The following table lists the issues that are addressed in the PAN-OS® 7.1.7 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-70349 Fixed an issue where external dynamic list (EDL) objects lost IP addresses and returned 0.0.0.0 when two or more EDL objects used in a security policy referenced the same source URL.
PAN-69546 Fixed an issue on firewalls in an HA active/passive configuration where, if you enabled LACP pre-negotiation, the egress interface on the passive firewall transmitted packets that should have been filtered, which caused packet loss when neighboring switches incorrectly forwarded traffic to the passive firewall. With this fix, the passive firewall correctly filters egress traffic.
PAN-69485 Fixed an issue where User-ID group mapping did not retain groups retrieved from Active Directory (AD) servers if there were any invalid groups in the group-mapping include list.
PAN-68487 Fixed an issue where the web interface displayed 24 ports instead of 14 ports for the PA-7000-20GQXM-NPC network processing card.
PAN-68045 Fixed an issue on PA-7000 Series firewalls where forwarding to WildFire failed due to an incorrect calculation of file size.
PAN-67986 Fixed an issue where the dataplane restarted due to a corruption in the QoS queue pointer.
PAN-67587 Fixed a rare condition where a dataplane process (all_pktproc) stopped responding.
PAN-67079 Fixed an issue in PAN-OS 7.1.6 where SSL sessions were discarded if the server certificate chain size exceeded 23KB.
PAN-66540 Fixed an issue where the management interface and HA interfaces flapped during installation of a software upgrade, which caused HA failover or split brain.
PAN-65738 Fixed an issue on firewalls in active/active configuration where a newly created BFD profile disappeared after you performed a commit operation on either of the peers.
PAN-64662 Fixed an issue where latency intermittently spiked over 3ms for IPSec traffic. With this fix, the conditions that contributed to latency spikes are addressed.
PAN-64626 Fixed an issue where a memory leak occurred on a process (authd) after each commit, which caused restarts of another process (mgmtsrvr) and affected access to the web interface.
PAN-64435 Fixed an issue on Panorama virtual appliances where a process (configd) experienced high memory usage and stopped responding, which caused commits to fail.
PAN-64321 Fixed an issue where Panorama did not update the names of log forwarding profiles and zone protection profiles in a template stack after renaming, which caused failures when pushing the configuration to devices.
PAN-64177 Fixed an issue where the CLI command test custom-url did not return the correct custom category.
PAN-63901 Fixed an issue where TCP sequence numbering shifted when the firewall performed a decrypted session tear down in the case of a fatal alert.
PAN-63796 Fixed an issue on PA-7000 Series firewalls where internal looping of tunnel creation packets caused high dataplane CPU usage.
PAN-63038 Fixed an issue on Panorama where traffic logs retrieved by XML API query displayed IP addresses with subnet notation instead of full IP addresses. This issue occurred when the administrator using the query had a custom privacy configuration in the web interface that had Show Full IP Addresses disabled.
PAN-63021 Fixed an issue where policy-based forwarding (PBF) symmetric return traffic enforcement failed intermittently because return MAC address entries aged-out prematurely. With this fix, the firewall enforces symmetric return even when PBF return MAC entries age out.
PAN-62944 Fixed an issue where the management server process stopped responding when a Commit All job was initiated from Panorama, which prevented managed devices from reporting the commit job status back to Panorama. As a result, the commit job appeared stalled in Panorama even after commits were successfully completed on the managed devices.
PAN-62212 Fixed an issue where the Global Find window was grayed-out and non-functional if you accessed it from the Browse link when configuring an address object in a security policy.
PAN-62050 Fixed an issue where a User-ID redistribution loop caused high management plane CPU usage. This issue occurred when the User-ID redistribution configuration included three or more firewalls, and the firewall encountered the same IP address and timestamp for different users.
PAN-61742 Fixed an issue where the firewall incorrectly identified BGP traffic as traceroute traffic, causing the wrong policy to be applied to the traffic.
PAN-61643 Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
PAN-61367 Fixed an issue where the firewall failed to send a TCP reset (RST) to the client-side and server-side devices when an application had a reset-both deny action in its security policy.
PAN-60222 Fixed an issue where Panorama allowed you to configure a decryption type on No Decrypt policies. When Panorama pushed these policies to firewalls, it set the decryption type to the default value SSL Forward Proxy . With this fix, when you select No Decrypt as a policy rule action, Panorama disables configuration of the decryption type.
PAN-60182 In response to an issue where LACP flapped intermittently due to negotiation failures, priority for LACP processing is enhanced to mitigate flapping, and additional debug options are added to help isolate negotiation failures.
PAN-59870 Fixed an issue where purged software packages appeared in the list of uploaded software packages. With this fix, the software list will no longer display purged software packages.
PAN-59669 Fixed an issue where Online Certificate Status Protocol (OCSP) verification failed when using non-CA certificates. With this fix, you can configure a non-CA certificate as an OCSP Verify certificate ( Device > Certificate Management > Certificates Profile > Add). Note that if you use a non-CA certificate and then downgrade to a PAN-OS release that does not include this fix, auto-commits will work, but manual commits will fail.
PAN-58744 Fixed an issue where IPSec VPN tunnels failed to establish if you used dynamic VPNs and mixed IKEv1 and IKEv2 on the static device.
PAN-58582 Fixed an issue where the hostname obtained from a Panorama template for a firewall reverted to the default hostname. This issue occurred after the management server process on the firewall (mgmtsrvr) restarted following an event such as a PAN-OS update or firewall restart.
PAN-58520 Fixed an issue where PDF exports of custom reports generated using Run Now did not display hostnames obtained from reverse DNS lookup.
PAN-57874 Fixed an issue where IPSec tunnels flapped randomly because a race condition between two processes (mprelay and pan_task) caused duplicate tunnel monitoring ICMP packets with the same sequence numbers to be sent, which disrupted IPSec tunnel state.
PAN-57360 Fixed an issue where the management server process (mgmtsrvr) had an out-of-memory condition and restarted, causing a loss of uncommitted changes.
PAN-57181 Fixed an issue on Panorama in an HA configuration where synchronization failed after a commit with the message, Committing mgt settings failed. Could not read merged running config from file . This issue occurred when WildFire updates created a race condition with HA synchronization.
PAN-56569 Fixed an issue where the top half of text lines failed to display correctly in the PDF version of the App Scope Threat Monitor Report ( Monitor > App Scope > Threat Monitor).
PAN-56189 Fixed an issue where a custom role administrator who had threat log viewing privileges disabled could view threat logs in the Unified log view.
PAN-55747 Fixed an issue where websites failed to load properly if you enabled SSL decryption. This issue occurred due to an error in the handling of URL block pages and captive portal redirects.

Related Documentation