PAN-OS 9.1.3 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Post-Quantum Cryptography Detection and Control
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 9.1 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
- Changes to Default Behavior
- Limitations
-
-
- PAN-OS 9.1.19 Known Issues
- PAN-OS 9.1.18 Known Issues
- PAN-OS 9.1.17 Known Issues
- PAN-OS 9.1.16 Known Issues
- PAN-OS 9.1.15 Known Issues
- PAN-OS 9.1.14 Known Issues
- PAN-OS 9.1.13 Known Issues
- PAN-OS 9.1.12 Known Issues
- PAN-OS 9.1.11 Known Issues
- PAN-OS 9.1.10 Known Issues
- PAN-OS 9.1.9 Known Issues
- PAN-OS 9.1.8 Known Issues
- PAN-OS 9.1.7 Known Issues
- PAN-OS 9.1.6 Known Issues
- PAN-OS 9.1.5 Known Issues
- PAN-OS 9.1.4 Known Issues
- PAN-OS 9.1.3 Known Issues
- PAN-OS 9.1.2 Known Issues
- PAN-OS 9.1.1 Known Issues
-
-
- PAN-OS 9.1.19 Addressed Issues
- PAN-OS 9.1.18 Addressed Issues
- PAN-OS 9.1.17-h1 Addressed Issues
- PAN-OS 9.1.17 Addressed Issues
- PAN-OS 9.1.16-h5 Addressed Issues
- PAN-OS 9.1.16-h4 Addressed Issues
- PAN-OS 9-1-16-h3 Addressed Issues
- PAN-OS 9.1.16 Addressed Issues
- PAN-OS 9.1.15-h1 Addressed Issues
- PAN-OS 9.1.15 Addressed Issues
- PAN-OS 9.1.14-h8 Addressed Issues
- PAN-OS 9.1.14-h7 Addressed Issues
- PAN-OS 9.1.14-h4 Addressed Issues
- PAN-OS 9.1.14-h1 Addressed Issues
- PAN-OS 9.1.14 Addressed Issues
- PAN-OS 9.1.13-h5 Addressed Issues
- PAN-OS 9.1.13-h4 Addressed Issues
- PAN-OS 9.1.13-h3 Addressed Issues
- PAN-OS 9.1.13-h1 Addressed Issues
- PAN-OS 9.1.13 Addressed Issues
- PAN-OS 9.1.12-h7 Addressed Issues
- PAN-OS 9.1.12-h6 Addressed Issues
- PAN-OS 9.1.12-h4 Addressed Issues
- PAN-OS 9.1.12-h3 Addressed Issues
- PAN-OS 9.1.12 Addressed Issues
- PAN-OS 9.1.11-h5 Addressed Issues
- PAN-OS 9.1.11-h4 Addressed Issues
- PAN-OS 9.1.11-h3 Addressed Issues
- PAN-OS 9.1.11-h2 Addressed Issues
- PAN-OS 9.1.11 Addressed Issues
- PAN-OS 9.1.10 Addressed Issues
- PAN-OS 9.1.9 Addressed Issues
- PAN-OS 9.1.8 Addressed Issues
- PAN-OS 9.1.7 Addressed Issues
- PAN-OS 9.1.6 Addressed Issues
- PAN-OS 9.1.5 Addressed Issues
- PAN-OS 9.1.4 Addressed Issues
- PAN-OS 9.1.3-h1 Addressed Issues
- PAN-OS 9.1.3 Addressed Issues
- PAN-OS 9.1.2-h1 Addressed Issues
- PAN-OS 9.1.2 Addressed Issues
- PAN-OS 9.1.1 Addressed Issues
- PAN-OS 9.1.0 Addressed Issues
End-of-Life (EoL)
PAN-OS 9.1.3 Addressed Issues
PAN-OS® 9.1.3 addressed issues.
