issue on the firewall where, after a commit, GlobalProtect
users saw SAML authentication failure due to an improper certificate
revocation check.

PAN-162444 Fixed an issue where the system state reported incorrect or missing
capacity numbers for FQDN address objects.

PAN-162164 Fixed an issue where, when upgrading a multi-dataplane firewall from
a PAN-OS 10.0 to a PAN-OS 10.1 release, the commit failed if the
DHCP Broadcast Session option was enabled in the configuration.

PAN-159702 Fixed an issue where FQDN refresh did not work with the error No
name servers found!, and no subsequent retries occurred.

PAN-155730 Fixed an issue where corrupted log index files were not automatically
removed.

PAN-142701 Fixed an issue where the firewall did not delete Stateless SCTP
sessions after receiving an SCTP Abort packet.

PAN-OS 10.1.5 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.5.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.5 Known Issues
> PAN-OS 10.1.5-h2 Addressed Issues
> PAN-OS 10.1.5-h1 Addressed Issues
> PAN-OS 10.1.5 Addressed Issues

PAN-OS 10.1.5 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.5. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-197097 Large Scale VPN (LSVPN) does not support IPv6 addresses on
the satellite firewall.
This issue is now resolved. See
PAN-OS 10.1.9 Addressed
Issues.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-196309 (PA-5450 firewall only) In PAN-OS 10.1.5-h1, a firewall
configured with a Policy-Based Forwarding policy flaps when
a commit is performed, even when the next hop is reachable.

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-191558 After an upgrade to PAN-OS 10.1.5, Global Find did not
display all results related to a searched item.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-189057 On the Panorama management server, Panorama enters a
non-functional state due to the php.debug.log file taking
up too much space.
Workaround: Disable the debug flag for Panorama.
1. Log in to the Panorama web interface.
2. In the same browser you are logged into the Panorama
web interface, enter the following URL.
https://<panorama_ip>/debug
3. Uncheck (disable) Debug or Clear Debug.
4. (HA configuration) Repeat this step on each Panorama high
availability (HA) peer if Panorama is in an HA configuration.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-177455 PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.1.2
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-175022 The PAN-OS web interface table of contents does not display
or the help contents reload continuously.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall; this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-
map command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this).

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results (opof stats -c), the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays VM-
FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from
PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails.
Auto-commit is not affected.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.
PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      2  0  0  0  0  0  2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the
VM-Series firewall. When the firewall is back up, verify that
multi-channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name   1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf      1  1  0  0  0  0  2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama >
SD-WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display
as out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an
SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.


PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the
VM-Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal <direction>
<dst> | <src> in <object-name> command on a managed firewall
only returns address and address group objects pushed from
the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a
three-node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.5-h2 Addressed Issues


Issue ID Description

PAN-191629 (PA-5450 firewalls only) Fixed an issue where the hourly summary
log was limited to 100,001 lines when summarized, which resulted in
inconsistent report results when using summary logs.

PAN-190660 Fixed an issue where the vld process stopped responding when
Elasticsearch had no data.

PAN-190644 Fixed an issue where Elasticsearch removed indices earlier than the
configured retention period.

PAN-190409 (PA-5450 firewalls and PA-3200 Series firewalls that use a FE101
processor only) Fixed an issue where packets in the same session were
forwarded through a different member of an aggregate ethernet group
when the session was offloaded.

PAN-189375 Fixed an issue where, when migrating the firewall, the firewall dropped
packets when trying to re-use the TCP session.

PAN-188097 Fixed an issue where the firewall stopped allocating new sessions
with increments in the counter session_alloc_failure. This was caused
by a GPRS tunneling protocol (GTP-U) tunnel session aging processing
issue.

PAN-183529 (PA-5450 firewalls only) Fixed an issue where upgrading the firewall
caused corrupted log records to be created, which caused the logrcvr
process to fail. This resulted in the auto-commit process required
to bring up the firewall after a reboot to fail and, subsequently, the
firewall to become unresponsive.

PAN-181277 Fixed an issue where VPN tunnels in SD-WAN flapped due to
duplicate tunnel IDs.

PAN-OS 10.1.5-h1 Addressed Issues


Issue ID Description

PAN-190175 and PAN-190223 A fix was made to address an OpenSSL infinite loop vulnerability in the
PAN-OS software (CVE-2022-0778).

PAN-189643 Fixed an issue where, when QoS was enabled on an IPSec tunnel,
traffic failed due to applying the wrong tunnel QoS ID.

PAN-178450 and PAN-177905 Fixed an issue where icons weren't displayed for clientless VPN
applications.

PAN-OS 10.1.5 Addressed Issues


Issue ID Description

PAN-189769 Fixed an issue on Amazon Web Services (AWS) Gateway Load
Balancer (GWLB) deployments with overlay routing enabled where,
when a single firewall was the backend of multiple GWLBs, packets
were re-encapsulated with an incorrect source IP address.

PAN-189665 (FIPS-CC enabled firewalls only) Fixed an issue where the firewall was
unable to connect to log collectors after an upgrade due to missing
cipher suites.

PAN-189468 Fixed an issue where the firewall onboard packet processor used
by the PAN-OS content-inspection (CTD) engine can generate
high dataplane resource usage when overwhelmed by a session
with an unusually high number of packets. This can result in
resource-unavailable messages due to the content inspection
queue filling up. Factors related to the likelihood of an occurrence
include enablement of content-inspection based features that are
configured in such a way that might process thousands of packets
in rapid succession (such as SMB file transfers). This can cause poor
performance for the affected session and other sessions using the
same packet processor. PA-3000 series and VM-Series firewalls are
not impacted.

PAN-189230 (VM-Series firewalls only) Fixed an issue that caused the pan_task
process to stop responding with floating point exception (FPE) when
there was a module of 0 on the queue number.

PAN-188883 Fixed an issue where, when pre-generated license key files were
manually uploaded via the web interface, they weren't properly
recognized by PAN-OS and didn't display a serial number or initiate a
reboot.

PAN-187894 (VM-Series firewalls only) Fixed an issue with
vm_license_response.log that consumed a large portion of the
root partition.

PAN-187769 (VM-Series firewalls in Microsoft Azure environments only) Fixed a
Data Plane Development Kit (DPDK) issue where interfaces remained
in a link-down state after an Azure hot plug event. This issue occurred
due to a hot plug of Accelerated Networking interfaces on the Azure
backend caused by host updates, which led to Virtual Function
unregister/Register messages on the VM side.

PAN-187438 (PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces
didn’t come up when using BiDi transceivers.

PAN-186785 Fixed an issue where, after logging in, Panorama displayed a 500 error
page after five minutes of logging for dynamic group template admin
types with access to approximately 115 managed devices or 120
dynamic groups.

PAN-186725 Fixed an issue where index creation failed when Elasticsearch
attempted to create a new index with a duplicate index name.

PAN-186646 (PA-5400 Series firewalls only) Fixed an issue where traffic flow
through IKE NATT IPSec S2S tunnels broke on tunnel rekey with
multiple data processing cards (DPC).

PAN-186516 Fixed an issue where log queries that included WildFire submission
logs returned more slowly than expected.

PAN-186402 (PA-440 Series firewalls only) Fixed an issue where the firewall's
maximum tunnel limit was incorrect.

PAN-185750 Updated an issue to eliminate failed pan_comm software issues that
caused the dataplane to restart unexpectedly.

PAN-185726 Fixed an issue where the dataplane exited during IPSec encapsulation
and decapsulation offload operations.

PAN-185695 (PA-5400 Series firewalls only) Fixed an issue where up to 75% traffic
loss occurred on GlobalProtect tunnels with multiple DPCs.

PAN-185359 Fixed an issue where you were unable to reference shared address
objects as a BGP peer address (Virtual Router > BGP > Peer Group >
Peer Address).

PAN-185164 Fixed an issue where processing corrupted IoT messages caused the
wificlient process to restart.

PAN-185163 Fixed an issue where the distributord process hit the FD limit, which
caused User-ID redistribution to not function properly.

PAN-184761 Fixed an issue where Security policies were deleted on managed
devices upon a successful push from Panorama to multiple device
groups. This occurred when the Security policies had device_tags
selected in the target section.

PAN-184445 Fixed an issue where, after upgrading the Panorama, tagged address
objects used in dynamic address groups were removed after a full
commit and push. This issue occurred when the setting Share Unused
Address and Service Objects with Devices was left unchecked.

PAN-184432 Fixed an issue where the logrcvr process stopped responding due
to a heartbeat failure that was caused by sysd nodes being stuck on
logdb_writers for system, configuration, and alarm logs.

PAN-184224 Fixed an issue on Panorama where you were unable to select a
template variable in Templates > Device > Log Forwarding Card > Log
Forwarding Card Interface > Network > IP address location.

PAN-184076 Fixed an issue on the firewall web interface where logs were delayed
when querying for logs.

PAN-184047 Fixed an issue where Terminal Service agent (TS agent) connections
with a certificate profile and the certificate chain on the TS agent
failed. This occurred because common name validation and key usage
checks were being performed in the root or intermediate certificate.

PAN-183774 Fixed a memory leak issue in the mgmtsrvr process, which resulted in
an out-of-memory (OOM) condition and high availability (HA) failover.

PAN-183428 Fixed an issue where, when exporting or pushing a device
configuration bundle from Panorama, a validation error occurred with
GlobalProtect gateway inactivity logout time.

PAN-183239 Fixed an issue where the firewall randomly disconnected from the
WildFire URL cloud.

PAN-183112 Fixed an issue where the threat log type ml-virus wasn't forwarded
to Panorama or to external servers.

PAN-182954 (PA-7000 Series firewalls with Log Processing Cards (LPC) only) Fixed
an issue where excessive threat ID lookups caused logs to be lost.

PAN-182903 Fixed an issue where SD-WAN failover on a hub or branch in full mesh
took longer than expected.

PAN-182732 Fixed an issue where the GlobalProtect gateway inactivity timer wasn't
refreshed even though traffic was passing through the tunnel.

PAN-182634 (PA-400 Series firewalls only) Fixed an issue where the firewall
detected a Power Supply Unit (PSU) failure for the opposite side
when disconnecting a PSU from the device. This issue occurred when
redundant PSUs were connected.

PAN-181839 Fixed an issue where Panorama Global Search reported No Matches
found while still returning results for matching entries on large
configurations.

PAN-181802 Fixed an issue where a memory utilization condition resulted in the
web interface responding more slowly than expected and management
server restarting.

PAN-181706 Fixed an issue where the logrcvr process stopped responding after
upgrading to PAN-OS 10.1.

PAN-181579 Fixed an issue with the GlobalProtect gateway where the time-
to-live (TTL) limit expired faster than real-time limit. As a result, a
reconnection was required before the expected lifetime expiration.

PAN-181558 Fixed an issue where the stats dump file was not generated properly.

PAN-181360 Fixed an issue where staggering scheduled dynamic updates from
Panorama to firewalls only worked for the first scheduled group and
failed for the remaining groups of the same type.

PAN-181116 Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that
caused the pan_comm process to stop responding and the dataplane to
restart. These issues also caused GlobalProtect tunnels to fall back to
SSL instead of IPSec due to the inadvertent encapsulation of the ICMP
keepalive response from the firewall.

PAN-181039 Fixed an issue with DNS cache depletion that caused continuous DNS
retries.

PAN-180916 Fixed an issue where DNS security caused the TTL value of the pointer
record (PTR) to be overwritten with a value of 30 seconds.

PAN-180760 Fixed an issue where users were unable to SSH to the firewall and
encountered the following error message: Could not chdir to
home directory /opt/pancfg/home/user: Permission
denied.

PAN-180095 Fixed an issue where Panorama serial-number-based redistribution
agents did not redistribute HIP reports.

PAN-179982 Fixed an issue where an OOM condition occurred due to quarantine
list redistribution.

PAN-179976 Fixed an issue where the WildFire Inline Machine Learning (ML) did
not detect mlav-test-pe-file.exe when traffic was decrypted.

PAN-179899 Fixed an issue where updating the master key did not update the SD-
WAN preshared key (PSK).

PAN-179886 Fixed an issue where new tunnels were unable to be established for
Elasticsearch due to faulty logic that prevented old tunnels from being
removed when a node went down.

PAN-179413 Fixed an issue where GRE tunnels flapped during commit jobs.

PAN-179321 A validation error was added to inform an administrator when a policy
field contained the value any.

PAN-179274 Fixed an issue on high availability configurations where, after
upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the
HA1 and HA1-Backup link stayed down. This issue occurred when the
peer firewall IP address was in a different subnet.

PAN-179260 Fixed an issue where admins and other Superusers were unable to
remove a commit lock that was taken by another admin user with the
format <domain/user>. As a result, deleting the commit lock failed.

PAN-179164 Fixed an issue where a web-proxy port number was added to the
destination URL when captive portal authentication was run.

PAN-179059 Fixed an issue where you were unable to delete dynamic address
groups one at a time using XML API.

PAN-178947 Fixed an issue where the useridd process stopped responding when a
NULL reference attempted to be dereferenced. This issue occurred to
IP address users being added.

