PAN-OS 10.0.9 Addressed Issues

PAN-OS® 10.0.9 addressed issues.
Issue ID
Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.
Fixed an issue where, after upgrading Panorama, when Share Unused Address and Service Objects with Devices was unchecked, address objects using tags to dynamic address groups were removed after a full commit.
Fixed an issue on firewalls in high availability (HA) active/passive configurations where, when the passive firewall was reloaded, not all session information from the active firewall was duplicated to the passive firewall.
Fixed an issue where staggering scheduled dynamic updates from Panorama to firewalls only worked for the first scheduled group and failed for the remaining groups of the same type.
Fixed an issue where Panorama was inaccessible due to the configd process not responding.
Fixed an issue where, when decrypting at TLS1.3, websites failed to load due to the firewall incorrectly handling payload padding from the server.
Fixed an issue where new tunnels were unable to be established for Elasticsearch due to faulty logic that prevented old tunnels from being removed when a node went down.
Fixed an issue where a process (authd) stopped responding due to incorrect context handling.
(VM-Series firewalls on Hyper-V only) Fixed an issue where packet length was calculated incorrectly, which caused 4 extra bytes to be added to the end of the frame in VLAN-tagged traffic.
Fixed an issue with the GlobalProtect Clientless VPN where, when an application sent a negative max age value on a cookie, part of the cookie was retained by PAN-OS and used for the subsequent connection on the user session.
Fixed an issue where
in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.
Fixed an issue where, when creating a certificate name, you could set a character limit that exceeded what the decryption profile configuration was able to support.
Fixed an issue where, when system logs and configuration logs on a dedicated log collector system were forwarded to a Panorama management server in Management Only mode, the logs were not ingested and were dropped. This caused the dedicated log collector system to not be viewable on a Panorama appliance in Management Only mode.
Fixed an issue with proxy session handling where the server leg closed early, which caused client issues if the proxy session client leg was experiencing network issues.
(PA-7000 Series firewalls only) Fixed an issue where persistent sessions did not properly age out when removing a Data Processing Card (DPC).
Fixed an issue where a delay to detect when an interface was down after a cable pull caused traffic to be black-holed to the downed link for 10 or more seconds.
Fixed an intermittent issue on Panorama where querying logs via the web interface or API did not return results.
Fixed an intermittent issue where users did not have access to resources due to a host information profile (HIP) check failure that was caused by the HIP data not being synced between the management plane and the dataplane.
Fixed an issue where a process (authd) stopped responding, which caused authentication to fail.
Fixed an issue where a process (tund) stopped responding when enabling IPSec tunnel monitoring.
Fixed an issue where SSL decryption failed for websites when they were accessed from Google Chrome version 92 or higher.
Fixed an issue where enabling Use proxy to fetch logs from Cortex Data Lake caused Panorama to not show logs when queried.
Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.
Fixed a memory leak issue in the (mgmtsrvr) process.
Fixed an intermittent issue where IP address-to-username mappings were not created on a redistribution client if a logout and login message shared the same timestamp.
(M-200 and M-500 appliances only) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
Fixed an issue where, when the time-to-live (TTL) value for symmetric MAC entries wasn't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.
Fixed an issue where scheduled customer reports displayed as empty when the configured destination was an address group.
Fixed an issue on the Panorama interface where Deploying Master Key to low-end devices resulted in a Failed to communicate message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
Fixed an out-of-memory (OOM) condition that occurred due to multiple parallel jobs being created by the scheduled log export feature.
Fixed an issue where sequence numbers were calculated incorrectly for traffic that was subject to Session Initiation Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear Text Proxy was disabled.
Fixed an issue where a sudden increase in URL data approached the maximum cache capacity of the firewall.
Fixed an issue in Panorama where attempting to disable override on an object from a child device group did not work after cloning and renaming the object.
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
Fixed an issue where a bar or point on a Network Monitor graph had to be clicked more than once to properly redirect to the corresponding ACC report.
Fixed an issue where exporting a device summary to CSV failed and displayed the following error message: Error while exporting
Fixed an issue where Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands:
  • show system setting hardware-acl-blocking-enable
  • show system setting hardware-acl-blocking-duration
Fixed an issue where multiple heartbeat failures occurred, which resulted in HA failover.
Fixed an issue with the HA1 monitor hold timer where the configured value was not assigned to the HA1 backup interface, which instead used the default hold timer (3000 milliseconds) and caused failover events to take longer than expected.
(Panorama appliances in FIPS mode only) Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options from the Clientless VPN.
(PA-800 Series firewalls only) Fixed an issue where the firewall became unresponsive when an enhanced small form-factor pluggable (SFP+) module was inserted in the SFP port.
Fixed an issue in Panorama where the configd process stopped responding due to a memory issue with memcpy bson_append.
(VM-Series firewalls only) Fixed an issue where a process (all_task) stopped responding.
Fixed a memory leak issue related to the useridd process.
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
Fixed an issue where the internal interface flow control caused the monitoring process to incorrectly determine the interface to be malfunctioning.
