End-of-Life (EoL)
PAN-OS 7.1.10 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.10 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
PAN-77595 | Fixed an issue where PA-7000 Series firewalls
forwarded a SIP INVITE based on route lookup instead of Policy-Based
Forwarding (PBF) policy. |
PAN-77516 | A security-related fix was made to address
a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS
Proxy service resolved FQDNs (CVE-2017-8390). |
PAN-76890 | Fixed an issue where traffic that included
a ZIP file caused the all_task process to restart and the firewall
dropped packets while waiting for that process to resume. |
PAN-76153 | Fixed an issue where PA-5000 Series firewalls
dropped traffic because predict sessions incorrectly matched Policy-Based
Forwarding (PBF) policy rules for non-related sessions. |
PAN-75413 | Fixed an issue where DHCP servers did not assign
IP addresses to new end users (DHCP clients) because the firewall
failed to process and relay DHCP messages between the servers and
clients after you configured a firewall interface as a DHCP relay
agent. |
PAN-75372 | Fixed an issue where Panorama dropped all administrative
users because the management-server process restarted. |
PAN-75158 | Fixed an issue with network outages on firewalls
in a virtual wire HA configuration with HA Preemptive failback enabled
(Device > High Availability > General > Election Settings) due to
Layer 2 looping after failover events while the firewalls processed
broadcast traffic. |
PAN-74655 | Fixed an issue where users experienced slow
network connectivity due to CPU utilization spikes in the firewall
Network Processing Cards (NPCs) when the URL cache exceeded one
million entries. |
PAN-74548 | Fixed an issue where the Export Named Configuration
dialog did not let you filter configuration snapshots by Name, which
prevented you from selecting snapshots beyond the first 500. With
this fix, you can now enter a filter string in the Name field to
display any matching snapshots. |
PAN-74403 | Fixed an issue on Panorama where the web interface
became unresponsive after you selected Export to CSV for a custom
report, which forced you to log in to the CLI and reboot Panorama
or restart the management server. |
PAN-74368 | Fixed an issue where commits failed due to
configuration memory limits on firewalls that had numerous Security
policy rules that referenced many address objects. With this fix,
the number of address objects that a policy rule references does
not impact configuration memory. |
PAN-74236 | Fixed an issue where numerous non-browser based
requests from clients caused the User-ID process (useridd) to stop
responding, which resulted in too many pan_errors disk writes. |
PAN-74188 | Fixed an issue where conflicting next-hop entries
in the egress routing table caused the firewall to incorrectly route
traffic that matched Policy-Based Forwarding (PBF) policy rules
configured to Enforce Symmetric Return. |
PAN-74184 | Fixed an issue where Panorama failed to properly
create NSX service profile zones and was out of sync with VMware
Service Managers after you assigned VMware service definitions to
template stacks. |
PAN-73914 | A security-related fix was made to address
OpenSSL vulnerabilities (CVE-2017-3731). |
PAN-73783 | Fixed an issue where cookie-based authentication
for the GlobalProtect gateway failed with the following error: Invalid
user name. |
PAN-73631 | Fixed an issue where end user clients failed
on their first attempt to authenticate when you configured Captive
Portal for certificate-based authentication and the client certificates
exceeded 2,000 bytes. |
PAN-73553 | Fixed an issue where SSL Inbound Decryption
failed when the private key was stored on a hardware security module
(HSM). |
PAN-73502 | Fixed an issue where the firewall did not purge
expired IP address-to-username mappings, which caused one of the
root partitions to run out of free space. |
PAN-73497 | Fixed an issue on Panorama where the CSV file
that you exported for a custom report (Monitor > Manage Custom Reports)
included all entries instead of the number of entries specified
in the Sort By drop-down (such as Top 10). |
PAN-73484 | Fixed an issue where the firewall server process
(devsrvr) restarted during URL updates. |
PAN-73359 | Fixed an issue where commits failed because
an accumulation of delayed ACC summary reports on Panorama and Log
Collectors caused a memory leak in the reportd process. |
PAN-73281 | Fixed an issue where the firewall dropped multicast
traffic on an egress VLAN interface when the traffic was offloaded. |
PAN-73191 | Fixed an issue where OSPF adjacency flapping
occurred between the firewall and an OSPF peer due to a heavy processing
load on the dataplane and queued OSPF hello packets. |
PAN-73045 | Fixed an issue where HA failover and fail-back
events terminated sessions that started before the failover. |
PAN-72875 | Fixed an issue where the severity level of
the Failed to sync PAN-DB to peer: Peer user failure syslog message
was too high. With this fix, the message severity level is info
instead of medium. |
PAN-72871 | Fixed an issue where the firewall displayed
only part of the URL Filtering Continue and Override response page. |
PAN-72697 | Fixed an issue where, after a DoS attack ended,
the firewall continued generating Threat logs and incrementing the
session drop counter. |
PAN-72433 | Fixed an issue where the PA-7050 firewall displayed
incorrect information for the packet counts and number of bytes
associated with traffic on subinterfaces. With this fix, the firewall
displays the correct information in the show interface CLI command
output and in other sources of information for subinterfaces (such
as SNMP statistics and NetFlow record exports). |
PAN-72346 | Fixed an issue where the firewall failed to
export botnet reports and displayed the following error: Missing
report job id. |
PAN-71627 | Fixed an issue where the firewall failed to
authenticate to a SafeNet hardware security module (HSM). With this
fix, the firewall supports multiple SafeNet HSM client versions;
you can use the request hsm client-version CLI command to select
the version that is compatible with your SafeNet HSM server. |
PAN-71544 | Fixed an issue where the VM-Series firewall
on a Microsoft Hyper-V server stopped receiving traffic on interfaces
in Tap mode because the system clock went backward, which caused
the packet processor to stop responding. |
PAN-71484 | Fixed an issue where the firewall disrupted
SIP traffic by discarding long-lived SIP sessions after a content
update. |
PAN-71400 | Fixed an issue where the DNS Proxy feature
did not work because the associated process (dnsproxy) stopped running
on a firewall that had an address object (Objects > Address) with
the same FQDN as one of the Static Entries in a DNS proxy configuration
(Network > DNS Proxy). |
PAN-71312 | Fixed an issue where custom reports did not
display results for queries that specified the Negate option, Contains
operator, and a Value that included a period (.) character preceding
a filename extension. |
PAN-71311 | Fixed an issue where, after losing the connection
to the Windows-based User-ID agent, the firewall generated a System
log with the wrong severity level (informational instead of high)
if you configured the User-ID agent with an FQDN instead of an IP
address (Device > User Identification > User-ID Agents). |
PAN-71133 | Fixed an issue where the dataplane rebooted
after multiple dataplane processes restarted due to memory corruption. |
PAN-70928 | Fixed an issue where the GlobalProtect gateway
failed to verify the revocation status of a client certificate using
Online Certificate Status Protocol (OCSP). |
PAN-70731 | Fixed an issue where the firewall failed to
authenticate to a SafeNet hardware security module (HSM) if the
Administrator Password (Device > Setup > HSM) contained special
characters. |
PAN-70366 | Fixed an issue where SMTP email servers did
not receive PDF reports from the firewall because the report emails
used bare LF instead of CRLF line separators. |
PAN-69951 | Fixed an issue where the firewall generated
System logs for dataplane under severe load events but failed to
forward those logs to Panorama. |
PAN-69874 | Fixed an issue where, when the PAN-OS XML API
sent IP address-to-username mappings with no timeout value to a
firewall that had the Enable User Identification Timeout option
disabled, the firewall assigned the mappings a timeout of 60 minutes
instead of never. |
PAN-69801 | Fixed an issue where the primary firewall peer
in an HA active/active configuration was in a tentative HA state
and did not synchronize session update messages with the secondary
peer, which resulted in dropped packets after a session aged out
(within 30 seconds). |
PAN-69799 | Fixed an issue where PA-7050 firewalls did
not correctly enforce log retention periods (Device > Setup > Management,
Logging and Reporting Settings section, Log Storage tab, Max Days
fields). |
PAN-69585 | Fixed an issue where the URL link included
in the email for a SaaS Application Usage report triggered third-party
