PAN-OS 8.1.4 Addressed Issues

Fixed an issue where WF-500 appliances failed to analyze Excel files because the files contained links and required a manual response to a popup dialog about whether to update those links before opening the file.

Fixed an issue where the WF-500 appliance factory reset failed.

Fixed an issue on a WF-500 appliance where in maintenance mode, network activity did not occur.

Fixed an issue where the WF-500 appliance reported incorrect memory utilization values through SNMP (hrStorageUsed).

Fixed an issue where the WF-500 appliance SNMP notifications did not provide information for the eth2 and eth3 interfaces.

Fixed an issue on WF-500 passive cluster members where file forwarding was incorrectly disabled, which prevented the passive firewall from uploading samples.

Fixed an issue on WF-500 appliances that caused a compliance scan to incorrectly report two vulnerabilities: SSL Server Supports DES Ciphers (Sweet32 Exposure) and NGINX Log Escape Sequence Injection Vulnerability.

Fixed an issue where the firewall did not generate a new random value in the TLS Server Hello message, which breaks TLSv1.3 connections when SSL Forward Proxy decryption is enabled.

Fixed an issue where administrators were not able to create a WF-500 cluster unless they first configured an HA1 backup.

Fixed a rare issue where PA-3200 Series firewalls started dropping offloaded traffic.

Fixed an issue with the Panorama Interconnect plugin where Panorama Node child jobs were not displayed under Panorama Controller Tasks (PanoramaInterconnectTasks) as expected when you tried to Push Common Config (PanoramaInterconnectPanorama Nodes).

Fixed an issue where a hardware packet buffer leak caused firewall performance to degrade.

Fixed an issue on a PA 3200 Series firewall where the dataplane failed due to an internal path monitoring failure.

Fixed an intermittent issue on a PA-3200 Series firewall where the forwarding information base (FIB) did not update correctly, which prevented successful forwarding of offloaded traffic.

Fixed an Issue where a process (mgmtsrvr) failed on EDL refresh when configured over a Secured Socket Layer (SSL) connection.

Fixed an issue on a PA-5000 Series firewall where the dataplane restarts when multicast traffic matched a stale session on the offload processor that was not cleared as expected.

Fixed an issue where a process (rasmgr) restarted when a satellite tunnel tear down command and a get user config command occurred simultaneously.

Fixed an issue where a process (rasmgr) restarted multiple times, which caused the firewall to reboot.

Fixed an issue where a PA-5200 Series firewall processed the tunnel-monitoring with profile-failover as having the tunnel status up and peers as down during initial configuration.

Fixed an issue where Extended Authentication (X-Auth) clients intermittently failed to establish an IPSec tunnel to GlobalProtect™ gateways.

Fixed an issue on an M-100 appliance in a high availability (HA) configuration where administrators could not reestablish access to the appliance after a session ended unexpectedly.

Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.

Fixed an issue where simultaneous management access allowed only one user to log in at a time.

Fixed an issue where a system failure occurred due to packet size exceeding the hardware limit.

Fixed an issue where SNMP fan trays did not initialize as expected and prevented the SNMP manager from receiving fan tray information.

Fixed an issue on VM-Series firewalls where the dataplane stops processing traffic when attempting to transmit packets larger than the firewall maximum transmission unit (MTU).

(PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewall only) Fixed an issue where a large number of group mappings caused the firewall to display out-of-memory (OOM) errors and restart.

Fixed an issue where the content rewriter module failed to properly handle simultaneous chunked and zipped responses, and did not send end of response.

Fixed an issue on an M-100 appliance where a bulk set of commands timed out causing config locks and, while running any subsequent show commands, responded with the following message: Server error: Timed out while getting config lock. Please try again.

Fixed an issue where access to Panorama™ accounts failed due to the removal of IPv4 address and exclusive use of IPv6 on the management (MGT) port.

Fixed an issue where a configuration change commit was accepted when only one virtual wire (vwire) interface was defined in a vwire pair. With this fix, a commit for a change where only one vwire interface is defined for a vwire pair is rejected and an error message is displayed.

A security-related fix was made to address a cross-site scripting (XSS) vulnerability in the GlobalProtect Portal login page.

Fixed an issue where the second virtual system (vsys) dropped TCP traffic that was out-of-order when that second vsys controlled the proxy session in a multi-vsys configuration.

Fixed an issue where the firewall did not return Captive Portal response pages as expected due to depletion of file descriptors.

Fixed an issue where RADIUS VSA administrators were able to login for one hour after their VSA administrator role was removed on the RADIUS server.

Fixed an issue where the firewall attempted to reconnect to the LDAP server when an empty Distinguished Name (DN) returned for an invalid user.

Fixed an issue where the firewall dataplane restarted due to missing SIP parent information after an HA failover event.

Fixed an issue in an HA active/active virtual wire configuration where a race condition caused the firewall to intermittently drop First SYN packets when they traversed the HA3 link.

Fixed an issue where a library (libpam_pan.so) did not handle incorrect passwords as expected.