Fixed an issue where NetFlow traffic triggered a packet buffer leak.
Fixed an issue where a process (configd) restarted due to memory corruption in the show dynamic-address-group CLI command during commits, commit and push operations, and HA Panorama syncs.
Fixed an issue where HIP profile objects in security policies and authentication policies were still visible in the CLI even after replacing them with source HIP and destination HIP objects.
(PA-800 and PA-400 Series firewalls and PA-220 firewalls only) Fixed an issue where the management plane CPU was incorrectly reported to be high.
Fixed an issue where, after a local user group is updated by adding or removing users, the local user group is removed from
Fixed an issue where loading configuration versions in Panorama added unnecessary IDs to the configuration.
Fixed an issue in active/active HA configuration where session disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules.
Fixed an issue where FQDN service routes were not installed after a system reboot.
Fixed an issue where, when the Elasticsearch startup timestamp occurred exactly on the second, an internal variable was set incorrectly, which resulted in failed customer reports and no ACC data to display.
Fixed a memory reference issue related to the devsrvr process that caused the process to stop responding.
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
Fixed an issue on Panorama where clicking Run Now for a custom report with 32 or more filters in the Query Builder returned the following message: No matching records
Fixed an issue where a process (authd) stopped responding due to an invalid null pointer.
Debug logs were added to troubleshoot WildFire submission issues.
Fixed an issue where information-level logs caused the configd logs to fill.
Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of dynamic address groups, Panorama became unresponsive and commits were slower than expected.
Fixed an issue where replacing SSL certificates for inbound management traffic did not work when Block Private Key Export was enabled.
Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.
Fixed an issue where the logrcvr process continuously restarted due to incorrect data.
Fixed an issue where ICMP sessions didn't display SD-WAN policy name or site name information in the traffic logs.
Fixed an issue where the Panorama appliance didn't return inherited device group locations pertaining to Security policies for REST API queries.
(PA-3220 firewalls on PAN-OS 10.0.3 only) Fixed an issue where, after manually uploading WildFire images, the dropdown did not display any available files to choose from.
Fixed an issue where the URL-Filtering cloud connection failed with the following error message: bind failed with errno 97
Fixed an issue with an extra character in HTTP Strict Transport Security (HSTS) regression tests when accessing the GlobalProtect gateway.
Fixed an issue where SNMPV3 traps were not processed by the
receiver after a firewall reboot.
Fixed an issue where the firewall dropped PBF keepalive responses.
Fixed an issue where, in scenarios with Fragmented SIP, the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by APP-ID and CTD.
Fixed an issue where, when there was a high volume of traffic for sessions with Application Block Pages enabled, other regular packets were dropped.
Fixed an issue where special characters in web interface description fields displayed as their respective HTML ASCII character references.
Fixed an issue where the stats dump report was empty.
Fixed an issue where restarting the devsrvr process caused new GlobalProtect connections to fail with the error message required client certificate not found. This issue occurred due to a key mismatch between the dataplane and the management plane.
Fixed an issue where the show high-availability all output incorrectly displayed the VM-Series firewall license type on physical firewalls.
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to
overflowed the 32-bit integer.
Fixed an issue where authentication via the LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and Verify server certificate for SSL sessions options enabled.
(Panorama virtual appliances only) Fixed an issue where, when GPRS tunneling protocol (GTP) stateful inspection was enabled, GTP packets carrying NTP traffic with the destination port UDP 2152 were identified as GTP-in-GTP in GTP and logged as critical severity in the GTP logs.
Fixed an issue where, after an upgrade, the following error message was displayed: Not enough space to load content to SHM
Fixed an issue where scheduled configuration export files saved in the /tmp folder weren't periodically purged, which caused the root partition to fill up.
Fixed an issue where the web interface did not display Missing Patches in the HIP logs.
Fixed an issue where timed-out DNS Security queries produced incorrect system log entries indicating cloud service connection refused. With this fix, timed-out queries are correctly logged as cloud query timeout.
Fixed an issue where applications did not work via the Clientless VPN when they were configured on a VLAN interface.
Fixed an issue where exporting a backup to a server with an Elliptic Curve Digital Signature Algorithm (ECDSA) key failed when ECDSA was a valid key type.
Fixed an issue where the default severities for Content Update errors were inaccurate.
Fixed an issue on Panorama where, when
Retrieving Content 'WildFire'
information failed, the error message
No records found
incorrectly displayed as
(PA-7000 Series firewalls with Log Forwarding Cards (LFC) only) Fixed an issue where the logging rate for the LFC was not displayed in Panorama > Managed Devices > Health.
Fixed an issue where the firewall dropped TCP FIN traffic due to the server-to-client FIN traffic being out of order.
(Firewalls in HA configurations only) Fixed an issue where connections to the SafeNet hardware security module (HSM) were lost after upgrading to a new major PAN-OS release.
Fixed an issue where, when running the
show running application statistics
CLI command, the
value in the output rolled over before the

