PAN-OS 10.0.1 Addressed Issues
End-of-Life (EoL)
PAN-OS® 10.0.1 addressed issues.
Issue ID | Description |
---|---|
PAN-154114 | A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036). |
PAN-153727 | Fixed an intermittent issue where, when using the Chrome browser on an Apple Mac laptop, firewalls managed by a Panorama appliance running PAN-OS 10.0.1 did not display when editing selections (Commit > Commit and Push or Commit > Push to Devices > Edit Selections) before pushing a configuration change to the managed firewalls. |
PAN-153425 | Fixed a memory corruption issue that caused two forwarding daemons (flow_mgmt and flow_ctrl_pktlog) to restart. |
PAN-152906 | Fixed an issue where pushing changes from Panorama to the firewalls did not work, and the commit all operation failed with the following validation error: azure-ha-config is missing 'client-id'. |
PAN-152762 | Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls. |
PAN-152282 | Fixed an issue where platforms using AHO for content and application inspection ran into dataplane process (all_pktproc) restarts. |
PAN-152263 | Fixed an issue where the Azure auto-scaling templates in the GitHub repository (https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0) required a Panorama virtual appliance with the Panorama plugin for Azure v2.0.0. |
PAN-152167 | Fixed an issue where the SYSD variable cfg.lcass-license was set to True on Panorama. |
PAN-152160 | Fixed an issue where commits failed due to a User-ID log collector secret setting. |
PAN-152017 | Fixed an issue where a VM-Series firewall on Amazon Web Services (AWS) failed on first reboot after enabling FIPS mode. |
PAN-151909 | Modified the diff algorithm for when a configuration audit was performed because certain objects incorrectly displayed as either New or Modified/Unchanged due to the XML format being added. |
PAN-151880 | (PA-7080 firewalls only) After upgrading to PAN-OS 10.0.0, commits failed and displayed the following error message: max-session should be equal to or between 1 and 320000040. |
PAN-151642 | Fixed an issue for AWS Panorama M4/C4 instances where logging disks in Panorama mode went into an unavailable/admin disabled state after upgrade to PAN-OS 10.0.0. |
PAN-151590 | Fixed an issue where including TLSv1.3 in the SSL Forward Proxy decryption profile caused entries to not populate in the ssl-decrypt exclude-cache. |
PAN-151231 | Fixed an issue on Panorama where you were unable to commit configuration changes after successfully downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 or earlier release version. |
PAN-151197 | Fixed an issue where a process (authd) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server. |
PAN-151149 | Fixed an issue where certificates, custom logos, and Security Assertion Markup Language (SAML) metadata were unable to be uploaded from the web interface using a Chromium-based browser running version 84 or later. |
PAN-151115 | Fixed an issue where, if a Security rule used an IP Address External Dynamic List (EDL) for IPv6 traffic, the information for the EDL did not display under Source EDL or Destination EDL in the logs. |
PAN-151049 | Fixed an issue where multi-plugin support for Panorama was not enabled by default. |
PAN-150998 | Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state. |
PAN-150898 | Fixed an issue where, if the HA1 interface was not configured, downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 release version caused a commit error. |
PAN-150872 | (PA-220 and PA-800 Series firewalls only) Fixed an issue where samples processed using WildFire Inline ML didn't support automatic false positive correction. |
PAN-150714 | Fixed an issue where the Panorama management server continued to forward syslogs to a syslog server over the management interface when configured to forward syslogs over the Ethernet1/1 interface (Panorama > Setup > Interfaces). |
PAN-150629 | Fixed an issue where the firewall web interface did not load Vulnerability Protection profiles with high numbers of exceptions. |
PAN-150585 | Fixed an issue in Panorama where Variable CSV file imports of template stack variables failed with the following error message: Template Stack Variable Configuration Import - Invalid CSV file. |
PAN-150556 | Fixed an issue with unified logs where effective query filters were not properly applied. |
PAN-150449 | Fixed an issue where using a filter with an address range of 0.0.0.0 to 255.255.255.255 in the Application Command Center (ACC) caused the CPU utilization to be unusually high. |
PAN-150409 and PAN-145797 | A fix was made to address a buffer overflow vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code with root privileges (CVE-2020-2042). |
PAN-150333 | Fixed an issue with a race condition that caused the firewall to start forwarding logs to a Panorama appliance in Management Only mode. The issue occurred when the lcs-pref.xml file was first deployed to the firewall. Workaround: Restart the management server on the firewall to reconnect it with the log collectors. |
PAN-150243 | Fixed an issue where, after a successful commit, the candidate configuration was not updated to the running configuration when the commit was initiated by an API-privileges-only custom role-based administrator. |
PAN-150170, PAN-150013, and PAN-149822 | A fix was made to address an OS command injection and memory corruption vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code and OS commands with root privileges (CVE-2020-2000). |
PAN-150097 | Fixed an issue where hourly URL summary log generation failed. |
PAN-150069 | Fixed an issue where the description for proxy_ssl_invalid_cert contained the word unvalid instead of invalid. |
PAN-149839 | (PA-7000 Series firewalls only) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use debug software resource-control enable and to disable them, use debug software resource-control disable. To set the memory limit, use debug management-server limit-memory enable, and to remove the limit, use debug management-server limit-memory disable. For the memory limit change to take effect, the firewall must be rebooted. |
PAN-149813 | Fixed an issue where the reply to an XML API call from Panorama was in a different format after upgrading to PAN-OS 8.1.14-h1 and later releases, which caused automated systems to fail the API call. |
PAN-149770 | Fixed an issue with debug file handling that led to a process (mgmtsrvr) restart. |
PAN-149501 | A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056). |
PAN-149426 | Fixed an issue where non-superuser administrators with all rights enabled were unable to Review Policies or Review Apps for downloaded or installed content versions. |
