PAN-OS 8.1.7 Addressed Issues

Fixed an issue on a WF-500 appliance cluster where a firewall failed to join the cluster with a large data set of previously processed files.

Fixed an issue where the automatic refresh of external dynamic lists (EDLs) did not update the URL or Domain EDLs.

Fixed an issue on a VM-Series firewall where traffic stopped processing and resumed processing only after the firewall was restarted.

(Panorama™ running PAN-OS® 8.1.6 only) Fixed an intermittent issue where autocommits failed and Panorama stopped displaying device groups when managing a WildFire® appliance running PAN-OS 8.1.5 or an earlier PAN-OS 8.1 release.

Fixed an issue where source URLs (ObjectsExternal Dynamic Lists<EDL-name>Create ListSource URL), which contained double escape characters caused external dynamic list entries to display incorrect values in the policies.

Fixed an intermittent issue on a firewall where outbound traffic failed with an error message: (proxy decrypt failure) when configured with HTTP Header Insertion (ObjectsSecurity ProfilesURL Filtering<Filter-name>HTTP Header Insertion).

Fixed an issue where the push scope selection on the Panorama web interface displayed incorrectly even though the commit scope displayed as expected. This issue occurred when one administrator made configuration changes to separate device groups or templates that affected multiple firewalls and a different administrator attempted to push those changes.

Fixed an intermittent issue on Panorama M-Series and virtual appliances where elastic search queries to Cortex Data Lake did not display logs.

Fixed an issue where the external dynamic list did not update after a scheduled refresh of the list.

(PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where a firewall dropped generic routing encapsulation (GRE) version 1 traffic.

Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.

Fixed an issue where the firewall sent RIP updates more frequently than expected.

Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID (TEID) was not updated correctly during a GTP-C update.

Fixed an issue on VM-Series firewalls Dynamic Address Groups did not display all the tags and labels for registered IPs.

A security related fix was made to limit the amount of information returned from an API call error message.

Fixed an issue where a process (useridd) stopped responding when the firewall received excessive Security Assertion Markup Language (SAML) requests received.

(PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama the template configuration referenced Bidirectional Forwarding Detection (BFD).

Fixed an issue where an administrator with a custom configuration role could not export reports.

Fixed an issue where the firewall did not remove the 4-Byte AS Format number when Remove Private AS was enabled.

Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding during a local commit.

Fixed an intermittent issue on a firewall where configuring Force Template Values (NetworkInterfacesCommitPush to DevicesTemplates) deleted the zone assigned to an interface.

Fixed an issue where P2MP OSPF static neighbor did not display in the run-time neighbor table.

Fixed an issue where the DHCP client interface was configured with an incorrect subnet mask value instead of the value provided by DHCP option 1.

Fixed an issue on GlobalProtect™ where you were unable to authenticate when the domain name included the ampersand ( & ) character.

Fixed an issue where applications took longer than expected to load when accessed through a Clientless VPN.

Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (Network >Virtual RoutersAddRouter settingsECMP).

Fixed an issue on a VM-Series firewall where packet sizes more than 1,500 bytes caused the firewall to stop transmitting and receiving packets.

Fixed an issue where commits failed after a BGP aggregate route configuration modification.

Fixed an issue on a VM-Series firewall where the PCI-PT interface did not receive VLAN tagged traffic after a system boot up.

(PA-5000 Series firewalls only) Fixed an issue where extra byte (1 to 7) padding were appended to the initial SYN and UDP packets, which caused the server to stop responding.

(Panorama M-Series and virtual appliances only) Fixed a rare issue where the web interface did not display new logs as expected because Elasticsearch (ES) stopped working when the Raid drives reached maximum capacity and the purge script to remove old ES indices failed to execute and make room for new indices. However, this issue also resulted in creation of new ES indices that were empty because the appliance could not read or write to them. With this fix, old indices are purged as expected; however, empty ES indices created before you upgraded to this release with this fix are not removed as expected (see known issue PAN-114041).

Fixed an issue where the test security-policy-match XML API command returned invalid XML responses.

Fixed an issue where you were unable to retrieve the external dynamic list for URLs that included the ampersand ( & ) character in the URL string.

Fixed an intermittent issue on a firewall where the (all_pktproc) stopped responding and caused the dataplane to restart.

Fixed an issue where you were unable to search for service objects by destination port numbers.

Fixed an issue where the firewall did not display the full URL information in the URL Filtering log (MonitorURL Filtering) after a (“ ’\r’ “) return character.

A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS SNMP (CVE-2018-18065 / PAN-SA-2019-0007).

Fixed an issue where DNS proxy memory leaks occurred during the FQDN refresh process.

