A security-related change was made to address an issue in the policy configuration dialog (PAN-SA-2016-0014).

Fixed an issue where the firewall could not install PAN-OS or GlobalProtect agent software images on leap day (February 29). With this fix, the firewall can install these images regardless of the date.

A security-related fix was made to address CVE-2016-1712 (PAN-SA-2016-0012).

Fixed an issue where a Panorama validate operation followed by an FQDN refresh caused the validated configuration change to commit to the firewall.

Fixed an issue where the passive firewall in a VM-Series ESXi configuration was processing and forwarding traffic.

Fixed an issue where a firewall did not send TCP packets out during the transmit stage in the same order as those packets were received.

A security-related fix was made to address a Denial of Service (DoS) condition related to the PAN-OS XML API (PAN-SA-2016-0008).

Fixed an issue where SSL decryption did not work as expected for resumed sessions.

Fixed an issue where a firewall failed a commit after receiving a File Blocking profile from Panorama that contained a space at the end of the profile name. This issue occurred when the managed firewall was running an older version of PAN-OS (when File Blocking and WildFire™ Analysis profiles were merged into one profile) and Panorama pushed the configuration to a device group.

Fixed an issue where a cloned application name could not be edited after it was cloned from a Shared/Device Group location to a Shared location. With this fix, the cloned application names can be edited.

Fixed an issue where the packet processor stopped responding when proxy packets were switched to the fast path group on the dataplane.

Fixed an issue where SSL decryption sessions failed for secure websites that used a certificate issued by the Entrust.net Certification Authority (2048).

Fixed an issue on PA-7000 Series firewalls where a session was modified while in a state that should not allow modification, which caused processes associated with the packet processing daemon to stop responding.

Fixed an issue where the LSVPN tunnel interface started flapping after upgrading the firewall at one end of the tunnel (either the GlobalProtect gateway or satellite firewall) to a PAN-OS 7.0 or later release while the firewall at the other end of the tunnel was still running a PAN-OS 6.1 or earlier release. This issue occurred due to changes to encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0. With this fix, firewalls running PAN-OS 7.0.7 (or PAN-OS 7.1) or later releases successfully recognize the old names used in PAN-OS 6.1 and earlier releases so that LSVPN tunnels are established and stay up as expected.

Fixed an issue on the WildFire platform where, if the snmp.log file is over 5MB, the snmpd process cleared the log file and restarted.

Fixed an issue where upgrading from a PAN-OS 6.1 caused the GlobalProtect portal or gateway and SSL decryption processes to stop responding. This issue occurred because SSL/TLS Service Profiles (introduced in PAN-OS 7.0) were not created successfully if you did not enable multiple virtual system (multi-vsys) functionality on the firewall. With this fix, SSL/TLS Service profiles are now successfully created on non-multi-vsys platforms when upgrading to PAN-OS 7.1.0 and later releases.

Fixed an issue where the firewall generated superfluous logs (for traffic that did not match the configured filters) after you enabled dataplane debugging.

Fixed an issue with a passive peer in an HA configuration where the web interface did not allow you to configure dynamic updates.

Fixed an issue where a log file (/var/log/wtmp) inflated and consumed the available disk space. With this fix, PAN-OS uses a log rotation function to prevent log files from consuming more disk space than necessary.

Fixed an issue where you could not add WF-500 appliance signatures as exceptions in an Antivirus profile when the signature names contained more than 32 characters.

A security-related fix was made to address a cross-site scripting condition in the Application Command Center (ACC) (PAN-SA-2016-0009).

Fixed an issue where Data Filtering and WildFire Submission logs for non-NAT sessions contained incorrect or invalid NAT information.

Fixed an issue where the firewall could not connect to a GlobalProtect portal or gateway after removing the LSVPN configuration.

Fixed an issue where overrides of the default rules in the Shared policy took precedence over the overrides of default rules in a device group. With this fix, override precedence now behaves as designed (overrides of default rules in the lowest level device group take precedence over those settings in the higher level device groups and Shared).

Fixed an issue where a global counter (flow_dos_pf_noreplyneedfrag) related to the suppress-icmp-needfrag Zone Protection profile displayed the action as drop even when configured to allow ICMP Fragmentation. This fix introduces a new global counter (Unsuppressed ICMP Need Fragmentation).

Fixed an issue where a device administrator was unable to configure certain settings under Device > Setup > Operations.

