PAN-OS 9.0.11 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Post-Quantum Cryptography Detection and Control
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 9.0 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
- Changes to Default Behavior
- Associated Software and Content Versions
- Limitations
-
-
- PAN-OS 9.0.17 Known Issues
- PAN-OS 9.0.16 Known Issues
- PAN-OS 9.0.15 Known Issues
- PAN-OS 9.0.14 Known Issues
- PAN-OS 9.0.13 Known Issues
- PAN-OS 9.0.12 Known Issues
- PAN-OS 9.0.11 Known Issues
- PAN-OS 9.0.10 Known Issues
- PAN-OS 9.0.9 Known Issues
- PAN-OS 9.0.8 Known Issues
- PAN-OS 9.0.7 Known Issues
- PAN-OS 9.0.6 Known Issues
- PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues
- PAN-OS 9.0.4 Known Issues
- PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
- PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
- PAN-OS 9.0.1 Known Issues
- Known Issues Specific to the WildFire Appliance
-
-
- PAN-OS 9.0.17-h5 Addressed Issues
- PAN-OS 9.0.17-h4 Addressed Issues
- PAN-OS 9.0.17-h1 Addressed Issues
- PAN-OS 9.0.17 Addressed Issues
- PAN-OS 9.0.16-h7 Addressed Issues
- PAN-OS 9.0.16-h6 Addressed Issues
- PAN-OS 9.0.16-h5 Addressed Issues
- PAN-OS 9.0.16-h3 Addressed Issues
- PAN-OS 9.0.16-h2 Addressed Issues
- PAN-OS 9.0.16 Addressed Issues
- PAN-OS 9.0.15 Addressed Issues
- PAN-OS 9.0.14-h4 Addressed Issues
- PAN-OS 9.0.14-h3 Addressed Issues
- PAN-OS 9.0.14 Addressed Issues
- PAN-OS 9.0.13 Addressed Issues
- PAN-OS 9.0.12 Addressed Issues
- PAN-OS 9.0.11 Addressed Issues
- PAN-OS 9.0.10 Addressed Issues
- PAN-OS 9.0.9-h1 Addressed Issues
- PAN-OS 9.0.9 Addressed Issues
- PAN-OS 9.0.8 Addressed Issues
- PAN-OS 9.0.7 Addressed Issues
- PAN-OS 9.0.6 Addressed Issues
- PAN-OS 9.0.5-h3 Addressed Issues
- PAN-OS 9.0.5 Addressed Issues
- PAN-OS 9.0.4 Addressed Issues
- PAN-OS 9.0.3-h3 Addressed Issues
- PAN-OS 9.0.3-h2 Addressed Issues
- PAN-OS 9.0.3 Addressed Issues
- PAN-OS 9.0.2-h4 Addressed Issues
- PAN-OS 9.0.2 Addressed Issues
- PAN-OS 9.0.1 Addressed Issues
- PAN-OS 9.0.0 Addressed Issues
End-of-Life (EoL)
PAN-OS 9.0.11 Addressed Issues
PAN-OS® 9.0.11 addressed issues.
Issue ID | Description |
---|---|
PAN-154092 | An enhancement was made to provide an option
to increase Data Plane Development Kit (DPDK) ring size and DPDK
queue number for VM-Series firewalls deployed on ESXi. |
PAN-153983 | Fixed an issue where the IPSec encapsulation
sequence was not properly synced to the dataplanes on a high availability
(HA) active/passive cluster. |
PAN-153813 | Fixed an issue where the proxy configuration
did not get honored, which caused certificate revocation list (CRL)
checks from the firewall to fail. |
PAN-153673 | Fixed an issue where traffic logs were not
shown due to a thread timeout that was causing the reading of the
logs from the dataplane to slow. |
PAN-153436 | Added CLI commands to increase thread limits
to reduce task thread exhaustion on a process (configd). |
PAN-153111 | Fixed an issue where packet buffer unavailability
caused host-bound sessions to remain in an opening state in the dataplane. |
PAN-152706 | Fixed an intermittent issue where Panorama
did not retrieve firewall logs from Cortex Data Lake. |
PAN-152285 | Fixed an issue where certain GPRS tunneling
protocol (GTP-U) sessions that could not complete installation still
occupied the flow table, which led to higher-than-expected session
table usage. |
PAN-152106 | Fixed an issue where a process (genindex.sh) caused
the management plane CPU usage to remain high for a longer period
of time than expected. |
PAN-152027 | Fixed an issue with URL Filtering where
websites that were previously in the malicious category but have
since been cleared remained in the malicious category in the dataplane
cache. These websites were moved to the benign category only after
you manually cleared the cache. |
PAN-151203 | Fixed an issue where the firewall dropped
certain GTPv1 Update PDP Context packets. |
PAN-151057 | Fixed an issue where upgrading the capacity
license on a VM-Series HA pair resulted in both firewalls going
into a non-functional state instead of only the higher capacity
license firewall. |
PAN-150750 | (PA-5200 Series and PA-7000 Series firewalls
only) Fixed an intermittent issue where the firewall dropped
packets when two or more GTP packets on the same GTP tunnel were
very close to each other. |
PAN-150748 | Fixed an issue where the firewall silently
dropped GTPv2-C Delete Session Response packets. |
PAN-150746 | Fixed an issue where the firewall dropped
GTP packets with Delete Bearer messages for EBI 6 if they were received
within two seconds of receiving the Delete Bearer messages for EBI
5. |
PAN-150613 | Fixed an issue that caused a process (mprelay) to
stop responding when committing changes in the Netflow Server Profile
configuration (Device > Server Profiles > Netflow). |
PAN-150243 | Fixed an issue where the candidate configuration