PAN-178860 Fixed an issue where quarantined devices appeared in the CLI but not
the web interface.

PAN-178672 Fixed an issue where a process (useridd) stopped responding due to
buffer overflow.

PAN-178615 Fixed an issue where restarting the management server created an
invalid reference in the device server, which caused subsequent
commits to fail.

PAN-177981 (PA-5450 firewalls only) Fixed an issue where High Speed Log
Forwarding was enabled when attempting to view local logs.

PAN-177956 Fixed an issue where the CLI output of show location ip <ip
address> returned unknown.

PAN-177907 Fixed an issue where, after rebooting the firewall, FQDN address
objects referred in rules in a virtual system (vsys) did not resolve when
the vsys used a custom DNS proxy.

PAN-177878 Fixed an issue where a role-based admin with Operational Requests
enabled under the XML API section was unable to set the License
Deactivation API key.

PAN-177874 Fixed an issue where a process (devsrvr) stopped responding due to an
unexpected returned value.

PAN-177626 Fixed an issue where aggressive situations caused on-chip descriptor
exhaustion.

PAN-177551 A fix was made to address a vulnerability that enabled an
authenticated network-based administrator to upload a specifically
created configuration that disrupted system processes and was able to
execute arbitrary code with root privileges when the configuration was
committed (CVE-2022-0024).

PAN-177363 Fixed an issue where, when system logs and configuration logs on
a dedicated log detector system were forwarded to a Panorama
management server in Management Only mode, the logs were not
ingested and were dropped. This caused the dedicated log detector
system to not be viewable on a Panorama appliance in Management
Only mode.

PAN-177351 Fixed an issue where configurations failed when downgrading from
PAN-OS 10.1.1 and later versions to PAN-OS 10.0.0 using the
autosaveconfig.xml file.

PAN-177187 Fixed an issue where reports using the decryption summary database
and Panorama as data sources returned no results.

PAN-177170 Fixed an issue on Panorama where a log collector group commit
deleted the proxy settings configured on dedicated log collectors.

PAN-177072 Fixed an intermittent issue where Panorama did not show new logs
from firewalls.

PAN-177060 Fixed an issue where, when the address object in the parent device
group was renamed, and the address object was overridden in the
child device group and called in a Security policy, the object in the
Security policy was renamed as well.

PAN-177054 Fixed an issue where, when you disabled a NAT rule, the Destination
Translation value none displayed in blue and was still able to be
modified to a different value.

PAN-176997 Fixed an issue where log collectors generated Failed to check IoT
content upgrade system logs even when no IoT license was installed.

PAN-176889 Fixed an issue where the log collector continuously disconnected from
Panorama due to high latency and a high number of packets in Send-
Q.

PAN-176746 Fixed an intermittent issue where traffic was lost when performing a
failover in an HA active/passive setup.

PAN-176376 Fixed an issue where importing a firewall configuration to Panorama
failed if Import device's shared objects into Panorama's shared
context (device group specific objects will be created if unique) was
unchecked.

PAN-176348 Fixed an issue where scheduled email alerts were not forwarded to all
recipients in the override list.

PAN-176280 Fixed an intermittent issue on Panorama where querying logs via the
web interface or API did not return results.

PAN-176262 Fixed an issue where the firewall didn't resolve specific domain names
with multiple nested Canonical Name (CNAME) records when caching
was enabled.

PAN-176116 Fixed an issue where the header did not match the correct policy when
IPv6 addresses were set in XFF header.

PAN-176032 Fixed an issue where a process (authd) stopped responding,
which caused authentication to fail.

PAN-176030 Fixed an issue where alerts related to syslog connections were not
generated in the system logs.

PAN-175716 Fixed an issue where sorting address groups by name, address, or
location did not work on a device group that was part of a nested
device group.

PAN-175628 (PA-5200 Series firewalls only) Fixed an issue where the firewall was
unable to monitor AUX1 and AUX2 interfaces through SNMP.

PAN-175570 Fixed an issue where log forwarding profiles did not show up in the
dropdown under Zones.

PAN-175509 Fixed an issue where a deadlock on CONFIG_LOCK caused both
the web interface and CLI commands to time out until the mgmtsrvr
process was restarted.

PAN-175403 (VM-Series firewalls only) Fixed an issue where the firewall did not
display any logs except for system logs.

PAN-175399 Fixed an issue where enabling Use proxy to fetch logs from
Cortex Data Lake caused Panorama to not show logs when
queried.

PAN-175307 Fixed an issue where Panorama commits were slower than expected
and the configd process stopped responding due to a memory leak.

PAN-175259 Fixed an issue where a Security policy configured with App-ID and set
to web-browsing and application-default service allowed clear-text
web-browsing on tcp/443.

PAN-175161 Fixed an issue where changing SSL connection validation settings for
system logs caused the mgmtsrvr process to stop responding.

PAN-175141 Fixed an intermittent issue where IP address-to-username mappings
were not created on a redistribution client if a logout and login
message shared the same timestamp.

PAN-174998 (M-200 and M-500 appliances only) Fixed a capacity issue that was
caused by high operational activity and large configurations. This fix
increases the virtual memory limit on the configd process to 32GB.

PAN-174894 Fixed an issue where, when the TTL value for symmetric MAC entries
wasn't updated to other dataplanes and HA peers, timeouts occurred
for traffic using policy-based forwarding (PBF) with symmetric returns.

PAN-174864 Fixed an issue on the Panorama interface where Deploying Master
Key to low-end devices resulted in a Failed to communicate message,
even when the new master key was updated on the end device. This
issue occurred because a master key deployment had insufficient time
to process due to a connection timeout.

PAN-174709 Fixed an OOM condition that occurred due to multiple parallel jobs
being created by the scheduled log export feature.

PAN-174680 Fixed an issue where, when adding new configurations, Panorama
didn't display a list of suggested template variables when typing in a
relevant field.

PAN-174607 Fixed an intermittent issue where, when Security profiles were
attached to a policy, files that were downloaded across TLS sessions
decrypted by the firewall were malformed.

PAN-174604 Fixed an issue where the email subject of scheduled reports was
enclosed in single quotation marks.

PAN-174564 (VM-Series firewalls on a Kernel-based Virtual Machine (KVM) running
on Proxmox Hypervisor only) Fixed an issue where SSH traffic was
identified as unknown-TCP.

PAN-174347 Fixed an issue where sequence numbers were calculated incorrectly
for traffic that was subject to Session Initiation Protocol (SIP)
application-level gateway (ALG) when SIP TCP Clear Text Proxy was
disabled.

PAN-174011 Fixed an issue where Panorama failed to update shared policies during
partial commits when a new device group was created but not yet
committed.

PAN-173893 Fixed a memory leak issue related to the (useridd) process that
occurred when group mapping was enabled.

PAN-173753 Fixed an issue where a bar or point on a Network Monitor graph had
to be clicked more than once to properly redirect to the corresponding
ACC report.

PAN-173689 Fixed an issue where the dataplane restarted due to running out of
memory in the policy cache.

PAN-173545 Fixed an issue where exporting a device summary to CSV failed and
displayed the following error message: Error while exporting.

PAN-173509 Fixed an issue where Superuser administrators with read-only
privileges (Device > Administrators and Panorama > Administrators)
were unable to view the hardware ACL blocking setting and duration
in the CLI using the following commands:
• show system setting hardware-acl-blocking-enable
• show system setting hardware-acl-blocking-duration

PAN-173267 Fixed an issue where log queries on Panorama appliances returned
with no output and the error message Schema file does not
exist displayed in the reported process log.

PAN-173179 Fixed an issue where the rem_addr field in Terminal Access
Controller Access-Control System (TACACS+) authentication displayed
the management or service route IP address of the firewall instead of
the source IP address of the user.

PAN-172837 Fixed an intermittent issue where the firewall didn't generate block
URL logs for URLs even though the websites were blocked in the client
device.

PAN-172748 (VM-Series firewalls only) Fixed an issue where a process (all_task)
stopped responding.

PAN-172404 Fixed an issue where the semicolon (;) was not recognized as a token
separator while doing regex for URL category matching even though it
is mentioned in the documentation.

PAN-172396 Fixed a memory leak issue related to the useridd process.

PAN-172316 Fixed an issue where the internal interface flow control caused
the monitoring process to incorrectly determine the interface to be
malfunctioning.

PAN-172295 Fixed an issue where a HIP database cache loop caused high CPU
utilization on a process (useridd) and caused IP address-to-user
mapping redistribution failure.

PAN-172243 Fixed an issue where NetFlow traffic triggered a packet buffer leak.

PAN-172056 (VM-Series firewalls only) The logging rate limit was improved to
prevent log loss.

PAN-171869 Fixed an issue where HIP profile objects in security policies and
authentication policies were still visible in the CLI even after replacing
them with source HIP and destination HIP objects.

PAN-171367 Fixed an issue in active/active HA configurations where sessions
disconnected during an upgrade from a PAN-OS 9.0 release to a
PAN-OS 9.1 release.

PAN-171345 Fixed an issue where firewalls experienced high packet descriptor
usage due to internal communication associated with WildFire.

PAN-171181 Fixed an issue where the IPSec tunnel configuration didn't load when
a double quotation mark was added to the comment section of the
IPSec tunnel General tab.

PAN-170952 Fixed script issues that caused diagnostic data to not be collected after
path monitor failure.

PAN-170595 Fixed an issue with Content and Threat Detection where traffic
patterns created a bus error, which caused the all_pktproc process to
stop responding and the dataplane to restart.

PAN-170297 Fixed an issue where ACC > Threat activity did not include the threat
name after upgrading to a PAN-OS 10.0 release.

PAN-169917 Fixed an issue on Panorama where AUX interface IP addresses did not
populate when configuring service routes.

PAN-169796 Fixed an issue where the high availability path group destination IP
address was removed after pushing a PAN-OS 10 release template
from Panorama to a firewall running a PAN-OS 9 release.

PAN-169433 Fixed an issue on Panorama where clicking Run Now for a custom
report with 32 or more filters in the Query Builder returned the
following message: No matching records.

PAN-168921 Fixed an issue on firewalls in HA active/active configurations
where traffic with complete packets showed up as incomplete and
was disconnected due to a non-session owner closing the session
prematurely.

PAN-168890 A CLI command was added to address an issue where a configured
proxy server for a service route was automatically applied to the email
server service route.

PAN-168662 Fixed an issue on Panorama where multiple copies of logs were
displayed for a single session.

PAN-168635 Fixed an issue on the firewall where, when attempting to change the
master key, the existing master key was not validated first. As a result,
all firewall keys were corrupted.

PAN-168286 Fixed a memory leak issue in the mgmtsrvr process that was caused by
failed commit all operations.

PAN-168189 Fixed an issue where, even when there was active multicast traffic, the
firewall sent Protocol Independent Multicast (PIM) prune messages.

PAN-167858 Fixed an issue where a DNS Security inspection identified a TCP DNS
request that had two requests in one segment as a malformed packet
and dropped the packet.

PAN-167259 Fixed an issue where, after manually uploading WildFire images, the
dropdown did not display any available files to choose from.

PAN-166368 Fixed an issue on Panorama where long FQDN queries did not resolve
due to the character limit being 64 characters.

PAN-165147 Fixed an issue where, when there was a high volume of traffic for
sessions with Application Block Pages enabled, other regular packets
were dropped.

PAN-164871 (VM-Series firewalls only) Fixed an intermittent issue where
deactivating the firewall via XML API using manual mode failed. This
occurred because the size of the license token file was incorrect.

PAN-164631 Fixed an issue where the stats dump report was empty.

PAN-163831 Fixed an issue where IPv6 addresses were displayed instead of IPv4 in
custom reports.

PAN-163245 Fixed an issue where a commit-all or push to the firewall from
Panorama failed with the following error message: client routed
requesting last config in the middle of a commit/validate.
Aborting current commit/validate.

PAN-162047 (Firewalls in HA active/passive configurations only) Fixed a routing
table mis-sync issue where routes were missing on the passive firewall
when GRE tunnels with keepalives were configured.

PAN-161297 Fixed an interoperability issue with other vendors when IKEv2 used
SHA2-based certificate authentication.

PAN-161111 Fixed an issue where TLS 1.3 Forward Proxy Decryption failed with
a malloc failure error. This issue was caused by the server certificate
being very large.

PAN-161031 Fixed an issue where authentication via LDAP server failed in
FIPS-CC mode when the LDAP server profile was configured with the root
certificate chain and Verify server certificate for SSL sessions options
enabled.

PAN-159835 Fixed an issue where, after an upgrade, the following error message
was displayed: Not enough space to load content to SHM.

PAN-158639 Fixed an issue on Panorama where logs that were forwarded to
a collector group did not appear, and the log collector displayed
the following error message: es.init-status not ready in
logjobq.

PAN-158541 Fixed an OOM condition on the dataplane on FIPS-mode firewall
decryption that used DHE ciphers.

PAN-158369 Fixed an issue where applications did not work via the Clientless VPN
when they were configured on a vlan interface.

PAN-156289 Fixed an issue where the default severities for Content Update errors
were inaccurate.

