PAN-OS 10.0.8 Addressed Issues

PAN-OS® 10.0.8 addressed issues.
Issue ID
Description
WF500-5561
Fixed an issue where high disk use occurred due to an inadequate rotation of log files in php_error.log, sdownload_error.log, sdownload_access.log and nginx_error.log.
PAN-178672
Fixed an issue where a process (useridd) stopped responding due to buffer overflow.
PAN-178047
(CN-Series firewalls only) Fixed an issue where propagating IP address tag mappings to the firewall took longer than expected, which resulted in traffic not matching Security policy rules with Dynamic Address Groups.
PAN-177941
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
PAN-177409
Fixed an issue where, when the quarantine feature was enabled, every hostid lookup created a new entry in the cache memory instead of having a single cache entry for each IP address, which led to memory exhaustion.
PAN-176661
Fixed an issue in Simple Certificate Enrollment Protocol (SCEP) (CVE-2021-3060).
PAN-176655 and PAN-158334
A fix was made to address an OS command injection vulnerability in the PAN-OS CLI that enabled an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges (CVE-2021-3061).
PAN-176653
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator with permissions to use XML API to execute arbitrary OS commands to escalate privileges (CVE-2021-3058).
PAN-176618
A fix was made to address an OS command injection vulnerability in PAN-OS that existed when performing dynamic updates (CVE-2021-3059).
PAN-176433
Fixed an issue where the Zero Touch Provisioning (ZTP) plugin on Panorama was unable to sync with the ZTP service and displayed the following error message: "Failed to fetch sync status".
PAN-176283
(PA-7000 Series firewalls with Data Processing Cards (DPCs) only) Fixed an issue where packet loss occurred when quality of service was enabled on an aggregate interface.
PAN-176277
Fixed a timing issue that impacted tunnel renegotiation and monitoring.
PAN-176118
Fixed an issue where firewalls configured with a mixed mode of interfaces stopped processing Layer-3-tagged traffic.
PAN-175509
Fixed an issue where a deadlock on CONFIG_LOCK caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.
PAN-175403
(VM-Series firewalls only) Fixed an issue where the firewall did not display any logs except for system logs.
PAN-175233
Fixed an issue where commits failed when an AES-GCM crypto profile was used for IKEv1 mode.
PAN-175169
Fixed an issue on Panorama where, in URL Filtering (Device > Setup > Content-ID), Hold client request for category lookup configuration changes were not pushed to managed firewalls running PAN-OS 9.1 release versions.
PAN-175121
Fixed a rare issue where two nodes started IKE_SA negotiations at the same time, which resulted in duplicate IKE SAs.
PAN-174448
Fixed an issue where ZTP configurations weren’t removed after disabling them, which resulted in predefined configurations being loaded after a reboot.
PAN-174326
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
PAN-173903
Fixed an issue where clicking a hyperlink on a web page caused the web browser to download a file instead.
PAN-173893
Fixed a memory leak issue related to the useridd process that occurred when group mapping was enabled.
PAN-173828
(PA-7000 Series firewalls with 20GQ Network Processing Cards (NPCs) only) Fixed an issue on high availability active/passive configurations where data ports on the passive firewall sent out packets, which caused a MAC flap on upstream firewalls.
PAN-173216
Fixed an issue where the firewall incorrectly handled HTML pages when accessed via the GlobalProtect Clientless VPN.
PAN-172853
Fixed an issue where Panorama appliances running a PAN-OS 10.0 release did not push the Security policy options no-hip and quarantine to firewalls running PAN-OS 9.1.
PAN-172834
Fixed a memory leak issue related to the useridd process that occurred when processing IP-address-to-username mappings.
PAN-172768
Fixed an issue where HIP report generation caused a memory leak on a process (useridd).
PAN-172726
Fixed an issue where the policy-based forwarding (PBF) ID was overwritten by the EMCP ID, which caused PBF to stop working.
PAN-172580
Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects.
PAN-172490
Fixed an issue on firewalls in HA configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
PAN-172464
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
PAN-172295
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process (useridd) and caused IP address-to-user mapping redistribution failure.
PAN-172179
(PA-7000b firewalls only) Fixed an issue where, when GPRS tunneling protocol (GTP-U) tunnel acceleration was enabled but Mobile Network Protection was not enabled on the corresponding policy, GTP-U traffic was dropped.
PAN-171290
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to renew the management server DHCP IP.
PAN-171241
Fixed a memory and file descriptor leak on a process (reportd) that resulted in traffic not matching the correct Security policy rule after a devsrvr process restart.
