) Fixed an issue where PAN-OS displayed the incorrect chassis
serial number when an MPC (Management Processor Card) or SMC (Switch
Management Card) was moved from one chassis to another.
Fixed an issue where Zero-Touch Provisioning
(ZTP) configuration wasn't removed after disabling it, which resulted
in predefined configurations being loaded after a reboot.
A fix was made to address an OS command
injection vulnerability in the PAN-OS web interface that enabled
an authenticated administrator to execute arbitrary OS commands
to escalate privileges (CVE-2021-3050).
(VM-Series firewalls deployed in Amazon
Web Services (AWS) only) Fixed an issue where Gateway Load
Balancer (GWLB) inspection incorrectly displayed as false after
Fixed an issue where a sudden increase in
URL data approached the maximum cache capacity of the firewall.
Fixed an issue where a process (authd)
used the old Thermite certificate after renewals, which caused authentication
failures when using the Cloud Authentication service.
Fixed an issue where clicking a hyperlink
on a web page caused the web browser to download a file instead.
Fixed an issue where a race condition occurred
and caused a process (useridd) to restart.
Fixed an issue where, when downgrading from
PAN-OS 10.1 to an earlier version, with Cloud Authentication Service
configured in an Authentication profile, the firewall did not remove
the Cloud Authentication Service from the Authentication profile
and displayed the authentication method as
and subsequent commits failed.
Fixed an issue on firewalls in HA configuration
where HA-2 links continuously flapped on HSCI interfaces after upgrading
to PAN-OS 8.1.19.
Fixed an issue where, when the firewall
communicated with the Cloud Identity Engine before the device certificate
was installed on the firewall or Panorama, subsequent queries to
the Cloud Identity Engine failed.
Fixed an issue where a HIP database cache
loop caused high CPU utilization on a process (useridd)
and caused IP address-to-user mapping redistribution failure.
(PA-400 Series firewalls only) Fixed an intermittent issue where
changing the port speed from auto-negotiate
to 1G caused the dataplane port to flap, which resulted in lost
Fixed an intermittent issue where processing
HIP messages in the (useridd) process caused a memory
Fixed an issue with SD-WAN path selection
logic that caused an all_pktproc dataplane to stop
Fixed an issue where no data was displayed
for the Forward Error Correction (FEC) plot for SD-WAN application
Fixed an issue on Amazon Web Services (AWS)
Gateway Load Balancer (GWLB) deployments with overlay routing and
cross-zone load balancing enabled where packets were forwarded to
the incorrect GWLB interface.
Fixed an issue in an HA configuration where,
when one firewall was active and its peer was in a suspended state,
the suspended firewall continued to send traffic, which triggered
the detection of duplicate MAC addresses.
Fixed an issue where the data redistribution
agent and the data redistribution client failed to connect due to
the agent not sending an SSL Server hello response.
Fixed an issue where a process (ikemgr)
stopped responding while making configuration changes. This issue
occurred if Site-to-Site IPSec was using certificate-based authentication.
Fixed an issue where configuration files
were not exported using the scheduled Secure Copy (SCP).
Fixed an issue where deleting licenses on
the firewall incorrectly set the GlobalProtect gateway license node
. The firewall displayed the following
error message during a GlobalProtect application connection:
Could not connect to the gateway. The device or feature requires a GlobalProtect subscription license
even though the gateway firewall had a valid gateway license.
Fixed an issue where, when a client or server
received partial application data, the record was partially processed
by legacy code. This caused decryption to fail when a decryption
profile protocol was set to a maximum of TLSv1.3.
Fixed an issue where, after upgrading to
10.0.3, admin sessions on Panorama were not logged out after the
idle timeout expired.
Fixed a configuration management issue that
resulted in a process (ikemgr) failing to recognize
changes in subsequent commits.
Fixed an issue where the firewall did not
generate a notification for the GlobalProtect client when the firewall
denied unencrypted TLS sessions due to an authentication policy
Fixed an issue where
enabled by default.
Fixed an issue where the time-to-live (TTL)
value received from the DNS server reset to 0 on DNS secure TCP
transactions when anti-spyware profiles were used, which caused
DNS dynamic updates to fail.
Fixed an issue where the debug sslmgr view crl command
failed when an ampersand (&) character was included in the URL
for the certificate revocation list (CRL).
Fixed an issue where using tags to target
a device group in a Security policy rule did not work, and the rule
was displayed in all device groups (
Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage.
(Panorama appliances on PAN-OS 10.0) Fixed an issue with
Security policy rule configuration
where, in the
setting was not available
for Address Groups.
A fix was made to address a time-of-check
to time-of-use (TOCTOU) race condition in the PAN-OS web interface
that enabled an authenticated administrator with permission to upload
plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
Fixed an issue where during QoS config generation
the Aggregate Ethernet (AE) subnets were incorrectly calculated
cumulatively across all AEs instead of calculating just the total
subnets of an AE.