was not updated to the running configuration after a successful
commit when the commit was initiated by an API-privileges-only custom
role-based administrator. |
PAN-149912 | Fixed an issue where FIB entries were unexpectedly
removed due to miscommunication between internal processes. |
PAN-149480 | Fixed an issue where a custom report query
from Panorama, which includes new fields not supported in prior
releases, triggered a restart of a process (reportd)
when Panorama was connected to log collectors running an earlier
PAN-OS release. |
PAN-149426 | Fixed an issue where non-superuser administrators
with all rights enabled were unable to Review Policies or Review
Apps for downloaded or installed content versions. |
PAN-149296 | Fixed an issue on Panorama where system
and configuration logs from dedicated Log Collectors did not display
on Panorama appliances in Management Only mode. |
PAN-148564 | Fixed an issue where Panorama stopped showing
new logs when url_category_list was
in the URL payload format of the HTTP(S) server profile used to
forward URL logs from the Panorama Log Collector. |
PAN-147741 | Fixed an issue where an API call for correlated
events did not return any events . |
PAN-147595 | Fixed an issue where stream control transmission
protocol (SCTP) logs for an existing SCTP session still showed old
rule information after a policy commit and session rematch. |
PAN-147285 | Fixed an issue where host information profile
(HIP) details were not available on Panorama even with a valid and
active HIP redistribution configuration. |
PAN-146878 | Fixed an issue where TCP traffic dropped
due to TCP sequence checking in an HA active/active configuration
where traffic was asymmetric. |
PAN-146650 | A fix was made to address an authentication
bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS
that allowed an attacker to bypass all client certificate checks
with an invalid certificate. As a result, the attacker was able
to authenticate as any user and gain access to restricted VPN network
resources when the gateway or portal was configured to rely only
on certificate-based authentication (CVE-2020-2050). |
PAN-146531 | Fixed an issue where conversion from Panorama
mode to logger mode was enabled even when an administrative user
named admin did not exist in the configuration,
which prevented access to the appliance after conversion. |
PAN-146506 | Fixed an issue where memory usage on a process (useridd)
was high, which caused the process to restart on the firewall that
was acting as the User-ID redistribution agent. This issue occurred
when multiple clients requested IP address-to-user mappings at the
same time. |
PAN-146284 | Fixed an issue where Applications and Threats
content installation failed on the firewall with the following error
message: Error: Threat database handler failed. |
PAN-146117 | Fixed an issue on the firewall where memory
usage on a process (devsrvr) increased after running
the show object dynamic-address-group all CLI
command. |
PAN-146115 | Fixed an issue where GlobalProtect™ IPSec
connections flapped when the peer address to the gateway changed
due to NAT. |
PAN-145823 | Fixed an issue where BGP-learned routes
were incorrectly populated with a VR error as a next hop. |
PAN-145757 | Fixed an issue where a firewall process (all_pktproc)
restarted while processing Session Traversal Utilities for NAT (STUN)
over TCP. |
PAN-145752 | Fixed an issue where exporting policies
to PDF or CSV files did not include all policies and contained duplicates. |
PAN-145188 | Fixed an issue on Panorama in PAN-DB mode
where content updates did not successfully install, which caused
the cloud state to degrade. |
PAN-145133 | A fix was made to address a vulnerability
in the PAN-OS signature-based threat detection engine that allowed
an attacker to evade threat prevention signatures using specifically
crafted TCP packets (CVE-2020-1999). |
PAN-144919 | Fixed an issue on an M-600 appliance where
the Panorama management server stopped receiving new logs from firewalls
because delayed log purging caused log storage on the Log Collectors
to reach maximum capacity. |
PAN-144448 | Fixed an issue with the automated correlation
engine that caused firewalls to stop generating correlated event
logs for the beacon-heuristics object
(ID 6005). |
PAN-143959 | Fixed an issue on Panorama where a custom
administrator with all rights enabled was not able to display the
content of the external dynamic list (EDL) on the Panorama web interface. |
PAN-143809 | Fixed an issue where Log Collectors had
problems ingesting older logs for previous days received at a high
rate. |
PAN-143796 | Fixed an issue where commits failed on the
firewall due to memory allocation failure. You can check configuration
memory using the debug dataplane show cfg-memstat statistics CLI
command. |
PAN-141980 | Fixed an issue where random member ports
in a link aggregate group failed to join the aggregate group due
