PAN-OS 10.0.7 Addressed Issues
Focus
Focus

PAN-OS 10.0.7 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 10.0.7 Addressed Issues

PAN-OS® 10.0.7 addressed issues.
Issue ID
Description
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
WF500-5559
Fixed an issue where an intermittent error while analyzing signed PE samples on the WildFire appliance might have caused analysis failures.
WF500-5509
(
WF-500 appliance only
) Fixed an issue where cloud inquiries were logged under the
SD-WAN
subtype.
PAN-173080
Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.
PAN-172518
Fixed an issue where a race condition occurred and caused a process (useridd) to restart.
PAN-172125
Fixed an intermittent issue where processing HIP messages in the (useridd) process caused a memory leak.
PAN-171878
Fixed an issue with SD-WAN path selection logic that caused a dataplane to stop responding.
PAN-171442
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.
PAN-171203
Fixed an issue in a high availability (HA) configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
PAN-170989
Fixed an issue memory usage consumption issue on a process (useridd).
PAN-170932
Fixed an issue in Telemetry settings where the
OK
button was disabled when
Telemetry Region
was set to
None
.
PAN-170825
Fixed an issue where, when a partial
Preview Change
job failed, a process (configd) stopped responding.
PAN-170740
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
PAN-170681
Fixed an issue where the data redistribution agent and the data redistribution client failed to connect due to the agent not sending a SSL Server hello response.
PAN-170610
Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly dropped by a Security policy that included a deny rule.
PAN-170314
Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN_DB URL cloud from connecting after first deployment.
PAN-170083
Fixed an intermittent issue where packet pointer corruption occurred, which resulted in a dataplane restart.
PAN-169712
Fixed an intermittent issue where traffic falsely matched a converted Suricata rule.
PAN-169197
Fixed a rare issue where generating a tech support file caused the useridd process to stop responding.
PAN-169161
Fixed an issue where, after a pan_comm process restart, the configuration wasn't synced between the management and the dataplane pod.
PAN-169064
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
PAN-168888
Fixed an issue where, when a maximum session count was configured, the SD-WAN plugin caused commit failures on Panorama.
PAN-168718
Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.
PAN-168574
Fixed an issue on Panorama where, after an upgrade to a PAN-OS 10.0 release version, a configuration pushed to firewalls running on PAN-OS 9.1 failed during an autocommit with the following error message:
Need to config WMI account and password for querying Microsoft directory servers
.
PAN-168418
Fixed an issue where, when an MLAV URL with an exception list was configured and forward proxy was enabled, a process (all_pktproc) repeatedly restarted, which resulted in the firewall rebooting.
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
PAN-167872
Fixed an issue related to a process (all_pktproc) that occurred in long-lived sessions that spanned two content upgrades.
PAN-167637
Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
PAN-167541
Fixed an issue where large External Dynamic Lists (EDLs) caused commit issues due to a hard limit being reached.
PAN-167443
Fixed an issue where commits failed and generated
pan_comm
SIGSEGV CORE files.
PAN-167306
(
VM-Series firewalls on Microsoft Azure only
) Fixed an issue where, when a second disk was added,
/opt/panlogs
was mounted on an incorrect partition.
PAN-167099
Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
PAN-167098
Fixed an issue where a configd process memory corruption occurred when Panorama was exposed to multiple XML API calls on Dynamic Address Groups updates.
PAN-166836
Fixed an issue where session failed due to resource unavailability.
PAN-166572
Fixed an issue where a process (configd) restarted when browsing policies on Panorama.
PAN-166420
In 10.0.x Query Traffic log option is missing for Address groups under source and destination in the security policy tab
PAN-166328
(
PA-7000 Series firewalls with NPCs only
) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.
PAN-166296
Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.
PAN-166021
Fixed an issue where log queries that included a username did not return with any output.
PAN-165661
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
PAN-165399
Fixed an issue where the multi-factor authentication (MFA) Challenge message did not display during login when the GlobalProtect portal was accessed by the web browser.
PAN-165235
Fixed an issue where the handover handling between LTE and 3G on S5 and S8 to Gn/Gp was not working properly and led to stateful inspection failures.
PAN-165025
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
PAN-164646
Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.
PAN-164571
Fixed an issue where DHCP leases were not properly synchronized between HA peers after a device or dhcpd process restart. With this fix, the DHCP lease details display correctly on both the active and the passive device.
PAN-164446
Fixed an issue on Panorama where a commit failed with the following error message:
Local-AS number does not fit in 2-byte AS format
, even though the AS format was set to 4 bytes.
PAN-164431
(
VM-Series firewalls only
) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
PAN-164392
Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process (logrcvr).
