PAN-OS 11.1.10-h4 Addressed Issues
PAN-OS® 11.1.10-h4 addressed issues.
| Issue ID | Description |
|---|---|
| PAN-298241 | Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool. |
| PAN-296992 | Fixed an issue where Panorama managed firewalls with no defined log collector group continually attempted to establish a logging connection to Panorama, which resulted in excessive system log messages. |
| PAN-296519 | Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection. |
| PAN-295644 | Fixed an issue where Cloud Data Lake (CDL) log forwarding streams intermittently displayed as inactive. |
| PAN-295385 | Fixed an issue where syslog forwarding dropped due to FQDN resolution failures. |
| PAN-295342 | Fixed an issue where the `pan_comm` process stopped responding due to insufficient time allocated to read file descriptors when processing long messages. |
| PAN-295049 | Fixed an issue where the `logrcvr` process stopped responding due to memory allocation errors during Redis communication. |
| PAN-294488 | Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs. |
| PAN-294436 | Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0. |
| PAN-294179 | Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh. |
| PAN-293985 | (Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys. |
| PAN-293842 | Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface. |
| PAN-293673 | Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server. |
| PAN-293511 | Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures. |
| PAN-292242 | Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity. |
| PAN-292228 | Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message `flow-basic error; packet dropped, tunnel resolution failure`. |
| PAN-292202 | Fixed an issue where the system logs repeatedly displayed the alert `Clearing snmpd.log due to log overflow` due to the SNMP counters rolling over. |
| PAN-291940 | Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time. |
| PAN-291792 | (PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses. |
| PAN-291785 | Fixed an issue where the `all_task` process stopped responding. |
| PAN-291631 | (VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted. |
| PAN-291456 | Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration. |
| PAN-290919 | (VM-Series firewalls only) Fixed an issue where file download speeds and performance were slower than expected for Prisma Access mobile users when SSL decryption was enabled. To use this fix, run the CLI command `debug dataplane set ssl-decrypt fptcp-rto min <100-500>`. |
| PAN-290691 | Added the CLI command `set system setting ctd h323_rtp_predict timeout` to increase the maximum timeout limit from 3600 seconds to 65535 seconds. |
| PAN-290449 | Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed. |
| PAN-289803 | Fixed an issue on the firewall where AIOps and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present. |
| PAN-289406 | Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall. |
| PAN-289383 | Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings. |
| PAN-289226 | (Firewalls in HA active/passive configurations only) Fixed an issue where the firewalls experienced high dataplane CPU use when NAT64 was enabled. This occurred due to NAT64 traffic not being offloaded and unnecessary HA session updates being sent for every NAT64 packet. |
| PAN-289109 | Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock timeout occurred during a commit. |
| PAN-288988 | Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank. |
| PAN-288432 | Fixed an issue where, when Advanced Routing Engine was enabled on firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance. |
| PAN-287842 | Fixed an issue where the `comm` process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1. |
| PAN-287688 | Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT. |
| PAN-287611 | Fixed an issue where, after upgrading, the firewall incorrectly calculated the UDP checksum for RTP traffic after NAT and Security policy application, which led to dropped packets and silent calls in applications. |
| PAN-287601 | Fixed an issue on Panorama where commits took longer than expected. |
| PAN-287154 | Fixed an issue on the firewall where the `show advanced-routing bgp loc-rib-detail` CLI command incorrectly displayed `no BGP route` when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details. |
| PAN-286931 | Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS. |
| PAN-286899 | Fixed an issue where the `device-group-tags` CLI command used an unnecessary configuration read lock. |
| PAN-286615 | Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled. |
| PAN-286299 | Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tabs became read-only. |
| PAN-286231 | Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down. |
| PAN-285436 | Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device configuration import operation, which caused the imported configuration to not be included in the pushed configuration. |
| PAN-265111 | Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter. |
| PAN-260827 | Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput. |
| PAN-251035 | Fixed an issue where selective push operations did not push certificate changes to the firewall. |
| PAN-284283 | Fixed an issue on Palo Alto Networks firewalls running PAN-OS 11.1.6 where the CLI command `traceroute ipv4 yes host <host>` failed with a `missing argument` error message. |
| PAN-284117 | (Panorama appliances in Log Collector mode only) Fixed an issue where the `vm_agent` process restarted after an upgrade. |
| PAN-282854 | Fixed an issue where the Elasticsearch cluster did not start after deploying dedicated log collectors in a multi-collector environment. |
| PAN-282578 | Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses. |
| PAN-281721 | Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits. |
| PAN-281488 | Fixed an issue where searching configuration logs for an `audit_uuid` did not return a result if the rule was created with a clone operation. |
| PAN-281096 | Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to `all`, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down. |
| PAN-279901 | Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP. |
| PAN-279829 | Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules. |
| PAN-279690 | Fixed an issue where the `all_pktproc` process stopped responding, which caused the firewall to unexpectedly restart. |
| PAN-279415 | Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured. |
| PAN-279366 | Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands. |
| PAN-277178 | Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used. To use this fix, delete the original shared object after cloning it to a device group with the same name. |
| PAN-275272 | Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred. |
| PAN-274064 | Fixed an issue on Panorama where the `request batch license info` CLI command displayed entries for devices that were no longer attached to Panorama. |
| PAN-271545 | Fixed an issue where, when the zone protection option `anycast-source` was enabled, IPv6 traffic with an interface ID of 0 was dropped even if the subnet was not locally configured on the firewall. |
| PAN-269659 | Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096. |
| PAN-268522 | Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4. |
| PAN-268002 | Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection. |
| PAN-267330 | Fixed an issue where the firewall dropped inbound RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command `set system setting ctd h323_rtp_predict timeout <120-3600>` to increase the timeout limit. |
| PAN-262599 | Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a `CONFIG_UPDATE_START` error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured. |
| PAN-262521 | Fixed an issue where imported certificates were not visible on firewalls with multi-vsys disabled. |
| PAN-257362 | Fixed an issue where GlobalProtect traffic destined for the internet did not follow the path-based forwarding (PBF) rule and was sent out the wrong interface. |
| PAN-255860 | (PA-5200 firewalls only) Fixed an issue where the `all_pktproc` process stopped responding when the firewall was under a heavy traffic load. |
| PAN-201825 | Fixed an issue where firewalls did not use the Application Command and Response (ACR) functionality for cloud management, which caused connections to cloud management to drop after a commit. |
| PAN-174038 | Fixed an issue with firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused an issue where IPSec tunnel traffic from the gateway to the client dropped intermittently. |