Issue ID | Description |
---|---|
PAN-148988 | A fix was made to address a Security Assertion
Markup Language (SAML) authentication issue (CVE-2020-2021). |
PAN-148068 | Fixed an issue where SSL connections were
blocked if you enabled decryption with the option to block sessions
that have expired certificates. This issue included servers that
sent an expired AddTrust certificate authority (CA) in the certificate
chain. |
PAN-147424 | Fixed an issue with internal buffer and
file sizes where logs were discarded due to slow log purging when
the incoming log rate was high. |
PAN-145195, PAN-145151, PAN-145150, and PAN-145149 | A fix was made to address a buffer overflow
vulnerability in PAN-OS that allowed an unauthenticated attacker
to disrupt system processes and potentially execute arbitrary code
with root privileges by sending a malicious request to the Captive
Portal or Multi-Factor Authentication interface (CVE-2020-2040). |
PAN-145026 | Fixed an issue where Cortex Data Lake certificates
on the firewall were not automatically renewed after the certificates
expired. |
PAN-144782 | Fixed an issue where a configuration audit
created a large number of opresult.out files, which filled up the
session/pan/user_tmp directory in opt/pancfg. This caused a slow
Panorama response until a device restart was performed or the files
were manually deleted from the root of the device. |
PAN-144646 | Fixed an issue where a process (varrcvr) stopped
responding on the PA-7000 Series Log Forwarding Card (LFC) when
it received a verdict from the WildFire cloud. |
PAN-144221 | (Microsoft Azure only) Fixed an
issue where a process (brdagent) stopped responding,
which caused the firewall to restart unexpectedly. |
PAN-144073 | Fixed an issue where on the Panorama management
server, hub and branch firewall latency, jitter, and packet loss
data was not updated when monitoring SD-WAN link performance (Panorama
> SD-WAN > Monitoring). |
PAN-143957 | Fixed an issue where, after loading a saved
configuration snapshot by API, a custom role-based administrator
required Superuser privileges to perform a full commit. |
PAN-143845 | Fixed an issue where the firewall repeatedly
rebooted due to a process (rasmgr) restarting when
GlobalProtect was used in pre-logon mode. |
PAN-143537 | (VM-Series firewalls only) Fixed
an issue where disk utilization of the root partition increased
until it reached 100%. |
PAN-143493 | Fixed an memory issue associated with a
process (mgmtsrvr) due to a large number of ACK packets
in logs on Panorama or the log collector. |
PAN-143442 | Fixed an issue where Amazon Web Services
(AWS) Nitro System based VM-Series firewalls unexpectedly rebooted
due to input/output (I/O) errors caused by improper NMVE I/O timeout
settings. |
PAN-143169 | Fixed an issue where running a test security-policy-match API
command truncated the rule name to 31 characters. |
PAN-143130 | Fixed an issue where, in Panorama, cloning
a shared Security policy rule failed if done via the web interface
and resulted in a process (configd) restarting with
the following error message: Failed security rule(s): undefined The request could not be handled. |
PAN-142674 | Fixed an issue where a process (brdagent)
failed in a high availability (HA) configuration using High Speed
Chassis Interconnect (HSCI) ports due to a memory leak. |
PAN-142302 | Fixed an issue where the firewalls faced
connection issues with Cortex Data Lake. |
PAN-142089 | Fixed an internal logging issue for a daemon (authd). |
PAN-141923 | Fixed an issue where authentication stopped
working after a commit and a process (authd) exited,
which caused other processes to exit. |
PAN-141844 | Fixed an issue where promiscuous VLAN mode
did not work with the new host drivers being used on the ESXi and
single-root input/output virtualization (SR-IOV) with VLAN tagging
did not work as expected. Both Data Plane Development Kit and packet
mmap mode did not work. |
PAN-141563 | Fixed an issue where Slot 8 path monitoring
failure occurred due to a memory buildup in a process (logrcvr)
that was caused by slow communication and connection between log
forwarding and Cortex Data Lake. |
PAN-141262 | Fixed an issue where the resolution of FQDN
for a policy on the web interface did not work as expected if the
FQDN contained capital letters. |
PAN-141239 | Fixed an issue where dataplane free memory
