PAN-OS 8.1.13 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Post-Quantum Cryptography Detection and Control
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 8.1 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
-
- App-ID Changes in PAN-OS 8.1
- Authentication Changes in PAN-OS 8.1
- Content Inspection Changes in PAN-OS 8.1
- GlobalProtect Changes in PAN-OS 8.1
- User-ID Changes in PAN-OS 8.1
- Panorama Changes in PAN-OS 8.1
- Networking Changes in PAN-OS 8.1
- Virtualization Changes in PAN-OS 8.1
- Appliance Changes in PAN-OS 8.1
- Associated Software and Content Versions
- Limitations
-
- PAN-OS 8.1.26-h1 Addressed Issues
- PAN-OS 8.1.26 Addressed Issues
- PAN-OS 8.1.25-h3 Addressed Issues
- PAN-OS 8.1.25-h2 Addressed Issues
- PAN-OS 8.1.25-h1 Addressed Issues
- PAN-OS 8.1.25 Addressed Issues
- PAN-OS 8.1.24-h2 Addressed Issues
- PAN-OS 8.1.24-h1 Addressed Issues
- PAN-OS 8.1.24 Addressed Issues
- PAN-OS 8.1.23-h1 Addressed Issues
- PAN-OS 8.1.23 Addressed Issues
- PAN-OS 8.1.22 Addressed Issues
- PAN-OS 8.1.21-h3 Addressed Issues
- PAN-OS 8.1.21-h2 Addressed Issues
- PAN-OS 8.1.21-h1 Addressed Issues
- PAN-OS 8.1.21 Addressed Issues
- PAN-OS 8.1.20-h1 Addressed Issues
- PAN-OS 8.1.20 Addressed Issues
- PAN-OS 8.1.19 Addressed Issues
- PAN-OS 8.1.18 Addressed Issues
- PAN-OS 8.1.17 Addressed Issues
- PAN-OS 8.1.16 Addressed Issues
- PAN-OS 8.1.15-h3 Addressed Issues
- PAN-OS 8.1.15 Addressed Issues
- PAN-OS 8.1.14-h2 Addressed Issues
- PAN-OS 8.1.14 Addressed Issues
- PAN-OS 8.1.13 Addressed Issues
- PAN-OS 8.1.12 Addressed Issues
- PAN-OS 8.1.11 Addressed Issues
- PAN-OS 8.1.10 Addressed Issues
- PAN-OS 8.1.9-h4 Addressed Issues
- PAN-OS 8.1.9 Addressed Issues
- PAN-OS 8.1.8-h5 Addressed Issues
- PAN-OS 8.1.8 Addressed Issues
- PAN-OS 8.1.7 Addressed Issues
- PAN-OS 8.1.6-h2 Addressed Issues
- PAN-OS 8.1.6 Addressed Issues
- PAN-OS 8.1.5 Addressed Issues
- PAN-OS 8.1.4-h2 Addressed Issues
- PAN-OS 8.1.4 Addressed Issues
- PAN-OS 8.1.3 Addressed Issues
- PAN-OS 8.1.2 Addressed Issues
- PAN-OS 8.1.1 Addressed Issues
- PAN-OS 8.1.0 Addressed Issues
End-of-Life (EoL)
PAN-OS 8.1.13 Addressed Issues
PAN-OS® 8.1.13 addressed issues.
