PAN-OS 10.0.7 Addressed Issues
PAN-OS® 10.0.7 addressed issues.
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
Fixed an issue where an intermittent error while analyzing signed PE samples on the WildFire appliance might have caused analysis failures.
(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the
Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.
Fixed an issue with SD-WAN path selection logic that caused a dataplane to stop responding.
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.
Fixed an issue in a high availability (HA) configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Fixed an issue in Telemetry settings where the OK button was disabled when Telemetry Region was set to
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
Fixed an issue where the data redistribution agent and the data redistribution client failed to connect because the agent did not send an SSL Server Hello response.
Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly dropped by a Security policy that included a deny rule.
Fixed an intermittent issue where packet pointer corruption occurred, which resulted in a dataplane restart.
Fixed an intermittent issue where traffic falsely matched a converted Suricata rule.
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
Fixed an issue where, when a maximum session count was configured, the SD-WAN plugin caused commit failures on Panorama.
Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.
Fixed an issue on Panorama where, after an upgrade to a PAN-OS 10.0 release version, a configuration pushed to firewalls running PAN-OS 9.1 failed during an autocommit with the following error message: Need to config WMI account and password for querying Microsoft directory servers.
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
Fixed an issue where large External Dynamic Lists (EDLs) caused commit issues due to a hard limit being reached.
Fixed an issue where commits failed and generated pan_comm SIGSEGV CORE files.
(VM-Series firewalls on Microsoft Azure only) Fixed an issue where, when a second disk was added, /opt/panlogs was mounted on an incorrect partition.
Fixed an issue where sessions failed due to resource unavailability.
Fixed an issue in PAN-OS 10.0.x where the Query Traffic log option was missing for Address Groups under Source and Destination in the Security policy tab.
(PA-7000 Series firewalls with NPCs only) Fixed an issue where a path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.
Fixed an issue where log queries that included a username did not return with any output.
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
Fixed an issue where the multi-factor authentication (MFA) Challenge message did not display during login when the GlobalProtect portal was accessed by the web browser.
Fixed an issue where the handover handling between LTE and 3G on S5 and S8 to Gn/Gp was not working properly and led to stateful inspection failures.
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.
Fixed an issue where DHCP leases were not properly synchronized between HA peers after a device or dhcpd process restart. With this fix, the DHCP lease details display correctly on both the active and the passive device.
Fixed an issue on Panorama where a commit failed with the following error message: Local-AS number does not fit in 2-byte AS format, even though the AS format was set to 4 bytes.
(VM-Series firewalls only) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
Fixed an issue where, when using the CLI or API, configurations for policy rule services or applications that either used custom settings and default settings together, or used multiple default settings together, committed successfully instead of failing or displaying a warning.
Note: To use this fix, you must delete previous application or service settings in the configuration.
Fixed a memory issue for Large Scale VPN with multiple dataplane systems.
Fixed an issue where the firewall truncated the application name when doing a NetFlow export to the NetFlow analyzer.
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
Fixed an issue where, after upgrading to a PAN-OS 10.0 release version, a commit failed due to an admin-role-related validation error that displayed the following message: device unexpected here.
Fixed an issue where the login banner was not aligned properly when it contained multiple sequential whitespaces.
Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.
Fixed an issue where predict sessions did not update their associated rules when Security policy rules shifted after a commit.
The following CLI commands were added to enable the customer to set the dataplane utilization limit. The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits:
debug dataplane show ctd wildfire max
debug dataplane set ctd wildfire max <0-5000>
Fixed an issue in Panorama where an administrator with the role of Panorama administrator did not have the option to download or install GlobalProtect clients (Panorama > Device Deployment > GlobalProtect).
Fixed an issue where the metadata from the firewall's authentication profile could not be exported. This issue occurred when the authentication profile and the SAML Identity Provider server profile were created with Location and were pushed from Panorama template stack values. To use this fix, you must upgrade both Panorama and the firewall.
Fixed an issue where the Multiprotocol Label Switching (MPLS) interface wasn't monitored when private traffic wasn't VPN encapsulated.
Fixed an intermittent issue where importing a new firewall's configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the Device Group Name Prefix was used to make the name unique.
Fixed an issue where Panorama repeatedly displayed the following error message: HA Failover: updates not received from all sources: Pending plugins.
Fixed an issue where tunnel traffic was dropped intermittently when a Quality of Service (QoS) profile was assigned but the profile had no limits defined.
Fixed an issue where, after selecting a PAN-OS release to upgrade to in Device Association > To SW Version, the upgrade failed after connecting to Panorama.
Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
Fixed an issue where system logs incorrectly displayed as
Fixed an issue where intermittent virtual extensible LAN (VXLAN) packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
Fixed an issue where a local commit in the Panorama management server caused the status to get out of sync on the managed WildFire appliance.
Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display: Registration failed, registration failed, because there are unreferenced definition names in the MIB file.
Fixed an issue where a Japanese keyword search displayed garbled characters during SAML authentication.
Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
Fixed an issue where you were unable to select the configured QoS profile under the template stack.
(VM-Series firewalls only) Fixed an issue where the Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite the CRL being successfully pulled to verify that the syslog server certificate was still valid.
Fixed an issue where a .txt file was corrupted, which caused the web interface to not display the requested information.
Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
Fixed an issue where an increase was observed on spyware_state, which caused latency.
Fixed a memory leak issue in the management server process.
Fixed an issue where commits to the Prisma Access Remote networks from Panorama failed when the management server on the cloud firewall failed to exit cleanly and reported the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message: es.init-status not ready in logjobq.
(PA-3200 Series firewalls only) Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned the following error message: No Such Instance currently exists at this OID.
Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
Fixed an issue where the policy-based forwarding (PBF) monitor failed on the tunnel interface when QoS was enabled.
(PA-7000 Series firewalls only) Fixed an issue where TFTP traffic with a high packet rate was not offloaded even after hitting an application override policy with a custom application.
Fixed an issue where HIP reports were not visible on the web interface due to a domain override configuration.
(VM-Series firewalls with multiple DHCP interfaces only) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
Fixed an issue where false system alarms for the IP tag log database exceeded the alarm threshold value.
Fixed an issue where the To field of an email was truncated in threat logs when the field of the original email exceeded 512 bytes.
Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
Fixed an intermittent issue where the firewall dropped GTP-U traffic with the message
Fixed an issue where device deployment from Panorama to the firewalls failed with the error message Failed to get DLSRVR client key. This issue occurred only on firewalls where the request system-private-data-reset CLI command had been issued in the past.
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (
(PA-5200 Series firewalls only) Fixed an issue where, after a factory reset, the firewall displayed the following error message: data_plane_X: Exited 1 times, must be manually recovered.
(ZTP firewalls only) Fixed an issue where the firewall failed to connect to Panorama when Zero Touch Provisioning (ZTP) was disabled.
(PA-5200 Series firewalls only) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
Fixed an issue where the firewall did not display unified logs.
Fixed a discrepancy in Panorama between application usage data and the application name in the
Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
Fixed an issue where zone protection and spoofed IP address protection didn't properly drop unroutable packets.
Fixed an issue where individual users were unable to populate the allowed user/user group field when configuring the GlobalProtect Clientless VPN.
Fixed an issue where the default log level for mprelay was set to INFO and caused commits to stop working on VM-Series firewalls in AWS using EBS-backed volumes when route monitoring was configured.
(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the Query Traffic setting was not available for Address Groups.
Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.
Fixed an issue where Panorama failed to push dynamic user groups to the managed firewalls.
Fixed an issue where the inactivity logout timeout was not reflected in the GlobalProtect mapping timeout.
Fixed an issue where the software QoS shaping queue processing was not properly applied on multicast traffic.
Fixed an issue where GlobalProtect logs did not populate on the destination syslog server in Log Event Extended Format (LEEF) and common event format (CEF).
Fixed an issue where the commit event was not recorded in the config logs during a Commit and Push on the Panorama management server.
Fixed an issue in the External Dynamic List (EDL) where printed log messages repeated until the end of the description field.
Fixed an issue where, even when the tunnel interface was set to down, the following alert displayed: Tunnel GRE_Tunnels is going down(critical).
Fixed an issue on the firewall web interface where the Cortex Data Lake Logging Service Status pop-up window did not show correct information.
Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.
Fixed an issue where merged configurations could not be exported from Panorama-managed firewalls using the PAN-OS XML API.
Fixed a rare issue where, when aggregate ethernet (AE) groups were deleted and re-added, the AE interface no longer had an SDB node to send the link location to. As a result, the dataplane was unable to identify a connected route for the interface address.
Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
Fixed an issue on Panorama where a template configuration push was blocked when the managed firewall did not have a plugin referenced in the template configuration.
Fixed an issue where an incorrect Certificate Authority (CA) was used for communicating to the Zero Touch Provisioning (ZTP) service.
Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message:
IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address.
With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
Fixed an intermittent issue where, when the DNS Security cloud was not reachable, DNS responses had bad UDP checksums.