PAN-OS 10.1.9 Addressed Issues

PAN-OS® 10.1.9 addressed issues.
Issue ID
Description
WIF-707
Fixed an issue where, when connections from the firewall to the cloud took longer than expected, the connection timed out. With this fix, the timeout was extended to accommodate slower networks.
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Cortex Data Lake with the error message
send the file to CDL receiver failed
.
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
PAN-209226
Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.
PAN-209036
Fixed an issue where the dataplane restarted, which led to slot failures occurring and a core file being generated.
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
PAN-208711
(
PA-5200 Series firewalls only
)The CLI command
debug dataplane set pow no-desched yes/no
was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
PAN-208537
Fixed an issue where the
licensed-device-capacity
was reduced when multiple device management license key files were present.
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
PAN-208037
Fixed an issue where NAT64 traffic using the reserved prefix
64:ff9b::/96
was incorrectly dropped when
strict-ip-check
was enabled under zone protection.
PAN-207983
Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.
PAN-207940
Fixed an issue where platforms with RAID disk checks were performed weekly, which caused logs to incorrectly state that RAID was rebuilding.
PAN-207891
Fixed an issue on Panorama where log migration did not complete after an upgrade.
PAN-207738
Fixed an issue where the
ocsp-next-update-time
CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
PAN-207623
Fixed an issue on Panorama where log migration did not complete as expected.
PAN-207610
(
PA-5200 Series and PA-7000 Series firewalls only
) Fixed an issue where
Log Admin Activity
was not visible on the web interface.
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
PAN-207260
Fixed an issue where commit operations performed by a Device Group and Template administrator reverted the passwords of other users in the same role.
PAN-207045
(
PA-800 Series firewalls only
) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
PAN-206755
Fixed an issue when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.
PAN-206684
(
PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only
) Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0 release to a PAN-OS 10.1 release, the firewall did not duplicate logs to local log collectors or to Cortex Data Lake when a device certificate was already installed.
PAN-206658
Fixed a timeout issue in the Intel
ixgbe
driver that resulted in internal path monitoring failure.
PAN-206629
(
VM-Series firewalls in AWS environments only
) Fixed an issue where a newly bootstrapped firewalls did not forward logs to Panorama.
PAN-206393
(
PA-5280 firewalls only
) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
PAN-206251
(
PA-7000 Series firewalls with LFCs only
) Fixed an issue where the logrcvr process did not send the
system-start
SNMP trap during startup.
PAN-206243
(
PA-220 firewalls only
) Fixed an issue where the firewall reached the maximum disk usage capacity repeatedly in one day.
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
PAN-206077
Fixed an issue on firewalls in active/active high availability (HA) configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.
PAN-206017
Fixed an issue where the
show dos-protection rule
command displayed a character limit error.
PAN-205877
(
PA-5450 firewalls only
) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
PAN-205805
Fixed an issue where Generic routing encapsulation (GRE) traffic was only allowed in one direction when tunnel content inspection (TCI) was enabled.
PAN-205729
(
PA-3200 Series and PA-7000 Series firewalls only
) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
PAN-205222
Fixed an issue where you were unable to add a new application in a selected policy rule.
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs (
Monitor > Logs > <logtype>
).
PAN-205123
Fixed an issue where the pan_task process stopped responding due to a timing issue during ECDSA processing.
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
PAN-205030
Fixed an issue where, when a session hit policy based forwarding with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
PAN-204952
Fixed an issue where the GlobalProtect portal continued to generate new authentication cookies even when a user had already authenticated with a valid cookie.
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error
504 Gateway Not Reachable
due to the mgmtsrvr process not responding.
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
PAN-204582
Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
PAN-204575
(
PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only
) Fixed an issue where the firewall did not forward logs to the log collector.
PAN-204482
Fixed an issue where searching threat logs (
Monitor > Logs > Threat
) using the
partial hash
parameter did not work, which resulted in an invalid operator error.
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
PAN-204271
Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.
PAN-204238
Fixed an issue where, when
View Rulebase as Groups
was enabled, the
Tags
field did not display a scroll down arrow for navigation.
PAN-204216
Fixed an issue where URL categorization failed and the firewall displayed the URL category as
not-resolved
for all traffic and the following error message was displayed in the device server logs
Error(43): A libcurl function was given a bad argument
.
PAN-204118
Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
PAN-203984
Fixed an issue where the logrcvr process restarted after the firewall was power cycled or rebooted.
PAN-203964
(
Firewalls in FIPS-CC mode only
) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message
FIPS-CC failure. Image File Authentication Error
.
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
PAN-203796
Fixed an issue where legitimate syn+ack packets were dropped after an invalid syn+ack packet was ingressed.
PAN-203681
(
Panorama appliances in FIPS-CC mode only
) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
PAN-203618
Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.
PAN-203563
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a
CUSTOM_UPDATE_BLOCK
error message.
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
PAN-203430
Fixed an issue where, when the User-ID agent had
collector name/secret
configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
PAN-203362
Fixed an issue where the rasmgr process restarted due to a null reference.
