PAN-OS 10.0.1 Addressed Issues
Focus
Focus

PAN-OS 10.0.1 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 10.0.1 Addressed Issues

PAN-OS® 10.0.1 addressed issues.
Issue ID
Description
PAN-154114
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).
PAN-153727
Fixed an intermittent issue where, when using the Chrome browser on an Apple MAC laptop, firewalls managed by a Panorama appliance running PAN-OS 10.0.1 did not display when editing selections (
Commit
Commit and Push or Commit
Push to Devices
Edit Selections
) before pushing a configuration change to the managed firewalls.
PAN-153425
Fixed a memory corruption issue that caused two forwarding daemons (flow_mgmt and flow_ctrl_pktlog) to restart.
PAN-152906
Fixed an issue where pushing changes from Panorama to the firewalls did not work, and the commit all operation failed with the following validation error:
azure-ha-config is missing 'client-id'
.
PAN-152762
Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls.
PAN-152282
Fixed an issue where platforms using AHO for content and application inspection run into dataplane process (all_pktproc) restarts.
PAN-152263
Fixed an issue where the Azure auto-scaling templates in the GitHub repository (https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0) required a Panorama virtual appliance with the Panorama plugin for Azure v2.0.0.
PAN-152167
Fixed an issue where the SYSD variable
cfg.lcass-license
was set to
True
on Panorama.
PAN-152160
Fixed an issue where commits failed due to a User-ID log collector secret setting.
PAN-152017
Fixed an issue where a VM-Series firewall on Amazon Web Services (AWS) failed on first reboot after enabling FIPS mode.
PAN-151909
Modified the diff algorithm for when a configuration audit was performed because certain objects incorrectly displayed as either
New
or
Modified/Unchanged
due to the XML format being added.
PAN-151880
(
PA-7080 firewalls only
) After upgrading to PAN-OS 10.0.0, commits failed and displayed the following error message:
max-session should be equal to or between 1 and 320000040
.
PAN-151642
Fixed an issue for AWS Panorama M4/C4 instances where logging disks in Panorama mode go into an unavailable/admin disabled state after upgrade to PAN-OS 10.0.0.
PAN-151590
Fixed an issue where including TLSv1.3 in the SSL Forward Proxy decryption profile caused entries to not populate in the
ssl-decrypt exclude-cache
.
PAN-151231
Fixed an issue on Panorama where you were unable to commit configuration changes after successfully downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 or earlier release version.
PAN-151197
Fixed an issue where a process (authd) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server.
PAN-151149
Fixed an issue where certificates, custom logos, and Security Assertion Markup Language (SAML) metadata were unable to be uploaded from the web interface using a Chromium-based browser running version 84 or later.
PAN-151115
Fixed an issue where, if a Security rule used an IP Address External Dynamic List (EDL) for IPv6 traffic, the information for the EDL did not display under
Source EDL
or
Destination EDL
in the logs.
PAN-151049
Fixed an issue where multi-plugin support for Panorama was not enabled by default.
PAN-150998
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
PAN-150898
Fixed an issue where, if the HA1 interface was not configured, downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 release version caused a commit error.
PAN-150872
(
PA-220 and PA-800 Series firewalls only
) Fixed an issue where samples processed using WildFire Inline ML didn't support automatic false positive correction.
PAN-150714
Fixed an issue where the Panorama management server continues to forward syslogs to a syslog server over the management interface when configured to forward syslogs over the Ethernet1/1 interface (
Panorama
Setup
Interfaces
).
PAN-150629
Fixed an issue where the firewall web interface did not load Vulnerability Protection profiles with high numbers of exceptions.
PAN-150585
Fixed an issue in Panorama where Variable CSV file imports of template stack variables failed with the following error message:
Template Stack Variable Configuration Import - Invalid CSV file
.
PAN-150556
Fixed an issue with unified logs where effective query filters were not properly applied.
PAN-150449
Fixed an issue where using a filter with an address range of 0.0.0.0 to 255.255.255.255 in the Application Command Center (ACC) caused the CPU utilization to be unusually high.
PAN-150409 and PAN-145797
A fix was made to address a buffer overflow vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code with root privileges (CVE-2020-2042).
PAN-150333
Fixed an issue with a race condition that caused the firewall to start forwarding logs to a Panorama appliance in Management Only mode. The issue occurred when the lcs-pref.xml file was first deployed to the firewall.
Workaround:
Restart the management server on the firewall to reconnect it with the log collectors.
PAN-150243
Fixed an issue where after a successful commit, the candidate configuration was not updated to running configuration when initiated by an API-privileges-only custom role based administrator.
PAN-150170, PAN-150013, and PAN-149822
A fix was made to address an OS command injection and memory corruption vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code and OS commands with root privileges (CVE-2020-2000).
PAN-150097
Fixed an issue where hourly URL summary log generation failed.
PAN-150069
Fixed an issue where the description for
proxy_ssl_invalid_cert
contained the word unvalid instead of invalid.
PAN-149839
(
PA-7000 Series firewalls only
) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use
debug software resource-control enable
and to disable them, use
debug software resource-control disable
. To set the memory limit, use
debug management-server limit-memory enable
, and to remove the limit, use
debug management-server limit-memory disable
. For the memory limit change to take effect, the firewall must be rebooted.
PAN-149813
Fixed an issue where the reply to an XML API call from Panorama was in a different format after upgrading to PAN-OS 8.1.14-h1 and later releases, which caused automated systems to fail the API call.
PAN-149770
Fixed an issue with debug file handling that led to a process (mgmtsrvr) restart.
PAN-149501
A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
PAN-149426
Fixed an issue where non-superuser administrators with all rights enabled were unable to
