Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.

Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or SSL to a syslog server.

Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.

Fixed an issue in a WF-500 appliance cluster where the controller backup node was stuck in

global-db-service: WaitingforLeaderReady

status when you tried to add nodes to the cluster.

Fixed an issue where firewalls and Panorama management servers couldn’t retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new

debug device data-migration show

CLI command on the WF-500 appliance after each upgrade to verify data migration finished successfully (output is

Migration inMySQL is successful

). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.

Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog servers.

Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to

debug

(through the

debug management-server on debug

CLI command).

Fixed an issue where the firewall web interface didn't display System logs (

Monitor

Logs

System

) after you upgraded to PAN-OS 8.1 and then logged in using an administrative account that existed before the upgrade.

Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated

application insufficient-data

).

Fixed an issue on the Panorama management server where characters in the

Secret

string of a TACACS+ server profile changed on the firewall after you pushed the server profile configuration from a template stack (

Device

Server Profiles

TACACS+

).

Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewalls where the GlobalProtect data file installation failed after you upgraded the firewall to PAN-OS 8.1.

Fixed an issue where the firewall and Panorama management server displayed policy rules in a jumbled order when you scrolled the rule list in the

Policies

tab. The firewall and Panorama also opened the wrong rule for editing when you double-clicked one.

Fixed an issue where System logs included the following debugging information even though the firewall successfully resolved IP addresses:

Failed to resolve domain name:xxx.yyy.zzafter trying all attempts to name servers: A.B.C.D, W.X.Y.Z

. With this fix, daemon logs include that debugging information instead of System logs.

Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP authentication failed if the associated authentication profile had an

Allow List

with entries other than

All

(

Device

Authentication Profile

).

Fixed an issue where GlobalProtect client authentication failed after you entered domains in upper case characters in the

Allow List

of an authentication profile (

Device

Authentication Profile

<authentication_profile>

Advanced

).

Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason

resources-unavailable

.

Fixed an issue where the

Check URL Category

link in URL Filtering profiles opened a page that displayed a

page not found

error instead of opening the web page used to check the PAN-DB URL Filtering database for the URL Filtering category of a URL (

Objects

Security Profiles

URL Filtering

).

Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.

Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for high availability (HA). The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.

Fixed the following LDAP authentication issues:

Fixed an issue where the default view and maximized view of the Application Usage report (

ACC

Network Activity

) didn't display matching values when you set the

Time

to

Last 12 Hrs

or a longer period.

Fixed an issue where GTP traffic failed because the firewall dropped GTP-U echo request packets.

Fixed an issue where device monitoring did not work on the Panorama management server.

Fixed an issue on firewalls with SSL decryption configured where the dataplane restarted because the all_pktproc process stopped responding after decryption errors occurred.

Fixed an issue where the GlobalProtect agent couldn't split tunnel applications based on the destination domain because the

Include Domain

and

Exclude Domain

lists were not pushed to the agent after the user established the GlobalProtect connection (

Network

GlobalProtect

Gateways

gateway>

Agent

Client Settings

client_settings_configuration>

Split Tunnel

Domain and Application

). In addition, the GlobalProtect agent couldn't include applications in the VPN tunnel based on the application process name because the

Include Client Application Process Name

list was not pushed to the agent after the user established the GlobalProtect connection.

Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.

Fixed an issue on firewalls where the Log Collector preference list displayed the IP address as unknown for a Panorama Log Collector deployed on AWS if the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have a public IP address configured and you pushed configurations to the Collector Group.

Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (

Monitor

Logs

Traffic

) after you set the

Max Rows in CSV Export

to more than 500,000 rows (

Panorama

Setup

Management

Logging and Reporting Settings

Log Export and Reporting

).

Fixed an issue where the firewall web interface didn't display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.

Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).

Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.

Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to a DHCP discover request, causing DHCP IP assignments to fail.

A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).

Fixed an issue on hardware firewalls that were decrypting SSL traffic where multiple commits in a short period of time caused the firewalls to become unresponsive.

Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.

Fixed an issue where a Panorama appliance experienced memory depletion after allowing you to mistakenly enter the IP address of the appliance when using the

set deviceconfig system panorama-server

<IP_address>

or

set log-collector

<Log_Collector>

deviceconfig system

configuration mode CLI commands. These commands enable connectivity with separate appliances. With this fix, the command displays an error message when you specify the IP address of the appliance on which you run the command instead of the appliance to which it must connect. The correct IP address depends on the type of appliance on which you run the command:

Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, the firewall enables the blocking of any traffic with a malformed URL.

Fixed an issue where firewalls configured for User-ID redistribution failed to redistribute IP address-to-username mappings due to a memory leak.

Fixed an issue where the Panorama management server could not generate reports and the ACC page became unresponsive when too many heartbeats were missed because Panorama never cleared reportIDs greater than 65535.

Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.

Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.

