The following table lists the issues that are addressed in the PAN-OS® 7.1.6 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-68586 Fixed an issue where adding, removing, or modifying the Import/Export rules in a BGP configuration caused BFD and BGP neighbor state to flap.
PAN-67730 Fixed an issue where a process (l3svc) stopped responding multiple times with the message l3scv: Exited 4 times, waiting xxxx seconds to retry. With this fix, the failing process (l3svc) will no longer exit inadvertently.
PAN-67231 Fixed an issue on PA-5000 Series and PA-3000 Series firewalls where the dataplane restarted when processing traffic that had an incorrectly set IPv4 Reserved Flag.
PAN-66991 Fixed an issue where, if the firewall received an empty SCEP authentication cookie from a GlobalProtect agent, a process (ssl-mgr) on the firewall restarted. With this fix, the process does not restart when it receives an empty authentication cookie (the cookies are transparent to the user and cannot be configured).
PAN-66677 Fixed an issue on PA-5000 Series firewalls where traffic looped infinitely between dataplanes, which caused a loss of the affected traffic and a spike in CPU consumption.
PAN-66250 Fixed an issue on log collectors where a deadlock occurred for inter-log collector connections, which caused connectivity issues between log collectors and between firewalls and log collectors. This issue also caused local buffering of logs on the firewall. With this fix, log collector connection processing has been modified to eliminate these issues.
PAN-66210 Fixed an issue where a dataplane process failed to restart due to a missing or corrupt file, which caused the network processing card (NPC) to restart.
PAN-65996 Fixed an issue where, if a connection to the LDAP server failed, the authentication process (authd) stopped processing GlobalProtect user authentication requests, and, eventually, all subsequent successful authentication requests were dropped because the retry-interval flag was not set correctly. With this fix, authentication functions normally after the retry interval.
PAN-64796 Fixed an issue where a process (logrcvr) consumed more memory than expected when a WildFire update occurred if you enabled correlation objects (Monitor > Automated Correlation Engine > Correlation Objects).
PAN-64727 Fixed an issue where the firewall changed the sequence numbers of forwarded TCP keep-alive packets.
PAN-64582 Fixed an issue where a memory leak prevented secure websites from loading correctly if the URL filtering configuration blocked some objects on the page and a decryption profile rule applied “No Decrypt” to the website.
PAN-64368 Fixed an issue on PA-7000 Series firewalls where, if you applied a Quality of Service (QoS) profile to an Aggregated Ethernet (AE) interface, the QoS statistics reported a maximum egress for the AE interface that differed from the sum of the egress values of the individual interfaces in the aggregate. With this fix, QoS statistics correctly report the configured QoS value of the AE interface.
PAN-64361 Fixed an issue where the DNS proxy failed for DNS traffic that used TCP as the transport protocol and DNS servers contained DNS records with a very large number of entries (more than 100).
PAN-64360 Fixed an issue where the firewall failed to populate the email sender, recipient, and subject information for WildFire reports.
PAN-64263 Fixed an issue where forward-proxy decryption failed if the server certificate record size exceeded 16KB.
PAN-63928 Fixed an issue where, when a limited-role user accessed the web interface on the firewall and made changes from the Panorama context, the firewall applied an automated commit lock that could not be removed from that user.
PAN-63818 Fixed an issue on Panorama where, after you added a zone to a template, the zone failed to show up in the drop-down when choosing the source in a security policy.
PAN-63800 Fixed an issue where, if you enabled decryption on the firewall with a decryption profile that did not use Diffie-Hellman (DHE) and Elliptic Curve Diffie-Hellman (ECDHE) ciphers, the firewall sent an elliptic curve extension in the Client Hello, which caused the server to decline the connection.
PAN-63315 Fixed an issue where the custom response page for URL overrides failed to display.
PAN-63142 Fixed an issue where the dataplane restarted when processing IPv6 traffic that matched a predict session.
PAN-63080 Fixed an issue where a process (websrvr) stopped responding, which caused the captive portal to not function. This issue occurred when you had a custom response page that used a large binary object.
PAN-63073 Security-related fixes were made to prevent denial of service attacks against the web management interface (PAN-SA-2016-0035).
PAN-62782 Fixed an issue where an LDAP query that terminated before completion resulted in a memory corruption.
PAN-62385 Fixed an issue where, if the firewall lost connectivity with an LDAP server or if you applied an invalid query filter, and the disruption occurred during a User-ID group mapping update, the firewall deleted existing user-group mappings. With this fix, a disruption during a User-ID group mapping update causes the firewall to stop adding new user-group mappings but does not cause it to delete existing user-group mappings.