was depleted, which affected new GlobalProtect connections to the
firewall. |
PAN-141221 | Fixed an issue where a commit or content
update operation with an error was not prevented from executing
in the dataplane, which caused corruption in the dataplane policy
cache. |
PAN-140982 | (PA-7000 Series firewalls only)
Fixed an issue where a process (mprelay) on the control
plane was restarted due to an internal heartbeat miss. |
PAN-140846 | Fixed an issue where the dataplane restarted
during a commit when Netflow was enabled. |
PAN-140669 | Fixed a memory leak issue caused by a process (mgmtsrvr). |
PAN-140628 | Fixed an issue where a memory leak on a
process (useridd) caused multiple processes to restart
during device serial number checks. |
PAN-140618 | Fixed an issue on Panorama where SNMP monitoring
of the logging rate per device was incorrect. |
PAN-140575 | |
PAN-140465 | (VM-Series firewalls only) Fixed
connection issues between IPv6 peers when the IPv6 neighbor cache
was synchronized in an HA cluster where, after failover, the newly
active firewall did not send multicast neighbor solicitation from
its global unicast address. |
PAN-140389 | Fixed an issue on Panorama in Legacy mode
where configuring Network File System (NFS) log storage (Device
> Setup > Operations) caused all plugin installations
to fail. |
PAN-140386 | Fixed an intermittent issue where the firewall
used IP addresses instead of domain names for URL category lookup
after upgrading to 9.0.6. |
PAN-140375 | Fixed an issue where a process (logrcvr)
exited due to a race condition. |
PAN-140270 | Added additional debugging to periodically
collect the debug dataplane internal pdt bcm counters graphicalCLI
command's output in the Tech Support File (TSF). |
PAN-140121 | Fixed an issue where a process (authid)
used a large amount of memory due to many incomplete authentication requests,
which caused an out-of-memory (OOM) condition. |
PAN-140043 | (PA-7050 firewalls running on PA-7000
100G NPCs only) Fixed an issue where the PA-7000 100G NPC Native
Implemented Function (NIF) initialization took longer than expected,
which caused internal path monitoring failure and sent the firewall
into a non-functional state while rebooting. |
PAN-139935 | Fixed an issue in the URL process where
a process (devsrvr) stopped responding. |
PAN-139858 | Fixed an issue where Policy >
Security > Test Policy Match did not work when the source
user or group length was greater than 20 characters. |
PAN-139727 | Fixed an issue where disabling predefined
trusted root certificates did not have any effect. |
PAN-139718 | Fixed an issue where the firewall failed
stateful inspection for GTP forward relocation requests greater
than 1,500 bytes and could not parse Access Point Name (APN) information
in forward relocation requests. |
PAN-139661 | Fixed an issue that led to exhaustion of
memory, which resulted in path monitoring failures when Cortex Data
Lake was configured. |
PAN-139595 | Fixed an issue on Panorama in Legacy mode
where a process (logd) repeatedly restarted while processing
incoming logs and caused Panorama to reboot. |
PAN-139555 | Fixed an issue where after upgrading the
passive firewall, the outer UDP sessions synced from the active
firewall did not retain the rule information and after failover,
GPRS tunneling protocol (GTP) inspection did not work. |
PAN-139391 | Fixed an issue where unique GlobalProtect
portal profiles were not selected in the correct order. |
PAN-139371 | Fixed an issue where a commit failed with
the following error message: destination is invalid when
using objects from static routes. |
PAN-138870 | Fixed an issue where a process (configd) restarted
and administrators received one of the following error messages: Timed out while getting config lock. Please try again or Please wait while the server reboots... due
to a database error. |
PAN-138813 | Fixed a performance drop issue seen when
using API to configure larger sets of objects (more than 25 objects). |
PAN-138739 | Fixed an issue where, in an HA active/active
configuration in a virtual wire deployment with asymmetric traffic,
decryption did not work for some sites. |
PAN-138674 | Fixed an issue where custom role-based admins
were able to reset the rule hit counter for disabled device groups. |
PAN-138648 | Fixed an issue with internal buffer and