Fixed an issue on the Panorama management server where administrators with read-only privileges couldn’t view deployment

Schedules

for content updates (

Panorama

Device Deployment

Dynamic Updates

).

Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.

Fixed an issue where a Panorama Collector Group didn’t forward logs to some external servers after you configured multiple server profiles (

Panorama

Collector Groups

<Collector_Group>

Collector Log Forwarding

).

Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS 8.1 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.1 base image until after you download and install the PAN-OS 8.1.1 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information.

Fixed an issue where SSL Forward Proxy decryption didn’t work after you excluded every predefined

Hostname

from decryption (

Device

Certificate Management

SSL Decryption Exclusion

).

Fixed an issue where enabling jumbo frames (

Device

Setup

Session

) reduced throughput because:

Fixed an issue where the Panorama management server didn't display log data in

Monitor

Logs

, the

ACC

tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.

Fixed an issue where, when you tried to export a custom report, and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.

Fixed an issue where the firewall didn't

Block sessions with unsupported cipher suites

based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a

Decryption Profile

with a list of allowed ciphers that didn't match the ciphers that the destination server specified (

Objects

Decryption

Decryption Profile

). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.

Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a

DHCP Client

(

Network

Interfaces

Ethernet

<subinterface>

IPv4

) and disabled the

Use Hypervisor Assigned MAC Address

option (

Device

Management

Setup

).

Fixed an issue where firewalls in an active/passive HA configuration took longer than expected to fail over after you configured them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).

Fixed an issue where the firewall web interface displayed a blank

Device

Licenses

page when you had 10 x 5 phone support.

Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected

Log container page only

and set the

User Credential Submission

action to

alert

for the URL category in a URL Filtering profile (

Objects

Security Profiles

URL Filtering

<ULR_Filtering_profile>

). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable

Log container page only

in the URL Filtering profile.

Fixed an issue where the Panorama management server intermittently did not refresh health data for managed firewalls (

Panorama

Managed Devices

Health

) and therefore displayed 0 for session statistics.

Fixed an issue where the firewall didn't generate a System log to indicate when the reason that end users couldn’t authenticate to a GlobalProtect portal was a DNS resolution failure for the FQDNs in a RADIUS server profile (

Device

Server Profiles

RADIUS

).

Fixed an issue on VM-Series firewalls for Azure where, after the firewall rebooted, some interfaces configured as DHCP clients intermittently did not receive DHCP-assigned IP addresses.

Fixed an issue where endpoint users could not authenticate to GlobalProtect when specifying a

User Domain

with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (

Device

Authentication Profile

).

As an enhancement to improve security for the firewall, the management (MGT) interface now includes the following HTTP security headers: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).

Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.

Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.

Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.

Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (

Device

Server Profiles

RADIUS

) and enabled the gateway to

Retrieve Framed-IP-Address attribute from authentication server

(

Network

GlobalProtect

Gateways

<gateway>

Agent

Client Settings

<client_settings_configuration>

IP Pools

). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.

An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server.

To specify the version, use the

debug system https-settings tls-version

CLI command. (To view the version that is currently specified, use the

debug system https-settings

command.)

Fixed an issue where firewalls in an active/passive HA configuration didn’t synchronize multicast sessions between the firewall HA peers.

Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly

Rematch all sessions on config policy change

for offloaded sessions (

Device

Setup

Session

).

Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.

Fixed an issue where the Panorama management server intermittently displayed the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (

Panorama

Managed Collectors

).

Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (

Network

IPSec Tunnels

<tunnel>

Proxy IDs

) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).

Fixed an issue on the Panorama virtual appliance on a VMware ESXi server where VMware Tools failed to start after you upgraded to PAN-OS 8.1.

Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition.

Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.

Fixed an issue where the firewall didn’t efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.

Fixed an issue on the Panorama virtual appliance for Azure where commit operations failed after you added administrator accounts other than the default admin account, switched from Panorama mode to Log Collector mode, made configuration changes, and then tried to commit your changes. With this fix, Panorama removes all administrator accounts other than the default admin account when you switch to Log Collector mode. Dedicated Log Collectors support only the default admin account.

Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.

Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.

Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was

Error:Duplicate user name

) after you connected a new suspended-secondary peer to an active-primary peer.

Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (

Objects

Security Profiles

URL Filtering

).

Fixed an issue where User-ID agents configured to detect credential phishing didn’t detect passwords that contained a blank space.

Fixed an issue where, after receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentified them as user accounts and overrode usernames with machine names in IP address-to-username mappings.

Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a

Hostname

set to a Layer 3 subinterface or VLAN interface (

Network

GlobalProtect

Portals

<portal>

Clientless VPN

General

).

Fixed an issue where, after you configured a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could not be redirected if you did not configure any security profiles (such as a File Blocking profile) for your firewall Security policies.

Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.

As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

Fixed an issue where the firewall dropped packets based on a QoS class even though traffic didn’t exceed the maximum bandwidth for that class.

Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled.