The following table lists the issues that are addressed in the PAN-OS® 7.1.5 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-63171 Fixed an issue where, when using the GlobalProtect agent on a Mac OS X endpoint, the connection from the agent to the GlobalProtect gateway failed and the agent displayed the error "Certificate error. Restart the service?".
PAN-63080 Fixed an issue where, if you had a custom response page that used a large binary object, a process (websrvr) stopped responding, which caused the captive portal to not function.
PAN-62803 Fixed an issue where, if you configured GlobalProtect to use certificate-based authentication, users on Chromebook endpoints received prompts to log on using username and password.
PAN-62773 Fixed an issue on VM-Series firewalls in an HA configuration where synchronization traffic led to a condition where the firewall stopped responding.
PAN-62589 Fixed an issue on Panorama where a stack configuration was incomplete and failed with the error message "Failed to create configuration for template", even though the composing templates had configuration entries present.
PAN-62339 Fixed an issue where a process (websrvr) restarted repeatedly during captive portal redirects because the redirect URL did not include required vsys and URL arguments.
PAN-61818 Fixed an issue where CPU utilization on the dataplane was higher than expected.
PAN-61815 Fixed a rare issue where VM-Series firewalls stopped generating traffic, threat or URL logs, or lost the ability to resolve the URL category.
PAN-61547 Fixed an issue where a process (snmpd) had a memory leak that caused frequent SNMP restarts.
PAN-61521 Fixed an issue on Panorama where, if you added a User-ID agent to a template in a template stack, and one of the templates in the stack did not have a User-ID agent specified, you would lose User-ID agents from templates in the stack.
PAN-61146 Fixed an issue where, if you changed or refreshed an FQDN configuration with a large number of IP address entries (more than 32 IPv4 and IPv6 entries) in a single FQDN object, the firewall or Panorama management server stopped responding.
PAN-61046 A security-related fix was made to address a cross-site request forgery issue (PAN-SA-2016-0032).
PAN-60872 Fixed an issue where WildFire falsely identified Microsoft Word files containing macros as suspicious.
PAN-60830 Fixed an issue on firewalls in an HA active-passive pair where HA configuration sync failed. This issue occurred when configuration sync from the active firewall happened while the passive firewall was in a state where a local commit failed. With this fix, configuration sync from the active firewall overwrites the configuration on the passive firewall, and configuration sync succeeds.
PAN-60828 Fixed an issue where a process (l3svc) restarted due to missing too many heartbeats, which caused the Captive Portal to fail to trigger.
PAN-60819 Fixed an issue where the dataplane restarted while processing a chain of tunnel packets.
PAN-60667 Fixed an issue where a process (devsrvr) restarted repeatedly due to a problem with the internal URL cache structure.
PAN-60587 Fixed an issue where the firewall did not provide a blocked page response if you accessed a blocked application over HTTPS.
PAN-60568 A security-related change was made to address a version disclosure in GlobalProtect (PAN-SA-2016-0026).
PAN-60444 Fixed an issue where SCEP enrollment failed when parsing CA certificates sent by the Aruba ClearPass server.
PAN-60002 Fixed an issue where, if you configured virtual routers with OSPF Type-5 external routes with non-zero forward addresses, the routing tables of some virtual routers did not contain the routes. With this fix, OSPF Type-5 external routes install as expected in the virtual routers.
PAN-59778 Fixed an issue where, in very rare cases, the firewall forwarded frames to incorrect ports because duplicate MAC address entries were present in the offload processor MAC table. With this fix, the offload processor will not have duplicate MAC address entries in the MAC table.
PAN-59704 Fixed an issue on VM-Series firewalls where, if path monitoring for HA used IPv6 addressing, the firewall used the wrong IPv6 address and path monitoring checking failed.
PAN-59634 Fixed an issue in WildFire that led to a false negative detection on a malicious file. With this fix, WildFire detects malicious files that launch via powershell.exe.
PAN-59565 Fixed an issue where exported log files did not correctly escape certain characters, such as commas (,), backslashes (\), and equal-to operators (=).
PAN-59470 Fixed an issue where the firewall brought down a tunnel that terminated at an IKE gateway configured for dynamic IP addressing when the IP address of the gateway changed. With this fix, the firewall does not bring down a tunnel if the IKE gateway dynamic IP address changes.
PAN-59451 Fixed an issue where the captive portal response page did not display the user's IP address as specified by the <user/> variable in the HTML code for the page.
PAN-59315 Fixed an issue where a delay occurred on HA failover following a control plane failure on the active firewall.
PAN-59258 98112 Fixed an issue on firewalls in an HA active/active configuration where session timeouts for some traffic were unexpectedly refreshed after a commit or HA sync attempt. However, in PAN-OS 7.1.4, this issue is fixed only for an HA pair where both peers are running a PAN-OS 7.1 release; this issue is not fixed in a configuration where one firewall is running a PAN-OS 7.1 release and the other is running a PAN-OS 7.0 or earlier release.
PAN-58896 Fixed an issue where, if you used the CLI command request system fqdn show to display FQDN objects, the firewall displayed extra IP addresses that were not associated with the FQDN.
PAN-58885 Fixed an issue where dataplane CPU usage became excessive.
