PAN-OS 10.0.1 Addressed Issues
PAN-OS® 10.0.1 addressed issues.
Issue ID | Description |
---|---|
PAN-154114 | A fix was made to address a vulnerability
related to information exposure through log files in PAN-OS where
secrets in PAN-OS XML API requests were logged in cleartext in the
web server logs when the API was used incorrectly (CVE-2021-3036). |
PAN-153727 | Fixed an intermittent issue where, when
using the Chrome browser on an Apple Mac laptop, firewalls managed
by a Panorama appliance running PAN-OS 10.0.1 did not display when
editing selections (Commit > Commit and Push or Commit > Push
to Devices > Edit Selections)
before pushing a configuration change to the managed firewalls. |
PAN-153425 | Fixed a memory corruption issue that caused
two forwarding daemons (flow_mgmt and flow_ctrl_pktlog)
to restart. |
PAN-152906 | Fixed an issue where pushing changes from
Panorama to the firewalls did not work, and the commit all operation
failed with the following validation error: azure-ha-config is missing 'client-id'. |
PAN-152762 | Fixed an issue where role-based administrators
were unable to import certificate key pairs onto firewalls. |
PAN-152282 | Fixed an issue where platforms using AHO
for content and application inspection experienced dataplane process (all_pktproc)
restarts. |
PAN-152263 | Fixed an issue where the Azure auto-scaling
templates in the GitHub repository (https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0)
required a Panorama virtual appliance with the Panorama plugin for
Azure v2.0.0. |
PAN-152167 | Fixed an issue where the SYSD variable cfg.lcass-license was
set to True on Panorama. |
PAN-152160 | Fixed an issue where commits failed due
to a User-ID log collector secret setting. |
PAN-152017 | Fixed an issue where a VM-Series firewall
on Amazon Web Services (AWS) failed on first reboot after enabling
FIPS mode. |
PAN-151909 | Modified the diff algorithm for when a configuration
audit was performed because certain objects incorrectly displayed
as either New or Modified/Unchanged due
to the XML format being added. |
PAN-151880 | (PA-7080 firewalls only) After
upgrading to PAN-OS 10.0.0, commits failed and displayed the following
error message: max-session should be equal to or between 1 and 320000040. |
PAN-151642 | Fixed an issue for AWS Panorama M4/C4 instances
where logging disks in Panorama mode went into an unavailable/admin
disabled state after upgrading to PAN-OS 10.0.0. |
PAN-151590 | Fixed an issue where including TLSv1.3 in
the SSL Forward Proxy decryption profile caused entries to not populate
in the ssl-decrypt exclude-cache. |
PAN-151231 | Fixed an issue on Panorama where you were
unable to commit configuration changes after successfully downgrading
from a PAN-OS 10.0 release version to a PAN-OS 9.1 or earlier release
version. |
PAN-151197 | Fixed an issue where a process (authd)
restarted when an administrator authenticated to the firewall with
an Active Directory (AD) account. This issue occurred when LDAP
was configured with FQDN, used DHCP instead of a static management
IP address, and used the management interface to connect to the
LDAP server. |
PAN-151149 | Fixed an issue where certificates, custom
logos, and Security Assertion Markup Language (SAML) metadata were
unable to be uploaded from the web interface using a Chromium-based
browser running version 84 or later. |
PAN-151115 | Fixed an issue where, if a Security rule
used an IP Address External Dynamic List (EDL) for IPv6 traffic,
the information for the EDL did not display under Source EDL or Destination EDL in
the logs. |
PAN-151049 | Fixed an issue where multi-plugin support
for Panorama was not enabled by default. |
PAN-150998 | Fixed an issue where, when deploying a VM-Series
firewall on VMware NSX that had been assigned a serial number that
was used by a previously deactivated firewall, the new firewall
was deployed in a deactivated or partially deactivated state. |
PAN-150898 | Fixed an issue where, if the HA1 interface
was not configured, downgrading from a PAN-OS 10.0 release version
to a PAN-OS 9.1 release version caused a commit error. |
PAN-150872 | (PA-220 and PA-800 Series firewalls
only) Fixed an issue where samples processed using WildFire
Inline ML didn't support automatic false positive correction. |
PAN-150714 | Fixed an issue where the Panorama management
server continued to forward syslogs to a syslog server over the
management interface when configured to forward syslogs over the
Ethernet1/1 interface (Panorama > Setup > Interfaces). |
PAN-150629 | Fixed an issue where the firewall web interface
did not load Vulnerability Protection profiles with high numbers
of exceptions. |
PAN-150585 | Fixed an issue in Panorama where Variable
CSV file imports of template stack variables failed with the following
error message: Template Stack Variable Configuration Import - Invalid CSV file. |
PAN-150556 | Fixed an issue with unified logs where effective
query filters were not properly applied. |
PAN-150449 | Fixed an issue where using a filter with
an address range of 0.0.0.0 to 255.255.255.255 in the Application
Command Center (ACC) caused the CPU utilization to be unusually
high. |