file sizes where logs were discarded due to slow log purging when
the incoming log rate was high. |
PAN-138476 | Fixed an intermittent issue where logs were
delayed or missing when querying for logs by applying filters. To
leverage this fix, you must upgrade Panorama to 9.0.9 and the Cloud
Services plugin to 1.6.0-h1. |
PAN-138213 | Fixed an issue where a Panorama Custom Report based
on the Detailed Logs > Panorama Data > Traffic database
was not able to report on decrypted sessions. |
PAN-138037 | Fixed an issue where the host information
profile (HIP) match message was automatically enabled when modifying
the GlobalProtect Agent settings. |
PAN-138034 | Fixed an issue where virtual machine (VM)
information source Dynamic Address Groups overrode static address
groups, which caused traffic to hit the wrong Security policy rule. |
PAN-137902 | (PA-7000 Series firewalls only)
Fixed an issue where hot swapping a PA-7000 100G NPC with a PA-7000
20G NPC caused packet buffer leak and slot restarts. |
PAN-137885 | (VM-Series firewalls in Microsoft Azure
environment only) Fixed an issue where a firewall with accelerated
networking enabled was unable to process packets efficiently because
of underlying Microsoft drivers. To leverage this fix, you must
upgrade to VM-Series Plugin 1.0.12. |
PAN-137867 | (PA-7000 Series firewalls only, running
with both a PA-7000 100G NPC and a PA-7000 20G NPC) Fixed an
issue where IPSec traffic caused dataplane restarts. |
PAN-137777 | Fixed an issue where GlobalProtect logs
failed to send to syslog servers over a TCP connection. |
PAN-137716 | Fixed an issue where, for users with admin
roles, logs for only one device group were displayed due to a query
string with multiple device groups. |
PAN-137673 | Fixed an issue where a memory leak associated
with a process (devsrvr) caused an out-of-memory (OOM)
condition on the firewall. |
PAN-137656 | Fixed an issue where the show config diff CLI
command did not work correctly and produced unexpected output. |
PAN-137401 | Fixed an issue where the authentication
policy did not redirect users for Captive Portal authentication
if the attached authentication profile did not have Enable
Additional Authentication Factors selected. |
PAN-137387 | Fixed an issue where URL filtering used
the IP address instead of the hostname, which led to incorrect URL
categorization. |
PAN-137251 | Fixed an issue where a Panorama appliance
running PAN-OS 9.1.0 was unable to export address objects and displayed
the following error message: Error while exporting. |
PAN-137152 | Fixed an issue where SSL decrypted traffic
was dropped due to a certificate status error during session resumption. |
PAN-136957 | Fixed an issue where access was denied if
a password contained more than 63 characters. |
PAN-136950 | Fixed an issue where, on a firewall managed
by Panorama, the XML API based IP tags were lost after a firewall
reboot or process (useridd) restart. |
PAN-136791 | Fixed an issue where, in a particular scenario,
the first response to a SIP INVITE message created incorrect appinfo2ip entries
and caused Via header translation failure. |
PAN-136765 | Fixed an issue where an FQDN update that
resolved to the same IP address of another FQDN across different
policies caused the other FQDN to be deleted due to missing FQDN
aggregation. |
PAN-136726 | Fixed an issue on the firewall where the
dataplane pan-task process (all_pktproc) stopped responding
while inspecting Server Message Block (SMB) traffic. |
PAN-136716 | (Panorama virtual appliances only)
Fixed an issue where SNMP monitoring of ifSpeed reported the interface
speed as 0 for interfaces other than eth0. |
PAN-136703 | (PA-3000 Series and PA-800 Series firewalls
only) Fixed an issue with insufficient memory allocation for
configurations to accommodate the PAN-OS 9.0 Dynamic Address Group
feature. |
PAN-136649 | Fixed an issue where PA-7000 20GXM and PA-7000
20GQXM Network Processing Cards (NPCs) failed to process some sessions
for Layer 7 inspection due to internal maximum threshold value that
was not set. |
PAN-136623 | Fixed an issue where a process (useridd)
failed due to internal user groups that were loading from the disk
taking over the lock. |
PAN-136612 | Fixed an issue where fragmented packets
leaked, which caused the depletion of Work Query Entry (WQE) pools. |