PAN-164338
Fixed an issue where, when using the CLI or API, configurations for policy rule services or applications that either used custom settings and default settings together, or used multiple default settings together, successfully commit instead of failing or displaying a warning.
Note
To use this fix, you must delete previous application or service settings in the configuration.
PAN-164056
Fixed a memory issue for Large Scale VPN with multiple dataplane systems.
PAN-163940
Fixed an issue where the firewall truncated the application name when doing a NetFlow export to the NetFlow analyzer.
PAN-163800
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
PAN-163280
Fixed an issue where, after upgrading to a PAN-OS 10.0 release version, a commit failed due to an admin-role-related validation error that displayed the following message:
device unexpected here
.
PAN-163270
Fixed an issue where the login banner was not aligned properly when it contained multiple sequential whitespaces.
PAN-162600
Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.
PAN-161869
Fixed an issue where a core dump occurred on a process (flow_ctrl) after a commit if a policy-based forwarding (PBF) rule referenced an interface that had a DHCP IP address assignment.
PAN-161289
Fixed an issue where predict session didn't update the associated rules when Security policies shifted after a commit.
PAN-161218
The following CLI commands were added to enable the customer to set the dataplane utilization limit. The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits: -
debug dataplane show ctd wildfire max
-
debug dataplane set ctd wildfire max <0-5000>
PAN-161025
Fixed an issue in Panorama where an administrator with the role of Panorama administrator did not have the option to download or install GlobalProtect clients (
Panorama > Device Deployment > GlobalProtect
).
PAN-160997
Fixed an issue where the metadata from the firewall's authentication profile was unable to export. This issue occurred when the authentication profile and the SAML Identity Provider sever profile were created with
VSYS
in the
Location
and were pushed from Panorama template stack values. To utilize this fix, you must upgrade both Panorama and the firewall.
PAN-160843
Fixed an issue where the Multiprotocol Label Switching (MPLS) interface wasn't monitored when private traffic wasn't VPN encapsulated.
PAN-160831
Fixed an intermittent issue where importing a new firewalls configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the
Device Group Name Prefix
was used to make the name unique.
PAN-160818
Fixed an issue where Panorama repeatedly displayed the following error message:
HA Failover: updates not received from all sources: Pending plugins
.
PAN-160540
Fixed an issue where tunnel traffic was dropped intermittently when Quality of Service (QoS) Profile was assigned but the profile had no limits defined.
PAN-160432
Fixed an issue where, after selecting a PAN-OS release to upgrade to in
Device Association > To SW Version
, the upgrade failed after connecting to Panorama.
PAN-160254
Fixed a memory leak issue related to a process (reportd) where memory was not freed after an ElasticSearch request.
PAN-160253
Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
PAN-160247
Fixed an issue where system logs incorrectly displayed as
Critical
.
PAN-160238
Fixed an issue where intermittent virtual extensible LAN (VXLAN) packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
PAN-160150
Fixed an intermittent issue where, when a race condition occurred, a process (rasmgr) stopped responding, which caused GlobalProtect user authentication failure.
PAN-160053
Fixed an issue in Panorama where a process (configd) stopped responding due to a race condition in the mongodb process.
PAN-159973
Fixed an issue where a local commit in the Panorama management server caused the status to get out of sync on the managed WildFire appliance.
PAN-159700
Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display:
Registration failed, registration failed, because there are unreferenced definition names in the MIB file
.
PAN-159592
Fixed an issue where a Japanese keyword search displayed garbled characters during SAML authentication.
PAN-159536
Fixed an issue where, when the CLI command
oscp-exclude-nonce-yes
was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
PAN-159499
Fixed an issue where you were unable to select the configured QoS profile under the template stack.
PAN-159293
(
VM-Series firewalls only
) Fixed an issue where the Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite being able to successfully pull the CRL to verify that the syslog server certificate was still valid.
PAN-159224
Fixed an memory leak issue related to a process (mgmtsrvr), which was caused by a certificate loading operation.
PAN-159214
Fixed an issue where a .txt file was corrupted, which caused the web interface to not display the requested information.
PAN-159122
Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
PAN-158932
Fixed an issue where an increase was observed on
spyware_state
, which caused latency.
PAN-158654
Fixed a memory leak issue in the management server process.
PAN-158649
Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
PAN-158639
Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message:
es.init-status not ready in logjobq
.
PAN-158450
(
PA-3200 Series firewalls only
) Fixed an issue where, for SNMPv2-MIB:sysServices,
snmpwalk
returned the following error message:
No Such Instance currently exists at this OID
.
PAN-158372
Fixed a buffer overflow issue related to the useridd process.
PAN-158337
Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
PAN-158161
Fixed an issue where the policy-based forwarding (PBF) monitor was failing on the tunnel interface when QoS was enabled.
