The following table lists the issues that are addressed in the PAN-OS® 7.1.10 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-77595 Fixed an issue where PA-7000 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77516 A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
PAN-76890 Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
PAN-76153 Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
PAN-75413 Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
PAN-75372 Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
PAN-75158 Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
PAN-74655 Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall Network Processing Cards (NPCs) when the URL cache exceeded one million entries.
PAN-74548 Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
PAN-74403 Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
PAN-74368 Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
PAN-74236 Fixed an issue where numerous non-browser based requests from clients caused the User-ID process (useridd) to stop responding, which resulted in too many pan_errors disk writes.
PAN-74188 Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.
PAN-74184 Fixed an issue where Panorama failed to properly create NSX service profile zones and was out of sync with VMware Service Managers after you assigned VMware service definitions to template stacks.
PAN-73914 A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
PAN-73783 Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name.
PAN-73631 Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
PAN-73553 Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
PAN-73502 Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
PAN-73497 Fixed an issue on Panorama where the CSV file that you exported for a custom report (Monitor > Manage Custom Reports) included all entries instead of the number of entries specified in the Sort By drop-down (such as Top 10).
PAN-73484 Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
PAN-73359 Fixed an issue where commits failed because an accumulation of delayed ACC summary reports on Panorama and Log Collectors caused a memory leak in the reportd process.
PAN-73281 Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
PAN-73191 Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
PAN-73045 Fixed an issue where HA failover and fail-back events terminated sessions that started before the failover.
PAN-72875 Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium.
PAN-72871 Fixed an issue where the firewall displayed only part of the URL Filtering Continue and Override response page.
PAN-72697 Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
PAN-72433 Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
PAN-72346 Fixed an issue where the firewall failed to export botnet reports and displayed the following error: Missing report job id.
PAN-71627 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
PAN-71544 Fixed an issue where the VM-Series firewall on a Microsoft Hyper-V server stopped receiving traffic on interfaces in Tap mode because the system clock went backward, which caused the packet processor to stop responding.
PAN-71484 Fixed an issue where the firewall disrupted SIP traffic by discarding long-lived SIP sessions after a content update.
PAN-71400 Fixed an issue where the DNS Proxy feature did not work because the associated process (dnsproxy) stopped running on a firewall that had an address object (Objects > Address) with the same FQDN as one of the Static Entries in a DNS proxy configuration (Network > DNS Proxy).
PAN-71312 Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
PAN-71311 Fixed an issue where, after losing the connection to the Windows-based User-ID agent, the firewall generated a System log with the wrong severity level (informational instead of high) if you configured the User-ID agent with an FQDN instead of an IP address (Device > User Identification > User-ID Agents).
PAN-71133 Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
PAN-70928 Fixed an issue where the GlobalProtect gateway failed to verify the revocation status of a client certificate using Online Certificate Status Protocol (OCSP).
PAN-70731 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (Device > Setup > HSM) contained special characters.
PAN-70366 Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails used bare LF instead of CRLF line separators.
PAN-69951 Fixed an issue where the firewall generated System logs for dataplane under severe load events but failed to forward those logs to Panorama.
PAN-69874 Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never.
PAN-69801 Fixed an issue where the primary firewall peer in an HA active/active configuration was in a tentative HA state and did not synchronize session update messages with the secondary peer, which resulted in dropped packets after a session aged out (within 30 seconds).
PAN-69799 Fixed an issue where PA-7050 firewalls did not correctly enforce log retention periods (Device > Setup > Management, Logging and Reporting Settings section, Log Storage tab, Max Days fields).
PAN-69585 Fixed an issue where the URL link included in the email for a SaaS Application Usage report triggered third-party spam filters.
PAN-69235 Fixed an issue where committing a configuration with 4,000 or more Layer 3 subinterfaces caused the dataplane to stop responding.
PAN-68831 Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) had no log entries if you limited the effective queries to one log type.
