PAN-OS 8.1.2 Addressed Issues

Fixed an issue where the WF-500 appliance provided no option to configure the master key. With this fix, you can use the request master-key new-master-key <key> lifetime <lifetime> CLI command to configure the master key.

Fixed an issue on PA-3200 Series firewalls where powering down a copper interface disrupted the operations of other interfaces that were grouped with it at the hardware level.

Fixed an issue on PA-3200 Series firewalls where SFP/SFP+ ports intermittently failed to come up after a reboot.

Fixed an issue on offline VM-Series firewalls where the web interface and CLI did not display license information after you activated licenses.

Fixed an issue with dataplane restarts when the mix of network traffic included a high ratio of RTP and RTP Control Protocol (RTCP) traffic.

Fixed an issue where a process (configd) stopped responding during a partial revert operation when reverting an interface configuration.

Fixed an issue where the GlobalProtect™ portal landing page did not return the HTTP Strict Transport Security (HSTS) header in the error response page when sending the response to an endpoint.

Fixed an issue where PA-7000 Series and PA-5200 Series firewalls intermittently failed to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.

Fixed an issue where, after end users successfully authenticated for access to a service or application, their web browsers briefly displayed a page indicating authentication completed and then they were redirected to an unknown URL that the user did not specify.

Fixed an issue where syslog servers misrepresented HIP Match, Authentication, and User-ID™ logs received from the firewall because the order changed in the first seven syslog fields for those log types. With this fix, the first seven syslog fields are the same for all log types.

Fixed an issue on the Panorama™ management server where partial revert operations failed with the following error after you used the PAN-OS® XML API to create template stacks: template-stack-> is missing 'settings' template-stack is invalid.

Fixed an issue where the active firewall in a high availability (HA) configuration did not synchronize the GlobalProtect data file to the passive firewall.

Fixed an issue on firewalls that collect port-to-username mappings from Terminal Services agents where the firewalls didn't enforce user-based policies correctly because the dataplane had incorrect primary-to-alternative-username mappings even after you cleared the User-ID cache.

Fixed an issue where the mprelay process stopped responding when a commit occurred while the firewall was identifying flows that needed a NetFlow update.

Fixed an issue where, after you upgraded the firewall to PAN-OS 8.1, a 500 Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (ObjectsSecurity ProfilesURL Filtering) because the firewall did not correctly apply AES encryption or synchronize the associated API key between the management plane and dataplane.

Fixed an issue on the Panorama management server where selecting additional target firewalls for a shared policy rule cleared any existing firewall selections for that rule (PanoramaPolicies<policy_type>{Pre Rules | Post Rules | Default Rules}Target).

Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed for the GlobalProtect Data File when you scheduled the updates using the management interface.

Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (PanoramaVMware NSXNotify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over.

Fixed an issue where a VM-Series firewall on KVM in DPDK mode didn't receive traffic after you configured it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF). This fix requires that you install i40e driver version 2.1.16 or later, and that you set the VF to be trusted by running the following CLI command on the KVM host:

Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect because the firewall dropped the response message that a Gateway GPRS support node (GGSN) sent for a second Packet Data Protocol (PDP) context update.

Fixed an issue where, after you added group mapping configurations, an out-of-memory condition developed that intermittently caused the User-ID process (useridd) to restart and temporarily prevented the firewall from receiving updates to user mappings and group mappings.

Fixed an issue where the firewall did not correctly modify the Configuration XML file (by removing ctd skip-block-http-range) when you upgraded from PAN-OS 8.0 to PAN-OS 8.1.

Fixed an issue on the Panorama management server where the configd process restarted when an external health monitoring script (such as GoldenGate) executed against Panorama, which became unusable until configd finished restarting.

Fixed an issue on Panorama Log Collectors where the show system masterkey-properties CLI command did not display the master key lifetime and reminder settings.

Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active high availability (HA) configuration sent packets in the wrong direction in a virtual wire deployment.

Fixed an issue where mobile endpoints that use GPRS Tunneling Protocol (GTP) lose GTP-U traffic because the firewall dropped all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.

Fixed an issue where commit failures occurred after you configured a DHCP-enabled subinterface as the local Interface for an IKE gateway configuration (NetworkNetwork ProfilesIKE Gateways<IKE_gateway>General).

Fixed an issue where the Panorama management server exported reports slowly or not at all due to DNS resolution failures.

Fixed an issue where the firewall did not correctly re-learn a User-ID mapping after that mapping was temporarily lost and recovered through successful WMI probing.

Fixed an issue where WildFire submissions with a filename that contained %20n or a subject that contained %n caused the management server (mgmtsrvr) process to stop responding.

