PAN-OS 10.0.2 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 10.0.2 Addressed Issues
PAN-OS® 10.0.2 addressed issues.
Issue ID | Description |
---|---|
PAN-156026 | Fixed an issue where using the lscan/hyperscan
feature with custom signatures caused a shared resource pool to
be depleted, which resulted in a dataplane restart. |
PAN-156023 | Fixed an issue where a file system integrity
check failed in FIPS-CC mode, which caused the appliance to enter
maintenance mode. |
PAN-155517 | Fixed an issue where a sudden increase in
URL-cloud data challenged the cache capacity of the device. |
PAN-155459 | Fixed an issue where an interface placed
in a pre-defined zone was removed by the SD-WAN plugin after a commit
to the firewall. |
PAN-155373 | Fixed a discrepancy between flag values
on Panorama and the firewall for the same traffic log entry. |
PAN-154930 | Fixed an issue on Panorama where the ACC tab
was blank. |
PAN-154902 | Fixed an issue where the IP address-to-tag
mappings for dynamic address groups and FQDN objects were not retained
if there was a content update for IoT. |
PAN-154591 | Fixed an issue where NULL users in panGlobalProtectGetConfig were
not checked for before calling strcmp(). |
PAN-154274 | Fixed an intermittent issue on Panorama
where context switching to and from the managed firewall web interface
caused the Panorama administrator to be logged out. |
PAN-154092 | An enhancement was made to provide an option
to increase Data Plane Development Kit (DPDK) ring size and DPDK
queue number for VM-Series firewalls deployed on ESXi. |
PAN-154016 | Fixed an issue where auto-commits failed
for VM-Series firewalls bootstrapped with new content installation
during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>. |
PAN-153998 | Fixed an issue where port flaps and a delay
in interface state changes occurred with commits. |
PAN-153983 | Fixed an issue where the IPSec encapsulation
sequence was not properly synced to the dataplanes on a high availability
(HA) active/passive cluster. |
PAN-153952 | Fixed an issue where the firewall treated
external dynamic list entries with nested carets as invalid. |
PAN-153874 | Fixed a capacity issue caused by high operational
activity and large configurations on Panorama. This fix increased
the virtual memory limit on the configd process to
32GB. |
PAN-153814 | Fixed an issue where the firewall displayed
the URL Filtering Safe Search Block Page on the specific site only,
even when the traffic was matched to a specific rule that did not
have any URL filtering policies. |
PAN-153813 | Fixed an issue where the proxy configuration
did not get honored, which caused certificate revocation list (CRL)
checks from the firewall to fail. |
PAN-153791 | Fixed an issue in DPDK code that cause a
system restart on a process (brdagent). |
PAN-153673 | Fixed an issue where traffic logs were not
shown due to a thread timeout that was causing the reading of the
logs from the dataplane to slow. |
PAN-153631 | Fixed an issue where the firewalls did not
generate traffic logs for implicitly allowed applications. |
PAN-153516 | Fixed an issue where PAN-OS software images
that were manually uploaded to Panorama failed to be deployed on
managed firewalls using the Panorama device deployment feature. |
PAN-153382 | Fixed an issue where the per-minute resource
monitor was three minutes behind. |
PAN-153328 | Fixed a commit failure issue that occurred
when IPv6 IP-pool range was configured on the gateway but IPv6 was
not enabled on the interface. |
PAN-153294 | Fixed an issue on the firewall where a GlobalProtect
username authenticated via Kerberos was unnecessarily normalized
to SAMAccountName format. |
PAN-153286 | Fixed an issue on Panorama deployed on Amazon
Web Services (AWS) where the Log Collector disk was on Admin disabled
state when changing the instance type from m4 to m5. |
PAN-153231 | (PA-7080 Series firewalls only)
Fixed an issue where firewalls deployed with PA-7000 100G Network
Processing Cards (NPCs) and legacy cards using the older system
management controller with over 2500 IPSec tunnels commit successfully,
but the NPCs fail and display as down. |
PAN-153210 | Fixed an issue where the MLAV cloud server
rejected the connection from the firewall when the Threat Prevention
license was not installed on the firewall. |
PAN-153207 | Fixed an issue for VM-Series firewalls deployed
on Azure where a process (pan_comm) restarted if DPDK
was on. |
PAN-153174 | Fixed an issue where using XML API to download
packet captures (pcap) did not work if the pcap file was larger
than 8MB. |
PAN-153113 | Fixed an issue where the GlobalProtect gateway
failed with the following error message: gateway does not exist. |
PAN-153111 | Fixed an issue where packet buffer unavailability
caused host-bound sessions to remain in an opening state in the dataplane. |
PAN-153019 | Fixed an issue where the following error
message appeared: Error: pan_tdb_load_sml_dfa_serialize(pan_tdb_ser.c:2424): pan_util_file_to_buf /opt/pancfg/mgmt/content//cache/common//sml_dfa.cache.ser error,
even though the cache file got regenerated if it was missing. |
