End-of-Life (EoL)

PAN-OS 7.1.10 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.10 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where PA-7000 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall Network Processing Cards (NPCs) when the URL cache exceeded one million entries.
Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
Fixed an issue where numerous non-browser based requests from clients caused the User-ID process (useridd) to stop responding, which resulted in too many pan_errors disk writes.
Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.
Fixed an issue where Panorama failed to properly create NSX service profile zones and was out of sync with VMware Service Managers after you assigned VMware service definitions to template stacks.
A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name.
Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
Fixed an issue on Panorama where the CSV file that you exported for a custom report (Monitor > Manage Custom Reports) included all entries instead of the number of entries specified in the Sort By drop-down (such as Top 10).
Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
Fixed an issue where commits failed because an accumulation of delayed ACC summary reports on Panorama and Log Collectors caused a memory leak in the reportd process.
Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
Fixed an issue where HA failover and fail-back events terminated sessions that started before the failover.
Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium.
Fixed an issue where the firewall displayed only part of the URL Filtering Continue and Override response page.
Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
Fixed an issue where the firewall failed to export botnet reports and displayed the following error: Missing report job id.
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
Fixed an issue where the VM-Series firewall on a Microsoft Hyper-V server stopped receiving traffic on interfaces in Tap mode because the system clock went backward, which caused the packet processor to stop responding.
Fixed an issue where the firewall disrupted SIP traffic by discarding long-lived SIP sessions after a content update.
Fixed an issue where the DNS Proxy feature did not work because the associated process (dnsproxy) stopped running on a firewall that had an address object (Objects > Address) with the same FQDN as one of the Static Entries in a DNS proxy configuration (Network > DNS Proxy).
Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
Fixed an issue where, after losing the connection to the Windows-based User-ID agent, the firewall generated a System log with the wrong severity level (informational instead of high) if you configured the User-ID agent with an FQDN instead of an IP address (Device > User Identification > User-ID Agents).
Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
Fixed an issue where the GlobalProtect gateway failed to verify the revocation status of a client certificate using Online Certificate Status Protocol (OCSP).
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (Device > Setup > HSM) contained special characters.
Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails used bare LF instead of CRLF line separators.
Fixed an issue where the firewall generated System logs for dataplane under severe load events but failed to forward those logs to Panorama.
Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never.
Fixed an issue where the primary firewall peer in an HA active/active configuration was in a tentative HA state and did not synchronize session update messages with the secondary peer, which resulted in dropped packets after a session aged out (within 30 seconds).
Fixed an issue where PA-7050 firewalls did not correctly enforce log retention periods (Device > Setup > Management, Logging and Reporting Settings section, Log Storage tab, Max Days fields).
Fixed an issue where the URL link included in the email for a SaaS Application Usage report triggered third-party spam filters.
Fixed an issue where committing a configuration with 4,000 or more Layer 3 subinterfaces caused the dataplane to stop responding.
Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) had no log entries if you limited the effective queries to one log type.
Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
Fixed an issue where Panorama could not change the connection Status of an NSX manager (Panorama > VMware NSX > Service Managers) from Unknown to Registered due to a non-existent null value entry in the NSX manager response.
Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.
Fixed an issue where enabling cookie authentication on the GlobalProtect portal (Network > GlobalProtect > Portals) caused the sslvpn process to stop responding, which disconnected end users who connected through an SSL VPN.
Fixed an issue where Panorama only intermittently used the proxy server if you configured it for connecting to VMware NSX service managers.
Fixed an issue where the firewall did not properly mask the Auth Password and Priv Password for SNMPv3 server profiles when you viewed configuration changes in a Configuration log.
Fixed an issue where firewall interfaces configured as DHCP clients renewed DHCP leases at incorrect intervals.
Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
Fixed an issue on PA-7000 Series and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
Fixed an issue where the Panorama management server became unresponsive and inaccessible through SSH or HTTPS for several hours.
Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
Fixed an issue where a zone with the Type set to Virtual Wire (Network > Zones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop).
Fixed an issue where PA-7000 Series firewalls and Panorama Log Collectors consumed excess memory and didn't process logs as expected. This issue occurred when DNS response times were slow and scheduled reports contained fields that required DNS lookups.
Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
Fixed an issue where the cdb process intermittently restarted, which prevented jobs from completing successfully.
Fixed an issue where the firewall could not use the certificates in its certificate store (Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.
A security-related fix was made to prevent the inappropriate disclosure of information due to a Linux Kernel vulnerability (CVE-2016-5696).
Fixed an issue where, after you installed the GlobalProtect agent, it failed to connect with the GlobalProtect portal to download the agent configuration because authentication messages had special characters.
Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
Fixed an issue where Panorama displayed the Invalid term(device-group eq) error when you tried to display the logs for a specific device group.
Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
Fixed an issue where the authentication process (authd) stopped responding and caused the firewall to reboot after the firewall received a stale response to an authentication request before selecting CHAP or PAP as the protocol for authenticating to a RADIUS server.
Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains (Monitor > Manage Custom Reports).
A security-related fix was made to prevent firewall administrators logged in as root from using GNU Wget to access remote servers and write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971).
Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) displayed information in the wrong columns.
Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.
Fixed an issue where the Correlation logs that Panorama forwarded with a custom Common Event Format (CEF) were incomplete and incorrectly formatted when sent as syslogs.
Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
Fixed an issue where the syslog format for Correlation logs differed from the format of other log types, which prevented the firewall from integrating with some third-party syslog feeds.
Fixed an issue on VM-Series firewalls where application-level gateway (ALG) H.245 traffic failed due to a session prediction issue.
Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.
Fixed an issue where connections to the GlobalProtect portal failed when traffic came from a shared gateway and there was no Security policy rule to allow TCP port 20077 for the GlobalProtect portal IP address. With this fix, you need only allow access to TCP port 443 for the GlobalProtect portal even when traffic is coming from a shared gateway.
Fixed an issue where several processes stopped on firewalls in an HA configuration that received HA3 messages but didn't have configured HA3 interfaces (Device > High Availability > Active/Active Config).
Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).