Fixed an issue where a Panorama management server running PAN-OS 8.1 failed to push host information profile (HIP) objects that specified Encrypted Locations with State values to firewalls running PAN-OS 8.0 or an earlier release (ObjectsGlobalProtectHIP Objects<HIP_object>Disk EncryptionCriteria<encrypted_location>).

Fixed an issue on PA-500, PA-220, PA-220-R, and PA-200 firewalls where commits failed after the Panorama management server pushed a Decryption profile that you configured to Block sessions if HSM not available to firewalls that did not support a hardware security module (HSM).

Fixed an issue where the total log storage utilization that the firewall displayed did not account for IP Tag storage that was set to less than two per cent (DeviceSetupManagementLogging and Reporting SettingsLog Storage).

Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly flapped when the card was booting up.

Fixed an issue on Panorama M-Series and virtual appliances where the hash of the shared policy was incorrectly calculated, which caused an in-sync shared policy status to display as out-of-sync.

Fixed an issue on the Panorama management server where the Task Manager displayed Completed status immediately after you initiated a push operation to firewalls (Commit all job) even though the push operation was still in progress.

Fixed an issue where the VM-Series firewall for Azure intermittently failed to resolve URLs and generated the following error because Azure prematurely timed out the connection to the PAN-DB cloud after four minutes: Failed tosend Update Request to the Cloud.

Fixed an issue where a Panorama Collector Group forwarded Threat and WildFire® Submission logs to the wrong external server after you configured match list profiles with the same name for both log types (PanoramaCollector Groups<Collector_Group>Collector Log Forwarding{Threat | WildFire}<match_list_profile>).

Fixed an issue where the firewall routed Open Shortest Path First (OSPF) unicast hello messages (P2MP non-broadcast) using a forwarding information base (FIB) instead of sending the messages over the interface to which the OSPF neighbor connected.

Fixed an issue where the firewall did not apply tag-based matching rules for dynamic address groups unless you enclosed the tag names with single quotes ('<tag_name>') in the matching rules (ObjectsAddress Groups<address_group>).

Fixed an issue where a firewall forwarded a deleted or expired IP address-to-username mapping to another firewall through User-ID Redistribution but the receiving firewall still displayed the mapping as an active IP address-to-username mapping.

Fixed an issue where the firewall used an incorrect next hop in the Border Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers in the BGP peer group.

Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption failed due to a memory pool allocation failure.

Fixed an issue where firewalls intermittently blocked SSL traffic due to a certificate timeout error after you enabled SSL Forward Proxy decryption and configured the firewall to Block sessions on certificate status check timeout (ObjectsDecryptionDecryption Profile<Decryption_profile>SSL DecryptionSSL Forward Proxy).

Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were active in only one virtual router when two or more virtual routers had active BGP sessions (with BFD enabled) using the same peer IP address.

(GlobalProtect configurations only) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.

Fixed an issue where the request system external-list show type ip name <EDL_name> CLI command did not display external dynamic list entries after you restarted the management server (mgmtsrvr) process.

Fixed an issue where the management server (mgmtsrvr) process on the firewall restarted when you pushed configurations from the Panorama management server.

Fixed an issue where the Panorama management server generated high-severity System logs with the Syslogconnection established to server message after you configured Traps log ingestion (PanoramaLog Ingestion Profile) for forwarding to a syslog server (PanoramaServer ProfilesSyslog) and committed configuration changes (CommitCommit to Panorama).

Fixed an issue where SSL decrypted traffic failed after you configured the firewall to Enforce Symmetric Return in Policy Based Forwarding (PBF) policy rules (PoliciesPolicy Based Forwarding).

Fixed an issue where the firewall failed to perform decryption because endpoints tried to resume decrypted inbound perfect forward secrecy (PFS) sessions.

In certain customer environments, enhancements in PAN-OS 8.1.2 to change fan speeds may help reduce rare cases of drive communication failure in PA-5200 Series firewalls.

Fixed an issue where configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on the Panorama management server in Management Only mode caused an attempt to create a local Log Collector when you committed the configuration (PanoramaSetupInterfaces), which caused the commit to fail because a local Log Collector is not supported on a Panorama management sever in Management Only mode.

Fixed an issue on firewalls in a high availability (HA) configuration where traffic was disrupted because the dataplane restarted unexpectedly when the firewall concurrently processed HA messages and packets for the same session. This issue occurred on all firewall models except the PA-200 and VM-50 firewalls.

Fixed an issue where the Security policy rules pushed from Panorama to a firewall did not display in the list of available rules in the global filters list in the Application Command Center (ACC).