Fixed an issue where upgrading from a PAN-OS 6.1 or earlier release prevented administrators from overriding LDAP group mappings that were pushed from Panorama.

Improved output of the command request batch license info on Panorama to include license expiration times.

Fixed an issue where a process restarted unexpectedly due to the reuse of a process ID (PID). The PID was associated with an old SSH session that the firewall intended to terminate because the SSH session had timed out but was never closed properly, which inadvertently resulted in a restart of the process currently associated with that PID.

Fixed an issue where a memory leak associated with the authentication process (authd) caused intermittent access and authentication issues.

Fixed an issue where the Aggregate Ethernet (AE) interface port in virtual wire mode with link state pass through enabled came up after a commit even though its peer AE interface port was down. With this fix, the other AE interface port will come up after the commit and is then brought down in approximately 10 seconds. This causes both AE interfaces to stay down until the first AE interface recovers.

Fixed an issue where all LLDP packets were sent with the source MAC address of the MGT interface instead of the dataplane interface from which they were transmitted. With this fix, LLDP packets are encapsulated with the source MAC address of the interface that transmitted the packet.

Fixed an issue where non-superuser administrators were unable to see Exempt Profiles and the Security policy rules in which the profiles are used when viewing a Threat log (Monitor > Logs > Threat > < Threat Name >).

Fixed an issue where a scheduled log export failed to export the logs if the password in the configuration contained the dollar sign ("$") character.

A security-related fix was made to address a buffer overflow condition.

A security-related fix was made to address a stack underflow condition.

Fixed an issue where commits failed due to processes (configd and mgmtsrvr) that stopped responding. This issue was caused by memory corruption related to the WildFire deployment schedule.

Fixed an issue where IPSec tunnels using IKEv2 failed to establish a VPN if multiple remote gateways were behind a port address translation (PAT) setup. With this fix, the firewall can allow multiple devices behind PAT to set up security associations to the same IP gateway.

A security-related fix was made to ensure the appropriate response to special requests received through the API interface.

A security-related fix was made to prevent some CLI commands from improperly executing code.

Fixed an issue where attempting to Hide Panorama background header (Panorama > Setup > Operations > Custom Logos) resulted in an error (Edit breaks config validity).

Fixed an issue where the User Activity Report did not show results for user names that contained German characters.

Fixed an issue where user-group mappings were not properly populated into the dataplane after a firewall reboot.

Fixed an issue with exporting a botnet report where exporting to CSV returned the Missing report job ID error.

Fixed an issue where Panorama template commits failed when the names of several certificates in the Default Trusted Certificate Authorities list changed. This occurred when Panorama was running a PAN-OS 7.0 release and pushed a template to a firewall running a PAN-OS 6.1 or earlier release.

Fixed a rare condition where the root partition on a firewall or appliance ran out of space during device state generation.

Fixed an issue where a commit failed after renaming a Panorama shared object that was already referenced in the rules on a local firewall.

Fixed a reporting issue on the ACC and SaaS Application Usage Report on managed firewalls. This issue occurred because the application information pushed from Panorama did not populate in a way or location that allowed the information to be used for reports generated on the firewalls.

Fixed an issue where the delete user-file ssh known-hosts command was unavailable on an M-Series appliance in Log Collector mode.

Fixed an issue where the User-ID (useridd) process stopped responding when the running-config was missing the port number associations for the Terminal Services (TS) Agent.

Fixed an issue where DNS proxy rules didn't consistently match a domain name with the correct primary IP addresses. With this fix, matching logic favors results that do not include wildcards.

Fixed an issue where the tunnel went down and began to renegotiate, causing traffic destined for the tunnel during that time to be dropped. This issue occurred when the configuration was pushed from Panorama to a firewall configured with IKEv2 preferred mode and that was connected to a firewall configured to use IKEv1 in an IPSec connection.

Fixed an issue where Layer 3 interfaces without defined IP addresses, zones, or virtual routers dropped LLDP packets, which prevented the firewall from obtaining and displaying neighbor information.

Fixed an issue where WildFire reports were generated for files already blocked by the Antivirus profile SMTP decoder.

Fixed an issue where the show logging-status device command used in the XML API caused the log daemon to stop responding when the device attribute was omitted.

Fixed an issue where a firewall was sending BGP packets with the wrong MD5 authentication value.