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
PAN-203320
Fixed an issue where configuring the firewall to connect with Panorama using an auth key and creating the auth key without adding the managed firewall to Panorama first, the auth key was incorrectly decreased incrementally.
PAN-203244
Fixed a path monitoring issue that caused traffic degradation.
PAN-203147
(
Firewalls in FIPS-CC mode only
) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
PAN-202918
Fixed an issue where processing route-table entries did not work as expected.
PAN-202722
Fixed an issue where the factor completion time for login events learned through XML API displayed as
1969/21/31 19:00:00
.
PAN-202593
Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
PAN-202339
(
VM-Series firewalls on Amazon Web Services (AWS) only
) Fixed an issue where the firewall displayed reduced throughput of SSL traffic.
PAN-202295
Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.
PAN-202282
Fixed an issue where stats dump files did not display all necessary reports.
PAN-202264
(
VM-Series firewalls only
) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
PAN-202247
Fixed an issue with firewalls in HA configurations where the firewall dropped IKE SA connections if the peer firewall received an
INVALID_SPI
message. This occurred even though no IKE SA was associated with the SPI in the received
INVALID-SPI
payload.
PAN-202208
Fixed an issue where high CPU was experienced when requests from the dataplane to the management plane for username and User ID timed out.
PAN-202194
Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.
PAN-202140
Fixed an issue where the comm process stopped responding due to an OOM condition.
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
PAN-202040
(
PA-220 firewalls only
) Fixed an issue where ECDSA fingerprints were not displayed.
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
PAN-201954
Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had
device_tags
selected in the target section.
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
PAN-201701
Fixed an issue where the firewall generated system log alerts if the raid for a system or log disk was corrupted.
PAN-201639
Fixed an issue with Saas Application Usage reports where
Applications with Risky Characteristics
displayed only two applications per section.
PAN-201632
Fixed an issue where the all_task stopped responding with a segmentation fault due to an invalid interface port.
PAN-201587
Fixed an issue where the
App Pcaps
directory size was incorrectly detected which caused commit errors.
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
PAN-201360
Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.
PAN-201189
Added the
max-kb
filter for the
show session info
CLI command to troubleshoot instances when the firewall went down due to software packet buffer depletion.
PAN-201136
Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
PAN-200845
(
M-600 Appliances in Management-only mode only
) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
PAN-200822
Fixed an issue where reports were not generated in the
docm
file type.
PAN-200775
(
VM-Series firewalls only Microsoft Azure environments only
) Fixed an issue where negotiation and speed were not displayed on Ethernet interfaces.
PAN-200463
Fixed an issue where disabling
strict-username-check
did not apply to admin users authenticating with SAML.
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
PAN-200116
Fixed an issue where Elasticsearch displayed
RED
due to frequent tunnel check failures between HA clusters.
PAN-200102
Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.
PAN-200095
Fixed an issue where Panorama troubleshooting tests for log collector connectivity did not return results from log collectors running PAN-OS 10.1 releases.
PAN-200035
Fixed an issue where the firewall reported
General TLS Protocol Error
for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
PAN-199661
(
VM-Series firewalls in ESXI environments only
) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP Alerts. This occurred when the driver name was not compatible with new DPDK versions.
PAN-199612
Fixed a sync issue with firewalls in active/active HA configurations.
PAN-199500
Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.
PAN-199410
Fixed an issue where system logs for syslog activities were categorized as
general
under
Type
and
EVENT
columns.
PAN-199214
Fixed an intermittent issue where downloading
threat pcap
via XML API failed with the following error message:
/opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist
.
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
PAN-199052
(
PA-800 Series firewalls only
) Fixed an issue where commit operations took longer than expected. This fix improves the completion time for commit operations.
PAN-198920
Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.
PAN-198889
Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 device and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.
PAN-198718
(
PA-5280 firewalls only
) Fixed an issue where memory allocation failures caused increased decryption failures.
PAN-198691
Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where
/php/login.php
performance was slow when large amounts of traffic were being processed.
PAN-198575
Fixed an issue where data did not load when filtering by
Threat Name
(
ACC > Threat Activity
).
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
PAN-198187
Fixed an issue where system logs (
Monitor > System
) did not display the commit description after performing a commit and push to multiple device groups from Panorama.
PAN-198174
Fixed an issue where, when viewing traffic or threat logs from the
Application Command Center
(ACC) or
Monitor
tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.
PAN-198050
Fixed an issue where
Connection to update server is successful
messages displayed even when connections failed.
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
PAN-197953
Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.
PAN-197935
Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.
PAN-197919
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
PAN-197877
Fixed an intermittent issue on Panorama where the distributord process stopped responding.
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
PAN-197859
Fixed an issue where firewalls running LSVPN with tunnel monitoring enabled where, after an upgrade to PAN-OS 9.1.14 or a later PAN-OS release, LSVPN tunnels flapped.
PAN-197847
Fixed an issue where disabling the
enc-algo-aes-128-gcm
cipher did not work when using an SSL/TLS profile.