PAN-171174
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
PAN-170932
Fixed an issue in Telemetry settings where the OK button was disabled when Telemetry Region was set to None.
PAN-170926
Fixed an issue where the threat name was not displayed on an Antivirus Block Page when using the threatname variable.
PAN-170574
(Panorama appliances on Microsoft Azure and Amazon Web Services (AWS) only) Fixed an issue where Panorama sent 127.0.0.1 as the NAS-IP-Address in RADIUS messages.
PAN-170297
Fixed an issue where ACC Threat activity did not include the threat name after upgrading to a PAN-OS 10.0 release.
PAN-170103
Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certification-based authentication.
PAN-169793
Fixed an issue where using cookies to authenticate macOS users didn't work due to the client agent not providing the phpsessionid set from the sent GlobalProtect messages during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
PAN-169687
Fixed an issue where SNMP returned an improper status for an unsupported interface type.
PAN-169600
Fixed an issue where pan_sdwan_get_fec_encp queried the SD-WAN module for whether FEC/PD was to be triggered even when SD-WAN was not configured.
PAN-169105
Fixed an issue on the Panorama web interface where a Network File System (NFS) storage partition displayed the incorrect storage size.
PAN-168921
Fixed an issue on firewalls in HA active/active configuration where traffic with complete packets showed up as incomplete and was disconnected due to a non-session owner closing the session prematurely.
PAN-168903
Fixed an issue where deleting licenses on the firewall incorrectly set the GlobalProtect gateway license node to false. The firewall displayed the following error message during a GlobalProtect application connection: "Could not connect to the gateway. The device or feature requires a GlobalProtect subscription license", even though the gateway firewall had a valid gateway license.
PAN-168890
A CLI command was added to address an issue where a configured proxy server for a service route was automatically applied to the email server service route.
PAN-168221
(Panorama appliances deployed in Microsoft Azure instances without temporary disks) Fixed an issue where Panorama displayed an incorrect number of drives.
PAN-167858
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
PAN-167805
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match predict session, which resulted in child sessions failing.
PAN-167329
Fixed an issue where ZTP flow did not complete.
PAN-167266
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
PAN-167115
Fixed an issue where, after upgrading to PAN-OS 10.0.3, admin sessions on Panorama were not logged out after the idle timeout expired.
PAN-166557
Fixed an issue where ElasticSearch didn't register to the masterd process when setting up a new Log Collector configuration.
PAN-166081
Fixed an issue where a Role Based admin user with tag disabled was unable to view applications (Objects > Applications).
PAN-165913
Fixed an issue on United States GlobalProtect portals where HTTP health checks failed and no authentication events occurred for about 10 minutes.
PAN-165843
Fixed an issue on the firewalls where generating SCEP Certificates did not work when the value of a Relative Distinguished Name (RDN) in the subject string contained a space.
PAN-165433
Fixed an intermittent issue where Cortex Data Lake failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.
PAN-165179
Fixed an issue where Panorama missed address group objects during a template configuration due to Panorama not sending the required strings for a query.
PAN-165120
Fixed an issue where the Application Command Center (ACC) did not display data when the Device Group was set with VSYS in its name.
PAN-164941
Fixed an issue where multiple duplicate "No Valid DNS Security License" warning messages were generated during a successful commit.
PAN-164450
Fixed an intermittent issue where the firewall dropped GTPv2 Create Session Response packets with the cause Partially Accepted.
PAN-164422
(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
PAN-164429
Fixed an issue where the Panorama web interface displayed an unavailable setting.
PAN-164402
A CLI command was added to immediately disable or enable restarting the syslog-ng connection during an FQDN refresh IP address change.
PAN-164335
Fixed an issue that caused false positives on GTPv2 vulnerability signatures.
PAN-163695
Fixed an issue where multiple dataplane processes (all_task, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding and caused the dataplane to restart. This issue occurred when the firewall received unexpected packets during an SSL handshake when SSL inbound inspection was configured.
PAN-163692
Fixed an issue where the firewall did not create new GTP-C sessions when a Create Session Request message was retransmitted and a completely new Create Session Response message was returned.
PAN-163606
Fixed an intermittent issue where URLs in an External Dynamic List (EDL) with the valid format <domain>:<port> were listed as invalid.
PAN-163448
Fixed an issue when using ixgb drivers with SR-IOV and DPDK that caused OSPF multicast traffic to be filtered by the physical function driver.
PAN-162939
Fixed an issue where a process (devsrvr) ran out of file descriptors, which resulted in the PAN-DB URL Filtering license being incorrectly labeled as expired.
