PAN-OS 8.1.14 Addressed Issues
Focus
Focus

PAN-OS 8.1.14 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 8.1.14 Addressed Issues

PAN-OS® 8.1.14 addressed issues.
PA-7000 Series firewalls do not support the PAN-OS 8.1.14 release.
Issue ID
Description
WF500-5185
(WF-500 appliances only) Fixed an issue where inadequate rotation of log files caused unusually high disk usage.
PAN-140270
Added debugging task to periodically collect output (in the Tech Support File (TSF) from the debug dataplane internal pdt bcm counters graphical CLI command.
PAN-139555
Fixed an issue in a high availability (HA) configuration where, after upgrading the passive firewall, the outer UDP sessions synced from the active firewall did not retain rule information and GPRS tunneling protocol (GTP) inspection failed after failover.
PAN-137673
Fixed an issue where a memory leak associated with the (devsrvr) process caused an out-of-memory (OOM) condition on the firewall.
PAN-136820
Fixed an issue where an HA failover occurred after the firewall reported the following error message in the System log: Dataplane down: controlplane exit failure.
PAN-136470
Fixed an issue where a process (all_pktproc) restarted and caused the dataplane to restart after processing packets with 0.0.0.0 and destination protocol 251 that internally mapped to GTP-C traffic.
PAN-135909
Fixed an issue where connections to the web interface were abruptly interrupted due to a double free condition (gPanUiPhpGlobal_secure_config_reset), which led to unexpected process restarts.
PAN-135684
Fixed an issue with log collectors on Panorama where large indexes caused higher than expected CPU usage when disk space usage was high.
PAN-134707
Fixed an issue where a commit took longer than expected after upgrading when Negate was enabled for addresses in a rule.
PAN-134547
Fixed an issue where the passive firewall in an active/passive HA configuration deleted BGP-learned routes that were synchronized from the active firewall when the BGP configuration included the redistribution of the learned routes.
PAN-134431
Fixed an issue with Security Assertion Markup Language (SAML) authentication where the firewall used old authd_id values, which resulted in failed authentication.
PAN-134370
Fixed an issue where a process (mp-relay) restarted due to missing routes or next hops.
PAN-133289
Fixed an issue where improper parsing of the URL database caused high device-server CPU usage.
PAN-132898
Fixed an intermittent issue where logs were missing with log_index debug messages due to merging of the index.
PAN-131939
Fixed an issue where the dataplane restarted during file transfer due to one or more content updates being installed at the same time.
PAN-131922
Fixed an issue where the certificate was not automatically pushed to the firewall until you manually fetched the certificate from the firewall.
PAN-131517
Fixed an issue with a memory corruption error that caused a process (all_pktproc) to restart.
PAN-131501
Fixed an issue when configuring Clientless VPN and executing the portal-getconfig CLI command where user groups were retrieved but were not freed, which caused a memory leak in the sslvpn process.
PAN-130750
Fixed an issue where a commit failed on the firewall after disabling Pre-Defined Reports from Panorama.
PAN-130361
A fix was made to address an external control of filename vulnerability in the SD-WAN component of Palo Alto Networks Panorama (CVE-2020-2009).
PAN-129328
Fixed an issue where packet descriptor (on-chip) usage reached 100% even though buffers, throughput, and session counts were not elevated.
PAN-129289
Fixed an issue where export failed for a large running-config.xml file using the XML API.
PAN-128568
Fixed a rare issue where a process (pan_task) restarted due to a NULL pointer exception.
PAN-128330
Fixed an issue where the response for the XML API call for the show object registered-ip all operational CLI command included extra appended content.
PAN-127614
Fixed an issue where SNMPv3 monitoring of the firewall failed from the Zabbix server after a firewall reboot or SNMP process restart on the firewall.
PAN-127189
Fixed an issue where images displayed through the Clientless VPN were corrupted.
PAN-127118
A fix was made to address an OS command line injection vulnerability in the PAN-OS management server where authenticated users were able to inject arbitrary shell commands with root privileges (CVE-2020-2014).
PAN-127004
Fixed an issue where a process (sysd) restarted due to missing heartbeats.
PAN-126817
Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error even when the firewall had the same certificate on the identity provider.