Fixed an issue where several valid country codes were missing in the Certificate Attributes section when generating a certificate from the web interface.

Fixed an issue where read-only device administrators were unable to view logs on the ACC tab.

Fixed an issue where the debug dataplane packet-diag aggregate-logs command showed an incorrect target filename.

Fixed an issue where the firewall could not register with the WildFire public cloud due to a problem with the log-cache size becoming too large. With this fix, a limitation mechanism is now in place to control the log-cache size.

A security-related fix was made to address information leakage in system logs that impacted the web interface (PAN-SA-2016-0016).

Fixed an issue with time calculation when displaying statistics for more than a single day (Monitor > App Scope > Network Monitor) that caused data to be unexpectedly shifted (calculation used 12:00 A.M. GMT instead of local time and data was shifted accordingly). With this fix, graphs display data across multiple days as expected for the local time on the firewall.

Fixed an issue on Panorama where an administrator with an access-domain name longer than 31 characters received the following error when logging in: Login could not be completed. Please contact the administrator. With this fix, administrators with access-domain names of up to 63 characters can log in.

Fixed an issue where WildFire reports (web interface and PDF) were unable to display digital signer information.

Fixed an issue where scheduled dynamic updates to managed firewalls stopped functioning after migrating the Panorama VM to an M-500.

Fixed an issue where the XML API request to test Security policy was not properly targeted to a specified virtual system (vsys), which made the request applicable only to the default vsys. With this fix, the XML API request to test Security policy is able to retrieve results for any previously targeted vsys.

Fixed an intermittent issue in an HA active/active configuration where packets passed through a virtual wire were dropped due to a race condition that occurred when the session owner and session setup were not on the same HA peer.

Fixed an issue where an OSPF route with a lower administrative distance than the static route should become the preferred route but was not installed and used as expected; the firewall continued to use the static route instead.

Fixed an issue where high rates of fragmented packets caused the firewall to experience a spike in packet buffer, descriptor, and CPU usage.

Fixed an issue where a virtual system custom role administrator could not add user to IP mappings using the XML API.

Fixed an issue on M-Series appliances that caused the show ntp CLI command to time out.

A security-related change was made to management plane account restrictions to prevent service disruption.

Fixed a cosmetic issue where the traffic log type was displayed in the severity column of the Log Forwarding profile.

Fixed an issue where the User-ID process (useridd) stopped responding, which caused the firewall to reboot.

Fixed an issue where a change of an object name was not propagated in some parts of the configuration where the object was referenced.

Fixed an issue where committing a policy on Panorama that contained interfaces that were manually defined generated an error: [interface name] is not an allowed keyword.

Fixed an issue on Panorama virtual appliances and on M-Series appliances in Panorama mode where two correlation engine sub-objects on the Web UI tab (Correlation Objects and Correlated Events) were incorrectly excluded when adding or modifying an Admin Role profile (Template > Device > Admin Roles).

Fixed an issue where an incomplete IPSec tunnel configuration (one without an IKE gateway specified) caused the firewall server process to stop responding.

Fixed an issue where LDAP sessions on Panorama were kept open and not actively refreshed. With this fix, a keep-alive mechanism is added that is triggered after 15 minutes of session inactivity and that allows a maximum of 5 failed probes before dropping a connection (probes occur in 60-second intervals).

Fixed an issue on Panorama where a commit to a device group caused the Panorama job to fail, but the job was successful on the managed device.

Fixed an issue where the SSL Certificate Errors Notify Page did not display values of some variables (such as certname, issuer, and reason) on web pages with expired certificates.

Fixed an issue where QoS statistics for a specific interface were empty after a device reboot.

Security-related fixes were made to address issues reported in the October 2015 NTP-4.2.8p4 Security Vulnerability Announcement.

Fixed an issue where a firewall in an HA active/passive configuration dropped FTP PORT command packets after a failover.

Fixed an issue where the General Settings dialog for Device > Setup > Management did not resize correctly when the Login Banner contained a large amount of text.

Fixed an issue where predefined Application Usage Risk Trend graphs (Monitor > Reports > PDF Summary Reports) did not display lines between contiguous dots as expected.

Fixed an issue where the administrator could not manually type the Ethernet interface name in a NAT policy in Panorama.

Fixed an issue where the failed to handle CONFIG_COMMIT error was displayed during a commit.

