PAN-OS 10.1.5 Addressed Issues
PAN-OS® 10.1.5 addressed issues.
Issue ID | Description |
---|---|
PAN-189769 | Fixed an issue on Amazon Web Services (AWS)
Gateway Load Balancer (GWLB) deployments with overlay routing enabled
where, when a single firewall was the backend of multiple GWLBs,
packets were re-encapsulated with an incorrect source IP address. |
PAN-189665 | (FIPS-CC enabled firewalls only)
Fixed an issue where the firewall was unable to connect to log collectors
after an upgrade due to missing cipher suites. |
PAN-189468 | Fixed an issue where the firewall onboard
packet processor used by the PAN-OS content-inspection (CTD) engine
can generate high dataplane resource usage when overwhelmed by a
session with an unusually high number of packets. This can result
in resource-unavailable messages due to
the content inspection queue filling up. Factors related to the likelihood
of an occurrence include enablement of content-inspection based
features that are configured in such a way that might process thousands
of packets in rapid succession (such as SMB file transfers). This
can cause poor performance for the affected session and other sessions
using the same packet processor. PA-3000 series and VM-Series firewalls
are not impacted. |
PAN-189230 | (VM-Series firewalls only) Fixed
an issue that caused the pan_task process to stop responding
with floating point exception (FPE) when there was a module of 0
on the queue number. |
PAN-188883 | Fixed an issue where, when pre-generated
license key files were manually uploaded via the web interface,
they weren't properly recognized by PAN-OS and didn't display a
serial number or initiate a reboot. |
PAN-187894 | (VM-Series firewalls only) Fixed
an issue with vm_license_response.log that consumed
a large portion of the root partition. |
PAN-187769 | (VM-Series firewalls in Microsoft Azure
environments only) Fixed a Data Plane Development Kit (DPDK)
issue where interfaces remained in a link-down state after an Azure
hot plug event. This issue occurred due to a hot plug of Accelerated
Networking interfaces on the Azure backend caused by host updates,
which led to Virtual Function unregister/Register messages on the
VM side. |
PAN-187438 | (PA-5400 Series firewalls only)
Fixed an issue where HSCI interfaces didn't come up when using BiDi
transceivers. |
PAN-186785 | Fixed an issue where, after logging in,
Panorama displayed a 500 error page after five minutes of logging
for dynamic group template admin types with access to approximately
115 managed devices or 120 dynamic groups. |
PAN-186725 | Fixed an issue where index creation failed
when Elasticsearch attempted to create a new index with a duplicate
index name. |
PAN-186646 | (PA-5400 Series firewalls only)
Fixed an issue where traffic flow through IKE NATT IPSec S2S tunnels
broke on tunnel rekey with multiple data processing cards (DPC). |
PAN-186516 | Fixed an issue where log queries that included
WildFire submission logs returned more slowly than expected. |
PAN-186402 | (PA-440 Series firewalls only)
Fixed an issue where the firewall's maximum tunnel limit was incorrect. |
PAN-185750 | Updated an issue to eliminate failed pan_comm software
issues that caused the dataplane to restart unexpectedly. |
PAN-185726 | Fixed an issue where the dataplane exited
during IPSec encapsulation and decapsulation offload operations. |
PAN-185695 | (PA-5400 Series firewalls only)
Fixed an issue where up to 75% traffic loss occurred on GlobalProtect
tunnels with multiple DPCs. |
PAN-185359 | Fixed an issue where you were unable to
reference shared address objects as a BGP peer address (Virtual
Router > BGP > Peer Group > Peer Address). |
PAN-185164 | Fixed an issue where processing corrupted
IoT messages caused the wificlient process
to restart. |
PAN-185163 | Fixed an issue where the distributord process
hit the FD limit, which caused User-ID redistribution to not function properly. |
PAN-184761 | Fixed an issue where Security policies were
deleted on managed devices upon a successful push from Panorama
to multiple device groups. This occurred when the Security policies
had device_tags selected in the target section. |
PAN-184445 | Fixed an issue where, after upgrading the
Panorama, tagged address objects used in dynamic address groups
were removed after a full commit and push. This issue occurred when