PAN-58816 Fixed an issue where, if you configured multiple virtual systems (Vsys) with non-consecutive identifying numbers, an SNMP poll of the panVsysActiveSessions OID incorrectly showed zero session values for some virtual systems. With this fix, SNMP polling output is correct and matches the equivalent CLI output of the same data.
PAN-58657 Fixed an issue on PA-7000 Series firewalls where a slot stopped responding due to a memory condition.
PAN-58322 Fixed an issue where, if you monitored server status from the user interface, the connection state appeared to toggle between the connected and disconnected states even though the server remained connected. This issue occurred for servers with agentless user mapping when you selected Enable Session in Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor.
PAN-58086 Fixed an issue where a process (devsrvr) restarted if you committed a configuration that used more than 64 vendor IDs in a single vulnerability protection rule. With this fix, if you commit a configuration with more than 64 vendor IDs in a single rule, you receive a warning that you have exceeded the maximum number of IDs, and the process restart does not occur.
PAN-57659 A security-related fix was made to address a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0031).
PAN-57464 Fixed an issue where end users experienced delays because the firewall sent an RST packet without an ACK flag to the client. This issue occurred when the firewall applied a security policy action of Reset Client or Reset Both.
PAN-57383 Fixed an issue where SSL decrypted traffic that used an unsupported RSA key size of 16384 caused the dataplane to restart.
PAN-57323 Fixed an issue where VPN traffic went into a discard state because the firewall allowed packets to be sent through the tunnel prior to the completion of the IKE Phase 2 re-key process.
PAN-57200 Fixed an issue where you could not restart certain firewall processes from the CLI without root access. With this fix, you can now restart these processes (bfd, cryptod, dhcpd, ikemgr, keymgr, and pppoed) using the CLI command debug software restart process. See CLI Changes in PAN-OS 7.1 for more information.
PAN-57054 Fixed an issue where, if you redistributed User-ID mapping information and the mapping used a timeout value of NEVER, the firewall incorrectly changed the timeout value to 3600.
PAN-56937 Fixed an issue where, if you viewed a configuration diff on the active Panorama server in an HA pair, a process (configd) restarted on the passive Panorama server.
PAN-56924 Fixed an issue where Panorama incorrectly removed the LDAP domain field when it pushed a template configuration to a firewall running a PAN-OS 6.x release. This issue occurred in a configuration where Panorama used a PAN-OS 7.x release and firewalls used a mixture of PAN-OS 6.x and PAN-OS 7.x releases.
PAN-56918 Fixed an issue where firewalls did not recognize malware that had been Base64 encoded in a zipped RTF file. This issue occurred during an SMTP session.
PAN-56650 Fixed an issue where a log collector failed to send the system log to the active Panorama peer in an HA active/passive Panorama configuration after the active peer restarted.
PAN-56580 Fixed an issue where throughput in an IPSec tunnel was lower than expected. With this fix, the firewall defaults the DSCP field to 0 for ESP packets to improve performance.
PAN-56456 Fixed an issue where, if you implemented an authorization profile for OSPF with MD5 authentication on a firewall configured for FIPS-CC mode, the dataplane restarted.
PAN-56438 Fixed an issue where the internal value for block time in the Denial of Service (DoS) table exceeded the configured block time. This issue occurred on firewalls installed in an HA configuration.
PAN-56280 Fixed an issue where the firewall displayed the status of a 10G SFP+ virtual wire interface as 10000/full/up when the configured state of the interface was auto/auto/down. This issue occurred when Link State Pass Through in Network > Virtual Wires was enabled.
PAN-56221 A security-related fix was made to address a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0033).
PAN-56200 Fixed an issue where the firewall allowed access to the search engine's cached version of a web page even though the page belonged to a URL category blocked by a policy.
PAN-56034 Fixed an issue where WildFire platforms experienced nonresponsive processes and sudden restarts under certain clients' traffic conditions.
PAN-55996 Fixed an issue where the dataplane restarted when processing SSL packets with an oversized Layer 2 header.
PAN-55993 Fixed an issue where user authentication based on user groups stopped working after you enabled the multiple virtual systems (multi-vsys) feature.
PAN-55560 Fixed an issue where a memory condition caused the dataplane to restart with the message "Dataplane is down: too many dataplane processes exited".
PAN-55190 Fixed an issue where the firewall failed to resolve URLs on the dataplane. This issue occurred when an out-of-memory error caused faults in the URL cache. With this fix, the firewall handles out-of-memory errors correctly, allowing proper resolution of URLs.
PAN-54696 Fixed an issue where incorrect handling of selective-acknowledgment (SACK) packets caused a decrease in download speeds on SSL-decrypted traffic.
PAN-54309 Fixed an issue in Panorama and where the default value of Save User Credentials in Network > GlobalProtect > Portals > GlobalProtect-portal-config > Agent > agent-config > Authentication was No when it should have been Yes.
PAN-54196 Fixed an issue where the firewall did not increment the packet identifier of RADIUS Access-Request packets as required by the RFC standard.
PAN-52379 A security-related fix was made to address CVE-2015-5364 and CVE-2015-5366 (PAN-SA-2016-0025).
PAN-52202 Fixed an issue where Panorama, when configured with a log collector, showed logs for a previous date and did not refresh the log display to show the latest logs.
PAN-49329 Fixed an issue where a firewall configured to block URL categories over HTTPS did not send a FIN/ACK to the browser to close the connection after sending a block page. This issue occurred for firewalls configured to perform NAT.