Fixed an issue where the management plane stopped responding if you modified an object referenced in a large number of rules.

Fixed an issue where the firewall did not send SNMPv3 traps that used an IPv6 server address.

Fixed an issue where an LACP Aggregate Ethernet (AE) interface using SFP copper ports remained down after a dataplane restart.

Fixed an issue that occurred when using the Panorama template stack where the configuration (gear) icon displayed in the wrong location (next to Panorama servers in the template stack).

Fixed an issue where improperly formatted API calls to Panorama caused one of the system daemons to stop responding.

Enhanced logging for events where long CLI system commands would timeout. For example, when generating a tech-support file.

Fixed a cosmetic issue where the log action for the interzone-default Security policy rule was incorrect in session detail (session to be logged at end) when the default log action was overridden by the user.

Fixed an issue where scheduled dynamic update installation caused the HA link to flap.

Fixed an issue where a process (cryptod) stopped responding when attempting to use SSH to access a firewall that rebooted into maintenance mode after the master key was allowed to expire. With this fix, administrators can use SSH to access the firewall without causing the cryptod process to fail even after a firewall reboots to maintenance mode after the master key expires.

Fixed an issue in the XML API that prevented a read-only Superuser from downloading custom packet captures.

Fixed an issue on PA-7000 Series firewalls where the first autocommit attempt failed.

Fixed an issue where an error was displayed when saving the NFS partition configuration on a Panorama virtual appliance.

Fixed an issue where GlobalProtect was not appropriately indicated on the interface tab when it is configured on a loopback interface.

Fixed an issue on the PA-7050 firewall where after deleting a HIP log forwarding profile a false warning would appear during a commit.

Fixed an issue in PAN-OS 7.0 releases where the source and destination field was no longer included as expected in error messages that were triggered when requests to delete address objects failed. With this fix, the source and destination information is again included in the error message.

Enhancement made to allow administrators to include the application field and URL field in custom response pages.

Fixed an issue where virtual system administrators (full access or read-only) were unable to access settings under the Network tab (Panel for undefined not registered was displayed, instead).

Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing or empty basicConstraints extension. With this fix, an exception is added to allow a missing or empty basicConstraints extension for self-signed non-CA certificates, and the following behaviors will be applied to CAs with regard to basicConstraints extensions:

If the CA has an extension basicConstraints=CA:TRUE, then allow the CA.
If the CA has an extension basicConstraints=CA:FALSE, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs.
If the CA has does not have a basicConstraints extension, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs, and allow self-signed CAs.

Fixed an issue where a firewall allowed some HTTP GET packets to pass through even when the URL Filtering profile was configured to block packets in this URL category.

Fixed an issue where inbound SSL decryption did not work as expected when you enabled SYN cookies.

Fixed an issue where the output of the show dos-protection <zone-name> blocked source command didn't display the correct data for the requested zone.

Fixed an issue where re-entering an LDAP bind password through the CLI using a hash value (instead of a regular password) was rejected for having too many characters.

Fixed an issue where a custom report with Group By Source User option did not include all data when the Source User field was empty.

Fixed an issue so that the firewall performs NAT translations on IP addresses in an SCCP packet by doing a second NAT policy lookup instead of using a NAT policy for the current session.

Added an enhancement to the PAN-OS routing engine for BGP routing protocol to remove a varying AS number preceded by a static AS number in the AS_PATH attribute.

Fixed an issue where repetitive logging of inconsequential debug messages caused the snmpd.log file to reach its maximum file size and prevent further logging. With this fix, these inconsequential debug messages are no longer written to the log file.

Fixed an issue where packets were not adhering to the virtual wire forwarding path, which caused MAC address flapping on neighboring devices. This occurred on a firewall in HA active/active virtual wire mode.

Fixed an issue where you could not select a template stack or a descendant device group defined in a device group hierarchy on Panorama when specifying the device group and template for the VM-Series NSX edition firewall.

Fixed an issue where Panorama custom report filenames that included a period (".") character resulted in empty reports. With this fix, reports are generated as expected for custom report filenames that include a period so long as the period is not the first character in the filename.

Fixed an issue where importing a certificate with the same subject name as an existing certificate failed. With this fix, you can import a certificate that uses the same subject name as an existing certificate.

Fixed an issue where an HA configuration did not correctly synchronize between firewalls when configured on Panorama and pushed to the firewalls.