PAN-197737
Fixed an issue where the connection to the PAN-DB server failed with following error message:
Failed to send req type[3], curl error: Couldn't resolve host name
.
PAN-197729
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
PAN-197678
Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.
PAN-197649
Fixed an issue where failure logs for slot restarts caused by internal path monitoring contained no debug logs.
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
PAN-197426
Fixed an issue on Panorama where, when attempting to view the
Monitor page
, the error
invalid term
was displayed.
PAN-197383
Fixed an issue where, after upgrading to PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after ever every reboot.
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
PAN-197219
Fixed an issue where the following error message was not sent from multi-factor authentication PingID and did not display in the browser:
Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key:<key>. To connect, type "ok"
.
PAN-197203
Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.
PAN-197121
Fixed an issue where incorrect user details were displayed under the
USER DETAIL
drop-down (
ACC > Network activity > User activity
).
PAN-197097
Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.
PAN-196954
Fixed a memory leak issue related to the distributord process.
PAN-196895
Fixed a timing issue with updating the cache when upgrading from a PAN-OS 10.0 release to a PAN-OS 10.1 release.
PAN-196874
Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.
PAN-196811
Fixed an issue where logout events without a username caused high CPU usage.
PAN-196701
Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.
PAN-196566
Fixed an issue where the useridd process restarted repeatedly which let to an OOM condition.
PAN-196559
Fixed an issue where LSVPN satellites continued to allow connections even when the certificate was revoked, the serial number was removed from the GlobalProtect portal, and the satellite was disconnected from the gateway.
PAN-196474
Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect
ERR_TIME_OUT
message instead of an
ERR_CONNECTION_RESET
message.
PAN-196467
Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.
PAN-196457
Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.
PAN-196452
Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.
PAN-196410
Fixed an issue where you were unable to customize the risk value in
Risk-of-app
.
PAN-196404
Fixed an issue where the firewall did not forward IPSec decrypted traffic to a third-party security chain device when the network packet broker feature was enabled.
PAN-196398
(
PA-7000 Series firewalls with Switch Management Cards (SMC-B) only
) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
PAN-196309
(
PA-5450 firewalls only
) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
PAN-196261
Fixed an issue where
inter-lc disconnected
messages were logged once every minute.
PAN-196124
Fixed an issue where the log_index process ignored healthy logs and caused system logs to go missing.
PAN-196105
Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.
PAN-196050
Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.
PAN-196001
Fixed an issue where the devsrvr process stopped responding, which caused FQDN objects to not resolve, and, as a result, caused traffic to hit the incorrect Security policy rule.
PAN-195869
Fixed an issue where scheduled custom reports based on firewall data did not display any information.
PAN-195828
Fixed an issue where SNMP reported the
panVsysActiveTcpCps
and
panVsysActiveUdpCps
value to be 0.
PAN-195792
Fixed an issue where, when generating a stats dump file for a managed device from Panorama (
Panorama > Support > Stats Dump File
), the file did not display any data.
PAN-195790
Fixed an issue where syslog traffic that was sent from the management interface to the syslog server even when a destination IP address service route was configured.
PAN-195689
Fixed an issue where WildFire submission logs did not load on the firewall web interface.
PAN-195669
Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated
CMS Redistribution Client is connected to global collector
messages.
PAN-195583
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error
object name is not an allowed keyword
.
PAN-195526
Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.
PAN-195374
(
Firewalls in active/passive HA configurations only
) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.
PAN-195254
(
PA-7000 Series firewalls only
) Fixed an issue where log queries from an M-Series Panorama appliance or Panorama virtual appliance in Management Only mode to the firewall failed after updating the firewall to a PAN-OS 10.1 release.
PAN-195201
Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.
PAN-195200
Fixed an issue where Panorama did not attach and email scheduled reports (
Monitor
PDF
Reports
Email Scheduler
) when the size of the email attachments was large.
PAN-195114
Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.
PAN-195064
Fixed an issue where the log collector did not forward correlation logs to the syslog server.
PAN-194912
Fixed an issue where the CLI command
show applications list
did not return any outputs.
PAN-194812
Fixed an issue where generating reports via XML API failed when the serial number was set as
target
in the query.
PAN-194744
Fixed an issue with log corruption, which caused te log_index process to continually restart.
PAN-194737
Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.
PAN-194588
(
PA-7000 Series firewalls with LFCs, PA-7050 firewalls with SMC-Bs, and PA-7080 firewalls only
) Fixed an issue where the
logrcvr_statistics
output was not recorded in mp-monitor.log.
PAN-194456
Fixed an issue where the sysd process disconnected from the pan_dha process after an HA failover or reboot.
PAN-194175
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and
Share Unused Address and Service Objects with Devices
was unchecked.
PAN-194093
Fixed an issue on the firewall where the dataplane unexpectedly restarted due to an issue with the all_pktproc process.
PAN-194092
Added a debug command to address an issue where adding a new log collector to an existing collector group, the ACL was updated for the new log collector but not the existing ones.