PAN-151692 Fixed a permission issue where a Panorama administrator was
unable to download or install dynamic updates (Panorama > Device
Deployment).

PAN-151302 (PA-7000 Series firewalls with LFCs only) Fixed an issue where the
logging rate for the LFC was not displayed in Panorama > Managed
Devices > Health.

PAN-146734 Fixed an issue where, when a Panorama-pushed configuration was
referenced in a local configuration, commits failed after updating
the master key on the firewall, which resulted in the following error
message: Invalid candidate configuration. Master key
change aborted....

PAN-145833 (PA-3200 Series firewalls only) Fixed an issue where the firewall
stopped recording dataplane diagnostic data in dp-monitor.log after a
few hours of uptime.

PAN-141454 Fixed an issue where the output of the CLI command show running
resource-monitor ingress-backlogs displayed an incorrect
total utilization value.

PAN-OS 10.1.4 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.4.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.4 Known Issues
> PAN-OS 10.1.4-h4 Addressed Issues
> PAN-OS 10.1.4-h2 Addressed Issues
> PAN-OS 10.1.4 Addressed Issues


PAN-OS 10.1.4 Known Issues


The following list includes only outstanding known issues specific to PAN-OS 10.1.4. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-181116 After upgrading to PAN-OS 10.1, some GlobalProtect tunnels
fall back to SSL instead of IPSec due to the inadvertent
encapsulation of the ICMP keepalive response from the
firewall.
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—
admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
• Configuration settings for each inline ML model—
admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.1.2
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and Active-
Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-173509 Superuser administrators with read-only privileges (Device >
Administrators and Panorama > Administrators) are unable
to view the hardware ACL blocking setting and duration in the
CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this).

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays VM-
FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM, a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from
PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails. Auto-
commit is not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       2  0  0  0  0  0  2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the VM-
Series firewall. When the firewall is back up, verify that multi-
channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf       1  1  0  0  0  0  2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to PAN-OS 9.1
with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-
WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display as
out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-
vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.


PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.


PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal <direction>
<dst> | <src> in <object-name> command on a managed firewall
only returns address and address group objects pushed from the
Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)


PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off-load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error; the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.


PAN-OS 10.1.4-h4 Addressed Issues


Issue ID Description

PAN-187438 (PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces
didn’t come up when using BiDi transceivers.

PAN-185750 Updated an issue to eliminate failed pan_comm software issues that
caused the dataplane to restart unexpectedly.

PAN-181116 Fixed an issue where, after upgrading to a PAN-OS 10.1 release,
GlobalProtect tunnels fell back to SSL instead of IPSec due to the
inadvertent encapsulation of the ICMP keepalive response from the
firewall.

PAN-OS 10.1.4-h2 Addressed Issues


Issue ID Description

PAN-184445 Fixed an issue where, after upgrading Panorama and enabling Share
Unused Address and Service Objects with Devices, address objects
using tags to dynamic address groups were removed after a full
commit.

PAN-178381 Fixed an issue on Panorama where logs didn't display under the
Monitor tab and the Elasticsearch process did not work after
upgrading to a PAN-OS 10.1 release.

PAN-OS Release Notes 10.1.9-h1 276 ©2023 Palo Alto Networks, Inc.
PAN-OS 10.1.4 Known and Addressed Issues

PAN-OS 10.1.4 Addressed Issues


Issue ID Description

PAN-183767 Fixed an issue where downloading Dynamic Updates files
failed when connected to the static update server at
us-static.updates.paloaltonetworks.com.

PAN-183274 (PA-400 Series firewalls only) Fixed a rare issue where abnormal
power downs occurred.

PAN-181309 Fixed an issue where Panorama was inaccessible due to the configd
process not responding.

PAN-180511 (PA-400 Series and PA-5400 Series firewalls only) Fixed an issue
where technical support file generation restarted the firewall.

PAN-180402 Fixed an issue where a null tunnel configuration pointer caused a
process (tund) to stop responding.

PAN-178953 Fixed an issue with the GlobalProtect Clientless VPN where, when
an application sent a negative max age value on a cookie, part of
the cookie was retained by PAN-OS and used for the subsequent
connection on the user session.

PAN-178190 Fixed an issue where the firewall incorrectly set the disk quota
cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0
release. With this fix, the log disk quota will be retained correctly after
upgrade.

PAN-178047 (CN-Series firewalls only) Fixed an issue where propagating IP address
tag mappings to the firewall took longer than expected, which resulted
in traffic not matching Security policy rules with Dynamic Address
Groups.

PAN-177119 Fixed an issue with the GlobalProtect gateway where
SMS-message-based multi-factor authentication (MFA) did not display a prompt to
enter the authentication code.

PAN-176983 (Panorama management server on PAN-OS 10.1.3 or a later release
only) Fixed an issue where adding a firewall on PAN-OS 10.1.3 or a
later release to Panorama management was only supported from the
firewall CLI.

PAN-176392 (PA-7000 Series firewall only) Fixed an issue where persistent
sessions did not properly age out when removing a Data Processing
Card (DPC).

PAN-176341 Fixed an issue where a delay to detect when an interface was down
after a cable pull caused traffic to be black-holed to the downed link
for 10 or more seconds.

PAN-176283 (PA-7000 Series firewalls with Data Processing Cards (DPCs) only)
Fixed an issue where packet loss occurred when quality of service was
enabled on an aggregate interface.

PAN-176118 Fixed an issue where firewalls configured with a mixed mode of
interfaces stopped processing Layer-3-tagged traffic.

PAN-176054 Fixed an intermittent issue where users did not have access to
resources due to a HIP check failure that was caused by the HIP data
not being synced between the management plane and the dataplane.

PAN-175923 Fixed an issue where a process (tund) stopped responding when
enabling IPSec tunnel monitoring.

PAN-174886 Fixed an issue where scheduled customer reports displayed as empty
when the configured destination was an address group.

PAN-174345 Fixed an issue where a process (all_pktproc) stopped responding after
upgrading the firewall.

PAN-174055 Fixed an issue where SNMP readings reported as 0 for dataplane
interface packet statistics for Amazon Web Services (AWS)
m5n.4xlarge instance types. This issue occurred because the physical
port counters read from MAC addresses were reported as 0.

PAN-173978 Fixed an issue where the Elasticsearch process continuously restarted
if zero-length files were present.

PAN-173973 (PA-7000 Series firewalls only) Fixed an issue where flaps occurred
when Link State Pass Through was enabled.

PAN-173216 Fixed an issue where the firewall incorrectly handled HTML pages
when accessed via the GlobalProtect Clientless VPN.

PAN-172464 Fixed an issue where unicast DHCP discover or request packets were
silently dropped.

PAN-172200 Fixed an issue where a process (configd) restarted due to memory
corruption in the show dynamic-address-group CLI command
during commits, commit and push operations, and high availability
Panorama syncs.

PAN-172179 (PA-7000b firewalls only) Fixed an issue where, when GTP-U tunnel
acceleration was enabled but Mobile Network Protection was not
enabled on the corresponding policy, GPRS tunneling protocol (GTP-U)
traffic was dropped.

PAN-171696 (PA-800 and PA-400 Series firewalls and PA-220 firewalls only) Fixed
an issue where the management plane CPU was incorrectly reported
to be high.

PAN-171380 Fixed an issue where loading configuration versions in Panorama
added unnecessary IDs to the configuration.

PAN-171174 Console debug output was enhanced to address issues that led to a
loss of SSH and web interface access.

PAN-171127 Fixed an issue on Panorama where custom reports (Monitor > Manage
Custom Reports) for Device Application Statistics and Device Traffic
Summary databases displayed null for the Application field.

PAN-171104 Fixed an issue where a race-condition check returned a false negative,
which caused a process (all_task) to stop responding and generate a
core file.

PAN-170997 Fixed an issue where FQDN service routes were not installed after a
system reboot.

PAN-169300 Debug logs were added to troubleshoot WildFire submission issues.

PAN-169173 Fixed an issue where, if you continuously performed partial commits
of a configuration with a high number of Dynamic Address Groups,
Panorama became unresponsive and commits were slower than
expected.

PAN-165235 Fixed an issue where the handover handling between LTE and 3G
on S5 and S8 to Gn/Gp was not working properly and led to stateful
inspection failures.

PAN-164450 Fixed an intermittent issue where the firewall dropped GTPv2 Create
Session Response packets with the cause Partially Accepted.

PAN-164335 Fixed an issue that caused false positives on GTPv2 vulnerability
signatures.

PAN-163692 Fixed an issue where the firewall did not create new GTP-C sessions
when a Create Session Request message was retransmitted and a
completely new Create Session Response message was returned.

PAN-163261 Fixed an intermittent issue where the firewall dropped GTPv2 Modify
Bearer Request packets with the following error message: Abnormal
GTPv2-C message with missing mandatory IE.

PAN-161496 Fixed an issue when calculating the incremental checksum after a
post-NAT translation where the arguments to pan_in_cksm32_diff
overflowed the 32-bit integer.

PAN-OS 10.1.3 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.3.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.3 Known Issues
> PAN-OS 10.1.3-h1 Addressed Issues
> PAN-OS 10.1.3 Addressed Issues

PAN-OS 10.1.3 Known Issues


The following list includes only outstanding known issues specific to PAN-OS 10.1.3. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-186283 Templates appear out-of-sync on Panorama after successfully
deploying the CFT stack using the Panorama plugin for AWS
3.0.2.
Workaround: Use Commit > Push to Devices to synchronize
the templates.

PAN-186282 Panorama deployed in active/passive high availability does
not display dynamic address group match criteria received
from AWS by the Panorama plugin for AWS 3.0.2.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-182048 Shared device groups on Panorama do not learn IP address
information received from AWS by the Panorama plugin for
AWS 3.0.2.
Workaround: When configuring a dynamic address group,
specify an individual device group instead of selecting Shared.

PAN-182010 On the Panorama management server, a managed firewall
running any PAN-OS 10.1 version cannot reconnect to
Panorama if the managed firewall was originally added
to Panorama management using the device registration
authentication key (Panorama > Device Registration Auth
Key) and has the device certificate (Device > Setup >
Management > Device Certificate) installed at the time of
reconnect.

PAN-181116 After upgrading to PAN-OS 10.1, some GlobalProtect tunnels
fall back to SSL instead of IPSec due to the inadvertent
encapsulation of the ICMP keepalive response from the
firewall.
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

PAN-177455 PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.1.2
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-176983 On the Panorama management server running PAN-OS
10.1.3 or later release, adding a firewall running PAN-OS
10.1.3 or later release to Panorama management is supported
only from the firewall CLI.
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.
Workaround: Add the device registration authentication key
from the firewall CLI.
1. Log in to the Panorama web interface.
2. Add a firewall to Panorama and configure the device
registration authentication key.
Do not add the device registration authentication key
created on Panorama when configuring the Panorama IP
settings on the firewall web interface.
3. Log in to the firewall CLI.
4. Add the device registration authentication key.

admin> request authkey set <auth key>

PAN-174982 In HA active/active configurations, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-173509 Superuser administrators with read-only privileges (Device >
Administrators and Panorama > Administrators) are unable
to view the hardware ACL blocking setting and duration in the
CLI using the commands:

admin> show system setting hardware-acl-blocking-enable

admin> show system setting hardware-acl-blocking-duration

This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-
map command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-171127 On the Panorama management server, custom reports
(Monitor > Manage Custom Reports) for the Device
Application Statistics and Device Traffic Summary databases
display null for the Application fields.
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results (opof stats -c), the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164618 The VM-Series firewall CLI and system logs display the license
name VM-SERIES-X, while the user interface displays
VM-FLEX-X (in both cases X is the number of vCPUs). In future
releases the user interface will use the VM-SERIES-X format.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from
PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails.
Auto-commit is not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
----------------------------------------
ready_dvf       2  0  0  0  0  0  2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the VM-
Series firewall. When the firewall is back up, verify that multi-
channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name    1  2  3  4  5  6  Total
----------------------------------------
ready_dvf       1  1  0  0  0  0  2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)


PAN-151198 On the Panorama management server, read-only Panorama
administrators (Panorama > Administrators) can load
managed firewall configuration Backups (Panorama >
Managed Devices > Summary).

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).


PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-
WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display as
out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.


PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-
vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an
SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.


PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-
name> command on a managed firewall only returns address
and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.


PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.


PAN-OS 10.1.3-h1 Addressed Issues


Issue ID Description

PAN-182010 Fixed an issue on Panorama where a managed firewall running a
PAN-OS 10.1 version did not reconnect to Panorama. This issue occurred
when a managed firewall was added to Panorama management using
the device registration authentication key and also had the device
certificate installed at the time of the reconnect.


PAN-OS 10.1.3 Addressed Issues


Issue ID Description

— Fixed a Denial-of-Service (DoS) vulnerability in the GlobalProtect
portal and gateway (CVE-2021-3063).

PAN-179112 Enhancements were added to improve system stability and
debuggability.

PAN-178190 Fixed an issue where the firewall incorrectly set the disk quota
cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0
release. With this fix, the log disk quota will be retained correctly after
upgrade.