PAN-158119
(
PA-7000 Series firewalls only
) Fixed an issue where TFTP traffic with a high packet rate was not offloaded even after hitting an application override policy with a custom application.
PAN-158020
Fixed an issue where HIP reports were not visible on the web interface due to a domain override configuration.
PAN-157938
(
VM-Series firewalls with multiple DHCP interfaces only
) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
PAN-157908
Fixed an issue where false system alarms for the IP tag log database exceeded the alarm threshold value.
PAN-157903
Fixed an issue where the
To
field of an email was truncated in threat logs when the field of the original email exceeded 512 bytes.
PAN-157835
Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
PAN-157715
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures:
set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
.
PAN-157632
Fixed an intermittent issue where the firewall dropped GTP-U traffic with the message
TEID=0x00000000
.
PAN-157570
Fixed an issue where device deployment from Panorama to the firewalls failed with the error message
Failed to get DLSRVR client key
. This issue occurred only on firewalls where the
request system-private-data-reset
CLI command had been issued in the past.
PAN-157518
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (
Preview Rules
).
PAN-157472
(
PA_5200 Series firewalls only
) Fixed an issue where, after a factory reset, the firewall displayed the following error message:
data_plane_X: Exited 1 times, must be manually recovered.
.
PAN-157213
(
ZTP firewalls only
) Fixed an issue where the firewall failed to connect to Panorama when Zero Touch Provisioning (ZTP) was disabled.
PAN-157074
Fixed an issue where a process (configd) stopped responding, which caused corruption.
PAN-157035
(
PA-5200 Series firewalls only
) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
PAN-157026
Fixed an issue where the firewall did not display unified logs.
PAN-156552
Fixed a discrepancy in Panorama between application usage data and the application name in the
ACC
tab.
PAN-156393
Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
PAN-156388
Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.
PAN-155903
Fixed an issue where zone protection and spoofed IP address protection didn't properly drop unroutable packets.
PAN-155659
Fixed an issue where individual users were unable to populate the
allowed user/user group
field when configuring the GlobalProtect Clientless VPN.
PAN-155657
Fixed an issue where the default log level for
mprelay
was set to INFO and caused commits to stop working on VM-Series firewalls in AWS using EBS backed volumes when route monitor was configured.
PAN-154905
(
Panorama appliances on PAN-OS 10.0 releases only
) Fixed an issue with Security policy rule configuration where, in the
Source
and
Destination
tabs, the
Query Traffic
setting was not available for Address Groups.
PAN-154526
Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting out-of-memory (OOM) condition, multiple processes stopped responding.
PAN-154441
Fixed an issue where the Radius EAP authentication stopped working and the authd process restarted.
PAN-154433
Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.
PAN-154362
Fixed an issue where Panorama failed to push dynamic user groups to the managed firewalls.
PAN-154334
Fixed an issue where the inactivity logout timeout did not reflect on the GlobalProtect mapping timeout.
PAN-153288
Fixed an issue where the software QoS shaping queue processing was not properly applied on multicast traffic.
PAN-151751
Fixed an issue where GlobalProtect logs did not populate on the destination syslog server in Log Event Extended Format (LEEF) and common event format (CEF).
PAN-151273
Fixed an issue where the commit event was not recorded in the config logs during a
Commit and Push
on the Panorama management server.
PAN-150530
Fixed an issue in the External Dynamic List (EDL) where printed log messages repeated until the end of the description field.
PAN-150388
Fixed an issue where a process (mgmtsrvr) stopped responding when viewing logs in the web interface.
PAN-150080
Fixed an issue where, even when tunnel interface was set to
down
, the following alert displayed:
Tunnel GRE_Tunnels is going down(critical)
.
PAN-147736
Fixed an issue on the firewall web interface where the Cortex Data Lake
Logging Service Status
pop-up window did not show correct information.
PAN-146250
Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.
PAN-144305
Fixed an issue where merged configurations were unable to be exported from Panorama-managed firewalls using the PAN-OS XML API.
PAN-144057
Fixed a rare issue where, when aggregate ethernet (AE) groups were deleted and re-added, the AE interface no longer had an SDB node to send link the location to. As a result, the dataplane was unable to identify a connected route for the interface address.
PAN-141494
Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
PAN-138134
Fixed an issue on Panorama where a template configuration push was blocked when the managed firewall did not have a plugin referenced in the template configuration.
PAN-138066
Fixed an issue where an incorrect Certificate Authority (CA) was used for communicating to the Zero Touch Provisioning (ZTP) service.
PAN-116515
Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message:
IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address
.
With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
PAN-113093
Fixed an intermittent issue where, when the DNS Security cloud was not reachable, DNS responses had bad UDP checksums.

Recommended For You