to the following error: Link speed mismatch. |
PAN-141923 | Fixed an issue where authentication stopped
working after a commit and a process (authd) exited,
which caused other processes to exit. |
PAN-141793 | Fixed an issue where Panorama did not show
correct logs filtered with not, leq,
and geq. |
PAN-141717 | Fixed an issue where an administrative user
using custom admin roles and without access to the Device tab
was unable to expand the detailed views of Monitor > Logs. |
PAN-141551 | Fixed an issue where SSH service restart
management did not take effect in the SSH management server profile. |
PAN-141262 | Fixed an issue where the resolution of FQDN
for a policy on the web interface did not work as expected if the
FQDN contained CAPITAL letters. |
PAN-140900 | Fixed an issue where IP address-to-tag mapping
entries had negative time-to-live (TTL) values instead of being
removed after expiry. |
PAN-140883 | Fixed an issue where, after rebooting the
firewall, the SNMP object identifier (OID) for TCP connections per
second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1)
returned 0 until another OID was pulled. Additionally, after a restart
of a process (snmpd), if the above OID was called before
other OIDs, there was an approximate 10-second delay in populating
the data pulled by each OID. |
PAN-140628 | Fixed an issue where a memory leak on a
process (useridd) caused multiple processes to restart
during device serial number checks. |
PAN-140382 | Fixed an issue where the Host Evasion Threat
ID signature did not trigger for the initial session even when the
DNS response was received before the session expired. |
PAN-140227 | (PA-7000 Series firewalls only)
Fixed a rare issue where the firewall rebooted due to a path monitoring
failure on the Log Processing Card (LPC). |
PAN-140173 | Fixed an issue where a large number of groups
in group mapping caused a process (useridd) to stop
responding. |
PAN-140157 | A fix was made to address a vulnerability
where the password for a configured system proxy server for a PAN-OS
appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048). |
PAN-140121 | Fixed an issue where a process (authid)
used a large amount of memory due to many incomplete authentication requests,
which caused an out-of-memory (OOM) condition. |
PAN-140084 | (PA-3200 Series firewalls only)
Fixed an issue where the default Dynamic IP and Port (DIPP) NAT
oversubscription rate was set to 2. |
PAN-139991 | Fixed an issue where the web interface and
the CLI were inaccessible, which caused the following error message
to display on the web interface: Timed out while getting config lock. |
PAN-139680 | Fixed an issue where dynamic route updates
triggered an unintentional refresh of the DHCP client interface
IP address, which led to the removal and re-addition of the default
route associated with the DHCP client IP address and caused traffic
disruption. |
PAN-139233 | Fixed an issue where HIP reports failed
to display on either the web interface or the CLI. |
PAN-139136 | Fixed an issue where a large number of groups
in group mappings caused a process (useridd) to stop
responding. |
PAN-138938 | An enhancement was made to reduce the memory
usage of a process (logrcvr) to avoid out-of-memory
(OOM) conditions on lower-end platforms. |
PAN-138674 | Fixed an issue where custom role-based admins
were able to reset the rule hit counter for disabled device groups. |
PAN-138427 | Fixed an issue where pushing a configuration
from a Panorama management server running PAN-OS 9.0 to a firewall
running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix,
update both Panorama and the firewall to PAN-OS 9.0.11 or a later
PAN-OS 9.0 release. |
PAN-137770 | Fixed an issue where the dataplane restarted
due to a loop in DoS protection source-destination IP address classification. |
PAN-137716 | Fixed an issue where, for users with admin
roles, logs for only one device group were displayed due to a query
string with multiple device groups. |
PAN-137663 | Fixed a cosmetic issue where misleading
App-ID and rule shadowing warnings populated after a commit. |
PAN-136791 | Fixed an intermittent issue where the first
response to a SIP INVITE message created incorrect appinfo2ip entries
and caused Via header translation failure. |
PAN-136716 | (Panorama virtual appliances only)
Fixed an issue where SNMP monitoring of ifSpeed reported the interface
speed as 0 for interfaces other than eth0. |
PAN-136650 | Fixed an issue where a Log Collector remained
in an out-of-sync state after configuring an IP address (local or
public) on an additional Ethernet interface. |
PAN-135887 | Fixed an issue where the inner GTP-U flows
were installed using incorrect zones, which led to traffic issues
when the firewall was in line for the S1-U interface. |
PAN-135071 | Fixed an issue in Panorama where the template
stack drop-down was missing templates when using access domain. This
