PAN-OS 11.1.6-h17 Addressed Issues
PAN-OS 11.1.6-h17 addressed issues.
| Issue ID | Description |
|---|---|
| PAN-298241 | Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool. |
| PAN-296519 | Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection. |
| PAN-295644 | Fixed an issue where Cloud Data Lake (CDL) log forwarding streams intermittently displayed as inactive. |
| PAN-295385 | Fixed an issue where syslog forwarding dropped due to FQDN resolution failures. |
| PAN-295342 | Fixed an issue where the `pan_comm` process stopped responding due to insufficient time allocated to read file descriptors when processing long messages. |
| PAN-295049 | Fixed an issue where the `logrcvr` process stopped responding due to memory allocation errors during Redis communication. |
| PAN-294488 | Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs. |
| PAN-294436 | Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0. |
| PAN-294179 | Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh. |
| PAN-293985 | Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message `504: Gateway Timeout`. |
| PAN-293877 | (Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys. |
| PAN-293842 | Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface. |
| PAN-293673 | Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server. |
| PAN-293511 | Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures. |
| PAN-292242 | Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity. |
| PAN-292228 | Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message `flow-basic error; packet dropped, tunnel resolution failure`. |
| PAN-292202 | Fixed an issue where the system logs repeatedly displayed the alert `Clearing snmpd.log due to log overflow` due to the SNMP counters rolling over. |
| PAN-291940 | Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time. |
| PAN-291792 | (PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses. |
| PAN-291785 | Fixed an issue where the `all_task` process stopped responding. |
| PAN-291631 | (VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted. |
| PAN-291456 | Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration. |
| PAN-290919 | (VM-Series firewalls only) Fixed an issue where file download speeds and performance were slower than expected for Prisma Access mobile users when SSL decryption was enabled. To use this fix, run the CLI command `debug dataplane set ssl-decrypt fptcp-rto min <100-500>`. |
| PAN-290691 | Added the CLI command `set system setting ctd h323_rtp_predict timeout` to increase the maximum timeout limit from 3600 seconds to 65535 seconds. |
| PAN-290449 | Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed. |
| PAN-289803 | Fixed an issue on the firewall where AIOps and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present. |
| PAN-289406 | Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall. |
| PAN-289383 | Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings. |
| PAN-289109 | Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock timeout occurred during a commit. |
| PAN-288988 | Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank. |
| PAN-288432 | Fixed an issue where, when Advanced Routing Engine was enabled on firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance. |
| PAN-288363 | Fixed an issue where the MIB ID returned an incorrect value via SNMP. |
| PAN-287842 | Fixed an issue where the `comm` process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1. |
| PAN-287688 | Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT. |
| PAN-287601 | Fixed an issue on Panorama where commits took longer than expected. |
| PAN-287387 | Fixed an issue on Panorama where API jobs failed with the error message `Server error: Timed out while getting config lock`. This occurred due to slow set request performance when setting a large number of address objects in a single set call. |
| PAN-286931 | Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS. |
| PAN-286899 | Fixed an issue where the `device-group-tags` CLI command used an unnecessary configuration read lock. |
| PAN-286615 | Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled. |
| PAN-286475 | Fixed an issue where the option to sort sequence numbers was missing from Filters prefix list in the advanced routing filters. |
| PAN-286299 | Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only. |
| PAN-286231 | Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down. |
| PAN-285436 | Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device configuration import operation, which caused the imported configuration to not be included in the pushed configuration. |
| PAN-285285 | Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress. |
| PAN-284117 | (Panorama appliances in Log Collector mode only) Fixed an issue where the `vm_agent` process restarted after an upgrade. |
| PAN-283813 | Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama. |
| PAN-283522 | Fixed an issue where the SAML single log out (SLO) URL was not correctly displayed in the web interface after it was changed in the SAML profile. |
| PAN-283165 | Fixed an issue where the Panorama web interface was slower than expected after a period of inactivity due to the Panorama management server unnecessarily reading the `running-config.xml` file. |
| PAN-281776 | Fixed an issue on the Panorama web interface where the error message `PPPoEv6 Client Interface cannot be enabled with DHCPv6 client` was generated when overriding aggregate interfaces even when no DHCPv6 or PPPoE was configured. |
| PAN-281721 | Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits. |
| PAN-281488 | Fixed an issue where searching configuration logs for an `audit_uuid` did not return a result if the rule was created with a clone operation. |
| PAN-281096 | Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to `all`, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down. |
| PAN-279901 | Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contained at least 5 bytes, or out-of-order packets were waiting in L4 TCP. |
| PAN-279829 | Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules. |
| PAN-279706 | (M-600 appliances only) Fixed an issue where Panorama did not update all `panreplay` database entries after performing a commit and full push to all devices. |
| PAN-279690 | Fixed an issue where the `all_pktproc` process stopped responding, which caused the firewall to unexpectedly restart. |
| PAN-279415 | Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured. |
| PAN-279400 | Fixed an issue where, when Restrict Certificate Extensions was enabled on decryption profiles, the basic constraints extension was overwritten incorrectly. |
| PAN-279366 | Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands. |
| PAN-277234 | Fixed an issue where a device group import resulted in a Security policy rule being created with Application set to `none`. |
| PAN-277178 | Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used. To use this fix, delete the original shared object after cloning it to a device group with the same name. |
| PAN-276795 | Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software). |
| PAN-275272 | Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred. |
| PAN-274064 | Fixed an issue on Panorama where the `request batch license info` CLI command displayed entries for devices that were no longer attached to Panorama. |
| PAN-273153 | Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the `MonitorDirect.getTasks` API by the Task Manager. |
| PAN-271438 | Fixed an issue where the firewall calculated available memory incorrectly on CENTOS devices, which caused the firewall to display high memory usage alerts even when sufficient memory was available. |
| PAN-271425 | (Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing. To use this fix, enter the CLI command `set system setting ssl-decrypt ha-vwire-mac-learn global yes` on both firewalls in an HA pair. |
| PAN-269659 | Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096. |
| PAN-269155 | Fixed an issue where an OOM condition occurred, which caused processes to stop responding. |
| PAN-268522 | Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4. |
| PAN-268002 | Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection. |
| PAN-267330 | Fixed an issue where the firewall dropped inbound RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command `set system setting ctd h323_rtp_predict timeout <120-3600>` to increase the timeout limit. |
| PAN-265782 | Fixed an issue on Panorama where, after you enabled multihop in a BFD profile, you were unable to disable it via the web interface. |
| PAN-265111 | Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter. |
| PAN-263465 | Fixed an issue where the `logrcvr` process stopped responding due to a memory leak and buffer overrun. |
| PAN-262599 | Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a `CONFIG_UPDATE_START` error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured. |
| PAN-261677 | Fixed an issue where multiple `smartctl` processes entered a d state due to failure to read from the kernel partition, which resulted in high CPU and management impact. |
| PAN-260827 | Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput. |
| PAN-260661 | Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files. |
| PAN-256670 | Fixed an issue where scheduled email reports were sent without PDF attachments if the firewall was in FIPS-CC mode. |
| PAN-255860 | (PA-5200 firewalls only) Fixed an issue where the `all_pktproc` process stopped responding when the firewall was under a heavy traffic load. |
| PAN-251442 | Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly. |
| PAN-251035 | Fixed an issue where selective push operations did not push certificate changes to the firewall. |
| PAN-241230 | Fixed an issue where the SNMP get request status value for Panorama connections was incorrect. |