Fixed an issue where the dataplane restarted due to an internal path monitoring failure caused by large SSL decrypted file transfer sessions.

Fixed an intermittent issue on a firewall where the log receiver leaked memory after 24 hours of runtime, which caused the firewall to stop responding.

Fixed an issue where MIB attributes caused MIB compilation failures when using a third-party compiler.

Fixed an issue where GlobalProtect did not authenticate and displayed the following error message: search failed 32.

Fixed an issue where you could not log in to GlobalProtect from a mobile device when the mobile ID contained a hyphen (-) character in the mobile ID string.

Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN sub-interface in conjunction with policy based forwarding (PBF) caused the firewall to forward the return traffic to the incorrect web interface.

A security-related fix was made to address the Linux Kernel Local Privilege Escalation vulnerability (CVE-2018-14634 / PAN-SA-2019-0006).

A security-related fix was made to address an issue with the wf_curl.log file in WF-500 appliances (WildFire).

Fixed an issue where NetFlow server profile traffic did not route over IPSec tunnels when the service route was configured to use the dataplane interface.

Fixed an issue where correlated events forwarded as email alerts displayed the incorrect date and time.

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where OSPF and BGP running on an Aggregate Ethernet (AE) interface with LACP enabled took longer than expected to restart after a failover.

Fixed an issue on a VM-Series firewall where the dataplane interface continuously flapped when PCI passthrough was enabled with DPDK.

Fixed an intermittent issue where octet values were incorrect for random flows in the NetFlow traffic.

Fixed an issue on a VM-50 firewall where an out-of-memory event caused the firewall to restart.

Fixed an issue in an HA active/passive configuration where the passive firewall ran a configuration out-of-sync after a restart.

Fixed an issue where the real-time clock (RTC) battery voltage exceeded the maximum threshold value.

Fixed an issue where BGP conditional advertisements did not respond, the BGP conditional advertisements did not match the suppress condition policy even when the prefix in the non-exist filter condition matched.

Fixed an issue in an HA active/passive configuration where a suspended firewall processed traffic.

Fixed an issue on PA-3200 Series firewalls where an SNMP OID (sysObjectID) reported the incorrect model (for example, PA-2020 instead of PA-3260).

Fixed an issue where an API call (show system disk details), responded with the following error message: An error occurred. See dagger.log for information.

Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.

Fixed an issue where a newly deployed VM-Series firewall in the VMware NSX environment did not display on the summary web interface (PanoramaSummary) after a partial commit.

Fixed an intermittent issue where a job type (content) caused a firewall configuration failure and the firewall to stop responding.

Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.

Fixed an issue on Panorama M-Series and virtual appliances where disk quota edits failed and resulted in the following error message: quota-settings -> disk-quota is invalid.

Fixed an issue on a PA-5200 Series firewall where enhanced small form-factor pluggable (SFP+) ports were unable to detect link-fault events on the transmission side.

Fixed an issue where SNMP queries displayed incorrect values.

Fixed an intermittent issue where the session ID did not clear when the session ID was set to 0.

Fixed an issue where administrators configured with Device Group and Template Admin type were unable to perform a global search and returned the following message: Unauthorized request.

Fixed an intermittent issue on VM-Series firewalls in an AWS environment where packets were dropped due to a longer than expected delay in transmission.

Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly displayed "up" when it was configured to be configured "down."

A security-related fix was made to address a development configuration file issue.

Fixed an issue where the IPv6 flow label was set to 0 when decryption was configured, which caused the firewall to drop IPv6 traffic during the SSL handshake.

Fixed an issue on Panorama M-Series and virtual appliances where TCP port 28 was accessible on management plane.

Fixed an issue where SYN-ACK packets with low time-to-live (TTL) values were sent, which caused a connection failure.

An enhancement was made to enable you to monitor connections between a firewall and Cortex Data Lake on the web interface.

Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.

(PA-200 <N/A in 9.0>, PA-220, and PA-220R firewalls only) Fixed an issue with the Ethernet driver that caused the firewall to reboot when experiencing heavy broadcast traffic on the management interface.

Fixed an issue where a firewall stopped responding when a NAT Dynamic IP and Port (DIPP) was configured as a NAT dynamic IP fallback.

Fixed an issue where the GlobalProtect Gateway host information profile (HIP) notification operation failed to execute and returned the following message: GP-EX-GW-21 -> hip-notification - > win-fw-is-not-enable -> not-match-message -> message is invalid.

Fixed an issue where firewalls that were not configured to decrypt HTTPS services and applications traffic allowed users without valid authentication timestamps to access those resources regardless of Authentication Policy settings. To prevent such access, either configure the firewall to decrypt traffic or run the debug device-server cp-deny-encrypted on command and execute the commit force CLI command (this command will persist across reboots).