the setting Share Unused Address and Service Objects
with Devices was left unchecked. |
PAN-184432 | Fixed an issue where the logrcvr process stopped
responding due to a heartbeat failure that was caused by sysd nodes
being stuck on logdb_writers for system, configuration, and alarm logs. |
PAN-184224 | Fixed an issue on Panorama where you were
unable to select a template variable in Templates > Device
> Log Forwarding Card > Log Forwarding Card Interface > Network
> IP address location. |
PAN-184076 | Fixed an issue on the firewall web interface
where logs were delayed when querying for logs. |
PAN-184047 | Fixed an issue where Terminal Service agent
(TS agent) connections with a certificate profile and the certificate
chain on the TS agent failed. This occurred because common name
validation and key usage checks were being performed in the root
or intermediate certificate. |
PAN-183774 | Fixed a memory leak issue in the mgmtsrvr process,
which resulted in an out-of-memory (OOM) condition and high availability
(HA) failover. |
PAN-183428 | Fixed an issue where, when exporting or
pushing a device configuration bundle from Panorama, a validation
error occurred with GlobalProtect gateway inactivity logout time. |
PAN-183239 | Fixed an issue where the firewall randomly
disconnected from the WildFire URL cloud. |
PAN-183112 | Fixed an issue where the threat log type ml-virus wasn't
forwarded to Panorama or to external servers. |
PAN-182954 | (PA-7000 Series firewalls with Log Processing
Cards (LPC) only) Fixed an issue where excessive threat ID
lookups caused logs to be lost. |
PAN-182903 | Fixed an issue where SD-WAN failover on
a hub or branch in full mesh took longer than expected. |
PAN-182732 | Fixed an issue where the GlobalProtect gateway
inactivity timer wasn't refreshed even though traffic was passing
through the tunnel. |
PAN-182634 | (PA-400 Series firewalls only)
Fixed an issue where the firewall detected a Power Supply Unit (PSU)
failure for the opposite side when disconnecting a PSU from the
device. This issue occurred when redundant PSUs were connected. |
PAN-181839 | Fixed an issue where Panorama Global Search
reported No Matches found while still returning
results for matching entries on large configurations. |
PAN-181802 | Fixed an issue where a memory utilization
condition resulted in the web interface responding more slowly than
expected and management server restarting. |
PAN-181706 | Fixed an issue where the logrcvr process stopped
responding after upgrading to PAN-OS 10.1. |
PAN-181579 | Fixed an issue with the GlobalProtect gateway
where the time-to-live (TTL) limit expired faster than the real-time
limit. As a result, a reconnection was required before the expected
lifetime expiration. |
PAN-181558 | Fixed an issue where the stats dump file
was not generated properly. |
PAN-181360 | Fixed an issue where staggering scheduled
dynamic updates from Panorama to firewalls only worked for the first
scheduled group and failed for the remaining groups of the same
type. |
PAN-181116 | Fixed memory corruption issues in PAN-OS
10.1.3 and 10.1.4 that caused the pan_comm process
to stop responding and the dataplane to restart. These issues also
caused GlobalProtect tunnels to fall back to SSL instead of IPSec
due to the inadvertent encapsulation of the ICMP keepalive response
from the firewall. |
PAN-181039 | Fixed an issue with DNS cache depletion
that caused continuous DNS retries. |
PAN-180916 | Fixed an issue where DNS security caused
the TTL value of the pointer record (PTR) to be overwritten with
a value of 30 seconds. |
PAN-180760 | Fixed an issue where users were unable to
SSH to the firewall and encountered the following error message: Could not chdir to home directory /opt/pancfg/home/user: Permission denied. |
PAN-180095 | Fixed an issue where Panorama serial-number-based redistribution
agents did not redistribute HIP reports. |
PAN-179982 | Fixed an issue where an OOM condition occurred
due to quarantine list redistribution. |
PAN-179976 | Fixed an issue where the WildFire Inline
Machine Learning (ML) did not detect mlav-test-pe-file.exe when
traffic was decrypted. |
PAN-179899 | Fixed an issue where updating the master
key did not update the SD-WAN preshared key (PSK). |
PAN-179886 | Fixed an issue where new tunnels were unable
