PAN-OS 9.0.14 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Post-Quantum Cryptography Detection and Control
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 9.0 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
- Changes to Default Behavior
- Associated Software and Content Versions
- Limitations
-
-
- PAN-OS 9.0.17 Known Issues
- PAN-OS 9.0.16 Known Issues
- PAN-OS 9.0.15 Known Issues
- PAN-OS 9.0.14 Known Issues
- PAN-OS 9.0.13 Known Issues
- PAN-OS 9.0.12 Known Issues
- PAN-OS 9.0.11 Known Issues
- PAN-OS 9.0.10 Known Issues
- PAN-OS 9.0.9 Known Issues
- PAN-OS 9.0.8 Known Issues
- PAN-OS 9.0.7 Known Issues
- PAN-OS 9.0.6 Known Issues
- PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues
- PAN-OS 9.0.4 Known Issues
- PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
- PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
- PAN-OS 9.0.1 Known Issues
- Known Issues Specific to the WildFire Appliance
-
-
- PAN-OS 9.0.17-h5 Addressed Issues
- PAN-OS 9.0.17-h4 Addressed Issues
- PAN-OS 9.0.17-h1 Addressed Issues
- PAN-OS 9.0.17 Addressed Issues
- PAN-OS 9.0.16-h7 Addressed Issues
- PAN-OS 9.0.16-h6 Addressed Issues
- PAN-OS 9.0.16-h5 Addressed Issues
- PAN-OS 9.0.16-h3 Addressed Issues
- PAN-OS 9.0.16-h2 Addressed Issues
- PAN-OS 9.0.16 Addressed Issues
- PAN-OS 9.0.15 Addressed Issues
- PAN-OS 9.0.14-h4 Addressed Issues
- PAN-OS 9.0.14-h3 Addressed Issues
- PAN-OS 9.0.14 Addressed Issues
- PAN-OS 9.0.13 Addressed Issues
- PAN-OS 9.0.12 Addressed Issues
- PAN-OS 9.0.11 Addressed Issues
- PAN-OS 9.0.10 Addressed Issues
- PAN-OS 9.0.9-h1 Addressed Issues
- PAN-OS 9.0.9 Addressed Issues
- PAN-OS 9.0.8 Addressed Issues
- PAN-OS 9.0.7 Addressed Issues
- PAN-OS 9.0.6 Addressed Issues
- PAN-OS 9.0.5-h3 Addressed Issues
- PAN-OS 9.0.5 Addressed Issues
- PAN-OS 9.0.4 Addressed Issues
- PAN-OS 9.0.3-h3 Addressed Issues
- PAN-OS 9.0.3-h2 Addressed Issues
- PAN-OS 9.0.3 Addressed Issues
- PAN-OS 9.0.2-h4 Addressed Issues
- PAN-OS 9.0.2 Addressed Issues
- PAN-OS 9.0.1 Addressed Issues
- PAN-OS 9.0.0 Addressed Issues
End-of-Life (EoL)
PAN-OS 9.0.14 Addressed Issues
PAN-OS® 9.0.14 addressed issues.
