End-of-Life (EoL)
PAN-OS 7.1.0 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.0 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Issue ID | Description |
---|---|
93072 | A security-related change was made to address
an issue in the policy configuration dialog (PAN-SA-2016-0014). |
92382 | Fixed an issue where the firewall could not
install PAN-OS or GlobalProtect agent software images on leap day
(February 29). With this fix, the firewall can install these images
regardless of the date. |
92293 | A security-related fix was made to address
CVE-2016-1712 (PAN-SA-2016-0012). |
91900 | Fixed an issue where a Panorama validate operation
followed by an FQDN refresh caused the validated configuration change
to commit to the firewall. |
91876 | Fixed an issue where the passive firewall in
a VM-Series ESXi configuration was processing and forwarding traffic. |
91771 | Fixed an issue where a firewall did not send
TCP packets out during the transmit stage in the same order as those
packets were received. |
91728 | A security-related fix was made to address
a Denial of Service (DoS) condition related to the PAN-OS XML API
(PAN-SA-2016-0008). |
91653 | Fixed an issue where SSL decryption did not
work as expected for resumed sessions. |
91533 | Fixed an issue where a firewall failed a commit
after receiving a File Blocking profile from Panorama that contained
a space at the end of the profile name. This issue occurred when
the managed firewall was running an older version of PAN-OS (when
File Blocking and WildFire™ Analysis profiles were merged into one
profile) and Panorama pushed the configuration to a device group. |
91522 | Fixed an issue where a cloned application name
could not be edited after it was cloned from a Shared/Device Group
location to a Shared location. With this fix, the cloned application
names can be edited. |
91336 | Fixed an issue where the packet processor stopped
responding when proxy packets were switched to the fast path group
on the dataplane. |
91307 | Fixed an issue where SSL decryption sessions
failed for secure websites that used a certificate issued by the
Entrust.net Certification Authority (2048). |
91234 | Fixed an issue on PA-7000 Series firewalls
where a session was modified while in a state that should not allow
modification, which caused processes associated with the packet
processing daemon to stop responding. |
91075 | Fixed an issue where the LSVPN tunnel interface
started flapping after upgrading the firewall at one end of the
tunnel (either the GlobalProtect gateway or satellite firewall)
to a PAN-OS 7.0 or later release while the firewall at the other
end of the tunnel was still running a PAN-OS 6.1 or earlier release.
This issue occurred due to changes to encryption algorithm names
when introducing Suite B ciphers in PAN-OS 7.0. With this fix, firewalls
running PAN-OS 7.0.7 (or PAN-OS 7.1) or later releases successfully
recognize the old names used in PAN-OS 6.1 and earlier releases
so that LSVPN tunnels are established and stay up as expected. |
91034 | Fixed an issue on the WildFire platform where,
if the snmp.log file was over 5MB, the snmpd process cleared the
log file and restarted. |
90982 | Fixed an issue where upgrading from a PAN-OS
6.1 release caused the GlobalProtect portal or gateway and SSL decryption
processes to stop responding. This issue occurred because SSL/TLS
Service Profiles (introduced in PAN-OS 7.0) were not created successfully
if you did not enable multiple virtual system (multi-vsys) functionality
on the firewall. With this fix, SSL/TLS Service profiles are now
successfully created on non-multi-vsys platforms when upgrading
to PAN-OS 7.1.0 and later releases. |
90933 | Fixed an issue where the firewall generated
superfluous logs (for traffic that did not match the configured
filters) after you enabled dataplane debugging. |
90857 | Fixed an issue with a passive peer in an HA
configuration where the web interface did not allow you to configure
dynamic updates. |
90794 | Fixed an issue where a log file (/var/log/wtmp)
inflated and consumed the available disk space. With this fix, PAN-OS
uses a log rotation function to prevent log files from consuming
more disk space than necessary. |
90742 | Fixed an issue where you could not add WF-500
appliance signatures as exceptions in an Antivirus profile when
the signature names contained more than 32 characters. |
90635 | A security-related fix was made to address
a cross-site scripting condition in the Application Command Center
(ACC) (PAN-SA-2016-0009). |
90553 | Fixed an issue where Data Filtering and WildFire
Submission logs for non-NAT sessions contained incorrect or invalid
NAT information. |
90501 | Fixed an issue where the firewall could not
connect to a GlobalProtect portal or gateway after removing the
LSVPN configuration. |
90433 | Fixed an issue where overrides of the default
rules in the Shared policy took precedence over the overrides of
default rules in a device group. With this fix, override precedence
now behaves as designed (overrides of default rules in the lowest
level device group take precedence over those settings in the higher