PAN-152974 | Fixed an issue where manually inputting
lowercase protocol values to Test Security Policy Match resulted
in a blank error window displaying on the web interface. With this
fix, values cannot be manually input. |
PAN-152912 | Fixed an issue where a content update caused
the Panorama XML cache build to fail. This resulted references of
the used objects on Panorama being removed, which caused commits
on the managed firewalls to fail. |
PAN-152746 | Fixed an issue where the firewall dropped
GPRS tunneling protocol (GTPv2-x) Create Session Response packets
with the following error message: bad port 84b. |
PAN-152706 | Fixed an intermittent issue where Panorama
did not retrieve firewall logs from Cortex Data Lake. |
PAN-152699 | Fixed an issue where the firewall added
a redundant 0\r\n packet while processing Clientless
VPN traffic. |
PAN-152648 | Fixed an issue where multiple all_pktproc processes
stopped responding, which caused the dataplane to restart. |
PAN-152592 | Fixed an issue where the following error
message: globalprotectgateway-invalid-license daily
even when the firewall did not use GlobalProtect features that required
a license. |
PAN-152559 | (Japanese language only) Fixed
an issue where the NAT From Address attribute
in the Add Log Filter (Monitor > Logs - Traffic) popup
window was mistranslated. |
PAN-152440 | Fixed an issue where the syntax on GlobalProtect
DNS suffixes was not validated. |
PAN-152408 | Fixed an issue where the firewall restarted
if X-Forwarded-For (XFF) parsing was enabled either for Security
policy lookup or User-ID. |
PAN-152285 | Fixed an issue where certain GTP-U sessions
that could not complete installation still occupied the flow table,
which led to higher-than-expected session table usage. |
PAN-152106 | Fixed an issue where a process (genindex.sh) caused
the management plane CPU usage to remain high for a longer period
of time than expected. |
PAN-152103 | Fixed a memory leak issue where a process (dnsproxy)
did not properly release memory after usage. |
PAN-152098 | Fixed an issue where the Policy Optimizer
for some device groups showed incorrect data with a - character
in the rule usage column. |
PAN-152027 | Fixed an issue with URL Filtering where
websites that were previously in the malicious category but have
since been cleared remained in the malicious category in the dataplane
cache. These websites were moved to the benign category only after
you manually cleared the cache. |
PAN-152026 | Fixed an issue where the session browser
did not display results when filtered for IPv6 addresses with more
than 31 characters. |
PAN-152008 | Fixed an intermittent issue in firewalls
where configuring group-mapping without an include list resulted
in zero or a partial number of Domain Users group members. |
PAN-151888 | Fixed an issue where remote users were able
to save log filters, which created a local user with the same username.
With this fix, remote users cannot save a log filter. |
PAN-151806 | Fixed an issue where the Panorama web interface
showed the SD-WAN license status as red despite having the correct
batch license information for the managed firewalls. |
PAN-151692 | Fixed a permission issue where a Panorama
administrator was unable to download or install dynamic updates
(Panorama > Device Deployment). |
PAN-151691 | Fixed an issue where the number of items
under Add match criteria for Dynamic Address
Groups did not update after setting a search filter string. |
PAN-151679 | Fixed an issue where it was possible via
the CLI to create a Security policy rule with the any and application-default options
simultaneously configured. |
PAN-151503 | Fixed an intermittent issue where memory
was not fully freed after a Panorama commitAll completion on the
firewall. |
PAN-151489 | Fixed an issue where configuration changes
for collector group device log forwarding were not logged in Panorama
configuration logs. |
PAN-151483 | Fixed an issue where, when an out-of-order
stream of TCP packets was subjected to HTTP header insertion, the
packets were duplicated. |
PAN-151469 | Fixed an issue where packets were dropped
unexpectedly due to errors parsing the IP version field. |
PAN-151430 | Fixed an issue where logs sent from the
firewall to Panorama were delayed, and the current log summary database
was inaccurate because the delayed logs were included. |
PAN-151264 | Fixed an issue where using the ampersand
(&) character in URLs submitted via XML API caused an error. |
PAN-151210 | Fixed an issue where the dynamic address
group learned in the parent dynamic group was not pushed to the
child dynamic address group if the child dynamic address group was
not configured with notify groups under
the respective plugin. When using the CLI command debug dau settings device-group recursive yes/no,
clear previous dynamic address group entries from the Panorama database using
the CLI command debug dau clear database device-group <dynamic address group name> for
all dynamic address groups under the hierarchy for the dynamic address group
configured in the monitoring definition. Also, do a full sync from the