PAN-62261 Fixed an issue where the DNS proxy failed for DNS traffic that used TCP as the transport protocol.
PAN-62188 Fixed an issue where, if you configured a large number of FQDN objects, the firewall required multiple commits to refresh the objects.
PAN-61554 Fixed an issue where a memory leak in a process (authd) caused all authentications to the firewall to fail.
PAN-61547 Fixed an issue where a process (snmpd) had a memory leak that caused frequent SNMP restarts.
PAN-61543 Fixed an issue where, after you committed a push from the Panorama web interface to a device, the commit job appeared to stall at 0% complete even though Panorama successfully pushed the configuration.
PAN-61468 A security-related fix was made to address CVE-2016-6210 (PAN-SA-2016-0036).
PAN-61436 Fixed an issue where SSL Forward Proxy decryption failed with the error Unsupported Version if the server returned a very large certificate. With this fix, decryption succeeds even for very large certificates.
PAN-61428 Fixed an issue where the firewall allowed a GlobalProtect client to connect without validating the client certificate.
PAN-61104 A security-related fix was made to address a local privilege escalation issue (PAN-SA-2016-0034).
PAN-60933 Fixed an issue on firewalls in an HA active/passive configuration where, if you enabled LACP prenegotiation, the passive firewall intermittently forwarded traffic.
PAN-60893 Fixed an issue where the API command show object registered-ip all option count failed to produce the correct output when there were more than 500 registered entries. When this issue occurred, the command returned a file location for a file that listed the IP addresses instead of returning a count. With this fix, the API command functions correctly when there are more than 500 registered entries and returns the same output as the equivalent CLI command.
PAN-60390 Fixed an issue on Panorama where, if a RADIUS user logged in and tried to commit a configuration change, the commit window appeared and then disappeared before it could be read by the user.
PAN-59715 Fixed an issue where the GlobalProtect agent disconnected from the GlobalProtect gateway under high traffic loads. This issue occurred when the connections employed SSL tunnels instead of IPSec tunnels.
PAN-59532 Fixed an issue where, if you imported a device configuration into Panorama, and then pushed the configuration to a firewall, the commit failed with the error region unexpected here.
PAN-59411 Fixed an issue where a process (logrcvr) stopped responding, which caused commit and OSPF adjacency failures. With this fix, the process uses the correct buffer size to prevent the fault.
PAN-58906 Fixed an issue where, if you deselected the Log at Session End option, the log still generated entries for security policies with a configured URL category and an action other than Allow. With this fix, the firewall does not generate log entries if the option is deselected.
PAN-58822 Fixed an issue where the firewall blocked a static route configuration for the IPv4 destination 0.0.0.0/1. With this fix, the firewall allows configuration of static route entries in the range of 0.0.0.0/[0-7].
PAN-58673 Fixed an issue where the firewall did not use a second LDAP server for authentication if the first LDAP server was unreachable.
PAN-58618 Fixed an issue where the firewall dataplane restarted if you enabled data leak prevention (DLP).
PAN-58602 Fixed an issue where a Panorama template commit to a firewall failed with the error LDAP is missing 'ssl'. This issue occurred when the firewall operated in CCEAL4 mode.
PAN-58589 Fixed an issue where the dataplane restarted when an out-of-memory condition occurred on a process (pan_comm).
PAN-58526 Fixed an issue where Kerberos authentication to the Captive Portal was unsuccessful if the Kerberos token was larger than 8,000 bytes.
PAN-58516 Fixed an issue on PA-500 and PA-2000 Series firewalls where corruption of an instruction cache caused the firewall to restart. This issue occurred after the firewall was in continuous operation without a restart for hundreds of days.
PAN-58508 Fixed an issue where the firewall tried to create IP address-to-username mappings for IP addresses in the zone exclude list if the addresses were configured as address objects.
PAN-58413 Fixed an issue on firewalls and Panorama where, if you attempted to manually upload a software image that was larger than 1GB from the web interface, the upload failed with the error Upload file size exceeded system limit. With this fix, the firewall and Panorama size limit on software image uploads is increased.
PAN-58410 Fixed an issue on VM-Series firewalls in an HA configuration where an interface on the active firewall displayed its status as ukn/ukn/down(autoneg) after a failover occurred.
PAN-57946 Fixed an issue on the M-100 appliance where a configuration for a subnet in the permitted IP addresses of interface Eth1 or Eth2 failed to take effect.
PAN-57787 Fixed an issue on Panorama where, if you used the CLI replace command to replace a device serial number, Panorama updated the managed device serial number but did not update the serial number in the deployment schedule or in custom reports.
