PAN-OS 11.1.8 Addressed Issues
PAN-OS® 11.1.8 addressed issues.
Issue ID | Description |
---|---|
PAN-283493 | Fixed an issue where threat reports were empty when generated from Panorama, but displayed correctly when generated from the firewall.
|
PAN-282236 | Fixed an issue where large IPv6 packets were reassembled on the firewall when the packets arrived fragmented over an IPv4 tunnel.
|
PAN-281540 | Fixed an issue where the logd process repeatedly restarted when the SD-WAN site name was over 31 characters and contained certain XML escape characters.
|
PAN-280505 | Fixed an issue where the web interface did not display a message to commit prior changes before attempting a partial configuration load.
|
PAN-280471 | Fixed an issue where navigating Panorama > Monitor > Logs was slower than expected.
|
PAN-280243 | Fixed an issue where the firewall lost the pre-shared key configuration assigned from a PSK variable when an unrelated device group configuration was loaded.
|
PAN-279983 | (PA-1400 Series firewalls only) Fixed an issue on the web interface where Enable Bonjour Reflector was not displayed (Network > Interfaces > Ethernet Interface).
|
PAN-279746 | Fixed an issue where SMTP packets were not sent out when the Client Hello arrived at the firewall in multiple out-of-order segments and the traffic was not subject to SSL decryption.
|
PAN-279604 | Fixed an issue where scheduled SaaS application usage reports were generated incorrectly, and the login page was displayed instead of the report content.
|
PAN-279336 | Fixed an issue where the CLI did not display a message to commit prior changes before loading a partial configuration.
|
PAN-279176 | Fixed an issue where the configuration audit displayed inaccurate information after partially loading the configuration via the CLI, which caused the audit to flag the configuration as deleted or changed.
|
PAN-278684 | (PA-445 firewalls only) Fixed an issue where the firewall did not properly power cycle during a reboot.
|
PAN-277751 | Fixed an issue where a policy-based forwarding (PBF) rule with an action of no-pbf and a service of TCP-22 did not match traffic after upgrading to PAN-OS 11.1.5-h1. As a result, traffic was matched by a lower rule with a service of any and an action of forward.
|
PAN-277631 | Fixed an issue where the logrcvr process discarded logs due to a full queue.
|
PAN-277306 | Fixed an issue where the XML API and REST API failed to run commands with an error.
|
PAN-276822 | Fixed an issue where the packet buffer size increased significantly when WildFire File Forwarding was continued after a threat detection and then canceled.
|
PAN-276795 | Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).
|
PAN-276599 | Fixed an issue where the password expiry prompt was not visible when logging in via the web interface.
|
PAN-276491 | (Panorama virtual appliances only) Fixed an issue where Panorama stopped responding when running reports.
|
PAN-276352 | Fixed an issue where multicast flows were dropped due to a missing sysd variable for maximum multicast routes.
|
PAN-276062 | Fixed an issue where importing a firewall with a large number of address objects into Panorama did not work and remained at 99% completion.
|
PAN-275905 | Fixed an issue where the Panorama web interface was slower than expected and Elasticsearch CPU usage was high.
|
PAN-275754 | Added support for bootstrapping Panorama virtual appliances on ESXi.
|
PAN-275718 | Fixed an issue where Panorama stopped forwarding logs to a Syslog server after upgrading to PAN-OS 11.1.5-h1.
|
PAN-275713 | Fixed an issue where the firewall DSCD process stopped responding when the Endpoint Serial Number was enabled and the Active Directory returned a list of serial numbers for a specific device from Cloud Identity Engine.
|
PAN-275653 | Fixed an issue where the Log Collector service did not start on a new Log Collector appliance added to a Log Collector group. As a result, the new Log Collector appliance did not appear in the cluster and the number of nodes in the cluster was incorrect.
|
PAN-275077 | Fixed an issue where DNS Security intermittently logged malicious domain URLs as Alert instead of taking a Sinkhole action, even when configured to Sinkhole malicious DNS domains.
|
PAN-275032 | (M-600 appliances only) Fixed an issue where the Elasticsearch cluster certificate (CC) status displayed with a past expiration date, which caused all shards to be unassigned.