Issue ID | Description |
|---|---|
PAN-136698 | Fixed an issue where a process (all_pktproc) stopped
responding and the dataplane restarted when the firewall processed
a malformed GPRS tunneling protocol (GTP) packet. |
PAN-135260 | (PA-7000 Series firewalls running PAN-OS
8.1.12 only) Fixed an intermittent issue where the dataplane
process (all_pktproc_X) on a Network Processing Card
(NPC) restarted when processing IPSec tunnel traffic. |
PAN-134678 | (PA-5200 Series firewalls only)
Fixed an issue where the Quad Small Form-factor Pluggable (QSFP)
28 ports 21 and 22 did not respond when plugged in with a Finisar
100G AOC cable. |
PAN-133582 | Fixed an issue on the firewalls where some
Dynamic Address Groups pushed from Panorama were missing member
IP addresses. |
PAN-133440 | Fixed an issue where fragmented traffic
caused high dataplane use and firewall performance issues. |
PAN-133436 | Introduced the clear url-cache all CLI
command to aggressively clear the dataplane URL cache. |
PAN-133378 | Fixed an issue in Panorama where a process (configd)
restarted during a commit using a RADIUS super admin role. |
PAN-133048 | (PA-5200 and PA-7000 Series only)
Fixed an issue where traffic was processed asymmetrically when using
Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces. |
PAN-133042 | (PA-5200 and PA-7000 Series only)
Fixed an issue where certain GPRS tunneling protocol (GTP) traffic
was dropped even when gtp nodrop was
enabled. |
PAN-131993 | Fixed an issue where a process (reportd) stopped
responding while running a log query. |
PAN-131907 | Fixed an issue where GPRS tunneling protocol
(GTP) version 2 handling was unable to handle fully qualified tunnel
endpoint IDs (FTEID) coming in reverse order, leading to GTP-C and
GTP-U flows with incorrect IP addresses and tunnel endpoint IDs
(TEIDs). This caused a GTP stateful inspection failure for further
packets on the respective flows. |
PAN-130773 | Fixed an issue where users saw a page with
a random phone number for authentication and could not proceed further
in the authentication process when multi-factor authentication (MFA)
was configured as the authentication portal. |
PAN-130640 | Fixed an issue where the management plane
CPU was high due to index generation on summary logs. |
PAN-130573 | Fixed an issue where the software pool for
Regex results was depleted and caused connection failures. |
PAN-130447 | Fixed an issue where offloaded traffic was
dropped by the firewall every time there was an explicit commit (Commit on
the firewall locally or Commit All Changes in
Panorama) or an implicit commit (Antivirus update, Dynamic Update,
or WildFire update, and so on) was performed on the firewall. |
PAN-130345 | Fixed an issue where the Panorama VM rebooted
while filtering for configuration logs when the query value was
not one of the predefined string results. |
PAN-130290 | Fixed an issue where in the web interface,
traffic logs did not display the destination zone (Monitor
> Logs > Traffic > To Zone) for multicast sessions. |
PAN-130262 | Fixed a rare issue where 200 OK messages
were dropped during the offload of traffic for App-ID inspection. |
PAN-130229 | Fixed an issue on Panorama appliances where
you could not change maximum transmission unit (MTU) values from
the web interface and displayed the following error message: Malformed Request. |
PAN-130069 | Fixed an issue where the firewall incorrectly
interpreted an external dynamic list MineMeld instability error
code as an empty external dynamic list. |
PAN-129658 | Fixed an issue where GTP inspection stopped
functioning after unrelated changes in policy and a commit followed
by a high availability (HA) failover. |
PAN-129518 | Fixed an issue where the firewall restarted
due to an out-of-memory condition caused by a leak in a process (ikemgr). |
PAN-129490 | Fixed an issue where CRL/OCSP verifications
failed due to requests routing through the management interface
even when service route was configured. |
PAN-128908 | If an admin user password was changed but
no commit was performed afterward, the new password did not persist
after a reboot. Instead, the admin user could still use the old
password to log in, and the calculation of expiry days was incorrect
based on the password change timestamp in the database. |
PAN-128856 | Fixed an issue where the disk usage calculation
was getting corrupted and purging logs. |
PAN-128717 | Fixed an issue in Panorama where after switching
context to a managed device, the session idle timeout was not being
updated, and the web session timed out even when the administrator
was actively working. |
PAN-128248 | A fix was made to address a vulnerability
with a race condition due to an insecure creation of a file in a
temporary directory in PAN-OS (CVE-2020-2016). |
PAN-127087 | Fixed an issue in the firewalls where a
push operation (Commit All Changes) from
Panorama failed on the passive firewall when pushing a large number
of security policy additions to both firewalls in an HA pair. |
PAN-126412 | Fixed an issue where hardware security model
(HSM) authentication from the web interface failed if the password
contained an ampersand (&). |
PAN-126278 | Fixed an issue where a burst of VLAN-tagged
packets in a congested system caused an overflow and locked up the
firewall. The threshold has been increased with this fix. |
PAN-126202 | Fixed an issue where a process (routed)