level device groups and Shared). |
90411 | Fixed an issue where a global counter (flow_dos_pf_noreplyneedfrag) related
to the suppress-icmp-needfrag Zone Protection profile displayed the
action as drop even when configured to allow ICMP Fragmentation. This
fix introduces a new global counter (Unsuppressed ICMP Need Fragmentation). |
90260 | Fixed an issue where a device administrator
was unable to configure certain settings under Device > Setup >
Operations. |
90249 | Fixed an issue where upgrading from a PAN-OS
6.1 or earlier release prevented administrators from overriding
LDAP group mappings that were pushed from Panorama. |
90141 | Improved output of the command request batch
license info on Panorama to include license expiration times. |
90106 | Fixed an issue where a process restarted unexpectedly
due to the reuse of a process ID (PID). The PID was associated with
an old SSH session that the firewall intended to terminate because
the SSH session had timed out but was never closed properly, which
inadvertently resulted in a restart of the process currently associated
with that PID. |
90070 | Fixed an issue where a memory leak associated
with the authentication process (authd) caused intermittent access
and authentication issues. |
89979 | Fixed an issue where the Aggregate Ethernet
(AE) interface port in virtual wire mode with link state pass through
enabled came up after a commit even though its peer AE interface
port was down. With this fix, the other AE interface port will come
up after the commit and is then brought down in approximately 10
seconds. This causes both AE interfaces to stay down until the first
AE interface recovers. |
89910 | Fixed an issue where all LLDP packets were
sent with the source MAC address of the MGT interface instead of
the dataplane interface from which they were transmitted. With this
fix, LLDP packets are encapsulated with the source MAC address of
the interface that transmitted the packet. |
89906 | Fixed an issue where non-superuser administrators
were unable to see Exempt Profiles and the Security policy rules
in which the profiles are used when viewing a Threat log (Monitor
> Logs > Threat > < Threat Name >). |
89761 | Fixed an issue where a scheduled log export
failed to export the logs if the password in the configuration contained
the dollar sign ("$") character. |
89752 | A security-related fix was made to address
a buffer overflow condition. |
89750 | A security-related fix was made to address
a stack underflow condition. |
89743 | Fixed an issue where commits failed due to
processes (configd and mgmtsrvr) that stopped responding. This issue
was caused by memory corruption related to the WildFire deployment
schedule. |
89723 | Fixed an issue where IPSec tunnels using IKEv2
failed to establish a VPN if multiple remote gateways were behind
a port address translation (PAT) setup. With this fix, the firewall
can allow multiple devices behind PAT to set up security associations
to the same IP gateway. |
89717 | A security-related fix was made to ensure the
appropriate response to special requests received through the API
interface. |
89706 | A security-related fix was made to prevent
some CLI commands from improperly executing code. |
89595 | Fixed an issue where attempting to Hide Panorama
background header (Panorama > Setup > Operations > Custom Logos)
resulted in an error (Edit breaks config validity). |
89551 | Fixed an issue where the User Activity Report
did not show results for user names that contained German characters. |
89503 | Fixed an issue where user-group mappings were
not properly populated into the dataplane after a firewall reboot. |
89467 | Fixed an issue with exporting a botnet report
where exporting to CSV returned the Missing report job ID error. |
89413 | Fixed an issue where Panorama template commits
failed when the names of several certificates in the Default Trusted
Certificate Authorities list changed. This occurred when Panorama
was running a PAN-OS 7.0 release and pushed a template to a firewall
running a PAN-OS 6.1 or earlier release. |
89342 | Fixed a rare condition where the root partition
on a firewall or appliance ran out of space during device state
generation. |
89296 | Fixed an issue where a commit failed after
renaming a Panorama shared object that was already referenced in
the rules on a local firewall. |
89284 | Fixed a reporting issue on the ACC and SaaS
Application Usage Report on managed firewalls. This issue occurred
because the application information pushed from Panorama did not
populate in a way or location that allowed the information to be
used for reports generated on the firewalls. |
89036 | Fixed an issue where the delete user-file ssh
known-hosts command was unavailable on an M-Series appliance in
Log Collector mode. |
88651 | Fixed an issue where the User-ID (useridd)
process stopped responding when the running-config was missing the
port number associations for the Terminal Services (TS) Agent. |
88585 | Fixed an issue where DNS proxy rules didn't
consistently match a domain name with the correct primary IP addresses.