|
PAN-274791 | Fixed an issue where the firewall might reboot when traffic matches with certain Advanced features (such as Advanced Threat Prevention and Advanced URL Filtering with properly configured URL Filtering/Anti-Spyware/Vulnerability security profiles) and Shared Pool Type 32 becomes depleted.
|
PAN-274671 | Fixed an issue where empty traffic logdb folders were generated for each day even when traffic logs were not received by the logrcvr process.
|
PAN-274570 | Fixed an issue where the devsrvr process restarted after a failed commit due to an invalid memory access.
|
PAN-274557 | Fixed an issue on PA-5450 in FIPSCC mode where a firewall rebooted into maintenance mode when it was manually rebooted from the web interface.
|
PAN-274292 | (M-600 Appliances only) Fixed an issue where the web interface was slow when logging in and filtering for policies due to deep search operations taking longer than expected.
|
PAN-274207 | Fixed an issue where Global Search did not redirect correctly to routing profiles when searching for their names.
|
PAN-274146 | Fixed an issue where the firewall rebooted continuously after upgrading to PAN-OS 11.1.5-h1 when a tunnel session was established in a Gateway Load Balancing (GWLB) scenario and no data packet was associated with the packet.
|
PAN-274038 | Fixed an issue where you were unable to use the s_encrypted field in custom reports for the Panorama threat log database.
|
PAN-273991 | Fixed an issue where the transmit power for a cable that was used on port 44 displayed as N/A.
|
PAN-273963 | Fixed an issue where GlobalProtect health information (HIP) did not display the certificate key usage.
|
PAN-273949 | Fixed an issue where the firewall generated the following error message in the snmpd logs: pan_get_keystr_from_cryptod(pan_snmpinterface.c:181): Key X2F1dGhfa2V5 import from cryptod failed.
|
PAN-273727 | Fixed an issue where the firewall skipped the DNS policy rule of a domain external dynamic list (EDL) during an EDL refresh.
|
PAN-273614 | Fixed an issue where packets were dropped initially when a SYN cookie with activation threshold 0 was enabled.
|
PAN-273597 | Fixed an issue where logs in the cloud database displayed in the Not-Resolved category but not in the local database.
|
PAN-273589 | Fixed an issue where firewalls configured with a VPN tunnel stopped responding when a configuration update was applied.
|
PAN-273453 | Fixed an issue where restarting the firewall did not initiate an autocommit job, which caused the firewall to stop responding and the HA interface to go down.
|
PAN-273277 | Fixed an issue where GlobalProtect clients on macOS devices were prompted to enter their username and password for Kerberos SSO authentication.
|
PAN-273153 | Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the MonitorDirect.getTasks API by the Task Manager.
|
PAN-273019 | Fixed an intermittent issue where SSL decryption failed.
|
PAN-272998 | Fixed an issue where commits from Panorama to VM-Series firewalls on Microsoft Azure environments failed.
|
PAN-272796 | Fixed an issue where you were unable to export the GlobalProtect client software version to the SCP server.
|
PAN-272746 | (PA-440 firewalls only) Fixed an issue where the firewall entered an unstable state after committing changes or onboarding to Panorama.
|
PAN-272743 | Fixed an issue where non-captive portal traffic was not visible under Traffic Logs when the traffic was denied by an authentication rule and the session was discarded.
|
PAN-272726 | Fixed an issue on the web interface where the URL Filtering change category feature did not work.
|
PAN-272605 | Fixed an issue where the firewall did not display VPC endpoints when there was a large number of VPC endpoint-to-interface mappings.
|
PAN-272408 | (PA-1420 firewalls only) Fixed an issue where the firewall reported unsupported SFPs when PAN-SFPPLUS10GBASE-T SFPs were used on ports Ethernet 1/21 and 1/22.
|
PAN-272178 | Fixed an issue where the firewall displayed packet buffers between 18 and 19 even when there was little or no traffic.
|
PAN-272172 | Fixed an issue where plugin_api_server could experience a memory leak when using OpenConfig for telemetry.
|
PAN-272171 | Fixed an issue where the firewall dropped the AAAA DNS server response and caused delays in traffic from Ubuntu or Linux clients when DNS Security was enabled.
|
PAN-272085 | Fixed an issue where the firewall might crash and reboot when DoH is enabled for DNS Security and multiple DoH transactions are sent in a single HTTP/1 connection.