Issue ID | Description |
|---|---|
WF500-5568 | Fixed an issue where a firewall in FIPS
mode running PAN-OS 8.1.18 or a later version failed to connect
with a WildFire appliance in normal mode. |
WF500-5513 | Fixed an issue where cloud queries failed,
which generated system logs. The issue occurred because a hash was
not found in the cloud. |
PAN-170740 | Fixed an issue with the google-docs-uploading application that
occurred if a Security policy rule was applied to a Security profile and
traffic was decrypted. |
PAN-168921 | Fixed an issue in active/active high availability
(HA) configurations where traffic with complete packets was showing
up as incomplete and being disconnected due to a non-session owner
device closing the session prematurely. |
PAN-168298 | Fixed an issue where a firewall superuser
using an LDAP authentication profile that was pushed from Panorama
was unable to save the filter under Monitor > Logs. |
PAN-167989 | Fixed a timing issue between downloading
and installing threads that occurred when Panorama pushed content
updates and the firewall fetched content updates simultaneously. |
PAN-166836 | Fixed an issue where session failed due
to resource unavailability. |
PAN-166328 | (PA-7000 Series firewalls with NPCs
only) Fixed an issue where path monitoring failure occurred
while hot inserting a 100G NPC (network processing card) into the
firewall. |
PAN-166296 | Fixed an issue where an unavailable certificate
revocation list (CRL) from the server side caused an infinite loop
on a process (sslmgr), which resulted in it not responding
for other tasks. |
PAN-166241 | A fix was made to address an improper restriction
of XML external identity (XXE) reference in the PAN-OS web interface
that enabled an authenticated administrator to read any arbitrary
file from the file system and send a specifically crafted request
to the firewall that caused the service to crash (CVE-2021-3055). |
PAN-165661 | Fixed an issue in an HA active/active configuration
where an administrative shutdown message was not sent to the BGP
peer when the firewall went into a suspended state, which delayed convergence. |
PAN-164922 | Fixed an issue on Panorama where a context
switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19
failed. To utilize this fix, upgrade Panorama to PAN-OS 10.0.5. |
PAN-164846 | Fixed an issue where packet buffers were
depleted. |
PAN-164646 | Fixed an issue where tunnel monitoring in
the Large Scale VPN (LSVPN) displayed as down in both the CLI and
the web interface due to incorrect dataplane ownership. |
PAN-164422 | (VM-Series firewalls only) A fix
was made to address improper access control that enabled an attacker
with authenticated access to GlobalProtect portals and GlobalProtect
gateways to connect to the EC2 instance metadata endpoint for VM-Series
firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062). |
PAN-164056 | Fixed a memory issue for LSVPNs with multiple
dataplane systems. |
PAN-162710 | Debug code was introduced to enable additional
logging for flow lookup. |
PAN-162600 | Fixed an issue where, when the GlobalProtect
client sent UDP/4501 traffic that was destined for the GlobalProtect
gateway inside the GlobalProtect tunnel, the firewall still processed
the traffic, which caused routing loops. |
PAN-161260 | |
PAN-160744 | Fixed an issue where the negative time difference
between the dataplane and the management plane during the client
certificate info check prevented the GlobalProtect client from connecting
to the GlobalProtect gateway with the following error message: Required client certificate not found. |
PAN-160455 | A fix was made to address an issue where
certain invalid URL entries contained in an External Dynamic List
(EDL) caused the devsrvr process to stop responding (CVE-2021-3048). |
PAN-159944 | Fixed an issue where a process (dnsproxyd) stopped
responding due to an error in the DNS cache operation. |
PAN-159826 | Fixed an issue where SSL VPN memory leaked
when the default browser for SAML authentication on GlobalProtect
was not enabled. |
PAN-159295 | Fixed an issue where scheduled configuration
export files saved in the /tmp folder
in root were not periodically purged, which caused the root partition
to fill up. |
PAN-159135 | Fixed an issue where the firewall rejected
SAML Assertions, which caused user authentication failure when the Validate Identity
