The following table lists the issues that are addressed in the PAN-OS® 7.1.8 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-73699 Fixed an issue where UDP IPv6 fragmented packets were dropped due to an incorrect defrag packet attached to the session bind nack message.
PAN-73291 Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
PAN-72952 Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
PAN-72616 Fixed an issue on PA-7000 Series firewalls where sessions were dropped with the flow_bind_pending_full message when using Ethernet IP (etherip) protocol 97, which resulted in unstable connections and delayed responses.
PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
PAN-71829 Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration—specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
PAN-71556 Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
PAN-71384 Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.
PAN-71215 Fixed an issue where deactivating a VM-Series firewall from Panorama failed and caused the firewall to become unreachable when the Verify Update Server Identity setting was enabled in Panorama ( Panorama > Setup > Services > Verify Update Server Identity) but disabled on the firewall.
PAN-70969 Fixed an issue on a virtual wire where, if you enabled Link State Pass Through ( Network > Virtual Wires), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
PAN-70923 Fixed an issue where the User-ID process (userid) stopped responding when the firewall was having connectivity issues with one of the LDAP servers.
PAN-70428 A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583 / PAN-SA-2017-0005).
PAN-70371 Fixed an issue where RADIUS challenge-based authentication failed when user input included uppercase characters.
PAN-69906 Fixed an issue where SNMP packets caused a decoder loop that resulted in high dataplane CPU usage.
PAN-69479 Fixed an issue where renaming a template broke the configuration for any NSX service profile zones within that template.
PAN-69340 Fixed an issue where the capacity license was not applied when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.
PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
PAN-68489 Fixed an issue where the management interface configured for DHCP caused FQDN resolution to fail.
PAN-68074 A security-related fix was made to address CVE-2016-5195 (PAN-SA-2017-0003).
PAN-68072 Fixed an issue on VM-Series firewalls where rebooting or configuring a new L3 interface caused the IP range configured on a disabled interface to be incorrectly installed in the FIB and routing table if you disabled the interface from the vSwitch.
PAN-68062 Fixed an issue where the firewall failed to apply the correct action if the vulnerability profile had a very long list of CVEs. With this fix, the firewall is able to support up to 64 CVEs per vulnerability rule. If the number of CVEs in the rule is more than 64, the firewall displays a warning when you commit configuration changes.
PAN-68034 The netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the netstat command is reintroduced.
PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
PAN-67086 Fixed an issue on PA-7000 Series firewalls where the PA-7000-20GQXM-NPC and PA-7000-20GQ-NPC cards could not achieve more than 16Gbps throughput for non-offloaded traffic. With this fix, the cards can reach the maximum specified throughput of 20Gbps.
PAN-66838 A security-related fix was made to address a Cross Site-Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584 / PAN-SA-2017-0004).
PAN-66688 Fixed an issue with memory leaks associated with the routed process when allocated memory was not released when no longer needed.
PAN-66436 Fixed an issue where a role-based Panorama administrator could not perform a configuration audit after context-switching to a firewall.
PAN-64889 Fixed an issue on Panorama where attempting to configure dynamic IP objects using the XML API failed, preventing the configuration from being pushed to the managed firewalls.
PAN-64711 Fixed an issue where the predict session incorrectly used the policies of the parent session.
PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
PAN-64588 Fixed an issue where custom reports did not populate correctly when grouped by source country.
PAN-64525 Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
PAN-64164 Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
PAN-63798 Fixed an issue where usernames were displayed in logs and reports when privacy settings in admin role was configured to prevent their display.
PAN-63204 Fixed an issue where the firewall incorrectly assigned an expired User-ID IP mapping for 30 seconds after the original mapping had expired.
PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
PAN-62822 Fixed an issue where the firewall dropped RTP traffic matching a predict session when a video call initiated from the external side of a shared gateway. With this fix, when a predict session goes across a different vsys or a shared gateway, the firewall uses the egress interface's vsys to lookup the destination zone instead of the session's vsys.
PAN-62319 Fixed an issue where multicast entries were pointing to the wrong rendezvous point (RP) IP address because a recycled interface ID allocated for PIM register encapsulation retained an old tunnel interface that pointed to the wrong RP.
PAN-62074 Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
PAN-62038 Fixed an issue where configurations committed from Panorama stalled at 99% and failed to complete.
PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action ( Network > Zone Protection > Flood Protection).
PAN-61304 Fixed an issue where certain Access Domain users (such as vsys administrators) were not able to log in to the web interface on the firewall; instead, they received the following error: Could not find role profile in running config.
PAN-60797 Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (“File not found”) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
PAN-60662 Fixed an issue on devices where commits failed due to issues with a process (authd).
PAN-60630 Fixed an issue where the server-to-client (s2c) flow for RTP predicted sessions were not correctly matching a policy-based forwarding (PBF) rule.
PAN-60591 Fixed an issue where a custom role administrator with commit privileges could not commit configurations using the XML API.
PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
PAN-59204 Fixed an issue where the firewall did not create an IPSec NAT-T session after a tunnel re-key until it originated a tunnel keep-alive. When this issue occurred, the firewall dropped NAT-T packets.
PAN-58496 Fixed an issue where custom reports using threat summary were not populated.
PAN-58411 Fixed an issue where PA-7000 Series firewalls were sending report requests even when the debug skip-condor reports CLI command was set to no .
PAN-57434 Fixed an issue where the firewall reset connections instead of sending an SMTP 5.4.1 error message when SMTP traffic was blocked after detecting a vulnerability signature. With this fix, the firewall sends an SMTP 5.4.1 error message when SMTP traffic is blocked due to a vulnerability signature.
PAN-57338 Fixed an issue where a slow file descriptor leak between two processes (mgmtsrvr and pan_log_receiver) caused the log receiver to stop responding and degraded management server performance. This issue occurred after a long device up time (more than 380 days).
PAN-56839 Fixed an issue where the dataplane stopped responding when a change to the Aggregate Ethernet (AE) link configuration was committed, resulting in an unexpected path monitoring condition.
PAN-56700 Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
PAN-56684 Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
PAN-56531 Fixed an issue where you could not select a configured decrypt interface (it did not display) in the Decrypt Mirror drop-down ( Device Groups > Objects > Decryption Profile) when the firewall or appliance was part of a template stack but not a template.
PAN-55035 Fixed an issue where CSV exports of system logs from the web interface did not enclose strings containing commas in quotes, which broke the formatting of the entries. With this fix, strings containing commas are enclosed in double quotes.

Related Documentation