|
PAN-271915 | Fixed an issue where the push scope did not populate when attempting to push a policy to a device group.
|
PAN-271774 | Fixed an issue where the firewall logs displayed the reason for data filtering action as FW Skipped: XXXX.
|
PAN-271700 | Fixed an issue where User-ID connections were lost after an HA failover.
|
PAN-271637 | Fixed an issue where the firewall did not increase the metric of the default route when redistributed into OSPF when the firewall was configured as an NSSA ABR.
|
PAN-271636 | (PA-1400 and PA-3400 Series firewalls only) Fixed an issue where the firewall displayed the error message Failed to parse pbf policy when you committed a configuration that included more than 8 Policy Based Forwarding (PBF) rules with symmetric return enabled.
|
PAN-271490 | Fixed an issue on the firewall that caused the following error message to be displayed: frr_ns0: failed to stop child frr_ns0_ospf6d.
|
PAN-271436 | A CLI counter was added to indicate a full suppression queue.
|
PAN-271184 | Fixed an issue where Device Telemetry failed due to an issue with the encoding of characters in the log file path.
|
PAN-271181 | Fixed an issue where committing changes to Advanced Routing and redistribution profiles failed while pushing the configuration from SCM.
|
PAN-271152 | (7000-Series firewalls in HA configurations only) Fixed an issue where the firewall failed over into a non-functional state, and the LFC LED was blinking on the passive firewall.
|
PAN-270849 | Fixed a memory leak issue related to the configd process that occurred when running consecutive commits for multiple days.
|
PAN-270747 | Fixed an issue where the show system statistics application CLI command failed.
|
PAN-270744 | Fixed an issue where API calls to Panorama failed with the error Server error : Timed out while getting config lock. Please try again.
|
PAN-270651 | Fixed an issue where the firewall didn't restart after applying an air-gapped license if the firewall capacity was the same as the license capacity. The additional character in subscription is tracked fixed as IT issue.
|
PAN-270569 | Fixed an issue where the userid process stopped responding because memory was being reset to NULL when it was freed.
|
PAN-270554 | Fixed an issue where the GlobalProtect client (UWP) or metered hotspot connections triggered TLS resumption for GlobalProtect portal authentication, which caused the portal authentication to fail with a valid cert required error.
|
PAN-270493 | Fixed an issue where the Low free buffer limit output was not available.
|
PAN-270248 | Fixed an issue where the firewall failed to forward logs to a SNMP trap server if the SNMP manager IP address was unable to be resolved.
|
PAN-270193 | Fixed an issue where the Panorama management server changed its certificate authority (CA) unexpectedly, which caused managed firewalls to disconnect.
|
PAN-270068 | Fixed an issue where the firewall attempted to connect to the AppID cloud using gRPC even when App-ID Cloud Engine was disabled.
|
PAN-269913 | Fixed an issue where threat reports were empty when generated from Panorama, but displayed correctly when generated from the firewall.
|
PAN-269716 | Fixed an issue where half-closed TCP sessions did not refresh the session timeout when continuously receiving data after setting the cfg.session.tcp-no-refresh-fin-rst option to True.
|
PAN-269624 | Fixed an issue where GlobalProtect clients failed to connect with the error message The device or feature requires a GlobalProtect subscription license.
|
PAN-269456 | Fixed an issue where the firewall rebooted unexpectedly when configuring the GlobalProtect portal and gateway from Panorama.
|
PAN-269291 | Fixed an issue where the scheduled report generation script did not return debug information.
|
PAN-269286 | Fixed an issue where the firewall did not query for an AAAA record when only IPv6 was enabled for the management interface.
|
PAN-269264 | Fixed an issue where the firewall did not send the client hello to the server when the server hello message contained a certificate with a common name of 0.0.0.0.
|
PAN-269193 | Fixed an issue where the firewall redirected the user to the first application instead of the portal page with a list of applications when multiple applications were configured for GlobalProtect clientless VPN along with any user match.
|
PAN-269191 | (VM-Series firewalls only) Fixed an issue where the aggressive clean-up threshold for disk space was set to 95% in system monitor.
|
PAN-269091 | Fixed an issue where the varrcvr process stopped responding.
|
PAN-269052 | Fixed an issue where traffic was blocked by a URL filtering profile even though the Security policy rule did not have a URL filtering profile configured.