plugins configured using the command request plugins <plugin-name> sync. |
PAN-151203 | Fixed an issue where the firewall dropped
certain GTPv1 Update PDP Context packets. |
PAN-151198 | Fixed an issue where Panorama admin users
with read-only privileges were able to manage backups and load configurations
on the firewall. |
PAN-151164 | Fixed an issue where logs weren't able to
be migrated from PA-5200 Series firewalls manually via the CLI. |
PAN-151120 | Fixed an issue where the SYN-ACK packet
matched stale entries in the session flow table and was dropped
on the firewall with the following error message: Inactive flow state 0. |
PAN-151061 | Fixed an issue where certificate domains
were not used for GlobalProtect portal getconfig actions,
which resulted in a process (useridd) returning the
wrong user group. This caused the wrong client configuration to
be matched. |
PAN-151057 | Fixed an issue where upgrading the capacity
license on a VM-Series HA pair resulted in both firewalls going
into a non-functional state instead of only the higher capacity
license firewall. |
PAN-150750 | (PA-5200 Series and PA-7000 Series firewalls
only) Fixed an intermittent issue where the firewall dropped
packets when two or more GTP packets on the same GTP tunnel were
very close to each other. |
PAN-150748 | Fixed an issue where the firewall silently
dropped GTPv2-C Delete Session Response packets. |
PAN-150746 | Fixed an issue where the firewall dropped
GTP packets with Delete Bearer messages for EBI 6 if they were received
within two seconds of receiving the Delete Bearer messages for EBI
5. |
PAN-150729 | Fixed an issue where a process (useridd) stopped
responding when a User-ID agent was configured using the HA peer's
management IP address. |
PAN-150613 | Fixed an issue that caused a process (mprelay) to
stop responding when committing changes in the Netflow Server Profile
configuration (Device > Server Profiles > Netflow). |
PAN-150534 | Fixed an issue where authentication logs
with the subtype SAML were not forwarded to the syslog server. |
PAN-150467 | Fixed a memory leak issue with a unified
query that caused a process (mprelay) to restart due
to an out-of-memory (OOM) condition. |
PAN-150445 | Fixed an issue where the firewall did not
translate IP addresses in Layer 7 payloads as per NAT translation
for Oracle Application Server traffic. |
PAN-150337 | A fix was made to address a reflect cross-site
scripting (XSS) vulnerability in the PAN-OS web interface that enabled
an authenticated network-based attacker to mislead another authenticated
PAN-OS administrator to click on a specially crafted link that performed
arbitrary actions in the web interface as the targeted authenticated
administrator (CVE-2021-3052). |
PAN-150305 | Fixed an issue where the output for show user ip-user-mapping-mp all,
when called via XML API, was written to a file instead of returned
via the API. |
PAN-150247 | Fixed an issue on the firewall where GlobalProtect
Clientless VPN portal landing page customization for the navbar_bg_color variable
did not take effect. |
PAN-150110 | Fixed an issue where Elasticsearch restarted
unexpectedly when it ran out of memory. This was due to the vm.max-map-count value
being set incorrectly in the newer version of Elasticsearch (starting
from PAN-OS 9.0). With this fix, the value is set correctly. |
PAN-150018 | Fixed an issue warnings did not generate
for shadowed IP range addresses with /32 mask based IP addresses. |
PAN-150008 | Fixed an issue on the firewall where configuring
auto-tagging based on URL filtering logs resulted in tags being
added to source IP addresses and not matching the log forwarding
filter match criteria. |
PAN-149912 | Fixed an issue where FIB entries were unexpectedly
removed due to miscommunication between internal processes. |
PAN-149696 | Fixed an intermittent issue where the GlobalProtect
portal stopped responding with a 502 Bad Gateway response page when
trying to access the portal URL using a web browser. |
PAN-149645 | Fixed an issue in a virtual wire deployment
configured with Link State Pass Through enabled
where, when one member port went down, the peer port took longer
than expected to change the status to Down. |
PAN-149641 | Fixed an issue where firewalls stopped refreshing
IP tag information when configured with the VM Information Sources feature
with a VMWare vCenter Server. |
PAN-149480 | Fixed an issue where a custom report query
from Panorama, which includes new fields not supported in prior
releases, triggered a restart of a process (reportd)
when Panorama was connected to log collectors running an earlier
PAN-OS release. |
PAN-149381 | Fixed an issue where HSCI-A and HSCI-B displayed AdminStatus as
down regardless of whether OperStatus was Up or Down. |
PAN-149314 | Fixed an issue where lookup of a security
rule with a custom URL category on a multi-virtual system (vsys)
failed when vsys<id>+ was not in
the beginning the category name. |
PAN-149297 | Fixed a buffer overflow issue on the management
server, which forced the administrator to log out on the web interface. |
PAN-149295 | Fixed an issue where the Safe Search Block
