End-of-Life (EoL)

PAN-OS 10.0.9 Addressed Issues

PAN-OS® 10.0.9 addressed issues.
Issue ID
Description
WF500-5513
Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.
PAN-184445
Fixed an issue where, after upgrading Panorama, when
Share Unused Address and Service Objects with Devices
was unchecked, address objects using tags to dynamic address groups were removed after a full commit.
PAN-183754
Fixed an issue on firewalls in high availability (HA) active/passive configurations where, when the passive firewall was reloaded, not all session information from the active firewall was duplicated to the passive firewall.
PAN-181360
Fixed an issue where staggering scheduled dynamic updates from Panorama to firewalls only worked for the first scheduled group and failed for the remaining groups of the same type.
PAN-181309
Fixed an issue where Panorama was inaccessible due to the configd process not responding.
PAN-180934
Fixed an issue where, when decrypting at TLS1.3, websites failed to load due to the firewall incorrectly handling payload padding from the server.
PAN-179886
Fixed an issue where new tunnels were unable to be established for Elasticsearch due to faulty logic that prevented old tunnels to be removed when a node went down.
PAN-178961
Fixed an issue where a process (authd) stopped responding due to incorrect context handling.
PAN-179146
(
VM-Series firewalls on Hyper-V only
) Fixed an issue where packet length was calculated incorrectly, which caused 4 extra bytes to be added to the end of the frame in VLAN-tagged traffic.
PAN-178953
Fixed an issue with the GlobalProtect Clientless VPN where, when an application sent a negative max age value on a cookie, part of the cookie was retained by PAN-OS and used for the subsequent connection on the user session.
PAN-177762
Fixed an issue where
wificlient
in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.
PAN-177571
Fixed an issue where, when creating a certificate name, you could set a character limit that exceeded what the decryption profile configuration was able to support.
PAN-177363
Fixed an issue where, when system logs and configuration logs on a dedicated log collector system were forwarded to a Panorama management server in Management Only mode, the logs were not ingested and were dropped. This caused the dedicated log collector system to not be viewable on a Panorama appliance in Management Only mode.
PAN-176719
Fixed an issue with proxy session handling where the server leg closed early, which caused client issues if the proxy session client leg was experiencing network issues.
PAN-176392
(
PA-7000 Series firewalls only
) Fixed a an issue where persistent sessions did not properly age out when removing a Data Processing Card (DPC).
PAN-176341
Fixed an issue where a delay to detect when an interface was down after a cable pull caused traffic to be black-holed to the downed link for 10 or more seconds.
PAN-176280
Fixed an intermittent issue on Panorama where querying logs via the web interface or API did not return results.
PAN-176054
Fixed an intermittent issue where users did not have access to resources due to a host information profile (HIP) check failure that was caused by the HIP data not being synced between the management plane and the dataplane.
PAN-176032
Fixed an issue where a process (authd) stopped responding, which caused authentication to fail.
PAN-175923
Fixed an issue where a process (tund) stopped responding when enabling IPSec tunnel monitoring.
PAN-175652
Fixed an issue where SSL decryption failed for websites when they were accessed from Google Chrome version 92 or higher.
PAN-175399
Fixed an issue where enabling
Use proxy to fetch logs from Cortex Data Lake
caused Panorama to not show logs when queried.
PAN-175307
Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.
PAN-175211
Fixed a memory leak issue in the (mgmtsrvr) process.
PAN-175141
Fixed an intermittent issue where IP address-to-username mappings were not created on a redistribution client if a logout and login message shared the same timestamp.
PAN-174998
(
M-200 and M-500 appliances only
) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
PAN-174894
Fixed an issue where, when the time-to-live (TTL) value for symmetric MAC entries weren't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.
PAN-174886
Fixed an issue where scheduled customer reports displayed as empty when the configured destination was an address group.
PAN-174864
Fixed an issue on the Panorama interface where
Deploying Master Key
to low-end devices resulted in a
Failed to communicate
message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
PAN-174709
Fixed an out-of-memory (OOM) condition that occurred due to multiple parallel jobs being created by the scheduled log export feature.