to be established for Elasticsearch due to faulty logic that prevented
old tunnels from being removed when a node went down. |
PAN-179413 | Fixed an issue where GRE tunnels flapped
during commit jobs. |
PAN-179321 | A validation error was added to inform an
administrator when a policy field contained the value any. |
PAN-179274 | Fixed an issue on high availability configurations
where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS
10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred
when the peer firewall IP address was in a different subnet. |
PAN-179260 | Fixed an issue where admins and other Superusers
were unable to remove a commit lock that was taken by another admin
user with the format <domain/user>. As a result, deleting the
commit lock failed. |
PAN-179164 | Fixed an issue where a web-proxy port number
was added to the destination URL when captive portal authentication
was run. |
PAN-179059 | Fixed an issue where you were unable to
delete dynamic address groups one at a time using XML API. |
PAN-178947 | Fixed an issue where the useridd process stopped
responding when an attempt was made to dereference a NULL reference. This
issue occurred to IP address users being added. |
PAN-178860 | Fixed an issue where quarantined devices
appeared in the CLI but not the web interface. |
PAN-178672 | Fixed an issue where a process (useridd) stopped
responding due to buffer overflow. |
PAN-178615 | Fixed an issue where restarting the management
server created an invalid reference in the device server, which
caused subsequent commits to fail. |
PAN-177981 | (PA-5450 firewalls only) Fixed
an issue where High Speed Log Forwarding was
enabled when attempting to view local logs. |
PAN-177956 | Fixed an issue where the CLI output of show location ip <ip address> returned
unknown. |
PAN-177907 | Fixed an issue where, after rebooting the
firewall, FQDN address objects referred in rules in a virtual system
(vsys) did not resolve when the vsys used a custom DNS proxy. |
PAN-177878 | Fixed an issue where a role-based admin
with Operational Requests enabled under the
XML API section was unable to set the License Deactivation API key. |
PAN-177874 | Fixed an issue where a process (devsrvr) stopped
responding due to an unexpected returned value. |
PAN-177626 | Fixed an issue where aggressive situations
caused on-chip descriptor exhaustion. |
PAN-177551 | A fix was made to address a vulnerability
that enabled an authenticated network-based administrator to upload
a specifically created configuration that disrupted system processes
and was able to execute arbitrary code with root privileges when
the configuration was committed (CVE-2022-0024). |
PAN-177363 | Fixed an issue where, when system logs and
configuration logs on a dedicated log detector system were forwarded
to a Panorama management server in Management Only mode, the logs
were not ingested and were dropped. This caused the dedicated log
detector system to not be viewable on a Panorama appliance in Management
Only mode. |
PAN-177351 | Fixed an issue where configurations failed
when downgrading from PAN-OS 10.1.1 and later versions to PAN-OS
10.0.0 using the autosaveconfig.xml file. |
PAN-177187 | Fixed an issue where reports using the decryption
summary database and Panorama as data sources returned no results. |
PAN-177170 | Fixed an issue on Panorama where a log collector
group commit deleted the proxy settings configured on dedicated
log collectors. |
PAN-177072 | Fixed an intermittent issue where Panorama
did not show new logs from firewalls. |
PAN-177060 | Fixed an issue where, when the address object
in the parent device group was renamed, and the address object was
overridden in the child device group and called in a Security policy,
the object in the Security policy was renamed as well. |
PAN-177054 | Fixed an issue where, when you disabled
a NAT rule, the Destination Translation value none displayed
in blue and was still able to be modified to a different value. |
PAN-176997 | Fixed an issue where log collectors generated Failed to
check IoT content upgrade system logs even when no IoT
license was installed. |
PAN-176889 | Fixed an issue where the log collector continuously
disconnected from Panorama due to high latency and a high number
of packets in Send-Q. |