PAN-177941 Fixed an issue where the bcm.log and
brdagent_stdout.log-<datestamp> files filled up the root disk space.

PAN-177892 Fixed a memory leak issue where panio failed to start, which resulted
in dp-monitor failing to capture the complete panio output.

PAN-177881 Fixed an issue where VLAN tags were not properly processed in Layer
2 switching mode between interfaces with different tags.

PAN-176862 (VM-Series firewalls only) Fixed an issue where the firewall didn't
attempt to connect to a log collector when the management IP address
used DHCP.

PAN-176661 Fixed an issue in Simple Certificate Enrollment Protocol (SCEP)
(CVE-2021-3060).

PAN-176655 and PAN-158334 A fix was made to address an OS command injection vulnerability in
the PAN-OS CLI that enabled an authenticated administrator with
access to the CLI to execute arbitrary OS commands to escalate
privileges (CVE-2021-3061).

PAN-176653 A fix was made to address an OS command injection vulnerability
in the PAN-OS web interface that enabled an authenticated
administrator with permissions to use XML API to execute arbitrary OS
commands to escalate privileges (CVE-2021-3058).

PAN-176618 A fix was made to address an OS command injection vulnerability
in PAN-OS that existed when performing dynamic updates
(CVE-2021-3059).


PAN-176433 Fixed an issue where the Zero Touch Provisioning (ZTP) plugin on
Panorama was unable to sync with the ZTP service and displayed the
following error message: Failed to fetch sync status.

PAN-176277 Fixed a timing issue that impacted tunnel renegotiation and


monitoring.

PAN-176026 Fixed an issue where connections from firewalls running
PAN-OS 10.1.0 to a Panorama appliance running PAN-OS 10.1.0 broke
unexpectedly.

PAN-175652 Fixed an issue where SSL decryption failed for websites when they
were accessed from Google Chrome version 92 or higher.

PAN-174843 Fixed an issue where a process (logd) stopped responding.

PAN-174671 Fixed an issue with incorrect measurement of packet buffer protection


latency.

PAN-174587 Fixed an issue where, in the case of multiple AWS Partner Network
(APN) connections, the GPRS Tunneling Protocol (GTPv2) Create
Session Requests were sent to the firewall within a short interval,
which caused the firewall to create the GTP-sessions incorrectly.

PAN-174448 Fixed an issue where ZTP configurations weren't removed after
disabling them, which resulted in predefined configurations being
loaded after a reboot.

PAN-174201 Fixed an issue where, when logs were in the burst list, the vldmgr
process stopped responding after upgrading to PAN-OS 10.1.0.

PAN-174200 Fixed an issue where a role-based admin user was unable to edit, add,
or view interfaces if dashboard permissions were disabled.

PAN-173828 (PA-7000 Series firewalls with 20GQ Network Processing Cards
(NPCs) only) Fixed an issue on high availability active/passive
configurations where data ports on the passive firewall sent out
packets, which caused a MAC flap on upstream firewalls.

PAN-173157 Fixed an issue with the HA1 monitor hold timer where the configured
value was not assigned to the HA1 backup interface, which used
the default hold timer (3000 milliseconds), which resulted in failover
events taking longer than expected.


PAN-173076 (Panorama appliances in FIPS mode only) Fixed an issue where the
FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options
from the Clientless VPN.

PAN-172580 Fixed an intermittent issue where commits failed after a commit


validation and were modified for custom URL category objects.

PAN-172208 (PA-5450 firewalls only) Fixed a rare issue where the firewall reloaded
while handling high stress SSL traffic when CPU utilization reached
100% or the packet broker capacity exceeded 40%.

PAN-172171 Fixed an issue where a Passive PA-5450 firewall in an Active/Passive


HA configuration using Auto mode would get stuck in maintenance
mode after receiving the slot7-path_monitor Path monitor
failure system failure.

PAN-172091 Fixed an issue where, when you configured a virtual system (vsys) as
a User-ID hub, and a firewall that receives IP address-to-username
mapping from the hub had a Security policy that includes a QoS policy
rule, the firewall did not match the user to the QoS policy rule if the
traffic attempted to access a vsys that was not the hub.

PAN-170574 (Panorama appliances on Microsoft Azure and Amazon Web Services


(AWS) only) Fixed an issue where Panorama sent 127.0.0.1 as the
NAS-IP-Address in RADIUS messages.

PAN-170466 Fixed a memory reference issue related to the devsrvr process that
caused the process to stop responding.

PAN-169793 Fixed an issue where using cookies to authenticate MacOS users


didn't work due to the client agent not providing the phpsessionid
set from the sent GlobalProtect messages during the connection.
As a result, the firewall was unable to find and include the portal
authentication cookie in the response message.

PAN-169687 Fixed an issue where SNMP returned an improper status for an


unsupported interface type.

PAN-169105 Fixed an issue on the Panorama web interface where a Network File
System (NFS) storage partition displayed the incorrect storage size.

PAN-168261 Fixed a cosmetic issue where the WildFire submission log displayed
the sha256 of the original email link.

PAN-167849 Fixed an issue where URL-Filtering incorrectly identified the firewall


serial number in the certificate Common Name field as the IP address.


PAN-167266 Fixed an issue on multi-dataplane firewalls with high CPU use on


dataplane 0 that caused an internal loop of forward/host sessions on
the firewall.

PAN-166978 Fixed an issue where the URL-Filtering cloud connection failed with
the following error message: bind failed with errno 97.

PAN-166202 Fixed an issue with an extra character in HTTP Strict Transport


Security (HSTS) regression tests when accessing the GlobalProtect
gateway.

PAN-165433 Fixed an intermittent issue where Cortex Data Lake failed to reconnect
after a disconnect if a management IP address used for logging had an
IP address assignment type of DHCP.

PAN-163448 Fixed an issue when using ixgb drivers with SR-IOV and DPDK that
caused OSPF multicast traffic to be filtered by the physical function
driver.

PAN-162936 Fixed an issue where the all_pktproc process stopped responding on


GTP-U session traffic when attempting to send out packets held in
software buffers.

PAN-162374 Fixed an issue where the firewall rebooted unexpectedly and displayed
the following message: Reboot SYSTEM REBOOT Masterd
Initiated.

PAN-161940 Fixed an issue where the firewall did not honor the peer RX interval
timeout in a Bidirectional Forwarding Detection (BFD) INIT state.

PAN-157962 Fixed an issue where IPv6 prefixes were advertised via IPv4 BGP
peering when MP-BGP was not enabled.

PAN-OS 10.1.2 Known and Addressed
Issues
Review a list of known and addressed issues for PAN-OS 10.1.2.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.2 Known Issues


> PAN-OS 10.1.2 Addressed Issues


PAN-OS 10.1.2 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.2. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake


(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and


CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated


Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall


if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.


APPORTAL-3313 Changes to an IoT Security subscription license take up to 24


hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a


firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template


stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on


the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-197341 On the Panorama management server, if you create multiple


device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.

2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does


not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template


Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-181116 After upgrading to PAN-OS 10.1, some GlobalProtect tunnels
fall back to SSL instead of IPSec due to the inadvertent
encapsulation of the ICMP keepalive response from the
firewall.
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model—

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-178190 Traffic, threat, and URL logs are not viewable from the
firewall web interface (Monitor > Logs) and CLI after upgrade
to PAN-OS 10.1.2.

PAN-177455 PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls
with HA (High Availability) clustering enabled and using an
HA4 communication link. Attempting to load PAN-OS 10.1.2
on the firewall causes the PA-7000 100G NPC to go offline.
As a result, the firewall fails to boot normally and enters
maintenance mode. HA Pairs of Active-Passive and
Active-Active firewalls are not affected.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-175149 (PA-800 and PA-7000 Series firewalls and the PA-220


firewall only) Fixed an issue where ACC and scheduled
reports (Monitor > Manage > Manage Custom Reports)
incorrectly displayed the IPv6 address instead of the IPv4
address.

PAN-174982 In HA active/active configurations where, when interfaces


that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-174201 The vldmgr process stops responding after upgrading to
PAN-OS 10.1.0 if logs are in the burst list.
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.

PAN-173509 Superuser administrators with read-only privileges (Device >
Administrators and Panorama > Administrators) are unable
to view the hardware ACL blocking setting and duration in the
CLI using the commands:

admin> show system setting hardware-acl-blocking-enable

admin> show system setting hardware-acl-blocking-duration

This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172091 If you have configured a virtual system as a User-ID hub and


a firewall that receives IP address-to-username mapping from
the hub has a security policy that includes a QoS policy rule,
the firewall does not match the user to the QoS policy rule if
the traffic attempts to access a virtual system that is not the
hub.

PAN-172208 The PA-5450 firewall may reload in rare conditions while
handling high stress SSL traffic when CPU utilization reaches
100% or packet broker capacity exceeds 40%.
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.

PAN-172171 In an HA Active/Passive configuration using Auto mode,
a Passive PA-5450 firewall under traffic stress can get
stuck in maintenance mode after receiving the
slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of
Auto mode.
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).


PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on


the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter


for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171839 The Enable Bonjour Reflector option under Network >


Interfaces > Layer 3 Interface > IPv4 is not supported on the
PA-5450 firewall.

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple


virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.


PAN-171673 On the Panorama management server, the ACC returns


inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report


(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-171127 On the Panorama management server, custom reports
(Monitor > Manage Custom Reports) for the Device
Application Statistics and Device Traffic Summary databases
display null for the Application fields.
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card


(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.


PAN-169906 The CN-Series Firewall as a Kubernetes Service does not


support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a


management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable


to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a


proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-164922 On the Panorama management server, a context switch to a


managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on


Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license


(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on


demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from
PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails.
Auto-commit is not affected.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud


Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS


version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and


outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone


field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss


Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.

Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name  1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf     2  0  0  0  0  0  2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the
VM-Series firewall. When the firewall is back up, verify that
multi-channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name  1  2  3  4  5  6  Total
---------------------------------------------
ready_dvf     1  1  0  0  0  0  2

PAN-156598 (Panorama only) If you configure a standard custom


vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.

This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.

Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-
WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display
as out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and displays the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an
SD-WAN branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.

• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-
name> command on a managed firewall only returns address
and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal
<direction> query equal 'vsys eq <vsys-name>'
<dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.

Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.

Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.


PAN-OS 10.1.2 Addressed Issues


Issue ID Description

PAN-175685 (PA-7000 Series and PA-5450 firewalls only) Fixed an issue where
PAN-OS displayed the incorrect chassis serial number when an MPC
(Management Processor Card) or SMC (Switch Management Card) was
moved from one chassis to another.

PAN-174448 Fixed an issue where Zero-Touch Provisioning (ZTP) configuration
wasn't removed after disabling it, which resulted in predefined
configurations being loaded after a reboot.

PAN-174326 A fix was made to address an OS command injection vulnerability
in the PAN-OS web interface that enabled an authenticated
administrator to execute arbitrary OS commands to escalate privileges
(CVE-2021-3050).

PAN-174254 (VM-Series firewalls deployed in Amazon Web Services (AWS) only)
Fixed an issue where Gateway Load Balancer (GWLB) inspection
incorrectly displayed as false after a reboot.

PAN-174244 Fixed an issue where a sudden increase in URL data approached the
maximum cache capacity of the firewall.

PAN-174049 Fixed an issue where a process (authd) used old Thermite certificate
post renewals, which caused authentication failures when using the
Cloud Authentication service.

PAN-173903 Fixed an issue where clicking a hyperlink on a web page caused the
web browser to download a file instead.

PAN-172518 Fixed an issue where a race condition occurred and caused a process
(useridd) to restart.

PAN-172515 Fixed an issue where, when downgrading from PAN-OS 10.1 to
an earlier version, with Cloud Authentication Service configured
in an Authentication profile, the firewall did not remove the Cloud
Authentication Service from the Authentication profile and displayed
the authentication method as None, and subsequent commits failed.

PAN-172490 Fixed an issue on firewalls in HA configuration where HA-2 links
continuously flapped on HSCI interfaces after upgrading to PAN-OS
8.1.19.

PAN-172454 Fixed an issue where, when the firewall communicated with the Cloud
Identity Engine before the device certificate was installed on the
firewall or Panorama, subsequent queries to the Cloud Identity Engine
failed.

PAN-172295 Fixed an issue where a HIP database cache loop caused high CPU
utilization on a process (useridd) and caused IP address-to-user
mapping redistribution failure.

PAN-172276 (PA-400 Series firewalls only) Fixed an intermittent issue where
changing the port speed from auto-negotiate to 1G caused the
dataplane port to flap, which resulted in lost traffic.

PAN-172125 Fixed an intermittent issue where processing HIP messages in the
(useridd) process caused a memory leak.

PAN-171878 Fixed an issue with SD-WAN path selection logic that caused an
all_pktproc dataplane to stop responding.

PAN-171744 Fixed an issue where no data was displayed for the Forward
Error Correction (FEC) plot for SD-WAN application performance
(Panorama > SD-WAN > Monitoring).