PAN-194068
(
PA-5200 Series firewalls only
) Fixed an issue where the firewall unexpectedly rebooted with the log message
Heartbeat failed previously
.
PAN-194043
Fixed an issue where
Managed Devices > Summary
did not reflect new tag values after an update.
PAN-194031
(
PA-220 Firewalls only
) Fixed an issue where system log configurations did not work as expected due to insufficient process timeout after a logrcvr process restart.
PAN-194025
Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.
PAN-193928
Fixed an intermittent issue where GlobalProtect logs were not visible under device groups (
Mobile_User_Device_Group
).
PAN-193831
Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.
PAN-193818
Fixed an issue where the firewall device server failed to resolve URL cloud FQDNs, which interrupted URL category lookup.
PAN-193808
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
PAN-193744
(
PA-3200 Series firewalls only
) Fixed an issue where, when the HA2 HSCI connection was down, the system log displayed
Port HA1-b: down
instead of
Port HSCI: Down
.
PAN-193733
(
Firewalls in multi-vsys environments only
) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.
PAN-193619
Fixed an issue where air gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.
PAN-193558
Fixed an issue where log retention settings
Multi Disk
did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.
PAN-193396
Fixed an issue where the source user name was displayed in traffic logs even when
Show User Names In Logs and Reports
was disabled for a custom admin role.
PAN-193323
Fixed an issue where root partition utilization reached 100% due to mdb old logs not being purged as expected.
PAN-193281
Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.
PAN-193245
Fixed an issue where, when using
syslog-ng
forwarding via SSL, with a Base Common Name (CN) and multiple Subject Alternative Names (SANs) were listed in the certificate.
PAN-193235
Fixed an issue where duplicate log entries were displayed on Panorama.
PAN-193043
Fixed an issue with the where firewalls in Google Cloud Platforms (GCP) inserted the hostname as
PA-VM
in the syslog header instead of the DHCP assigned hostname when logs were being sent to the syslog server.
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
PAN-192431
Fixed an issue where unmanaged tags were set to NULL, which caused unmanaged devices to match the HIP rule for managed devices. As a result, you were unable to distinguish between managed and unmanaged devices.
PAN-192296
Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the size of contents were shrinked and was smaller than expected.
PAN-192244
Fixed an issue where scheduled log export jobs continued to run even after being deleted.
PAN-192193
Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message:
Export Error, Error while exporting
PAN-192188
(
PA-5450 firewalls only
) Fixed an issue where the
show running resource-monitor ingress-backlogs
CLI command failed with the following error message:
Server error : Failed to intepret the DP response
.
PAN-192130
Fixed an issue where the GlobalProtect client remained in a connecting state when GlobalProtect Client VPN and SAML authentication were enabled.
PAN-192092
Fixed an issue with firewalls in active/passive configurations only where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.
PAN-192076
Fixed an issue where OpenSSL memory initialization caused unexpected failovers.
PAN-191997
Fixed an issue where log queries did not successfully filter the
unknown
category.
PAN-191845
Fixed an issue where the firewall used a locally configured DNS server instead of a DHCP provided one.
PAN-191652
Fixed an issue with Prisma Cloud where a commit push failed due to the error
Error: failed to handle TDB_UPDATE_BLOCK>
.
PAN-191463
Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.
PAN-191390
(
VM-Series firewalls only
) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.
PAN-191235
Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.
PAN-191048
Fixed an issue where Panorama did not push the password hash of the local admin password to managed WildFire appliances.
PAN-191032
Fixed an issue on Panorama where
Managed Devices
displayed
Unknown
.
PAN-190963
Fixed an issue on the firewall interface where
Log Collector Status > Device connectivity
displayed as
error
.
PAN-190533
Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the
neq
operator.
PAN-190454
Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under
shared location
.
PAN-190286
Fixed an issue in the web interface where non-superusers with administrator privileges were unable to see Log Processing Card (LPC) information.
PAN-190266
Fixed an issue that stopped the all_task process to stop responding at the
pan_sdwan_qualify_if_ini
function.
PAN-190055
(
VM-Series firewalls only
) Fixed an issue where the firewall did not follow the set Jumbo MTU value.
PAN-189960
Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.
PAN-189866
Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.
PAN-189804
Fixed an issue where editing Panorama settings within a template or template stack an authentication was required, but adding an authentication key displayed an error.
PAN-189783
Fixed an issue where container resource limits were not enforced for all processes when running inside a container.
PAN-189755
Fixed an issue where the snmpd stopped responding which caused SNMPv3 polling outages.
PAN-189723
Fixed an issue where you were unable to configure dynamic address groups to use more than 64,000 IP addresses in a Security policy rule.
PAN-189719
Fixed an issue on Panorama where
Test Server Connection
failed in an HTTP server profile with the following error message:
failed binding local connection end
.
PAN-189718
Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.
PAN-189518
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
PAN-189379
Fixed an issue where FQDN based Security policy rules did not match correctly.
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
PAN-189300
Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log
Failed to sync vm-auth-key
when a VM authentication key was generated on the active appliance.
