PAN-OS 9.0.3 Addressed Issues

Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the debugsoftware disk-usage aggressive-cleaning enable CLI command and resulted in the following error message: Server error:Failed to execute op command.

Fixed an issue where after you changed the filter configuration in the user.src notin 'cns\proxy full profile, the firewall displayed the following error message: Unknown user group cns\Proxy Full.

Fixed an issue where the GTP-U session did not match the correct policy, which caused the IMSI and IMEI not to display in the inner session traffic and threat logs.

(PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) Fixed an issue where the QSFP28 port did not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release.

(PA-3000 Series firewalls only) Fixed an intermittent issue where a low memory condition prevented decoders from loading, which led to traffic inspection issues related to the impacted decoder(s).

Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake—was introduced in PAN-OS^® 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details a change we've made in PAN-OS 9.0.3 to support this feature across all firewall platforms. Here’s how you can get started with Cortex Data Lake now.

(Firewalls with an AutoFocus license only) Fixed an issue where AutoFocus™ threat intelligence did not display when hovering over source and destination addresses in the logs when you configure a service route or proxy.

Fixed an issue where end users who don't have REST API authentication roles were able to list and edit configuration rules.

Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.

Fixed an issue where authentication failed when you configured a User Principal Name (UPN) and included a group in the profile.

Fixed an issue where multiple device group administrators simultaneously enabled configuration locks caused a race condition.

Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (configd) used higher than expected CPU and memory.

(PA-200 firewalls only) Fixed a rare out-of-memory (OOM) condition.

Fixed an issue where the firewall sent truncated URLs to the Captive Portal Redirect message when HTTPS traffic sent through a proxy server was subjected to decryption.

Fixed an issue where communication between tunnel interfaces did not respond when you configured a generic routing encapsulation (GRE) tunnel.

Fixed an issue where the NSX Manager passed a blank string to Panorama, which added a null entry into the configuration and caused commits to fail.

Fixed an intermittent issue where after a configuration change, a commit caused the dataplane to stop responding.

Fixed an issue where a dataplane process (all_pktproc) stopped responding due to a packet buffer protection feature.

Fixed an issue where the /opt/pancfg/ partition became full due to a configuration preview operation not responding.

Fixed an issue where a session created from a predict session went into DISCARD state.

Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" configurations (ObjectsLog ForwardingAddAddFilterFilter Builder) and resulted in the following error message: Invalid filter policy-logging-cf-ent -> match-list -> ITS_url_logs -> filteris invalid.

Fixed a rare issue where a commit caused the firewall to stop responding when you enabled flow debug and configured a NAT policy.

Fixed a rare issue where Traffic logs, Threat logs and URL filtering logs stopped generating.

Fixed an issue where a process (appweb) stopped responding, which caused the web interface to stop responding.

Fixed an issue where GlobalProtect™ gateway client configuration generation failed when a matching rule existed.

Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS 8.1, commits failed when Panorama was configured to manage shared gateway objects for managed firewalls.

Fixed an issue where a daemon (authd) stopped responding when you configured a GlobalProtect portal and gateway with Security Assertion Markup Language (SAML) authentication.

Fixed an issue where firewall logs incorrectly included the end-user IP address in GTP message logs when you configured PAA IE with IPv4 and IPv6 dual stack in the Create Session Response message.

Fixed an issue where all the log collectors did not get queued when you configured more than 32 collector groups.

Fixed an issue where the setsystem setting layer4-checksum disable CLI command did not disable the Layer 4 checksum check as expected.

Fixed an issue on Panorama M-Series and virtual appliances where you were unable to authenticate when the authentication profile contained a server profile that used the FQDN of the server.

Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.

Fixed an issue where multiple dataplanes stopped responding and caused traffic outages after you enabled IPSec tunnels.

Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.

Fixed an issue on Panorama M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface with the exception of GlobalProtect cloud service firewalls.

Fixed an issue on a VM-Series firewall where a process (all_task) stopped responding, which caused the firewall to reboot.

Fixed an issue where the firewall dropped GTPv1 DELETE PDP response packets that had a termination endpoint ID (TEID) value of 0.

Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.

Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (all_pkts) stopped responding, which caused the dataplane to restart.

Fixed an issue where the firewall dropped UpdatePDPContext reponse packets and displayed the following GTP log event: 122113.

A security-related fix was made to address a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912)

Fixed an issue with a memory leak on Panorama appliances associated with commits that eventually caused an unexpected restart of the configuration (configd) process.

(PA-200 firewalls only) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.

A security-related fix was made to correct log file string-conversion errors that caused parsing issues, which caused the User-ID™ (useridd) process to stop running.

Fixed an issue on Panorama VM-Series firewalls where you were logged out of the web interface and had to log back in to push a device group and template configuration from a newly launched bootstrapped firewall.

(PA-5200 Series firewalls only)Fixed an issue where a process (brdagent) stopped responding, which caused the management plane to stop responding.

Fixed an issue where an escape ( “\” ) character was added to HTTP log s when a log contained a comma.

Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the HA1 port flapped and caused a split-brain condition.

Fixed an issue where a predefined report (blocked credential post) generated reports using the incorrect query builder (flags has credential-builder), which caused the report to incorrectly display logs for alerts.

Fixed an issue where the connection between the firewall and Log Collector flapped.

Fixed an issue where IPv4 BGP routes were missing from the routing table and FIB after a failover event.

Fixed an issue where the firewall was unable to add IPv6 loopback IP address ::1 to the external dynamic list and displayed the following error message: Invalid ips: ::1.

Fixed an issue where you were unable to generate user activity reports when the username included a colon ( : ), ampersand ( & ), single parenthesis ( ' ) character.

A security-related fix was made to address a command injection vulnerability (PAN-SA-2019-0018 / CVE-2019-1576).

(PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the debug dataplane set pow no-desched yes CLI command.

(PA-5200, PA-3200, and PA-7000 Series firewalls with 100Gbps cards only) Fixed an issue where the show qos interface ae1 throughput 0 CLI command incorrectly displayed the active data stream only and QoS was not working as expected on the first subinterface.

Fixed an issue where you were unable to generate a custom report (MonitorManage Custom Report<device-name>Report Setting).

Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured Exclude video traffic from the tunnel (NetworkGlobalProtectGateways<gateway-name>AgentVideo Traffic).

Fixed an issue where a process (all_pktproc) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.

Fixed an issue on a VM-Series firewall where all jobs did not execute and returned the following error message: Error- time out sending/receiving message.

Fixed an issue where member interfaces of the aggregate interface did not display on web interface (PanoramaManaged DevicesHealthAll Devices<device-name>Interfaces).

Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal log in page.

Fixed an issue where you were unable to establish a GlobalProtect connection on IPv6 and displayed the following error message: Packet too big due to the firewall MTU value set lower than normal on the neighboring firewall.

Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message: Dataplaneis down: controlplane exit failure.

Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.

Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID (TEID) was not updated correctly during a GTP-C update.

Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.

Fixed an issue where a commit failed with an error message: cluster is missing 'encryption' when HA Traffic Encryption (PanoramaManaged WildFire Clusters<appliance-name>Communication) was not configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.

Fixed an intermittent issue where a process (configd) restarted due to a race condition when generating custom reports.

Fixed an intermittent issue where the firewall dropped packets when the policy rule was set to allow but denied the packets during a commit or high availability (HA) sync.

Fixed an issue where a race condition occurred when a configuration push and NetFlow update occurred simultaneously, which caused the dataplane to restart.

Fixed an issue where you were unable to configure more than one device certificate (DeviceCertificate ManagementCertificates<device certificate-name>) with Trusted Root CA.

(PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama the template configuration referenced Bidirectional Forwarding Detection (BFD).

Fixed an issue where the dataplane stopped responding and caused a failover event.

Fixed an issue where you were unable to override IKE Gateway configurations (NetworkIKE Gateways<template-name>) in the template stack. However, with this fix, you still cannot override template stacks when you configure any value with none. Additionally, to override the Local Identification, select Authentication in the pop-up dialogue.