Provider Certificate was enabled in the SAML Server
Profile in vsys3 or above. |
PAN-158988 | Fixed an issue with HTTP Header Insertion
where the payload was truncated when processing a segmented TCP
stream and when the client retransmitted the packet with the same
sequence number that was previously received segmented. |
PAN-158844 | Adds additional debugging to be used in
identifying the malformed references causing process crashes during
FQDN refresh. |
PAN-158774 | Fixed an issue where random DNS queries
dropped with the counter ctd_dns_wait_pkt_drop when DNS
security was enabled. |
PAN-158723 | A fix was made to address an improper handling
of exception conditions in the PAN-OS dataplane that enabled an
unauthenticated network-based attacker to send specifically crafted
traffic through the firewall that caused the service to crash (CVE-2021-3053). |
PAN-158638 | Fixed an issue where the firewall returned
the following error message when attempting to request a device
certificate using a one-time password (OTP): invalid ocsp response sig-alg. |
PAN-158439 | Fixed a memory leak on the management server
process on Firewall. |
PAN-158262 | A buffer overflow vulnerability in the Telnet-based
administrative management service included with PAN-OS software
allows remote attackers to execute arbitrary code. A fix was
made to address a buffer overflow vulnerability in the Telnet-based
administrative management service included with PAN-OS that allowed
a remote attacker to execute arbitrary code (CVE-2020-10188). |
PAN-157834 | Fixed an issue with missing zone entries
in CSV or PDF export files. |
PAN-157721 | Fixed an issue where the firewall dropped
GPRS tunneling protocol (GTPv2) Create Session Requests and Responses
that had IEs 201 and 202 with the error Abnormal GTPv2-C message with invalid IE. |
PAN-157346 | Fixed an issue where HIP custom checks for
plist failed when the HIP exclusion category were configured under
(Mobile User Template > Network > GlobalProtect > Portal<portal-config>
> Agent<agent-config> > HIP Data Collection). |
PAN-157035 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where multicast packets traversing the
firewall in VLAN configurations experienced higher drop rates than
expected. |
PAN-157027 | Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage. |
PAN-156482 | Fixed a packet buffer issue where HTTP2
packets were held for category lookup and the HTTP request was across
multiple packets. |
PAN-156240 | A fix was made to address an issue where
a cryptographically weak pseudo-random number (PRNG) was used during
authentication to the PAN-OS interface. As a result, attackers with
the capability to observe their own authentication secrets over
a long duration on the firewall had the ability to impersonate another
authenticated web interface administrator’s session (CVE-2021-3047). |
PAN-156225 | (PA-3200 Series firewalls only)
Fixed an issue where the HA1-B port remained down after an upgrade
from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to
PAN-OS 10.0.4. |
PAN-155049 | Fixed an issue with SSLVPN memory leaks
related to the GlobalProtect portal Config Selection Criteria. |
PAN-154602 | Fixed an issue where GlobalProtect users
got disconnected after modifying floating IP HA configuration. |
PAN-154557 | Fixed an issue that caused a process (useridd) core
dump when parsing the Subject Alternative Name from a client certificate
sent in the HIP report. |
PAN-154403 | Fixed an issue with HIP matching logic for
missing patches where previous behavior indicated missing patches
when no patches were missing. |
PAN-154376 | Fixed an issue where a process (mgmtsrvr) stopped
responding and was inaccessible through SSH or HTTPS until the firewall
was power cycled. |
PAN-154016 | Fixed an issue where auto-commits failed
for VM-Series firewalls bootstrapped with new content installation
during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>. |
PAN-153814 | Fixed an issue where the firewall displayed
the URL Filtering Safe Search Block Page on the specific site only,
even when the traffic was matched to a specific rule that did not
have any URL filtering policies. |
PAN-153382 | Fixed an issue where the per-minute resource
monitor was three minutes behind. |
PAN-153316 | CLI commands were added to address an issue
where virtual memory on a process (configd) exceeded
the new 32G limit.