PAN-189298
Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
PAN-189027
(
VM-Series firewalls in Microsoft Azure environments only
) Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect.
PAN-188933
Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.
PAN-188912
Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.
PAN-188602
Fixed an issue where the all_task process stopped responding, which caused IPSec tunnels to peers to go down.
PAN-188519
(
VM-Series firewalls only
) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.
PAN-188506
Fixed an issue where the
ctd_dns_malicious_fwd
counter incorrectly increased incrementally.
PAN-188348
Fixed an issue where encapsulating Security payload packets originating from the firewall were dropped when strict IP address check was enabled in a zone protection profile.
PAN-188291
Fixed an issue where, when using Global Find on the web interface to search for a given
Hostname Configuration (Device > Setup > Management)
, clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective
Template
field automatically.
PAN-188036
Fixed an issue where SIP TCP sequence numbers were calculated incorrectly when SIP cleartext proxy was disabled.
PAN-188035
(
Firewalls and Panorama appliances in FIPS mode only
) Fixed an issue where, even when region lists were disabled, the following error message was displayed:
Unable to retrieve region list either region list has not been set or data format is wrong
.
PAN-187985
Fixed an issue where you were unable to configure a QoS Profile as percentage for Clear Text Traffic.
PAN-187761
Fixed an issue where, during HA failover, the now passive firewall continued to pass traffic after the active firewall had already taken over.
PAN-187720
Fixed an issue where the firewall did not show master key validity information after the master key was updated and the firewall was restarted.
PAN-187476
Fixed an issue where, when HIP redistribution was enabled, Panorama did not display part of the HIP information.
PAN-187342
Fixed an issue where the
Schedules
button (
Device Deployment > Dynamic updates
) was grayed out for custom role-based admins.
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
PAN-187096
Fixed an issue where you were unable to sort through
Addresses
(
Device Group > Objects
).
PAN-186471
Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.
PAN-186447
Fixed an issue where
Health
(
Panorama > Managed Devices
) did not display environmental tabs and fan and power supply status was not visible.
PAN-186433
Fixed an intermittent issue where decryption failed for clients sending TLSv1.3 Client Hello and CCS in two separate packets instead of one.
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
PAN-185928
Fixed an issue where external dynamic list auto refresh did not work when destination service route was enabled.
PAN-185844
Fixed an issue where Decryption Log entries were associated with the wrong Security policy rule.
PAN-185611
(
PA-850 firewalls only
) Fixed an issue where the maximum number of aggregate interfaces was incorrectly set as 8 instead of 6.
PAN-185591
Fixed an issue where, in multi-vsys systems, some policy rules were unable to be edited due to the
Target
field being unclickable.
PAN-185466
Fixed an issue where WildFire submission did not work as expected.
PAN-185394
(
PA-7000 Series firewalls only
) Fixed an issue where not all changes to the template were reflected on the firewall.
PAN-185390
Fixed an issue where the
Block IP list
option was incorrectly displayed on firewalls where it was not applicable.
PAN-185283
Fixed an issue on Panorama where using the
name-of-threatid contains log4j
filter didn't produce expected results.
PAN-185276
Fixed an issue where a debug command displayed different
idmgr
digest results.
PAN-185249
Fixed an issue where
Template Stack
overrides (
Dynamic Updates
Apps & Threats
Schedule
) were not able to be reverted via the web interface.
PAN-185234
(
VM-Series firewalls on Microsoft Azure environments only
) Fixed an issue where, when accelerated networking was enabled, the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.
PAN-185200
Fixed an issue where the User-ID manager assigned an ID to an object with a
DELETE
command.
PAN-185135
(
VM-Series firewalls on Kernel-based Virtual Machine (KVM) only
) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.
PAN-184766
(
PA-5450 firewalls only
) Fixed an issue where the control packets for BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not assigned a QoS value of 5.
PAN-184744
Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.
PAN-184537
Fixed an issue where GlobalProtect requested for passwords that contained non ASCII characters (ö) to be reentered when refreshing the connection.
PAN-184408
Fixed an issue where commits pushed from Panorama to the firewall failed due to the application status for an application being incorrectly considered an invalid reference.
PAN-184181
Fixed an ESP encapsulation issue where, when IPv6 address proxy IDs were configured, encapsulation was handled incorrectly with a different proxy ID SPI in the same tunnel when the source IP address of the proxy was overlapped by the destination IP address.
PAN-183981
Fixed an issue on the firewall where, when the GlobalProtect portal was not configured, the GlobalProtect landing page was still loaded with the message
GlobalProtect portal does not exist
. This issue occurred when using the exact GlobalProtect portal link: https://x.x.x.x/global-protect/login.esp
PAN-183632
Fixed an issue where the firewall was unable to match HIP objects with code versions over 4 digits long.
PAN-183629
Fixed an issue where
Clientless-vpn max-users
displayed the limit as 20 instead of 200.
PAN-183524
Fixed an issue where GPRS tunneling protocol (GTPv2-c and GTP-U) traffic was identified with
insufficient-data
in the traffic logs.