spam filters. |
PAN-69235 | Fixed an issue where committing a configuration
with 4,000 or more Layer 3 subinterfaces caused the dataplane to
stop responding. |
PAN-68831 | Fixed an issue where CSV exports for Unified
logs (Monitor > Logs > Unified) had no log entries if you limited
the effective queries to one log type. |
PAN-68808 | Fixed an issue on the PA-7050 firewall where
the mprelay process experienced a memory leak and stopped responding,
which caused slot failures and HA failover. |
PAN-68795 | Fixed an issue where the SaaS Application Usage
report displayed upload and download bandwidth usage numbers incorrectly
in the Data Transfer by Application section. |
PAN-68767 | Fixed an issue where Panorama could not change
the connection Status of an NSX manager (Panorama > VMware NSX >
Service Managers) from Unknown to Registered due to a non-existent
null value entry in the NSX manager response. |
PAN-68763 | Fixed an issue where path monitoring failures
did not produce enough information for troubleshooting. With this
fix, PAN-OS supports additional debug commands and the tech support
file (click Generate Tech Support File under Device > Support) includes
additional registry values to troubleshoot path monitoring failures. |
PAN-67699 | Fixed an issue where enabling cookie authentication
on the GlobalProtect portal (Network > GlobalProtect > Portals)
caused the sslvpn process to stop responding, which disconnected
end users who connected through an SSL VPN. |
PAN-67692 | Fixed an issue where Panorama only intermittently
used the proxy server if you configured it for connecting to VMware
NSX service managers. |
PAN-67639 | Fixed an issue where the firewall did not properly
mask the Auth Password and Priv Password for SNMPv3 server profiles
when you viewed configuration changes in a Configuration log. |
PAN-67600 | Fixed an issue where firewall interfaces configured
as DHCP clients renewed DHCP leases at incorrect intervals. |
PAN-67412 | Fixed an issue on firewalls in an HA configuration
where, when an end user accessed applications over a GlobalProtect
clientless VPN, the web browser became unresponsive for about 30
seconds after a failover. |
PAN-66997 | Fixed an issue on PA-7000 Series and PA-5000
Series firewalls where end users who accessed applications over
SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional
traffic. |
PAN-66873 | Fixed an issue where PAN-OS deleted critical
content files when the management plane ran out of memory, which
caused commit failures until you updated or reinstalled the content. |
PAN-66215 | Fixed an issue where the Panorama management
server became unresponsive and inaccessible through SSH or HTTPS
for several hours. |
PAN-65918 | Fixed an issue on the Panorama virtual appliance
where the third-party backup software BackupExec failed to back
up a quiesced snapshot of Panorama (Panorama in a temporary state
where all write operations are flushed). With this fix, the VMware
Tools bundled with Panorama supports the quiescing option. |
PAN-64884 | Fixed an issue where firewalls in an HA configuration
did not synchronize the Layer 2 MAC table; after failover, the MAC
table was rebuilt only on the peer that became active, which caused
excessive packet flooding. |
PAN-64870 | Fixed an issue where a zone with the Type set
to Virtual Wire (Network > Zones) dropped all incoming traffic when
you configured the Zone Protection profile for that zone with a
Strict IP Address Check (Network > Network Profiles > Zone Protection
> Packet Based Attack Protection > IP Drop). |
PAN-64725 | Fixed an issue where PA-7000 Series firewalls
and Panorama Log Collectors consumed excess memory and didn't process
logs as expected. This issue occurred when DNS response times were
slow and scheduled reports contained fields that required DNS lookups. |
PAN-64639 | Fixed an issue where HA firewalls failed to
synchronize the PAN-DB URL database. |
PAN-63969 | Fixed an issue on PA-7000 Series firewalls
in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces
on the passive peer displayed link activity on a neighboring device
(such as a switch) to which they connected even though the interfaces
were down on the passive peer. |
PAN-63612 | Fixed an issue where User activity reports
on Panorama did not include any entries when there was a space in
the Device Group name. |
PAN-62937 | Fixed an issue where establishing an LDAP connection
over a slow or unstable connection caused commits to fail when you
enabled TLS. With this fix, if you enable TLS, the firewall does