PAN-171442 Fixed an issue on Amazon Web Services (AWS) Gateway Load
Balancer (GWLB) deployments with overlay routing and cross-zone
load balancing enabled where packets were forwarded to the incorrect
GWLB interface.

PAN-171203 Fixed an issue in an HA configuration where, when one firewall was
active and its peer was in a suspended state, the suspended firewall
continued to send traffic, which triggered the detection of duplicate
MAC addresses.

PAN-170681 Fixed an issue where the data redistribution agent and the data
redistribution client failed to connect due to the agent not sending an
SSL Server hello response.

PAN-170103 Fixed an issue where a process (ikemgr) stopped responding while
making configuration changes. This issue occurred if Site-to-Site IPSec
was using certification-based authentication.

PAN-169566 Fixed an issue where configuration files were not exported using the
scheduled Secure Copy (SCP).

PAN-168903 Fixed an issue where deleting licenses on the firewall incorrectly
set the GlobalProtect gateway license node to false. The firewall
displayed the following error message during a GlobalProtect
application connection: Could not connect to the gateway.
The device or feature requires a GlobalProtect
subscription license, even though the gateway firewall had a
valid gateway license.

PAN-168718 Fixed an issue where, when a client or server received partial
application data, the record was partially processed by legacy code.
This caused decryption to fail when a decryption profile protocol was
set to a maximum of TLSv1.3.

PAN-167115 Fixed an issue where, after upgrading to 10.0.3, admin sessions on
Panorama were not logged out after the idle timeout expired.

PAN-167099 Fixed a configuration management issue that resulted in a process
(ikemgr) failing to recognize changes in subsequent commits.

PAN-109759 Fixed an issue where the firewall did not generate a notification for
the GlobalProtect client when the firewall denied unencrypted TLS
sessions due to an authentication policy match.

PAN-165225 Fixed an issue where hwpredict was enabled by default.

PAN-161745 Fixed an issue where the time-to-live (TTL) value received from the
DNS server reset to 0 on DNS secure TCP transactions when anti-
spyware profiles were used, which caused DNS dynamic updates to
fail.

PAN-158958 Fixed an issue where the debug sslmgr view crl command failed
when an ampersand (&) character was included in the URL for the
certificate revocation list (CRL).

PAN-157518 Fixed an issue where using tags to target a device group in a Security
policy rule did not work, and the rule was displayed in all device groups
(Preview Rules).

PAN-157027 Fixed an issue where, when stateless GTP-U traffic hit a multi-
dataplane firewall, an inter-dataplane fragmentation loop occurred,
which caused high dataplane resource usage.

PAN-154905 (Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue
with Security policy rule configuration where, in the Source and
Destination tabs, the Query Traffic setting was not available for
Address Groups.

PAN-138727 A fix was made to address a time-of-check to time-of-use (TOCTOU)
race condition in the PAN-OS web interface that enabled an
authenticated administrator with permission to upload plugins to
execute arbitrary code with root user privileges (CVE-2021-3054).


PAN-136961 Fixed an issue where during QoS config generation the Aggregate
Ethernet (AE) subnets were incorrectly calculated cumulatively across
all AEs instead of calculating just the total subnets of an AE.

PAN-OS 10.1.1 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.1.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.1 Known Issues


> PAN-OS 10.1.1 Addressed Issues


PAN-OS 10.1.1 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.1. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.


APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).

PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
Javascript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the
PAN-OS Administrator’s Guide.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-181116 After upgrading to PAN-OS 10.1, some GlobalProtect tunnels
fall back to SSL instead of IPSec due to the inadvertent
encapsulation of the ICMP keepalive response from the
firewall.

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites—
admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
• Configuration settings for each inline ML model—
admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-178190 Traffic, threat, and URL logs are not viewable from the
firewall web interface (Monitor > Logs) and CLI after upgrade
to PAN-OS 10.1.1.

PAN-175685 (PA-7000 Series and PA-5450 firewall only) When the MPC
(Management Processor Card) or SMC (Switch Management
Card) is removed from one chassis and placed in another,
PAN-OS will incorrectly cache and display the chassis serial
number of the former chassis.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-175149 (PA-800 and PA-7000 Series firewalls and the PA-220
firewall only) Fixed an issue where ACC and scheduled
reports (Monitor > Manage > Manage Custom Reports)
incorrectly displayed the IPv6 address instead of the IPv4
address.

PAN-174982 In HA active/active configurations where, when interfaces
that were associated with a virtual router were deleted, the
configuration change did not sync.

PAN-174254 Gateway Load Balancer (GWLB) inspection is disabled on the
VM-Series firewall for AWS after a reboot.
Workaround: Enable GWLB inspection.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-173509 Superuser administrators with read-only privileges (Device >
Administrators and Panorama > Administrators) are unable
to view the hardware ACL blocking setting and duration in the
CLI using the commands:
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues.


PAN-172515 If you downgrade from PAN-OS 10.1 to an earlier version
and you have configured the Cloud Authentication Service
in an Authentication profile, the firewall does not remove
the Cloud Authentication Service from the Authentication
profile, displays the authentication method as None, and any
subsequent commits are not successful.
Workaround: Delete the Authentication profile that is
configured for the Cloud Authentication Service then commit
your changes.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-172492 You can create and commit a log forwarding profile (Objects
> Log Forwarding) with an invalid Filter.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-172454 If the firewall communicates with the Cloud Identity Engine
before you install the device certificate on the firewall or
Panorama, all subsequent queries to the Cloud Identity
Engine fail.
Workaround: Use the debug software restart
process dscd to restart the connection to the Cloud
Identity Engine.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-172276 Changing the port speed on a PA-400 Series firewall from
auto-negotiate to 1G may cause the dataplane port to flap
intermittently and result in a loss of traffic.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.


PAN-172091 If you have configured a virtual system as a User-ID hub and
a firewall that receives IP address-to-username mapping from
the hub has a security policy that includes a QoS policy rule,
the firewall does not match the user to the QoS policy rule if
the traffic attempts to access a virtual system that is not the
hub.

PAN-172208 The PA-5450 firewall may reload in rare conditions while
handling high stress SSL traffic when CPU utilization reaches
100% or packet broker capacity exceeds 40%.
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues.

PAN-172171 In an HA Active/Passive configuration using Auto mode,
a Passive PA-5450 firewall under traffic stress can get
stuck in maintenance mode after receiving the
slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of
Auto mode.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (all_pktproc) can cause intermittent crashes on
the Passive PA-5450 firewall in an Active/Passive HA pair.
This issue may be seen during an upgrade or reload of the
firewall with traffic and when clearing sessions.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).


PAN-171839 The Enable Bonjour Reflector option under Network >
Interfaces > Layer 3 Interface > IPv4 is not supported on the
PA-5450 firewall.

PAN-171744 No data is displayed for the Forward Error Correction (FEC)
plot for SD-WAN application performance (Panorama >
SD-WAN > Monitoring).
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.

PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-171127 On the Panorama management server, custom reports
(Monitor > Manage Custom Reports) for the Device
Application Statistics and Device Traffic Summary databases
display null for the Application fields.
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.


PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.

PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-165225 There is an issue where hwpredict is enabled by default,
and you have to disable it via the CLI.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Platform (GCP) is inaccessible when deploying using
the PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from
PAN-OS 10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails.
Auto-commit is not affected.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.


PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS
version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and
outer VXLAN flows. If you want to inspect inner
flows, you must define a tunnel content inspection
(TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone
field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss
Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.
1. Downgrade your managed firewall to PAN-OS 9.1
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name    1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf       2    0    0    0    0    0    2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the
VM-Series firewall. When the firewall is back up, verify that
multi-channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name    1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf       1    1    0    0    0    0    2

PAN-156598 (Panorama only) If you configure a standard custom
vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from
a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.
Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to
PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF
reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done despite reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16
interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able
to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,
when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.
This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile
or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama
management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security
service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an
error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user
groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from
PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring
definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or
modifying the upstream NAT configuration (Panorama > SD-WAN > Devices)
does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display as
out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama
management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or
modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).

PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.
The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade
Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process
misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls
display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the
App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for
duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures
hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL
Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic
address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display
the same name for all such instances.

PAN-109759 The firewall does not generate a notification for the
GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal <direction>
<dst> | <src> in <object-name> command on a managed firewall only
returns address and address group objects pushed from the Shared
device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with
the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development
Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator
accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup
> Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints failed to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200
Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session off load no CLI command.

PAN-75457 In WildFire appliance clusters that have three or more nodes,
the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster
into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-node
cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use
a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-OS 10.1.1 Addressed Issues


Issue ID Description

WF500-5568 Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18
or a later version failed to connect with a WildFire appliance in normal
mode.

WF500-5559 Fixed an issue where an intermittent error while analyzing signed PE
samples on the WildFire appliance might have caused analysis failures.

PAN-174094 Fixed an issue where SaaS Policy Recommendation didn’t work on
firewalls because the SaaS Security Inline policy recommendation
license check failed.

PAN-172419 Fixed an issue where hot-swapping or hot-plugging a transceiver in the
HSCI-A or HSCI-B port on the PA-5450 firewall caused the firewall to
reboot unexpectedly.

PAN-172386 (Passive PA-5450 firewalls in an HA active/passive configuration only)
Fixed an issue where, when the ports do not link up initially due to
local or remote faults, the firewall continued to process traffic even
when its port(s) were in a Disabled state.

PAN-172063 Fixed an issue where the outbound/inbound interface was not
populated for session logs that were forwarded to Panorama.

PAN-171898 (PA-5450 firewalls only) Fixed an issue where firewalls did not get full
10G throughput when traffic was sent from 100G or 40G interfaces to
10G interfaces.

PAN-171750 (PA-5450 firewalls only) Fixed an issue where the HSCI interface didn’t
recognize a hot-swapped 40G or 100G transceiver.

PAN-171703 Fixed an issue where GlobalProtect Activity did not display when a
device group was selected.

PAN-171290 Fixed an issue where Panorama deployed in Google Cloud Platform
(GCP) failed to renew the management server DHCP IP.

PAN-170936 Fixed an issue where the firewall egressed offloaded frames out of
order after an explicit commit (Commit on the firewall or Commit All
Changes on Panorama) or an implicit commit such as an Antivirus
update, Dynamic Update, or WildFire update.
Note: This issue persists for a network-related configuration and
commit.

PAN-OS Release Notes 10.1.9-h1 373 ©2023 Palo Alto Networks, Inc.
PAN-OS 10.1.1 Known and Addressed Issues

Issue ID Description

PAN-170825 Fixed an issue where, when a partial Preview Change job failed, a
process (configd) stopped responding.

PAN-170740 Fixed an issue with the google-docs-uploading application that
occurred if a Security policy rule was applied to a Security profile and
traffic was decrypted.

PAN-170610 Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly
dropped by a Security policy that included a deny rule.

PAN-170473 Fixed an issue where SSL traffic wasn’t decrypted on inbound
inspection when the private key used a hardware security module
(HSM).

PAN-170314 Fixed an issue where PAN-DB URL cloud updates failed because a
process (devsrvr) did not fetch serial numbers, which prevented the
PAN-DB URL cloud from connecting after first deployment.

PAN-170174 Fixed an issue where a CN-NGFW pod repeatedly restarted due to
eth0 being unavailable when kubelet ran network checks on eth0.
The following error displayed in the dataplane node journalctl
logs: failed to read pod IP from plugin/docker:
networkPlugin cni failed on the status hook for pod
"pan-ngfw-dep-<>_kube-system": unexpected address
output.

PAN-169064 Fixed an issue where the management CPU remained at 100% due to
a large number of configured User-ID agents.

PAN-168646 Fixed an issue where Elasticsearch didn't start up in a new Log
Collector deployment or downgrade because the Log Collector could
not register the service.

PAN-168920 (PA-5450 firewalls only) Fixed an issue where QoS didn’t honor the
guaranteed bandwidth for classes set to a Priority of real-time.

PAN-168418 Fixed an issue where, when an MLAV URL with an exception list was
configured and forward proxy was enabled, a process (all_pktproc)
repeatedly restarted, which resulted in the firewall rebooting.

PAN-167989 Fixed a timing issue between downloading and installing threads that
occurred when Panorama pushed content updates and the firewall
fetched content updates simultaneously.

PAN-166398 (PA-5450 firewalls only) Fixed an issue where, when you configured
path or latency monitoring on the Health Monitor tab in the packet
broker profile (Objects > Packet Broker), the path health monitor was
disabled due to a configuration synchronization issue after a reboot.

PAN-165025 Fixed an issue where, when default interzone and intrazone Security
policy rules were overwritten, the rules did not display hit counts.

PAN-164707 (PA-7000 Series firewalls only) Fixed an issue where logs were not
viewable via the web interface in the Monitor tab or via the CLI.

PAN-164392 Fixed an issue where an out-of-memory (OOM) condition occurred
due to a memory leak related to a process (logrcvr).

PAN-163800 Fixed an intermittent issue where the presence of an Anti-Spyware
profile in a Security policy rule that matched DNS traffic caused DNS
responses to be malformed in transit.