|
PAN-269027 | Fixed an issue related to external dynamic lists that caused commit times on the firewall to be higher than expected.
|
PAN-268909 | Fixed an issue where IP address tags were removed from firewalls after a management server or useridd process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.
|
PAN-268903 | Fixed an issue where scheduled reports from Cortex Data Lake did not limit the number of results to the configured maximum.
|
PAN-268800 | Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
|
PAN-268708 | Fixed an issue where PDF summary and email reports displayed IPv6 addresses instead of IPv4 addresses.
|
PAN-268707 | Fixed an issue where the XML API call to clear rule hit count using device group syntax failed with an error.
|
PAN-268629 | Fixed an issue where traffic did not match the correct security policy when using an application-filter that references a cloud application. This occurred when a high number of cloud applications were attached with a custom tag.
|
PAN-268606 | Fixed an issue where GlobalProtect users with client certificates received an authentication failure message without entering a password and clicking connect or login.
|
PAN-268597 | Fixed an issue where the firewall displayed 0 bytes received for GlobalProtect SSL sessions in the traffic logs.
|
PAN-268569 | Fixed an issue where the web interface was slower than expected when logging in and filtering for policies.
|
PAN-268489 | Fixed a Threat log PCAP ID overwrapping issue.
|
PAN-268425 | Fixed an issue where the execute show transceiver-detail all XML API command returned an incorrect value for the low temperature alarm threshold.
|
PAN-268279 | Fixed an issue where autocommits failed if the management IPv6 gateway was the same as the dataplane interface IP address.
|
PAN-268276 | Fixed an issue where GlobalProtect clients intermittently failed to connect to the gateway with the error message could not connect to gateway.
|
PAN-268168 | Fixed an issue where uploading files that were 5GB or larger to Google Drive or YouTube failed when a decryption policy rule for http2 was enabled.
|
PAN-268127 | Fixed an issue where tagging devices in Panorama did not work as expected.
|
PAN-268118 | Fixed an issue on firewalls in active/passive HA configurations where, after a failover, irrelevant routing FIB entries were seen in the routing table on the newly active firewall.
|
PAN-267912 | Fixed an issue on the Panorama web interface where Application and Category could not be selected under Test Policy Match.
|
PAN-267660 | Fixed an issue where UserID stopped working when the show object registered user CLI command was used with start-point and limit options.
|
PAN-267650 | Fixed an issue where the firewall did not detect the eth1/1 and eth1/2 interfaces when you created a firewall on an ESXi 8 server.
|
PAN-267614 | Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.
|
PAN-267580 | Fixed an issue where an External Dynamic List (EDL) IP address in an unsupported format was recognized as valid on the firewall.
|
PAN-267518 | Fixed an issue where WildFire submission logs incorrectly reported allowed malicious samples even when they were blocked by threat prevention profiles.
|
PAN-267426 | (Firewalls in HA configuration only) Fixed an issue where the Network pre-negotiation enabled page did not display on the firewall dashboard.
|
PAN-267381 | Fixed an issue where the firewall failed to upload a macOSX file if the file had a MIME boundary.
|
PAN-267235 | Fixed an issue where the firewall did not send User-ID redistribution messages to Panorama when the firewall had multiple virtual systems configured and one of the virtual systems had a display name that was the same as the existing vsys name.
|
PAN-267128 | Fixed an issue where the firewall dropped packets if the log rate exceeded the configured maximum log rate.
|
PAN-267045 | Fixed an issue on the firewall where ICMP ping loss occurred after installing a Network Processing Card (NPC) in slot 7.
|
PAN-267001 | Fixed an issue where multicast streams were unstable with ECMP and dropped every 30 seconds.
|
PAN-266905 | Fixed an issue where sessions ended with the message decrypt error in the logs for traffic that matched a no-decrypt policy.
|
PAN-266800 | (PA-800 firewalls in HA configurations only) Fixed an issue where the Link LEDs for ethernet1/9 to ethernet1/12 did not turn off after a failover.
|
PAN-266704 | Fixed an issue where filtering BGP routes by peer name in Advanced Routing Engine (ARE) did not display the correct routes.
|
PAN-266698 | Fixed an issue where an email was able to be transferred to the destination MTA even when the firewall detected a suspicious file with a reset-bot action when it was encrypted by STARTTLS.