issue is fixed only for existing template stacks. |
PAN-134907 | Fixed an issue where IP tags were not evaluated
in the filter evaluation criteria when Dynamic Address Groups were
configured. |
PAN-134745 | Fixed an issue where Panorama commits failed
due to a process (useridd) exceeding the maximum number
of file descriptors while a large number of firewalls were connecting
to Panorama for User-ID redistribution. |
PAN-134226 | Fixed an issue where AdminStatus for HA1
and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly
reported. |
PAN-134029 | Fixed an intermittent issue on the firewall
where H.225 VOIP signaling packets dropped. |
PAN-133934 | Fixed an intermittent issue where user-to-IP
address mappings were not redistributed to client firewalls. |
PAN-133388 | Fixed an issue where an HA configuration
went out of sync when the HA sync job was queued and processed during
an ongoing content installation job on the passive firewall. |
PAN-133179 | Fixed a rare issue where the show ntp CLI
command showed the status as rejected even
when the NTP was synced with at least one NTP server. |
PAN-132285 | Fixed an intermittent issue where a Security
policy with Send ICMP Unreachable enabled
for certain drop or reset sessions caused a process (all-pktproc) to
restart. |
PAN-132053 | Added an enhancement to improve handling
for firewall management web interface sessions that timeout so that
the message Your session has expired does
not display. Now, the web interface will present a timeout page
that presents a button to redirect back to the login page. |
PAN-131750 | Fixed an issue where a configuration push
from Panorama to the firewall showed the Commit All status
as complete even though the job was still in process. |
PAN-130955 | Fixed an issue where templates on the secondary
Panorama appliance were out of sync with the primary Panorama appliance
due to an empty content-preview node. |
PAN-130357 | Fixed a memory leak issue where virtual
memory used by the SNMP process started to slowly increase when
the request was sent with a request-id of
0. |
PAN-129376 | (PA-800 Series firewalls only)
Fixed an issue that prevented ports 9-12 from being powered down
by hardware after being requested to do so. |
PAN-128172 | Fixed an issue on Panorama where the show system logdb-quota CLI
command took more time than expected, which caused the configuration
lock to time out. |
PAN-128048 | Fixed an issue where certificate-based authentication
with IKEv2 IPSec tunnels failed to establish with some third-party
vendors. |
PAN-125218 | A fix was made to address an information
exposure vulnerability in Panorama that disclosed the token for
the Panorama web interface administrator's session to a managed
device when the Panorama administrator performed a context switch (CVE-2020-2022). |
PAN-124819 | Fixed an issue where only the current day's
logs were visible on Panorama. |
PAN-124331 | Fixed an issue where the LDAP query took
longer than expected to populate in the web interface. |
PAN-122672 | Fixed an issue where the firewall returned
incorrect information about the logging service status when the
information was requested through the web interface. |
PAN-122115 | Fixed an issue with the session browser
search where using more than 32 characters caused an error. |
PAN-121944 | Fixed an issue where the Device Connectivity status
was grey on the firewall web interface even when the SSL session
with the logging service was successful. |
PAN-121035 | Added support for high powered module PAN-QSFP28-100GBASE-ER4. |
PAN-120245 | Fixed an issue on Panorama where WildFire® cloud
content download failed for content deployment to the WF-500 appliance. |
PAN-119982 | Fixed an issue where template variable view
failed to display some template variables when the Device
Priority type variable was configured. |
PAN-119329 | Fixed an issue where a process (devsrvr) stopped
responding when the firewall received corrupted data from the PAN-DB
cloud. |
PAN-118667 | Fixed an issue where firewall policy configurations
displayed [object Object] instead of the
object names. |
PAN-115896 | Fixed an issue where the static route path
monitoring status was not viewable from the CLI or web interface
and failed with the following error message: failed to execute op command. |
PAN-115541 | Fixed an issue where removing a cipher from
an SSL/TLS profile did not take effect if it was attached to the
management interface. |
PAN-112449 | Fixed an issue that caused a process (snmpd)
to stop responding when sending a Simple Network Management Protocol (SNMP)
GET request for LcLogUsageTable on
a Panorama appliance in Management Only mode. |
PAN-110511 | Fixed an issue where a passive Panorama
appliance reported that device groups were out of sync despite a
successful HA sync from the active Panorama appliance. This issue
occurred when the address objects defined in the device group were
in use under the corresponding template. |