PAN-57785 Fixed an issue where the CLI commands show wildfire status and test wildfire tor returned Tor status errors. With this fix, the CLI commands only return Tor status errors in the case of an actual communication error.
PAN-57593 Fixed an issue where a decryption policy stopped decrypting SSL traffic if you enabled Wait for URL on SSL decryption.
PAN-57514 Fixed an issue where correlation logs forwarded from Panorama to an external syslog server contained a dash ( - ) instead of the Panorama hostname.
PAN-57358 Fixed an issue on Panorama where, if you tried to import a device state bundle in the device context (Device > Operation > Import), the import failed with the error message Error in copying file. With this fix, device state import works as expected.
PAN-57145 Fixed an issue where, if the firewall performed IP and port NAT in the path of a GlobalProtect Large Scale VPN (LSVPN) IPSec tunnel, a re-key caused the firewall side to temporarily change back to the default port number for the new tunnel, and the intermediate NAT device dropped traffic until the old tunnel timed out or was deleted manually. With this fix, when a re-key happens, the firewall searches and applies the correct port number to the new tunnel immediately, which prevents traffic drops.
PAN-57121 Fixed an issue where a VM-Series firewall that was in FIPS-CC mode could not connect to a Panorama server that was in normal mode.
PAN-56969 Fixed an issue where the firewall did not record X-Forwarded-For (XFF), User-Agent, or Referral HTTP headers in the URL log if the traffic was blocked or reset by a security profile even when HTTP header logging was enabled and the traffic contained those fields. With this fix, the firewall correctly logs the HTTP Headers.
PAN-56831 Fixed an issue on PA-7000 Series firewalls where, if the firewall processed UDP packets using an inter-vsys configuration, the packets looped repeatedly from one dataplane to another and increased dataplane CPU consumption to nearly 100%. With this fix, the firewall does not create a loop condition and processes the packets correctly.
PAN-56775 Fixed an issue where a firewall configured to perform a monthly update of the external dynamic list (EDL) initiated an EDL refresh job every second.
PAN-56438 Fixed an issue where the internal value for block time in the Denial of Service (DoS) table exceeded the configured block time. This issue occurred on firewalls installed in an HA configuration.
PAN-56257 Fixed an issue where reverse proxy key log entries did not contain Common Name (CN) information when a certificate mismatch occurred.
PAN-56009 Fixed an issue on firewalls installed in an HA active/active configuration where out-of-order jumbo packets caused the dataplane to restart, which resulted in a failover.
PAN-55737 Fixed an issue on PA-200 firewalls where, after the firewall rebooted and before NTP synchronization occurred, the firewall reported a reboot time without a timezone calculation to Panorama.
PAN-55474 Fixed an issue on firewalls in an HA active/passive configuration where, if you configured the path monitor timers with an aggressive value, the firewalls entered an unstable state with one node eventually becoming non-functional.
PAN-55344 Fixed an issue where the web interface limited the high availability (HA) active/active IPv6 virtual address field to 31 characters.
PAN-55237 A security-related fix was made to address an XPath injection vulnerability in the web interface (PAN-SA-2016-0037).
PAN-55196 Fixed an issue where the firewall did not resolve the IPv4 addresses of configured FQDN objects if you disabled firewalling for IPv6 addresses and you configured FQDN objects with both IPv4 and IPv6 addresses.
PAN-55190 Fixed an issue where a firewall failed to resolve URLs on the dataplane. This issue occurred when an out-of-memory error caused faults in the URL cache. With this fix, firewalls handle out-of-memory errors correctly, allowing proper resolution of URLs.
PAN-54492 Fixed an issue on firewalls and Panorama where SaaS reporting failed and a process (saas_report_wra) did not exit properly after the reporting failure.
PAN-54279 Fixed an issue where the FTP file transfer of a large number of small files failed because the firewall did not install the FTP data-channel session in a timely manner.
PAN-53860 Fixed an issue where SSL decryption did not occur if the SSL handshake was very large.
PAN-52138 Fixed an issue on firewalls with destination NAT enabled where video calls from outside the network failed because the firewall did not properly translate connect packets.
PAN-51703 Fixed an issue where a firewall process (all_pktproc) stopped responding after upgrading a firewall to a PAN-OS 7.1 release.
PAN-39257 Fixed an issue where you could forge the URL filtering continue action by modifying the User-ID (uid) parameter in the URL presented by the firewall. This issue occurred in a limited context where a malicious second user clicked on the Continue page alert on behalf of the actual user.