|
PAN-266695 | Fixed an issue on Panorama where a cyclic nested address group configuration caused the configd process to stop responding after a commit.
|
PAN-266688 | Fixed an issue on the firewall where traffic matched a custom signature even if the custom signature was removed from the configuration.
|
PAN-266653 | Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.
|
PAN-266574 | Fixed an issue where users were unable to connect to the portal due to Certificate Revocation List (CRL) checks because the downloaded CRL file was expired, which caused the CRL cache to be bypassed.
|
PAN-266559 | Fixed an issue where partial commits failed when objects that were referenced in a high number of Security policy rules were renamed. In such cases, the following error appeared in the configd logs: "Limit printing dirty xpaths in journal at count 3000". To overcome the 3000 xpaths change limit, use the " debug management-server max-ref-xpaths " command to set the limit to a higher value, and then restart the configd daemon.
|
PAN-266462 | Fixed an issue where selective pushes did not work as expected when the device group was renamed by a different admin user.
|
PAN-266427 | Fixed an issue on the firewall where, when a high number of SD-WAN branch sites or interfaces were not connected, SD-WAN processes and tund processes stopped responding due to a high probing rate.
|
PAN-266391 | Fixed an issue where the number of hints values were not updated even when there were no hint files on the system.
|
PAN-266354 | Fixed an issue where Hybrid-SWG explicit proxy connections failed when the number of destination domains exceeded 1024.
|
PAN-266312 | Fixed an issue where BFD sessions took longer than expected to establish after an HA failover due to BGP.
|
PAN-266279 | Fixed an issue on Panorama where the default version of IKE gateway was not set to IKEv2 only mode, which caused VPN establishment issues if the firewall recognized a new configuration as IKEv1.
|
PAN-266116 | Fixed an issue where URLs did not work due to certificate revocation list (CRL) requests failing.
|
PAN-265931 | Fixed an issue where some URLs were not blocked when added to the URL Category.
|
PAN-265926 | (PA-3400 Series firewalls only) Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot.
|
PAN-265916 | Fixed an issue where double-clicking the login button returned the error message Login session expired.
|
PAN-265900 | Fixed an issue where the firewall stopped responding due to a tund process or SD-WAN process restart.
|
PAN-265791 | Fixed an issue where the all_task process stopped responding, which caused the dataplane to go down.
|
PAN-265686 | Fixed an issue where the GlobalProtect portal logged passwords in cleartext.
|
PAN-265434 | Fixed an issue where the flow process restarted with the error message SIGABRT __GI_raise __GI_abort __libc_message malloc_printer.
|
PAN-265014 | Fixed an issue where changes made to device groups with the same prefix name were not visible in the commit scope.
|
PAN-264912 | Fixed an issue where the firewall did not shut down completely.
|
PAN-264866 | Fixed an issue on Panorama where you were unable to change the order of traffic steering rules.
|
PAN-264845 | Fixed an issue where the Log Forwarding for Security Services feature did not correctly filter policy rules with log forwarding profiles.
|
PAN-264570 | Fixed an issue where the maximum session limit for a vsys was 4,194,290.
|
PAN-264538 | (VM-Series firewalls only) Fixed an issue where the all_task process stopped responding and a reboot was required.
|
PAN-264477 | Fixed an issue where the firewall did not start Elasticsearch after a commit if Elasticsearch was not previously enabled and started.
|
PAN-264423 | Fixed an issue where the firewall sent a 503 response when a client connected to a web server when the firewall was configured as a web proxy and authentication bypass for Kerberos was enabled.
|
PAN-264289 | Fixed an issue where the CLI and XML API values for the show system environment command did not match.
|
PAN-264246 | Fixed an issue where the Authentication Portal did not work properly with session cookies when the request to the portal contained the header Sec-Fetch-Site=cross-site.
|
PAN-264169 | (PA-5400 Series firewalls only) Fixed an issue where the firewall sent correlated event logs to the syslog server using the management interface instead of the log interface.
|
PAN-264053 | Fixed an issue where the firewall stopped responding after the all_task process stopped responding.
|
PAN-263749 | Fixed an issue where disk space that was used by file descriptors was not freed, which caused the root partition to become full and Panorama to be inaccessible.