PAN-162936
Fixed an issue where the all_pktproc process stopped responding on GTP-U session traffic when attempting to send out packets held in software buffers.
PAN-162884
Fixed a rare issue where an external dynamic list (EDL) entry became corrupt due to an erroneous string being inserted while generating the list.
PAN-162374
Fixed an issue where the firewall rebooted unexpectedly and displayed the following message: "Reboot SYSTEM REBOOT Masterd Initiated".
PAN-162174
Fixed an issue where, when the firewall received a configuration from Panorama with no URL category, it was automatically configured as Any.
PAN-161940
Fixed an issue where the firewall did not honor the peer RX interval timeout in a Bidirectional Forwarding Detection (BFD) INIT state.
PAN-161617
Fixed an intermittent issue where the NTP status displayed the message "NTP not synched" when using an FQDN that resolved to both an IPv4 and an IPv6 address.
PAN-161544
Fixed an issue where the Device Name field was missing when GlobalProtect logs were exported to CSV from the Panorama management server.
PAN-161208
Fixed an issue where the Service Route Configuration (Device > Setup > Services > Service Route Configuration) was unchangeable when the web interface language was set to a language other than English.
PAN-161111
Fixed an issue where TLS 1.3 Forward Proxy Decryption failed with a malloc failure error. This issue was caused by the server certificate being very large.
PAN-160708
Fixed an issue where the dataplane restarted after configuring a deny_all policy.
PAN-160544
Fixed an issue where a user was able to clone, edit, and commit a configuration that had been locked by another user.
PAN-160238
Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
PAN-159954
Fixed an issue where scheduled configuration bundle exports via Secure Copy (SCP) displayed the following error message in the system log: "Failed to export config bundle" after already displaying a "Success" message in the log.
PAN-159922
Fixed an issue where, when the DNS Security feature was enabled, Linux clients experienced a delay in resolving domain names if the clients simultaneously attempted A and AAAA resolution.
PAN-159502
Fixed an issue on Panorama where attempting to partially revert multiple changes to a Security profile group name that were not committed caused the Security profile group to be removed.
PAN-159153
Fixed an issue where commit failures occurred without error messages due to the DLP plugin, even when the DLP configuration was not present on the firewall.
PAN-158958
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
PAN-158753
(Panorama virtual appliances in Legacy mode only) Fixed an issue where GlobalProtect logs were not forwarded to the external syslog server over TCP.
PAN-158439
Fixed a memory leak on the management server process on the firewall.
PAN-158431
Fixed an issue where a local authentication profile type changed to SAML after overriding the profile in the template stack.
PAN-158043
Fixed an issue where the firewall dropped packets due to a race condition.
PAN-157725
Fixed an issue on firewalls where URL category responses were not processed by the dataplane in a timely fashion, which adversely affected web-browsing traffic.
PAN-157459
Fixed an issue where, after updating an address in an Address Group, a commit did not update GlobalProtect split tunnel access routes.
PAN-156893
Fixed an issue where commits failed when the Username field in the certificate profile was set to None and the GlobalProtect portal and/or gateway certificate authentication profiles were configured with either the user credential or the client certificate request authentication type.
PAN-156482
Fixed a packet buffer issue where HTTP2 packets were held for category lookup and the HTTP request was across multiple packets.
PAN-155715
(VM-Series firewalls only) Fixed an issue on the web interface where Operational Commands (Device > High Availability) did not display.
PAN-154876
Fixed an issue where the web interface did not display Release Date when updating the dynamic updates manually.
PAN-153308
Fixed an issue which caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
PAN-149911
Fixed an issue where URL filtering logs for credential phishing displayed a slash character ( / ) in the URL field.
PAN-144340
(PA-7000 Series firewalls only) Fixed an issue where some slots in the firewall did not get registered as up in a process (useridd), which caused the process to ignore IP address-to-user mappings to those slots.
PAN-143930
Fixed an issue where a process (routed) restarted due to the number of BGP peers exceeding the supported configuration.
PAN-141454
Fixed an issue where the output of the CLI command show running resource-monitor ingress-backlogs displayed an incorrect total utilization value.
PAN-136961
Fixed an issue where, during QoS config generation, the Aggregate Ethernet (AE) subnets were incorrectly calculated cumulatively across all AEs instead of calculating just the total subnets of an AE.
PAN-130003
Fixed an issue where the show logging-status CLI command did not display any output on the firewall even though the firewall was connected to Panorama and was successfully forwarding logs.
PAN-114127
Fixed an issue in Panorama where the footer bar in the Devices dialog box (Collector Groups > Device Log Forwarding) was not visible.