With this fix, matching logic favors results that do not include
wildcards. |
88561 | Fixed an issue where the tunnel went down and
began to renegotiate, causing traffic destined for the tunnel during
that time to be dropped. This issue occurred when the configuration
was pushed from Panorama to a firewall configured with IKEv2 preferred
mode and that was connected to a firewall configured to use IKEv1
in an IPSec connection. |
88450 | Fixed an issue where Layer 3 interfaces without
defined IP addresses, zones, or virtual routers dropped LLDP packets,
which prevented the firewall from obtaining and displaying neighbor
information. |
88421 | Fixed an issue where WildFire reports were
generated for files already blocked by the Antivirus profile SMTP
decoder. |
88408 | Fixed an issue where the show logging-status
device command used in the XML API caused the log daemon to stop
responding when the device attribute was omitted. |
88346 | Fixed an issue where a firewall was sending
BGP packets with the wrong MD5 authentication value. |
88327 | Fixed an issue where several valid country
codes were missing in the Certificate Attributes section when generating
a certificate from the web interface. |
88313 | Fixed an issue where read-only device administrators
were unable to view logs on the ACC tab. |
88279 | Fixed an issue where the debug dataplane packet-diag
aggregate-logs command showed an incorrect target filename. |
88225 | Fixed an issue where the firewall could not
register with the WildFire public cloud due to a problem with the
log-cache size becoming too large. With this fix, a limitation mechanism
is now in place to control the log-cache size. |
88191 | A security-related fix was made to address
information leakage in system logs that impacted the web interface
(PAN-SA-2016-0016). |
88142 | Fixed an issue with time calculation when displaying
statistics for more than a single day (Monitor > App Scope > Network
Monitor) that caused data to be unexpectedly shifted (calculation
used 12:00 A.M. GMT instead of local time and data was shifted accordingly).
