End-of-Life (EoL)

PAN-OS 7.1.11 Addressed Issues

PAN-OS® 7.1.11 addressed issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.11 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
Fixed an issue where PA-7000 Series firewalls did not apply changes to the syslog server profile configuration until you restarted the syslog-ng process.
Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall Network Processing Cards (NPCs) when the URL cache exceeded one million entries.
Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls running in FIPS-CC mode.
A security-related fix was made to address a vulnerability that allowed cross-site scripting (XSS) attacks on the GlobalProtect external interface because PAN-OS did not properly validate specific request parameters (CVE-2017-9467).
A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule (Policies > Policy Based Forwarding > < rule > > Forwarding) was reset to a null value, which brought down all the interfaces in the slot associated with the Egress Interface and caused an HA failover.
Fixed an issue where interfaces became unavailable due to a packet buffer overflow condition that occurred after the firewall tried to close the connection to a client that ignored the URL Filtering block page.
Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
Fixed an issue where several dataplane processes stopped responding when the firewall processed VPN traffic with IP packet chains, which were typically triggered by IP fragmentation or SSL decryption operations.
Fixed an issue where renaming a shared object on Panorama that you previously pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
Fixed an issue where the firewall could not decrypt traffic for SSL inbound inspection when the private key size was 3,072 or 4,096 bits and the firewall stored the key on a hardware security module (HSM).
A security-related fix was made to address a persistent cross-site scripting (XSS) attack on the management interface of the firewall web interface (CVE-2017-9459).
Fixed an issue where the firewall allowed Psiphon application sessions to continue without applying policy rules to them after the firewall ran out of resources (such as while processing heavy traffic). With this fix, the firewall drops Psiphon sessions after running out of resources.
Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules; this fix requires content release version 718 or a later version.
Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart.
Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even when you chose to Disable new apps in content update (Panorama > Device Deployment > Dynamic Updates).
Fixed an issue where you could not set the authentication profile Type to None (Device > Authentication Profile) on a firewall in FIPS mode.
Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to a command buffer limitation.
Fixed an issue where PA-5000 Series firewalls kept sessions active for an hour instead of discarding them after 90 seconds as expected when the sessions matched a policy rule that was set to deny those sessions or when the sessions matched an allow rule that triggered a block page.
Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for the following threats: Threat ID 14978, Threat ID 14984, and Raven.
Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
Fixed an issue where Panorama failed to push a shared address object to firewalls when the object was part of a dynamic address group that used a tag.
Fixed an issue where Panorama took longer than expected to push configurations from multiple device groups to firewalls.
Fixed an issue where Panorama could not push address objects to managed firewalls when zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and you configured Panorama to not Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).
Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536.
Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors: user-id is not registerd and ldmgr was reset. Commit is required to reinitialize User-ID.
Fixed an issue where the show running url-cache statistics CLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure.
Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
Fixed an issue where, in Decryption policy rules with an Action set to No Decrypt, you could not use the web interface to set the decryption Type for matching traffic.
Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
Fixed an issue where the firewall dropped sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
Fixed an issue on the PA-500 firewall where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and Traffic logs displayed the Session End Reason as decrypt-error or decrypt-cert-validation.
Fixed an issue where firewall management interfaces that were configured through DHCP released or renewed every time you pushed configurations from Panorama instead of releasing or renewing when the DHCP leases expired.
Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.
Fixed an issue where the firewall did not commit changes to the NTP servers configuration (Device > Setup > Services) when the firewall connected to the servers through a service route and the management (MGT) interface was down.
Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP).
Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.
Fixed an issue where GlobalProtect prompted end users for a certificate from gp.paloaltonetworks.com because the default landing page for the GlobalProtect portal referenced an image at gp.paloaltonetworks.com.
Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (Device > VM Information Sources).
Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
Fixed an issue where Panorama failed to display HA firewalls (Panorama > Managed Devices) after the configd process stopped responding.
Fixed an issue where the User-ID agent (PAN-OS integrated or Windows-based) stopped responding because the firewall sent numerous queries for the IP address-to-username mappings of unknown users. With this fix, the firewall no longer queries User-ID agents for unknown users unless you run the debug user-id query-unknown-ip yes CLI command on the firewall (you must re-run this command whenever the firewall reboots). Palo Alto Networks highly recommends upgrading your Windows-based User-ID agents to version 7.0.8 or a later version to avoid the WINAGENT-53 issue associated with this change in default behavior.
Fixed an issue where you could not configure the subnet as a Proxy ID for IPSec VPN tunnels.
Fixed an issue where the firewall did not mark BFD packets with appropriate differentiated services code point (DSCP) values.
Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication.
Fixed an issue where, just after rebooting, a PA-7000 Series firewall failed to store logs locally on the Log Processing Card (LPC).
Fixed an issue on firewalls in FIPS mode where the all_task process stopped responding when users accessed a web page that matched a policy rule with a URL Filtering profile in which the Site Access was set to continue or override for the category of that web page (Objects > Security Profiles > URL Filtering > < URL-filtering-profile > > Categories).
Fixed an issue where the firewall did not generate Threat logs for classified DoS protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).
Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
Fixed an issue where the firewall mapped users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.
Fixed an issue where the firewall allowed SSL sessions with unsupported ciphers (DHE or ECDHE) without decrypting the sessions even if they matched a Decryption policy rule with an Action set to Decrypt, a Type set to SSL Inbound Inspection, and a Decryption Profile that was configured to block unsupported ciphers (Policies > Decryption > < decryption-rule > > Options).
Fixed an issue where the firewall incorrectly generated packet diagnostic logs and captured packets for sessions that were not part of a packet filter (Monitor > Packet Capture).
Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters).
A security-related fix was made to address OpenSSL vulnerabilities (CVE-2016-8610).
Fixed an issue where the Panorama XML API request to show all dynamic address groups responded with improperly formatted XML.
Fixed an issue where, when a multicast forwarding information base (FIB) timed out, the process for packet processing (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
Fixed an issue where PA-5000 Series firewalls did not correctly install DNS sessions that originated from an interface configured for a DNS Proxy (Network > DNS Proxy) and that were destined for a DNS server.
Fixed an issue where PA-3000 Series firewalls did not come up after the first reboot following an upgrade; a second reboot was required.
Fixed an issue where the commit validation process did not identify errors in content update files or in content-related configurations such as Data Pattern objects or custom threat signatures.
Fixed an issue where a firewall did not generate a log when a content update failed or was interrupted.
Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall.
Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.
Fixed an issue where Panorama did not display the logs for Correlation events from PA-7000 Series firewalls.
Fixed an issue on Panorama where the show log threat pcap-dump equal yes CLI command produced an invalid PCAP file.
Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (Monitor > Packet Capture).
Fixed an issue where an application filter with no selected categories caused the firewall to perform slowly because the filter defaulted to include all categories (Objects > Application Filters). With this fix, you cannot configure an application filter without selecting one or more categories.
Fixed an issue where the dataplane restarted due to a memory leak in a process (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled (Network > Interfaces > < interface > > Advanced > LLDP).
Fixed an issue where PA-7000 Series firewalls in an HA active/passive configuration did not correctly enforce QoS limits on Aggregate Ethernet (AE) subinterfaces and did not correctly forward traffic for offloaded sessions.
Fixed an issue where heavy processing loads caused the firewall to fill the root partition with unnecessary log_index_* and content_install_* files in the /tmp directory. With this fix, the firewall no longer generates these unnecessary files.

Recommended For You