PAN-150409 and PAN-145797 | A fix was made to address a buffer overflow
vulnerability in the PAN-OS management web interface that allowed
authenticated administrators to disrupt system processes and execute
arbitrary code with root privileges (CVE-2020-2042). |
PAN-150333 | Fixed an issue with a race condition that
caused the firewall to start forwarding logs to a Panorama appliance
in Management Only mode. The issue occurred when the lcs-pref.xml
file was first deployed to the firewall. Workaround: Restart
the management server on the firewall to reconnect it with the log
collectors. |
PAN-150243 | Fixed an issue where after a successful
commit, the candidate configuration was not updated to running configuration
when initiated by an API-privileges-only custom role based administrator. |
PAN-150170, PAN-150013, and PAN-149822 | A fix was made to address an OS command
injection and memory corruption vulnerability in the PAN-OS management
web interface that allowed authenticated administrators to disrupt
system processes and execute arbitrary code and OS commands with
root privileges (CVE-2020-2000). |
PAN-150097 | Fixed an issue where hourly URL summary
log generation failed. |
PAN-150069 | Fixed an issue where the description for proxy_ssl_invalid_cert contained the
word unvalid instead of invalid. |
PAN-149839 | (PA-7000 Series firewalls only)
Added CLI commands to enable/disable resource-control groups and
CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use debug software resource-control enable and
to disable them, use debug software resource-control disable.
To set the memory limit, use debug management-server limit-memory enable,
and to remove the limit, use debug management-server limit-memory disable.
For the memory limit change to take effect, the firewall must be
rebooted. |
PAN-149813 | Fixed an issue where the reply to an XML
API call from Panorama was in a different format after upgrading
to PAN-OS 8.1.14-h1 and later releases, which caused automated systems
to fail the API call. |
PAN-149770 | Fixed an issue with debug file handling
that led to a process (mgmtsrvr) restart. |
PAN-149501 | A fix was made to address a memory corruption
vulnerability in the GlobalProtect Clientless VPN that enabled an
authenticated attacker to execute arbitrary code with root user
privileges during SAML authentication (CVE-2021-3056). |
PAN-149426 | Fixed an issue where non-superuser administrators
with all rights enabled were unable to Review Policies or Review
Apps for downloaded or installed content versions. |
PAN-149377 | A fix was made to address a vulnerability
regarding information exposure through log files in PAN-OS that
made it possible for configuration secrets for HTTP, email, and
SNMP trap v3 log forwarding server profiles to be logged to the
logrcvr.log system log (CVE-2021-3032). |
PAN-149339 | Fixed an issue where, when an ECMP route
changed, the flow table in the offload engine was not updated. |
PAN-149325 | Fixed an issue on Panorama where the web
interface took more time than expected to load changes when the
virtual router was large or when there was a large configuration
change request from the web interface. |
PAN-149296 | Fixed an issue on Panorama where system
and configuration logs of dedicated Log Collectors did not show
up on Panorama appliances in Management Only mode. |
PAN-149283 | Fixed an issue where editing device log
forwarding in the collector group then filtering specific firewalls
and adding new firewalls caused the old firewalls to disappear from
the log forwarding preferences list. |
PAN-149217 | Fixed an issue where overridden TCP timeout
values for service-based sessions did not take effect, and sessions
timed out according to default application values. |
PAN-149199 | Fixed an issue where the Authentication Settings for
the template stack on the firewall incorrectly displayed as overridden. |
PAN-149054 | Fixed an issue in Panorama where a commit-all
to managed firewalls failed after renaming a device group. |
PAN-149008 | Fixed an issue where the CLI command show config running following
the CLI command set cli op-command-xml-output on produced
unreadable output. |
PAN-149005 | Fixed an issue where XML API failed to fetch
logs larger than 10MB. |
PAN-148806 | A fix was made to address an uncontrolled
resource consumption vulnerability in PAN-OS that allowed for a
remote unauthenticated user to upload temporary files through the
management web interface that were not properly deleted after the
request was finished. An attacker could disrupt the availability
of the management web interface by repeatedly uploading files until
available disk space was exhausted (CVE-2020-2039). |
PAN-148767 | Fixed an issue where the firewall incorrectly
created GPRS tunneling protocol (GTP-U) sessions from Create Session
Request and Create Session Response packets. |
PAN-148522 | Fixed an issue for PAN-DB where certain
situations caused performance issues. |
PAN-148441 | Fixed an issue where required processes
were not automatically restarted on the Log Processing Card (LPC)
or the Log Forwarding Card (LFC). |
PAN-148359 | Fixed an issue where SD-WAN server-to-client
symmetric return did not function correctly in certain circumstances.
