PAN-OS 10.1.5 Addressed Issues

Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where, when a single firewall was the backend of multiple GWLBs, packets were re-encapsulated with an incorrect source IP address.

(FIPS-CC enabled firewalls only) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.

Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in resource-unavailable messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.

(VM-Series firewalls only) Fixed an issue that caused the pan_task process to stop responding with floating point exception (FPE) when there was a module of 0 on the queue number.

Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.

(VM-Series firewalls only) Fixed an issue with vm_license_response.log that consumed a large portion of the root partition.

(VM-Series firewalls in Microsoft Azure environments only) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred due to a hot plug of Accelerated Networking interfaces on the Azure backend caused by host updates, which led to Virtual Function unregister/Register messages on the VM side.

(PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.

Fixed an issue where, after logging in, Panorama displayed a 500 error page after five minutes of logging for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.

Fixed an issue where index creation failed when Elasticsearch attempted to create a new index with a duplicate index name.

(PA-5400 Series firewalls only) Fixed an issue where traffic flow through IKE NATT IPSec S2S tunnels broke on tunnel rekey with multiple data processing cards (DPC).

Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.

(PA-440 Series firewalls only) Fixed an issue where the firewall's maximum tunnel limit was incorrect.

Updated an issue to eliminate failed pan_comm software issues that caused the dataplane to restart unexpectedly

Fixed an issue where the dataplane exited during IPSec encapsulation and decapsulation offload operations.

(PA-5400 Series firewalls only) Fixed an issue where up to 75% traffic loss occurred on GlobalProtect tunnels with multiple DPCs.

Fixed an issue where you were unable to reference shared address objects as a BGP peer address (Virtual Router > BGP > Peer Group > Peer Address).

Fixed an issue where processing corrupted IoT messages caused the wificlient process to restart.

Fixed an issue where the distributord process hit the FD limit, which caused User-ID redistribution to not function properly.

Fixed an issue where Security policies were deleted on managed devices upon a successful push from Panorama to multiple device groups. This occurred when the Security policies had device_tags selected in the target section.

Fixed an issue where, after upgrading the Panorama, tagged address objects used in dynamic address groups were removed after a full commit and push. This issue occurred when the setting Share Unused Address and Service Objects with Devices was left unchecked.

Fixed an issue where the logrcvr process stopped responding due to a heartbeat failure that was caused by sysd nodes being stuck on logdb_writers for system, configuration, and alarm logs.

Fixed an issue on Panorama where you were unable to select a template variable in Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location.

Fixed an issue on the firewall web interface where logs were delayed when querying for logs.

Fixed an issue where Terminal Service agent (TS agent) connections with a certificate profile and the certificate chain on the TS agent failed. This occurred because common name validation and key usage checks were being performed in the root or intermediate certificate.

Fixed an memory leak issue in the mgmtsrvr process, which resulted in an out-of-memory (OOM) condition and high availability (HA) failover.

Fixed an issue where, when exporting or pushing a device configuration bundle from Panorama, a validation error occurred with GlobalProtect gateway inactivity logout time.

Fixed an issue where the firewall randomly disconnected from the WildFire URL cloud.

Fixed an issue where the threat log type ml-virus wasn't forwarded to Panorama or to external servers.

(PA-7000 Series firewalls with Log Processing Cards (LPC) only) Fixed an issue where excessive threat ID lookups caused logs to be lost.

Fixed an issue where SD-WAN failover on a hub or branch in full mesh took longer than expected.

Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.

(PA-400 Series firewalls only) Fixed an issue where the firewall detected a Power Supply Unit (PSU) failure for the opposite side when disconnecting a PSU from the device. This issue occurred when redundant PSUs were connected.

Fixed an issue where Panorama Global Search reported No Matches found while still returning results for matching entries on large configurations.

Fixed an issue where a memory utilization condition resulted in the web interface responding more slowly than expected and management server restarting.

Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.

Fixed an issue with the GlobalProtect gateway where the time-to-live (TTL) limit expired faster than real-time limit. As a result, a reconnection was required before the expected lifetime expiration.

Fixed an issue where the stats dump file was not generated properly.

Fixed an issue where staggering scheduled dynamic updates from Panorama to firewalls only worked for the first scheduled group and failed for the remaining groups of the same type.

Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the pan_comm process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.

Fixed an issue with DNS cache depletion that caused continuous DNS retries.

Fixed an issue where DNS security caused the TTL value of the pointer record (PTR) to be overwritten with a value of 30 seconds.

Fixed an issue where users were unable to SSH to the firewall and encountered the following error message: Could not chdir to home directory /opt/pancfg/home/user: Permission denied.

Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.

Fixed an issue where an OOM condition occurred due to quarantine list redistribution.

Fixed an issue where the WildFire Inline Machine Learning (ML) did not detect mlav-test-pe-file.exe when traffic was decrypted.

Fixed an issue where updating the master key did not update the SD-WAN preshared key (PSK).

Fixed an issue where new tunnels were unable to be established for Elasticsearch due to faulty logic that prevented old tunnels to be removed when a node went down.

Fixed an issue where GRE tunnels flapped during commit jobs.