PAN-126362
A fix was made to address a command injection vulnerability in the PAN-OS management interface where an authenticated administrator was able to execute arbitrary OS commands with root privileges (CVE-2020-2010).
PAN-126205
Fixed an issue where role-based administrators were unable to import certificate private keys onto firewalls.
PAN-125934
Fixed an issue on Panorama where a commit failed when bootstrapping a firewall to a configuration with a serial number of "unknown." The commit failed with the following error message: mgt-config -> devices -> unknown unknown is invalid.
PAN-125889
(PA-7000 Series firewalls only) Fixed an issue where auto-tagging failed for log forwarding.
PAN-125794
Fixed an issue where a role-based adminstrator with CLI access was unable to successfully execute the commit-partial CLI command to commit only changes made by themselves.
PAN-125730
Fixed an issue where packets tagged with IP protocol 252 were incorrectly treated as GPRS tunneling protocol (GTP) traffic, which caused the packet processor to terminate.
PAN-125534
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance.
PAN-125527
Fixed an issue where multilayer ZIP-file inspection caused software buffer corruption and caused the all_pktproc process to restart.
PAN-125410
Fixed an issue where a new GPRS tunneling protocol version 2 control plane (GTPv2-C) session reused GTP-C tunnel parameters within two seconds after deleting the old GTP-C session, which caused a session conflict on the firewall.
PAN-124039
A fix was made to address an issue where the GlobalProtect Portal feature in PAN-OS did not set a new session identifier after a successful user login (CVE-2020-1993).
PAN-123637
(PA-3200 Series firewalls only) Fixed an issue where configuring 1G small form-factor pluggable (SFP) ports on a firewall with forced speed mode (of 1G) enabled made the link unusable when forced speed mode (of 1G) was also enabled on the peer firewall.
PAN-122432
Fixed an issue where the firewall failed to correctly read the virtual system (vsys), which eventually resulted in a management server process restart.
PAN-121626
(PA-3200 Series firewalls only) Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures.
PAN-119806
Fixed an issue where the dataplane restarted due to internal packet path monitoring failure.
PAN-118226
A fix was made to address an improper input validation vulnerability in the configuration daemon of Palo Alto Networks Panorama (CVE-2020-2011).
PAN-117955
A fix was made to address a missing authorization vulnerability in the Panorama management server (CVE-2020-1996).
PAN-117480
A fix was made to upgrade Nginx software included with PAN-OS (PAN-SA-2020-0006 / CVE-2016-4450 and CVE-2013-0337).
PAN-116480
Fixed an issue in Panorama where the show system search-engine-quota CLI command, the show log-collector serial-number <log-collector_SN> CLI command, and Statistics (Panorama > Managed Collectors > Statistics) showed incorrect log retention data.
PAN-116189
Fixed an issue where Session Initiation Protocol (SIP) calls failed and displayed the following error message: end-reason : resources-unavailable.
PAN-102688
A fix was made to address an OS command injection and external control of filename vulnerability in Palo Alto Networks PAN-OS (CVE-2020-2008).
PAN-102682
A fix was made to address an OS command injection vulnerability in the management component of PAN-OS where an authenticated user was able to potentially execute arbitrary commands with root privileges (CVE-2020-2007).
PAN-100855
A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS where an authenticated user was able to execute arbitrary code with root privileges (CVE-2020-2006).
PAN-100415
A fix was made to address an external control of filename vulnerability in the command processing of PAN-OS (CVE-2020-2003).
PAN-100006
(PA-200 firewalls only) Fixed an issue where the User-ID™ process caused an out-of-memory (OOM) condition when the number of IP address tags monitored from Amazon Web Services (AWS) VM Monitoring was greater than the maximum supported number.
PAN- 99551
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where the User-ID™ process stopped responding on the passive firewall when the system was managing a high number of (more than 30,000) active users.
PAN-96104
Fixed an issue in the web interface where the language preference reverted to English after logging out from a session that was authenticated by Security Assertion Language Markup (SAML) single sign-on (SSO).
PAN-88136
Fixed a rare issue where a URL update caused the dataplane to restart.
PAN-82052
A fix was made to address an open redirection vulnerability in the GlobalProtect component of Palo Alto Networks PAN-OS (CVE-2020-1997).
PAN-71148
Fixed an issue on Panorama where the ACC tab did not show data for the period before the daylight saving time (DST) change.