PAN-OS 11.0.3 Addressed Issues

PAN-OS 11.0.3 addressed issues.
Issue ID
Description
PAN-231823
A fix was made to address CVE-2024-5916.
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.
PAN-228877
(PA-7050 firewalls only) Fixed an issue with OOM conditions which caused slot restarts due to pan_cmd consuming more than 300 MB.
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
PAN-226198
Fixed an issue on Panorama where the configd process repeatedly restarted when attempting to make configuration changes.
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
PAN-225169
Added a CLI command to view Cortex Data Lake queue usage.
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
PAN-223501
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
PAN-223488
Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
PAN-223317
Fixed an issue where SSL traffic failed with the error message: Error: General TLS protocol error.
PAN-223185
Fixed an issue where the distributord process stopped responding.
PAN-222957
Fixed an issue where managed firewalls did not reflect changes pushed by users who were not in a superuser role.
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
PAN-222533
(VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments) Added support for high availability (HA) link monitoring and path monitoring.
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
PAN-222162
Fixed an issue where the show transceiver <interface> CLI command showed the RX and TX powers as 0.00 mW.
PAN-221984
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
PAN-221787
Fixed an issue where a User Principal Name (UPN) was incorrectly required in the pre-logon machine certificate.
PAN-221647
Fixed an issue where the Apps seen value was not reflected on Panorama.
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface was not installed in the routing table even when the tunnel to the branch or hub was active.
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when zone protection with Strict IP was enabled and NAT Traversal was applied.
PAN-221126
Fixed an issue where Email server profiles (Device > Server Profiles > Email and Panorama > Server Profiles > Email) to forward logs as email notifications were not forwarded in a readable format.
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.
PAN-220899
Fixed an issue where you were unable to choose the manual GlobalProtect gateway.
PAN-220747
Fixed an issue where logs were not visible after restarting the log collector.
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
PAN-220448
Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.
PAN-220401
Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.
PAN-220281
(PA-7080 firewalls only) Fixed an issue where autocommitting changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
PAN-220180
Fixed an issue where configured botnet reports (Monitor > Botnet) were not generated.
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multidevice group Validate-all operation.
PAN-219659
Fixed an issue where root partition frequently filled up and the following error message was displayed: Disk usage for / exceeds limit, xx percent in use, cleaning filesystem.
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS (Objects > Log Forwarding) used the default Palo Alto Networks certificate instead of the configured custom certificate.
PAN-219623
Fixed an issue where, when a multidynamic group validate job was pushed on the firewall, logs displayed Panorama push instead of ValidateAll push.
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
PAN-219300
Fixed an issue where the task manager displayed only limited data.
PAN-219253
Fixed an issue where, after making changes in a template, the Commit and Push option was grayed out.
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed: Mismatched public and private keys.
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
PAN-218697
Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.
PAN-218663 and PAN-181876
A fix was made to address CVE-2024-2433.
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
PAN-218340
Fixed an issue where selective pushes to template stack and multi device group pushes caused a buildup of resident memory, which caused the configd process to stop responding.
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
PAN-218273
Fixed an issue where TCP keepalive packets from the client to the server weren't forwarded when SSL decryption was enabled.
PAN-218267
Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected.
PAN-218252
Fixed an issue where the slot-1 data processor showed the status as down during an SNMP query.
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
PAN-218046
Fixed an issue where the Virtual Routers (Network > Virtual Routers) setting was not available when configuring a custom admin role (Device > Admin Roles).
PAN-218001
(PA-400 Series firewalls only) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.
PAN-217650
(VM-Series firewalls and Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where management interface Speed/Duplex was reported as unknown.
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart.
PAN-217053
Fixed an issue where the configd process stopped responding after a selective push to multiple device groups failed.
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contains the ampersand ( & ) character.
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the URL cloud could not be connected.
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
PAN-216214
(Panorama managed firewalls in active/active HA configurations only) Fixed an issue where the HA status displayed as Out of Sync (Panorama > Managed Devices > Health) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
PAN-216048
Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message: hip profiles unexpected here.
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message INVALID_SPI, which resulted in temporary loss of traffic over some proxy IDs.
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
PAN-215338
(PA-5400 Series firewalls only) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10.
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the Commit and Push or Push to Devices operation window to hang for several minutes.
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
PAN-214987
Fixed an issue where Application Filter names were not random, and they matched or included internal protocol names.
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
PAN-214463
Fixed an issue where IKE re-key negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message unexpected critical payload (type 43).
PAN-214201
Fixed an issue where, after exporting custom reports to CSV format, the letter b appeared at the beginning of each column.
PAN-214186
Fixed an issue where category length was incorrect, which caused the dataplane to restart.
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
PAN-213296
Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
PAN-213112
Fixed an issue where executing the show report directory-listing CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
PAN-212726
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port.
PAN-212577
(PA-5200 Series and PA-7080 firewalls only) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
PAN-212240
Fixed an issue where packet capture was logged for an unknown application session when packet capture logging was disabled.
PAN-212057
Fixed an issue where Advanced Threat Prevention caused SSL delays when no URL licenses were present.
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
PAN-211398
Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.
PAN-211384
Fixed an issue where the size of the redisthost_1 in the Redis database continuously increased, which caused an OOM condition.
PAN-210640
Fixed an issue where applications were not displayed after authenticating into the clientless VPN.
PAN-210502
Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
PAN-210452
Fixed an issue where application packet capture (pcap) was not generated when Security policy rules were used as a filter.
PAN-210429
(VM-Series firewalls only) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
PAN-209585
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
PAN-209288
Fixed an issue where generating certificates with SCEP did not work.
PAN-209172
Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message User is not in allowlist when an authentication profile was created in a shared configuration space.
PAN-208316
Fixed an issue where user-group names were unable to be configured as the source user via the test security-policy-match command.
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
PAN-208198
Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the fields Source and Destination IP.
PAN-207604
Fixed an issue where system logs continuously generated the log message Not enough space to load content to SHM.
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
PAN-204718
(PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt: Could not chdir to home directory /opt/pancfg/home/user: Permission denied.
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
PAN-199819
Fixed an issue where, if a decryption profile allowed TLSv1.3, but the server only supported TLSv1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window (Policies > Security > Prerules).
PAN-198050
Fixed an issue where Connection to update server is successful messages displayed even when connections failed.
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
PAN-187989
Fixed an issue where a user who did not have permissions of other access domains was able to view the commit and configuration lock.
PAN-185360
Fixed an issue where, when Authentication Portal Authentication was configured, l3svc_ngx_error.log and l3svc_access.log did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
PAN-177227
(VM-Series firewalls on Amazon Web Services environments only) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
PAN-160633
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.