PAN-136582 | Fixed an issue where, when the app-version from
the request header was long, the converted XML was truncated, which
caused parsing to fail by a process (rasmgr) due to
a limitation on the buffer length. |
PAN-136470 | Fixed an issue where a process (all_pktproc) restarted
while processing packets with 0.0.0.0 and destination protocol 251
that internally mapped to GTP-C traffic, which caused the dataplane to
restart. |
PAN-136173 | Fixed an issue where dataplane interfaces
remained down after active firewall bootup or a high availability
(HA) failover. |
PAN-136007 | Fixed an issue where generating subordinate
ECDSA Certificate Authority (CA) certificates from the web interface
failed if the Common Name field contained
a space. |
PAN-135946 | Fixed an intermittent issue where Panorama
was unable to query logs from the log collector due to large file
sizes in es_cache_cron.log. |
PAN-135865 | Fixed an issue that prevented Panorama from
being switched out of management-only mode when deployed in Amazon
Web Services (AWS) instance types M5 and C5. |
PAN-135844 | Fixed an issue where a commit job failed
due to a process (mgmtsrvr) exiting. |
PAN-135796 | Fixed an issue where the firewall dropped
DNS requests for root servers when the action of the DNS security
signature was set to alert or sinkhole in an Anti-Spyware Security
profile. |
PAN-135684 | Fixed an issue with log collectors on Panorama
where large index sizes caused higher CPU usage than expected when
disk space usage was high. |
PAN-135547 | Fixed an issue on Panorama where administrators
were unable to delete a shared address object even when it was not
referenced in the configuration. |
PAN-135504 | Fixed an issue where the GlobalProtect client
used IPv6 during gateway login but used IPv4 during IPsec tunnel
creation, which caused it to fallback to SSL. |
PAN-135418 | Fixed an issue on the firewall where configuring
uppercase User Domain values in authentication
profiles led to a failure in GlobalProtect Agent configuration selection
based on the domain user match condition. |
PAN-135356 | Fixed an issue where policies that contained
objects did not display correctly when exported to CSV or PDF format. |
PAN-135321 | Fixed an issue where all NAT rules using
the same FQDN entries as translated IP addresses were not updated
when the IP addresses changed for those FQDNs. |
PAN-135314 | Fixed an issue where, with a new Panorama
appliance running PAN-OS 9.1.0 and a firewall running an earlier
version, the following error message displayed: interface sdwan is not a valid reference. |
PAN-135262 | A fix was made to address a vulnerability
involving information exposure through log files where an administrator's
password or other sensitive information was logged in cleartext
while using the CLI in PAN-OS software. The opcmdhistory.log file
was introduced to track operational command (op-command) usage but
did not mask all sensitive information (CVE-2020-2044). |
PAN-135158 | Fixed an issue where setting an IPv6 destination
filter for the packet-diag option returned an error regarding a
character limit. |
PAN-134979 | Fixed an issue where TMP files were not
deleted, which caused the root partition to run out of disk space
and caused issues with accessing the firewall. |
PAN-134624 | (VM-Series firewalls only) Fixed
an issue where the VLAN interface failed to obtain the MAC address
when the interface was used as a DHCP relay agent. |
PAN-134431 | Fixed an issue with Security Assertion Markup
Language (SAML) authentication where the firewall used old authd_id values,
which resulted in failed authentication. |
PAN-133885 | Fixed an issue where DNS proxy failed due
to incorrect mapping of the DNS transaction ID. |
PAN-133727 | Fixed an issue where Session Initiation
Protocol (SIP) messages were not parsed correctly when the packet
was received in separate segments, which caused the receiver to
receive corrupted messages. |
PAN-133673 | Fixed an issue that caused a procses (ikemgr)
to exit when site-to-site VPNs experienced connectivity interruptions. |
PAN-133495 | Fixed an issue where the Terminal Server
(TS) Agent disconnected on the firewall after a failover or reboot. |
PAN-133285 | Fixed an issue on the firewalls where configuring
a default Online Certificate Status Protocol (OCSP) URL in front