|
PAN-263674 | (VM-Series firewalls in HA configurations only) Fixed an issue where the firewall rebooted due to multiple HA failovers.
|
PAN-263654 | Fixed an issue where multiple DNS responses with different CNAME values caused evasion false positive alerts.
|
PAN-263544 | Fixed an issue where management plane CPU usage increased after upgrading when there was a full-mesh User-ID redistribution configuration between multiple firewalls.
|
PAN-263291 | Fixed an issue where Microsoft Outlook did not work as expected when the GlobalProtect clientless VPN was configured.
|
PAN-263086 | (PA-455 firewalls in HA configurations only) Fixed an issue where the HA LED light on the front panel did not turn on even when HA was enabled.
|
PAN-263063 | Enhanced debugging capability when the control network to DP0 was not reliable when the J2C port was down.
|
PAN-262819 | (PA-3410, PA-3420, and PA-3430 firewalls only) Fixed an issue where the maximum supported number of zones was 200.
|
PAN-262782 | Fixed an issue on the firewall where cfg.developer.tasks had a default configuration of True, which capped dataplane CPU performance at 50% in production.
|
PAN-262729 | (Panorama appliances only) Fixed an issue where the configd process experienced continuous high CPU utilization and repeatedly restarted.
|
PAN-262375 | (Firewalls in active/active HA configurations only) Fixed an issue where non-tunneled internal GlobalProtect gateway client information was not synced between firewall peers when using a floating IP address.
|
PAN-262373 | Fixed an issue where the error message Failed to reload config files displayed in the system logs even when device telemetry was not enabled.
|
PAN-262372 | Fixed an issue where the firewall generated the error message Successfully generating a new set of config files in the system logs even when device telemetry was not enabled.
|
PAN-262278 | Fixed an issue where the service route setting for HTTP was not applied when the source interface IP address was set via an address object, which caused HTTP traffic to be sent from the management interface.
|
PAN-262063 | Fixed an issue where the firewall did not display the converted configurations before a commit and reboot, and the commit failed when attempting to migrate from MS to FRR mode.
|
PAN-262040 | Fixed an issue where the XML API key length exceeded the buffer size when the API key lifetime was changed from the default value.
|
PAN-261999 | (VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where enabling flow basic on firewalls caused ARP entries to be removed on both firewalls.
|
PAN-261998 | Fixed an issue where the firewall configuration process restarted during an External Dynamic List refresh or a commit and push operation.
|
PAN-261997 | Fixed an issue where the firewall displayed incorrect statistics for mac_transmit_err and send_deffered on PA-440 appliances running PAN-OS 10.1.9-h3.
|
PAN-261936 | Fixed an issue where WildFire submission logs were not displayed when filtered by Sender Address.
|
PAN-261825 | Fixed an issue where traffic was dropped when Data Loss Prevention or Advanced URL Filtering were enabled. This occurred when the payload size was greater than 3.5 KB.
|
PAN-261824 | Fixed an issue where frequent brdagent errors occurred.
|
PAN-261739 | (VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall displayed 0 for the physical port counters read from MAC.
|
PAN-261677 | Fixed an issue where multiple smartctl processes entered a d state due to failure to read from the kernel partition, which resulted in high CPU and management impact.
|
PAN-261602 | Fixed an issue where GlobalProtect Decryption logs were not forwarded to Panorama.
|
PAN-261597 | Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unavailable.
|
PAN-261570 | (Firewalls in active/active HA configurations only) Fixed an issue where packet loss occurred when dataport was used for HA3 for asymmetrically routed traffic during commits and a virtual wire was configured.
|
PAN-261429 | Fixed an issue where the show auth radius-require-msg-authentic CLI command displayed no output.
|
PAN-261390 | Fixed an issue that caused the Panorama web interface to be slower than expected due to disabling completion-cache by default.
|
PAN-261312 | Fixed an issue where a commit for a policy and configuration dump overlapped, which resulted in a null pointer exception.
|
PAN-261182 | Fixed an issue where the firewall dropped a retransmitted SYN packet when using the TCP Fast Open option.
|
PAN-261074 | Fixed an issue where the firewall delayed video file transfers over SMB when Exclude Video Traffic from the Tunnel feature was enabled and no applications were added to the list.
|
PAN-260879 | Fixed an issue where the Panorama port 28270 did not adhere to the restricted TLS version and ciphers set in the Secure Communication Settings.