With this fix, graphs display data across multiple days as expected
for the local time on the firewall. |
88141 | Fixed an issue on Panorama where an administrator
with an access-domain name longer than 31 characters received the
following error when logging in: Login could not be completed. Please
contact the administrator. With this fix, administrators with access-domain
names of up to 63 characters can log in. |
88101 | Fixed an issue where WildFire reports (web
interface and PDF) were unable to display digital signer information. |
87911 | Fixed an issue where scheduled dynamic updates
to managed firewalls stopped functioning after migrating the Panorama
VM to an M-500. |
87880 | Fixed an issue where the XML API request to
test Security policy was not properly targeted to a specified virtual
system (vsys), which made the request applicable only to the default
vsys. With this fix, the XML API request to test Security policy
is able to retrieve results for any previously targeted vsys. |
87871 | Fixed an intermittent issue in an HA active/active
configuration where packets passed through a virtual wire were dropped
due to a race condition that occurred when the session owner and
session setup were not on the same HA peer. |
87870 | Fixed an issue where an OSPF route with a lower
administrative distance than the static route should become the
preferred route but was not installed and used as expected; the
firewall continued to use the static route instead. |
87851 | Fixed an issue where high rates of fragmented
packets caused the firewall to experience a spike in packet buffer,
descriptor, and CPU usage. |
87727 | Fixed an issue where a virtual system custom
role administrator could not add user-to-IP mappings using the XML
API. |
87594 | Fixed an issue on M-Series appliances that
caused the show ntp CLI command to time out. |
87482 | A security-related change was made to management
plane account restrictions to prevent service disruption. |
87414 | Fixed a cosmetic issue where the traffic log
type was displayed in the severity column of the Log Forwarding
profile. |
87207 | Fixed an issue where the User-ID process (useridd)
stopped responding, which caused the firewall to reboot. |
87144 | Fixed an issue where a change of an object
name was not propagated in some parts of the configuration where
the object was referenced. |
87094 | Fixed an issue where committing a policy on
Panorama that contained interfaces that were manually defined generated
an error: [interface name] is not an allowed keyword. |
87066 | Fixed an issue on Panorama virtual appliances
and on M-Series appliances in Panorama mode where two correlation
engine sub-objects on the Web UI tab (Correlation Objects and Correlated
Events) were incorrectly excluded when adding or modifying an Admin
Role profile (Template > Device > Admin Roles). |
86979 | Fixed an issue where an incomplete IPSec tunnel
configuration (one without an IKE gateway specified) caused the
firewall server process to stop responding. |
86977 | Fixed an issue where LDAP sessions on Panorama
were kept open and not actively refreshed. With this fix, a keep-alive
mechanism is added that is triggered after 15 minutes of session
inactivity and that allows a maximum of 5 failed probes before dropping
a connection (probes occur in 60-second intervals). |
86944 | Fixed an issue on Panorama where a commit to
a device group caused the Panorama job to fail, but the job was
successful on the managed device. |
86725 | Fixed an issue where the SSL Certificate Errors
Notify Page did not display values of some variables (such as certname,
issuer, and reason) on web pages with expired certificates. |
86717 | Fixed an issue where QoS statistics for a specific
interface were empty after a device reboot. |
86686 | Security-related fixes were made to address
issues reported in the October 2015 NTP-4.2.8p4 Security Vulnerability
Announcement. |
86623 | Fixed an issue where a firewall in an HA active/passive
configuration dropped FTP PORT command packets after a failover. |
86613 | Fixed an issue where the General Settings dialog
for Device > Setup > Management did not resize correctly when the
Login Banner contained a large amount of text. |
86488 | Fixed an issue where predefined Application
Usage Risk Trend graphs (Monitor > Reports > PDF Summary Reports)
did not display lines between contiguous dots as expected. |
86395 | Fixed an issue where the administrator could
not manually type the Ethernet interface name in a NAT policy in
Panorama. |
86313 | Fixed an issue where the failed to handle CONFIG_COMMIT
error was displayed during a commit. |
86202 | Fixed an issue where the management plane stopped
responding if you modified an object referenced in a large number
of rules. |
86189 | Fixed an issue where the firewall did not send
SNMPv3 traps that used an IPv6 server address. |
86122 | Fixed an issue where an LACP Aggregate Ethernet
(AE) interface using SFP copper ports remained down after a dataplane
restart. |
85961 | Fixed an issue that occurred when using the
Panorama template stack where the configuration (gear) icon displayed
in the wrong location (next to Panorama servers in the template
stack). |
85882 | Fixed an issue where improperly formatted API
calls to Panorama caused one of the system daemons to stop responding. |
85602 | Enhanced logging for events where long CLI