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP header checksum was not dropped.
PAN-183319
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR singing requests every 10 minutes.
PAN-183287
Fixed an issue where firewall commits failed due to the commit-recovery connection check ending prematurely.
PAN-183154
Fixed an issue where DNS exception failed when DNS queries contained a capital letter.
PAN-183126
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
PAN-182876
Fixed an issue where GlobalProtect connections failed via XML when special characters (<), (&), and (>) were present in the GlobalProtect portal configuration passcode.
PAN-182845
Fixed an issue that caused devices to be removed from Panorama when one device was added by one user, but a Commit and Push operation was completed by a second user before the first user completed a Commit of the added device change.
PAN-182486
Fixed an issue on the web interface where the same IP address was displayed for sub interfaces in a multi-vsys firewall.
PAN-182449
Fixed an issue where Apple iPad users were unable to authenticate to the GlobalProtect portal using any browser, which resulted in Clientless VPN access issues.
PAN-182244
Fixed an issue where Session Initiation Protocol (SIP) REGISTER packets did not get transmitted when application-level gateway (ALG) and SIP Proxy were enabled, which caused a SIP-registration issue in environments where TCP retransmission occurred.
PAN-182167
Removed a duplicate save filter Icon in the Audit Comment Archive for Security Rule Audit Comments tab.
PAN-181968
(
PA-400 Series firewalls in active/passive HA configurations only
) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.
PAN-181684
Fixed an issue where cluster definition for OpenShift was not able to be added if a custom certificate was used for an API endpoint.
PAN-181376
Fixed an issue where the
show session id
CLI command displayed a negative packet count.
PAN-181366
Fixed an issue where the firewall sent an incorrect IP address on ICMP sessions in NetFlow packets when NAT was applied to the target traffic.
PAN-181334
Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.
PAN-181324
Fixed a memory issue related to the lpmgrd process that caused the firewall to enter a non-functional state.
PAN-181129
Improved protection against unexpected packets and error handling for traffic identified as SIP.
PAN-181034
Fixed an issue where, after changing the Decryption mirroring setting to
Forwarded only
in the decryption profile, Panorama did not save the setting.
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message
Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh
.
PAN-180690
Fixed an issue where the firewall dropped IPv6 Bi-Directional Forwarding (BFD) packets when IP Spoofing was enabled in a Zone Protection Profile.
PAN-180147
Fixed an issue where the
bcm.log
and
brdagent_stdout.log-<datestamp>
files filled up the root disk space.
PAN-180030
Fixed an issue where hyperlinks to threatvault for threat logs with DNS Security categories resulted in the following error message:
No data is found based on your search, please search for something else
.
PAN-179952
Fixed an issue on Panorama where not all categories were displayed under
Log settings
.
PAN-179826
Fixed an issue where the firewall incorrectly displayed the license error
IoT Security license is required for feature to function
even when the
IoT Security, Does not Require Data Lake
license was installed.
PAN-179636
Fixed an issue where Authentication Server logs for various connections (including LDAP and Radius Server) were not displayed in the syslog when connections were up.
PAN-179624
Fixed an issue where setting the password complexity to
Require Password Change on First Login
caused the user to be prompted with certificate authentication.
PAN-179506
(
VM-Series firewalls on Microsoft Azure environments only
) Fixed an issue where Panorama was unable to push software updates to the firewall.
PAN-179467
Fixed an issue where
Selective Audit
(
Device > Log settings
) options were visible to a group of admin users if the firewall was not in FIPS-CC mode.
PAN-179395
Fixed an issue where the firewall still populated the domain map even after clearing the domain map via the CLI after removing the group-mapping setting configuration.
PAN-179258
Fixed an issue where system disk migration failed.
PAN-179212
Fixed an issue where extraneous characters displayed at the end of a CSV report.
PAN-179152
Fixed an issue where partial commit failures did not display an error message.
PAN-178961
Fixed an issue where a process (authd) stopped responding due to incorrect context handling.
PAN-178959
Fixed an issue where configuring BGP to Aggregate with Suppress Filters using
From Peers
did not work as expected.
PAN-178951
Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.
PAN-178802
Increased the default virtual memory limit for the mgmtsrvr process from 3.2GB to 16GB.
PAN-178800
Fixed an issue where the reportd process stopped responding when URL Filtering Inline ML phishing logs were queried.
PAN-178728
Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.
PAN-178594
Fixed an issue where the descriptions of options under the
set syslogng ssl-conn-validation
CLI command were not accurate.
PAN-178407
Fixed an permissions issue where, when attempting to troubleshoot the syslog over TCP via the CLI, the following error message was displayed:
Error: "/var/log/pan/syslog-ng.log: Permission denied
.
PAN-178363
Fixed an issue where a process (mgmtsrvr) wasn't restarted after the virtual memory limit was exceeded.
PAN-178354
Fixed an issue where the error message
You do not have permission to reboot device
was incorrectly displayed to a TACAC user when attempting to install PAN-OS.