A validation error was added to inform an administrator when a policy field contained the value any.

Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet.

Fixed an issue where admins and other Superusers were unable to remove a commit lock that was taken by another admin user with the format <domain/user>. As a result, deleting the commit lock failed.

Fixed an issue where a web-proxy port number was added to the destination URL when captive portal authentication was run.

Fixed an issue where you were unable to delete dynamic address groups one at a time using XML API.

Fixed an issue where the useridd process stopped responding when a NULL reference attempted to be dereferenced. This issue occurred to IP address users being added.

Fixed an issue where quarantined devices appeared in the CLI but not the web interface.

Fixed an issue where a process (useridd) stopped responding due to buffer overflow.

Fixed an issue where restarting the management server created an invalid reference in the device server, which caused subsequent commits to fail.

(PA-5450 firewalls only) Fixed an issue where High Speed Log Forwarding was enabled when attempting to view local logs.

Fixed an issue where the CLI output of show location ip <ip address> returned unknown.

Fixed an issue where, after rebooting the firewall, FQDN address objects referred in rules in a virtual system (vsys) did not resolve when the vsys used a custom DNS proxy.

Fixed an issue where a role-based admin with Operational Requests enabled under the XML API section was unable to set the License Deactivation API key.

Fixed an issue where a process (devsrvr) stopped responding due to an unexpected returned value.

Fixed an issue where aggressive situations caused on-chip descriptor exhaustion.

A fix was made to address a vulnerability that enabled an authenticated network-based administrator to upload a specifically created configuration that disrupted system processes and was able to execute arbitrary code with root privileges when the configuration was committed (CVE-2022-0024).

Fixed an issue where, when system logs and configuration logs on a dedicated log detector system were forwarded to a Panorama management server in Management Only mode, the logs were not ingested and were dropped. This caused the dedicated log detector system to not be viewable on a Panorama appliance in Management Only mode.

Fixed an issue where configurations failed when downgrading from PAN-OS 10.1.1 and later versions to PAN-OS 10.0.0 using the autosaveconfig.xml file.

Fixed an issue where reports using the decryption summary database and Panorama as data sources returned no results.

Fixed an issue on Panorama where a log collector group commit deleted the proxy settings configured on dedicated log collectors.

Fixed an intermittent issue where Panorama did not show new logs from firewalls.

Fixed an issue where, when the address object in the parent device group was renamed, and the address object was overridden in the child device group and called in a Security policy, the object in the Security policy was renamed as well.

Fixed an issue where, when you disabled a NAT rule, the Destination Translation value none displayed in blue and was still able to be modified to a different value.

Fixed an issue where log collectors generated Failed to check IoT content upgrade system logs even when no IoT license was installed.

Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.

Fixed an intermittent issue where traffic was lost when performing a failover in an HA active/passive setup.

Fixed an issue where importing a firewall configuration to Panorama failed if Import device's shared objects into Panorama's shared context (device group specific objects will be created if unique) was unchecked.

Fixed an issue where scheduled email alerts were not forwarded to all recipients in the override list.

Fixed an intermittent issue on Panorama where querying logs via the web interface or API did not return results.

Fixed an issue where the firewall didn't resolve specific domain names with multiple nested Canonical Name (CNAME) records when caching was enabled.

Fixed an issue where the header did not match the correct policy when IPv6 addresses were set in XFF header.

Fixed an issue where a process (authd) process stopped responding, which caused authentication to fail.

Fixed an issue where alerts related to syslog connections were not generated in the system logs.

Fixed an issue where sorting address groups by name, address, or location did not work on a device group that was part of a nested device group.

(PA-5200 Series firewalls only) Fixed an issue where the firewall was unable to monitor AUX1 and AUX2 interfaces through SNMP.

Fixed an issue where log forwarding profiles did not show up in the dropdown under Zones.

Fixed an issue where a deadlock on CONFIG_LOCK caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.

(VM-Series firewalls only) Fixed an issue where the firewall did not display any logs except for system logs.

Fixed an issue where enabling Use proxy to fetch logs from Strata Logging Service caused Panorama to not show logs when queried.

Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.

Fixed an issue where a Security policy configured with App-ID and set to web-browsing and application-default service allowed clear-text web-browsing on tcp/443.

Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.

Fixed an intermittent issue where IP address-to-username mappings were not created on a redistribution client if a logout and login message shared the same timestamp.

(M-200 and M-500 appliances only) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.

Fixed an issue where, when the TTL value for symmetric MAC entries weren't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.

Fixed an issue on the Panorama interface where Deploying Master Key to low-end devices resulted in a Failed to communicate message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.

Fixed an OOM condition that occurred due to multiple parallel jobs being created by the scheduled log export feature.

Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.

Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.

Fixed an issue where the email subject of scheduled reports was enclosed in single quotation marks.

(VM-Series firewalls on a Kernel-based Virtual Machine (KVM) running on Proxmox Hypervisor only) Fixed an issue where SSH traffic was identified as unknown-TCP.

Fixed an issue where sequence numbers were calculated incorrectly for traffic that was subject to Session Initiation Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear Text Proxy was disabled.