Fixed an issue where, after you upgrade the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID agent and group mapping incorrectly mapped users to groups.

Fixed an intermittent issue on a firewall where configuring Force Template Values (NetworkInterfacesCommitPush to DevicesTemplates) deleted the zone assigned to an interface.

Fixed an issue where host traffic ICMP packets larger than 9,180 bytes dropped when you configured a jumbo frame with a maximum MTU value of 9,216 bytes and with the DF option enabled.

Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.

Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after a HA failover.

Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a Suspicious TLS/HTTP(S)Evasion Found event.

Fixed an issue where a process (tund) caused the dataplane to restart during a commit.

Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (NetworkVirtual RoutersAddRouter settingsECMP).

Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.

Fixed an issue where IPv6 traffic throughput reduced more than expected after you updated a static ND entry (NetworkInterfaces<interface-name>AdvancedND Entries) by moving the interface to a different virtual router.

Fixed an issue where an SSL inbound session cache corruption caused a process (all_pktproc) to stop responding.

Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.

Fixed an issue where the dataplane restarted due to an internal path monitoring failure Caused by large SSL decrypted file transfer sessions.

Fixed an issue on a firewall in an HA active/active configuration where the show vpn ipsec-sa CLI command incorrectly returned an error message: Server error: An error occurred. See dagger.log for information when you ran the command on the active secondary firewall.

Fixed an issue where the log collector within a collector group retained varying numbers of detailed firewall logs when you enabled log redundancy.

Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN sub-interface in conjunction with policy based forwarding (PBF) caused the firewall to forward the return traffic to the incorrect web interface.

Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.

Fixed an issue where the GlobalProtect Gateway web interface did not display the list of previous users.

Fixed an issue where forward error correction (FEC) was disabled by default for AOC modules, which caused QSFP ports to flap or remain in the DOWN state. With this fix, FEC is enabled by default for AOC modules.

Fixed an issue where a firewall incorrectly processed path monitoring, which originated from a NAT firewall on the same network segment.

Fixed an issue on a firewall where stateful inspection failed, which caused the firewall to drop GTPv2-C Modify Bearer Request packets.

Fixed an issue where the firewall did not send emails when you configured the email gateway with an FQDN.

Addressed an issue where in a slow network environment the firewall displayed an error message: error online 1 at column 1: document is empty when you used an API call to fetch a license even when the auth code was successfully applied. Extremely slow networks may still see this issue.

Fixed an issue where an API call (show system disk details), responded with the following error message: An error occurred. See dagger.log for information.

Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.

Fixed an issue where Dynamic Updates did not display expired threat prevention licenses when you tried to install an application from Panorama.

Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.

Fixed an issue where the decode filter was unable to detect the end characters of a file name, which caused the firewall to bypass the file blocking profile.

Fixed an issue where a process (slmgr) stopped responding during an auto-commit.

Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused auto-commits to fail.

Fixed an issue on Panorama M-Series and virtual appliances where Panorama unnecessarily checked and updated licenses for VM-Series firewalls on AWS after every commit, which resulted in new log entries. With this fix, Panorama no longer checks licenses after every commit.

(PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card took longer than expected to respond.

Fixed an issue Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookups, which caused inconsistent name resolutions for DNS deployments.

Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.

(PA-5250, PA-5260, and PA-5280) Fixed an issue where, when you deployed the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems were limited to using a translated IP address-and-port pair for only one connection.

Fixed an issue where the firewall incorrectly denied URL access when the URL filtering profile was configured to alert.

Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.

Fixed an issue where GlobalProtect clientless VPN did not get redirected to the application URL when you used Internet Explorer as a web browser.

Fixed an issue on GlobalProtect Clientless VPN where the URL gets truncated when you exclude the domain from the Rewrite Exclude Domain List (NetworkGlobalProtectPortals<portal-name>Clientless VPNAdvanced Settings).

Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.

Fixed an intermittent issue where the Data Filtering (MonitorData Filtering) and Threat Log (MonitorThreat) did not display file names when you transferred multiple files into a single session.