of an intermediate certificate authority (CA) in a certificate profile
did not override the OCSP URL during the validation of client certificates
issued by the intermediate CA. |
PAN-132922 | Fixed an issue where service objects were
unable to be deleted if they were configured to exceed firewall
limits. |
PAN-131973 | Fixed an issue where both firewalls in an
HA active/passive configuration stopped responding at the same time. |
PAN-130562 | Fixed an issue where, in VM-Series firewalls
deployed using init-cfg.txt in the bootstrap process and set in
an HA configuration, the configuration did not display as synchronized
due to the initcfg configuration. |
PAN-130168 | Fixed an issue where a process (pan_comm) stopped
responding due to operation commands run during a commit. |
PAN-128761 | A fix was made to address an OS command
injection vulnerability in the PAN-OS management interface that
allowed authenticated administrators to execute arbitrary OS commands
with root privileges (CVE-2020-2037). |
PAN-128078 | Fixed an issue where a process (mgmtsrvr) stopped
responding and was inaccessible through SSH or HTTPS until the firewall
was power cycled. |
PAN-127434 | Fixed an issue where reports for URLs were
not generating the correct data output. |
PAN-127318 | Fixed an issue where the firewall intermittently
dropped DNS A or AAAA queries received over IPSec tunnels due to
a session installation failure. |
PAN-126938 | Fixed an issue where multiple daemons restarted
due to MP ARP overflow. |
PAN-125730 | Fixed an issue where packets tagged with
IP protocol 252 were incorrectly treated as GPRS tunneling protocol
(GTP) traffic, which caused the packet processor to terminate. |
PAN-125410 | Fixed an issue where a new GPRS tunneling
protocol version 2 control plane (GTPv2-C) session reused GTP-C
tunnel parameters within two seconds after deleting the old GTP-C
session, which caused a session conflict on the firewall. |
PAN-121598 | Fixed an issue where the PAN-OS XML API
packet capture (pcap) export failed with the following error message: Missing value for parameter device_name.
Now, device_name and sessionid are
no longer required parameters. |
PAN-119118 | Fixed an issue where license and content
error files received from the update and license servers were not
saved to disk. |
PAN-118468 | (VM-Series firewalls on VMware ESXi
only) Fixed an issue where the firewall stays in a boot loop
and enters maintenance mode after adding a 60GB disk. |
PAN-116843 | Fixed an issue on Panorama where, when navigating
through Policies, the following error message displayed: show rule hit count op-command failed. |
PAN-115093 | Fixed an issue where the firewall generated
excessive logs for content decoder (CTD) errors. |
PAN-114540 | Fixed an issue where renaming a template
stack did not change the value and reset to the original value after
you commit the change. |
PAN-114427 | Fixed an issue where an empty host name
in the HTTP header caused a web server process (websrvr)
to stop responding when you accessed the captive portal redirect
page. |
PAN-112988 | Fixed an issue where a process (useridd)
leaked memory, which caused the firewall to drop traffic and display
the following error message: Out-of-memory condition detected, kill process. |
PAN-112539 | Fixed an issue where the firewall stopped
forwarding logs to the log collector from the Log Processing Card
(LPC) after a commit push from Panorama due to a race condition. |
PAN-112120 | Fixed an issue where threat Name field of
a threat Custom Report displayed the threat
ID instead of the threat name. |
PAN-111614 | Fixed an issue with summary reports where
displayed dates were incorrect due to the date range calculation
not considering the change in year. |
PAN-102202 | Fixed an issue where the OSPF summary Link
State Advertisement (LSA) for the default 0.0.0.0/0 route were not
advertised by the Area Border Router (ABR). |
PAN-98803 | Fixed an issue where the IP address-to-tag
mappings for Dynamic Address Groups did not display as expected
on Panorama after you configured the Panorama plugin to monitor
virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment
without installing the NSX plugin. |
PAN-98694 | Fixed an issue on a PA-5200 Series firewall
in a high availability (HA) active/passive configuration where the
firewall dropped TCP-FIN packets after a failover. |