PAN-178349
Fixed an issue where log forwarding did not work when the filter size was more than 1,024 characters in the log forwarding profile.
PAN-178248
Fixed an issue where, when exporting the Applications list on PDF or CSV profile formats, the report displayed all tag values as undefined.
PAN-178186
Fixed a commit issue where, when replacing an old firewall with a new firewall using the serial number, the change to the serial number was not reflected in the Security policy rule.
PAN-177942
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
PAN-177939
Fixed an issue where a certificate without a private key was able to be added to an SSL/TLS Service Profile, which caused the l3svc process to stop responding.
PAN-177908
Fixed an issue where you were unable to configure
region
for source or destination IP addresses in a Security policy rule.
PAN-177891
Fixed an issue where group-mapping information was not automatically refreshed at the refresh interval when LDAP proxy was configured.
PAN-177853
Fixed an issue where the logd process on Panorama and the logrcvr process on the firewall stopped responding when a log forwarding profile had a filter that included the field
sender
and
subject
.
PAN-177562
Fixed an issue where PDF reports were not translated to the configured local language.
PAN-177201
Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.
PAN-177133
(
Firewalls in HA configurations only
) Fixed an issue where the HA1 heartbeat backup flapped with the following error message:
Unable to send icmp packet:(errno: 105) No buffer space available
.
PAN-176989
Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.
PAN-176471
Fixed an issue where adding applications without a description using XML API deleted the whole Panorama application list.
PAN-176461
Fixed an issue where a process (mdb) stopped responding after downgrading from a PAN-OS 9.1 release to an earlier release due to discrepancies in the mongodb process version.
Note
: To utilize this fix, first install a PAN-OS 9.0 release on the web interface, and then, prior to reboot, run the following CLI command:
debug mongo clear instance mdb
.
PAN-176379
Fixed an issue where, when multiple routers were configured under a Panorama template, you were only able to select its own virtual router for next hop.
PAN-175709
Fixed an issue where the dnsproxy process stopped responding when a DNS signature lookup request was received before the process was fully initialized.
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
PAN-175121
Fixed a rare issue where, when two nodes started IKE_SA negotiations at the same time, which resulted in duplicate IKE SAs.
PAN-175069
Fixed an issue where commits failed when the IPv6 link-local address was configured for BGP peering as local and peer address.
PAN-175061
Fixed an issue where filtering threat logs using any value under
THREAT ID/NAME
displayed the error
Invalid term
.
PAN-174988
(
PA-220 Series firewalls only
) Fixed an issue where the
runtime-state
parameter was missing in the CLI command
request high-availability sync-to-remote
.
PAN-174953
Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.
PAN-174821
(
PA-3220 firewalls only
) Fixed an issue where auto-negotiation was not disabled with force mode set to
ON
in the interface settings.
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
PAN-174702
Fixed an issue where Panorama pushed
share-unused
tagged objects to the firewall, which caused the device address object limit to be exceeded.
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
PAN-174592
Fixed an issue where the firewall did not check reserved fields in GTPv1 and GTPv2 headers as expected from the latest 3GPP Specifications.
PAN-174525
Fixed an issue where the sslvpn process restarted repeatedly.
PAN-174480
Fixed an issue where scheduled email reports were blocked by open-source content filters due to a violation of rfc2046.
PAN-174462
Fixed an issue where the configd process stopped responding when creating Application filters with tags and adding the filter to a Security policy rule.
PAN-174102
Fixed an issue where, when MLAV feature found malicious content, no action was applied even though it had increased the execution counters, displayed the score and verdict in the log, and showed no allow list hits,
PAN-174064
Fixed an issue where downloading a GlobalProtect data file did not work and displayed a
no global protect license
error even when a valid license was present.
PAN-174027
Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message:
Error: Duplicate address name.
.
PAN-173813
A debug command was added to disable automatic implicit tail matching, which was the default.
PAN-173810
Fixed an issue where the
debug user-id dump ts-agent user-ids
CLI command caused the useridd process to stop responding.
PAN-173437
Fixed an issue where the firewall did not detect that the management port was down the first time after booting up the system.
PAN-173207
Fixed an issue where radius authentication timed out when logging in due to the firewall sending authentication requests using a static IP address instead of a DCHP assigned IP address.
PAN-173080
Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.
PAN-173031
Fixed an issue where users were promted twice for DUO SAML Authentication when authentication override cookies were enabled.
PAN-172823
Fixed an issue where MD5 checksums were updated before the new customer EDLs were pushed to the dataplane.
PAN-172780
Fixed an issue where user domain override was not reset when deleted from group mapping.
PAN-172753
(
PA-7000 Series firewalls only
) Fixed an issue where link-local internal packet handling between the management plane and the dataplane caused an Network Processing Card (NPC) slot to go down.
PAN-172452
Fixed an issue where the log file did not include all logs.
PAN-172357
(
VM-Series firewalls in Oracle Cloud Infrastructure Government Cloud only
) Fixed an issue with firewalls in HA configurations where HA failover did not occur when firewalls were in FIPS mode.