|
PAN-153213 | Fixed a rare issue where TCP packets randomly
dropped due to reassembly failure. |
PAN-152497 | Fixed an issue where the firewall was unable
to create a new GTP-U session when it received Create Session Response
messages, which caused the following error message to display in
the GTP log: GTPv1 message failed stateful inspection. |
PAN-152458 | (VM-Series firewalls on Microsoft Hyper-V
only) Fixed an issue where, when upgrading to PAN-OS 9.0.8
or later, ethernet packets dropped after adding VLAN tags during
egress from a subinterface. To leverage this fix, set the interface
level maximum transmission unit (MTU) to 1496 or less. |
PAN-151521 | Fixed an issue where a process (logrcvr) continuously
restarted at pan_hash_iter_next_i. |
PAN-151395 | Fixed an issue where the firewall repeatedly
logged connection failures to a configured Log Collector. |
PAN-150534 | Fixed an issue where authentication logs
with the subtype SAML were not forwarded to the syslog server. |
PAN-150467 | Fixed a memory leak issue with a unified
query that caused a process (mprelay) to restart due
to an out-of-memory (OOM) condition. |
PAN-150337 | A fix was made to address a reflect cross-site
scripting (XSS) vulnerability in the PAN-OS web interface that enabled
an authenticated network-based attacker to mislead another authenticated
PAN-OS administrator to click on a specially crafted link that performed
arbitrary actions in the web interface as the targeted authenticated
administrator (CVE-2021-3052). |
PAN-150110 | Fixed an issue where Elasticsearch restarted
unexpectedly when it ran out of memory. This was due to the vm.max-map-count value
being set incorrectly in the newer version of Elasticsearch (starting
from PAN-OS 9.0). With this fix, the value is set correctly. |
PAN-150023 | A fix was made to address an issue where
an improper authentication vulnerability enabled a Security Assertion
Markup Language (SAML) authenticated user to impersonate any user
in the GlobalProtect portal and GlobalProtect gateway when they
were configured to use SAML authentication (CVE-2021-3046). |
PAN-149501 | A fix was made to address a memory corruption
vulnerability in the GlobalProtect Clientless VPN that enabled an
authenticated attacker to execute arbitrary code with root user
privileges during SAML authentication (CVE-2021-3056). |
PAN-147827 | Fixed an issue where, when SIP traffic traversing
the firewall was sent with a high QoS Differentiated Services Code
Point (DSCP) value, the DSCP value was reset to the default setting
(CS0). |
PAN-147783 | Checks were added to help prevent the dataplane
from restarting. |
PAN-147781 | A fix was made to address an issue where
an OS command argument injection vulnerability in the PAN-OS web
interface enabled an authenticated administrator to read any arbitrary
file from the file system (CVE-2021-3045). |
PAN-146250 | Fixed an issue where, in two separate but
simultaneous sessions, the same software packet buffer was owned
and processed. |
PAN-146107 | Fixed an issue where memory allocation failure
caused a process (pan_comm) to restart several times,
which caused the firewall to restart. |
PAN-144470 | Fixed an issue where driver descriptor rings
were out of sync in the control plane to dataplane direction, which
caused internal path monitoring heartbeat failures. |
PAN-142621 | Fixed an issue where the firewall was unable
to log debug information in case of kernel panic. |
PAN-141813 | Fixed an issue where multiple daemons restarted
due to a management plane ARP overflow. |
PAN-138727 | A fix was made to address a time-of-check
to time-of-use (TOCTOU) race condition in the PAN-OS web interface
that enabled an authenticated administrator with permission to upload
plugins to execute arbitrary code with root user privileges (CVE-2021-3054). |
PAN-137147 | Fixed an issue where configuration commits
failed due to the dataplane running out of memory in policy cache
allocation. |
PAN-136347 | Fixed an issue where DNS proxy TCP connections
were processed incorrectly, which caused a process (dnsproxy)
to stop responding. |
PAN-133886 | Fixed an issue where GlobalProtect users
were unable to connect to mobile gateways when download of a large
CRL failed due to timeouts that resulted in CRL check failures. |
PAN-132035 | Fixed an issue on Panorama appliances in
an active/passive HA configuration where a managed firewall generated
high priority alerts that it failed to connect to the passive Panorama
appliance's User-ID agent server. This issue occurred because the
firewall was only able to connect to one Panorama User-ID server
at a time, and it connected only to the active Panorama appliance's
User-ID server. |
PAN-115553 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where internal path monitoring failed,
which caused the firewall to unexpectedly restart. |
PAN-110429 | Fixed an issue with firewalls in an HA configuration
where multiple all_pktproc processes stopped responding
due to missing heartbeats, which caused service outages. |