Fixed an issue in Panorama where a commit failed message appeared in the Template Last Commit column in the device management summary after a Panorama reboot or upgrade.

Fixed an issue where searching through pcaps from a Log Collector in a configuration with multiple Log Collectors took longer than expected.

Fixed an intermittent issue where Captive Portal multi-factor authentication (MFA) failed and discarded new MFA requests.

Fixed an issue on Panorama where generating a threat pcap from the web interface (Monitor tab) took longer than expected and caused the web interface and CLI to become inaccessible.

Fixed an issue where high elastic search memory load caused the firewall not to display logs and reboot

Fixed an issue on a PA-5200 Series firewall in an HA active/passive configuration where the firewall dropped TCP-FIN packets after a failover.

Fixed an issue on the Panorama centralized management server where the logs related to the clear-log system were not forwarded to the Syslog server.

Fixed an issue on VM-Series firewalls where administrators could not log in to a firewall with an AMI image created from a virtual machine (VM).

A security-related fix was made to address three OpenSSL vulnerabilities: CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739.

Fixed an issue where Panorama displayed a File not found error when you attempted to view or download Threat pcaps from the Monitor tab.

Fixed an issue where the commit failed and the device server log displayed the following message: failed to handle CONFIG_UPDATE_START.

Fixed an issue where after you exit a process, a fixed amount of memory did not release which caused memory leaks.

Fixed an issue on a PA-220 firewall in an HA active/passive configuration and with jumbo frames enabled (DeviceSetupSession) where configuration and dynamic updates failed to synchronize.

Fixed an issue where firewall overrides configuration to not validate first ASN, resulting in multi-lateral BGP connection flaps peering over an internet exchange.

Fixed an issue where a log record in the JSON query caused a process (reportd) to fail.

Fixed an issue where an administrator with the CLI Device Read privilege was able to discard a session that was revoked.

Fixed an issue on VM-Series firewalls where the virtual machine (VM) information source made incorrect calls in FIPS-CC mode.

Fixed an issue where the set ssh service-restart mgmt CLI command did not respond correctly.

Fixed an issue in an HA active/passive configuration where URL request messages were not prioritized from the dataplane to the management plane and where a high rate of log generation in the dataplane caused inconsistent URL categorization.

Fixed an issue where the log in banner did not display properly when configured to single long-line.

Fixed an issue in an HA active/passive configuration where an HA sync job executed while a commit all job was processing.

Fixed an issue where the GlobalProtect connection failed with the following dataplane ICMPv6 message: Packet too big due to the firewall MTU value set lower than normal.

Fixed an issue where values were missing in the URL field in the Data Filtering logs.

Fixed an issue on Panorama M-Series and virtual appliances where the configuration (configd) process stopped responding after you entered a filter string and tried to Add Match Criteria for any Dynamic address group type (ObjectsAddress Groups).

Fixed an issue where the Panorama web interface Group Mapping Setting took longer to load than expected when there were multiple device groups and each group reported to a different master device.

Fixed an issue where audio failed for long-lived session initiated protocol (SIP) sessions subjected to six content updates.

Fixed a rare issue where the task manager failed to load in the web interface when a pending job caused subsequent completed jobs to be inappropriately held in memory.

Fixed an issue on Panorama M-Series and virtual appliances where the report-generation process stopped responding due to a corrupt log record in the JSON query.

Fixed an intermittent issue where session BIND messages were dropped in a Dynamic IP configuration.

Fixed an issue on a PA-3220 firewall where the external dynamic list refresh and commit, failed after an increase in the number of external dynamic list objects in the firewall.

Fixed an issue on PA-800 Series firewalls where the web interface did not display or allow you to configure the bandwidth setting any higher than 1Gbps.

Fixed an issue where generation of extraneous data filtering logs for SMB protocol traffic occurred without data filtering or file blocking securities rules in place.

Fixed an issue where the Syslog server received an incorrect vsys/port log message when multiple vsys systems, with the same profile name and different port numbers, are connected to a single syslog server.

Fixed an issue where the DNS proxy process failed due to a DNS response packet containing a TXT resource record with length = 0.

Fixed an issue where PA-5000 Series firewalls did not send an IGMP query immediately after an HA failover.

Fixed an issue where software deployment from Panorama to a managed firewall failed.

A security-related fix was made to prevent HTTP Header Injection in the Captive Portal.

Fixed an issue during a decrypted session on an L3 Aggregate Ethernet (AE) interface, where an incorrectly formatted threat packet capture (pcap) caused malformed packet captures during an inspection.

Fixed an issue where a commit took significantly longer than expected when cloning a rule compared to when configuring a new rule when the configuration contained a large number of rules.

Fixed an issue on Panorama M-Series and virtual appliances where logs failed to purge from the log-disks when /opt/pancfg partition usage reached 100%.

Fixed an issue where a Panorama appliance returned the following error: mgmtsrvr: User restart reason - Virtual memory limit exceeded (8204808 > 8192000).