PAN-149377 | A fix was made to address a vulnerability regarding information exposure through log files in PAN-OS that made it possible for configuration secrets for HTTP, email, and SNMP trap v3 log forwarding server profiles to be logged to the logrcvr.log system log (CVE-2021-3032). |
PAN-149339 | Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated. |
PAN-149325 | Fixed an issue on Panorama where the web interface took more time than expected to load changes when the virtual router was large or when there was a large configuration change request from the web interface. |
PAN-149296 | Fixed an issue on Panorama where system and configuration logs of dedicated Log Collectors did not show up on Panorama appliances in Management Only mode. |
PAN-149283 | Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list. |
PAN-149217 | Fixed an issue where overridden TCP timeout values for service-based sessions did not take effect, and sessions timed out according to default application values. |
PAN-149199 | Fixed an issue where the Authentication Settings for the template stack on the firewall incorrectly displayed as overridden. |
PAN-149054 | Fixed an issue in Panorama where a commit-all to managed firewalls failed after renaming a device group. |
PAN-149008 | Fixed an issue where the CLI command show config running following the CLI command set cli op-command-xml-output on produced unreadable output. |
PAN-149005 | Fixed an issue where the XML API failed to fetch logs larger than 10MB. |
PAN-148806 | A fix was made to address an uncontrolled resource consumption vulnerability in PAN-OS that allowed for a remote unauthenticated user to upload temporary files through the management web interface that were not properly deleted after the request was finished. An attacker could disrupt the availability of the management web interface by repeatedly uploading files until available disk space was exhausted (CVE-2020-2039). |
PAN-148767 | Fixed an issue where the firewall incorrectly created GPRS tunneling protocol (GTP-U) sessions from Create Session Request and Create Session Response packets. |
PAN-148522 | Fixed an issue for PAN-DB where certain situations caused performance issues. |
PAN-148441 | Fixed an issue where required processes were not automatically restarted on the Log Processing Card (LPC) or the Log Forwarding Card (LFC). |
PAN-148359 | Fixed an issue where SD-WAN server-to-client symmetric return did not function correctly in certain circumstances. This issue intermittently affected path selection of parent/child applications, such as FTP. |
PAN-148087 | Fixed an issue where the object identifier (OID) being polled for the component hrStorageUsed was not unique after a PAN-OS upgrade. |
PAN-147796 | Fixed an issue on firewalls with IPsec/Encapsulating Security Payload (ESP) traffic with a GlobalProtect gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding, and all_task) restarted, which caused the device to reboot. |
PAN-147741 | Fixed an issue where an API call for correlated events did not return any events. |
PAN-147684 | Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting. |
PAN-147595 | Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information. |
PAN-147298 | (PA-7050 and PA-7080 firewalls with 100G NPC only) Fixed an issue where jumbo frames brought down the Network Processing Card (NPC) when traffic traversed the firewall at a high rate. |
PAN-146878 | Fixed an issue where TCP traffic dropped due to TCP sequence checking in a high availability (HA) active/active configuration where traffic was asymmetric. |
PAN-146841 | Fixed an issue in Panorama where a commit-all to the managed firewalls failed with the following error message: invalid object reference when address objects were uploaded using an external script. |
PAN-146787 | Fixed an issue where traffic incorrectly matched URL-based authentication policies. |
PAN-146650 | A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050). |
PAN-146623 | Fixed an issue where a GlobalProtect client on a system whose serial number contained umlaut diacritics was unable to log in to the GlobalProtect gateway. |
PAN-146284 | Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message: Error: Threat database handler failed. |
PAN-144613 | Fixed an issue where, when previewing device group configurations from Panorama, the following error message was returned: Parameter device group missing. |
PAN-143809 | Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate. |
PAN-142599 | Fixed an issue where DNS proxy was unable to handle a UDP DNS reply length greater than 512 bytes. |
PAN-142428 | Fixed an issue where, when using AutoFocus remote search to find artifacts from the firewall, the redirect URL did not populate correctly and PAN-OS lost the query parameter sent. For every search request, a new session was created, and authentication was required. |
PAN-142363 | Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: tcam full and pan_plfm_fe_cp_arp_delete. |
PAN-141980 | Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error: Link speed mismatch. |
PAN-141895 | Fixed an issue that prevented GTP tunnel session timeout values from being configured via the web interface. |
PAN-140984 | Fixed an issue where a process (mgmtsrvr) stopped responding after a commit. |
PAN-140084 | (PA-3200 Series firewalls only) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate was set to 2. |
PAN-138584 | Fixed an issue that prevented the addition of a secondary logging disk for a VM-Series firewall deployed on AWS using Nitro server instance types. |
PAN-136988 | Fixed an issue with an address object limitation where platform limits were not enforced if all the addresses pushed to the firewall were from Panorama and there were no shared or local address objects. |
PAN-134251 | (PA-7000 Series firewalls only) Fixed an issue where unplugging cables from Quad Small Form-factor Pluggable (QSFP) interfaces on 100G NPC caused path monitoring failures. |
PAN-134029 | Fixed an intermittent issue on the firewall where H.225 VoIP signaling packets dropped. |
PAN-129376 | (PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so. |
PAN-126353 | Fixed an issue where the XML API used to retrieve hardware status periodically failed with a 200 OK message and no data. |
PAN-115541 | Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface. |
PAN-101484 | A fix was made to address an OS command injection vulnerability in the PAN-OS management interface that allowed authenticated administrators to execute arbitrary OS commands with root privileges (CVE-2020-2038). |