PAN-OS 8.1.19 Addressed Issues
Focus
Focus

PAN-OS 8.1.19 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 8.1.19 Addressed Issues

PAN-OS® 8.1.19 addressed issues.
Issue ID
Description
PAN-161731
Functionality was added to enable, via the CLI, the removal of key exchange algorithms used by SSH.
  • Use debug system ssh-kex-prune cipher [diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 .. ] to enable removal of specified key exchanges.
  • Use debug system ssh-kex-prune none to enable addition of key exchanges.
PAN-159135
Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate was enabled in the SAML Server Profile in vsys3 or above.
PAN-158988
Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
PAN-158844
Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
PAN-158638
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP): invalid ocsp response sig-alg.
PAN-156240
A fix was made to address an issue where a cryptographically weak pseudo-random number (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator’s session (CVE-2021-3047).
PAN-155009
Fixed an issue on the firewall where executing the request system bootstrap-usb prepare CLI command returned a server error.
PAN-154114
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).
PAN-153213
Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
PAN-152648
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
PAN-152098
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a - character in the rule usage column.
PAN-151458
Fixed an issue on firewalls with high availability active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
PAN-150998
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
PAN-150852
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
PAN-150798
(PA-7000 Series firewalls only) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
PAN-150023
A fix was made to address an issue where an improper authentication vulnerability enabled a Security Assertion Markup Language (SAML) authenticated user to impersonate any user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
PAN-149641
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMWare vCenter Server.
PAN-149339
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
PAN-147783
Checks were added to help prevent the dataplane from restarting.
PAN-147781
A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).
PAN-147254
jQuery was updated to 3.5.1.
PAN-147221
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints
PAN-145733
Fixed an issue where the SNMP INDEX for panZoneTable on the PAN-COMMON-MIB.my file did not work as expected, which led to entries in panZoneTable not being uniquely identified.
PAN-144975
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
PAN-136347
Fixed an issue wherer DNS proxy TCP connections were processed incorrectly, which caused a process (dnsproxy) to stop responding.
PAN-136073
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
PAN-132035
Fixed an issue on Panorama appliances in an active/passive HA configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.
PAN-131474
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where the connection details for a scheduled configuration export were logged in system logs (CVE-2021-3037).
PAN-128042
Fixed an issue where the dynamic address group failed due to a process (devsrvr) not being synced with another process (useridd).
PAN-124579
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.