PAN-172324
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
PAN-172308
Fixed an issue where generating packet captures did not work when the data filtering profile was configured to block HTML files via a POST request.
PAN-172100
Fixed an issue with URL filtering where, after upgrading to a PAN-OS 9.1 release, the
Continue
button on a URL did not work and caused the website to be inaccessible, even though the predefined category of URL was configured to continue traffic. This occurred when URL traffic hit a rule where the custom category was set to
None
.
PAN-171927
Fixed an issue where incorrect results were displayed when filtering logs in the
Monitor
tab.
PAN-171569
Fixed an issue where HIP matches were not recognized in an SSL decryption policy rule.
PAN-171337
Fixed an issue where connection per second (CPS) rates collected via SNMP were not correct.
PAN-171300
Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which caused the user to change their password when logging in to a firewall.
PAN-171066
Fixed an issue with GlobalProtect where cookie based authentication for Internal Gateway failed with the following error messages:
Invalid authentication cookie
and
Invalid User Name
.
PAN-170989
Fixed an issue with memory usage consumption related to the useridd process.
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (
Commit
on the firewall or
Commit All Changes
on Panorama) or an implicit comment such as an Antivirus update, Dynamic Update, or WildFire update.
Note
This issue persists for a network-related configuration and commit.
PAN-170798
Fixed an issue where OSPF flaps occurred when a Layer 3 interface IPv4 was changed from
DHCP Client
to
Static
.
PAN-170531
Fixed an issue where the web interface icons for service objects and service group objects were identical when used in a NAT policy rule.
PAN-169899
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
PAN-169674
(
Firewalls with Cavium Octeon processors only
) Fixed an issue where the
all_pktproc
process stopped responding when reassembling TCP packets.
PAN-169521
Fixed an issue where QoS tagging unexpectedly behaved differently at different stages of packet processing.
PAN-169456
Fixed an issue where, after renaming an authentication profile, system logs still showed the old profile name.
PAN-169308
Fixed a commit issue when comparing numbers of rules where the bucket size of the application dependency hash table was too small.
PAN-169122
Fixed an issue where medium priority correlation events were not generated when the
irc-base repeat
count value was greater than 10.
PAN-168514
Fixed an issue where authentication failed when the destination service route was used to reach the authentication server.
PAN-168480
Fixed an issue where the firewall did not switch to STP for multicast groups when IGMP receivers were stopped and restarted for the same set of groups within a short time period.
PAN-167918
Fixed an issue where the GlobalProtect pre-log on VPN failed to establish or match pre-log on policies due to the domain name being prepended to pre-log on user.
PAN-167850
Fixed an issue with firewalls in active/active HA configurations where IPSec packets were not forwarded to the HA peer owner of the tunnel, which caused packets to be dropped.
PAN-167805
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match predict session, which resulted in child sessions failing.
PAN-167087
Fixed an issue where the focus was not set on the free text field when requesting a token code on the Authentication Portal.
PAN-166686
Fixed an issue where EDNS responses dropped when the original request was DNS.
PAN-165951
(
PA-3020 firewalls only
) Fixed an issue on the firewall where disk space was not cleared when multiple image files were present.
PAN-163713
Fixed an issue where the alternate name was not getting copied to user-Fixed an issue where
user-attributes
for users in custom groups were incorrect, which caused username formats to not match the user.
PAN-163043
Fixed an issue where, when exporting logs via the CLI, only 65,535 rows were exported even when 1,000,000 rows were configured.
PAN-162088
(
Panorama appliances in HA configurations only$$
) Fixed an issue where content updates (
Panorama
Dynamic Updates
) manually uploaded to the active HA peer were not synchronized to the passive HA peer when you installed a content updated and enabled
Sync to HA peer
.
PAN-160419
Fixed an issue where the following error message displayed in the system log after restarting the firewall:
dns-signature initialization from file storage failed, start with empty cache
.
PAN-157710
Fixed an issue where admin users with custom roles were unable to create VLANs.
PAN-157199
(
PA-220 firewalls only
) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.
PAN-156700
Fixed an issue where DNS Security logs did not display threat names or IDs when the domain name contained an uppercase letter.
PAN-155902
Fixed an issue where the auto MTU value was incorrect, which caused unexpected latency issues for GlobalProtect users.
PAN-155467
(
VM-Series firewalls only
) Fixed an issue where IPSec decap dropped packets when NAT was configured locally on the firewall.
PAN-154892
Fixed an issue on the firewall where Real Time Streaming Protocol (RTSP) flows that were subjected to Dynamic IP and Port (DIPP) NAT were not supported by the Application Layer Gateway (ALG).
PAN-153308
Fixed an issue which caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
PAN-151273
Fixed an issue where the commit event was not recorded in the config logs during a
Commit and Push
on the Panorama management server.
PAN-123446
Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.
PAN-78762
Fixed an issue where you were unable to reset a VPN tunnel via the firewall web interface (
Network > IPSec Tunnels > Tunnel Info > Restart
).

Recommended For You