Page was visible for a few seconds when browsing HTTP2 websites,
which resulted in latency when browsing. |
PAN-149248 | Fixed an issue that prevented Panorama from
pushing dynamic content to VM-Series firewalls configured with a
pay-as-you-go (PAYG) license. |
PAN-149209 | Fixed an issue where a process (useridd) restarted
after calling gethostbyname(), which
returned NULL pointer. The returned value was not checked, and an
attempt to dereference NULL pointer caused segmentation failure. |
PAN-149207 | Fixed an issue where the clear log acc CLI
command did not remove URL summary logs. |
PAN-149006 | Fixed an issue on VM-Series firewalls deployed
on Google Cloud Platform (GCP) where traffic was backhauled after
a reboot when the policy-based forwarding (PBF) enforced symmetric
return with a next hop feature was enabled and interface IP addresses
were learned via DHCP. |
PAN-149001 | Fixed an issue where, when using certificate
profiles configured under specific vsys, the GlobalProtect Machine Certification
Check and HIP Object fail during
a client certificate check. |
PAN-148767 | Fixed an issue where the firewall incorrectly
created GTP-U sessions from Create Session Request and Create Session
Response packets. |
PAN-148564 | Fixed an issue where Panorama stopped showing
new logs when url_category_list was
in the URL payload format of the HTTP(S) server profile used to
forward URL logs from the Panorama Log Collector. |
PAN-147959 | Fixed an issue where the last commit state
did not change to config sent to device when
pushing a device group configuration in the Managed Device
> Summary page on Panorama. |
PAN-147847 | Fixed an issue where traffic didn't hit
the intended Security policy if SSL forward proxy was enabled and
service was set to application-default. |
PAN-147529 | Fixed an issue where ValidateAll jobs were
incorrectly logged as CommitAll in the configuration
log of the firewall. |
PAN-147305 | Fixed an issue where a process (useridd) stopped
responding to requests. |
PAN-147193 | Fixed an issue with the Panorama web interface
where, when all device groups and templates were selected, a load
configuration operation failed. This was caused by the XML cache
rebuilding for each device group and template iteration. |
PAN-147036 | Fixed an issue where TCP connections got
stuck between the firewall and the Log Collector if some packets
were dropped on the path between the two appliances. |
PAN-146215 | (FPP offload based hardware model only)
Fixed an issue where, when UDP traffic that was received on a tunnel
had back-to-back client-to-server packets, random packets dropped. |
PAN-146178 | Fixed an issue where some Panorama management
connections did not adhere to the SSL/TLS Service Profile specified
in Secure Communication Settings. |
PAN-146115 | Fixed an issue where GlobalProtect™ IPSec
connections flapped when the peer address to the gateway changed
due to NAT. |
PAN-146030 | Fixed an issue where enhanced application
logging was not supported for devices connected to Cortex Data Lake
through a proxy server. |
PAN-146006 | Fixed an issue where enabling or disabling
redundancy did not take effect. To utilize this fix,
manually run es_restart.py -t from
root login. |
PAN-145996 | An update was made to change the following
system log message: DO NOT CHOOSE WMI in Active-Directory FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN <number> SECONDS to Please change server monitor(log server) Transport Protocol from WMI to WinRM for better performance.
This update also reduces the severity from High to Informational. |
PAN-145475 | Fixed an issue where the firewall sent Bidirectional
Forwarding Detection (BFD) packets with the final bit always set
to on. With this fix, the final bit
is cleared after the first response. |
PAN-143332 | (PA-800 Series firewalls only)
Fixed an issue where the deployment of the Master Key through the
web interface failed. |
PAN-142867 | Fixed an issue where service session timeout
override was not used for custom applications and the default value
was chosen instead. |
PAN-141495 | Fixed an issue where the following settings
were not pushed from Panorama to the firewall: Minimum
Length, Failed Attempts, and Lockout Time (Template
> Device > Setup > Management). |
PAN-140492 | Fixed an issue on the firewall where, with
SSL forward proxy feature enabled, random file downloads over a
decrypted session would stall or hang in the middle. |
PAN-136652 | (PA-3200 Series firewalls only)
Fixed an issue where you were unable to disable auto negotiation
on small form-factor pluggable (SFP) ports. |
PAN-130955 | Fixed an issue where templates on the secondary
Panorama appliance were out of sync with the primary Panorama appliance
due to an empty content-preview node. |
PAN-123805 | Fixed an issue on the firewall web interface
where the Secure Communication Settings configuration
didn't display a green cog widget to indicate that the configuration
was pushed from Panorama. |
PAN-118887 | Fixed an issue where the PAN-OS 10.0 pattern-matching
engine didn't support the regular expression (regex) element \C. |