PAN-176746 | Fixed an intermittent issue where traffic
was lost when performing a failover in an HA active/passive setup. |
PAN-176376 | Fixed an issue where importing a firewall
configuration to Panorama failed if Import device's shared
objects into Panorama's shared context (device group specific objects
will be created if unique) was unchecked. |
PAN-176348 | Fixed an issue where scheduled email alerts
were not forwarded to all recipients in the override list. |
PAN-176280 | Fixed an intermittent issue on Panorama
where querying logs via the web interface or API did not return
results. |
PAN-176262 | Fixed an issue where the firewall didn't
resolve specific domain names with multiple nested Canonical Name
(CNAME) records when caching was enabled. |
PAN-176116 | Fixed an issue where the header did not
match the correct policy when IPv6 addresses were set in XFF header. |
PAN-176032 | Fixed an issue where a process (authd)
stopped responding, which caused authentication to fail. |
PAN-176030 | Fixed an issue where alerts related to syslog
connections were not generated in the system logs. |
PAN-175717 | Fixed an issue where firewalls managed by a Panorama management
server entered maintenance mode if: |
PAN-175716 | Fixed an issue where sorting address groups
by name, address, or location did not work on a device group that
was part of a nested device group. |
PAN-175628 | (PA-5200 Series firewalls only)
Fixed an issue where the firewall was unable to monitor AUX1 and
AUX2 interfaces through SNMP. |
PAN-175570 | Fixed an issue where log forwarding profiles
did not show up in the dropdown under Zones. |
PAN-175509 | Fixed an issue where a deadlock on CONFIG_LOCK caused
both the web interface and CLI commands to time out until the mgmtsrvr process
was restarted. |
PAN-175403 | (VM-Series firewalls only) Fixed
an issue where the firewall did not display any logs except for
system logs. |
PAN-175399 | Fixed an issue where enabling Use proxy to fetch logs from Strata Logging Service caused Panorama to not show logs when
queried. |
PAN-175307 | Fixed an issue where Panorama commits were
slower than expected and the configd process stopped
responding due to a memory leak. |
PAN-175259 | Fixed an issue where a Security policy configured
with App-ID and set to web-browsing and application-default
service allowed clear-text web-browsing on tcp/443. |
PAN-175161 | Fixed an issue where changing SSL connection
validation settings for system logs caused the mgmtsrvr process
to stop responding. |
PAN-175141 | Fixed an intermittent issue where IP address-to-username mappings
were not created on a redistribution client if a logout and login message
shared the same timestamp. |
PAN-174998 | (M-200 and M-500 appliances only)
Fixed a capacity issue that was caused by high operational activity
and large configurations. This fix increases the virtual memory
limit on the configd process to 32GB. |
PAN-174894 | Fixed an issue where, when the TTL value
for symmetric MAC entries wasn't updated to other dataplanes and
HA peers, timeouts occurred for traffic using policy-based forwarding
(PBF) with symmetric returns. |
PAN-174864 | Fixed an issue on the Panorama interface
where Deploying Master Key to low-end devices resulted
in a Failed to communicate message, even
when the new master key was updated on the end device. This issue
occurred because a master key deployment had insufficient time to
process due to a connection timeout. |
PAN-174709 | Fixed an OOM condition that occurred due
to multiple parallel jobs being created by the scheduled log export
feature. |
PAN-174680 | Fixed an issue where, when adding new configurations,
Panorama didn't display a list of suggested template variables when
typing in a relevant field. |
PAN-174607 | Fixed an intermittent issue where, when
Security profiles were attached to a policy, files that were downloaded
across TLS sessions decrypted by the firewall were malformed. |
PAN-174604 | Fixed an issue where the email subject of
scheduled reports was enclosed in single quotation marks. |
PAN-174564 | (VM-Series firewalls on a Kernel-based
Virtual Machine (KVM) running on Proxmox Hypervisor only) Fixed
an issue where SSH traffic was identified as unknown-TCP. |
PAN-174347 | Fixed an issue where sequence numbers were
calculated incorrectly for traffic that was subject to Session Initiation
Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear
Text Proxy was disabled. |
PAN-174011 | Fixed an issue where Panorama failed to
update shared policies during partial commits when a new device
group was created but not yet committed. |
PAN-173893 | Fixed a memory leak issue related to the useridd
process that occurred when group mapping was enabled. |
PAN-173753 | Fixed an issue where a bar or point on a Network Monitor graph
had to be clicked more than once to properly redirect to the corresponding
ACC report. |
PAN-173689 | Fixed an issue where the dataplane restarted
due to running out of memory in the policy cache. |
PAN-173545 | Fixed an issue where exporting a device
summary to CSV failed and displayed the following error message: Error while exporting. |
PAN-173509 | Fixed an issue where Superuser administrators
with read-only privileges (Device > Administrators and
Panorama > Administrators) were unable to view the hardware
ACL blocking setting and duration in the CLI using the following commands:
|
PAN-173267 | Fixed an issue where log queries on Panorama
appliances returned with no output and the error message Schema file does not exist displayed
in the reported process log. |
PAN-173179 | Fixed an issue where the rem_addr field
in Terminal Access Controller Access-Control System (TACACS+) authentication
displayed the management or service route IP address of the firewall
instead of the source IP address of the user. |
PAN-172837 | Fixed an intermittent issue where the firewall
didn't generate block URL logs for URLs even though the websites
were blocked in the client device. |
PAN-172748 | (VM-Series firewalls only) Fixed
an issue where a process (all_task) stopped responding. |
PAN-172404 | Fixed an issue where the semicolon (;)
was not recognized as a token separator in regex matching for URL
categories, even though it is mentioned in the documentation. |
PAN-172396 | Fixed a memory leak issue related to the useridd process. |
PAN-172316 | Fixed an issue where the internal interface
flow control caused the monitoring process to incorrectly determine
the interface to be malfunctioning. |
PAN-172295 | Fixed an issue where a HIP database cache
loop caused high CPU utilization on a process (useridd)
and caused IP address-to-user mapping redistribution failure. |
PAN-172243 | Fixed an issue where NetFlow traffic triggered
a packet buffer leak. |
PAN-172056 | (VM-Series firewalls only) The
logging rate limit was improved to prevent log loss. |
PAN-171869 | Fixed an issue where HIP profile objects
in security policies and authentication policies were still visible
in the CLI even after replacing them with source HIP and destination
HIP objects. |
PAN-171367 | Fixed an issue in active/active HA configurations
where sessions disconnected during an upgrade from a PAN-OS 9.0
release to a PAN-OS 9.1 release. |
PAN-171345 | Fixed an issue where firewalls experienced
high packet descriptor usage due to internal communication associated
with WildFire. |
PAN-171181 | Fixed an issue where the IPSec tunnel configuration
didn't load when a double quotation mark was added to the comment
section of the IPSec tunnel General tab. |
PAN-170952 | Fixed script issues that caused diagnostic
data to not be collected after path monitor failure. |
PAN-170595 | Fixed an issue with Content and Threat Detection
where traffic patterns created a bus error, which caused the all_pktproc process
to stop responding and the dataplane to restart. |
PAN-170297 | Fixed an issue where ACC > Threat activity
did not include the threat name after upgrading to a PAN-OS 10.0
release. |
PAN-169917 | Fixed an issue on Panorama where AUX interface
IP addresses did not populate when configuring service routes. |
PAN-169796 | Fixed an issue where the high availability
path group destination IP address was removed after pushing a PAN-OS
10 release template from Panorama to a firewall running a PAN-OS
9 release. |
PAN-169433 | Fixed an issue on Panorama where clicking Run Now for
a custom report with 32 or more filters in the Query Builder returned
the following message: No matching records. |
PAN-168921 | Fixed an issue on firewalls in HA active/active
configurations where traffic with complete packets showed up as
incomplete and was disconnected due to a non-session owner closing