Fixed an issue where firewalls in an HA active/active configuration with a default session setup and owner configuration dropped packets in a GlobalProtect VPN tunnel that used a floating IP address.

Fixed an issue on a PA-500 firewall where the dataplane tunnel content pointer entered a NULL state and caused dataplane processes (pan_comm and tund) to stop responding, which caused the dataplane to restart.

Fixed an issue where a PA-220 firewall did not recognize the panDeviceLogging SNMP object identifier.

Fixed an issue where some fields did not populate the template when logs are forwarded to the HTTP Server.

Fixed an issue where the header captions you configured for PDF Summary Reports or for Custom Reports were not used for the report name as expected.

Fixed an issue where the firewall returns an empty response for the API call show user ip-user-mapping.

Fixed an issue on Panorama where Collector Groups and WildFire Appliances and Clusters (CommitPush to DevicesEdit Selections) that were already in sync with the current configuration were incorrectly selected and, thus, included when you attempted to push a configuration only to appliances that were not in sync.

Fixed an issue where the firewall revealed part of a password in cleartext on the command-line interface (CLI) and management server (mgmtsrvr) log when an administrator attempted to set a password that exceeded the maximum number of characters (31) using the CLI. With this fix, the firewall reports an error when an administrator attempts to set a password that contains more than 31 characters without revealing any part of the actual password.

Fixed an issue where Panorama M-Series and virtual appliances did not resolve the FQDN list because a bootstrap setting (cfg.product.bootstrap) was set to factory_reset.

Fixed an issue where an API call resulted in an incorrect response.

Fixed an issue where a temporary flap on configured Aggregate Ethernet (AE) interfaces cleared the dataplane debug logs.

Fixed an issue on a PA-220 firewall where exporting the device state from Panorama command-line interface (CLI) included the default bidirectional forwarding detection (BFD) configuration, which caused a commit to fail on the firewall when uploading the device state.

Fixed an issue on an M-100 appliance where reports did not generate in user groups.

Fixed an issue where TCP segments with large sequence numbers caused the dataplane to fail while large file sizes are transferred.

Fixed an issue where temporary files not properly cleaned caused disk space issues.

Fixed an issue where the syslog messages that terminated with 0 prevented the firewall from identifying matching patterns in the message.

Fixed an issue on an M-500 appliance where a bootstrapped firewall automatically added to Panorama did not commit the changes.

Fixed an issue on Log Collectors where the show log-collector serial-number <LC_serial_number> CLI command displayed log ages that exceeded log expiration periods.

Fixed an issue where files failed to upload to the WildFire cloud when file-forwarding queue limit was reached on the dataplane. When this occurred, the WildFire upload log included the file with a status of offset mismatch.

Fixed an issue where a null-pointer exception caused the device server (devsrv) process on the management plane to restart.

Fixed an intermittent issue where NAT traffic was dropped when NAT parameters were introduced or changed in the path between the LSVPN GlobalProtect gateway and the GlobalProtect satellite. To leverage this fix in your network, you must also enable Tunnel Monitoring on the GlobalProtect Gateway (NetworkGlobalProtectGateways<gp-gateway>SatelliteTunnel Settings).

Fixed an issue on PA-5200 Series firewalls in an HA active/active configuration where session timeouts occurred when TCP timers did not update as expected for asymmetric flows.

Fixed an issue where the output of the show neighbor ndp-monitor all command-line interface (CLI) command was missing a space between the Interface and IPv6 address columns, which decreased readability.

Fixed an issue where the process (cord) stopped responding when trying to forward correlation events if there was no log forwarding profile configured for correlated events.

Fixed an issue where the log receiver failed due to the logging certificate server name indication (SNI) value.

Fixed an issue where PA-7000 Series firewalls did not send logs to Panorama.

(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the destination interface configured for a QoS profile rule did not match traffic as expected.

Fixed an intermittent issue where the Bidirectional Forwarding Detection (BFD) up time displayed negative values.

Fixed an issue where the antivirus/anti-spyware block page did not display.

Fixed an issue on PA-3200 Series firewalls where Ethernet ports 2, 3, 4, 6, 7, 8, and 10 were functioning only at 1,000Mbps (1Gbps).

Fixed an issue on an M-100 appliance where, when the interface and snapshot length (snaplen) options were enabled, the tcpdump command failed to execute with the following message: Unsupported number of arguments.

Fixed an issue where the URL session information WildFire® report displayed Unknown for sample files uploaded from firewalls running a PAN-OS 8.0 release.

Fixed an issue where, after you disabled the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applied the option: end users with endpoints that used Extended Authentication (X-Auth) did not have to re-authenticate when the key for establishing the IPSec tunnel expired (NetworkGlobalProtectGateways<gateway>AgentTunnel Settings).

Fixed an issue where the default QoS profile limited the available bandwidth to 10Gbps when you specifically applied the profile to the ae2 interface; this issue occurred regardless of the bandwidth setting you configured specifically for that profile.

Fixed an issue where the Panorama web interface intermittently became unresponsive during ACC queries.