PAN-174347
Fixed an issue where sequence numbers were calculated incorrectly for traffic that was subject to Session Initiation Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear Text Proxy was disabled.
PAN-174244
Fixed an issue where a sudden increase in URL data approached the maximum cache capacity of the firewall.
PAN-174161
Fixed an issue in Panorama that occurred when attempting to
disable override
on an object from a child device group did not work after cloning and renaming the object.
PAN-174055
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
PAN-173978
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
PAN-173753
Fixed an issue where a bar or point on a
Network Monitor
graph had to be clicked more than once to properly redirect to the corresponding ACC report.
PAN-173545
Fixed an issue where exporting a device summary to CSV failed and displayed the following error message:
Error while exporting
.
PAN-173509
Fixed an issue where Superuser administrators with read-only privileges (
Device > Administrators and Panorama > Administrators
) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands:
  • show system setting hardware-acl-blocking-enable
  • show system setting hardware-acl-blocking-duration
PAN-173453
Fixed an issue where multiple heartbeat failures occurred, which resulted in HA failover.
PAN-173157
Fixed an issue with the HA1 monitor hold timer where the configured value was not assigned to the HA1 backup interface, which used the default hold timer (3000 milliseconds), which resulted in failover events taking longer than expected.
PAN-173076
(
Panorama appliances in FIPS mode only
) Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options from the Clientless VPN.
PAN-172890
(
PA-800 Series firewalls only
) Fixed an issue where the firewall became unresponsive when an enhanced small form-factor pluggable (SFP+) module was inserted in the SFP port.
PAN-172775
Fixed an issue in Panorama where the configd process stopped responding due to a memory issue with
memcpy bson_append
.
PAN-172748
(
VM-Series firewalls only
) Fixed an issue where a process (all_task) stopped responding.
PAN-172396
Fixed a memory leak issue related to the useridd process.
PAN-172324
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
PAN-172316
Fixed an issue where the internal interface flow control that caused the monitoring process to incorrectly determine the interface to be malfunctioning.
PAN-172243
Fixed an issue where NetFlow traffic triggered a packet buffer leak.
PAN-172200
Fixed an issue where a process (configd) restarted due to memory corruption in the
show dynamic-address-group
CLI command during commits, commit and push operations, and HA Panorama syncs.
PAN-171869
Fixed an issue where HIP profile objects in security policies and authentication policies were still visible in the CLI even after replacing them with source HIP and destination HIP objects.
PAN-171696
(
PA-800 and PA-400 Series firewalls and PA-220 firewalls only
) Fixed an issue where the management plane CPU was incorrectly reported to be high.
PAN-171497
Fixed an issue where, after a local user group is updated by adding or removing users, the local user group is removed from
groupdb
.
PAN-171380
Fixed an issue where loading configuration versions in Panorama added unnecessary IDs to the configuration.
PAN-171367
Fixed an issue in active/active HA configuration where session disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
PAN-171159
Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules.
PAN-170997
Fixed an issue where FQDN service routes were not installed after a system reboot.
PAN-170603
Fixed an issue where, when the Elasticsearch startup timestamp occurred exactly on the second, an internal variable was set incorrectly, which resulted in failed customer reports and no ACC data to display.
PAN-170466
Fixed an memory reference issue related to the devsrvr process that caused the process to stop responding.
PAN-169899
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
PAN-169433
Fixed an issue on Panorama where clicking
Run Now
for a custom report with 32 or more filters in the Query Builder returned the following message:
No matching records
.
PAN-169347
Fixed an issue where a process (authd) stopped responding due to an invalid null pointer.
PAN-169300
Debug logs were added to troubleshoot WildFire submission issues.
PAN-169212
Fixed an issue where information level logs caused a configd logs to fill.
PAN-169173
Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of dynamic address groups, Panorama became unresponsive and commits were slower than expected.
PAN-168339
Fixed an issue where replacing SSL certificates for inbound management traffic did not work when
Block Private Key Export
was enabled.
PAN-168189
Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.