not attempt to establish LDAP connections when you perform a commit. |
PAN-62797 | Fixed an issue where the cdb process intermittently
restarted, which prevented jobs from completing successfully. |
PAN-62791 | Fixed an issue where the firewall could not
use the certificates in its certificate store (Device > Certificate
Management > Certificates > Device Certificates) after a manual or
automatic commit, which caused certificate authentication to fail. |
PAN-62500 | A security-related fix was made to prevent
the inappropriate disclosure of information due to a Linux Kernel
vulnerability (CVE-2016-5696). |
PAN-62436 | Fixed an issue where, after you installed the
GlobalProtect agent, it failed to connect with the GlobalProtect
portal to download the agent configuration because authentication
messages had special characters. |
PAN-62159 | Fixed an issue where the firewall did not generate
WildFire Submission logs when the number of cached logs exceeded
storage resources on the firewall. |
PAN-61682 | Fixed an issue where end users either did not
see the Captive Portal web form or saw a page displaying raw HTML
code after requesting an application through a web proxy because
the HTTP body content length exceeded the specified size in the
HTTP Header Content-Length. |
PAN-61644 | Fixed an issue where Panorama displayed the
Invalid term(device-group eq) error when you tried to display the
logs for a specific device group. |
PAN-61409 | Fixed an issue where the firewall failed to
connect to an HTTP server using the HTTPS protocol when the CA certificate
that validated the firewall certificate was in a specific virtual
system instead of the Shared location. |
PAN-60376 | Fixed an issue where the authentication process
(authd) stopped responding and caused the firewall to reboot after
the firewall received a stale response to an authentication request
before selecting CHAP or PAP as the protocol for authenticating
to a RADIUS server. |
PAN-60101 | Fixed an issue on the M-500 and M-100 appliances
in Panorama mode where emailed custom reports contained no data
if you configured a report query that used an Operator set to contains
(Monitor > Manage Custom Reports). |
PAN-59677 | A security-related fix was made to prevent
firewall administrators logged in as root from using GNU Wget to
access remote servers and write to arbitrary files by redirecting
a request from HTTP to a crafted FTP resource (CVE-2016-4971). |
PAN-59676 | Fixed an issue where firewall administrators
with custom roles (Admin Role profiles) could not download content
or software updates. |
PAN-58358 | Fixed an issue where CSV exports for Unified
logs (Monitor > Logs > Unified) displayed information in the wrong
columns. |
PAN-57553 | Fixed an issue where a QoS profile failed to
work as expected when applied to a clear text node configured with
an Aggregate Ethernet (AE) source interface that included AE subinterfaces. |
PAN-56453 | Fixed an issue where the Correlation logs that
Panorama forwarded with a custom Common Event Format (CEF) were
incomplete and incorrectly formatted when sent as syslogs. |
PAN-56287 | Fixed an issue where the firewall discarded
VoIP sessions that had multicast destinations. |
PAN-56015 | Fixed an issue where the syslog format for
Correlation logs differed from the format of other log types, which
prevented the firewall from integrating with some third-party syslog
feeds. |
PAN-55245 | Fixed an issue on VM-Series firewalls where
application-level gateway (ALG) H.245 traffic failed due to a session
prediction issue. |
PAN-54531 | Fixed an issue where the firewall stopped writing
new Traffic and Threat logs to storage because the Automated Correlation
Engine used disk space in a way that prevented the firewall from
purging older logs. |
PAN-49821 | Fixed an issue where connections to the GlobalProtect
portal failed when traffic came from a shared gateway and there
was no Security policy rule to allow TCP port 20077 for the GlobalProtect
portal IP address. With this fix, you need only allow access to
TCP port 443 for the GlobalProtect portal even when traffic is coming
from a shared gateway. |
PAN-49660 | Fixed an issue where several processes stopped
on firewalls in an HA configuration that received HA3 messages but
didn't have configured HA3 interfaces (Device > High Availability
> Active/Active Config). |
PAN-46374 | Fixed an issue on PA-7000 Series firewalls
where you had to power cycle the Switch Management Card (SMC) when
it failed to come up after a soft reboot (such as after upgrading
the PAN-OS software). |