stopped responding when users accessed the web interface to view
the OSPF interface data (Network > Virtual Routers >
More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured
in the OSPF Auth profile. |
PAN-126069 | Fixed an issue in Panorama where logs couldn't
be viewed when an additional log collector was configured in the
existing log collector group. |
PAN-126017 | Fixed an issue where set application dump on rule CLI
command did not accept rule names greater than 32 characters despite
a stated limit of 63 characters. |
PAN-125804 | A fix was made to address an issue where
an OS command injection vulnerability in the PAN-OS management server
allowed authenticated administrators to execute arbitrary OS commands
with root privileges when uploading a new certificate in FIPS-CC
mode (CVE-2020-2028). |
PAN-125546 | Fixed an issue where a process failed to
restart even when the system logs displayed the following message: virtual memory exceeded, restarting. |
PAN-125306 | Fixed an issue where a Transmission Control
Protocol (TCP) connection reuse was incorrectly handled by a high
availability (HA) active/active cluster with asymmetric flows. |
PAN-125243 | Fixed an issue where the VM-Series firewall
restarted due to a deadlock condition occurring when processing
QoS-enabled L7 traffic. |
PAN-125194 | Fixed an issue where system startup failed
when the collector group was configured with an incorrect serial
number of invalid length. |
PAN-125122 | A fix was made to address a cleartext transmission
of sensitive information vulnerability in Palo Alto Networks PAN-OS
and Panorama that disclosed an authenticated PAN-OS administrator's
PAN-OS session cookie (CVE-2020-2013). |
PAN-125032 | Fixed an issue when Minimum Password Complexity was Enabled for
all local administrators, the setting was also applied to plugin
users. This caused API calls from plugin users to fail (HTTP Error code 502)
because the password change was not made for the users and authentication
failed. |
PAN-124802 | Fixed an issue where LACP connectivity issues
were observed due to high CPU utilization when multiple dataplanes
were used. |
PAN-124621 | A fix was made to address an issue where
an OS command injection vulnerability in the PAN-OS web management
interface allowed authenticated administrators to execute arbitrary
OS commands with root privileges by sending a malicious request
to generate new certificates for use in the PAN-OS configuration (CVE-2020-2029). |
PAN-124495 | Fixed an issue on Panorama where the task
manager showed locally executed jobs but did not show tasks or jobs
pushed to managed firewalls. |
PAN-124428 | Fixed an issue where Address Resolution
Protocol (ARP) randomly failed on one of the interfaces for a firewall
deployed in the KVM/GCP/ESXi clouds. |
PAN-124087 | Fixed an issue where GPRS tunneling protocol
(GTP) v2 protocol handling was not able to handle the secondary
Modify Bearer Request/Response in the GTP-C session. |
PAN-123858 | Fixed an issue on firewalls where a process (useridd)
restarted while processing incorrect ip-user mappings
that contained blank usernames from User-ID agents. |
PAN-123843 | Fixed an issue for Cloud/VM platforms where
the tunnels between the log collectors did not come up when a public
IP was used for the log collectors in an environment with a Panorama
management server and two or more log collectors. |
PAN-123830 | Fixed an issue where the GlobalProtect™
portal used an outdated getbootstrap version. |
PAN-123747 | Fixed an issue where App-ID signatures failed
to match when there were more than 12 partial App-ID matches within
the same session. |
PAN-123736 | Fixed an issue where Create Session Request
message looped internally causing continuous packet inspection and
consuming firewall resources. |
PAN-123391 | A fix was made to address a predictable
temporary file vulnerability in PAN-OS (CVE-2020-1994). |
PAN-123295 | Fixed an issue where the dataplane restarted
due to a race condition when a configuration push and a Netflow
update occurred simultaneously. |
PAN-122909 | Fixed an issue on the firewalls where enabling SSL Forward
Proxy using the hardware security module (HSM) led to
intermittent failure while loading random secure websites with the following
message: ERR_CERT_INVALID. This occurred mainly
with servers presenting ECDSA certificates. |
PAN-122872 | Fixed an issue where the Aggregate Ethernet
(AE) subinterface showed a different status from the AE parent interface. |
PAN-122565 | Fixed an issue where a log collector with
a dynamically assigned IP address could not establish communication
between other log collectors. |
PAN-121827 | Fixed an issue where allow lists and auth
profiles in multi-vsys systems would not allow a user to be identified
in user groups.Users would show as Not in allow list because
the multi-vsys (vsys1) was shown as vsys0. |
PAN-121822 | Fixed an issue with certificate authentication
where only the topmost certificate was used to validate the client
certificate. |
PAN-121596 | Fixed an issue where the OSPF protocol didn't
choose the correct loopback address for the forwarding address in
the Not-So-Stubby Area (NSSA). |
PAN-121319 | A fix was made to address a stack-based
buffer overflow vulnerability in the management server component
of PAN-OS (CVE-2020-1990). |
PAN-121258 | Fixed an issue where some SSLv3 session
traffic logs showed an Allow action even when the security rule