system commands time out (for example, when generating a tech-support
file). |
85426 | Fixed a cosmetic issue where the log action
for the interzone-default Security policy rule was incorrect in
session detail (session to be logged at end) when the default log
action was overridden by the user. |
85344 | Fixed an issue where scheduled dynamic update
installation caused the HA link to flap. |
85320 | Fixed an issue where a process (cryptod) stopped
responding when attempting to use SSH to access a firewall that
rebooted into maintenance mode after the master key was allowed
to expire. With this fix, administrators can use SSH to access the
firewall without causing the cryptod process to fail even after
a firewall reboots to maintenance mode after the master key expires. |
85265 | Fixed an issue in the XML API that prevented
a read-only Superuser from downloading custom packet captures. |
84997 | Fixed an issue on PA-7000 Series firewalls
where the first autocommit attempt failed. |
84911 | Fixed an issue where an error was displayed
when saving the NFS partition configuration on a Panorama virtual
appliance. |
84695 | Fixed an issue where GlobalProtect was not
appropriately indicated on the interface tab when it is configured
on a loopback interface. |
84414 | Fixed an issue on the PA-7050 firewall where,
after deleting a HIP log forwarding profile, a false warning would
appear during a commit. |
84146 | Fixed an issue in PAN-OS 7.0 releases where
the source and destination field was no longer included as expected
in error messages that were triggered when requests to delete address
objects failed. With this fix, the source and destination information
is again included in the error message. |
84143 | Enhancement made to allow administrators to
include the application field and URL field in custom response pages. |
84115 | Fixed an issue where virtual system administrators
(full access or read-only) were unable to access settings under
the Network tab (Panel for undefined not registered was displayed
instead). |
84046 | Fixed an issue where SSL decryption failed
when a certificate was rejected due to a missing or empty basicConstraints
extension. With this fix, an exception is added to allow a missing
or empty basicConstraints extension for self-signed non-CA certificates,
and the following behaviors will be applied to CAs with regard to
basicConstraints extensions:
|
84027 | Fixed an issue where a firewall allowed some
HTTP GET packets to pass through even when the URL Filtering profile
was configured to block packets in this URL category. |
83239 | Fixed an issue where inbound SSL decryption
did not work as expected when you enabled SYN cookies. |
83086 | Fixed an issue where the output of the show
dos-protection <zone-name> blocked source command didn't display
the correct data for the requested zone. |
82918 | Fixed an issue where re-entering an LDAP bind
password through the CLI using a hash value (instead of a regular
password) was rejected for having too many characters. |
82524 | Fixed an issue where a custom report with Group
By Source User option did not include all data when the Source User
field was empty. |
82493 | Fixed an issue so that the firewall performs
NAT translations on IP addresses in an SCCP packet by doing a second
NAT policy lookup instead of using a NAT policy for the current
session. |
82322 | Added an enhancement to the PAN-OS routing
engine for BGP routing protocol to remove a varying AS number preceded
by a static AS number in the AS_PATH attribute. |
82106 | Fixed an issue where repetitive logging of
inconsequential debug messages caused the snmpd.log file to reach
its maximum file size and prevent further logging. With this fix,
these inconsequential debug messages are no longer written to the
log file. |
80953 | Fixed an issue where packets were not adhering
to the virtual wire forwarding path, which caused MAC address flapping
on neighboring devices. This occurred on a firewall in HA active/active
virtual wire mode. |
80750 | Fixed an issue where you could not select a
template stack or a descendant device group defined in a device
group hierarchy on Panorama when specifying the device group and
template for the VM-Series NSX edition firewall. |
80336 | Fixed an issue where Panorama custom report
filenames that included a period (".") character resulted in empty
reports. With this fix, reports are generated as expected for custom
report filenames that include a period so long as the period is
not the first character in the filename. |
77273 | Fixed an issue where importing a certificate
with the same subject name as an existing certificate failed. With
this fix, you can import a certificate that uses the same subject
name as an existing certificate. |
64717 | Fixed an issue where an HA configuration did
not correctly synchronize between firewalls when configured on Panorama
and pushed to the firewalls. |
42851 | Fixed a performance issue with commit requests
related to IKE configuration parsing. Also fixed cosmetic IKE validation
messages displayed during the commit process, such as during a commit
when the IKE gateway configuration was bound to an interface without
an IP address. With this fix, the correct error message is displayed
(IKE gateway <gw-name> used local interface <interface> which
has no IP address. Configuration is invalid.) |