PAN-OS 10.1.10 Addressed Issues
PAN-OS® 10.1.10 addressed issues.
PA-5400 Series firewalls with DPC (Data Processing Cards) only) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to
Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9, multiple User-ID alerts were generated every 10 minutes.
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
Fixed a memory related issue where the
MEMORY_POOLaddress was mapped incorrectly
Fixed an issue where false negatives occurred for some script samples.
PA-5200 Series firewalls only) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message
Server error : op command for client dagger timed out as client is not available.
Fixed an issue on log collectors where the root partition reached 100% utilization.
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the
detailed log viewwas not accessible if the browser window was resized.
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Fixed an issue where the
show session packet-buffer-protection buffer-latencyCLI command randomly displayed incorrect values.
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Fixed an issue on Panorama where users with custom admin roles were incorrectly unable to view SSH profiles even when it was permitted in the custom role.
Panorama appliances in Legacy Mode only) Fixed an issue where
Blocked Browsing Summary by Websitein the user activity report contained scrambled characters.
Fixed an issue where the Data Processing Card remained in a
Startingstate after a restart.
Fixed an issue where fragmented UDP packets were dropped.
Fixed an issue where firewalls disconnected from Cortex Data Lake due to a missing key file after renewing the device certificate.
Fixed an issue with firewalls on active/passive HA configurations GlobalProtect where users were disconnected after HA failover.
Fixed an issue on Panorama where Security policy rules with a
Tagtarget did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.
Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under
Deploy Master Key.
Fixed an issue where the
Templateslist was not displayed under the
Locationdrop-down for commit or configuration locks.
A debug command was added to address an issue with firewalls in high availability configurations.
CN-Series firewalls only) Fixed an issue where the dataplane stopped responding after a container restart.
Fixed an issue where, when traffic and threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.
Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Fixed an issue where the GlobalProtect
logdbquota was not displayed in the
show system logdb quotaoutput.
Fixed an issue on the web interface where the
Session Expire Timedisplayed a past date if the device time was in December.
Fixed an issue on the firewall where log filtering did not work as expected.
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
PA-7000 Series firewalls only) Fixed an issue where autotagging in log forwarding did not work.
Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as
Fixed an issue where the all_task process stopped responding when freeing the HTTP/2 stream, which caused the dataplane to go down.
Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as
use defaultfor IPv4 addresses and included the dataplane interface as the destination route.
Fixed an issue where API calls did not display tunnel info.
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
PA-5400 Series, PA-3400 Series, PA-400 Series only, and PA-5450 firewalls only) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Fixed an issue where user-group names were unable to be configured as the source user via the
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Fixed an issue where changes to the syslog server configuration were not applied without first restarting the management server.
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.
Fixed an issue where traffic that matched a Security policy rule with FQDN objects resolved with two IP addresses reached both IP address destinations.
Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.
PA-7000 Series firewalls with SMC-B only) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error
invalid http response. return error(Authentication failed; Retry authenticationwhen the satellite connected to more than one portal.
Fixed a Clientless VPN issue where JSON stringifies caused issues with the application rewrite.
Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed
From Template Override: undefinedas a source.
Fixed an issue where
Panorama > Setup > Interfaceswas not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Fixed an issue where the shard count displayed by the
show log-collector-es-cluster healthCLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.
Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Fixed an issue where the
ikemgrprocess stopped responding, which caused IPSec tunnels to go down.
Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.
Fixed an issue where the
Include/Exclude IPfilter under
Data Distributiondid not work correctly.
Fixed an issue where an authentication key field, even though not supported, was enabled under the
Devicetab on Panorama.
Fixed an issue where scheduled configuration pushes with
Include Device and Network Templatesselected did not work.
PA-7000 Series firewalls with NPCs (Network Processing Cards) only) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message:
Power not OK.
Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Fixed an issue where logs did not display
Host-IDdetails for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple
UploadInstalljobs per minute.
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Fixed an issue where connections to Cortex Data Lake were initialized from the firewall even when Cortex Data Lake forwarding was disabled.
Fixed an issue in the
Run Nowsection of custom reports where
Threat/Content Namedisplayed in hypertext, and hovering over the text with the mouse displayed the message undefined.
Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.
Fixed an issue where the firewall changed sequence numbers for reused sessions.
PA-5200 Series firewalls only) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:
Could not chdir to home directory /opt/pancfg/home/user: Permission denied.
Fixed an issue where logs were unable to be generated due to old logs not getting purged and
/opt/panlogsreaching over 100% usage.
WF-500 appliances only) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.
Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Fixed an issue where enabling
), the new deviating device system logs included incorrect information.
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).
Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.
Fixed an issue where GlobalProtect HIP matches failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.
Fixed an issue with firewalls in HA configurations where HA setup generated the error
mismatch due to device updateduring a content update even though the version was the same.
Fixed an issue where the all_task process stopped responding after adding customer hyperscan signatures.
Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.
Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.
Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.
Fixed an issue where the
Elapsed secondsfield incorrectly displayed as 0 for DHCP packets coming from the firewall.
Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
Fixed an issue where you were unable to resize the
Descriptionpop-up window (
Policies > Security > Prerules).
Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.
Fixed a rare issue where a
BuildXmlCachejob failed on the firewall.
Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).
Fixed an issue where, when the total number of in-used HIP Profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP Profile even though a HIP Match log was generated.
PA-7000 Series firewalls only) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Fixed an issue where the
Adjust Columnsoptions for Panorama Traffic logs did not correctly autoadjust the columns.
Fixed an issue where IPSec tunnel re-keying generated the critical log message
Fixed an issue where scheduled configuration backups to the SCP server failed with the error message
No ECDSA host key is known.
Fixed an issue where running the
show interfaceCLI command caused the pan_comm process to stop responding during a configuration change.
Fixed an issue where
Panorama > Device > Deployment > Softwaredid not display software after running
check nowfor managed devices.
Fixed an issue where the error message
Machine Learning found viruswas displayed in threat CSV logs as
Threat ID/Namewhen WildFire Inline ML detected malware.
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Fixed an issue where botnet reports were not generated on the firewall.
Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.
PA-400 Series firewalls only) Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.
Fixed an issue where the
pan_commprocess repeatedly restarted, which caused commits to fail.
Fixed an issue where exporting correlation logs generated an empty file.
Fixed an issue on the firewall where the DHCP server did not send DHCP NAK packets correctly when
Served Addresseswere configured.
Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.
PA-400 Series firewalls only) Fixed an issue where the *all_task* process stopped repsonding.
Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for the member interface did not respond to pings.
Fixed an issue where invalid
packet-ptrwas seen in work entries.
Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.
Fixed an issue where the firewall displayed the error message
Malformed Requestwhen an email address included an ampersand ( & ) when configuring an Email server profile.
Fixed an issue where a signature from a previous WildFire package triggered malware detection even though the signature was no longer present in the current WildFire package.
Fixed an issue where FTP connections failed when SSL Inbound Inspection was enabled and a Security Profile was attached to the FTP connection allow policy rule.
Fixed an issue where session offloading did not occur on a tap interface under a high packet load.
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple
paniocommands using extra memory.
Fixed an issue where the API format to check heap usage of a node showed a JSON error.
Recommended For You
Recommended videos not found.