Fixed an issue where Panorama failed to update shared policies during partial commits when a new device group was created but not yet committed.

Fixed a memory leak issue related to the (useridd) process that occurred when group mapping was enabled.

Fixed an issue where a bar or point on a Network Monitor graph had to be clicked more than once to properly redirect to the corresponding ACC report.

Fixed an issue where the dataplane restarted due to running out of memory in the policy cache.

Fixed an issue where exporting a device summary to CSV failed and displayed the following error message: Error while exporting.

Fixed an issue where Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands:

Fixed an issue where log queries on Panorama appliances returned with no output and the error message Schema file does not exist displayed in the reported process log.

Fixed an issue where the rem_addr field in Terminal Access Controller Access-Control System (TACACS+) authentication displayed the management or service route IP address of the firewall instead of the source IP address of the user.

Fixed an intermittent issue where the firewall didn't generate block URL logs for URLs even though the websites were blocked in the client device.

(VM-Series firewalls only) Fixed an issue where a process (all_task) stopped responding.

Fixed an issue where the semi-colon (;) was not recognized as token separator while doing regex for URL category matching even though it is mentioned in the documentation.

Fixed a memory leak issue related to the useridd process.

Fixed an issue where the internal interface flow control that caused the monitoring process to incorrectly determine the interface to be malfunctioning.

Fixed an issue where a HIP database cache loop caused high CPU utilization on a process (useridd) and caused IP address-to-user mapping redistribution failure.

Fixed an issue where NetFlow traffic triggered a packet buffer leak.

(VM-Series firewalls only) The logging rate limit was improved to prevent log loss.

Fixed an issue where HIP profile objects in security policies and authentication policies were still visible in the CLI even after replacing them with source HIP and destination HIP objects.

Fixed an issue in active/active HA configurations where sessions disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.

Fixed an issue where firewalls experienced high packet descriptor usage due to internal communication associated with WildFire.

Fixed an issue where the IPSec tunnel configuration didn't load when a double quotation mark was added to the comment section of the IPSec tunnel General tab.

Fixed script issues that caused diagnostic data to not be collected after path monitor failure.

Fixed an issue with Content and Threat Detection where traffic patterns created a bus error, which caused the all_pktproc process to stop responding and the dataplane to restart.

Fixed an issue where ACC > Threat activity did not include the threat name after upgrading to a PAN-OS 10.0 release.

Fixed an issue on Panorama where AUX interface IP addresses did not populate when configuring service routes.

Fixed an issue where the high availability path group destination IP address was removed after pushing a PAN-OS 10 release template from Panorama to a firewall running a PAN-OS 9 release.

Fixed an issue on Panorama where clicking Run Now for a custom report with 32 or more filters in the Query Builder returned the following message: No matching records.

Fixed an issue on firewalls in HA active/active configurations where traffic with complete packets showed up as incomplete and was disconnected due to a non-session owner closing the session prematurely.

A CLI command was added to address an issue where a configured proxy server for a service route was automatically applied to the email server service route.

Fixed an issue on Panorama where multiple copies of logs were displayed for a single session.

Fixed an issue on the firewall where, when attempting to change the master key, the existing master key was not validated first. As a result, all firewall keys were corrupted.

Fixed a memory leak issue in the mgmtsrvr process that was caused by failed commit all operations.

Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.

Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.

Fixed an issue where, after manually uploading WildFire images, the dropdown did not display any available files to choose from.

Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.

Fixed an issue where, when there was a high volume of traffic for sessions with Application Block Pages enabled, other regular packets were dropped.

(VM-Series firewalls only) Fixed an intermittent issue where deactivating the firewall via XML API using manual mode failed. This occurred because the size of the license token file was incorrect.

Fixed an issue where the stats dump report was empty.

Fixed an issue where IPv6 addresses were displayed instead of IPv4 in custom reports.

Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message: client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate.

(Firewalls in HA active/passive configurations only) Fixed a routing table mis-sync issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.

Fixed an interoperability issue with other vendors when IKEv2 used SHA2-based certificate authentication.

Fixed an issue where TLS 1.3 Forward Proxy Decryption failed with a malloc failure error. This issue was caused by the server certificate being very large.

Fixed an issue where authentication via LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and Verify server certificate for SSL sessions options enabled.

Fixed an issue where, after an upgrade, the following error message was displayed: Not enough space to load content to SHM.

Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message: es.init-status not ready in logjobq.

Fixed an OOM condition on the dataplane on FIPS-mode firewall decryption that used DHE ciphers.

Fixed an issue where applications did not work via the Clientless VPN when they were configured on a vlan interface

Fixed an issue where the default severities for Content Update errors were inaccurate.

Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates (Panorama > Device Deployment).

(PA-7000 Series firewalls with LFCs only) Fixed an issue where the logging rate for the LFC was not displayed in Panorama > Managed Devices > Health.

Fixed an issue where, when a Panorama-pushed configuration was referenced in a local configuration, commits failed after updating the master key on the firewall, which resulted in the following error message: Invalid candidate configuration. Master key change aborted....

(PA-3200 Series firewalls only) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.