PAN-168178
Fixed an issue where the logrcvr process continuously restarted to due incorrect data.
PAN-167762
Fixed an issue where ICMP sessions didn't display SD-WAN policy name or site name information in the traffic logs.
PAN-167560
Fixed an issue where the Panorama appliance didn't return inherited device group locations pertaining to Security policies for REST API queries.
PAN-167259
(
PA-3220 firewalls on PAN-OS 10.0.3 only
) Fixed an issue where, after manually uploading WildFire images, the dropdown did not display any available files to choose from.
PAN-166978
Fixed an issue where the URL-Filtering cloud connection failed with the following error message:
bind failed with errno 97
.
PAN-166202
Fixed an issue with an extra character in HTTP Strict Transport Security (HSTS) regression tests when accessing the GlobalProtect gateway.
PAN-166180
Fixed an issue where SNMPV3 traps were not processed by the
snmptrap
receiver after a firewall reboot.
PAN-166091
Fixed an issue where the firewall dropped PBF keepalive responses.
PAN-165660
Fixed an issue where, in scenarios with Fragmented SIP, the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by APP-ID and CTD.
PAN-165147
Fixed an issue where, when there was a high volume of traffic for sessions with
Application Block Pages
enabled, other regular packets were dropped.
PAN-164997
Fixed an issue where special characters in web interface description
Overview
fields displayed as their respective HTML ASCII character references.
PAN-164631
Fixed an issue where the
stats dump
report was empty.
PAN-163030
Fixed an issue where restarting the devsrvr process caused new GlobalProtect connections to fail with the error message
required client certificate not found
. This issue occurred due to a key mismatch between the dataplane and the management plane.
PAN-161726
Fixed an issue where the
show high-availability all
output incorrectly displayed the VM-Series firewall license type on physical firewalls.
PAN-161496
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to
pan_in_cksm32_diff
overflowed the 32-bit integer.
PAN-161031
Fixed an issue where authentication via the LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and
Verify server certificate for SSL sessions
options enabled.
PAN-160825
(
Panorama virtual appliances only
) Fixed an issue where, when GPRS tunneling protocol (GTP) stateful inspection was enabled, GTP packets carrying NTP traffic with the destination port UDP2152 were identified as GTP-in-GTP in GTP and logged as critical severity in the GTP logs.
PAN-159835
Fixed an issue where, after an upgrade, the following error message was displayed:
Not enough space to load content to SHM
.
PAN-159295
Fixed an issue where scheduled configuration export files saved in the /tmp folder weren't periodically purged, which caused the root partition to fill up.
PAN-159225
Fixed an issue where the web interface did not display
Missing Patches
in the HIP logs.
PAN-159210
Fixed an issue where timed-out DNS Security queries produced incorrect system log entries indicating
cloud service connection refused
. With this fix, timed-out queries are correctly logged as
cloud query timeout
.
PAN-158369
Fixed an issue where applications did not work via the Clientless VPN when they were configured on a vlan interface
PAN-156545
Fixed an issue where exporting a backup to a server with an Elliptic Curve Digital Signature Algorithm (ECDSA) key failed when ECDSA was a valid key type.
PAN-156289
Fixed an issue where the default severities for Content Update errors were inaccurate.
PAN-155059
Fixed an issue on Panorama where, when
Retrieving Content 'WildFire'
information failed, the error message
No records found
incorrectly displayed as
High
severity.
PAN-151302
(
PA-7000 Series firewalls with Log Forwarding Cards (LFC) only
) Fixed an issue where the logging rate for the LFC was not displayed in
Panorama > Managed Devices > Health
.
PAN-150848
Fixed an issue where the firewall dropped TCP FIN traffic due to the server-to-client FIN traffic being out of order.
PAN-147256
(
Firewalls in HA configurations only
) Fixed an issue where connections to the SafeNet hardware security module (HSM) were lost after upgrading to a new major PAN-OS release.
PAN-146737
Fixed an issue where, when running the
show running application statistics
CLI command, the
packets
value in the output rolled over before the
session
value.

Recommended For You