PAN-162442 Fixed an issue in HA active/active configurations where deleting


an interface not associated with a virtual router did not sync the
configuration change.

PAN-158932 Fixed an issue where an increase was observed on spyware_state,


which caused latency.

PAN-158649 Fixed an issue where commits to the Prisma Access Remote networks
from Panorama were failing when the management server on the
cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd
write failed (TIMEOUT)

PAN-157715 Fixed an intermittent issue where SMB file transfer operations failed
due to packet drops that were caused by the Content and Threat
Detection (CTD) queue filling up quickly. This fix introduces a new CLI
command which, when enabled, prevents these failures: set system
setting ctd nonblocking-pattern-match-qsizecheck
[enable|disable].

PAN-156388 Fixed an issue where a process (useridd) stopped responding while
attempting to remove all HIP reports on the disk.

PAN-154053 Fixed an issue where, when two or more PA-5450 fan assemblies
failed, the firewall shut down without providing a console or CLI error
message about the fan failure.

PAN-OS 10.1.0 Known and Addressed Issues
Review a list of known and addressed issues for PAN-OS 10.1.0.
For contacting support, for information on support programs, to manage your account
or devices, or to open a support case, go to https://support.paloaltonetworks.com.

> PAN-OS 10.1.0 Known Issues
> PAN-OS 10.1.0 Addressed Issues


PAN-OS 10.1.0 Known Issues


The following list includes only outstanding known issues specific to PAN-OS® 10.1.0. This list
includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID.

Issue ID Description

— If you use Panorama to retrieve logs from Cortex Data Lake
(CDL), new log fields (including for Device-ID, Decryption, and
GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to
CDL and Panorama. This workaround does not support
Panorama virtual appliances in Management Only mode.

— Upgrading a PA-220 firewall takes up to an hour or more.

— PA-220 firewalls are experiencing slower web interface and
CLI performance times.

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.


APPORTAL-3313 Changes to an IoT Security subscription license take up to 24
hours to have effect on the IoT Security app.

APPORTAL-3309 An IoT Security production license cannot be installed on a
firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license
expires and then install the production license.

APL-15000 When you move a firewall from one Cortex Data Lake
instance to another, it can take up to an hour for the firewall
to begin sending logs to the new instance.

APL-8269 For data retrieved from Cortex Data Lake, the Threat Name
column in Panorama > ACC > threat-activity appears blank.

PLUG-380 When you rename a device group, template, or template
stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager.
Therefore, any ESXi hosts that you add to a vSphere cluster
are not added to the correct device group, template, or
template stack and your Security policy is not pushed to
VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

WF500-5559 An intermittent error while analyzing signed PE samples on
the WildFire appliance might cause analysis failures.

WF500-5471 After using the firewall CLI to add a WildFire appliance with
an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web
server with the following command: debug software
restart process web-server.

PAN-206909 The Dedicated Log Collector is unable to reconnect to the
Panorama management server if the configd process
crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector
connection Status (Panorama > Managed Collector)
displaying connected and the managed collector Health
status displaying as healthy.
This results in the local Panorama config and system logs not
being forwarded to the Dedicated Log Collector. Firewall log
forwarding to the disconnected Dedicated Log Collector is
not impacted.
Workaround: Restart the mgmtsrvr process on the
Dedicated Log Collector.
1. Log in to the Dedicated Log Collector CLI.
2. Confirm the Dedicated Log Collector is disconnected from
Panorama.

admin> show panorama-status

Verify the Connected status is no.

3. Restart the mgmtsrvr process.

admin> debug software restart process management-server

PAN-197341 On the Panorama management server, if you create multiple
device group Objects with the same name in the Shared
device group and any additional device groups (Panorama >
Device Groups) under the same device group hierarchy that
are used in one or more Policies, renaming the object with a
shared name in any device group causes the object name to
change in the policies where it is used. This issue applies only
to device group objects that can be referenced in a Security
policy rule.
For example:
1. You create a parent device group DG-A and a child device
group DG-B.
2. You create address objects called AddressObjA in
the Shared, DG-A and DG-B device groups and add
AddressObjA to a Security policy rule under DG-A and
DG-B.
3. Later, you change the AddressObjA name in the Shared
device group to AddressObjB.
Changing the name of the address object in the Shared
device group causes the references in the Policy rule to use
the renamed Shared object instead of the device group
object.

PAN-196758 On the Panorama management server, pushing a
configuration change to firewalls leveraging SD-WAN
erroneously shows the auto-provisioned BGP configurations
for SD-WAN as being edited or deleted despite no edits or
deletions being made when you Preview Changes (Commit >
Push to Devices > Edit Selections or Commit > Commit and
Push > Edit Selections).


PAN-194519 (PA-5450 firewall only) Trying to configure a custom payload
format under Device > Server Profiles > HTTP yields a
JavaScript error.
This issue is now resolved. See PAN-OS 10.1.9 Addressed
Issues.

PAN-194515 (PA-5450 firewall only) The Panorama web interface does
not display any predefined template stack variables in the
dropdown menu under Device > Setup > Log Interface > IP
Address.
Workaround: Configure the log interface IP address on the
individual firewall web interface instead of on Panorama.

PAN-193336 All logs (Monitor > Logs) generated by a firewall running a
PAN-OS 10.0 release are not accessible if you downgrade
from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back
to PAN-OS 10.1.

PAN-192403 (PA-5450 firewall only) There is no commit warning in the
web interface when configuring the management interface
and logging interface in the same subnetwork. Having both
interfaces in the same subnetwork can cause routing and
connectivity issues.
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed
Issues.

PAN-190727 (PA-5450 firewall only) Documentation for configuring the log
interface is unavailable on the web interface and in the PAN-OS
Administrator’s Guide.

PAN-187685 On the Panorama management server, the Template
Status displays no synchronization status (Panorama >
Managed Devices > Summary) after a bootstrapped firewall is
successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web interface and
select Commit > Push to Devices.

PAN-186913 On the Panorama management server, Validate Device Group
(Commit > Commit and Push) erroneously issues a CommitAll
operation instead of a ValidateAll operation when multiple
device groups are included in the push and results in no
configuration validation.

PAN-186262 The Panorama management server in Panorama or Log
Collector mode may become unresponsive as Elasticsearch
accumulates internal connections related to logging
processes. The chance that Panorama becomes unresponsive
increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.

PAN-185966 The debug skip-cert-renewal-check-syslog yes
command is not available on Log Collector CLI to stop the
Dedicated Log Collector from trying to renew the device
certificate and displaying the following error:
No valid device certificate found

PAN-180661 On the Panorama management server, pushing an
unsupported Minimum Password Complexity (Device > Setup
> Management) to a managed firewall erroneously displays
commit time out as the reason the commit failed.
This issue is now resolved. See PAN-OS 10.1.6 Addressed
Issues.

PAN-188052 Devices in FIPS-CC mode are unable to connect to servers
utilizing ECDSA-based host keys, which impacts exporting logs
(Device > Scheduled Log Export), exporting configurations
(Device > Scheduled Config Export), or the scp export
command in the CLI.
Workaround: Use RSA-based host keys on the destination
server.

PAN-178194 A UI issue in PAN-OS renders the contents of the Inline
ML tab in the URL Filtering Profile inaccessible on firewalls
licensed for Advanced URL Filtering. Additionally, a message
indicating that a License required for URL filtering to function
is unavailable displays at the bottom of the UI. These errors
do not affect the operation of Advanced URL Filtering or URL
Filtering Inline ML.
Workaround: Configuration settings for URL Filtering
Inline ML must be applied through the CLI. The following
configuration commands are available:
• Define URL exceptions for specific web sites:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception

• Configuration settings for each inline ML model:

admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled

This issue is now resolved. See PAN-OS 10.1.7 Addressed
Issues.


PAN-177363 Dedicated Log Collector system and config logs cannot be
ingested and are dropped when they are forwarded to a
Panorama management server in Management Only mode,
resulting in Dedicated Log Collector system and config logs
not being viewable on Panorama in Management Only mode.

PAN-175685 (PA-7000 Series and PA-5450 firewall only) When the MPC
(Management Processor Card) or SMC (Switch Management
Card) is removed from one chassis and placed in another,
PAN-OS will incorrectly cache and display the chassis serial
number of the former chassis.
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-175149 For the PA-220 firewall, and the PA-800 and PA-7000 Series
firewalls, the ACC and scheduled reports (Monitor > Manage
> Manage Custom Reports) erroneously display the IPv6
address instead of the IPv4 address.

PAN-174254 Gateway Load Balancer (GWLB) inspection is disabled on the
VM-Series firewall for AWS after a reboot.
Workaround: Enable GWLB inspection.
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-174094 SaaS Policy Recommendation does not work on firewalls
because the SaaS Security Inline policy recommendation
license check fails. When this occurs, the bottom ribbon
on Device > Policy Recommendation > SaaS displays the
message SaaS Security license is required for feature to
function in red text.
On Panorama, the SaaS Inline Security column in Panorama >
Device Deployment > Licenses shows that the SaaS Security
Inline license is not present on the managed firewall.
Workaround: If Panorama manages the firewall, use
Panorama to import SaaS policy recommendations and then
push them to the firewall.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.

PAN-174004 On the Panorama management server, local or Dedicated
Log Collector mode cannot successfully join an ElasticSearch
cluster when added to a Collector Group (Panorama >
Collector Groups) if the SSH key length for a Log Collector in
the cluster is greater than 2048 characters.

PAN-173509 Superuser administrators with read-only privileges (Device >
Administrators and Panorama > Administrators) are unable
to view the hardware ACL blocking setting and duration in the
CLI using the commands:

admin> show system setting hardware-acl-blocking-enable

admin> show system setting hardware-acl-blocking-duration

This issue is now resolved. See PAN-OS 10.1.5 Addressed
Issues.

PAN-172515 If you downgrade from PAN-OS 10.1 to an earlier version
and you have configured the Cloud Authentication Service
in an Authentication profile, the firewall does not remove
the Cloud Authentication Service from the Authentication
profile, displays the authentication method as None, and any
subsequent commits are not successful.
Workaround: Delete the Authentication profile that is
configured for the Cloud Authentication Service then commit
your changes.
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-172492 You can create and commit a log forwarding profile (Objects
> Log Forwarding) with an invalid Filter.
This issue is now resolved. See
PAN-OS 10.1.2 Addressed
Issues.

PAN-172454 If the firewall communicates with the Cloud Identity Engine
before you install the device certificate on the firewall or
Panorama, all subsequent queries to the Cloud Identity
Engine fail.
Workaround: Use the debug software restart
process dscd to restart the connection to the Cloud
Identity Engine.
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-172419 Hot-swapping or hot-plugging a transceiver in the HSCI-A or
HSCI-B port on the PA-5450 firewall may cause the device to
reboot unexpectedly.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.

PAN-172386 A Passive PA-5450 firewall in an Active/Passive HA pair will
continue to process traffic even if its port(s) are in a Disabled
state when the ports do not link up initially due to local or
remote faults.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.


PAN-172276 Changing the port speed on a PA-400 Series firewall from
auto-negotiate to 1G may cause the dataplane port to flap
intermittently and result in a loss of traffic.
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-172274 When you activate the advanced URL filtering license, your
license entitlements for PAN-DB and advanced URL filtering
might not display correctly on the firewall — this is a display
anomaly, not a licensing issue, and does not affect access to
the services.
Workaround: Issue the following command to retrieve and
update the licenses: license request fetch.

PAN-172113 If you request a User Activity Report on Panorama and the
vsys key value in the XML is an unsupported value, the
resulting job becomes unresponsive at 10% and does not
complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group,
commit your changes, and run the User Activity Report again.

PAN-172091 If you have configured a virtual system as a User-ID hub and
a firewall that receives IP address-to-username mapping from
the hub has a security policy that includes a QoS policy rule,
the firewall does not match the user to the QoS policy rule if
the traffic attempts to access a virtual system that is not the
hub.

PAN-172208 The PA-5450 firewall may reload in rare conditions while
handling high stress SSL traffic when CPU utilization reaches
100% or packet broker capacity exceeds 40%.
This issue is now resolved. See PAN-OS 10.1.3 Addressed
Issues.

PAN-172171 In an HA Active/Passive configuration using Auto mode,
a Passive PA-5450 firewall under traffic stress can get
stuck in maintenance mode after receiving the
slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of
Auto mode.

PAN-172132 QoS fails to run on a tunnel interface (for example, tunnel.1).

PAN-172067 When you configure an HTTP server profile (Device > Server
Profiles > HTTP or Panorama > Server Profiles > HTTP), the
Username and Password fields are always required regardless
of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile,
always enter a username and password to successfully create
the HTTP server profile.
You must enter a username and password even if the HTTP
server does not require it. The HTTP server ignores the
username and password if they are not required for the
firewall to connect.

PAN-172061 A process (allpktproc) can cause intermittent crashes on the
Passive PA-5450 firewall in an Active/Passive HA pair. This
issue may be seen during an upgrade or reload of the firewall
with traffic and when clearing sessions.

