Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet.

(PA-7000 Series firewalls running PAN-OS 8.1.12 only) Fixed an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.

(PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.

Fixed an issue on the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses.

Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.

Introduced the clear url-cache all CLI command to aggressively clear the dataplane URL cache.

Fixed an issue in Panorama where a process (configd) restarted during a commit using a RADIUS super admin role.

(PA-5200 and PA-7000 Series only) Fixed an issue where traffic was processed asymmetrically when using Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces.

(PA-5200 and PA-7000 Series only) Fixed an issue where certain GPRS tunneling protocol (GTP) traffic was dropped even when gtp nodrop was enabled.

Fixed an issue where a process (reportd) stopped responding while running a log query.

Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling was unable to handle fully qualified tunnel endpoint IDs (FTEID) coming in reverse order, leading to GTP-C and GTP-U flows with incorrect IP addresses and tunnel endpoint IDs (TEIDs). This caused a GTP stateful inspection failure for further packets on the respective flows.

Fixed an issue where users saw a page with a random phone number for authentication and could not proceed further in the authentication process when multi-factor authentication (MFA) was configured as the authentication portal.

Fixed an issue where the management plane CPU was high due to index generation on summary logs.

Fixed an issue where the software pool for Regex results was depleted and caused connection failures.

Fixed an issue where offloaded traffic was dropped by the firewall every time there was an explicit commit (Commit on the firewall locally or Commit All Changes in Panorama) or an implicit commit (Antivirus update, Dynamic Update, or WildFire update, and so on) was performed on the firewall.

Fixed an issue where the Panorama VM rebooted while filtering for configuration logs when the query value was not one of the predefined string results.

Fixed an issue where in the web interface, traffic logs did not display the destination zone (Monitor > Logs > Traffic > To Zone) for multicast sessions.

Fixed a rare issue where 200 OK messages were dropped during the offload of traffic for App-ID inspection.

Fixed an issue on Panorama appliances where you could not change maximum transmission unit (MTU) values from the web interface and displayed the following error message: Malformed Request.

Fixed an issue where the firewall incorrectly interpreted an external dynamic list MineMeld instability error code as an empty external dynamic list.

Fixed an issue where GTP inspection stopped functioning after unrelated changes in policy and a commit followed by a high availability (HA) failover.

Fixed an issue where the firewall restarted due to an out-of-memory condition caused by a leak in a process (ikemgr).

Fixed an issue where CRL/OCSP verifications failed due to requests routing through the management interface even when service route was configured.

If an admin user password was changed but no commit was performed afterward, the new password did not persist after a reboot. Instead, the admin user could still use the old password to log in, and the calculation of expiry days was incorrect based on the password change timestamp in the database.

Fixed an issue where the disk usage calculation was getting corrupted and purging logs.

Fixed an issue in Panorama where after switching context to a managed device, the session idle timeout was not being updated, and the web session timed out even when the administrator was actively working.

A fix was made to address a vulnerability with a race condition due to an insecure creation of a file in a temporary directory in PAN-OS (CVE-2020-2016).

Fixed an issue in the firewalls where a push operation (Commit All Changes) from Panorama failed on the passive firewall when pushing a large number of security policy additions to both firewalls in an HA pair.

Fixed an issue where hardware security model (HSM) authentication from the web interface failed if the password contained an ampersand (&).

Fixed an issue where a burst of VLAN-tagged packets in a congested system caused an overflow and locked up the firewall. The threshold has been increased with this fix.

Fixed an issue where a process (routed) stopped responding when users accessed the web interface to view the OSPF interface data (Network > Virtual Routers > More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured in the OSPF Auth profile.

Fixed an issue in Panorama where logs couldn't be viewed when an additional log collector was configured in the existing log collector group.

Fixed an issue where set application dump on rule CLI command did not accept rule names greater than 32 characters despite a stated limit of 63 characters.

A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS management server allowed authenticated administrators to execute arbitrary OS commands with root privileges when uploading a new certificate in FIPS-CC mode (CVE-2020-2028).

Fixed an issue where a process failed to restart even when the system logs displayed the following message: virtual memory exceeded, restarting.

Fixed an issue where a Transmission Control Protocol (TCP) connection reuse was incorrectly handled by a high availability (HA) active/active cluster with asymmetric flows.

Fixed an issue where the VM-Series firewall restarted due to a deadlock condition occurring when processing QoS-enabled L7 traffic.

Fixed an issue where system startup failed when the collector group was configured with an incorrect serial number of invalid length.

A fix was made to address a cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS and Panorama that disclosed an authenticated PAN-OS administrator's PAN-OS session cookie (CVE-2020-2013).

Fixed an issue when Minimum Password Complexity was Enabled for all local administrators, the setting was also applied to plugin users. This caused API calls from plugin users to fail (HTTP Error code 502) because the password change was not made for the users and authentication failed.

Fixed an issue where LACP connectivity issues were observed due to high CPU utilization when multiple dataplanes were used.

A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS web management interface allowed authenticated administrators to execute arbitrary OS commands with root privileges by sending a malicious request to generate new certificates for use in the PAN-OS configuration (CVE-2020-2029).

Fixed an issue on Panorama where the task manager showed locally executed jobs but did not show tasks or jobs pushed to managed firewalls.

Fixed an issue where Address Resolution Protocol (ARP) randomly failed on one of the interfaces for a firewall deployed in the KVM/GCP/ESXi clouds.

Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling was not able to handle the secondary Modify Bearer Request/Response in the GTP-C session.

Fixed an issue on firewalls where a process (useridd) restarted while processing incorrect ip-user mappings that contained blank usernames from User-ID agents.