the session prematurely. |
PAN-168890 | A CLI command was added to address an issue
where a configured proxy server for a service route was automatically
applied to the email server service route. |
PAN-168662 | Fixed an issue on Panorama where multiple
copies of logs were displayed for a single session. |
PAN-168635 | Fixed an issue on the firewall where, when
attempting to change the master key, the existing master key was
not validated first. As a result, all firewall keys were corrupted. |
PAN-168286 | Fixed a memory leak issue in the mgmtsrvr process
that was caused by failed commit all operations. |
PAN-168189 | Fixed an issue where, even when there was
active multicast traffic, the firewall sent Protocol Independent
Multicast (PIM) prune messages. |
PAN-167858 | Fixed an issue where a DNS Security inspection
identified a TCP DNS request that had two requests in one segment
as a malformed packet and dropped the packet. |
PAN-167259 | Fixed an issue where, after manually uploading
WildFire images, the dropdown did not display any available files
to choose from. |
PAN-166368 | Fixed an issue on Panorama where long FQDN
queries did not resolve due to the character limit being 64 characters. |
PAN-165147 | Fixed an issue where, when there was a high
volume of traffic for sessions with Application Block
Pages enabled, other regular packets were dropped. |
PAN-164871 | (VM-Series firewalls only) Fixed
an intermittent issue where deactivating the firewall via XML API
using manual mode failed. This occurred because the size of the
license token file was incorrect. |
PAN-164631 | Fixed an issue where the stats
dump report was empty. |
PAN-163831 | Fixed an issue where IPv6 addresses were
displayed instead of IPv4 in custom reports. |
PAN-163245 | Fixed an issue where a commit-all or push
to the firewall from Panorama failed with the following error message: client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate. |
PAN-162047 | (Firewalls in HA active/passive configurations
only) Fixed a routing table mis-sync issue where routes were
missing on the passive firewall when GRE tunnels with keepalives
were configured. |
PAN-161297 | Fixed an interoperability issue with other
vendors when IKEv2 used SHA2-based certificate authentication. |
PAN-161111 | Fixed an issue where TLS 1.3 Forward Proxy
Decryption failed with a malloc failure error. This issue was caused
by the server certificate being very large. |
PAN-161031 | Fixed an issue where authentication via
LDAP server failed in FIPS-CC mode when the LDAP server profile
was configured with the root certificate chain and Verify
server certificate for SSL sessions options enabled. |
PAN-159835 | Fixed an issue where, after an upgrade,
the following error message was displayed: Not enough space to load content to SHM. |
PAN-158639 | Fixed an issue on Panorama where logs that
were forwarded to a collector group did not appear, and the log
collector displayed the following error message: es.init-status not ready in logjobq. |
PAN-158541 | Fixed an OOM condition on the dataplane
on FIPS-mode firewall decryption that used DHE ciphers. |
PAN-158369 | Fixed an issue where applications did not
work via the Clientless VPN when they were configured on a VLAN
interface. |
PAN-156289 | Fixed an issue where the default severities
for Content Update errors were inaccurate. |
PAN-151692 | Fixed a permission issue where a Panorama
administrator was unable to download or install dynamic updates
(Panorama > Device Deployment). |
PAN-151302 | (PA-7000 Series firewalls with LFCs
only) Fixed an issue where the logging rate for the LFC was
not displayed in Panorama > Managed Devices > Health. |
PAN-146734 | Fixed an issue where, when a Panorama-pushed
configuration was referenced in a local configuration, commits failed
after updating the master key on the firewall, which resulted in
the following error message: Invalid candidate configuration. Master key change aborted.... |
PAN-145833 | (PA-3200 Series firewalls only)
Fixed an issue where the firewall stopped recording dataplane diagnostic
data in dp-monitor.log after a few hours of uptime. |
PAN-141454 | Fixed an issue where the output of the CLI
command show running resource-monitor ingress-backlogs displayed
an incorrect total utilization value. |