PAN-164707 For PA-7000 Series Legacy firewalls, you are unable to view
logs (Monitor) on the web interface or in the CLI (show log
<logtype>).
Workaround: Log in to the firewall CLI and restart the vldmgr
process.

admin> debug software restart process vldmgr

This issue is now resolved. See PAN-OS 10.1.1 Addressed
Issues.

PAN-171938 No results are displayed when you Show Application Filter
for a Security policy rule (Policies > Security > Application >
Value > Show Application Filter).

PAN-171898 PA-5450 firewalls may not get full 10G throughput when
traffic is sent from 100G/40G interfaces to 10G interfaces.
This issue has been resolved.
See PAN-OS 10.1.1
Addressed Issues.

PAN-171839 The Enable Bonjour Reflector option under Network >
Interfaces > Layer 3 Interface > IPv4 is not supported on the
PA-5450 firewall.

PAN-171750 The PA-5450 firewall's HSCI interface does not recognize a
hot-swapped 40G or 100G transceiver.
Workaround: Power down the firewall before removing and
installing a 40G or 100G transceiver. After the transceiver is
installed, power on the firewall.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.


PAN-171744 No data is displayed for the Forward Error Correction (FEC)
plot for SD-WAN application performance (Panorama >
SD-WAN > Monitoring).
This issue is now resolved. See PAN-OS 10.1.2 Addressed
Issues.

PAN-171723 If you use Panorama to push a configuration that uses
App-ID Cloud Engine (ACE) App-IDs and then you downgrade the
firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation
succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations
before downgrading.

PAN-171714 If you use the NetBIOS format (domain\user) for the IP
address-to-username mapping and the firewall receives the
group mapping information from the Cloud Identity Engine,
the firewall does not successfully match the user to the
correct group.
This issue is now resolved. See PAN-OS 10.1.7 Addressed
Issues.

PAN-171706 If you are using Panorama to manage firewalls with multiple
virtual systems and the virtual system that is the User-ID hub
uses an alias, the local commit on Panorama is successful but
the commit to the firewall fails.

PAN-171703 On the Panorama management server, the GlobalProtect
Activity widget (ACC > GlobalProtect Activity) and
GlobalProtect logs (Monitor > Logs > GlobalProtect) do not
display if a Device Group is selected.
Workaround: Select the All device group to view the
GlobalProtect Activity widget and GlobalProtect logs.

PAN-171673 On the Panorama management server, the ACC returns
inaccurate results when you filter for New App-ID in the
Application usage widget.

PAN-171635 If you have an on-premise Active Directory and there is an
existing group mapping configuration on the firewall, if you
migrate the group mapping to the Cloud Identity Engine, the
firewall does not remove the existing group mapping even
if the configuration is disabled and the firewall is rebooted,
which may conflict with new mappings from the Cloud
Identity Engine.
Workaround: Use the debug user-id clear domain-map
command to remove the existing group mappings from
the firewall.


PAN-171224 On the Panorama management server, a custom report
(Monitor > Managed Custom Reports) with a high volume
of unique data objects is not generated when you click Run
Now.

PAN-171145 If you edit or remove the value for the mail attribute in
your on-premise Active Directory, the changes may not be
immediately reflected on the firewall after it syncs with the
Cloud Identity Engine.

PAN-171127 On the Panorama management server, custom reports
(Monitor > Manage Custom Reports) for the Device
Application Statistics and Device Traffic Summary databases
display null for the Application fields.
This issue is now resolved. See PAN-OS 10.1.4 Addressed
Issues.

PAN-171069 Local Log Collectors for Panorama management servers in
active/passive high availability (HA) configuration cannot be
added to the same Collector Group (Panorama > Collector
Groups).
Workaround: Before you upgrade your Panorama servers to
PAN-OS 10.1.0, configure HA (Panorama > High Availability),
add the local Log Collectors of the HA peers to the same
Collector Group, and upgrade to PAN-OS 10.1.0.

PAN-170923 In Policies > Security > Policy Optimizer > New App Viewer,
when you select a Security policy rule in the bottom portion
of the screen, the application data in the application browser
(top portion of screen) does not match the Apps Seen on the
selected rule. In addition, filtering in the application browser
based on Apps Seen does not work.

PAN-170473 SSL traffic is not decrypted on inbound inspection when the
private key is using a hardware security module (HSM).
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.

PAN-170462 SaaS applications downloaded from the App-ID Cloud Engine
(ACE) do not appear in daily application reports (Monitor >
Reports > Application Reports) or in the Application column
of the Application Usage widget in ACC > Network Activity.
This issue is now resolved. See PAN-OS 10.1.6 Addressed
Issues.

PAN-170270 Using the CLI to power on a PA-5450 Networking Card
(NC) in an Active HA firewall can cause its Passive peer to
temporarily go down.


PAN-170174 A CN-NGFW pod might incorrectly restart multiple times
after bring up due to eth0 being unavailable when kubelet
runs network checks on eth0. The following error is seen
in the DP node journalctl logs: "failed to read pod IP from
plugin/docker: networkPlugin cni failed on the status hook for
pod "pan-ngfw-dep-<>_kube-system": unexpected address
output".
Workaround: Redeploy the CN-NGFW pod.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.

PAN-169906 The CN-Series Firewall as a Kubernetes Service does not
support AF_XDP when deployed in CentOS.

PAN-169433 On the Panorama management server, clicking Run Now for
a custom report (Monitor > Manage Custom Reports) with
32 or more filters in the Query Builder returns the result No
matching records.

PAN-168920 On a PA-5450 firewall, QoS does not honor the guaranteed
bandwidth for classes set to a Priority of real-time.
This issue has been resolved. See PAN-OS 10.1.1
Addressed Issues.

PAN-168636 Connecting to the App-ID Cloud Engine (ACE) cloud using a
management port with explicit proxy configured on it is not
supported. Instead, use a data plane interface for the service
route (Prepare to Deploy App-ID Cloud Engine describes how
to do this.)

PAN-168113 On the Panorama management server, you are unable
to configure a master key (Device > Master Key and
Diagnostics) for a managed firewall if an interface (Network
> Interfaces > Ethernet) references a zone pushed from
Panorama.
Workaround: Remove the referenced zone from the interface
configuration to successfully configure a master key.

PAN-167847 If you issue the command opof stats, then clear the
results {opof stats -c}, the Active Sessions value is sometimes
invalid. For example, you might see a negative number or an
excessively large number.
Workaround: Re-run the opof stats command after the
offload completes.


PAN-167401 When a firewall or Panorama appliance configured with a
proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails
to connect to edge service.

PAN-166464 PAN-OS reports the PA-5450 fan numbers incorrectly
by listing them in the opposite order. This does not affect
fan operation. For further information, contact Customer
Support.
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed
Issues.

PAN-166398 On PA-5450 Next-Generation firewalls, when you configure
path or latency monitoring on the Health Monitor tab in
the Packet Broker profile (Objects > Packet Broker), after a
firewall restart, the path health monitor may be disabled due
to a configuration synchronization issue, so the firewall may
not be aware of path failures.
Workaround: Change the health monitoring configuration and
commit the change to prevent this issue from occurring.
This issue is now resolved. See PAN-OS 10.1.1 Addressed
Issues.

PAN-165669 If you configure a group that the firewall retrieves from the
Cloud Identity Engine as the user in value in a filter query,
Panorama is unable to retrieve the group membership and
as a result, is unable to display this data in logs and custom
reports.

PAN-165225 There is an issue where hwpredict is enabled by default,
and you have to disable it via the CLI.

PAN-164922 On the Panorama management server, a context switch to a
managed firewall running a PAN-OS 8.1.0 to 8.1.19 release
fails.

PAN-164885 On the Panorama management server, pushes to managed
firewalls (Commit > Push to Devices or Commit and Push)
may fail when an EDL (Objects > External Dynamic Lists) is
configured to Check for updates every 5 minutes due to the
commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check
for updates every 5 minutes.

PAN-164841 A successful deployment of a Panorama virtual appliance on
Amazon Web Services (AWS), Microsoft Azure, or Google
Cloud Product (GCP) is inaccessible when deploying using the
PAN-OS 10.1.0-b6 release.

PAN-164647 On the Panorama management server, activating a license
(Panorama > Device Deployment > Licenses) on managed
firewalls in a high availability (HA) configuration causes the
Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from
a web browser other than Safari to successfully activate a
license on managed firewalls in an HA configuration.

PAN-164586 If you use a value other than mail for the user or group
email attribute in the Cloud Identity Engine, it displays in
user@domain format in the CLI output.

PAN-163966 On the Panorama management server, the ACC and on
demand reports (Monitor > Manage Custom Reports) are
unable to fetch Directory Sync group membership when
the Source User Group filter query is applied, resulting in no
data being displayed for the filter when Directory Sync is
configured as the Source User for a policy rule.

PAN-163676 Next-Gen Firewalls are unable to connect to a syslog server
when the certificates required to connect to the syslog
server are part of a Certificate Profile (Device > Certificate
Management > Certificate Profile) if the Use OCSP setting is
enabled to check the revocation status of certificates.
Workaround: Enable Use CRL to check the revocation status
of certificates in the Certificate Profile.

PAN-162836 On the VM-Series firewall, if you select Device > Licenses >
Deactivate VM, a popup window opens and you can choose
Subscriptions or Support and press Continue to remove
licenses and register the changes with the license server.
When the license removal is complete the Deactivate VM
window does not update its text to exclude deactivated
licenses or close the window.
Workaround: Wait until the license deactivation is complete,
and click Cancel to close the window.

PAN-162164 When upgrading a multi-dataplane firewall from PAN-OS
10.0 to 10.1, if the configuration includes the DHCP
Broadcast Session option enabled, the commit fails. Auto-commit
is not affected.
Workaround: Load the configuration from running config
(load config from running-config.xml) and perform a commit.
This issue is now resolved. See PAN-OS 10.1.6 Addressed
Issues.

PAN-162088 On the Panorama management server in a high availability
(HA) configuration, content updates (Panorama > Dynamic
Updates) manually uploaded to the active HA peer are not
synchronized to the passive HA peer when you Install a
content update and enable Sync to HA Peer.
This issue is now resolved. See PAN-OS 10.1.9 Addressed
Issues.

PAN-161666 The firewall includes any users configured in the Cloud
Identity Engine in the count of groups. As a result, some CLI
command output does not accurately display the number
of groups the firewall has retrieved from the Cloud Identity
Engine and counts users as groups in the No. of Groups
in the command output. If the attempt to retrieve the user or
group fails, the information for the user or group still displays
in the CLI command output.

PAN-161451 If you issue the command opof stats, there are occasional
zero packet and byte counts coming from the DPDK
counters. This occurs when a session is in the tcp-reuse state,
and has no impact on the existing session.

PAN-160238 If you migrate traffic from a firewall running a PAN-OS


version earlier than 9.0 to a firewall running PAN-OS 9.0 or
later, you experience intermittent VXLAN packet drops if TCI
policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for
VXLAN outer headers as described in What is an Application
Override? and the video tutorial How to Configure an
Application Override Policy on the Palo Alto Networks
Firewall.

PAN-OS version 9.0 can inspect both inner and outer VXLAN
flows. If you want to inspect inner flows, you must define a
tunnel content inspection (TCI) policy.

PAN-157444 As a result of a telemetry handling update, the Source Zone


field in the DNS analytics logs (viewable in the DNS Analytics
tab within AutoFocus) might not display correct results.

PAN-157327 On downgrade to PAN-OS 9.1, Enterprise Data Loss


Prevention (DLP) filtering settings (Device > Setup > DLP) are
not removed and cause commit errors for the downgraded
firewall if you do not uninstall the Enterprise DLP plugin
before downgrade.
Workaround: After you successfully downgrade a managed
firewall to PAN-OS 9.1, commit and push from Panorama to
remove the Enterprise DLP filtering settings and complete the
downgrade.

1. Downgrade your managed firewall to PAN-OS 9.1.
2. Log in to the firewall web interface and view the Tasks
to verify all auto commits related to the downgrade have
completed successfully.
3. Log in to the Panorama web interface and Commit >
Commit and Push to your managed firewall downgraded to
PAN-OS 9.1.

PAN-157103 Multi-channel functionality may not be properly utilized on
a VM-Series firewall deployed in VMware NSX-V after the
service is first deployed.
Workaround: Execute the command debug dataplane
pow status to view the number of channels being utilized
by the dataplane.

Per pan-task Netx statistics
Counter Name     1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf        2    0    0    0    0    0    2

If multi-channel functionality is not working, disable your
NSX-V security policy and reapply it. Then reboot the VM-
Series firewall. When the firewall is back up, verify that multi-
channel functionality is working by executing the command
debug dataplane pow status. It should now show
multiple channels being utilized.

Per pan-task Netx statistics
Counter Name     1    2    3    4    5    6    Total
---------------------------------------------
ready_dvf        1    1    0    0    0    0    2

PAN-156598 (Panorama only) If you configure a standard custom


vulnerability signature in a custom Vulnerability Protection
profile in a shared device group, the shared profile custom
signatures do not populate in the other device groups when
you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination
signature.