Fixed an issue for Cloud/VM platforms where the tunnels between the log collectors did not come up when a public IP was used for the log collectors in an environment with a Panorama management server and two or more log collectors.

Fixed an issue where the GlobalProtect™ portal used an outdated getbootstrap version.

Fixed an issue where App-ID signatures failed to match when there were more than 12 partial App-ID matches within the same session.

Fixed an issue where Create Session Request message looped internally causing continuous packet inspection and consuming firewall resources.

A fix was made to address a predictable temporary file vulnerability in PAN-OS (CVE-2020-1994).

Fixed an issue where the dataplane restarted due to a race condition when a configuration push and a Netflow update occurred simultaneously.

Fixed an issue on the firewalls where enabling SSL Forward Proxy using the hardware security module (HSM) led to intermittent failure while loading random secure websites with the following message: ERR_CERT_INVALID. This occurred mainly with servers presenting ECDSA certificates.

Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a different status from the AE parent interface.

Fixed an issue where a log collector with a dynamically assigned IP address could not establish communication between other log collectors.

Fixed an issue where allow lists and auth profiles in multi-vsys systems would not allow a user to be identified in user groups.Users would show as Not in allow list because the multi-vsys (vsys1) was shown as vsys0.

Fixed an issue with certificate authentication where only the topmost certificate was used to validate the client certificate.

Fixed an issue where the OSPF protocol didn't choose the correct loopback address for the forwarding address in the Not-So-Stubby Area (NSSA).

A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS (CVE-2020-1990).

Fixed an issue where some SSLv3 session traffic logs showed an Allow action even when the security rule policy had a Deny action when the url-proxy setting was enabled.

A fix was made to address a DOM-based cross site scripting vulnerability in the PAN-OS and Panorama management web interfaces (CVE-2020-2017).

Fixed an issue where the firewall incorrectly populated the username after the user had been served an Anti-Phishing Continue Page due to credential phishing detection.

Fixed an issue where ‘show routing bfd‘ related commands triggered a routed memory leak.

Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm potentially overloaded the Log Processing Card (LPC) and caused the device to reboot.

A fix was made to address the improper restriction of the XML external entity (XXE) vulnerability in the Palo Alto Networks Panorama management server (CVE-2020-2012).

(PA-5000 and PA-3000 Series only) Fixed an issue where the passive device in a high availability (HA) pair started processing traffic, which resulted in a packet buffer leak.

A fix was made to address an authentication bypass spoofing vulnerability in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS (CVE-2020-2002).

Fixed an issue where the BGP conditional advertisement did not respond as expected, which caused the prefix in the Advertise Filters (Network > Virtual Router > BGP > Conditional Adv) to be incorrectly advertised.

A fix was made to address a vulnerability with the Nginx web server included with PAN-OS (CVE-2017-7529).

Fixed an issue on the firewalls where the user mappings populated by the XML API were lost after rebooting.

Fixed an issue in the firewalls where after enabling a Cortex Data Lake license, if some connections between the firewall and Customer Support Portal server were blocked, the management plane memory utilization would start increasing, leading to multiple process restarts due to an out-of-memory condition.

Fixed an issue where superuser CLI permissions for role-based administrators did not match superuser privileges.

(PA-3200 Series only) Fixed an issue where high availability (HA1) hearbeat backup connection flaps occurred due to ping failures caused by unavailability of buffer space when Heartbeat Backup was configured (Device > High Availability > Election Settings).

Java Runtime Environment (JRE) was upgraded to 1.8.0_201.

Fixed an issue where the content update failed due to the appweb process periodically restarting.

A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111).

A fix was made to upgrade OpenSSH software included with PAN-OS (PAN-SA-2020-0005 / CVE-2016-10012).

Fixed an issue on the Panorama API where exporting packet capture (pcap) using the XML API failed, and the web interface displayed the following error message: session id is missing. For Panorama, you can specify either the serial number or both the device_name and sessionid.

Fixed an issue where high availability (HA) sync would fail due to a large core being enabled on one peer.

A fix was made to address an improper authorization vulnerability in PAN-OS (CVE-2020-1998).

Fixed an issue in Panorama where progress stopped on a commit if there was a missing device group.

Fixed an isolated issue that caused a process (configd) to restart due to kernel segmentation fault errors and caused a core file to be generated.

Fixed an issue to simplify the code in the web interface when changing administrator passwords.

Fixed an issue where Panorama failed to commit templates, including log correlation configurations, to firewalls that do not support log correlation. Note: Correlation is not supported on PA-200, PA-220, PA-500, PA-820, PA-850, and PA-VM platforms.

Fixed an issue where the dynamic update sync to peer failed when the firewalls were in a high availability (HA) configuration.

A fix was made to address a predictable temporary filename vulnerability (CVE-2020-1981).

Fixed an issue where the IPSec tunnel size limit set by the customer was not maintained correctly in the system.

A fix was made to address a shell command injection vulnerability in the PAN-OS CLI (CVE-2020-1980).

(PA-7000 Series firewalls only) Fixed an issue where first packet processor packet buffer is not allocated with proper alignment, which caused memory corruption.

A fix was made to address a buffer flow vulnerability in the PAN-OS management interface where authenticated users were able to crash system processes or execute arbitrary code with root privileges (CVE-2020-2015).

Fixed an issue where the ZIP hardware processing engine stopped processing ZIP-related requests.

A fix was made to address a format string vulnerability in the PAN-OS log daemon (logd) on Panorama (CVE-2020-1979).

(PA-3200 Series firewalls only) Fixed an issue where incomplete core dump files were generated when the dataplane stopped responding, which made troubleshooting difficult.