|
PAN-260752 | Fixed an issue where the firewall did not support TLSv1.3 in the Clientless VPN, which caused the portal page to not load.
|
PAN-260720 | Fixed an issue where the dsdc process stopped responding after receiving an unexpected API return value.
|
PAN-260700 | Fixed an issue where the firewall was unable to load application metadata from the chunk files. This occurred when the application metadata entry was larger than the buffer used to read it, which resulted in an incomplete entry that caused commit failures.
|
PAN-260564 | Fixed an issue on firewalls in HA configurations where a network loop was detected by switches after suspending HA on the active firewall.
|
PAN-260358 | Fixed an issue where the firewall did not include the NAS-ID and NAS-IP attributes in the RADIUS Access-Request message when using PEAP-MSCHAPv2 authentication.
|
PAN-260300 | (PA-5410, PA-5420, PA-5430, PA-5440 and PA-5445 firewalls only) Fixed an issue related to the all_pktproc process where DPC slot 3 stopped responding.
|
PAN-260279 | Fixed an issue where selective push operations failed with the error message: Failed to generate selective push configuration. Schema validation failed. Please try a full push.
|
PAN-260229 | Fixed an issue where HA path monitoring using VWire did not work as expected after a reboot.
|
PAN-260186 | Fixed an issue where Panorama pushed content to devices that did not have a Threat Prevention license.
|
PAN-260113 | Fixed an issue where the web interface stopped responding when configuring the GlobalProtect gateway when the language was set to Japanese.
|
PAN-260059 | Fixed an issue where Device Telemetry Regions did not show up with the latest content due to content files not being parsed for the region list when Telemetry was turned off.
|
PAN-260003 | Fixed an issue where commits failed when you set Use Management interface for all and MGMT was configured for Data Services.
|
PAN-259870 | (PA-7000b firewalls only) Fixed an issue where Luna Network Hardware Security Modules (HSM) did not work after an upgrade or downgrade.
|
PAN-259865 | (VM-Series firewalls across all public and private clouds) Fixed an issue where the firewall experienced high dataplane CPU usage when SSL Decryption was enabled.
|
PAN-259767 | Fixed an issue where GlobalProtect users were unable to connect when the option Block sessions if the certificate was not issued to the authenticating device was enabled in the certificate profile.
|
PAN-259343 | Fixed an issue on the Panorama web interface where the Configuration tab did not accurately display changes made to URL filtering profiles.
|
PAN-259140 | Fixed an issue where the request wildfire registration channel public API command failed with the error message Method not found.
|
PAN-259091 | Fixed an issue where the CLI command show user ip-user-mapping-mp all displayed the total timeout value instead of the current timeout value when the set cli op-command-xml-output on CLI command was used.
|
PAN-258912 | (PA-7000b firewalls only) Fixed an issue where the firewall web interface displayed an incorrect HSM client version when the client was upgraded to version 7.2.0.220.
|
PAN-258743 | Fixed an issue where, when you attempted to select a redistribution profile when creating a BGP Redistribute policy rule, the firewall displayed an empty dropdown.
|
PAN-258680 | Fixed an issue on Panorama where, when you removed Security profile groups from a Security policy rule via the CLI and committed the change, the Security policy rule was deleted.
|
PAN-258570 | Fixed an issue where the firewall might reboot unexpectedly due to the varrcvr process progressively using more memory when WildFire file forwarding is handling PE files.
|
PAN-257960 | Fixed an issue where ICD's virtual memory continuously increased due to an increase in unknown IP addresses, which resulted in high management plane CPU utilization.
|
PAN-257594 | Added support for export and import of SC3 CA certificates on Panorama appliances during RMA.
|
PAN-257515 | Fixed an issue where Possible Domain Fronting Detection for HTTP/2 generated false positives. With this change, domain fronting is limited to HTTP/1.
|
PAN-257355 | Fixed an issue where a false positive HTTP/TLS evasion alert was generated when the domain had DNS load balance.
|
PAN-257183 | Fixed an issue where the firewall dropped DNS traffic when using DNS Security.
|
PAN-257070 | Fixed an issue where querying URL filtering logs with the filter (url_category_list contains 'artificial-intelligence' ) displayed both the artificial-intelligence and the shopping categories.