PAN-154292 On the Panorama management server, downgrading from


a PAN-OS 10.0 release to a PAN-OS 9.1 release causes
Panorama commit (Commit > Commit to Panorama) failures
if a custom report (Monitor > Manage Custom Reports) is
configured to Group By Session ID.

Workaround: After successful downgrade, reconfigure the
Group By setting in the custom report.

PAN-154053 If two or more PA-5450 fan assemblies fail, the firewall shuts
down without providing a console or CLI error message about
the fan failure.
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues.

PAN-154034 On the Panorama management server, the Type column in the
System logs (Monitor > Logs > System) for managed firewalls
running a PAN-OS 9.1 release erroneously displays iot as the
type.

PAN-154032 On the Panorama management server, downgrading to PAN-OS
9.1 with the Panorama plugin for Cisco TrustSec version
1.0.2 installed does not automatically transform the plugin to
be compatible with PAN-OS 9.1.
Workaround: After successful downgrade to PAN-OS 9.1,
Remove Config (Panorama > Plugins) of the Panorama plugin
for Cisco TrustSec and then reconfigure the plugin.

PAN-153803 On the Panorama management server, scheduled email PDF


reports (Monitor > PDF Reports) fail if a GIF image is used in
the header or footer.

PAN-153557 On the Panorama management server CLI, the overall report
status for a report query is marked as Done even though reports
generated from logs in the Cortex Data Lake (CDL) from the
PODamericas Collector Group jobs are still in a Running
state.

PAN-153068 The Bonjour Reflector option is supported on up to 16


interfaces. If you enable it on more than 16 interfaces, the
commit succeeds and the Bonjour Reflector option is enabled
only for the first 16 interfaces and ignored for any additional
interfaces.

PAN-151238 There is a known issue where M-100 appliances are able


to download and install a PAN-OS 10.0 release image even
though the M-100 appliance is no longer supported after
PAN-OS 9.1. (Refer to the hardware end-of-life dates.)

PAN-151085 On a PA-7000 Series firewall chassis having multiple slots,


when HA clustering is enabled on an active/active HA pair,
the session table count for one of the peers can show a higher
count than the actual number of active sessions on that peer.

This behavior can be seen when the session is being set up
on a non-cache slot (for example, when a session distribution
policy is set to round-robin or session-load); it is caused by
the additional cache lookup that happens when HA cluster
participation is enabled.

PAN-150801 Automatic quarantine of a device based on forwarding profile


or log setting does not work on the PA-7000 Series firewalls.

PAN-150515 After you install the device certificate on a new Panorama


management server, Panorama is not able to connect to the
IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT
Security edge service.

PAN-150345 During updates to the Device Dictionary, the IoT Security


service does not push new Device-ID attributes (such as new
device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes
in the content update to the firewall.

PAN-150361 In an Active-Passive high availability (HA) configuration, an


error displays if you create a device object on the passive
device.
Workaround: Load the running configuration and perform a
force commit to sync the devices.

PAN-148971 If you enter a search term for Events that are related to IoT
in the System logs and apply the filter, the page displays an
Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the
logs and use the search term as the Description Attribute. For
example: ( subtype eq iot ) and ( description
contains 'gRPC connection' ).

PAN-148924 In an active-passive HA configuration, tags for dynamic user


groups are not persistent after rebooting the firewall because
the active firewall does not sync the tags to the passive
firewall during failover.

PAN-146995 After downgrading a Panorama management server from


PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes
may crash when Panorama reboots.

Workaround: Panorama automatically restarts the VLD and
logd processes.

PAN-146807 Changing the device group configured in a monitoring


definition from a child DG to a parent DG, or vice versa,
might cause firewalls configured in the child DG to lose
IP tag mapping information received from the monitoring
definition. Only firewalls assigned to the parent DG receive IP
tag mapping updates.
Workaround: Perform a manual config sync on the device
group that lost the IP tag mapping information.

PAN-146485 On the Panorama management server, adding, deleting, or


modifying the upstream NAT configuration (Panorama > SD-
WAN > Devices) does not display the branch template stack
as out of sync.
Additionally, adding, deleting, or modifying the BGP
configuration (Panorama > SD-WAN > Devices) does not
display the hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch
firewall does not cause the hub template stack to display as
out of sync, nor does modifying the BGP configuration on
the hub firewall cause the branch template stack to display
as out of sync.
Workaround: After performing a configuration change,
Commit and Push the configuration changes to all hub and
branch firewalls in the VPN cluster containing the firewall
with the modified configuration.

PAN-145460 CN-MGMT pods fail to connect to the Panorama


management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the
CN-MGMT pod successfully registers with Panorama.

PAN-144889 On the Panorama management server, adding, deleting, or


modifying the original subnet IP, or adding a new subnet
after you successfully configure a tunnel IP subnet, for the
SD-WAN 1.0.2 plugin does not display the managed firewall
templates (Panorama > Managed Devices > Summary) as Out
of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration
changes to your managed firewalls and Force Template
Values (Commit > Push to Devices > Edit Selections).


PAN-143132 Fetching the device certificate from the Palo Alto Networks
Customer Support Portal (CSP) may fail and display the
following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retry fetching the device certificate from
the Palo Alto Networks CSP.

PAN-141630 Current performance limitation: single data plane use only.


The PA-5200 Series and PA-7000 Series firewalls that
support 5G network slice security, 5G equipment ID security,
and 5G subscriber ID security use a single data plane only,
which currently limits the firewall performance.

PAN-140959 The Panorama management server allows you to downgrade


Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and
earlier releases where ZTP functionality is not supported.

PAN-140008 ElasticSearch is forced to restart when the masterd process


misses too many heartbeat messages on the Panorama
management server resulting in a delay in a log query and
ingestion.

PAN-136763 On the Panorama management server, managed firewalls


display as disconnected when installing a PAN-OS
software update (Panorama > Device Deployment >
Software) but display as connected when you view your
managed firewalls Summary (Panorama > Managed Devices >
Summary) and from the CLI.
Workaround: Log out and log back in to the Panorama web
interface.

PAN-135742 There is an issue in HTTP2 session decryption where the


App-ID in the decryption log is the App-ID of the parent
session (which is web-browsing).

PAN-134053 ACC does not filter WildFire logs from Dynamic User Groups.

PAN-132598 The Panorama management server does not check for


duplicate addresses in address groups (Objects > Address
Groups) and duplicate services in service groups (Objects >
Service Groups) when created from the CLI.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000
Series firewalls) For traffic between virtual systems (inter-vsys
traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port
(DIPP) translation on inter-vsys traffic.

PAN-127813 In the current release, SD-WAN auto-provisioning configures


hubs and branches in a hub and spoke model, where branches
don’t communicate with each other. Expected branch routes
are for generic prefixes, which can be configured in the hub
and advertised to all branches. Branches with unique prefixes
are not published up to the hub.
Workaround: Add any specific prefixes for branches to the
hub advertise-list configuration.

PAN-127206 If you use the CLI to enable the cleartext option for the
Include Username in HTTP Header Insertion Entries feature,
the authentication request to the firewall may become
unresponsive or time out.

PAN-123277 Dynamic tags from other sources are accessible using the CLI
but do not display on the Panorama web interface.

PAN-123040 When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count
for the QoS rules don’t display. A workaround exists for
this issue. Please contact Support for information about the
workaround.

PAN-120440 There is an issue on M-500 Panorama management servers


where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the
following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120423 PAN-OS 10.0.0 does not support the XML API for
GlobalProtect logs.

PAN-120303 There is an issue where the firewall remains connected to the


PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.

• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where


an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two


Virtio modes: DPDK (default) and MMAP. If you deploy a
VM-Series firewall running PAN-OS 9.0 in DPDK packet
mode and you then switch to MMAP packet mode, the VM-
Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or
a server behind the firewall pings the VM-Series firewall after
you switch from DPDK packet mode to MMAP packet mode,
the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure


dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose

the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112456 You can temporarily submit a change request for a URL


Category with three suggested categories; however, only
two categories are supported. Do not add more than two
suggested categories to a change request until we address
this issue. If you submit more than two suggested categories,
only the first two categories in the change request are
evaluated.

PAN-112135 You cannot unregister tags for a subnet or range in a dynamic


address group from the web interface.
Workaround: Use an XML API request to unregister the tags
for the subnet or range.

PAN-111928 Invalid configuration errors are not displayed as expected


when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface


displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV


adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display


the same name for all such instances.


PAN-109759 The firewall does not generate a notification for the
GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match.
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues.

PAN-109526 The system log does not correctly display the URL for
CRL files; instead, the URLs are displayed with encoded
characters.

PAN-104780 If you configure a HIP object to match only when a


connecting endpoint is managed (Objects > GlobalProtect >
HIP Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do
not appear in the HIP report.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1


or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping


information registered on a firewall or virtual system is not
deleted when you remove the firewall or virtual system from
a Device Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-
name> command on a managed firewall only returns address

and address group objects pushed from the Shared device
group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with


the SMC-B installed, the BIOS console output displays
attempts to connect to the card's controller in the System
Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid


username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from
RADIUS in the authentication profile and configure group
mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and


Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96446 A firewall that is not included in a Collector Group fails to


generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in
Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development


Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command displays
an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8


and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only
after you modify the account passwords. (Administrator

accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply
password profile settings.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e


virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames
are received out of order.

PAN-93968 The firewall and Panorama web interfaces display


vulnerability threat IDs that are not available in PAN-OS
9.0 releases (Objects > Security Profiles > Vulnerability
Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the
release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see
the minimum PAN-OS release version for a threat signature.

PAN-93607 When you configure a VM-500 firewall with an SCTP


Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups),
the Security Profile Group doesn’t list the SCTP Protection
profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an


nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs


slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.

Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command


does not clear GTP sessions.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100


network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-off-load no CLI command.

PAN-83236 The VM-Series firewall on Google Compute Platform does


not publish firewall metrics to Google Stack Monitoring when
you manually configure a DNS server IP address (Device >
Setup > Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work


when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-77125 PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200


Series firewalls configured in tap mode don’t close offloaded
sessions after processing the associated traffic; the sessions
remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.


PAN-75457 In WildFire appliance clusters that have three or more nodes,


the Panorama management server does not support changing
node roles. In a three-node cluster for example, you cannot
use Panorama to configure the worker node as a controller
node by adding the HA and cluster controller configurations,
configure an existing controller node as a worker node by
removing the HA configuration, and then commit and push
the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and
the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 When you import a two-node WildFire appliance cluster


into the Panorama management server, the controller nodes
report their state as out-of-sync if either of the following
conditions exists:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-
node cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama,
push the configuration from Panorama to the cluster. After
the push succeeds, Panorama reports that the controller
nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.

• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client


authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-40079 The VM-Series firewall on KVM, for all supported Linux


distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled


custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to

scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual


appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use


a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the
delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.


PAN-OS 10.1.0 Addressed Issues


Issue ID Description

APL-14490 Fixed an issue where the option to toggle log ingestion or
storage for devices in the Cortex Data Lake app did not
function.

PAN-164564 Fixed an issue where stats API attempted to get stats
from an unavailable port.

PAN-146573 (PA-7000 Series firewalls only) Fixed an issue where
firewalls configured with a large number of interfaces
experienced impacted performance and timeouts when
performing SNMP queries.

PAN-142099 Fixed an issue for Panorama to allow changing MTU for
mgmt interface.

Related Documentation
Review the related documentation for PAN-OS 10.1.
To provide feedback on the documentation, write to us at:
[email protected].

> Related Documentation for PAN-OS 10.1


Related Documentation for PAN-OS 10.1


Refer to the PAN-OS® 10.1 documentation on the Technical Documentation portal for general
information on how to configure and use already-released features.
• PAN-OS 10.1 New Features Guide—Detailed information on configuring the features
introduced in this release.
• PAN-OS 10.1 Upgrade Guide—Provides considerations and steps to upgrade PAN-OS.
• PAN-OS 10.1 Administrator’s Guide—Provides the concepts and solutions to get the most out
of your Palo Alto Networks next-generation firewalls. This includes taking you through the
initial configuration and basic setup of your Palo Alto Networks firewalls.
• Panorama 10.1 Administrator’s Guide—Provides the basic framework to quickly set up the
Panorama™ virtual appliance or an M-Series appliance for centralized administration of the
Palo Alto Networks firewalls.
• PAN-OS 10.1 Networking Administrator’s Guide—Provides concepts and details around Palo
Alto Networks firewall networking solution.
• WildFire 10.1 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall
to forward samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire
private or hybrid cloud, and to monitor WildFire activity.
• VM-Series 10.1 Deployment Guide—Provides details on deploying and licensing the VM-Series
firewall on all supported hypervisors. It includes examples of supported topologies on each
hypervisor.
• GlobalProtect 10.1 Administrator’s Guide—Describes how to set up and manage
GlobalProtect™ features.
• PAN-OS 10.1 Web Interface Help—Detailed, context-sensitive help system integrated with the
firewall and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