policy had a Deny action when the url-proxy setting was enabled. |
PAN-121058 | A fix was made to address a DOM-based cross
site scripting vulnerability in the PAN-OS and Panorama management
web interfaces (CVE-2020-2017). |
PAN-120726 | Fixed an issue where the firewall incorrectly
populated the username after the user had been served an Anti-Phishing
Continue Page due to credential phishing detection. |
PAN-120640 | Fixed an issue where ‘show routing bfd‘
related commands triggered a routed memory leak. |
PAN-120350 | Fixed an issue where an Address Resolution
Protocol (ARP) broadcast storm potentially overloaded the Log Processing
Card (LPC) and caused the device to reboot. |
PAN-119810 | A fix was made to address the improper restriction
of the XML external entity (XXE) vulnerability in the Palo Alto
Networks Panorama management server (CVE-2020-2012). |
PAN-119173 | (PA-5000 and PA-3000 Series only)
Fixed an issue where the passive device in a high availability (HA)
pair started processing traffic, which resulted in a packet buffer
leak. |
PAN-118957 | A fix was made to address an authentication
bypass spoofing vulnerability in the authentication daemon and User-ID
components of Palo Alto Networks PAN-OS (CVE-2020-2002). |
PAN-118075 | Fixed an issue where the BGP conditional
advertisement did not respond as expected, which caused the prefix
in the Advertise Filters (Network
> Virtual Router > BGP > Conditional Adv) to be incorrectly
advertised. |
PAN-117479 | A fix was made to address a vulnerability
with the Nginx web server included with PAN-OS (CVE-2017-7529). |
PAN-117108 | Fixed an issue on the firewalls where the
user mappings populated by the XML API were lost after rebooting. |
PAN-116842 | Fixed an issue in the firewalls where after
enabling a Cortex Data Lake license, if some connections between
the firewall and Customer Support Portal server were blocked, the
management plane memory utilization would start increasing, leading
to multiple process restarts due to an out-of-memory condition. |
PAN-115562 | Fixed an issue where superuser CLI permissions
for role-based administrators did not match superuser privileges. |
PAN-114648 | (PA-3200 Series only) Fixed an
issue where high availability (HA1) hearbeat backup connection flaps
occurred due to ping failures caused by unavailability of buffer
space when Heartbeat Backup was configured (Device
> High Availability > Election Settings). |
PAN-114236 | Java Runtime Environment (JRE) was upgraded
to 1.8.0_201. |
PAN-112899 | Fixed an issue where the content update
failed due to the appweb process periodically restarting. |
PAN-111636 | A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109,
and CVE-2019-6111). |
PAN-111061 | A fix was made to upgrade OpenSSH software
included with PAN-OS (PAN-SA-2020-0005 / CVE-2016-10012). |
PAN-109808 | Fixed an issue on the Panorama API where
exporting packet capture (pcap) using the XML API failed, and the
web interface displayed the following error message: session id is missing.
For Panorama, you can specify either the serial number or both the device_name and sessionid. |
PAN-109767 | Fixed an issue where high availability (HA)
sync would fail due to a large core being enabled on one peer. |
PAN-108992 | A fix was made to address an improper authorization
vulnerability in PAN-OS (CVE-2020-1998). |
PAN-108356 | Fixed an issue in Panorama where progress
stopped on a commit if there was a missing device group. |
PAN-107650 | Fixed an isolated issue that caused a process (configd)
to restart due to kernel segmentation fault errors and caused a
core file to be generated. |
PAN-106784 | Fixed an issue to simplify the code in the
web interface when changing administrator passwords. |
PAN-105880 | Fixed an issue where Panorama failed to
commit templates, including log correlation configurations, to firewalls
that do not support log correlation. Note: Correlation
is not supported on PA-200, PA-220, PA-500, PA-820, PA-850, and
PA-VM platforms. |
PAN-104701 | Fixed an issue where the dynamic update
sync to peer failed when the firewalls were in a high availability
(HA) configuration. |
PAN-103038 | A fix was made to address a predictable
temporary filename vulnerability (CVE-2020-1981). |
PAN-102839 | Fixed an issue where the IPSec tunnel size
limit set by the customer was not maintained correctly in the system. |
PAN-102674 | A fix was made to address a shell command
injection vulnerability in the PAN-OS CLI (CVE-2020-1980). |
PAN-102096 | (PA-7000 Series firewalls only)
Fixed an issue where first packet processor packet buffer is not
allocated with proper alignment, which caused memory corruption. |
PAN-100734 | A fix was made to address a buffer flow
vulnerability in the PAN-OS management interface where authenticated
users were able to crash system processes or execute arbitrary code
with root privileges (CVE-2020-2015). |
PAN-99359 | Fixed an issue where the ZIP hardware processing
engine stopped processing ZIP-related requests. |
PAN-97584 | A fix was made to address a format string
vulnerability in the PAN-OS log daemon (logd) on Panorama (CVE-2020-1979). |
PAN-95651 | (PA-3200 Series firewalls only)
Fixed an issue where incomplete core dump files were generated when
the dataplane stopped responding, which made troubleshooting difficult. |
PAN-74442 | Resolved an issue where after enabling debugs
on the dataplane, the debug logs contained information about unrelated
traffic. |