|
PAN-256904 | Fixed an issue where the firewall inconsistently blocked URLs due to intermittent URL category misidentification.
|
PAN-256867 | Fixed an issue where the logrcvr process stopped responding while processing session logs for forwarding to the LFC.
|
PAN-256670 | Fixed an issue where scheduled email reports were sent without PDF attachments if the firewall was in FIPS-CC mode.
|
PAN-256560 | Fixed an issue where exporting a Custom Report to CSV format did not display the full report if it contained non-ASCII characters.
|
PAN-256138 | (VM-Series firewalls only) Fixed an issue where firewalls with a DNS server IP address received by DHCP from Amazon Web Services (AWS) had a delay in resolving FQDNs after a reboot.
|
PAN-255759 | Fixed an issue where the firewall was unable to match HIP data with the correct anti-malware object for Windows Defender.
|
PAN-255619 | Fixed an intermittent issue where file downloads from websites failed when decrypting HTTP/2 traffic.
|
PAN-255611 | Fixed an issue on the firewall where newly added routes were not automatically sorted based on subnets when added to a redistribution profile.
|
PAN-255441 | Fixed an issue where BGP-ARE routes were not advertised due to a peer route map filter.
|
PAN-255294 | (PA-3410 firewalls only) Fixed an issue with an incorrectly open port.
|
PAN-255190 | Fixed an issue where the TCP timeout value was reflected incorrectly when using application override for a custom application in TAP mode.
|
PAN-255020 | Fixed an issue where the Panorama web interface did not display the push scope data for custom admin users when performing a partial commit and push.
|
PAN-254293 | Fixed an issue where an explicit proxy caused intermittent SSL handshake failures to SAP applications accessing public URLs.
|
PAN-253921 | Fixed an issue where the firewall displayed the following error message: critical userid registe 0 fail to integrate the update of registered ip addresses since 2 seconds ago; critical system log alerts observed.
|
PAN-252978 | (PA-3200 Series firewalls only) Fixed an issue where interfaces running at 10 Gbps did not display the speed and duplex information in the CLI or displayed only as auto.
|
PAN-252336 | Fixed an issue where newly added devices or existing deleted devices on the primary Panorama appliance were not updated on the secondary Panorama appliance if the secondary Panorama appliance experienced an HA sync commit failure.
|
PAN-251724 | Fixed an issue where users matched incorrect Security policy rules with a HIP profile.
|
PAN-251533 | (PA-450 firewalls only) Fixed an issue on the web interface where the DHCPv6 client was not available for VLAN interfaces.
|
PAN-251442 | Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly.
|
PAN-250928 | (PA-5450 firewalls in active/active HA configurations only) Fixed an issue where firewall traffic was silently dropped when sent to the peer owner.
|
PAN-250048 | Fixed an issue where applications did not load via the Clientless VPN portal when the portal was hosted on an L3 VLAN interface.
|
PAN-249748 | Fixed an issue where, when a dynamic address group with more than 500,000 addresses was created, the firewall displayed the error message pan_cfg_addresses_from_xmlhash failed.
|
PAN-247141 | Fixed an issue where DNS traffic did not match the intended SD-WAN policy rule when NAT was enabled.
|
PAN-245683 | Fixed an issue where committing a configuration change on a Panorama managed firewall caused a short outage for GlobalProtect clients.
|
PAN-243283 | (PA-3400 Series firewalls only) Fixed an issue where the firewall had a lower maximum number of Security profiles than expected.
|
PAN-242602 | Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.
|
PAN-241953 | |
PAN-241474 | (PA-5200 Series firewalls only) Fixed an issue where the firewall did not increment the flow_parse_ip_cksm counter when traffic with an IP address checksum error was received.
|
PAN-240144 | Fixed an issue where a multi-vsys firewall failed to authenticate to GlobalProtect with a new group that had the same name (suffixed or prefixed) as an existing group.
|
PAN-237294 | Fixed an issue where the interface rate counter intermittently went to zero frequently.
|
PAN-234411 | Fixed an issue where the authd process stopped responding.
|
PAN-233868 | Fixed an issue where the firewall took an incorrect action for overlapping custom and edl-url-categories in a policy rule.
|
PAN-226184 | Fixed an issue where push operations from Panorama were slow due to the rasmgr process taking longer than expected.
|