Review Policies
or
Review Apps
for downloaded or installed content versions.
PAN-149377
A fix was made to address a vulnerability regarding information exposure through log files in PAN-OS that made it possible for configuration secrets for HTTP, email, and SNMP trap v3 log forwarding server profiles to be logged to the logrcvr.log system log (CVE-2021-3032).
PAN-149339
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
PAN-149325
Fixed an issue on Panorama where the web interface took more time than expected to load changes when the virtual router was large or when there was a large configuration change request from the web interface.
PAN-149296
Fixed an issue on Panorama where system and configuration logs of dedicated Log Collectors did not show up on Panorama appliances in Management Only mode.
PAN-149283
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
PAN-149217
Fixed an issue where overridden TCP timeout values for service-based sessions did not take effect, and sessions timed out according to default application values.
PAN-149199
Fixed an issue where the
Authentication Settings
for the template stack on the firewall incorrectly displayed as overridden.
PAN-149054
Fixed an issue in Panorama where a commit-all to managed firewalls failed after renaming a device group.
PAN-149008
Fixed an issue where the CLI command
Show config running
following the CLI command
set cli op-command-xml-output on
produces an unreadable output.
PAN-149005
Fixed an issue where XML API failed to fetch logs larger than 10MB.
PAN-148806
A fix was made to address an uncontrolled resource consumption vulnerability in PAN-OS that allowed for a remote unauthenticated user to upload temporary files through the management web interface that were not properly deleted after the request was finished. An attacker could disrupt the availability of the management web interface by repeatedly uploading files until available disk space was exhausted (CVE-2020-2039).
PAN-148767
Fixed an issue where the firewall incorrectly created GPRS tunneling protocol (GTP-U) sessions from Create Session Request and Create Session Response packets.
PAN-148522
Fixed an issue for PAN-DB where certain situations caused performance issues.
PAN-148441
Fixed an issue where required processes were not automatically restarted on the Log Processing Card (LPC) or the Log Forwarding Card (LFC).
PAN-148359
Fixed an issue where SD-WAN server-to-client symmetric return did not function correctly in certain circumstances. This issue intermittently affected path selection of parent/child applications, such as FTP.
PAN-148087
Fixed an issue where the object identifier (OID) being polled for the component
hrStorageUsed
was not unique after a PAN-OS upgrade.
PAN-147796
Fixed an issue on the firewalls with an IPsec/Encapuslating Security Payload (ESP) traffic with GlobalProtect gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding, and all_task) restarted, which caused the device to reboot.
PAN-147741
Fixed an issue where an API call for correlated events did not return any events.
PAN-147684
Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting.
PAN-147595
Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.
PAN-147298
(
PA-7050 and PA-7080 firewalls with 100G NPC only
) Fixed an issue where jumbo frames brought down the Network Processing Card (NPC) when traffic traversed the firewall at a high rate.
PAN-146878
Fixed an issue where TCP traffic dropped due to TCP sequence checking in a high availability (HA) active/active configuration where traffic was asymmetric.
PAN-146841
Fixed an issue in Panorama where a commit-all to the managed firewalls failed with the following error message:
invalid object reference
when address objects were uploaded using an external script.
PAN-146787
Fixed an issue where traffic incorrectly matched URL based authentication policies.
PAN-146650
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
PAN-146623
Fixed an issue where a GlobalProtect client in a system with umlaut diacritics serial number is unable to log in to the GlobalProtect gateway.
PAN-146284
Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message:
Error: Threat database handler failed
.
PAN-144613
Fixed an issue where, when previewing device group configurations from Panorama, the following error message was returned:
Parameter device group missing
.
PAN-143809
Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.
PAN-142599
Fixed an issue where DNS proxy was unable to handle a UDP DNS reply length greater than 512 bytes.
PAN-142428
Fixed an issue where, when using AutoFocus remote search to find artifacts from the firewall, the redirect URL did not populate correctly and PAN-OS lost the query parameter sent. For every search request, a new session was created, and authentication was required.
PAN-142363
Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages:
tcam full
and
pan_plfm_fe_cp_arp_delete
.
PAN-141980
Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error:
Link speed mismatch
.
PAN-141895
Fixed an issue that prevented GTP tunnel session timeout values from being configured via the web interface.
PAN-140984
Fixed an issue where a process (mgmtsrvr) stopped responding after a commit.
PAN-140084
(
PA-3200 Series firewalls only
) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set as 2.
PAN-138584
Fixed an issue that prevented the addition of a secondary logging disk for a VM-Series firewall deployed on AWS using Nitro server instance types.
PAN-136988
Fixed an issue with a address object limitation where platform limits were not enforced if all the addresses pushed to the firewall were from Panorama and there were no shared or local address objects.
PAN-134251
(
PA-7000 Series firewalls only
) Fixed an issue where unplugging cables from Quad Small Form-factor Pluggable (QSFP) interfaces on 100G NPC causes path monitoring failures.
PAN-134029
Fixed an intermittent issue on the firewall where H.225 VOIP signaling packets dropped.
PAN-129376
(
PA-800 Series firewalls only
) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
PAN-126353
Fixed an issue where the XML API used to retrieve hardware status periodically failed with a 200 OK message and no data.
PAN-115541
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
PAN-101484
A fix was made to address an OS command injection vulnerability in the PAN-OS management interface that allowed authenticated administrators to execute arbitrary OS commands with root privileges (CVE-2020-2038).

Recommended For You