Fixed an issue on VM-Series firewalls for KVM where applications that relied on multicasting failed because the firewalls filtered multicast traffic by the physical function (PF) after you configured them to use single root I/O virtualization (SR-IOV) virtual function (VF) devices.

Fixed an issue where PA-5200 Series firewalls sent logs to the passive or suspended Panorama virtual appliance in Legacy mode in a high availability (HA) configuration. With this fix, the firewalls send logs only to the active Panorama.

(VM-50 Lite firewalls only) Fixed an intermittent issue where Failed to back up PAN-DB errors were reported in the system log due to management plane out-of-memory errors when a process (devsrvr) attempted to run an md5 checksum.

Fixed an issue where WildFire Submission logs did not correctly display the subject fields of emails because the firewall did not remove white spaces between encoded chunks in those fields.

Fixed an issue where an administrator whose Admin Role profile had the Command Line privileges set to superuser (DeviceAdmin Roles<role>Command Line) could not request tech-support dump from the CLI.

Fixed an issue where the firewall displayed a continue-and-override response page when users tried to access a URL that the firewall incorrectly categorized as unknown because it learned the URL field as an IP address.

Fixed an issue on the Panorama management server where administrators couldn't log in to the web interface because disk space utilization reached 100 per cent due to the continuous growth of cmserror log files.

Fixed an issue where PA-5200 Series firewalls in an active/passive high availability (HA) configuration dropped Bidirectional Forwarding Detection (BFD) sessions when the passive firewall was in an initialization state after you rebooted it.

Fixed an issue on PA-3250 and PA-3260 firewalls where the hardware signature match engine was disabled and the PAN-OS software performed signature matching instead, resulting in a ten percent degradation in threat detection performance.

Fixed an issue where the Panorama management server removed address objects and—in the Network tab settings and NAT policy rules—used the associated IP address values without reference to the address objects before pushing configurations to firewalls.

Fixed an issue where the firewall dataplane restarted and resulted in temporary traffic loss when any process stopped responding while system resource usage was running high.

Fixed an issue where an Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall went down after a cisco-nexus primary virtual port channel (vPC) switch LACP peer rebooted and came back up.

Fixed an issue on PA-7000 Series firewalls in a high availability (HA) configuration where the HA3 link did not come up after you upgraded to PAN-OS 8.1.0 or a later PAN-OS 8.1 release.

Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due to an internal path monitoring failure.

Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after you enabled session offloading (enabled by default), configured subinterfaces on the second aggregate Ethernet (AE) interface group (ae2), and configured QoS on a non-AE interface.

Fixed an issue where Panorama appliances ignored the time-zone offset in logs sent from the Traps Endpoint Security Manager (ESM).

Fixed an issue where the Panorama management server displayed template configurations as Out of Sync for firewalls with multiple virtual systems even though the template configurations were in sync.

Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3200 Series, and PA-3000 Series firewalls dropped packets because their dataplanes restarted due to QoS queue corruption.

Fixed an issue where the firewall dataplane intermittently restarted, causing traffic loss, after you attached a NetFlow server profile to an interface for which the firewall assigned an invalid identifier.

Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls in a high availability (HA) configuration where multicast sessions intermittently stopped forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).

Fixed an issue on the Panorama management server where administrators with the superuser read-only role could view the Password Hash used to access a Log Collector CLI after another superuser used browser developer tools to modify the input type for that field (PanoramaManaged Collectors<Log_Collector>Authentication).

Fixed an issue where the VM-Series firewall incorrectly displayed network interfaces as having a Link Speed of 1000 and a Link Duplex set to half when the actual values were different (NetworkInterfaces<interface>Advanced).

Fixed an issue where the Panorama management server displayed no output for the User Activity Report (MonitorPDF ReportsUser Activity Report).

Fixed an issue where in rare cases a commit caused the disk to become full due to an incorrect disk quota size value, and as a result the firewall behaved unpredictably (for example, the web interface and CLI became unresponsive).

Fixed an issue on the Panorama management server where editing the Description of a shared policy rule and clicking OK caused the Target setting to revert to Any firewalls instead of the selected firewalls.

Fixed an issue with scheduled log exports that prevented firewalls running in FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).

Fixed an issue where the Panorama management server failed to push configurations to firewalls running a PAN-OS 7.1 release and displayed the following error:

Fixed an issue where the firewall failed to parse the merged configuration file after you changed the master key; it parsed only the running configuration file. With this fix, the firewall parses both files as expected after you change the master key.

Fixed an issue on PA-7000 Series firewalls in a high availability (HA) configuration where the HA data link (HSCI) interfaces intermittently failed to initialize properly during bootup.