PAN-OS 10.1.2 Addressed Issues

PAN-OS® 10.1.2 addressed issues.
Issue ID
(PA-7000 Series and PA-5450 firewalls only) Fixed an issue where PAN-OS displayed the incorrect chassis serial number when an MPC (Management Processor Card) or SMC (Switch Management Card) was moved from one chassis to another.
Fixed an issue where Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations being loaded after a reboot.
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
(VM-Series firewalls deployed in Amazon Web Services (AWS) only) Fixed an issue where Gateway Load Balancer (GWLB) inspection incorrectly displayed as false after a reboot.
Fixed an issue where a sudden increase in URL data approached the maximum cache capacity of the firewall.
Fixed an issue where a process (authd) used an old Thermite certificate after renewals, which caused authentication failures when using the Cloud Authentication service.
Fixed an issue where clicking a hyperlink on a web page caused the web browser to download a file instead.
Fixed an issue where a race condition occurred and caused a process (useridd) to restart.
Fixed an issue where, when downgrading from PAN-OS 10.1 to an earlier version, with Cloud Authentication Service configured in an Authentication profile, the firewall did not remove the Cloud Authentication Service from the Authentication profile and displayed the authentication method as
, and subsequent commits failed.
Fixed an issue on firewalls in HA configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Fixed an issue where, when the firewall communicated with the Cloud Identity Engine before the device certificate was installed on the firewall or Panorama, subsequent queries to the Cloud Identity Engine failed.
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process (useridd) and caused IP address-to-user mapping redistribution failure.
(PA-400 Series firewalls only) Fixed an intermittent issue where changing the port speed from auto-negotiate to 1G caused the dataplane port to flap, which resulted in lost traffic.
Fixed an intermittent issue where processing HIP messages in the (useridd) process caused a memory leak.
Fixed an issue with SD-WAN path selection logic that caused an all_pktproc dataplane to stop responding.
Fixed an issue where no data was displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance (
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.
Fixed an issue in an HA configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Fixed an issue where the data redistribution agent and the data redistribution client failed to connect due to the agent not sending an SSL Server hello response.
Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certification-based authentication.
Fixed an issue where configuration files were not exported using the scheduled Secure Copy (SCP).
Fixed an issue where deleting licenses on the firewall incorrectly set the GlobalProtect gateway license node to
. The firewall displayed the following error message during a GlobalProtect application connection: "Could not connect to the gateway. The device or feature requires a GlobalProtect subscription license", even though the gateway firewall had a valid gateway license.
Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.
Fixed an issue where, after upgrading to 10.0.3, admin sessions on Panorama were not logged out after the idle timeout expired.
Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
Fixed an issue where
was enabled by default.
Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (
Preview Rules
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the
tabs, the Query Traffic setting was not available for Address Groups.
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
Fixed an issue where, during QoS config generation, the Aggregate Ethernet (AE) subnets were incorrectly calculated cumulatively across all AEs instead of calculating just the total subnets of an AE.