PAN-68808 Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
PAN-68795 Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
PAN-68767 Fixed an issue where Panorama could not change the connection Status of an NSX manager (Panorama > VMware NSX > Service Managers) from Unknown to Registered due to a non-existent null value entry in the NSX manager response.
PAN-68763 Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.
PAN-67699 Fixed an issue where enabling cookie authentication on the GlobalProtect portal (Network > GlobalProtect > Portals) caused the sslvpn process to stop responding, which disconnected end users who connected through an SSL VPN.
PAN-67692 Fixed an issue where Panorama only intermittently used the proxy server if you configured it for connecting to VMware NSX service managers.
PAN-67639 Fixed an issue where the firewall did not properly mask the Auth Password and Priv Password for SNMPv3 server profiles when you viewed configuration changes in a Configuration log.
PAN-67600 Fixed an issue where firewall interfaces configured as DHCP clients renewed DHCP leases at incorrect intervals.
PAN-67412 Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
PAN-66997 Fixed an issue on PA-7000 Series and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
PAN-66873 Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
PAN-66215 Fixed an issue where the Panorama management server became unresponsive and inaccessible through SSH or HTTPS for several hours.
PAN-65918 Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
PAN-64884 Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
PAN-64870 Fixed an issue where a zone with the Type set to Virtual Wire (Network > Zones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop).
PAN-64725 Fixed an issue where PA-7000 Series firewalls and Panorama Log Collectors consumed excess memory and didn't process logs as expected. This issue occurred when DNS response times were slow and scheduled reports contained fields that required DNS lookups.
PAN-64639 Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
PAN-63969 Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
PAN-62937 Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
PAN-62797 Fixed an issue where the cdb process intermittently restarted, which prevented jobs from completing successfully.
PAN-62791 Fixed an issue where the firewall could not use the certificates in its certificate store (Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.
PAN-62500 A security-related fix was made to prevent the inappropriate disclosure of information due to a Linux Kernel vulnerability (CVE-2016-5696).
PAN-62436 Fixed an issue where, after you installed the GlobalProtect agent, it failed to connect with the GlobalProtect portal to download the agent configuration because authentication messages had special characters.
PAN-62159 Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
PAN-61682 Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
PAN-61644 Fixed an issue where Panorama displayed the Invalid term(device-group eq) error when you tried to display the logs for a specific device group.
PAN-61409 Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
PAN-60376 Fixed an issue where the authentication process (authd) stopped responding and caused the firewall to reboot after the firewall received a stale response to an authentication request before selecting CHAP or PAP as the protocol for authenticating to a RADIUS server.
PAN-60101 Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains (Monitor > Manage Custom Reports).
PAN-59677 A security-related fix was made to prevent firewall administrators logged in as root from using GNU Wget to access remote servers and write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971).
PAN-59676 Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
PAN-58358 Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) displayed information in the wrong columns.
PAN-57553 Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.
PAN-56453 Fixed an issue where the Correlation logs that Panorama forwarded with a custom Common Event Format (CEF) were incomplete and incorrectly formatted when sent as syslogs.
PAN-56287 Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
PAN-56015 Fixed an issue where the syslog format for Correlation logs differed from the format of other log types, which prevented the firewall from integrating with some third-party syslog feeds.
PAN-55245 Fixed an issue on VM-Series firewalls where application-level gateway (ALG) H.245 traffic failed due to a session prediction issue.
PAN-54531 Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.
PAN-49821 Fixed an issue where connections to the GlobalProtect portal failed when traffic came from a shared gateway and there was no Security policy rule to allow TCP port 20077 for the GlobalProtect portal IP address. With this fix, you need only allow access to TCP port 443 for the GlobalProtect portal even when traffic is coming from a shared gateway.
PAN-49660 Fixed an issue where several processes stopped on firewalls in an HA configuration that received HA3 messages but didn't have configured HA3 interfaces (Device > High Availability > Active/Active Config).
PAN-46374 Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).