This issue intermittently affected path selection of parent/child
applications, such as FTP. |
PAN-148087 | Fixed an issue where the object identifier
(OID) being polled for the component hrStorageUsed was not
unique after a PAN-OS upgrade. |
PAN-147796 | Fixed an issue on firewalls with
IPsec/Encapsulating Security Payload (ESP) traffic and a GlobalProtect
gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding,
and all_task) restarted, which caused the device to
reboot. |
PAN-147741 | Fixed an issue where an API call for correlated
events did not return any events. |
PAN-147684 | Fixed an issue where a daemon (ikemgr) repeatedly
restarted, which resulted in the firewall rebooting. |
PAN-147595 | Fixed an issue where, after a policy commit
and session rematch, Stream Control Transmission Protocol (SCTP)
logs for an existing SCTP session still showed old rule information. |
PAN-147298 | (PA-7050 and PA-7080 firewalls with
100G NPC only) Fixed an issue where jumbo frames brought down
the Network Processing Card (NPC) when traffic traversed the firewall
at a high rate. |
PAN-146878 | Fixed an issue where TCP traffic dropped
due to TCP sequence checking in a high availability (HA) active/active
configuration where traffic was asymmetric. |
PAN-146841 | Fixed an issue in Panorama where a commit-all
to the managed firewalls failed with the following error message: invalid object reference when address
objects were uploaded using an external script. |
PAN-146787 | Fixed an issue where traffic incorrectly
matched URL based authentication policies. |
PAN-146650 | A fix was made to address an authentication
bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS
that allowed an attacker to bypass all client certificate checks
with an invalid certificate. As a result, the attacker was able
to authenticate as any user and gain access to restricted VPN network
resources when the gateway or portal was configured to rely only
on certificate-based authentication (CVE-2020-2050). |
PAN-146623 | Fixed an issue where a GlobalProtect client
on a system whose serial number contained umlaut diacritics was unable to log
in to the GlobalProtect gateway. |
PAN-146284 | Fixed an issue where Application and Threat
Content installation failed on the firewall with the following error
message: Error: Threat database handler failed. |
PAN-144613 | Fixed an issue where, when previewing device
group configurations from Panorama, the following error message
was returned: Parameter device group missing. |
PAN-143809 | Fixed an issue where Log Collectors had
problems ingesting logs for older days received at a high rate. |
PAN-142599 | Fixed an issue where DNS proxy was unable
to handle a UDP DNS reply length greater than 512 bytes. |
PAN-142428 | Fixed an issue where, when using AutoFocus
remote search to find artifacts from the firewall, the redirect
URL did not populate correctly and PAN-OS lost the query parameter
sent. For every search request, a new session was created, and authentication
was required. |
PAN-142363 | Fixed an issue where a process (mprelay) stopped
responding and invoked an out-of-memory (OOM) killer condition and
displayed the following error messages: tcam full and pan_plfm_fe_cp_arp_delete. |
PAN-141980 | Fixed an issue where random member ports
in a link aggregate group failed to join the aggregate group due
to the following error: Link speed mismatch. |
PAN-141895 | Fixed an issue that prevented GTP tunnel
session timeout values from being configured via the web interface. |
PAN-140984 | Fixed an issue where a process (mgmtsrvr) stopped
responding after a commit. |
PAN-140084 | (PA-3200 Series firewalls only)
Fixed an issue where the default Dynamic IP and Port (DIPP) NAT
oversubscription rate was set to 2. |
PAN-138584 | Fixed an issue that prevented the addition
of a secondary logging disk for a VM-Series firewall deployed on
AWS using Nitro server instance types. |
PAN-136988 | Fixed an issue with an address object limitation
where platform limits were not enforced if all the addresses pushed
to the firewall were from Panorama and there were no shared or local
address objects. |
PAN-134251 | (PA-7000 Series firewalls only)
Fixed an issue where unplugging cables from Quad Small Form-factor
Pluggable (QSFP) interfaces on 100G NPC caused path monitoring failures. |
PAN-134029 | Fixed an intermittent issue on the firewall
where H.225 VOIP signaling packets dropped. |
PAN-129376 | (PA-800 Series firewalls only)
Fixed an issue that prevented ports 9-12 from being powered down
by hardware after being requested to do so. |
PAN-126353 | Fixed an issue where the XML API used to
retrieve hardware status periodically failed with a 200 OK message
and no data. |
PAN-115541 | Fixed an issue where removing a cipher from
an SSL/TLS profile did not take effect if it was attached to the
management interface. |
PAN-101484 | A fix was made to address an OS command
injection vulnerability in the PAN-OS management interface that
allowed authenticated administrators to execute arbitrary OS commands
with root privileges (CVE-2020-2038). |